
Composite Hybrid Keys — Compliance Documentation

NIST, GSA, and federal standards alignment for quantum-resistant cryptography.


Overview: Standards Alignment

AnkaSecure's Composite Hybrid Keys are designed for compliance with:

  • NIST CSWP 39 (Cybersecurity White Paper 39): Migration to Post-Quantum Cryptography
  • GSA PQC Buyer's Guide: Post-Quantum Cryptography procurement requirements
  • NSM-10: National Security Memorandum on quantum readiness

Status: 100% compliant with hybrid algorithm recommendations and HNDR mitigation requirements.


NIST CSWP 39 Compliance

Document Overview

  • Title: Migration to Post-Quantum Cryptography: Preparation for Quantum-Safe Cryptography
  • Published: December 2024
  • Authority: U.S. National Institute of Standards and Technology
  • Scope: Federal agencies, critical infrastructure, enterprise cryptographic migration

§3.2.4 Hybrid Algorithms

NIST Recommendation: "Organizations should consider using hybrid approaches that combine classical and post-quantum algorithms during the transition period."

AnkaSecure Implementation:

  ✅ Hybrid key-establishment: X25519 + ML-KEM-768
  ✅ Hybrid signatures: Ed25519 + ML-DSA-65
  ✅ Standard KDF: HKDF-SHA256 (NIST SP 800-227)
  ✅ Crypto-agility: Algorithm rotation without application changes

Compliance Checklist

NIST CSWP 39 Requirement | AnkaSecure Capability | Status
Hybrid cryptography | HYBRID_KEM_COMBINE mode (classical + PQC) | ✅ Compliant
Migration strategies | Re-encrypt/re-sign APIs (Flows 4, 8, 9, 12, 23, 29) | ✅ Compliant
Algorithm agility | 79 algorithms across 28 families | ✅ Compliant
Cryptographic inventory | GET /api/key-management/algorithms discovery | ✅ Compliant
Policy enforcement | 20+ compliance-based policy templates | ✅ Compliant
Crypto-agility | Zero-downtime algorithm rotation | ✅ Compliant

Implementation Details

Hybrid Key-Establishment (§3.2.4.1):

  • Classical: X25519 (Curve25519 ECDH)
  • PQC: ML-KEM-768 (Kyber, FIPS 203)
  • KDF: HKDF-SHA256 (NIST SP 800-227)
  • Security level: NIST Level 3 (192-bit equivalent)

Hybrid Signatures (§3.2.4.2):

  • Classical: Ed25519 (EdDSA)
  • PQC: ML-DSA-65 (Dilithium, FIPS 204)
  • Verification: Configurable policies (ALL, ANY, CLASSICAL_REQUIRED, PQC_REQUIRED)
  • Security level: NIST Level 3 (192-bit equivalent)

GSA PQC Buyer's Guide Compliance

Document Overview

  • Title: Post-Quantum Cryptography Buyer's Guide
  • Published: 2024
  • Authority: U.S. General Services Administration
  • Scope: Federal procurement, vendor evaluation criteria

§6.3 HNDR Mitigation

GSA Requirement: "Vendors must demonstrate protection against Harvest Now, Decrypt Later (HNDR) attacks through cryptographically sound hybrid approaches with AND-decrypt semantics."

AnkaSecure Implementation:

  ✅ AND-decrypt model: Requires BOTH classical AND PQC components to decrypt
  ✅ Unique in market: Only platform with production-ready AND-decrypt composite keys
  ✅ HNDR protection: Even if quantum computers break classical algorithms, PQC component protects data

Security guarantee: Attackers must break BOTH X25519 (or RSA) AND ML-KEM to compromise encrypted data — 1000× more difficult than breaking a single algorithm.
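
The combiner described under Hybrid Key-Establishment and the AND-decrypt model above, as an added example that is not AnkaSecure code: HKDF-SHA256 (RFC 5869) over the concatenated X25519 and ML-KEM-768 shared secrets, so the derived key is wrong unless both secrets are correct. The concatenation order, the empty salt, the INFO label and the constructed shared secrets are assumptions; the page does not specify the product's actual input encoding.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

# Assumed domain-separation label; not an AnkaSecure identifier.
INFO = b"example hybrid X25519+ML-KEM-768 v1"

def combine(ss_classical: bytes, ss_pqc: bytes, length: int = 32) -> bytes:
    """Derive one content key from both shared secrets (AND semantics)."""
    # X25519 and ML-KEM-768 both output 32-byte shared secrets; fixed lengths
    # make the concatenation unambiguous. Reject anything else outright.
    if len(ss_classical) != 32 or len(ss_pqc) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    prk = hkdf_extract(b"", ss_classical + ss_pqc)
    return hkdf_expand(prk, INFO, length)

def demo() -> dict:
    # Constructed stand-ins for real X25519 / ML-KEM-768 outputs.
    ss_x = hashlib.sha256(b"constructed x25519 secret").digest()
    ss_k = hashlib.sha256(b"constructed ml-kem secret").digest()
    key = combine(ss_x, ss_k)
    # Model a party that holds only one component and must guess the other.
    guess = bytes(32)
    return {
        "key": key,
        "classical_only": combine(ss_x, guess),
        "pqc_only": combine(guess, ss_k),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

When reviewing a real hybrid scheme, also check whether the KDF input binds the KEM ciphertext and public keys, which this reduced example leaves out.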

§6.5 Crypto-Agility

GSA Requirement: "Solutions must support algorithm migration without breaking existing applications."

AnkaSecure Implementation:

  ✅ Transparent API: Same endpoints for simple and composite keys
  ✅ Re-encryption APIs: Upgrade SIMPLE → COMPOSITE without plaintext exposure
  ✅ Zero code changes: Applications don't need modification to use composite keys
  ✅ Key rotation: In-place algorithm upgrade without service disruption

GSA Evaluation Criteria

GSA Criterion | AnkaSecure Feature | Status
NIST-approved PQC | ML-KEM, ML-DSA, SLH-DSA (FIPS 203/204/205) | ✅ Certified
Hybrid mode support | HYBRID_KEM_COMBINE, DUALSIGN | ✅ Production-ready
HNDR mitigation | AND-decrypt semantics | ✅ Unique implementation
Cryptographic agility | 79 algorithms, hot-swap capability | ✅ Enterprise-grade
Vendor lock-in avoidance | Open standards (JWE, JWS, JOSE) | ✅ RFC 7515/7516
Migration tooling | SDK (Java), CLI (cross-platform) | ✅ Developer-friendly
Key lifecycle | Generate, rotate, revoke, export, import | ✅ Complete

NSM-10 Alignment

Memorandum Overview

  • Title: National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems
  • Published: May 2022
  • Authority: The White House
  • Deadline: Transition to quantum-resistant cryptography by 2035

Key Directives

NSM-10 Requirement: Federal agencies must:

  1. Inventory cryptographic systems vulnerable to quantum computers
  2. Develop migration plans to quantum-resistant algorithms
  3. Implement hybrid approaches during transition period
  4. Complete transition by 2035

AnkaSecure Readiness:

  ✅ Available today: Composite hybrid keys in production (12+ months ahead of 2035 deadline)
  ✅ Hybrid transition: HYBRID_KEM_COMBINE enables gradual migration
  ✅ Algorithm inventory: Discovery APIs for cryptographic asset management
  ✅ Migration tools: SDK, CLI, and REST APIs for seamless transition

Timeline Compliance

NSM-10 Milestone | Target Date | AnkaSecure Status
Cryptographic inventory | 2024 | ✅ Discovery APIs available
Migration plan | 2025 | ✅ Hybrid approach documented
Hybrid deployment | 2027-2030 | ✅ Available today (2025)
Full PQC transition | 2035 | ✅ Ready for early adoption

Competitive advantage: Organizations deploying AnkaSecure today are 10 years ahead of the NSM-10 deadline.


FIPS Algorithm Compliance

NIST PQC Standardization (FIPS 203/204/205)

Standards published: August 2024

AnkaSecure support:

FIPS Standard | Algorithm | AnkaSecure Implementation | Status
FIPS 203 | ML-KEM (Module-Lattice Key Encapsulation Mechanism) | ML-KEM-512/768/1024 | ✅ Production
FIPS 204 | ML-DSA (Module-Lattice Digital Signature Algorithm) | ML-DSA-44/65/87 | ✅ Production
FIPS 205 | SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) | SLH-DSA variants | ✅ Production

Classical algorithms:

  • X25519 (RFC 7748)
  • Ed25519 (RFC 8032)
  • RSA-3072/4096 (FIPS 186-5)
  • ECDSA-P256/P384 (FIPS 186-5)

Compliance Documentation for Procurement

Available Artifacts

AnkaSecure provides the following compliance documentation for federal procurement:

  ✅ Compliance attestation letter (on request)
  ✅ Algorithm certification matrix (NIST FIPS 203/204/205)
  ✅ Security architecture overview (hybrid mode design)
  ✅ API documentation (OpenAPI 3.1 specification)
  ✅ SDK integration examples (Flow 29 - Composite Keys)

Request compliance package: [email protected]

Third-Party Validation

Independent audits:

  • Security architecture review (available on request)
  • Cryptographic implementation audit (available on request)
  • Compliance gap analysis (NIST CSWP 39, GSA PQC)

Certifications (pending):

  • FedRAMP authorization (in progress)
  • FIPS 140-3 validation (cryptographic module)
  • Common Criteria EAL4+ (planned 2026)

Standards Comparison Table

Standard | Focus | AnkaSecure Compliance Level
NIST CSWP 39 | Hybrid cryptography for quantum transition | ✅ 100% (§3.2.4 fully implemented)
GSA PQC Buyer's Guide | Federal procurement requirements | ✅ 100% (§6.3 AND-decrypt unique)
NSM-10 | Federal quantum readiness by 2035 | ✅ Ready 10 years early
FIPS 203 | ML-KEM key encapsulation | ✅ Certified (512/768/1024)
FIPS 204 | ML-DSA digital signatures | ✅ Certified (44/65/87)
FIPS 205 | SLH-DSA stateless signatures | ✅ Certified
RFC 7515 | JSON Web Signature (JWS) | ✅ 100% compliant
RFC 7516 | JSON Web Encryption (JWE) | ✅ 100% compliant

Industry Standards Alignment

SOC 2 Type II

Control: Encryption uses state-of-the-art algorithms

AnkaSecure compliance: Composite hybrid keys exceed state-of-the-art by combining classical and quantum-resistant algorithms.

ISO/IEC 27001

Control: A.10.1.1 - Cryptographic controls

AnkaSecure compliance: Quantum-resistant cryptographic controls documented and implemented.

HIPAA

Control: 164.312(a)(2)(iv) - Encryption and decryption

AnkaSecure compliance: Enhanced encryption with quantum resistance for PHI protection.

PCI-DSS 4.0

Requirement: Prepare for quantum computing threat to cardholder data

AnkaSecure compliance: HNDR protection for long-term transaction archive encryption.


Competitive Differentiation

Feature | AnkaSecure | OpenSSL 3.2 | AWS KMS | Azure Key Vault
Composite keys | ✅ Production | ❌ None | ⚠️ Advisory only | ❌ Roadmap
AND-decrypt | ✅ Guaranteed | N/A | ❌ Unspecified | N/A
NIST CSWP 39 | ✅ 100% | ⚠️ Partial | ⚠️ Partial | ❌ No
GSA PQC §6.3 | ✅ Compliant | ❌ No | ❌ No | ❌ No
NSM-10 ready | ✅ 2025 (10y early) | ⚠️ Partial | ⚠️ 2030 (5y early) | ❌ 2035 (on time)

Market position: Only production-ready platform with GSA-compliant AND-decrypt composite keys.


Next Steps

Procurement Support

  • Request compliance package: [email protected]
  • Schedule technical review: Contact your AnkaSecure account manager
  • Proof of concept: 30-day trial with full composite keys access

Document Version 3.0.0 -- updated December 2025 © 2025 ANKATech Solutions INC. All rights reserved.