March 14, 2026
ABSTRACT: This paper describes a secure bootstrapping method that allows a fixed pair of devices to provision a post-quantum-resistant (PQR) security association over an untrusted transport without transmitting cleartext. The design introduces a short-lived bootstrap symmetric key (PSK0 / tunnel-0 key) used only to establish a cryptographic tunnel within which a mutually authenticated PQR key exchange creates a shared secret known only to the pair. The exchange uses NIST-standardized post-quantum primitives (ML-KEM and ML-DSA) together with an SHA-512–based KDF. Tunnel-0 and the authenticated key exchange always initiate the provisioning process. After provisioning completes, the devices enter an operational mode in which periodic rekeying mixes fresh randomness with the current session secret via HKDF to limit compromise impact and provide forward secrecy. Rekeying follows a process similar to provisioning, using an ephemeral ML-KEM exchange and an HKDF-based key schedule; policy can also require periodic re-authentication using ML-DSA.
© 2026 Forward Edge-AI, Inc. All rights reserved.