Cryptography & Post-Quantum Security
Cryptography & Post-Quantum
Applied Cryptography and Certification Support
From FIPS validation to post-quantum migration — hands-on cryptographic engineering
The Challenge
Cryptography is the foundation of every secure system, but it is also the component most likely to be implemented incorrectly, configured insecurely, or left unvalidated against the compliance standards that govern it.
Organizations in regulated environments face three simultaneous pressures:
- Validation obligations — FIPS 140-3, Common Criteria, and PCI require rigorous proof that cryptographic implementations are correct
- The quantum transition — NIST has finalized post-quantum standards (ML-KEM, SHL-DSA); migration planning is no longer theoretical
- Historical debt — deprecated algorithms, hardcoded keys, unmanaged certificates, and ad-hoc crypto scattered across codebases
I bring hands-on implementation and certification-support experience across OpenSSL, MbedTLS, WolfSSL, white-box cryptography, PKI/X.509, HSM-backed key management, mobile wallets, embedded Linux platforms, and payment systems.
Core Services
FIPS 140-3 & Common Criteria Support
- Cryptographic module boundary definition and architecture documentation
- FIPS mode configuration and validated entropy source integration
- Security lab coordination, technical Q&A, and defect resolution
- Algorithm support analysis and deprecated API remediation (OpenSSL 3.x migration)
- Common Criteria readiness assessment for cryptographic protocols, TLS, and X.509 behavior
Post-Quantum Cryptography Migration
- PQC readiness assessment — inventory of vulnerable algorithms and key exchange mechanisms
- Migration architecture for ML-KEM (FIPS 203) and SHL-DSA (FIPS 205)
- Hybrid deployment strategies (classical + PQC) for TLS, messaging, and firmware signing
- Performance analysis and parameter selection for constrained environments
- Developer guidance and implementation review
Cryptographic Architecture & Implementation
- White-box cryptography design and integration
- HSM, TPM, and Secure Enclave integration architecture
- PKI / X.509 trust chain design and certificate lifecycle management
- Key management system architecture and provisioning workflows
- PKCS#11 and CSP middleware design
- Symmetric and asymmetric protocol selection and hardening
- Hardened certificate parsing and trust-chain validation
Secure Software Cryptographic Integration
- OpenSSL, MbedTLS, and WolfSSL integration and hardening
- Cryptographic API design for application developers
- Secure random number generation and entropy architecture
- Side-channel and fault injection awareness in software implementations
When to Engage
Cryptographic work benefits from early review, especially when certification, protocol compatibility, or long-lived data confidentiality is involved:
- A product must satisfy FIPS 140-3, Common Criteria, PCI, or internal cryptographic policy requirements
- A platform is migrating to OpenSSL 3.x, FIPS providers, new entropy sources, or updated protocol stacks
- Leadership needs a post-quantum migration plan that identifies vulnerable assets, vendor dependencies, and sequencing
- Engineering teams need help turning cryptographic requirements into APIs, key-management flows, and testable implementation decisions
Relevant Experience
Ciena — FIPS 140-3 & Common Criteria Support (2025–Present)
Led secure migration to OpenSSL 3.5 across an embedded Linux (Yocto) router platform, reengineering deprecated APIs into a FIPS-ready and post-quantum-ready foundation. Strengthened TLS and cryptographic behavior by fixing defects, removing weak and deprecated algorithms, enforcing modern cipher suites, and improving certificate validation. Supported FIPS 140-3 and Common Criteria work through code review, gap assessment, evaluator Q&A, compliance testing, and remediation.
Bank of Canada — Cryptographic Architecture for CBDC (2022–2024)
Defined mobile platform security and cryptographic key-management principles for a central bank digital currency. Implemented a non-custodial digital currency wallet proof of concept with key management, secure storage, transaction signing, MbedTLS, white-box cryptography, application hardening, and runtime security posture monitoring.
Amadis — PCI-MPoC Cryptographic Controls (2019–2022)
Architected and implemented cryptographic controls for mobile payment acceptance: white-box cryptography, TLS, X.509, PKI, runtime application self-protection, mobile threat defense, and certification documentation for PCI-MPoC with Riscure and UL labs.
Irdeto — Key Management & DRM Cryptography (2011–2019)
Maintained HSM-backed cryptographic key management for set-top box provisioning, maintained obfuscated software secure elements, and designed a hardened X.509 certificate parser and trust-chain validator for TLS/PKI handling.
Technical Depth
| Area | Technologies & Standards |
|---|---|
| Libraries | OpenSSL 3.x, MbedTLS, WolfSSL, liboqs |
| Standards | FIPS 140-3, Common Criteria, NIST SP 800-series, FIPS 203/205 |
| PQC Algorithms | ML-KEM (Kyber), SHL-DSA (SPHINCS+), lattice-based cryptography |
| Classic Crypto | AES, RSA, ECDSA, EdDSA, X25519, SHA-3, HMAC |
| Infrastructure | HSM, TPM, Secure Enclave, PKCS#11, X.509/PKI |
| Protection | White-box cryptography, application hardening, runtime application self-protection, anti-tampering |
| Languages | C, C++, Python, Kotlin, Java, Swift |
Engagement Models
- FIPS / CC readiness assessment — evaluate cryptographic architecture against certification requirements
- PQC migration planning — inventory, risk assessment, and phased migration roadmap
- Cryptographic architecture review — design assessment for key management, PKI, or protocol implementation
- Implementation support — hands-on guidance during cryptographic integration or library migration
- Expert witness / technical advisory — certification lab support, technical Q&A, documentation review
Typical Deliverables
- Cryptographic inventory and algorithm-risk assessment
- FIPS 140-3 or Common Criteria readiness gap analysis
- PQC migration roadmap with priorities, dependencies, and hybrid-transition guidance
- Key-management, certificate-lifecycle, and entropy-source architecture review
- Implementation review notes for OpenSSL, MbedTLS, WolfSSL, HSM, TPM, or PKCS#11 integrations
Related Insights
- Post-Quantum Cryptography Migration: A Comprehensive Strategy Guide
- QTLS: Building Quantum-Safe TLS for the Post-Quantum Era
- ML-KEM: A Practical Introduction to the Post-Quantum Key Encapsulation Mechanism
- SHL-DSA: A Practical Introduction to the Post-Quantum Signature Algorithm
Contact me to discuss your cryptographic architecture or migration needs.