Cryptsoft Demonstrates Hybrid-PQC Authentication Token Use for Quantum-Safe Systems and Infrastructure

Cryptsoft has successfully demonstrated a Hybrid Post-Quantum Cryptography (PQC) authentication token proof-of-concept (POC) combining a low-memory rust implementation of ML-DSA-65 with Fetian’s OpenSK dongle to deliver hybrid PQC passkey authentication for the Cryptsoft KMIP C Server.This POC demonstrates a practical path to implementing the quantum-safe authentication systems, systems that up to now have been a critical missing element allowing for the build-out of PQC security systems and infrastructure.

The solution builds on top of one of the development branches of the OpenSK project, but replaces the cryptographic implementation with the ML-DSA-65 implementation from Bouncy Castle’s bc-rust alpha release which was then tuned for embedded platform use. To enable PQC algorithm support in highly embedded platforms like OpenSK-class devices, a memory-efficient design throughout key generation, signing, and verification was required.

Public-key material is derived incrementally, and fully expanded private-key state is reconstructed only when needed for signing. During signing, the implementation avoids materializing large vectors and processes signing state sequentially, row by row or component by component, recomputes commitment and response data as needed, hashes incrementally, and packs results directly into the output buffer. Verification follows the same model by reconstructing only the required data and streaming hash inputs rather than building large intermediate structures. These techniques were applied in earlier attempts by the OpenSK project on a lower security strength and non-standardised version of Dilithium and we have adapted these approaches to the bc-rust alpha ML-DSA-65 implementation.