Delphi components for post-quantum cryptography (PQC). ML-KEM, ML-DSA and SLH-DSA key encapsulation and digital signatures via Windows CNG, OpenSSL 3.5 and liboqs. Delphi 7 to Delphi 13 compatible. NIST FIPS 203, FIPS 204, FIPS 205 compliant. Designed for ICP-Brasil V12 migration (IN ITI 35/2026). Community Edition — free and open-source (MPL 2.0).
QuantumShield is a free, open-source Delphi component library for post-quantum cryptography (PQC). It enables Delphi developers to add quantum-resistant key exchange (ML-KEM / FIPS 203), digital signatures (ML-DSA / FIPS 204) and hash-based signatures (SLH-DSA / FIPS 205) to their applications — from legacy Delphi 7 ERPs to modern Delphi 13 projects.
Built specifically for the Brazilian market, QuantumShield addresses the mandatory PQC migration imposed by ICP-Brasil IN ITI 35/2026, which requires all digital certification systems to support ML-DSA and ML-KEM by March 2029.
It wraps three cryptographic backends — Windows CNG (Win11 24H2+), OpenSSL 3.5, and liboqs — behind a single IQSCryptoProvider interface with automatic backend selection. No code changes needed when switching backends.
| Standard | Algorithms | Category |
|---|---|---|
| FIPS 203 (ML-KEM) | ML-KEM-512, ML-KEM-768, ML-KEM-1024 | Key Encapsulation |
| FIPS 204 (ML-DSA) | ML-DSA-44, ML-DSA-65, ML-DSA-87 | Digital Signature |
| FIPS 205 (SLH-DSA) | 12 parameter sets (SHA2/SHAKE × 128/192/256 × s/f) | Hash-based Signature |
18 algorithms total, all with keygen, sign/verify (signatures) or encap/decap (KEM).
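```pascal
program QuickStartSign;
{$APPTYPE CONSOLE}

uses
  QS_Core_Types, QS_Core_Interfaces, QS_Infra_ProviderFactory;

const
  Greeting: AnsiString = 'Hello PQC!';

var
  Prov: IQSCryptoProvider;
  KP: TQSKeyPair;
  Sig: TQSSignature;
  Msg, Ctx: TQSBytes;
begin
  // Auto-selects best backend (CNG > OpenSSL > liboqs)
  Prov := TQSProviderFactory.CreateProviderFor(qsaMLDSA65);
  // Generate ML-DSA-65 keypair
  KP := Prov.SignatureGenerateKeyPair(qsaMLDSA65);
  try
    // Sign: copy exactly Length(Greeting) bytes (10), not a hard-coded count
    SetLength(Msg, Length(Greeting));
    Move(Greeting[1], Msg[0], Length(Msg));
    SetLength(Ctx, 0); // empty ML-DSA context string
    Sig := Prov.Sign(KP.PrivateKey, Msg, Ctx);
    try
      // Verify with an explicit check: Assert() is compiled out under {$C-},
      // which would skip verification entirely in a release build
      if Prov.Verify(KP.PublicKey, Msg, Sig, Ctx) then
        WriteLn('Post-quantum signature verified!')
      else
      begin
        WriteLn('Signature verification FAILED');
        ExitCode := 1;
      end;
    finally
      Sig.Free;
    end;
  finally
    KP.Free;
  end;
end.
```

Download OpenSSL 3.5 from slproweb.com (Win32 or Win64). Place libcrypto-3-x64.dll next to your EXE or on the system PATH.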
On Windows 11 24H2+, ML-DSA works natively via CNG without OpenSSL.
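Every OpenSSL 3.x release ships libcrypto under the same DLL name, so an older 3.x copy found on the PATH loads without error but has no ML-KEM, ML-DSA or SLH-DSA. The following added example (not QuantumShield code) loads the DLL as described above, reports the file that was actually mapped, and checks the version through OpenSSL's `OPENSSL_version_major` and `OPENSSL_version_minor` exports. The program name and the Win32 DLL name `libcrypto-3.dll` are assumptions that do not come from this page.

```pascal
program CheckLibCrypto; // hypothetical name; added example, not project code
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

const
{$IFDEF WIN64}
  LibName = 'libcrypto-3-x64.dll'; // Win64 name, as given in the text above
{$ELSE}
  LibName = 'libcrypto-3.dll';     // assumption: Win32 OpenSSL 3.x DLL name
{$ENDIF}
type
  TVerFn = function: Cardinal; cdecl; // unsigned int OPENSSL_version_major(void)
var
  H: HMODULE;
  Err: DWORD;
  Major, Minor: TVerFn;
  Buf: array[0..MAX_PATH] of Char;
  LoadedFrom: string;
begin
  ExitCode := 1; // stays 1 unless every check below passes
  H := LoadLibrary(LibName); // default search order: EXE directory first, PATH last
  if H = 0 then
  begin
    Err := GetLastError; // capture before any console I/O can overwrite it
    WriteLn(LibName, ' not found, Win32 error ', Err);
    Exit;
  end;
  try
    // Report the file that was actually mapped, not the one we hoped for.
    SetString(LoadedFrom, Buf, GetModuleFileName(H, Buf, Length(Buf)));
    WriteLn('Loaded from: ', LoadedFrom);
    if not SameText(ExtractFilePath(LoadedFrom), ExtractFilePath(ParamStr(0))) then
      WriteLn('WARNING: not the copy next to the EXE; review the PATH entry it came from');
    @Major := GetProcAddress(H, 'OPENSSL_version_major');
    @Minor := GetProcAddress(H, 'OPENSSL_version_minor');
    if not (Assigned(Major) and Assigned(Minor)) then
      WriteLn('Version exports missing: not an OpenSSL 3.x libcrypto')
    else if (Major() < 3) or ((Major() = 3) and (Minor() < 5)) then
      WriteLn('OpenSSL ', Major(), '.', Minor(), ' is older than 3.5: no PQC algorithms')
    else
    begin
      WriteLn('OpenSSL ', Major(), '.', Minor(), ' OK for the OpenSSL backend');
      ExitCode := 0;
    end;
  finally
    FreeLibrary(H);
  end;
end.
```

The exit code is 0 only when a libcrypto of version 3.5 or later was loaded, so the program can gate an installer or a CI step.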
Delphi 7:

1. Open packages/D7/QSCore_D7.dpk → Install
2. Open packages/D7/QSProviderOpenSSL_D7.dpk → Install
3. Open packages/D7/QSInfra_D7.dpk → Install

Delphi 10+:

1. Open packages/D10/QSCore.dpk → Install
2. Open packages/D10/QSProviderOpenSSL.dpk → Install
3. Open packages/D10/QSInfra.dpk → Install

Add src\Core, src\Providers\OpenSSL, src\Infrastructure, src\Services to your project search path.
| Layer | Contents |
|---|---|
| Core | Types, constants (FIPS sizes), errors, SecureBuffer (anti-DCE wipe), Base64, hex/UTF-8 utils, PEM/DER serialization, domain classes |
| Providers | CNG (Win11 24H2), OpenSSL 3.5, liboqs — all 18 algorithms |
| Infrastructure | Auto-selection factory, platform detection, config singleton, provider registry |
| Services | TQSSignerService (sign/verify bytes, strings, streams), TQSKeyExchangeService (KEM keygen/encap/decap) |
| Tests | 400+ DUnit tests, NIST KAT harness with .rsp parser, cross-provider interop matrix, benchmark suite |
| Samples | D7_BasicSigning, D7_KeyExchange |
The following modules will be available in future paid editions:
| Module | What it does | Why it matters |
|---|---|---|
| XML/XAdES Signer | Sign NF-e, CT-e, NFS-e with ML-DSA (RFC 9881) | Required for Brazilian fiscal document emission |
| CMS/PKCS#7 | SignedData envelopes with ML-DSA/SLH-DSA | S/MIME, code signing, timestamp tokens |
| ICP-Brasil V12 | Chain validation, policy engine (A1/A3/A4/Selo), OIDs | Regulatory compliance with IN ITI 35/2026 |
| X.509 Cert Validator | Parse and validate PQC certificates | Verify V12 certs from Brazilian CAs |
| Hybrid Signer | RSA-PSS/ECDSA + ML-DSA dual signature | Transition period 2026-2029 |
| TLS 1.3 PQC | x25519_mlkem768 via TaurusTLS/Indy | Secure connection to SEFAZ/GOV.BR |
| VCL Components | TQSSigner, TQSKeyExchange, TQSXMLSigner, TQSICPValidator | Drop on form, configure in Object Inspector |
Additional modules and commercial support plans coming soon.
| Delphi | Win32 | Win64 |
|---|---|---|
| 7 | ✅ | — |
| 2009+ | ✅ | — |
| XE2+ | ✅ | ✅ |
| 12–13 | ✅ | ✅ |

| Windows | CNG PQC | OpenSSL 3.5 | liboqs |
|---|---|---|---|
| 7 / 8.1 | ❌ | ✅ | ✅ |
| 10 | ❌ | ✅ | ✅ |
| 11 24H2+ | ✅ | ✅ | ✅ |
| Server 2025 | ✅ | ✅ | ✅ |
```
┌─────────────────────────────────────────────┐
│              Your Application               │
├─────────────────────────────────────────────┤
│  TQSSignerService  │ TQSKeyExchangeService  │
├─────────────────────────────────────────────┤
│          TQSProviderFactory (auto)          │
├──────────┬──────────────┬───────────────────┤
│ CNG      │ OpenSSL 3.5  │ liboqs            │
│ (Win11)  │ (any Win)    │ (fallback)        │
├──────────┴──────────────┴───────────────────┤
│ ML-KEM-512/768/1024  │ ML-DSA-44/65/87      │
│ SLH-DSA (12 sets)    │                      │
└─────────────────────────────────────────────┘
```
- Private keys live only inside `IQSSecureBuffer` with anti-DCE wipe (dynamic `RtlSecureZeroMemory` or XOR-sink fallback)
- Secret comparison via `QSConstantTimeEquals` (no early exit)
- All DLLs loaded dynamically via `GetProcAddress` — no `external` imports, no crash on missing DLLs
- Typed `EQS*` exceptions — never bare `Exception`
- Zero warnings, zero hints policy (Article IX of the project constitution)
```
# Delphi 7
Open tests\DUnit\QSTests_DUnit.dpr → Run

# NIST KAT vectors (requires vector download)
scripts\download-nist-vectors.bat
scripts\run-kats-for-release.bat
```

Full documentation in Portuguese: docs/pt-BR/
- Getting Started (15 minutes)
- Migration RSA → ML-DSA
- Security Model
- Delphi 7 Guide
- ICP-Brasil Integration
- FAQ
Community Edition is licensed under the Mozilla Public License 2.0.
Commercial modules (XML Signer, CMS, ICP-Brasil, Hybrid, TLS, VCL Components) will be available under a proprietary license.
Contributions to the Community Edition are welcome. Please read the constitution before submitting a PR — it defines the 9 inviolable articles every contribution must respect (D7 baseline, dynamic loading, secure memory, typed exceptions, zero warnings, etc.).