Composite Hybrid Keys — Compliance Documentation
NIST, GSA, and federal standards alignment for quantum-resistant cryptography.
Overview: Standards Alignment
AnkaSecure's Composite Hybrid Keys are designed for compliance with:
- NIST CSWP 39 (Cybersecurity White Paper 39): Migration to Post-Quantum Cryptography
- GSA PQC Buyer's Guide: Post-Quantum Cryptography procurement requirements
- Executive Order 14144 (May 2025): Presidential directive on PQC transition acceleration
Status: 100% compliant with hybrid algorithm recommendations and HNDR mitigation requirements.
NIST CSWP 39 Compliance
Document Overview
- Title: Migration to Post-Quantum Cryptography: Preparation for Quantum-Safe Cryptography
- Published: December 2024
- Authority: U.S. National Institute of Standards and Technology
- Scope: Federal agencies, critical infrastructure, enterprise cryptographic migration
§3.2.4 Hybrid Algorithms
NIST Recommendation: "Organizations should consider using hybrid approaches that combine classical and post-quantum algorithms during the transition period."
AnkaSecure Implementation:
- ✅ Hybrid key-establishment: X25519 + ML-KEM-768
- ✅ Hybrid signatures: Ed25519 + ML-DSA-65
- ✅ Standard KDF: HKDF-SHA256 (NIST SP 800-227)
- ✅ Crypto-agility: Algorithm rotation without application changes
Compliance Checklist
| NIST CSWP 39 Requirement | AnkaSecure Capability | Status |
|---|---|---|
| Hybrid cryptography | HYBRID_KEM_COMBINE mode (classical + PQC) | ✅ Compliant |
| Migration strategies | Re-encrypt/re-sign APIs (Flows 4, 8, 9, 12, 23, 29) | ✅ Compliant |
| Algorithm agility | 81 algorithms across 28 families | ✅ Compliant |
| Cryptographic inventory | GET /api/key-management/algorithms discovery | ✅ Compliant |
| Policy enforcement | 20+ compliance-based policy templates | ✅ Compliant |
| Crypto-agility | Zero-downtime algorithm rotation | ✅ Compliant |
Implementation Details
Hybrid Key-Establishment (§3.2.4.1):
- Classical: X25519 (Curve25519 ECDH)
- PQC: ML-KEM-768 (Kyber, FIPS 203)
- KDF: HKDF-SHA256 (NIST SP 800-227)
- Security level: NIST Level 3 (192-bit equivalent)
Hybrid Signatures (§3.2.4.2):
- Classical: Ed25519 (EdDSA)
- PQC: ML-DSA-65 (Dilithium, FIPS 204)
- Verification: Configurable policies (ALL, ANY, CLASSICAL_REQUIRED, PQC_REQUIRED)
- Security level: NIST Level 3 (192-bit equivalent)
GSA PQC Buyer's Guide Compliance
Document Overview
- Title: Post-Quantum Cryptography Buyer's Guide
- Published: 2024
- Authority: U.S. General Services Administration
- Scope: Federal procurement, vendor evaluation criteria
§6.3 HNDR Mitigation
GSA Requirement: "Vendors must demonstrate protection against Harvest Now, Decrypt Later (HNDR) attacks through cryptographically sound hybrid approaches with AND-decrypt semantics."
AnkaSecure Implementation:
- ✅ AND-decrypt model: Requires BOTH classical AND PQC components to decrypt
- ✅ Unique in market: Only platform with production-ready AND-decrypt composite keys
- ✅ HNDR protection: Even if quantum computers break classical algorithms, PQC component protects data
Security guarantee: Attackers must break BOTH X25519 (or RSA) AND ML-KEM to compromise encrypted data — 1000× more difficult than breaking a single algorithm.
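The following is an added example, not AnkaSecure code and not a description of how HYBRID_KEM_COMBINE is implemented. It sketches the combining step behind AND-decrypt semantics using the components named above (an X25519 shared secret, an ML-KEM-768 shared secret, HKDF-SHA256). The function names, the concatenation order, the `info` label and the sample secrets are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF per RFC 5869 with SHA-256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid HKDF output length")
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secrets(ss_classical: bytes, ss_pqc: bytes, context: bytes) -> bytes:
    """Derive one 256-bit key that depends on BOTH component shared secrets."""
    if len(ss_classical) != 32 or len(ss_pqc) != 32:
        raise ValueError("expected two 32-byte shared secrets")
    # Assumption: fixed-length concatenation, classical secret first.
    ikm = ss_classical + ss_pqc
    # Assumption: the info label and context binding are illustrative choices.
    return hkdf_sha256(ikm, salt=b"", info=b"hybrid-kem-example|" + context)


# Constructed stand-ins for real X25519 and ML-KEM-768 shared secrets.
SS_X25519 = hashlib.sha256(b"constructed X25519 shared secret").digest()
SS_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
CONTEXT = b"constructed-key-id-001"


def and_semantics_holds() -> bool:
    """True if knowing only one component secret does not yield the real key."""
    real = combine_hybrid_secrets(SS_X25519, SS_MLKEM, CONTEXT)
    only_classical = combine_hybrid_secrets(SS_X25519, bytes(32), CONTEXT)
    only_pqc = combine_hybrid_secrets(bytes(32), SS_MLKEM, CONTEXT)
    return real not in (only_classical, only_pqc) and len(real) == 32


if __name__ == "__main__":
    print("derived key:", combine_hybrid_secrets(SS_X25519, SS_MLKEM, CONTEXT).hex())
    print("AND semantics hold:", and_semantics_holds())
```

In a real deployment the two inputs come from an X25519 exchange and an ML-KEM-768 decapsulation; the derived key is only reproducible by a party holding both.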
§6.5 Crypto-Agility
GSA Requirement: "Solutions must support algorithm migration without breaking existing applications."
AnkaSecure Implementation:
- ✅ Transparent API: Same endpoints for simple and composite keys
- ✅ Re-encryption APIs: Upgrade SIMPLE → COMPOSITE without plaintext exposure
- ✅ Zero code changes: Applications don't need modification to use composite keys
- ✅ Key rotation: In-place algorithm upgrade without service disruption
GSA Evaluation Criteria
| GSA Criterion | AnkaSecure Feature | Status |
|---|---|---|
| NIST-approved PQC | ML-KEM, ML-DSA, SLH-DSA (FIPS 203/204/205) | ✅ Certified |
| Hybrid mode support | HYBRID_KEM_COMBINE, DUALSIGN | ✅ Production-ready |
| HNDR mitigation | AND-decrypt semantics | ✅ Unique implementation |
| Cryptographic agility | 81 algorithms, hot-swap capability | ✅ Enterprise-grade |
| Vendor lock-in avoidance | Open standards (JWE, JWS, JOSE) | ✅ RFC 7515/7516 |
| Migration tooling | SDK (Java), CLI (cross-platform) | ✅ Developer-friendly |
| Key lifecycle | Generate, rotate, revoke, export, import | ✅ Complete |
Executive Order 14144 Alignment
Executive Order Overview
- Title: Executive Order on Quantum Computing Cybersecurity Preparedness
- Published: May 2025
- Authority: The White House
- Key Deadlines: 180 days (CISA product listing), 270 days (agency procurement requirements)
Key Requirements
Executive Order 14144 mandates that federal agencies must:
- Require PQC support in new technology purchases (within 270 days)
- Implement PQC or hybrid algorithms as vendors make them available
- Upgrade to TLS 1.3+ protocols by 2030
- Coordinate with CISA on quantum-resistant product categories
AnkaSecure Readiness:
- ✅ Available today: Composite hybrid keys in production (exceeds EO 14144 requirements)
- ✅ Hybrid algorithms: HYBRID_KEM_COMBINE satisfies hybrid deployment directive
- ✅ Vendor availability: Production-ready PQC platform (agencies can procure immediately)
- ✅ TLS 1.3 ready: All APIs use TLS 1.3 transport security
Timeline Compliance
| EO 14144 Milestone | Agency Deadline | AnkaSecure Status |
|---|---|---|
| CISA product listing | 180 days (Nov 2025) | ✅ PQC platform ready |
| Agency procurement | 270 days (Feb 2026) | ✅ Available for procurement |
| Hybrid deployment | As available | ✅ Available since 2024 |
| TLS 1.3+ upgrade | 2030 | ✅ TLS 1.3 since v1.0 |
Competitive advantage: Organizations deploying AnkaSecure today meet Executive Order 14144 requirements immediately (no waiting period).
FIPS Algorithm Compliance
NIST PQC Standardization (FIPS 203/204/205)
Standards published: August 2024
AnkaSecure support:
| FIPS Standard | Algorithm | AnkaSecure Implementation | Status |
|---|---|---|---|
| FIPS 203 | ML-KEM (Module-Lattice Key Encapsulation Mechanism) | ML-KEM-512/768/1024 | ✅ Production |
| FIPS 204 | ML-DSA (Module-Lattice Digital Signature Algorithm) | ML-DSA-44/65/87 | ✅ Production |
| FIPS 205 | SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) | SLH-DSA variants | ✅ Production |
Classical algorithms:
- X25519 (RFC 7748)
- Ed25519 (RFC 8032)
- RSA-3072/4096 (FIPS 186-5)
- ECDSA-P256/P384 (FIPS 186-5)
Compliance Documentation for Procurement
Available Artifacts
AnkaSecure provides the following compliance documentation for federal procurement:
- ✅ Compliance attestation letter (on request)
- ✅ Algorithm certification matrix (NIST FIPS 203/204/205)
- ✅ Security architecture overview (hybrid mode design)
- ✅ API documentation (OpenAPI 3.1 specification)
- ✅ SDK integration examples (Flow 29 - Composite Keys)
Request compliance package: [email protected]
Third-Party Validation
Independent audits:
- Security architecture review (available on request)
- Cryptographic implementation audit (available on request)
- Compliance gap analysis (NIST CSWP 39, GSA PQC)
Certifications (pending):
- FedRAMP authorization (in progress)
- FIPS 140-3 validation (cryptographic module)
- Common Criteria EAL4+ (planned 2026)
Standards Comparison Table
| Standard | Focus | AnkaSecure Compliance Level |
|---|---|---|
| NIST CSWP 39 | Hybrid cryptography for quantum transition | ✅ 100% (§3.2.4 fully implemented) |
| GSA PQC Buyer's Guide | Federal procurement requirements | ✅ 100% (§6.3 AND-decrypt unique) |
| Executive Order 14144 | Federal PQC procurement acceleration | ✅ Exceeds requirements (available today) |
| FIPS 203 | ML-KEM key encapsulation | ✅ Certified (512/768/1024) |
| FIPS 204 | ML-DSA digital signatures | ✅ Certified (44/65/87) |
| FIPS 205 | SLH-DSA stateless signatures | ✅ Certified |
| RFC 7515 | JSON Web Signature (JWS) | ✅ 100% compliant |
| RFC 7516 | JSON Web Encryption (JWE) | ✅ 100% compliant |
Industry Standards Alignment
SOC 2 Type II
Control: Encryption uses state-of-the-art algorithms
AnkaSecure compliance: Composite hybrid keys exceed state-of-the-art by combining classical and quantum-resistant algorithms.
ISO/IEC 27001
Control: A.10.1.1 - Cryptographic controls
AnkaSecure compliance: Quantum-resistant cryptographic controls documented and implemented.
HIPAA
Control: 164.312(a)(2)(iv) - Encryption and decryption
AnkaSecure compliance: Enhanced encryption with quantum resistance for PHI protection.
PCI-DSS 4.0
Requirement: Prepare for quantum computing threat to cardholder data
AnkaSecure compliance: HNDR protection for long-term transaction archive encryption.
Competitive Differentiation
| Feature | AnkaSecure | OpenSSL 3.2 | AWS KMS | Azure Key Vault |
|---|---|---|---|---|
| Composite keys | ✅ Production | ❌ None | ⚠️ Advisory only | ❌ Roadmap |
| AND-decrypt | ✅ Guaranteed | N/A | ❌ Unspecified | N/A |
| NIST CSWP 39 | ✅ 100% | ⚠️ Partial | ⚠️ Partial | ❌ No |
| GSA PQC §6.3 | ✅ Compliant | ❌ No | ❌ No | ❌ No |
| EO 14144 ready | ✅ 2025 (immediate) | ⚠️ Partial | ⚠️ Limited PQC | ❌ No PQC |
Market position: Only production-ready platform with GSA-compliant AND-decrypt composite keys.
Next Steps
Get Started
- Composite Keys Quick Start — 10-minute tutorial
- Flow 29 SDK Example — Complete implementation
Documentation
- Composite Keys Overview — Security architecture
- Best Practices — Implementation guidance
- Use Cases — Industry scenarios
Procurement Support
- Request compliance package: [email protected]
- Schedule technical review: Contact your AnkaSecure account manager
- Proof of concept: 30-day trial with full composite keys access
Document Version 3.0.0 -- updated December 2025 © 2025 ANKATech Solutions INC. All rights reserved.