SATP: A Post-Quantum Hierarchical Key Distribution Protocol with Ephemeral Session Keys and Forward Secrecy

A certificate-free, quantum-safe tunnel that comes up in two packets and under one millisecond.
SATP Help Documentation
SATP Summary Document
SATP Protocol Specification
SATP Formal Analysis
SATP Implementation Analysis
SATP Integration Guide
SATP (Symmetric Authenticated Tunneling Protocol) is a post-quantum, certificate-free alternative to TLS and SSH that establishes fully authenticated symmetric tunnels in two packets.
It eliminates the complexity of asymmetric key exchange, certificate authorities, and online trust infrastructure while preserving confidentiality, integrity, and forward secrecy.
SATP is purpose-built for closed, high-assurance environments where public-key overhead, certificate churn, or quantum risk are unacceptable.
- Post-Quantum Security – Composed exclusively of SHA-3-family primitives and a wide-block Rijndael AEAD stream cipher (RCS-256). Resistant to quantum search and factoring attacks.
- Two-Packet Handshake – Client sends a 16-byte device ID and nonce; server responds with an authenticated hash. Tunnel established in < 1 ms.
- Certificate-Free Identity – 16-byte identity encodes domain · branch · device · key-index. No X.509, CRLs, or OCSP.
- Forward-Secrecy-by-Consumption – Each session consumes a one-time key derived from a hierarchical tree. Past sessions remain undecryptable even after key exposure.
- Deterministic, Verifiable Security – Every handshake, key derivation, and authentication event can be reproduced and audited from deterministic SHAKE outputs.
- Tiny Footprint – < 30 kB flash / < 4 kB RAM; deployable on Cortex-M0+, PLCs, CubeSats, and embedded controllers.
SATP delivers the cryptographic assurance of TLS 1.3 with constant-time operations, zero certificates, and predictable sub-millisecond setup latency.
| Primitive | Role | Quantum Margin |
|---|---|---|
| RCS-256 | Stream cipher + AEAD | ≥ 2¹²⁸ Grover-bounded |
| SHAKE-256 / cSHAKE-256 | Key derivation + hashing | ≥ 2¹²⁸ pre-image |
| KMAC-256 | Packet authentication | Tag-forgery ≤ 2⁻¹²⁸ |
| SCB-KDF | Password hardening / auth | ≥ 2²⁰ CPU·MiB per guess |
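The two-packet handshake and key consumption from the feature list above, as an added sketch; it is not QRCS code and not the SATP wire format. The four 32-bit identity fields, the derivation labels, the 16-byte nonce, and the use of plain SHAKE-256 and HMAC-SHA3-256 in place of cSHAKE-256 and KMAC-256 are assumptions chosen so it runs on Python's standard library.

```python
import hashlib, hmac, os, struct

def kdf(key: bytes, label: bytes) -> bytes:
    # Plain SHAKE-256 over a length-prefixed key and label (assumed stand-in for cSHAKE-256).
    return hashlib.shake_256(len(key).to_bytes(2, "big") + key + label).digest(32)

def pack_id(domain: int, branch: int, device: int, index: int) -> bytes:
    # Assumed layout: four big-endian 32-bit fields, 16 bytes in total.
    return struct.pack(">IIII", domain, branch, device, index)

def session_key(master: bytes, ident: bytes) -> bytes:
    # Walk the tree master -> domain -> branch -> device -> one-time leaf key.
    key = master
    for name, off in ((b"domain", 0), (b"branch", 4), (b"device", 8), (b"index", 12)):
        key = kdf(key, name + ident[off:off + 4])
    return key

def auth_tag(key: bytes, ident: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA3-256 stands in for KMAC-256, which hashlib does not provide.
    return hmac.new(key, ident + nonce, hashlib.sha3_256).digest()

class Device:
    def __init__(self, master, domain, branch, device, count):
        # Provisioning hands the device leaf keys only, never the master key.
        self.fields, self.next = (domain, branch, device), 0
        self.keys = [session_key(master, pack_id(domain, branch, device, i)) for i in range(count)]

    def hello(self):
        # Packet 1: identity (carrying the key index) plus a fresh nonce.
        ident, key = pack_id(*self.fields, self.next), self.keys[self.next]
        self.keys[self.next] = None  # consume: the leaf key is dropped from the store
        self.next += 1
        return ident, os.urandom(16), key

class Server:
    def __init__(self, master):
        self.master, self.floor = master, {}  # floor: lowest unused index per device

    def respond(self, ident, nonce):
        # Packet 2: authenticated hash, or None if the index was already consumed.
        if len(ident) != 16 or len(nonce) != 16:
            return None
        index = int.from_bytes(ident[12:], "big")
        if index < self.floor.get(ident[:12], 0):
            return None
        self.floor[ident[:12]] = index + 1
        key = session_key(self.master, ident)
        return key, auth_tag(key, ident, nonce)
```

In this sketch the server re-derives leaf keys from the master, so the erasure shown protects only the device-side store. It also advances the index on an unauthenticated first packet; when consumption is committed is a detail the page does not specify.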
Tap-to-tunnel latency drops from 120 ms → 12 ms. No CA fees. Lost cards revoked overnight via branch-epoch rotation.
Internal API calls authenticate in < 0.5 ms. 65 % TLS CPU reclaimed; certificate pipeline removed entirely.
Sensors authenticate using a single SHAKE hash. Field-battery lifetime +25 %.
28 kB firmware upgrade delivers quantum-safe tunnels to legacy PLCs. Site re-key via USB epoch bump.
One 256-bit key per day ⇒ decade-long mission with fixed CPU budget and no certificate uplinks.
SATP depends on the QSC cryptographic library, a portable, MISRA-aligned implementation of SHA-3-family primitives, RCS, and SCB.
QSC builds cleanly across Windows, macOS, and Linux using CMake, with hardware acceleration support for AES-NI, AVX2/AVX-512, and RDRAND.
- CMake 3.15 or newer
- Windows: Visual Studio 2022 or newer
- macOS: Clang via Xcode or Homebrew
- Ubuntu: GCC or Clang
Use the Visual Studio solution to create the SATP, Server, and Client projects.
Extract the source, open the Server and Client solutions, and ensure library paths are set correctly:
- SATP library path: `$(SolutionDir)SATP`
- QSC library path: `$(SolutionDir)..\QSC\QSC`
Verify that each Server/Client project References the SATP library and that SATP links to QSC.
All projects should target the same AVX instruction set under Configuration Properties → C/C++ → All Options → Enable Enhanced Instruction Set.
Compile order: QSC → SATP → Server/Client.
SATP and QSC projects include Eclipse configurations for both Ubuntu and macOS.
Copy the appropriate `.project`, `.cproject`, and `.settings` files from `Eclipse/<OS>/project-name/` into each source folder.
Create new C/C++ projects named QSC, SATP, Server, and Client, importing the corresponding source directories.
Eclipse will detect build settings automatically; adjust compiler (GCC/Clang) as required.
The default configurations use minimal flags and no enhanced intrinsics.
Example flag sets:
- AVX Support: `-msse2 -mavx -maes -mpclmul -mrdrnd -mbmi2`
- AVX2 Support: `-msse2 -mavx -mavx2 -maes -mpclmul -mrdrnd -mbmi2`
- AVX-512 Support: `-msse2 -mavx -mavx2 -mavx512f -mavx512bw -mvaes -mpclmul -mrdrnd -mbmi2 -maes`
Key flags:
- `-maes`: AES-NI (128-bit rounds)
- `-mvaes`: Vector-AES (512-bit rounds)
- `-mpclmul`: Carry-less multiply for GF(2ⁿ)
- `-mrdrnd`: Hardware RNG (RDRAND)
- `-mbmi2`: Bit-manipulation instructions (PEXT/PDEP)
Compile QSC, then SATP, followed by the Server and Client binaries.
SATP produces small, deterministic binaries suitable for both desktop and embedded targets.
INVESTMENT INQUIRIES:
QRCS is currently seeking a corporate investor for this technology.
Parties interested in licensing or investment should contact us at: contact@qrcscorp.ca
Visit https://www.qrcscorp.ca for a full inventory of our products and services.
PATENT NOTICE: One or more patent applications (provisional and/or non-provisional) covering aspects of this software have been filed with the United States Patent and Trademark Office (USPTO). Unauthorized use may result in patent infringement liability.
License and Use Notice (2025-2026)
This repository contains cryptographic reference implementations, test code, and supporting materials published by Quantum Resistant Cryptographic Solutions Corporation (QRCS) for the purposes of public review, cryptographic analysis, interoperability testing, and evaluation.
All source code and materials in this repository are provided under the Quantum Resistant Cryptographic Solutions Public Research and Evaluation License (QRCS-PREL), 2025-2026, unless explicitly stated otherwise.
This license permits public access and non commercial research, evaluation, and testing use only. It does not permit production deployment, operational use, or incorporation into any commercial product or service without a separate written agreement executed with QRCS.
The public availability of this repository is intentional and is provided to support cryptographic transparency, independent security assessment, and compliance with applicable cryptographic publication and export regulations.
Commercial use, production deployment, supported builds, certified implementations, and integration into products or services require a separate commercial license and support agreement.
For licensing inquiries, supported implementations, or commercial use, contact: licensing@qrcscorp.ca
Quantum Resistant Cryptographic Solutions Corporation, 2026.
All rights reserved by QRCS Corp. 2026.