Skip to main content

Post-Quantum Crypto Shield Router — bridge legacy crypto to quantum-safe algorithms with TIBET provenance

Project description

tibet-pqc — Post-Quantum Crypto Shield Router

Bridge legacy RSA/ECC to quantum-safe algorithms without touching legacy devices.

Same pattern as tibet-y2k38: protect legacy via a router, not via replacement.

tibet-pqc shields data from quantum-vulnerable devices by wrapping it in post-quantum cryptography at the router level. Every cryptographic transition is tracked with TIBET provenance tokens.

The "Store Now, Decrypt Later" Crisis

Adversaries are intercepting encrypted traffic today and storing it. When cryptographically relevant quantum computers arrive (~2030), they'll decrypt everything. This is not theoretical — the NSA, NCSC, and BSI are actively warning about it.

Your legacy SCADA PLC running RSA-1024 can't be upgraded. But the data it sends can be shielded at the network boundary.

Install

pip install tibet-pqc

Quick Start

Shield a legacy device

from tibet_pqc import PQCRouter, ClassicAlgorithm

router = PQCRouter()
router.add_device("plc-01", classic=ClassicAlgorithm.RSA_1024, profile="scada")
result = router.shield("plc-01", data=b"sensor_reading_42")

print(result.pqc_algorithm)    # ml-kem-512
print(result.security_level)   # 1
print(result.shielded)         # True

Scan for vulnerable endpoints

tibet-pqc scan example.com:443 api.example.com:443

  🟠 example.com:443
     Algorithm: rsa-2048 (256 bits)
     Risk:      HIGH
     Migrate:    ml-kem-768 (Level 3)
pqc-scan --json example.com:443 | jq '.[].risk'

View Q-Day countdown

tibet-pqc info

Run interactive demo

tibet-pqc demo

How It Works

[Legacy Device]  --RSA/ECC-->  [PQC Shield Router]  --ML-KEM-->  [Internet]
  (unchanged)                       |                              (quantum-safe)
                              TIBET audit-trail
                              JIS quantum-ID
  1. Legacy device sends data encrypted with classic crypto (RSA, ECDSA, etc.)
  2. PQC Router intercepts at the network boundary
  3. Router wraps the data in a post-quantum shell (ML-KEM, ML-DSA)
  4. Data travels quantum-safe over the internet
  5. TIBET creates an audit trail of the transition
  6. JIS provides quantum-resistant device identity

The legacy device never needs to change.

NIST Standards (August 2024)

Standard Algorithm Purpose Replaces
FIPS 203 ML-KEM (Kyber) Key Encapsulation RSA, ECDH
FIPS 204 ML-DSA (Dilithium) Digital Signatures RSA, ECDSA
FIPS 205 SLH-DSA (SPHINCS+) Hash-based Signatures RSA, DSA

Sector Profiles

Profile Sector Classic Crypto → PQC SNDL Risk Compliance
banking Financial RSA-2048 ML-KEM-1024 Critical PCI DSS, DORA, NIS2
healthcare Medical RSA-2048 ML-KEM-768 Critical HIPAA, MDR, FDA
government Gov/Defense RSA-4096 ML-KEM-1024 Critical CNSA 2.0, eIDAS 2.0
scada Industrial RSA-1024 ML-KEM-512 High IEC 62443, NIS2
telecom Telecom ECDSA-P256 ML-DSA-65 Critical 3GPP, GSMA, NIS2
iot IoT ECDSA-P256 ML-KEM-512 Medium ETSI, CE RED
generic IT RSA-2048 ML-KEM-768 High SOC2, ISO 27001
tibet-pqc profiles
tibet-pqc profiles --json

TIBET Provenance

Every shield operation creates a TIBET token:

Layer Content
ERIN What was shielded (data hash, algorithm transition)
ERAAN Device dependencies (JIS identity, firmware)
EROMHEEN Context (router, timestamp, network)
ERACHTER Intent (compliance requirement, SNDL protection)

This gives you proof of when each system was migrated to PQC — critical for compliance audits.

Part of the TIBET ecosystem

Package Purpose
tibet-core Protocol core
tibet-y2k38 Y2K38 Time Bridge
tibet-pol Process Integrity Checker
tibet-pqc Post-Quantum Crypto Router
tibet-overlay Identity Overlay
tibet-twin Digital Twin Guard

License

MIT — Humotica AI Lab 2025-2026

Authors

Credits

Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.


Stack-positie: Groep specialized · Eigen tijdlijn — niet onderdeel van de ainternet/evidence-spine · ← tibet-y2k38 · tibet-gateway → · See STACK.md · See demo/golden-path/ for the spine end-to-end.

Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

Enterprise enterprise@humotica.com
Support support@humotica.com
Security security@humotica.com

See ENTERPRISE.md for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tibet_pqc-0.1.1.tar.gz (14.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tibet_pqc-0.1.1-py3-none-any.whl (17.1 kB view details)

Uploaded Python 3

File details

Details for the file tibet_pqc-0.1.1.tar.gz.

File metadata

  • Download URL: tibet_pqc-0.1.1.tar.gz
  • Upload date:
  • Size: 14.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_pqc-0.1.1.tar.gz
Algorithm Hash digest
SHA256 d930790ca6c7a8a0830eaf75e855b1a36e63407e50899835a25426a03f3704f3
MD5 8180ea068417ec32167b3cbf9eaae14c
BLAKE2b-256 6d80b77f91bb134f6a45fd2731ee740da7aae58f343f259c12d389d52940b868

See more details on using hashes here.

File details

Details for the file tibet_pqc-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: tibet_pqc-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 17.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_pqc-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a936be439585c83417cf4b10ebb8003eb26e51c1d84de10a337bf139425152e3
MD5 0b07fd252b66d13c275a4044ec7c7598
BLAKE2b-256 a5d902a0247bbbd5596c04ab55635cd11d1bc61cb86222d19bb7c7c062cbfe2d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page