Open Specification

Hybrid PQC Envelope
Wire Format Specification

This document specifies the encrypted payload envelope used by QuantaSeal for all data-in-transit and at-rest operations. It is published as an open specification so security researchers can verify the design and enterprise customers can decrypt their own data without QuantaSeal software.

View Full Spec on GitHub Download SPEC.md

Why publish the wire format?

Security researcher audit

Independent verification that the cryptographic design is correct - not just claimed.

Key escrow / business continuity

Enterprise customers can decrypt their data with any compliant liboqs implementation if QuantaSeal ever ceases to operate.

Third-party interoperability

Any open-source project can implement a compatible encoder or decoder using this spec.

JSON Envelope Structure

HybridCryptoEnvelope - wire format v1.0

{
  "encrypted": {
    "ciphertext_kem":  "<base64, exactly 1088 bytes - ML-KEM-768>",
    "ciphertext_data": "<base64 - nonce[12] || AES-GCM-ciphertext || tag[16]>",
    "tenant_id":       "<uuid>",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":   "<base64, ≤ 3309 bytes - ML-DSA-65>",
    "hmac_signature":  "<base64, 64 bytes - HMAC-SHA-512>",
    "tenant_id":       "<uuid>",
    "algorithm":       "ML-DSA-65+HMAC-SHA-512"
  }
}

Algorithm Parameters (NIST References)

Algorithm	Standard	Security Level	Public Key	Secret Key	CT / Sig	Notes
ML-KEM-768	NIST FIPS 203	3	1,184	2,400	1,088	shared secret = 32 bytes
ML-DSA-65	NIST FIPS 204	3	1,952	4,032	≤ 3,309	max signature bytes
AES-256-GCM	NIST FIPS 197 + SP 800-38D	-	-	32	16 (tag)	nonce = 12 bytes
HKDF-SHA-512	RFC 5869	-	-	-	32	output key length (AES key)

All sizes in bytes. Source: NIST FIPS 203 §4 Table 2, FIPS 204 §4 Table 2, FIPS 197, RFC 5869.

Encryption Algorithm

1.Generate ephemeral ML-KEM-768 keypair
2.Encapsulate against tenant public key → shared_secret (32 B)
3.Derive AES key: HKDF-SHA-512(shared_secret, info=b"quantaseal-aes-key") → 32 B
4.Encrypt: AES-256-GCM(key, nonce=os.urandom(12), plaintext) → ciphertext_data
5.Sign ciphertext_data: ML-DSA-65.Sign(dk_tenant) + HMAC-SHA-512(tenant_hmac_key)

Decryption Algorithm

1.Reject if algorithm ≠ "ML-KEM-768" / "ML-DSA-65+HMAC-SHA-512"
2.Verify ML-DSA-65 signature AND HMAC-SHA-512 (bitwise &, no short-circuit)
3.ABORT if either signature fails - never attempt decryption
4.Decapsulate: ML-KEM-768.Decaps(dk_tenant, ciphertext_kem) → shared_secret
5.Derive AES key (same HKDF), decrypt AES-256-GCM, verify GCM tag

Key Escrow - Decrypt Without QuantaSeal

Enterprise customers can decrypt all QuantaSeal-protected data independently using any conformant ML-KEM-768 + AES-256-GCM implementation (e.g. liboqs, AWS Encryption SDK with custom KDF).

Required key material (exportable on request per the QuantaSeal SLA):

Tenant ML-KEM-768 secret key (dk_tenant)
Tenant HMAC secret (tenant_hmac_key, derived via SHA-512 from tenant secret)
Tenant ML-DSA-65 public key (pk_tenant, for signature verification)

Live NIST Parameter Verification

Every result on the attestation page is generated by running fresh ML-KEM-768 and ML-DSA-65 operations on our production backend - validated against this spec in real time.

View Live Attestation

Reference Implementations

🐍Python

pip install quantaseal

⬡Node.js

npm install @quantaseal/sdk

🐹Go

go get github.com/QuantaSeal/sdk/go

QUANTASEAL

Hybrid PQC Envelope
Wire Format Specification

Why publish the wire format?

Security researcher audit

Independent verification that the cryptographic design is correct - not just claimed.

Key escrow / business continuity

Enterprise customers can decrypt their data with any compliant liboqs implementation if QuantaSeal ever ceases to operate.

Third-party interoperability

Any open-source project can implement a compatible encoder or decoder using this spec.

JSON Envelope Structure

HybridCryptoEnvelope - wire format v1.0

{
  "encrypted": {
    "ciphertext_kem":  "<base64, exactly 1088 bytes - ML-KEM-768>",
    "ciphertext_data": "<base64 - nonce[12] || AES-GCM-ciphertext || tag[16]>",
    "tenant_id":       "<uuid>",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":   "<base64, ≤ 3309 bytes - ML-DSA-65>",
    "hmac_signature":  "<base64, 64 bytes - HMAC-SHA-512>",
    "tenant_id":       "<uuid>",
    "algorithm":       "ML-DSA-65+HMAC-SHA-512"
  }
}

Algorithm Parameters (NIST References)

Algorithm	Standard	Security Level	Public Key	Secret Key	CT / Sig	Notes
ML-KEM-768	NIST FIPS 203	3	1,184	2,400	1,088	shared secret = 32 bytes
ML-DSA-65	NIST FIPS 204	3	1,952	4,032	≤ 3,309	max signature bytes
AES-256-GCM	NIST FIPS 197 + SP 800-38D	-	-	32	16 (tag)	nonce = 12 bytes
HKDF-SHA-512	RFC 5869	-	-	-	32	output key length (AES key)

All sizes in bytes. Source: NIST FIPS 203 §4 Table 2, FIPS 204 §4 Table 2, FIPS 197, RFC 5869.

Key Escrow - Decrypt Without QuantaSeal

Enterprise customers can decrypt all QuantaSeal-protected data independently using any conformant ML-KEM-768 + AES-256-GCM implementation (e.g. liboqs, AWS Encryption SDK with custom KDF).

Required key material (exportable on request per the QuantaSeal SLA):

Tenant ML-KEM-768 secret key (dk_tenant)
Tenant HMAC secret (tenant_hmac_key, derived via SHA-512 from tenant secret)
Tenant ML-DSA-65 public key (pk_tenant, for signature verification)

Hybrid PQC EnvelopeWire Format Specification

Why publish the wire format?

JSON Envelope Structure

Algorithm Parameters (NIST References)

Encryption Algorithm

Decryption Algorithm

Key Escrow - Decrypt Without QuantaSeal

Reference Implementations

Hybrid PQC EnvelopeWire Format Specification

Why publish the wire format?

JSON Envelope Structure

Algorithm Parameters (NIST References)

Encryption Algorithm

Decryption Algorithm

Key Escrow - Decrypt Without QuantaSeal

Reference Implementations

Hybrid PQC Envelope
Wire Format Specification

Hybrid PQC Envelope
Wire Format Specification