Trust by construction
The cryptographic primitives, the standards, the audit story.
Everything you'd ask if you were the auditor reviewing 4Qubits.
PQC algorithms
ML-DSA-87
FIPS 204 — every ledger entry signed; security category 5
ML-KEM-1024
FIPS 203 — KEM for SDK channels; security category 5
SLH-DSA-SHA2-256s
FIPS 205 — conservative backup signature
SHA-256 + RFC 6962
Hash chain + Merkle tree with domain-separated leaf/inner hashing
HMAC-SHA256 (HS256)
JWT signing, dependency-free; air-gap friendly
liboqs 0.10+
Strict mode; no SIKE; FIPS-aligned defaults
Frameworks & mandates
SEC Cyber Disclosure Rule
Item 106 — director cybersecurity oversight evidence
OCC 2023-22
Heightened operational risk standards for large banks
OSFI B-13
Canadian operational risk and resilience
DORA Art. 9
EU digital operational resilience — ICT risk management
NYDFS 500.17
Cybersecurity events / governance reporting
PCI DSS v4.0 §12.3.3
Cryptographic suite review every 12 months
OMB M-23-02
Federal PQC inventory mandate (complete by 2025)
NSM-10 / NSA CNSA 2.0
National Security Systems PQC by 2030 (firmware) / 2033 (full)
NIST SP 800-53 (high)
Audit, accountability, identity, system & comms protection
NIST SP 800-57
90-day key crypto-period for high-sensitivity material
How we make it auditable
WORM ledger by contract
Ledger entries never deleted. SEC 17a-4(f), SOX §802, FINRA 4511 retention.
RFC 6962 inclusion proofs
Public verifier recomputes the root in your browser; no need to trust the portal.
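The two RFC 6962 items above (the SHA-256 hash chain/Merkle tree with domain-separated leaf and inner hashing, and the inclusion proofs a client recomputes for itself) are shown below as an added, stand-alone example in Python. It is not 4Qubits code and not its browser verifier; it only assumes the hashing the page names (SHA-256, 0x00 leaf prefix, 0x01 node prefix, RFC 6962 split rule) and uses constructed sample ledger entries. The verifier follows the RFC 9162 inclusion-proof algorithm, which is the same tree as RFC 6962, and the last helper shows why the prefixes matter.

```python
"""RFC 6962 Merkle tree with domain-separated hashing and inclusion proofs.
Added example; the ledger entries below are constructed, not real data."""
import hashlib
import json
from typing import List

LEAF_PREFIX = b"\x00"   # RFC 6962 §2.1: leaf hash = SHA-256(0x00 || entry)
NODE_PREFIX = b"\x01"   # inner node   = SHA-256(0x01 || left || right)


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 split rule)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 §2.1; the empty tree hashes to SHA-256("")."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 §2.1.1: sibling hashes, leaf to root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 §2.1.3.2): rebuild the root from the entry
    and the sibling hashes; the server's claimed root is only compared at the end."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in proof:
        if sn == 0:
            return False            # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(p, r)     # sibling is on the left
            if not fn & 1:          # right-shift until LSB(fn) set or fn == 0
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)     # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample ledger entries, canonical JSON bytes (not product data).
SAMPLE_ENTRIES = [
    json.dumps({"seq": i, "action": a}, sort_keys=True, separators=(",", ":")).encode()
    for i, a in enumerate(["key.create", "policy.update", "login", "export", "key.rotate"])
]


def prove_and_verify(entries: List[bytes], index: int) -> bool:
    """Server side builds the proof; client side recomputes and compares the root."""
    root = merkle_root(entries)
    proof = inclusion_proof(entries, index)
    return verify_inclusion(entries[index], index, len(entries), proof, root)


def domain_separation_holds(left: bytes, right: bytes) -> bool:
    """Without the prefixes, H(left||right) would be both an inner node and the
    leaf hash of an entry whose content is left||right; the prefixes keep the
    two hash domains disjoint."""
    return hash_leaf(left + right) != hash_node(left, right)


if __name__ == "__main__":
    root = merkle_root(SAMPLE_ENTRIES)
    print("root:", root.hex())
    for i in range(len(SAMPLE_ENTRIES)):
        print("entry", i, "included:", prove_and_verify(SAMPLE_ENTRIES, i))
    # An altered entry at the same index must fail against the published root.
    forged = b'{"action":"export","approved":true,"seq":3}'
    print("forged entry included:", verify_inclusion(
        forged, 3, len(SAMPLE_ENTRIES), inclusion_proof(SAMPLE_ENTRIES, 3), root))
```

The verifier deliberately takes the root as an input to compare against rather than trusting it: a portal can hand the client the root and the proof, but the client still derives the root itself from the entry it holds, which is the property behind "no need to trust the portal".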
Dual-TSA anchoring
Optional RFC 3161 timestamp tokens against two independent TSAs.
pgaudit on Postgres
DDL + WRITE captured at the database. Connection logging on for AU-2 / AU-3.
Forward-secure epoch keys
expires_utc + rotated_from_key_id provenance for every signing key.
Reproducible builds (Vault)
Single-binary verifier; deterministic, hash-pinned image.