Built for the post-quantum era.
KXCO Bank uses NIST's 2024 post-quantum standards — ML-KEM-768 for key exchange and ML-DSA-65 for signatures — across every transaction, message, and webhook. Your data is encrypted with AES-256-GCM, your private keys are derived with Argon2id, and our platform identity is anchored in a publicly verifiable post-quantum key.
Harvest-now-decrypt-later does not work here.
Cryptographic primitives
Digital signatures
Module-lattice signature scheme (Dilithium3). Used for every on-chain transaction, per-request API authentication, and outbound webhook identity. Security level 3 — equivalent to AES-192.
Key encapsulation
Module-lattice KEM (Kyber768). Encrypts on-chain messages, file attachments, and payment memos with dual-slot delivery to both sender and recipient. Security level 3.
Symmetric encryption
AES-256-GCM protects bank account fields, session cookies, and the symmetric envelope inside every ML-KEM exchange. Grover's algorithm leaves 128-bit effective security — still computationally infeasible.
Password-based KDF
Argon2id provides memory-hard derivation for user private keys: 64 MB working set, 3 passes. GPU and quantum brute-force are equally bottlenecked by memory bandwidth.
Sub-key derivation
All sub-keys are domain-separated derivations from a single root: ML-KEM-768 from secp256k1 seed, ML-DSA-65 from secp256k1 seed, platform PQ identity from the master key.
Hybrid webhook MAC
HMAC-SHA-256, paired with ML-DSA-65 on every outbound webhook. Symmetric and quantum-safe; the post-quantum signature adds non-repudiation that HMAC alone cannot.
What this gives you
- ✓ Every transaction on the KXCO chain is signed with ML-DSA-65 — the NIST FIPS 204 standard finalised in August 2024.
- ✓ Institution API requests can be authenticated with per-request ML-DSA-65 signatures, replacing classical bearer tokens entirely.
- ✓ Outbound webhooks carry a hybrid signature — HMAC-SHA-256 for compatibility plus ML-DSA-65 for non-repudiation. Receivers can verify offline using any FIPS 204 library.
- ✓ On-chain messages and files are encrypted with ML-KEM-768, with dual-slot delivery so sender and recipient each decrypt independently — no shared secrets.
- ✓ Bank account numbers, IBANs, and sort codes are encrypted at rest with AES-256-GCM, keyed by a separate admin master key, with per-field 96-bit nonces and authenticated tags.
- ✓ User private keys are derived with Argon2id — memory-hard at 64 MB, three passes — designed to resist both GPU farms and quantum brute-force.
- ✓ Platform identity is anchored in a deterministic ML-DSA-65 keypair, published at a well-known endpoint for counterparties to pin and verify against.
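The at-rest field encryption described in the list above (AES-256-GCM, per-field 96-bit nonces, authenticated tags), as an added example that is not KXCO's code. The random stand-in key, the `nonce || tag || ciphertext` layout, and binding the field name as associated data are assumptions made for illustration; the sample IBAN is constructed.

```javascript
// Added example, not KXCO's code. Key source, blob layout and the use of the
// field name as AAD are assumptions.
const crypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce, generated fresh for every field write
const TAG_LEN = 16;   // 128-bit GCM authentication tag

// Encrypt one field. Returns base64 of nonce || tag || ciphertext.
function encryptField(masterKey, fieldName, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, nonce);
  cipher.setAAD(Buffer.from(fieldName, "utf8")); // bind ciphertext to its field
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt one field. Returns null when the blob is short or the tag fails.
function decryptField(masterKey, fieldName, blob) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(NONCE_LEN + TAG_LEN);
  try {
    const opts = { authTagLength: TAG_LEN }; // reject truncated tags
    const decipher = crypto.createDecipheriv("aes-256-gcm", masterKey, nonce, opts);
    decipher.setAAD(Buffer.from(fieldName, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: modified data, wrong key or wrong field
  }
}

// Constructed sample values, not real account data.
function demo() {
  const key = crypto.randomBytes(32); // stands in for the admin master key
  const iban = encryptField(key, "iban", "GB00TEST00000012345678");
  const again = encryptField(key, "iban", "GB00TEST00000012345678");
  const flipped = Buffer.from(iban, "base64");
  flipped[flipped.length - 1] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: decryptField(key, "iban", iban),
    nonceReused: iban.slice(0, 16) === again.slice(0, 16), // 12 bytes = 16 b64 chars
    tampered: decryptField(key, "iban", flipped.toString("base64")),
    wrongField: decryptField(key, "sort_code", iban), // value moved to another field
  };
}
```

With the field name as associated data, a ciphertext copied from one column into another fails authentication instead of decrypting to a valid-looking value.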
Compared to a typical bank
Most banks today secure your data with RSA and elliptic-curve cryptography — both of which fall to Shor's algorithm on a sufficiently large quantum computer. Encrypted traffic captured today can be decrypted retroactively, the moment that hardware exists.
KXCO Bank uses NIST's post-quantum replacements in production today. We do not just claim "quantum readiness" — we ship FIPS 203 and FIPS 204 algorithms, and our public signing key is published openly so every counterparty can verify our claims independently.
Standards alignment
| Reference | Detail |
| --- | --- |
| NIST FIPS 204 | ML-DSA-65 signatures — finalised August 2024 |
| NIST FIPS 203 | ML-KEM-768 key exchange — finalised August 2024 |
| NIST SP 800-131A | AES-256, SHA-512, HMAC-SHA-256 — post-2030 approved |
| NSA CNSA 2.0 | All algorithms used here are on the approved list |
| OWASP 2024 (passwords) | Argon2id for high-value secrets, bcrypt cost 12 for user passwords |
| Implementation | @noble/post-quantum — audited reference TypeScript |
| Production patterns | kxco-post-quantum — open-source npm package, MIT |
Industry benchmark
The KXCO Quantum Index
Quarterly tracking of post-quantum cryptography adoption across 30 major BaaS providers, custodians, settlement consortia, and Tier-1 banks. Six indicators per provider, scored 0–6. KXCO scores 6/6. Most of the industry scores 0.
Want the full technical detail?
The security architecture page documents every cryptographic control with file references back into deployed code. The developer integration spec shows how to verify our signatures from your own service.
Algorithms cited above are NIST-standardised and FIPS-aligned in implementation. KXCO Bank does not yet hold a CMVP-validated FIPS module certificate.