A post-quantum key encapsulation gateway built on ℤ₆ cyclic topology. Key exchange uses HKDF-SHA256 + AES-256-GCM with no lattice, no NTT, and no isogenies — just 64-element Z6 keys packed into 24 bytes, validated in constant time at the edge.
The Z6 PQC Gateway replaces continuous lattice-based KEMs with discrete ℤ₆ arithmetic. Each element is a phase in {0,1,2,3,4,5} — no floating point, no noise sampling, no NTT polynomial multiplication.
All operations are mod-6: add, subtract, multiply in ℤ₆. Deterministic, constant-time, trivially side-channel resistant. No continuous parameters to leak.
Phase states are projected onto the nearest Z6 lattice point. Noise within ±π/6 is absorbed; noise at the π/6 boundary triggers an enforced collapse — detectable, non-forgeable.
All ephemeral key material is zeroed immediately after use. Private keys, shared secrets, and intermediate buffers are overwritten in a finally block — guaranteed cleanup.
Run a complete key encapsulation cycle in your browser. Client and server generate ℤ₆ key pairs, negotiate a shared secret, and the topological shield validates every step.
The Z6 topological shield enforces phase quantization at every gateway hop. No active error correction — just geometry.
Every Z6 element is projected to the nearest multiple of π/3. Deviation beyond ±π/6 triggers a detectable topological collapse.
At the exact midpoint between two Z6 states (deviation = π/6), the shield rejects the operation with a 403 — no ambiguity, no false acceptance.
Shield projection uses integer rounding — no branches on secret data. The validation cost is identical for all 6 phase states.
The shield adds no per-request latency, no memory allocation, and no additional network round-trips. It runs inline in the Worker's fetch handler.
This is a live security research interface. Submit crafted public keys to the gateway and see which defenses trigger. All attacks are logged as anonymous metrics — no key data is stored. Can you find a key that passes every check?
Quick-craft attack vectors to probe the shield:
Paste a base64url-encoded public key (24 bytes) or leave empty to generate random:
Only attack type, danger score, and which checks triggered are stored locally. No key data is ever saved.
The Z6 topological moat was tested across IBM and IonQ quantum processors. Results confirm that ℤ₆ phase quantization absorbs ZZ crosstalk and preserves multi-qubit entanglement under spatial isolation.
IBM Heron R2 (ibm_fez) demonstrated 95.2% average GHZ fidelity and 98.44% peak using the Z6 moat protocol. The spatial buffer (distance-2+ isolation) absorbs ZZ parasitic coupling without dynamical decoupling overhead.
IonQ Forte-1 validated the Z6 moat on trapped-ion hardware. Bell state fidelity: 97.9%. 4-qubit GHZ: 96.0%. The moat protocol is hardware-agnostic — no trapped-ion specific calibration required.
Z6 parity invariants are formally derived in Lean4 (ParityKernelV6). The kernel proves that ℤ₆ phase closure is a topological invariant — no empirical constants imported. All SM parameter derivations are kernel-native.
Systematic bus validation (Phases 2-6) showed dynamical decoupling ineffective (49.2%→49.8%), strict time-binning also ineffective (48.9%→48.6%). Only spatial moat isolation (distance-2+ buffer) restored coherence to 90.5-91.1%.
Every component is self-contained. No external dependencies, no hardware assumptions, no trusted setup.
Mod-6 arithmetic (add, sub, mul) and continuous-to-discrete phase mapping. Every real angle is snapped to the nearest π/3 step with a bounded deviation.
Each Z6 element fits in 3 bits (values 0-5). 64 elements pack into 24 bytes. Serialization is a single O(n) bit-shift loop — no alloc, no compression.
Client and server exchange ℤ₆ public keys. Shared secret is wrapped with HKDF-SHA256 + AES-256-GCM — context-bound to the server public key. NIST-standard, constant-time, memory-scrubbed.
In the finally block of every request, all Uint8Array and number[] buffers are filled with zero. No ephemeral key material survives past the response.
Every property of the Z6 PQC gateway is verified — arithmetic, packing, topological shield, key agreement, and memory safety.
Make a real request to the Z6 PQC Gateway, verify the topological shield header, and perform a live KEM handshake.
Use the KEM shared secret to derive an AES-256-GCM key and encrypt/decrypt messages. Your Z6 public key serves as the identity.
Generate shared secrets for multiple public keys in a single request (one per line):
Quantum-safe ℤ₆ topology + classical HKDF-SHA256/AES-256-GCM. Deploy to your own Cloudflare account. No external dependencies, no third-party APIs.
Reproducible measurements against the live gateway. Method and harness published; no modelled figures.
| Operation | Median |
|---|---|
| Z6 keygen (64 elements → 24 B pack) | 7.9 µs |
| X25519 keypair generate | 35.9 µs |
| X25519 ECDH derive | 34.1 µs |
| HKDF-SHA256 derive (256-bit) | 29.6 µs |
| AES-256-GCM encrypt / decrypt (32 B) | 16.5 / 23.5 µs |
| Server-side KEM compute (latency minus /api/health baseline) | ~0.6 ms |
| Primitive | Public key | KEM transit total | Fits 1500 B MTU |
|---|---|---|---|
| X25519 | 32 B | 64 B | Yes |
| ML-KEM-768 (NIST published) | 1,184 B | 2,272 B | No |
| Z6 lattice KEM (measured) | 24 B | 160 B | Yes |
| Concurrency | Requests | Throughput | p50 | p95 | p99 | Success |
|---|---|---|---|---|---|---|
| 10 | 80 | 145 r/s | 43 ms | 242 ms | 276 ms | 100% |
| 25 | 200 | 401 r/s | 49 ms | 116 ms | 259 ms | 100% |
| 50 | 400 | 388 r/s | 115 ms | 163 ms | 192 ms | 100% |
Method & limits. 680/680 handshakes succeeded. Throughput is bounded by the measuring client and its network path, not by the gateway — these are client-observed figures from one vantage, not a datacentre-side capacity ceiling. Layer A compares local primitive cost: Z6 keygen is cheap because it samples and bit-packs, whereas X25519 keygen performs scalar multiplication, so this is a cost comparison, not a security comparison. The Z6 KEM is a compact custom construction — not a NIST-vetted scheme like ML-KEM — so the 24-byte key is a footprint result, not a claim of equivalent security. The data layer (AES-256-GCM, HKDF-SHA256) is NIST-standard.
Every KEM below was benchmarked on the same machine with the same method, using the reference C implementations (PQClean) of the NIST standard and alternate schemes. Nobody builds exactly this, so the comparison is against what the industry actually deploys for post-quantum key agreement.
| Scheme | Status | Public key | Transit | Keygen | Encaps | Decaps | Fits MTU |
|---|---|---|---|---|---|---|---|
| X25519 (classical baseline) | RFC 7748 | 32 B | 64 B | 31.1 µs | 32.9 µs | 32.9 µs | Yes |
| ML-KEM-512 | NIST FIPS 203 | 800 B | 1,568 B | 34.7 µs | 39.9 µs | 50.5 µs | No |
| ML-KEM-768 (the deployed choice) | NIST FIPS 203 | 1,184 B | 2,272 B | 57.4 µs | 63.1 µs | 77.9 µs | No |
| ML-KEM-1024 | NIST FIPS 203 | 1,568 B | 3,136 B | 87.2 µs | 93.3 µs | 114.1 µs | No |
| HQC-128 | NIST alternate | 2,249 B | 6,682 B | 1,437 µs | 2,931 µs | 4,778 µs | No |
| Classic McEliece-348864 | NIST alternate | 261,120 B | 261,216 B | 83,947 µs | 105 µs | 18,881 µs | No |
| Z6 lattice KEM | Research — unvetted | 24 B | 160 B | 10.2 µs | 18.3 µs | 7.3 µs | Yes |
Z6 is the smallest and fastest row in the table. That result is real and reproducible — and on its own it does not make Z6 a better choice than ML-KEM. Three reasons:
| Axis | ML-KEM-768 | Z6 lattice KEM |
|---|---|---|
| Security analysis | Multi-year NIST process, public cryptanalysis, security proofs | None. No external review, no proof, no published attack surface |
| Stated security level | NIST Category 3 | 165-bit key space — a keyspace size, not an assessed security level |
| Interoperability | X25519MLKEM768: one hybrid the whole industry converged on | Proprietary. Interoperates with nothing |
| Regulatory standing | FIPS-validated path for the 2030 federal deadlines | Not FIPS, not eligible |
| Deployment | Majority of browser traffic to major CDNs | This gateway |
Why smaller and faster is not automatically better. ML-KEM's 1,184-byte key and its keygen cost buy something specific: module-lattice operations whose hardness has been studied publicly for years. Z6 keygen samples 64 elements and bit-packs them, so it is cheap precisely because it does less mathematical work. A fair reading is that Z6 occupies a different point on the curve — extremely compact and MTU-resident, with an unquantified security margin — not that it dominates ML-KEM.
The interoperability lesson. The TLS ecosystem converged on a single hybrid (X25519MLKEM768) and deployment followed quickly; by mid-2026 post-quantum key agreement covers the majority of browser traffic to Cloudflare, and Executive Order 14412 set federal deadlines of 2030 for post-quantum encryption. IPsec went the other way — vendors shipped proprietary post-quantum key agreements that could not interoperate, and the migration was delayed by years. Z6 is, by construction, in that second category. It is a research protocol exploring what a compact ℤ₆ construction can do, not a drop-in replacement for a standardised KEM.
Method: PQClean reference implementations via pqcrypto, median of 3–300
iterations per operation depending on scheme cost, single machine, same process. Z6 timings are
a local reimplementation of the deployed construction (sample → pack, HKDF-SHA256,
AES-256-GCM); Z6 transit is measured from a live gateway envelope. Sizes for the NIST schemes
are the implementations' own, matching the published parameters. Harness is reproducible.