CAI-AUTH — Cipher AI Authenticator
Technical Specifications & Market Data
For CTOs, CISOs, and technology decision-makers evaluating post-quantum authentication.
The Market Imperative
Why CEOs and Boards Need to Act Now
The Harvest Now, Decrypt Later Risk
Nation-state adversaries (China, Russia, North Korea) are systematically capturing and storing encrypted enterprise communications today. When a cryptographically relevant quantum computer arrives (commonly estimated at 2030 to 2035; the date is uncertain), they will decrypt:
- M&A communications and IP
- Authentication tokens and session data
- Customer PII and financial records
- Strategic plans and board communications
What that decryption yields depends on what the recorded traffic contained. Passwords, bearer tokens and OTP codes sent over a classically keyed TLS session are recoverable later; a CAI-AUTH login recorded the same way contains only public keys and a spent one-time signed challenge, which cannot be replayed and does not reveal the device's private keys. Keeping the content of the recorded session itself confidential is a separate requirement on the transport (a post-quantum key exchange such as hybrid ML-KEM in TLS), not something an authenticator can provide on its own.
The Regulatory Exposure
| Regulation | Relevance to authentication |
|---|---|
| DORA (EU) | ICT risk management for the financial sector, applicable since 17 January 2025; its technical standards require cryptographic controls to be reviewed against developments in cryptanalysis. Banks, insurers and fintechs. |
| NIS2 | State-of-the-art security measures, including multi-factor authentication, across 18 sectors. Fines up to €10M or 2% of global turnover for essential entities. |
| eIDAS 2.0 | EU Digital Identity Wallets due from member states in 2026; long-lived identity credentials are the ones most exposed to a later quantum break. |
| NSA CNSA 2.0 | PQC (ML-KEM, ML-DSA, LMS/XMSS) required for US National Security Systems, phased in from 2025 and exclusive by 2033. |
Protocol Specification — CHAP-1
| Parameter | Classical Layer | Post-Quantum Layer | Hybrid (CHAP-1) |
|---|---|---|---|
| Algorithm | Ed25519 | ML-DSA-65 | Ed25519 + ML-DSA-65 |
| Standard | RFC 8032 | NIST FIPS 204 | CAI-AUTH Hybrid Spec v1 |
| Security level | 128-bit classical (no quantum security) | NIST Category 3 (comparable to AES-192) | Unforgeable while either layer holds |
| Private key size | 32 bytes | 4,032 bytes | 4,064 bytes combined |
| Public key size | 32 bytes | 1,952 bytes | 1,984 bytes combined |
| Signature size | 64 bytes | 3,309 bytes | 3,373 bytes combined |
| Sign latency (ARM) | ~2ms | ~180ms | ~182ms (imperceptible) |
| Verify latency (server) | <1ms | ~14ms | ~15ms |
Security Architecture
Dual-signature verification formula:
HybridSig(m) = (Ed25519.Sign(sk_ed, m), ML-DSA-65.Sign(sk_ml, m))
HybridVerify(m, sig, pk) = Ed25519.Verify(pk_ed, m, sig.ed) AND ML-DSA-65.Verify(pk_ml, m, sig.ml)
The security argument: to forge a CHAP-1 signature an adversary must forge both components, so the hybrid stays unforgeable as long as either Ed25519 or ML-DSA-65 does. A quantum adversary that recovers sk_ed with Shor's algorithm still has to break the Module-LWE/Module-SIS problems underlying ML-DSA-65, for which no efficient quantum algorithm is known; a future lattice break still leaves the elliptic-curve discrete logarithm standing against classical attackers. Two implementation details carry this argument: the verifier must reject any response in which either component is missing or fails (never fall back to a single layer, since an attacker able to strip a component would strip the stronger one), and both components should sign the same domain-separated bytes, with both public keys bound into those bytes so that a component signature cannot be transplanted into another key pair or protocol.
Threat Coverage Matrix
| Attack Vector | Threat Actor | Classical Auth | CAI-AUTH |
|---|---|---|---|
| Brute force / credential stuffing | Cybercriminals | ✅ | ✅ |
| Phishing / token theft | APT groups | Partial | ✅ Device-bound key; the response is a signature over a one-time server challenge, not a reusable secret |
| Shor's algorithm on ECDSA/RSA | Nation-state (post-2030) | ❌ FAIL | ✅ ML-DSA holds |
| Store-Now-Decrypt-Later (SNDL) | Nation-state (active today) | ❌ FAIL (decrypted sessions expose passwords, OTPs and bearer tokens) | Partial: a decrypted login yields only public keys and a spent signed challenge; the session content itself stays confidential only if TLS uses a post-quantum key exchange, which is outside the authenticator |
| MITM at enrollment | Network attackers | Partial | ✅ Signed challenge + TLS |
| Replay attack | Network attackers | Partial | ✅ Timestamp + nonce |
| Server breach (credential DB) | External attackers | Hashed passwords leaked | ✅ Public keys only — useless without device |
| Hypothetical ML-DSA flaw | Future cryptanalysis | N/A | ✅ Ed25519 component must still be forged (AND verification, not a fallback) |
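The hybrid sign/verify rule above, together with the replay, phishing and server-breach rows of the matrix, as one added example in Go. This is not CAI-AUTH's code. It assumes things the page does not specify (a length-prefixed signed-message layout with its own label, a 16-byte nonce, a 60 second window, and names such as `Respond`, `Authenticate` and `HybridVerify` that are the example's own) and, because it carries no ML-DSA dependency, fills the post-quantum slot with a second, independent Ed25519 key; swap `pqSign`/`pqVerify` for a FIPS 204 implementation to get the real composition.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// One (sign, verify) pair per layer. In deployment pqSign/pqVerify would be an ML-DSA-65
// (FIPS 204) implementation; with no ML-DSA dependency here, both layers run Ed25519 on
// independent keys, which exercises the composition and protocol logic only.
func edSign(priv, msg []byte) []byte { return ed25519.Sign(ed25519.PrivateKey(priv), msg) }
func edVerify(pub, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}
var pqSign, pqVerify = edSign, edVerify // stand-in: swap for ML-DSA-65
type HybridPub struct{ Classical, PQ []byte } // all the server stores per device
type HybridSig struct{ Classical, PQ []byte }
type HybridKey struct{ Pub HybridPub; classical, pq []byte } // private halves stay on the device
func GenKey() HybridKey {
	cpub, cpriv, _ := ed25519.GenerateKey(rand.Reader)
	ppub, ppriv, _ := ed25519.GenerateKey(rand.Reader) // ML-DSA-65 keygen in deployment
	return HybridKey{HybridPub{cpub, ppub}, cpriv, ppriv}
}

// toBeSigned domain-separates the message and binds both public keys, so a component
// signature cannot be transplanted into another key pair or protocol. The label and
// length-prefixed layout are this example's own, not CHAP-1's encoding.
func toBeSigned(pub HybridPub, msg []byte) []byte {
	out := []byte("hybrid-auth-example-v1\x00")
	for _, part := range [][]byte{pub.Classical, pub.PQ, msg} {
		out = append(binary.BigEndian.AppendUint32(out, uint32(len(part))), part...)
	}
	return out
}
func HybridSign(k HybridKey, msg []byte) HybridSig {
	tbs := toBeSigned(k.Pub, msg)
	return HybridSig{edSign(k.classical, tbs), pqSign(k.pq, tbs)}
}
// HybridVerify is a strict AND: a missing component fails outright, never a fallback.
func HybridVerify(pub HybridPub, msg []byte, sig HybridSig) error {
	tbs := toBeSigned(pub, msg)
	switch {
	case len(sig.Classical) == 0 || len(sig.PQ) == 0:
		return errors.New("hybrid signature incomplete")
	case !edVerify(pub.Classical, tbs, sig.Classical):
		return errors.New("classical layer failed")
	case !pqVerify(pub.PQ, tbs, sig.PQ):
		return errors.New("post-quantum layer failed")
	}
	return nil
}

// Challenge is the server's message; the device signs exactly Encode(). Origin is the
// server identity the response is bound to; IssuedAt is unix seconds.
type Challenge struct{ Origin string; Nonce [16]byte; IssuedAt int64 }
func (c Challenge) Encode() []byte {
	return append(append(binary.BigEndian.AppendUint64(nil, uint64(c.IssuedAt)), c.Nonce[:]...), c.Origin...)
}
// Server state is public keys plus outstanding nonces; a breach yields nothing signable.
type Server struct {
	Origin   string
	enrolled map[string]HybridPub
	pending  map[[16]byte]int64 // nonce -> IssuedAt, removed on first use
}
func NewServer(origin string) *Server { return &Server{origin, map[string]HybridPub{}, map[[16]byte]int64{}} }
func (s *Server) Enroll(id string, pub HybridPub) { s.enrolled[id] = pub }
func (s *Server) NewChallenge(now int64) Challenge {
	var n [16]byte
	rand.Read(n[:])
	s.pending[n] = now
	return Challenge{s.Origin, n, now}
}

// Authenticate checks the challenge against server-side state (never the client's copy
// of origin or timestamp), consumes the nonce even if a later check fails, enforces a
// 60 s window, then runs the hybrid verification. The caller passes the clock.
func (s *Server) Authenticate(id string, ch Challenge, sig HybridSig, now int64) error {
	pub, enrolled := s.enrolled[id]
	issued, live := s.pending[ch.Nonce]
	delete(s.pending, ch.Nonce)
	switch {
	case !enrolled:
		return errors.New("unknown device")
	case !live || issued != ch.IssuedAt || ch.Origin != s.Origin:
		return errors.New("challenge not issued by this server or already used")
	case now-issued > 60:
		return errors.New("challenge expired")
	}
	return HybridVerify(pub, ch.Encode(), sig)
}
// Respond is the device side: it signs only for its enrolled origin (phishing resistance).
func Respond(k HybridKey, enrolledOrigin string, ch Challenge) (HybridSig, error) {
	if ch.Origin != enrolledOrigin {
		return HybridSig{}, errors.New("refusing to sign for unexpected origin")
	}
	return HybridSign(k, ch.Encode()), nil
}
```

Points worth carrying into a real deployment: the nonce is deleted before any other check, so a failed attempt cannot be retried; the server compares the origin and issue time it recorded, not the values the client sends back; a response missing either component is rejected rather than verified on the remaining layer; and the device declines to sign a challenge for any origin other than the one it enrolled with, which is what turns a signed challenge into a phishing-resistant credential.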
Competitive Intelligence
| Vendor | PQC Status | Mobile SDK | FIPS 204 | SNDL Protection | Available Now |
|---|---|---|---|---|---|
| Google Authenticator | Not planned | ❌ | ❌ | ❌ | ❌ |
| Microsoft Authenticator | Roadmap 2026+ | ✅ | ❌ | ❌ | ❌ |
| Yubico (FIDO2) | Roadmap 2025+ | Hardware only | ❌ | ❌ | ❌ |
| Okta / Auth0 | Research phase | ✅ | ❌ | ❌ | ❌ |
| Ping Identity | Evaluating | ✅ | ❌ | ❌ | ❌ |
| CAI-AUTH | ✅ Production | ✅ | ✅ | ✅ | ✅ Today |
Source: Vendor public roadmaps and NIST PQC migration tracking, Q1 2026. All competitors list PQC as “future work” or “in evaluation.”
Integration Architecture
What CAI-AUTH replaces
- TOTP apps (Google Auth, Authy)
- SMS OTP (SIM-swappable)
- Push notifications (phishable)
- Hardware tokens (FIDO2 — not PQC)
- Biometric-only systems (no key material)
What CAI-AUTH integrates with
- Any HTTPS backend (REST API)
- OAuth 2.0 / OIDC flows (JWT extension)
- SAML 2.0 (assertion signing)
- Active Directory / LDAP (as 2FA layer)
- Existing Android app (add-on, 4–8 h)
Total Cost of Ownership — SDK Licensing
| Tier | Target | Model | Pricing | Includes |
|---|---|---|---|---|
| Starter | SMBs, startups | SaaS per seat | $5–15/user/mo | Cloud-hosted, standard SLA |
| Enterprise | Banks, telcos, large enterprise | SDK license | $50K–$500K/yr | Self-hosted, AAR + server SDK, 99.9% SLA, HSM support |
| Government | EU/NATO institutions | Custom deployment | $1M+ | Air-gapped option, source escrow, compliance audit |
| White-label | Banks building own auth product | OEM license | Custom | Full rebrand, FIPS 204 compliance documentation |
Implementation Timeline
| Android SDK install | 2 hours |
| Existing Android app | 4–8 hours |
| Python backend | 1 hour |
| Java/Spring backend | 4 hours |
| Full enterprise rollout | < 30 days |
Current MVP Status
- ✅ Rust core: Ed25519 + ML-DSA-65 hybrid
- ✅ Android app: QR enrollment flow
- ✅ FastAPI server: enrollment + auth
- ✅ 200ms end-to-end on Pixel 7
- ⏳ Enterprise SDK: Q2 2026
- ⏳ iOS support: Q3 2026
- ⏳ First bank client: Q3 2026
Request Technical Briefing
Detailed technical documentation, security audit reports, and integration architecture for your team. Available under NDA for qualified enterprises.
contact@caitech.ro • caitech.ro • CAI Technology SRL
