Protocol Summary

QSMP defines two operational variants, SIMPLEX and DUPLEX, to support unidirectional and bidirectional trust models. SIMPLEX is optimized for client to server deployments where the client verifies the server identity and establishes a protected channel quickly. DUPLEX extends the same foundations to mutual authentication, independent contributions from both parties, and explicit key confirmation suitable for high assurance links.

Both variants establish a symmetric tunnel after the handshake and then protect all application traffic with authenticated encryption. Packet metadata is bound as associated data, enabling integrity for both payload and relevant header fields, and enabling replay resistance through sequence and time validation.

Motivation and Problem Definition

Messaging systems that rely on negotiable, multi-layer protocol stacks often carry avoidable complexity and downgrade risk. In long-lived systems, the combination of classical public key dependencies and opaque negotiation logic complicates formal assurance and makes transition planning harder. QSMP was designed to be deterministic, profile-driven, and explicit about what is authenticated, what is derived, and what is accepted.

The protocol also targets operational constraints. It keeps session state minimal, supports rapid establishment, and is intended to scale across high-volume client-server deployments as well as persistent bilateral channels where continuity and governance are primary requirements.

Architecture and Mechanism

QSMP uses post-quantum key encapsulation and post-quantum signatures for establishment, then derives directional traffic keys using deterministic hashing and domain-separated key derivation. In SIMPLEX, the client encapsulates to the server, verifies the server’s authenticated material, and derives independent transmit and receive keys. In DUPLEX, both parties contribute key establishment material, producing two shared secrets that are combined into higher strength session keys and then confirmed explicitly.

Traffic protection uses authenticated encryption with strict header binding. Standard packet fields (flags, sequence, size, and timestamp) are authenticated along with the ciphertext, enforcing message integrity, temporal validity, and replay protection without inflating the framing structure.

Security Model

QSMP is designed around authenticated and confidential channel establishment goals, providing confidentiality, integrity, and authentication in the presence of an active network adversary. Forward secrecy is achieved through ephemeral establishment material, and the protocol supports optional ratcheting to refresh symmetric keys and, when needed, re-run encapsulation to refresh establishment state.

• Downgrade resistance by binding configuration strings and cryptographic profiles into authenticated transcripts.
• Replay protection through validated timestamps and monotone sequence processing.
• Explicit key confirmation (DUPLEX) to ensure both parties agree on the established keys.
• Session isolation by deriving independent directional keys and discarding ephemeral material on teardown.

Implementation and Integration

QSMP is implemented to support deterministic behavior and compliance-driven environments. It is designed for portability across common operating systems and for integration beneath higher-level applications as a transport security substrate. SIMPLEX favors low latency establishment and small per-connection state, while DUPLEX is intended for persistent, high trust channels that benefit from mutual authentication and ongoing key refresh.

QSMP also serves as a foundation layer for other QRCS systems, providing a consistent handshake structure, traffic protection semantics, and cryptographic profile discipline that can be reused across tunneling, relay, and infrastructure protocols.

Use Cases and Applications

QSMP is suitable where long-term confidentiality and verifiable session establishment are required:

• Finance and payments for low-latency transaction channels with post-quantum resilience.
• Government and defense for mutually authenticated, persistent communications links.
• Enterprise and cloud as a deterministic alternative to negotiated transport security in zero-trust environments.
• IoT and embedded for compact state messaging and telemetry protection at scale.
• Critical infrastructure for authenticated control-plane messaging with strict replay resistance.

Conclusion

QSMP is a post-quantum messaging protocol designed to be explicit, deterministic, and deployable. Its SIMPLEX and DUPLEX variants cover both scalable client-server messaging and high assurance mutual authentication, while preserving strong channel guarantees and clean operational behavior.

By combining post-quantum establishment with authenticated encryption, strict transcript binding, and optional ratcheting, QSMP provides a durable messaging substrate for modern infrastructures that must remain secure across long planning horizons.