Craton HSM
Post-Quantum Algorithms
Post-Quantum Algorithms
Craton HSM exposes post-quantum key-encapsulation and signature primitives alongside the classical portfolio. Post-quantum support is optional and is guarded by the algorithms.enable_pqc configuration flag; it is automatically disabled when FIPS approved mode is enabled.
Maturity notice
The underlying crates — ml-kem 0.3.0-rc, ml-dsa 0.1.0-rc, slh-dsa 0.2.0-rc — are at release-candidate versions. The NIST specifications they implement (FIPS 203, 204, 205) are final, but:
- Encoded keys, signatures, and KEM ciphertexts produced by an RC release may not interoperate with a later RC or the 1.0 release of the same crate.
- The
CryptoBackendAPI for post-quantum operations may change before Craton HSM 1.0. - None of the PQC mechanisms are included in the FIPS 140-3 approved set today; CMVP has not yet published certification guidance for FIPS 203/204/205.
Treat post-quantum support as experimental for interoperability. It is production-grade for internal use where both the producer and consumer are pinned to the same Craton HSM version, but long-term interop with third-party implementations should be validated before deployment.
ML-KEM (FIPS 203)
Module-Lattice Key Encapsulation. Replaces classical key exchange with a lattice-based KEM.
| Parameter set | Mechanism | FIPS-approved | Recommended |
|---|---|---|---|
| ML-KEM-512 | CKM_ML_KEM_512 | No (pending CMVP) | Category 1 |
| ML-KEM-768 | CKM_ML_KEM_768 | No (pending CMVP) | Category 3 — default |
| ML-KEM-1024 | CKM_ML_KEM_1024 | No (pending CMVP) | Category 5 |
Usage: CKM_ML_KEM_* is a key-pair generation mechanism. Encapsulation and decapsulation are performed through C_DeriveKey with the KEM mechanism and the recipient public or private key as the base. The derived key material is the 32-byte shared secret, suitable for seeding an HKDF or direct use as an AES-256 key.
Mechanism numbers
PKCS#11 v3.0 does not yet assign standard mechanism numbers for FIPS 203. Craton HSM uses vendor-defined values:
| Mechanism | Value |
|---|---|
CKM_ML_KEM_512 | 0x80000001 |
CKM_ML_KEM_768 | 0x80000002 |
CKM_ML_KEM_1024 | 0x80000003 |
Consumers that need the eventual OASIS-standardised numbers should wrap Craton HSM behind an alias layer until OASIS publishes them.
ML-DSA (FIPS 204)
Module-Lattice Digital Signature Algorithm. The primary PQC signature scheme standardised by NIST.
| Parameter set | Mechanism | FIPS-approved | Security category |
|---|---|---|---|
| ML-DSA-44 | CKM_ML_DSA_44 | No (pending CMVP) | Category 2 |
| ML-DSA-65 | CKM_ML_DSA_65 | No (pending CMVP) | Category 3 — recommended default |
| ML-DSA-87 | CKM_ML_DSA_87 | No (pending CMVP) | Category 5 |
ML-DSA is used exactly like any other signature mechanism — C_SignInit / C_Sign or C_SignUpdate sequences. Multi-part streaming is not available; ML-DSA is a single-pass signature over the full message.
Mechanism numbers
| Mechanism | Value |
|---|---|
CKM_ML_DSA_44 | 0x80000010 |
CKM_ML_DSA_65 | 0x80000011 |
CKM_ML_DSA_87 | 0x80000012 |
SLH-DSA (FIPS 205)
Stateless Hash-Based Signatures. Provides a hash-based fallback should lattice assumptions fail.
| Parameter set | Mechanism | FIPS-approved | Notes |
|---|---|---|---|
| SLH-DSA-SHA2-128s | CKM_SLH_DSA_SHA2_128S | No (pending CMVP) | Small-signature variant — preferred |
| SLH-DSA-SHA2-256s | CKM_SLH_DSA_SHA2_256S | No (pending CMVP) | Higher security, larger signatures |
SLH-DSA signatures are substantially larger (kilobytes) and slower than ML-DSA; prefer ML-DSA unless a hash-based scheme is specifically required by policy.
Mechanism numbers
| Mechanism | Value |
|---|---|
CKM_SLH_DSA_SHA2_128S | 0x80000020 |
CKM_SLH_DSA_SHA2_256S | 0x80000021 |
Hybrid mechanisms
Hybrid schemes combine a classical and a post-quantum primitive so that the combined output remains secure as long as either primitive is unbroken. Craton HSM exposes two hybrid mechanisms.
X25519 + ML-KEM-768
| Mechanism | CKM_HYBRID_X25519_ML_KEM_768 |
|---|---|
| Value | 0x80000040 |
| Role | Key encapsulation / key agreement |
| Construction | Concatenated X25519 ECDH output and ML-KEM-768 shared secret, hashed through HKDF-SHA256 |
The hybrid public key encodes the X25519 public key followed by the ML-KEM-768 encapsulation key; the ciphertext encodes the X25519 ephemeral followed by the ML-KEM ciphertext. Cross-implementation interoperability requires matching this exact wire layout — no IETF standard fixes it yet.
ECDSA + ML-DSA
| Mechanism | CKM_HYBRID_ML_DSA_ECDSA |
|---|---|
| Value | 0x80000030 |
| Role | Digital signature |
| Construction | Concatenation of an ECDSA P-256 signature and an ML-DSA-65 signature over the same message; verification requires both to validate |
Hybrid signatures double the signature footprint relative to either primitive and double the verification cost. They are intended for transitional deployments where peers may run either classical-only, PQC-only, or hybrid code paths.
Interoperability risk
A brief summary of what may change under each crate's 1.0 release and the likely impact:
| Crate | Potential change | Impact |
|---|---|---|
ml-kem | Encapsulation key / ciphertext encoding | Keys generated today may not decapsulate with 1.0 releases |
ml-dsa | Context-string handling, randomised vs. deterministic default | Signatures may not verify cross-version |
slh-dsa | Parameter-set selection API | Signatures should remain wire-compatible |
When in doubt, pin Craton HSM versions across producer and consumer, or plan a coordinated roll-forward.
FIPS interaction
When algorithms.fips_approved_only = true, all PQC mechanisms are rejected by validate_mechanism_for_policy with CKR_MECHANISM_INVALID and C_GetMechanismList does not advertise them. See FIPS approved mode.