This document outlines the security architecture, assumptions and operational guidance for QuantumSecureAPI.
- PQC baseline: Use standardized PQC algorithms for authentication and signatures. NIST has published PQC standards and recommends organizations start the transition now. (Source: NIST Computer Security Resource Center)
- Quantum layer (where available): When a QKD link or a QRNG is available between two endpoints, use the QKD/QRNG output as an additional entropy source to seed session keys, layered with PQC-derived KEM results. SIPRI and other primers recommend layering QKD on top of PQC for high-assurance links. (Source: 0725_military_and_security_dimensions_of_quantum_technologies_0.pdf)
- Hybrid approach: All production-grade deployments MUST implement PQC for broad compatibility; QKD is an optional high-value add for selected links (e.g., cross-data-center control plane). ISO/IEC defines baseline requirements and testing for QKD modules. (Source: ISO)
- Use an enterprise KMS/HSM/TPM to store long-term keys. Do not persist raw QKD outputs without HSM controls.
- Private keys for PQC algorithms (example: Kyber/Dilithium) must be stored only in an HSM or protected keystore. (Source: NIST Computer Security Resource Center)
- KEM / key establishment: CRYSTALS-Kyber (example). (Source: NIST Computer Security Resource Center)
- Digital signatures / authentication: CRYSTALS-Dilithium (example). (Source: NIST Computer Security Resource Center)
- Symmetric cipher & AEAD: AES-GCM or XChaCha20-Poly1305 for application payloads; rotate keys frequently and derive them using HKDF over all sources (KEM shared secret || QRNG || QKD key material if present).
- Randomness source: Prefer a certified QRNG for seeding high-entropy pools when hardware is available; otherwise use the OS CSPRNG seeded by entropy-harvesting best practices.
Warning: use vetted libraries (libraries that implement FIPS/PQC standards) and HSMs. Do NOT implement crypto primitives yourself.
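The HKDF derivation over all sources described above, as an added example that is not QuantumSecureAPI's own code. It goes one step beyond the plain `||` concatenation by length-prefixing and labelling each source, so that variable-length QRNG and QKD inputs cannot shift into one another and a missing QKD key differs from an empty one. Assumptions: HKDF-SHA256 is composed from the standard library's HMAC only to keep the example dependency-free (a deployment would call its vetted library's HKDF), and the function names, the `info` string and the 32-byte minimum for the KEM secret are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

HASH = hashlib.sha256  # assumption: HKDF-SHA256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: an empty salt defaults to HashLen zero bytes.
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), i = 1..255.
    if not 0 < length <= 255 * HASH().digest_size:
        raise ValueError("invalid HKDF output length")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def frame(label: bytes, value: bytes) -> bytes:
    # Length-prefix label and value so source boundaries are unambiguous.
    return (struct.pack(">I", len(label)) + label +
            struct.pack(">I", len(value)) + value)

def derive_session_key(kem_ss: bytes, qrng: bytes, qkd_key: Optional[bytes] = None, *,
                       salt: bytes = b"", info: bytes = b"QuantumSecureAPI session v1",
                       length: int = 32) -> bytes:
    # The PQC KEM secret is mandatory; QRNG and QKD only ever add to it.
    if len(kem_ss) < 32:
        raise ValueError("KEM shared secret missing or too short")
    ikm = frame(b"kem", kem_ss) + frame(b"qrng", qrng)
    if qkd_key is not None:
        if not qkd_key:
            raise ValueError("QKD link reported but delivered no key material")
        ikm += frame(b"qkd", qkd_key)
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

if __name__ == "__main__":
    # Constructed stand-ins: real values come from the KEM, QRNG and QKD devices.
    kem_ss, qrng, qkd = os.urandom(32), os.urandom(32), os.urandom(32)
    print("PQC + QRNG      :", derive_session_key(kem_ss, qrng).hex())
    print("PQC + QRNG + QKD:", derive_session_key(kem_ss, qrng, qkd).hex())
```

Because the KEM secret is always part of the input, a weak or failed QRNG/QKD source cannot reduce the derived key below the strength of the PQC exchange.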