Quantum-Safe Lab

Comprehensive quantum protection laboratory: PQ-QUIC, PQ-MASQUE, hybrid cryptographic schemes and crypto-agility

Status: Active. Started: December 2025

Project Overview

Quantum-Safe Lab is a research laboratory focused on integrating post-quantum cryptographic algorithms into modern network protocols. The project covers PQ-QUIC, PQ-MASQUE, hybrid cryptographic schemes, and crypto-agility mechanisms for seamless migration.

The laboratory is divided into Open Lab (public research and open-source tools) and Closed Lab (NDA-protected projects for corporate partners).

Laboratory Structure

Open Lab

Public Research

Open research, publications, open-source tools. Available to all community members.

  • PQ-QUIC reference implementation
  • Hybrid TLS tests
  • Public benchmark data
  • Documentation and tutorials

Closed Lab

NDA-Protected Projects

Closed research for corporate partners. Individual projects under NDA.

Access:

  • CloudBridge Team
  • Trusted Researchers
  • Selected Corporate Partners

Why Closed?

To protect:

  • Unique developments
  • Commercial value
  • National technological security

Access through sponsorship and partnership

PQ-QUIC / PQ-MASQUE Architecture

┌─────────────────────────────────────────────────────────────────────────────┐
│                        PQ-QUIC / PQ-MASQUE Architecture                     │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  ┌───────────────┐         ┌──────────────────┐         ┌───────────────┐   │
│  │    Client     │         │   CloudBridge    │         │    Server     │   │
│  │               │◄───────►│      Relay       │◄───────►│               │   │
│  └───────┬───────┘         └────────┬─────────┘         └───────┬───────┘   │
│          │                          │                           │           │
│          │      PQ-QUIC Handshake   │                           │           │
│          │◄─────────────────────────►                           │           │
│          │   X25519 + ML-KEM-768    │                           │           │
│          │                          │                           │           │
│  ┌───────┴──────────────────────────────────────────────────────┴────────┐  │
│  │                        Hybrid Key Exchange                            │  │
│  │  ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐    │  │
│  │  │   X25519 (ECDH) │ +  │   ML-KEM-768    │ =  │  Hybrid Secret  │    │  │
│  │  │   Classical     │    │   Post-Quantum  │    │   Combined      │    │  │
│  │  └─────────────────┘    └─────────────────┘    └─────────────────┘    │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                                                             │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                        PQ-MASQUE Tunnel                               │  │
│  │  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐                │  │
│  │  │ CONNECT-UDP │───►│  PQ-TLS 1.3 │───►│ UDP Proxy   │                │  │
│  │  │ CONNECT-IP  │    │  ML-DSA Sig │    │ Forwarding  │                │  │
│  │  └─────────────┘    └─────────────┘    └─────────────┘                │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                                                             │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                        Crypto-Agility Layer                           │  │
│  │  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐                │  │
│  │  │ Algorithm   │───►│ Hot-swap    │───►│ Zero-       │                │  │
│  │  │ Registry    │    │ Engine      │    │ Downtime    │                │  │
│  │  └─────────────┘    └─────────────┘    └─────────────┘                │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
            

Hybrid post-quantum protection architecture with crypto-agility

Key Directions

PQ-QUIC

Integration of ML-KEM (Kyber) into the QUIC handshake for post-quantum protection of the key exchange. A hybrid X25519+ML-KEM mode preserves backward compatibility.

PQ-MASQUE

Post-quantum protection for MASQUE tunnels (CONNECT-UDP, CONNECT-IP). ML-DSA signatures for server authentication.

Hybrid Schemes

Combination of classical (X25519, ECDSA) and post-quantum (ML-KEM, ML-DSA) algorithms for maximum protection and compatibility.
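
An added example, not code from Quantum-Safe Lab: one X25519 + ML-KEM-768 exchange carried through in Go with the standard library (`crypto/mlkem`, which needs Go 1.24 or later). The ML-KEM-first ordering of shares and secret follows the X25519MLKEM768 TLS group and is an assumption here, as are the names `HybridExchange` and `must`; the page does not state the lab's wire layout.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem" // standard library since Go 1.24 (assumed toolchain)
	"crypto/rand"
	"fmt"
)

// must panics on error; a real handshake would abort the connection instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// HybridExchange runs both sides of one X25519 + ML-KEM-768 exchange in-process and
// returns the wire shares and each side's secret. tamper flips one ciphertext bit in transit.
func HybridExchange(tamper bool) (clientShare, serverShare, clientSecret, serverSecret []byte) {
	x, ekLen, ctLen := ecdh.X25519(), mlkem.EncapsulationKeySize768, mlkem.CiphertextSize768
	// Client: ephemeral keys; share = ML-KEM encapsulation key || X25519 public key.
	dk := must(mlkem.GenerateKey768())
	cPriv := must(x.GenerateKey(rand.Reader))
	clientShare = append(dk.EncapsulationKey().Bytes(), cPriv.PublicKey().Bytes()...)

	// Server: split at the fixed ML-KEM length, validate both halves, encapsulate, run ECDH.
	ek := must(mlkem.NewEncapsulationKey768(clientShare[:ekLen]))
	sPriv := must(x.GenerateKey(rand.Reader))
	kemSecret, ct := ek.Encapsulate()
	ecSecret := must(sPriv.ECDH(must(x.NewPublicKey(clientShare[ekLen:]))))
	serverShare = append(ct, sPriv.PublicKey().Bytes()...)
	serverSecret = append(kemSecret, ecSecret...) // ML-KEM secret first, then X25519
	if tamper {
		serverShare[0] ^= 1 // constructed in-transit modification
	}
	// Client: decapsulate and run ECDH. ML-KEM returns no error for a modified ciphertext
	// (implicit rejection); it yields an unrelated secret, so key confirmation fails later.
	kemSecret2 := must(dk.Decapsulate(serverShare[:ctLen]))
	ecSecret2 := must(cPriv.ECDH(must(x.NewPublicKey(serverShare[ctLen:]))))
	clientSecret = append(kemSecret2, ecSecret2...)
	return
}

func main() {
	cs, ss, a, b := HybridExchange(false)
	fmt.Println(len(cs), len(ss), len(a), bytes.Equal(a, b))
}
```

With `tamper` set, only the ML-KEM half of the two secrets differs, and neither side sees an error at this stage.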

Crypto-Agility

Framework for hot-swapping cryptographic algorithms without downtime. Automatic key rotation and migration.
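
A sketch of how a registry and hot-swap step can fit together, added here as an example and not the lab's implementation: policies are immutable snapshots published through an atomic pointer, so a swap never blocks handshakes in progress. `Group`, `Policy`, `Registry` and the `AllowClassical` switch are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// Group is one registry entry (hypothetical layout).
type Group struct {
	Name   string
	Hybrid bool // true when the group includes a post-quantum component
}

// Policy is an immutable registry snapshot.
type Policy struct {
	Version        int
	Groups         []Group // server preference order
	AllowClassical bool    // false once classical-only fallback is retired
}

// Registry publishes the active policy; Swap is the hot-swap step and never blocks readers.
type Registry struct{ cur atomic.Pointer[Policy] }

func (r *Registry) Swap(p *Policy) { r.cur.Store(p) }

// Negotiate loads the snapshot once, so each handshake sees a single consistent policy.
func (r *Registry) Negotiate(offered []string) (group string, version int, err error) {
	p := r.cur.Load()
	if p == nil {
		return "", 0, errors.New("agility: no policy loaded")
	}
	for _, g := range p.Groups {
		if !g.Hybrid && !p.AllowClassical {
			continue // classical-only groups are refused: no silent downgrade
		}
		for _, o := range offered {
			if o == g.Name {
				return g.Name, p.Version, nil
			}
		}
	}
	return "", p.Version, errors.New("agility: no acceptable key-exchange group")
}

func main() {
	r := &Registry{}
	r.Swap(&Policy{1, []Group{{"X25519MLKEM768", true}, {"X25519", false}}, true})
	fmt.Println(r.Negotiate([]string{"X25519"}))
}
```

Returning the policy version with each result lets logs show which snapshot a given connection was negotiated under during a migration.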

Current Status

Completed

  • NIST FIPS 203-205 standards research
  • Proof-of-concept hybrid TLS 1.3 with ML-KEM
  • Crypto-agility layer architecture

In Progress

  • PQ-QUIC prototype based on quiche
  • ML-DSA integration into MASQUE proxy
  • Performance benchmarks: PQ vs. classical

Planned

  • PQ-QUIC reference implementation release
  • Whitepaper "PQ-Ready CloudBridge"
  • Integration into CloudBridge Relay production

Technical Details

Algorithms

  • ML-KEM-768 (Key Encapsulation)
  • ML-DSA-65 (Digital Signatures)
  • X25519 (Classical ECDH)
  • Ed25519 (Classical Signatures)
  • AES-256-GCM (Symmetric Encryption)

Technologies

  • Go 1.22+
  • Rust
  • liboqs
  • quiche
  • BoringSSL
  • OpenSSL 3.x

Target Metrics

  • PQ-QUIC handshake: <100ms
  • Hybrid overhead: <15%
  • Crypto-agility migration: <1min
  • Key size increase: ~2-3x

Standards

  • NIST FIPS 203 (ML-KEM)
  • NIST FIPS 204 (ML-DSA)
  • IETF draft-ietf-tls-hybrid-design
  • RFC 9000 (QUIC)
  • RFC 9298 (MASQUE)
