NIST Post-Quantum Compliant

Post-Quantum Encryption
for the AI Era

Pillar 2: The Iron-Clad Handshake

QuantumIQ Protocol with NIST Level 5 post-quantum encryption (ML-KEM-1024). Every client connection initiates an ephemeral post-quantum key exchange, protecting data from both current and future quantum threats. Data encrypted today remains secure even after quantum computers break RSA in 2030.

Get API AccessView Technical Specs
256-bit Post-Quantum Security
0.4ms Latency Overhead
95,000+ RPS Compatible
FIPS 140-3 Ready
Learn More
The Quantum Threat

"Harvest Now, Decrypt Later"

This isn't theoretical. It's documented fact. Your AI data encrypted today could be completely exposed by 2035.

Harvest Now

Adversaries collect encrypted data today.

Store Until

Data is held until quantum computers mature.

Decrypt Later

Future computers break today's encryption.

NIST spent 8 years developing post-quantum standards precisely because of this threat. They finalized those standards in 2024. Most AI companies haven't implemented them.

5-Layer Defense

The Ironclad-Shield Stack

Every layer is NIST-standardized with years of cryptographic review. Defense in depth means multiple locks, not just one.

~0.3ms
Key Exchange
~0.4ms
Total Overhead
256-bit
Security Level
~1.5KB
Bandwidth

Why Ironclad-Shield?

Standard encryption protects you today. Ironclad-Shield protects you forever.

Feature
Ironclad-Shield
Standard TLS
Cloud KMS
Post-Quantum Key ExchangeProtects against quantum computers breaking RSA/ECC
Harvest-Now ProtectionPrevents retroactive decryption of harvested data
NIST FIPS 203 ComplianceUses standardized ML-KEM-1024 algorithms
5-Layer Defense StackHybrid classical + post-quantum architecture
AES-256-GCM EncryptionIndustry standard symmetric encryption
Auto-Key RotationAutomatically rotates keys to limit blast radius
Optional
Pay-or-Shut-Off LicensingInstant access revocation for compliance

* Comparison based on standard implementation of TLS 1.3 and AWS/GCP KMS without PQC extensions.

Technical Specifications

Built on NIST-standardized algorithms for maximum compliance.

Quantum Security

  • ML-KEM-1024
  • X25519 Hybrid
  • SHAKE-256

Performance

  • <1ms Keygen
  • 0.4ms Overhead
  • 95k+ RPS

Standards

  • FIPS 203/204 PQC
  • FIPS 140-3 HSM
  • SOC 2 Type II

FIPS 140-3 validation in progress

Implementation

How It Works

The Iron-Clad Handshake establishes a quantum-safe encrypted channel in milliseconds. Here's exactly what happens under the hood.

The Quantum-Safe Handshake

1

Client Key Generation

Client generates ephemeral ECDH key pair (P-256) and unique session ID

// Client generates key pair
const keyPair = await crypto.subtle.generateKey(
  { name: 'ECDH', namedCurve: 'P-256' },
  true,
  ['deriveBits']
);
const sessionId = generateSessionId();

Ephemeral keys ensure forward secrecy - compromising one session doesn't compromise others.

End-to-End Encryption Flow

Client AppSDK/API
PRISM GatewayML-KEM-1024
HSM VaultFIPS 140-3
AI BackendSecure
Post-Quantum Protected
ML-KEM-1024 Layer
AES-256-GCM Encrypted

Quick Integration

// TypeScript SDK - Region-Aware Encryption
import { RegionalIronclad } from '@prism/ironclad/regional';
// Initialize with region detection
const ironClad = new RegionalIronclad({
  apiKey: 'your-api-key',
  region: 'SA',        // Explicit: Saudi Arabia
  // OR: countryCode: 'SA',
  // OR: autoDetect: true  // Detect from browser timezone
});
// Get regional compliance info
const info = ironClad.getRegionInfo();
console.log(`Region: ${info.name}`);  // "Saudi Arabia"
console.log(`Bodies: ${info.regulatoryBodies}`);  // ["NCA", "SAMA"]
// Fetch server config (HSM required, data residency)
const config = await ironClad.fetchConfig();
console.log(`HSM: ${config.compliance.hsmRequired}`);  // true
console.log(`Residency: ${config.compliance.dataResidency}`);  // "SA"
// Perform regional handshake
const session = await ironClad.handshake(clientPublicKey);
console.log(`Algorithm: ${session.algorithm}`);
1
Install SDK
npm install @prism/ironclad
2
Initialize
Configure API key
3
Encrypt
Quantum-safe in <1ms
~0.3ms
Handshake
~0.1ms
Encrypt
~0.1ms
Decrypt
<0.5ms
Total Overhead

Source Implementation

Frontend (TypeScript)

Browser-side encryption

Core Library
src/lib/ironclad.ts

Session management, ECDH key exchange, AES-256-GCM encryption

PQC Crypto
src/lib/ironclad/crypto.ts

ML-KEM-1024 encapsulation, X25519 hybrid, HKDF derivation

HSM Integration
src/lib/ironclad/hsm.ts

GCP Cloud KMS, FIPS 140-3 key storage

Backend (Python)

Server-side cryptography

PQC Module
utils/pqc_crypto.py

ML-KEM-1024 + P-384 ECDH hybrid, HKDF-SHA256, liboqs integration

Handshake API
routes/pqc_handshake.py

POST /api/v1/security/handshake, key rotation, compliance endpoints

Architecture Doc
IRONCLAD_ENCRYPTION_ARCHITECTURE.md

Complete system documentation, data flow diagrams

Algorithm Stack (NIST Compliant)

Key Exchange
ML-KEM-1024
FIPS 203
Classical Layer
P-384 ECDH
FIPS 186-5
Key Derivation
HKDF-SHA256
SP 800-56C
Symmetric
AES-256-GCM
FIPS 197
Signatures
ML-DSA-65
FIPS 204

CRYSTALS-Dilithium (ML-DSA) SignaturesIMPLEMENTED

Post-quantum digital signatures for data integrity and non-repudiation

PRISM implements hybrid ECDSA P-384 + ML-DSA-65 signatures for FIPS compliance and post-quantum protection. Both signatures must verify for maximum security.

Signing API
POST /api/v1/security/sign
{
  "data": "<base64_message>",
  "key_id": "sig-key-...",
  "use_hybrid": true
}

Response:
{
  "signatures": {
    "ecdsa_p384": {
      "signature_b64": "...",
      "algorithm": "ECDSA-P384-SHA384",
      "fips_compliant": true
    },
    "ml_dsa": {
      "signature_b64": "...",
      "algorithm": "ML-DSA-65",
      "fips_204_compliant": true,
      "post_quantum": true
    }
  },
  "hybrid": true
}
Verification API
POST /api/v1/security/verify
{
  "data": "<base64_message>",
  "signature_envelope": { ... },
  "public_keys": { ... }
}

Response:
{
  "valid": true,
  "verifications": {
    "ecdsa_p384": { "valid": true },
    "ml_dsa": { 
      "valid": true,
      "algorithm": "ML-DSA-65",
      "post_quantum": true
    }
  },
  "hybrid_verified": true
}
Regional Library Support
πŸ‡ΊπŸ‡Έ North America
liboqs (OpenQuantumSafe)
AWS-LC, BoringSSL
FIPS 203/204 compliant
πŸ‡ͺπŸ‡Ί European Union
Bouncy Castle
BSI/ANSSI hybrid mode
GDPR compliant
🌏 Asia-Pacific
PQClean / liboqs
JCMVP (Japan)
Regional standards
πŸ‡ΈπŸ‡¦ MENA (GCC)
liboqs + HSM
NCA/SAMA (Saudi), NESA (UAE)
Data residency options
FIPS 140-3β€’Validation in Progress
HIPAAβ€’Compliant
SOC 2 Type IIβ€’Compliant
GDPRβ€’Compliant
NIST Level 5β€’256-bit PQ

FIPS 140-3 Certification: Ironclad-Shield is currently undergoing FIPS 140-3 validation through the NIST Cryptographic Module Validation Program (CMVP). Our implementation uses FIPS-approved algorithms (ML-KEM-1024, ML-DSA, AES-256-GCM) and hardware security modules (HSM) that meet FIPS 140-2 Level 3 requirements. Certification is expected in Q2 2026.

Post-Quantum Encryption Plans

Choose the right level of quantum-safe protection for your infrastructure

MonthlyAnnual Save 17%
Popular

Defense

For production applications

$299/month
  • 100,000 encryptions/month
  • Full 5-layer stack
  • Priority Email support
  • 99.9% SLA
  • Audit logs

Armory

High-volume scale

$999/month
  • 1,000,000 encryptions
  • Dedicated HSM slots
  • 24/7 Phone support
  • Advanced Rotation
  • Custom retention

Need Sovereign Deployment?

For on-premise HSM, custom contracts, and unlimited volume.

FAQ

Frequently Asked Questions

Everything you need to know about Ironclad-Shield and post-quantum encryption.

Still have questions? Contact our team

Ready for Quantum-Safe Security?

Start protecting your data today. Get API access in minutes, or talk to our team about enterprise solutions.

View PricingSchedule Demo
API DocumentationSDK DownloadsTechnical Whitepaper
NIST FIPS 203 Compliantβ€’SOC 2 Type IIβ€’HIPAA Readyβ€’GDPR Compliant