PosQuantum
TTL-PQC · CNSA 2.0

Post-quantum keys with minimal time-to-live

Automatic Kyber768 + X25519 rotation on critical endpoints. Each key lives for 30 seconds up to 24 hours only. Kills the “harvest-now, decrypt-later” risk at the root.

Available at Gate α (1 Jul 2026) · Same commercial format as PQSL Cloud · Compatible with 11 pqsl-core bindings.

Request quote See plans
HARVEST NOW · DECRYPT LATER

Why TTL is the game-changer

Attackers are already capturing today’s traffic to decrypt with a future quantum computer. If your session key lives for months, every captured packet falls under a single key. With TTL-PQC, a compromise only exposes the last 30 seconds of data.

Minimum exposure window

At TTL 30 s, a harvest attack only captures the last 30 seconds before rotation. Blast radius cut by 99.99%.

CNSA 2.0 resistance

Hybrid Kyber768 + X25519 — safe against Shor (PQ) and classical ECDLP. Compliant with CNSA 2.0 through 2030.

Zero operational downtime

Atomic rotation: 1 extra RTT per cycle, no TCP session restart. Overhead measured at <0.3 ms in production environments.

How it works under the hood

5 critical steps executed on every rotation cycle, with zero manual intervention.

01

Initial session

Client + server derive a session key via hybrid Kyber768 + X25519 handshake (CNSA 2.0).

02

TTL timer

A monotonic timer fires rotation at the configured TTL (30 s–24 h). Does not rely on wall clock.

03

Atomic re-encapsulation

New Kyber + X25519 encapsulation lands in an atomic transaction: no downtime, no packet loss, no retransmissions.

04

Ed25519 audit trail

Each rotation produces one JSON event { epoch, sha3(key), ts } Ed25519-signed — exported in real time to your SIEM.

05

Old key zeroize

After the 30 s grace window, the previous key is overwritten in memory (zeroize) and never persisted.

TTL configurable per use-case

Four standard values — or choose any intermediate value via SDK / API.

30 sTTL
Ultra-short

High-value payments, SWIFT, HFT trading

SLA99.95 %
5 minTTL
Standard

Corporate APIs, webhooks, microservices

SLA99.9 %
1 hTTL
Long-session

Customer portals, dashboards, BI

SLA99.9 %
24 hTTL
Maximum

Fleet IoT batch, backups, daily ETL

SLA99.9 %

Enterprise on-demand — price calibrated on volume (endpoints / EPS) + regions + SLA.

Where TTL-PQC is the obvious pick

Three verticals where regulators already demand frequent key rotation.

Banking & Payments

SWIFT CSP and PCI-DSS require frequent key rotation. TTL-PQC rotates Kyber768+X25519 every 30 s on critical sockets, leaving zero window for an attacker to accumulate usable ciphertexts by 2030.

Suggested TTL30 s

Telecom & 5G Core

GSMA FS.31 already flags N2/N3 and roaming interconnect as the #1 “harvest-now” target. TTL-PQC runs near the UPF, with routes rendered cryptographically invalid every 5 min.

Suggested TTL5 min

Government & Defence

ANSSI, BSI and NATO C-M(2002)49 mandate proof of periodic key rotation for classified comms. The Ed25519-sealed audit trail of TTL-PQC logs every cycle with timestamp + SHA3 of the key itself.

Suggested TTL1 h

5-line integration

Drop-in SDKs for Node.js, Python and Go. More bindings available via pqsl-core (11 languages).

Node.js
import { TtlPqcClient } from '@posquantum/ttl-pqc'

const client = new TtlPqcClient({
  endpoint: 'ttl.posquantum.com',
  apiKey: process.env.POSQUANTUM_API_KEY!,
  ttlSeconds: 300,        // rotación cada 5 min
  algorithm: 'kyber768+x25519',
  signature: 'ed25519',    // audit trail
})

await client.start()            // handshake híbrido inicial
const ct = await client.encrypt(Buffer.from('payload'))
const pt = await client.decrypt(ct)
// Interno: keys são rodadas atomicamente aos 300 s.
// Chave antiga sobrevive 30 s (grace) e depois zeroize.
Python
from posquantum.ttl_pqc import TtlPqcClient
import os

client = TtlPqcClient(
    endpoint="ttl.posquantum.com",
    api_key=os.environ["POSQUANTUM_API_KEY"],
    ttl_seconds=60,                # rotação 60 s
    algorithm="kyber768+x25519",
    signature="ed25519",
)

client.start()                    # handshake inicial
cipher = client.encrypt(b"sensitive")
plain = client.decrypt(cipher)

# Cada rotação emite evento no audit log assinado.
for event in client.audit_tail():
    print(event["epoch"], event["sha3"], event["sig"])
Go
import (
  "os"
  ttlpqc "github.com/posquantum/ttl-pqc-go"
)

client, _ := ttlpqc.New(ttlpqc.Options{
    Endpoint:   "ttl.posquantum.com",
    APIKey:     os.Getenv("POSQUANTUM_API_KEY"),
    TTL:        30 * time.Second,   // HFT/SWIFT
    Algorithm:  "kyber768+x25519",
    Signature:  "ed25519",
})

_ = client.Start(ctx)
ct, _  := client.Encrypt(ctx, payload)
pt, _  := client.Decrypt(ctx, ct)
// audit_log escreve 1 linha Ed25519-sealed por rotação

TTL-PQC vs static keys

Six critical differences the auditor will check in 2026.

FeatureTTL-PQCStatic PQ keys
“Harvest-now” window
30 s – 24 h (configurable)
Months / years (static key)
NIST PQC algorithms
Kyber768 + X25519 + ML-DSA
X25519 / RSA / ECC only
Zero-downtime rotation
Sim (atómica)
No (restarts handshake)
Crypto-sealed audit trail
Ed25519 por rotação
Depends on TLS log
SWIFT CSP / DORA compliance
Native rotation proof
Requires external process
Operational complexity
Drop-in SDK (5 lines)
Custom key rotation scripts

Ready to neutralise harvest-now?

Share your scenario — endpoints, volume, SLA, jurisdiction — and we build a TTL-PQC quote in 48h. Complex proposals with HSM / multi-region up to 5 business days.

Request quote See full catalogueAudit & SBOM