Cryptographic Bill of Materials
The PQC Migration Handbook (TNO / AIVD / CWI) tells organisations to start by publishing a cryptographic inventory — every primitive in use, its standard, and its role. So here is ours, in full. Throndar is designed and assessed against the NIST post-quantum standards (FIPS 203 / 204 / 205) — not certified, and we make no “quantum-proof” claim. Just an honest, machine-readable account you can audit.
Loading the inventory…
Mapped to the handbook's 3-phase migration
- 1 · Diagnosis — this CBOM is our cryptographic inventory. Every primitive in the answer-provenance layer is post-quantum or hybridised; classical TLS 1.3 still protects the browser transport (a platform-provided hedge), and the internal bridge hop adds a hybrid X25519 + ML-KEM-1024 key exchange.
- 2 · Planning — crypto-agility is built in: three independent signature families mean we can drop any one without re-architecting.
- 3 · Execution — already done for new data: every answer is signed with post-quantum primitives today, and verifiable in your browser.
Need this for your own stack?
This page is our own CBOM. An Evidence Pack Express produces the same signed artifact for your codebase — executive summary, A–F readiness grade, findings, CycloneDX 1.6 CBOM, and a migration plan. Self-attested and signature-verifiable; not a certification.
Get an Evidence Pack for your stack →Learn more
Machine-readable: /api/cbom · Verify an answer · Transparency ledger · Live keys