Cryptography

Hybrid Ed25519 + ML-DSA-65 (FIPS 204). HybridKEM: X25519 + ML-KEM-768 (FIPS 203). liboqs fail-open.

8 jurisdictions: EU/US/UK/CA/SG/AU/JP/CH. MASQUE tunnels (H3/H2/TCP). TOFU TLS pinning. Least-latency routing.

Per-jurisdiction MinIO routing. Fernet-encrypted pod keys. 5s health probes. Jurisdiction→data_class resolution.

HMAC-SHA256 signed. 7-year Redis TTL. 10K cap per tenant. O(1) historical routing verification.

CLASSIFIED → never. PHI → 5 jurisdictions. GENERAL → all with adequacy. EU↔UK/CA/JP/CH decisions built-in.

Upgrade path to ML-KEM-1024 for post-quantum key exchange at FIPS 203 Security Level 5. Higher lattice dimension than ML-KEM-768 — stronger quantum resistance for long-lived keys.

PKCS#11 bridge to Hardware Security Modules for protecting sovereign key material. Keys never leave tamper-resistant hardware — enforced at the driver level.

Upgrade path from Trust-On-First-Use certificate pinning to CA-signed certificates for MASQUE tunnels. Enables enterprise-managed PKI with zero connectivity interruption during migration. Includes cert_mode field, issue_tunnel_certificate(), revoke_certificate_by_id(), upgrade_to_ca() with atomic rollback, and POST /sovereign/tunnels/{id}/upgrade-cert API.