PQC ARCADE • GAME MANUAL v1.0

Learn how to upgrade your cryptography to post-quantum.

This manual walks you from “What is PQC?” to “How do I ship it in CI/CD?” using Kyber, Dilithium and Falcon — all in a retro Arcade style.

MANUAL STATUS ONLINE ✔

Version: 1.0.0

Algorithms: Kyber • Dilithium • Falcon

Audience: engineers • security • DevOps

Quickstart — Use PQC Arcade in 60 seconds

PQC Arcade generates ready-to-run Python templates for Kyber and Dilithium.

1. Install dependencies

pip install -r requirements.txt

2. Run main file

python main.py

3. Run tests

pytest -q

Learning Media

Recorded lessons for PQC beginners.

PQC Audio Explainer

PQC Video Lesson

Download the Python SDK

  • main.py
  • tests.py
  • README.md
  • requirements.txt
⬇ Download SDK

Common Errors & Fixes

Invalid JSON format

This happens when a comma, quote, or bracket is missing. 

{
  "algorithm": "kyber768",
  "language": "python"
  "use_case": "general"   // ❌ missing comma
}

Unsupported algorithm

Quardian currently supports: kyber512, kyber768, kyber1024, dilithium2, dilithium3, dilithium5.

Missing required fields

All three fields are required: algorithm, language, use_case. 

{
  "algorithm": "kyber768"
  // ❌ missing language and use_case
}

Generated tests fail

This usually happens if the generated core Kyber/Dilithium functions were modified. Download a fresh SDK template to reset the project.

Security Notes

PQC Arcade is a code generator — no encryption or signing happens on the server.

  • No private keys leave your machine.
  • No cryptographic operations are executed server-side.
  • No key material is logged or stored.
  • Output is local, safe, reproducible.


PQC ARCADE MANUAL — VERSION 1.0

Post-Quantum Cryptography (PQC) is a family of algorithms designed to stay secure even if attackers have powerful quantum computers. Instead of relying on factoring or discrete logs (like RSA or ECC), PQC uses problems from lattices and error-correcting codes that we do not know how to break efficiently with quantum algorithms.

PQC does not require a quantum computer. You run it on normal servers — it’s “quantum-safe”, not “quantum-powered”.

Why RSA & ECC fail in a quantum world

Classical public-key crypto like RSA and ECC relies on math problems that are hard for classical computers, but efficiently solvable with a large quantum computer using Shor’s algorithm.

  • RSA — based on factoring large integers.
  • ECC — based on discrete logarithms on elliptic curves.
  • Shor’s algorithm — breaks both in polynomial time on a fault-tolerant quantum computer.

Even if we don’t have such machines today, attackers can already perform Harvest-Now, Decrypt-Later (HNDL):

  • Record encrypted traffic today.
  • Store it cheaply in the cloud.
  • Decrypt when quantum machines become available.

Quantum Threat Model

The quantum threat is mostly about long-lived secrets and recorded data:

  • TLS sessions protecting health, finance, or government data.
  • Backups and archives stored for 5–20 years.
  • Root keys for certificate authorities or identity systems.

If an attacker can break the key exchange or signature years later, everything recorded in the past becomes readable or forgeable.

Kyber — ML-KEM for key exchange

Kyber (standardized as ML-KEM) is a lattice-based Key Encapsulation Mechanism (KEM). Instead of doing a classical Diffie-Hellman exchange, you:

  1. Generate a long-term PQC keypair.
  2. Encapsulate a shared secret to a public key.
  3. Decapsulate with the secret key to recover the same secret.

Kyber has different security levels: Kyber-512/768/1024. In NIST terms: ML-KEM-512/768/1024. 


alice_pk, alice_sk = generate_keypair()
ciphertext, ss_bob = encrypt(alice_pk)      # Bob → Alice
ss_alice = decrypt(ciphertext, alice_sk)    # Alice decapsulates

assert ss_alice == ss_bob   # shared secret established

In PQC Arcade, Kyber is used for “key_exchange”, “api_encryption” and “tls_handshake” templates across Python.

Dilithium — ML-DSA signatures

Dilithium (standardized as ML-DSA) provides quantum-safe digital signatures. It replaces RSA/ECDSA in places where we need authenticity and integrity:

  • Code signing (containers, binaries, packages).
  • API authentication tokens.
  • Firmware updates for devices.

pk, sk = generate_keypair()
signature = sign(message, sk)

ok = verify(signature, message, pk)
assert ok

Falcon — compact lattice signatures

Falcon is another NIST-selected signature scheme. Compared to Dilithium:

  • Smaller signatures (good for bandwidth-sensitive use-cases).
  • More complex implementation; often used where size really matters.

A typical deployment strategy is:

  • Use Dilithium for most software / infrastructure signing.
  • Use Falcon where packets must be extremely small.

Core PQC use cases in real systems

  • TLS & VPNs — hybrid key exchange (X25519 + Kyber).
  • APIs — PQC-based mTLS, signed JWTs with ML-DSA/Falcon.
  • DevOps — signed container images, artefacts, and manifests.
  • IoT / Edge — firmware updates signed with Dilithium/Falcon.
  • Data-at-rest — PQC key wrapping for long-term encryption keys.

Migration blueprint (practical steps)

  1. Discover — list where RSA/ECC appear: TLS, SSH, VPNs, PKI, tokens, databases, backups.
  2. Prioritise — tag long-lived data and high-impact systems (health, finance, government, identity).
  3. Pilot hybrid — enable X25519+Kyber in one environment, and ECDSA+Dilithium signatures where possible.
  4. Roll out patterns — standardise libraries, templates, and CI jobs so teams all use the same approach.
  5. Phase out legacy-only — deprecate pure RSA/ECC in front-door channels.

PQC Arcade helps by giving teams the same starting templates for each algorithm, language and use case.

Hybrid crypto — don’t rip, layer

Instead of switching everything to PQC overnight, many organisations use hybrid constructions. Examples:

  • Key exchange: X25519 + Kyber → combine both shared secrets into one.
  • Signatures: ECDSA + Dilithium → send both signatures for a transition period.

This keeps security at least as strong as the best of the two schemes and makes migration easier from a compliance perspective.

Integrating PQC into CI/CD

In a DevOps pipeline, PQC typically appears in three places:

  1. Build stage — sign artefacts (containers, packages, SBOMs) with Dilithium/Falcon.
  2. Deploy stage — verify signatures before deployment; configure TLS with hybrid key exchange.
  3. Runtime monitoring — ensure services still expose PQC/hybrid ciphersuites and not legacy-only ones.

PQC Arcade’s templates and SDKs can be called directly from CI scripts to generate example integrations or bootstrap new microservices.

API security & KEM-based auth

For APIs, PQC shows up in two layers:

  • Transport — mTLS with hybrid X25519+Kyber key exchange.
  • Application — signed tokens or signed requests using Dilithium/Falcon.

KEMs like Kyber can also be used to derive per-client or per-session keys for high-value APIs: 


# 1. Client fetches server PQC public key
# 2. Client encapsulates shared secret with Kyber
ciphertext, ss_client = encapsulate(server_pk)

# 3. Server decapsulates and uses same shared secret
ss_server = decapsulate(ciphertext, server_sk)

assert ss_client == ss_server
# use ss_* as input to HKDF → API encryption key

Signing strategies (code, data, identities)

Common patterns:

  • Code signing — CI signs container digests; clusters verify before running.
  • Data signing — audit logs and analytics streams signed to prevent tampering.
  • Identity — identity providers issue PQC-anchored tokens or certificates.

Deployment patterns

  • Gateway-first — enable hybrid PQC at API gateways / load balancers.
  • Service-by-service — migrate critical microservices first (payments, auth, keys).
  • Environment-by-environment — dev → staging → prod with monitoring at each step.

Do’s & Don’ts for engineers

DO

  • Use well-maintained libraries; avoid “home-grown” PQC.
  • Prefer hybrid (classical + PQC) in public-facing protocols.
  • Automate checks in CI to avoid regressions.
  • Document which versions and parameters you use.

DON’T

  • Log private keys or shared secrets.
  • Mix experimental code into production without review.
  • Assume “PQC” means “any GitHub repo labelled quantum”.
  • Forget about performance and key size when picking schemes.

ASCII diagrams

High-level view of a hybrid TLS handshake with Kyber: 


Client                                     Server
------                                     ------

ClientHello  -------------------------->  supported: X25519 + Kyber
                       (classical + PQC suites advertised)

                     <------------------  ServerHello + Kyber public key

# Classical ECDH key
ECDH(X25519)  ------------------------->  shared_secret_classical

# PQC KEM key
Kyber.encaps(pk_server)  ------------->  ciphertext, ss_client
Kyber.decaps(ciphertext, sk_server)  --  ss_server

# Combine
master_secret = HKDF(ss_classical || ss_pqc)

... derive TLS keys and start encrypted application data ...

Glossary

PQC
Post-Quantum Cryptography — algorithms designed to resist quantum attacks.
KEM
Key Encapsulation Mechanism — a pattern for establishing shared secrets.
ML-KEM
NIST name for the Kyber family of KEMs.
ML-DSA
NIST name for the Dilithium family of signature schemes.
Hybrid
Combining classical and PQC algorithms (for example X25519 + Kyber).
HNDL
Harvest-Now, Decrypt-Later — storing encrypted data to break in the future.

Quardian’s approach

Quardian focuses on quantum-safe infrastructure, cryptographic automation, and developer tooling. PQC Arcade is the “playable manual” on top of that foundation.

  • PQC DevOps automation and monitoring.
  • Lattice-based integrations for APIs, data pipelines, and VPNs.
  • Secure distributed systems that are quantum-resistant by default.
  • Developer SDKs for Python is built around a clean API.
PQC Arcade is a Quardian sub-project designed to make PQC feel less like a research paper, and more like a tool you can actually ship.