<!-- CANARY: REQ=REQ-SEC-AUDIT-LOG-001; FEATURE="Security"; ASPECT=AuditLog; STATUS=TESTED; OWNER=security; UPDATED=2026-01-16 -->
<h2 id="post-quantum-readiness--cryptography" class="position-relative d-flex align-items-center group"> <span>Post-Quantum Readiness &amp; Cryptography</span> </h2>
<p>As the Post-Quantum (PQ) era approaches, the security model for enterprise data storage is changing fundamentally. Geode is architected not just for today&rsquo;s threats but for the &ldquo;store now, decrypt later&rdquo; attacks of tomorrow, in which traffic recorded today is decrypted once a sufficiently capable quantum computer exists. Our cryptographic choices prioritize <strong>Forward Secrecy</strong>, <strong>Crypto-Agility</strong>, and <strong>Quantum-Resistance</strong>.</p>
<h3 id="the-post-quantum-threat-model" class="position-relative d-flex align-items-center group"> <span>The Post-Quantum Threat Model</span> </h3>
<p>Quantum computers capable of running Shor&rsquo;s algorithm will eventually break classical public-key cryptography (RSA, ECC). Symmetric encryption (AES) remains comparatively secure, provided key sizes are increased, but the mechanisms we use to <em>exchange</em> those keys are vulnerable.</p>
<p><strong>Geode&rsquo;s Defense Strategy:</strong></p>
<ol>
<li><strong>Enforce Perfect Forward Secrecy (PFS)</strong> today.</li>
<li><strong>Maximize Key Strengths</strong> for classical algorithms.</li>
<li><strong>Architect for Hybrid Key Exchange</strong> (Classical + PQ).</li>
<li><strong>Apply Field-Level Encryption (FLE)</strong> independently of transport security.</li>
</ol>
<h3 id="cryptographic-primitives" class="position-relative d-flex align-items-center group"> <span>Cryptographic Primitives</span> </h3>
<p>Geode takes a &ldquo;defense-in-depth&rdquo; approach to cryptography, selecting algorithms that offer the best security margin for their performance cost.</p>
<h4 id="transport-layer-data-in-motion" class="position-relative d-flex align-items-center group"> <span>Transport Layer (Data in Motion)</span> </h4>
<p>Geode uses <strong>QUIC + TLS 1.3</strong> exclusively. We have removed support for older protocols that lack mandatory forward secrecy or allow weak cipher suites.</p>
<ul>
<li><strong>Protocol</strong>: TLS 1.3 (RFC 8446) / QUIC (RFC 9000)</li>
<li><strong>Key Exchange</strong>: X25519 (Curve25519) - <em>High performance, constant-time execution.</em></li>
<li><strong>Signatures</strong>: Ed25519 - <em>Deterministic signatures, resistant to side-channel attacks.</em></li>
<li><strong>Symmetric Encryption</strong>:
<ul>
<li><code>TLS_AES_256_GCM_SHA384</code> (Default)</li>
<li><code>TLS_CHACHA20_POLY1305_SHA256</code> (Mobile/ARM optimization)</li>
</ul>
</li>
</ul>
<p><strong>Why this matters for Post-Quantum:</strong> By enforcing TLS 1.3, we mandate <strong>Forward Secrecy</strong>: every session key is derived from an ephemeral key exchange and is never transmitted over the wire. If a server&rsquo;s long-term private key is compromised in the future (even by a quantum computer), sessions recorded today cannot be decrypted with it. Note that forward secrecy protects against long-term key compromise only; a quantum adversary could instead attack the recorded X25519 exchange itself, which is why the hybrid key exchange described below is required to close the &ldquo;store now, decrypt later&rdquo; gap.</p>
<h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group"> <span>Transparent Data Encryption (TDE)</span> </h4>
<p>For data at rest, Geode uses an envelope encryption scheme designed for long-term security: each data encryption key is itself encrypted (wrapped) under a master key held in the KMS, so rotating the master key never requires re-encrypting every record at once.</p>
<ul>
<li><strong>Data Encryption Key (DEK)</strong>: AES-256-GCM</li>
<li><strong>Key Wrapping</strong>: AES-256-KW (Key Wrap) or RSA-OAEP-4096 (migrating to Hybrid PQ-KEM)</li>
<li><strong>Key Derivation</strong>: Argon2id (memory-hard, resistant to GPU/ASIC cracking)</li>
</ul>
<p>We mandate <strong>AES-256</strong> rather than AES-128. Grover&rsquo;s algorithm could let a quantum computer halve the effective security of a symmetric key, which would leave AES-128 with roughly 64 bits. AES-256 retains 128 bits of security against quantum brute force, which is considered safe.</p>
<h3 id="forward-secrecy--key-rotation" class="position-relative d-flex align-items-center group"> <span>Forward Secrecy &amp; Key Rotation</span> </h3>
<p>Forward Secrecy is the property that compromise of long-term keys does not compromise past session keys. Geode implements this at multiple layers:</p>
<h4 id="1-network-session-rotation" class="position-relative d-flex align-items-center group"> <span>1. Network Session Rotation</span> </h4>
<p>QUIC connections in Geode rotate their keys automatically based on data volume or elapsed time, so that even within a single long-lived connection a key compromise exposes only a small window of traffic.</p>
<h4 id="2-database-key-rotation" class="position-relative d-flex align-items-center group"> <span>2. Database Key Rotation</span> </h4>
<p>Geode&rsquo;s Key Management System (KMS) integration supports automated rotation of the master key-encryption keys. When a key is rotated:</p>
<ul>
<li>New data is encrypted with the new key.</li>
<li>Old data is lazily re-encrypted (or eagerly via background jobs).</li>
<li>Old keys are securely destroyed.</li>
</ul>
<h3 id="path-to-quantum-resistance" class="position-relative d-flex align-items-center group"> <span>Path to Quantum Resistance</span> </h3>
<p>Geode&rsquo;s architecture is built for <strong>Crypto-Agility</strong>: the ability to swap out cryptographic primitives without rewriting the core application.</p>
<h4 id="hybrid-key-exchange-upcoming" class="position-relative d-flex align-items-center group"> <span>Hybrid Key Exchange (Upcoming)</span> </h4>
<p>We are actively integrating hybrid key exchange mechanisms (X25519 + Kyber/ML-KEM). This &ldquo;hybrid&rdquo; approach combines the battle-tested security of classical ECC with the quantum resistance of lattice-based cryptography, deriving the session secret from both shared secrets so that an attacker must break both. This ensures that:</p>
<ul>
<li>If the PQ algorithm has a flaw, the classical ECC still protects the data.</li>
<li>If a quantum computer attacks, the PQ algorithm protects the data.</li>
</ul>
<h4 id="post-quantum-signatures" class="position-relative d-flex align-items-center group"> <span>Post-Quantum Signatures</span> </h4>
<p>For authentication and integrity (e.g., commit logs, backups), we are evaluating <strong>Dilithium (ML-DSA)</strong> and <strong>SPHINCS+ (SLH-DSA)</strong> for future implementation. The larger signature sizes of these algorithms are mitigated by Geode&rsquo;s efficient binary protocol and compression layers.</p>
<h3 id="comparison-of-algorithmic-choices" class="position-relative d-flex align-items-center group"> <span>Comparison of Algorithmic Choices</span> </h3>
<table>
<thead>
<tr>
<th style="text-align: left">Feature</th>
<th style="text-align: left">Legacy Standard</th>
<th style="text-align: left">Geode Standard</th>
<th style="text-align: left">Post-Quantum Readiness</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><strong>Symmetric</strong></td>
<td style="text-align: left">AES-128-CBC</td>
<td style="text-align: left"><strong>AES-256-GCM</strong></td>
<td style="text-align: left">✅ Quantum Safe (128-bit margin)</td>
</tr>
<tr>
<td style="text-align: left"><strong>Hashing</strong></td>
<td style="text-align: left">SHA-1 / SHA-256</td>
<td style="text-align: left"><strong>BLAKE3 / SHA-384</strong></td>
<td style="text-align: left">✅ Collision Resistant</td>
</tr>
<tr>
<td style="text-align: left"><strong>Key Exchange</strong></td>
<td style="text-align: left">RSA-2048</td>
<td style="text-align: left"><strong>X25519</strong></td>
<td style="text-align: left">⚠️ Vulnerable (Requires Hybrid Upgrade)</td>
</tr>
<tr>
<td style="text-align: left"><strong>Signatures</strong></td>
<td style="text-align: left">RSA-2048</td>
<td style="text-align: left"><strong>Ed25519</strong></td>
<td style="text-align: left">⚠️ Vulnerable (Requires Dilithium Upgrade)</td>
</tr>
<tr>
<td style="text-align: left"><strong>Transport</strong></td>
<td style="text-align: left">TLS 1.2</td>
<td style="text-align: left"><strong>TLS 1.3 (QUIC)</strong></td>
<td style="text-align: left">✅ Enforced Forward Secrecy</td>
</tr>
</tbody>
</table>
<h3 id="implementation-for-developers" class="position-relative d-flex align-items-center group"> <span>Implementation for Developers</span> </h3>
<p>To leverage Geode&rsquo;s Post-Quantum readiness features:</p>
<ol>
<li><strong>Use Official Clients</strong>: Our Go, Python, Rust, Node.js, and Zig clients negotiate the highest shared security protocol automatically.</li>
<li><strong>Enable Key Rotation</strong>: Configure your KMS provider to rotate keys every 90 days.</li>
<li><strong>Avoid Static Keys</strong>: Never hardcode encryption keys. Use the environment-based KMS integration.</li>
<li><strong>Use Field-Level Encryption</strong>: For highly sensitive fields (PII, secrets), use Geode&rsquo;s client-side FLE, which ensures the server (and any potential quantum attacker of the database files) never sees the plaintext.</li>
</ol>
<h3 id="conclusion" class="position-relative d-flex align-items-center group"> <span>Conclusion</span> </h3>
<p>The transition to the Post-Quantum era is not a single event but a process. Geode&rsquo;s commitment to <strong>Forward Secrecy</strong>, <strong>AES-256 defaults</strong>, and <strong>Modular Cryptography</strong> ensures your data remains secure against both today&rsquo;s hackers and tomorrow&rsquo;s quantum computers.</p>