github ruvnet/RuView v1101
Release v1101

3 hours ago

Automated release from CI pipeline

Changes:
adr-108: Kyber post-quantum key exchange for cross-installation federation (#731)

Closes the quantum-resistance gap explicitly deferred from ADR-107.
Final ADR in the privacy + federation chain.

Replaces DH key exchange in ADR-107's Layer 4 secure aggregation with
Kyber-768 KEM (NIST FIPS 203, CNSA 2.0 default).

Migration timeline:

  • Phase 0 (NOW 2026): Classical X25519 (ADR-107 default)
  • Phase 1 (2026-Q4 -> 2027): Kyber-768 opt-in via --enable-pqc flag
  • Phase 2 (2027-Q2 -> 2028): Hybrid (X25519 + Kyber-768) becomes default
  • Phase 3 (2030+): Pure Kyber-768 (classical retired)

Why hybrid for Phase 2 (belt-and-braces):

  • Protects against future Kyber breaks (Kyber is ~5 years old)
  • Protects against classical breaks (X25519 backup)
  • Protects against implementation bugs in either primitive
  • Cost: ~3 kB/round/installation extra (negligible)

Why now (record-now-decrypt-later):
Adversaries can record federated updates today and decrypt them in
2035 when quantum capabilities arrive. Without ADR-108, the (epsilon,
delta) guarantees of ADR-106 silently expire when quantum computers
arrive. Proactive migration is cheap insurance.

Why Kyber-768 (not 512 or 1024):

  • NIST FIPS 203 (2024); ~AES-192 equivalent
  • CNSA 2.0 recommended default
  • Used by Cloudflare, Google, AWS in 2024-2026 rollouts
  • Public key 1184 B, ciphertext 1088 B, secret 32 B
  • 512 lacks CNSA 2.0 sign-off; 1024 doubles bandwidth without benefit

LOC: +220 on top of ADR-107.
Total federation budget ADR-105+106+107+108: ~1,550 LOC.

Threat model: 8 threats, every row has mitigation. Hybrid mode is
the belt-and-braces against both Kyber breaks AND classical breaks.

ADR CHAIN COMPLETE: 7 ADRs in the privacy + federation chain:
ADR-100 (cog packaging) -> ADR-103 (cog example) -> ADR-104 (MCP/CLI)
-> ADR-105 (within-installation federation) -> ADR-106 (DP + isolation)
-> ADR-107 (cross-installation + SA) -> ADR-108 (PQC key exchange).

No remaining unspecified privacy gap at any threat horizon (classical
or quantum).

Future ADRs catalogued:

  • ADR-109: PQC signatures (Dilithium replaces Ed25519 in ADR-100)
  • ADR-110: PQC hardware acceleration on Cognitum-v0
  • ADR-111: PQC for cog-store distribution

Composes:

  • R3 / R14 / R15 / R7 / R12 PABS: privacy chain intact through quantum transition
  • R10 / R11 (long-deployment): benefit most from forward secrecy as data ages

Honest scope:

  • Kyber ~5 years old; hybrid mitigates uncertainty
  • 'When do we need this?' uncertain (2030 aggressive / 2050+ conservative)
  • ESP32-S3 timing ~10 ms per handshake estimated negligible; needs measurement
  • Phase 3 retirement of classical needs future decision

Coordination: ticks/tick-28.md, no PROGRESS.md edit.

Docker Image:
ghcr.io/ruvnet/RuView:40e5a4d6f2c0b46a108d7e85e1c988adbf498531