
Post-Quantum Trust Lab
ML-KEM · ML-DSA · Hybrid · C2PA · Confidential Compute

Harvest-now-decrypt-later is the threat regulators won't say out loud. The Lab ships crypto-agile services, hybrid PQ TLS, ML-KEM / ML-DSA migration, and verifiable AI provenance via C2PA — so when the cliff hits, you're already over it.

Research thesis
Crypto-agility is now a design property, not an upgrade project. Build it in or pay later.
PQ-ready new services: 100%
Hybrid TLS overhead: < 2 ms p95
Provenance coverage: 100% AI outputs
Active experiments

What the lab is testing right now

Hybrid TLS at scale

X25519 + ML-KEM-768 in production load; latency, CPU and rotation impact measured.

ML-DSA signing pipelines

Code-signing, container-signing, and SBOM signing migrated to ML-DSA-65.

C2PA on AI outputs

Every AI artefact carries a verifiable provenance manifest — model, prompt class, lineage, signer.

Confidential agents

Agent runtime in TEEs (SEV-SNP / TDX / Nitro) for sovereign tenants and regulated data.

Shippable artefacts

Everything the lab ships

  • Crypto-agility framework
    Algorithm-agnostic SDK so primitives can be swapped without touching app code.
  • Hybrid TLS rollout
    Fleet-wide hybrid PQ TLS with rollback, telemetry and FIPS-mode toggles.
  • Signing migration kit
    ML-DSA pipelines for code, containers, SBOMs, model weights and prompts.
  • Provenance plane
    C2PA manifests on every AI output; verifier service for downstream consumers.
  • Confidential compute patterns
    TEE-backed agent runtime for sovereign and regulated workloads.
Lab team
  • Cryptography Principal
  • Confidential Compute Engineer
  • Provenance / C2PA Lead
  • Migration Architect
Partners we collaborate with
NIST PQC · Cloudflare Research · Microsoft Confidential · AMD SEV · Intel TDX · AWS Nitro · C2PA
Example output · Manifest · c2pa.assertion.ai-output (JSON)
{
  "claim_generator": "axp/agent.runtime/2026.05",
  "assertions": [
    { "label": "axp.model",     "data": { "id": "gpt-5",        "version": "2026-04" } },
    { "label": "axp.prompt",    "data": { "class": "renewals",  "redacted": true     } },
    { "label": "axp.lineage",   "data": { "graph_uri": "axp://lineage/r_8821"        } },
    { "label": "axp.evals",     "data": { "score": 0.96, "suite": "renewals.v7"      } }
  ],
  "signature": {
    "alg":  "ML-DSA-65",
    "cert": "axp/pqc/cert/2026/lab6/03.cer",
    "ts":   "2026-05-04T11:42:18Z"
  }
}
Engagement timeline

Weeks 1–12 · first hybrid TLS in prod by week 6

  1. Weeks 1–4
    Crypto inventory + agility

    Inventory primitives, ship algorithm-agnostic SDK, agree migration windows.

  2. Weeks 4–8
    Hybrid TLS + signing

    Hybrid PQ TLS in production, ML-DSA signing pipelines live, telemetry on overhead.

  3. Weeks 8–12
    Provenance + confidential

    C2PA manifests on every AI output, confidential agent runtime in TEEs for sovereign tenants.

Flagship pods

Productionised by these squads

PQ TLS Migration Pod
Code & Model Signing Pod
AI Provenance Pod
Confidential Agent Pod
Selected publications

Receipts, not just thesis

  • Hybrid PQ TLS at production scale: latency under 2ms
    Real World Crypto · 2026
  • C2PA for AI outputs: a deployment study across 4 sectors
    AXP Internal Whitepaper · 2026
FAQs

What partners actually ask

Is this real, or theatre?

Real. NIST has standardised ML-KEM (FIPS 203) and ML-DSA (FIPS 204). The hybrid TLS rollout is a concrete engineering programme, not a slide.

What about latency?

Hybrid TLS adds < 2ms p95 in our load tests at production CPU profiles. We publish the numbers per fleet.

Why C2PA on AI outputs?

Downstream consumers — regulators, customers, auditors — increasingly demand verifiable provenance. C2PA is the open standard winning that race.

Confidential compute, really?

For sovereign tenants in finance, defence and health it's table stakes. We ship reference patterns on AMD SEV-SNP, Intel TDX and AWS Nitro.

Design-partner programme · L6 Post-Quantum Trust Lab

Co-build Post-Quantum Trust Lab with us in Weeks 1–12.

We'll respond within one business day with a scoping note, a fixed-price outcome contract, and a named principal cleared for your domain. Design partners get first-look access, joint publication rights and roadmap influence.

  • Outcome-priced — no T&M.
  • Sovereign by default — your data, your region, your keys.
  • Refund-backed if the contracted KPI isn't hit.
  • Joint publication rights and conference slots.