Cryptography & Post-Quantum Logo

Cryptography & Post-Quantum

Cryptographic Architecture for Regulated Systems

From FIPS validation to post-quantum migration — hands-on cryptographic engineering

The Challenge

Cryptography is the foundation of every secure system, but it is also the component most likely to be implemented incorrectly, configured insecurely, or left unvalidated against the compliance standards that govern it.

Organizations in regulated environments face three simultaneous pressures:

  1. Validation obligations — FIPS 140-3, Common Criteria, and PCI require rigorous proof that cryptographic implementations are correct
  2. The quantum transition — NIST has finalized post-quantum standards (ML-KEM, SHL-DSA); migration planning is no longer theoretical
  3. Historical debt — deprecated algorithms, hardcoded keys, unmanaged certificates, and ad-hoc crypto scattered across codebases

I bring 30 years of hands-on cryptographic implementation and certification experience to help organizations navigate all three.

Core Services

FIPS 140-3 & Common Criteria Support

  • Cryptographic module boundary definition and architecture documentation
  • FIPS mode configuration and validated entropy source integration
  • Security lab coordination, technical Q&A, and defect resolution
  • Algorithm support analysis and deprecated API remediation (OpenSSL 3.x migration)
  • Common Criteria readiness assessment for cryptographic protocols

Post-Quantum Cryptography Migration

  • PQC readiness assessment — inventory of vulnerable algorithms and key exchange mechanisms
  • Migration architecture for ML-KEM (FIPS 203) and SHL-DSA (FIPS 205)
  • Hybrid deployment strategies (classical + PQC) for TLS, messaging, and firmware signing
  • Performance analysis and parameter selection for constrained environments
  • Developer guidance and implementation review

Cryptographic Architecture & Implementation

  • White-box cryptography design and integration
  • HSM, TPM, and Secure Enclave integration architecture
  • PKI / X.509 trust chain design and certificate lifecycle management
  • Key management system architecture and provisioning workflows
  • PKCS#11 and CSP middleware design
  • Symmetric and asymmetric protocol selection and hardening

Secure Software Cryptographic Integration

  • OpenSSL, MbedTLS, and WolfSSL integration and hardening
  • Cryptographic API design for application developers
  • Secure random number generation and entropy architecture
  • Side-channel and fault injection awareness in software implementations

Relevant Experience

Ciena — FIPS 140-3 & Common Criteria (2025–Present)

Led migration to OpenSSL 3.5.0 across an embedded Linux (Yocto) router platform. Configured FIPS mode with approved entropy sources. Analyzed and reengineered deprecated cryptographic APIs for post-quantum readiness. Supported FIPS 140-3 code review (lab Q&A, defect resolution) and participated in Common Criteria readiness assessment focusing on cryptographic protocol and algorithm support.

Bank of Canada — Cryptographic Architecture for CBDC (2022–2025)

Defined cryptographic security principles for a central bank digital currency. Implemented a non-custodial digital currency wallet PoC with MbedTLS and white-box cryptography. Evaluated and benchmarked mobile cryptographic implementations.

Amadis — PCI-MPoC Cryptographic Controls (2019–2022)

Implemented advanced cryptographic controls for a mobile payment acceptance platform: white-box cryptography, TLS mutual authentication, X.509 certificate management, and secure key provisioning. Produced cryptographic documentation for PCI-MPoC certification.

Irdeto — Key Management & DRM Cryptography (2011–2019)

Maintained enterprise cryptographic key management systems for set-top box provisioning (HSM-backed). Designed and implemented X.509 certificate parsing and trust chain validation. Built application protection using white-box cryptographic techniques.

ActivCard / Gemalto — Cryptographic Middleware (1998–2004)

Designed PKCS#11 and MS CSP cryptographic middleware for smart card-based single sign-on and digital signature solutions. Led certification of smart card cryptographic products.

Technical Depth

Area Technologies & Standards
Libraries OpenSSL 3.x, MbedTLS, WolfSSL, liboqs
Standards FIPS 140-3, Common Criteria, NIST SP 800-series, FIPS 203/205
PQC Algorithms ML-KEM (Kyber), SHL-DSA (SPHINCS+), lattice-based cryptography
Classic Crypto AES, RSA, ECDSA, EdDSA, X25519, SHA-3, HMAC
Infrastructure HSM, TPM, Secure Enclave, PKCS#11, X.509/PKI
Protection White-box cryptography, code obfuscation, anti-tampering
Languages C, C++, Python, Kotlin, Java

Engagement Models

  • FIPS / CC readiness assessment — evaluate cryptographic architecture against certification requirements
  • PQC migration planning — inventory, risk assessment, and phased migration roadmap
  • Cryptographic architecture review — design assessment for key management, PKI, or protocol implementation
  • Implementation support — hands-on guidance during cryptographic integration or library migration
  • Expert witness / technical advisory — certification lab support, technical Q&A, documentation review

Contact me to discuss your cryptographic architecture or migration needs.