§ QuantumShield IoT · Firmware integrity

Firmware that can't be forged or rolled back.

QuantumShield signs each firmware release as a manifest with a hybrid post-quantum signature (Ed25519 + ML-DSA-87 + optional SLH-DSA). A device verifies, before it flashes: the manifest is from the pinned vendor, the binary it received hashes to the signed digest, the version is strictly newer than what's installed, and the model matches. An attacker can't slip in a different binary — or re-flash an old, signed-but-vulnerable image.

Verify before you flash.

Sign → ship → verify-before-flash.

  1. The vendor hybrid-signs a manifest binding the model, version, and the firmware binary's hash.
  2. The release ships over OTA with the manifest alongside the binary.
  3. The device hashes what it received, checks the signature against its pinned vendor keys, confirms the version is newer and the model matches — and only then flashes.
import { signFirmware, verifyFirmware } from 'pqfirmware'
Reference implementation · in active development · independently verifiable · unaudited

QuantumShield is an unaudited reference implementation of post-quantum firmware-manifest signing and anti-rollback. It is "tamper-evident and rollback-resistant under the declared trust model," not "unbreakable" — device-side key custody, a secure boot root of trust, and a durable installed-version store remain the integrator's responsibility. Reference software for evaluation and pilots, not a certified product. Nothing here is an offer of any security, token, or financial instrument.