The Time Horizon Problem
Security engineers think in threat models. A threat model specifies who the adversary is, what capabilities they have, and what they are trying to achieve. Design the security architecture to defeat that adversary, and the system is secure enough.
AI memory creates a threat model that most security teams have not encountered before: the adversary you need to defeat may not yet have the capability to attack you, but they will by the time the data you are protecting is no longer sensitive.
This is the harvest-now-decrypt-later problem. A nation-state adversary does not need to break your encryption today. They need to store the ciphertext today and break it when sufficiently powerful quantum computers become available, which various government and private estimates project to be somewhere between 5 and 15 years away. The data you encrypt in 2026 may still be sensitive in 2036. The encryption protecting it needs to survive that entire window.
For AI memory systems storing enterprise institutional knowledge, this timeline is not academic. The knowledge ARX protects — learned context about how organizations make decisions, what they prioritize, how they manage risk — is exactly the kind of long-lived sensitive asset that harvest-now-decrypt-later attacks target.
What NIST Has Already Decided
In August 2024, NIST finalized its first three post-quantum cryptographic standards: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for stateless hash-based signatures). These standards represent over a decade of open competition, cryptanalysis, and validation by the global cryptographic research community.
NIST’s guidance is explicit: agencies and critical infrastructure operators should begin migrating to these algorithms now, not when quantum computers arrive. The migration window is long, the technical complexity is significant, and waiting until the threat is imminent is waiting too long.
ARX is building to this standard.
The Current Foundation: AES-256-GCM and SHA-3
Before describing where ARX is going, it is worth being precise about where it stands today and why the current cryptographic foundation is not merely adequate — it is the right base for a post-quantum migration.
AES-256-GCM provides authenticated encryption with associated data. The “authenticated” part is not optional decoration. GCM mode produces a 128-bit authentication tag alongside the ciphertext. Any modification to the ciphertext — including modifications by an attacker who has obtained the ciphertext but not the key — produces a tag mismatch on decryption. The artifact is rejected. This is not just confidentiality. It is integrity. An attacker who cannot break the encryption also cannot modify the stored memory without detection.
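The tag check described above, as an added example (not ARX code) using the Python `cryptography` package. It goes one step beyond the paragraph by passing the artifact identifier as associated data, so a valid ciphertext moved under another identifier is also rejected; the identifiers and the sample record are constructed.

```python
# Added example, not ARX code. Artifact ids and the record are constructed.
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard GCM nonce size
TAG_LEN = 16    # 128-bit tag, appended to the ciphertext by AESGCM.encrypt
RECORD = b"constructed sample memory record"


def seal(key: bytes, artifact_id: str, plaintext: bytes) -> bytes:
    """Encrypt one artifact; its id is authenticated (not encrypted) as AAD."""
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, artifact_id.encode())


def open_sealed(key: bytes, artifact_id: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when authentication fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None  # truncated: cannot even contain a nonce and a tag
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, body, artifact_id.encode())
    except InvalidTag:
        return None  # ciphertext, tag, nonce or AAD does not match


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate storage-level modification of a single bit."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)
    blob = seal(key, "artifact-001", RECORD)
    return {
        "intact": open_sealed(key, "artifact-001", blob),
        "ciphertext_bit_flipped": open_sealed(key, "artifact-001", flip_bit(blob, NONCE_LEN)),
        "tag_bit_flipped": open_sealed(key, "artifact-001", flip_bit(blob, -1)),
        "relabelled": open_sealed(key, "artifact-002", blob),
        "overhead_bytes": len(blob) - len(RECORD),
    }
```

Every failure mode returns the same result, so a caller cannot tell which part of the stored blob was altered, only that the artifact must be rejected.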
AES-256 is notably resistant to quantum attacks. Grover’s algorithm can theoretically halve the effective key length of a symmetric cipher, reducing AES-256’s security to approximately 128 bits under quantum attack. 128-bit security is still considered computationally infeasible to break. AES-256 is explicitly listed in NSA’s CNSA 2.0 suite — the suite of algorithms approved for protecting classified information — for symmetric encryption.
SHA-3 — specifically the Keccak-f[1600] permutation standardized in FIPS 202 — provides the content-addressed fingerprinting that underlies VTM’s integrity verification. Unlike SHA-2, SHA-3 is based on a sponge construction rather than a Merkle-Damgård construction, providing resistance against length extension attacks that affect SHA-2 variants. SHA3-256 provides 128-bit collision resistance under classical computation and is considered quantum-resistant for its primary use case (preimage resistance) at its full output size.
These two algorithms — the ones ARX uses today — are the symmetric-key primitives that cryptographic agencies are recommending for long-term use precisely because they hold up well against the quantum threat model.
The Gap: Asymmetric Cryptography
The quantum vulnerability in most cryptographic systems is not in the symmetric primitives. It is in the asymmetric cryptography used for key exchange and digital signatures.
RSA, Diffie-Hellman, and elliptic curve cryptography are all broken by Shor’s algorithm running on a sufficiently powerful quantum computer. This is not speculation. The mathematics is established. The open question is when quantum computers with sufficient qubit counts and error correction will exist, not whether they will.
ARX’s roadmap includes migration from any elliptic curve key exchange to ML-KEM (FIPS 203) and from any EC-based signatures to ML-DSA (FIPS 204) for the components of the architecture that require asymmetric cryptography. This migration is planned, not improvised — the symmetric foundation (AES-256-GCM, SHA-3) is already post-quantum ready, which means the migration surface is bounded and manageable.
Zero Trust Architecture for Memory Access
Cryptographic strength at the data level is necessary but not sufficient. The access control layer that determines who can read and write memory artifacts must be equally rigorous.
ARX is designed on zero trust principles. The phrase is overused; the architecture is not.
Zero trust means every request for a memory artifact is authenticated and authorized independently, regardless of where the request originates. There is no trusted network perimeter that grants implicit access. A request from inside the enterprise network receives the same authentication challenge as a request from outside. A service that authenticated five minutes ago must authenticate again for the next request.
In practice, this means:
No ambient authority. No service or user has standing permission to access memory artifacts. Every access is granted per-request based on current credentials and current policy. A compromised credential does not grant access to future requests after the credential is revoked — there are no sessions that survive revocation.
Mutual authentication. Both the client and the server authenticate to each other. A service requesting a memory artifact must prove its identity. The artifact store must prove its identity to the requestor. Man-in-the-middle attacks are defeated not by trusting the network but by requiring proof on both sides.
Least privilege by default. A service that needs to read a specific class of memory artifacts receives authorization scoped to that class, not to the entire artifact store. Lateral movement within the system — an attacker who compromises one service and uses it to access artifacts outside its scope — requires defeating additional authorization layers.
Audit logging on every access. Every read, write, and verification operation is logged with a cryptographic timestamp. The log is itself tamper-evident. This is the compliance layer that makes the zero trust posture auditable.
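A minimal model of three of the properties above (per-request authorization, scoped grants, and a tamper-evident log), added here as an example and not taken from ARX. The class names, credential ids and integer timestamps are assumptions; mutual authentication and cryptographic timestamping are not modeled.

```python
# Added example, not ARX code. Names and sample data are constructed.
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # fixed-width anchor, so prev + body is unambiguous

def _link(prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha3_256((prev + body).encode()).hexdigest()

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "hash": _link(prev, event)})

    def first_bad_entry(self) -> int:
        """Index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["hash"] != _link(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return -1

@dataclass
class PolicyEngine:
    grants: dict  # credential id -> artifact classes it may read
    revoked: set = field(default_factory=set)
    log: AuditLog = field(default_factory=AuditLog)

    def authorize(self, cred: str, artifact_class: str, now: int) -> bool:
        # Evaluated on every request: no session cache, no standing permission.
        ok = cred not in self.revoked and artifact_class in self.grants.get(cred, set())
        self.log.append({"t": now, "cred": cred, "class": artifact_class, "ok": ok})
        return ok

def demo():
    pe = PolicyEngine(grants={"svc-reports": {"finance"}})
    decisions = [pe.authorize("svc-reports", "finance", 1),  # in scope
                 pe.authorize("svc-reports", "hr", 2)]       # out of scope
    pe.revoked.add("svc-reports")
    decisions.append(pe.authorize("svc-reports", "finance", 3))  # revoked
    before = pe.log.first_bad_entry()
    pe.log.entries[1]["event"]["ok"] = True  # simulated edit of a denial
    return decisions, before, pe.log.first_bad_entry()
```

A hash chain only detects edits relative to its latest hash, so that hash has to be recorded somewhere the log writer cannot rewrite; otherwise the whole chain can be recomputed after a change.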
FIPS 140-3: The Compliance Target
FIPS 140-3 is the current U.S. federal standard for cryptographic module validation. It specifies requirements for the design, implementation, and operation of cryptographic modules used in federal systems and products sold to the federal government.
ARX is targeting FIPS 140-3 compliance. This is not marketing language. It is a specific technical commitment with specific consequences.
FIPS 140-3 compliance requires, among other things: that cryptographic algorithms be approved algorithms (AES-256, SHA-3 — both approved); that the cryptographic module boundary be clearly defined; that the module support authenticated administration; that key management processes be documented and auditable; and that the implementation be formally tested by an accredited cryptographic module testing laboratory.
The Rust implementation of ARX’s cryptographic pipeline — pure Rust, no C FFI, deterministic behavior across platforms — is the architectural choice that makes FIPS 140-3 certification achievable. A cryptographic pipeline that crosses language boundaries or depends on platform-specific native libraries is a pipeline that requires significantly more audit surface to certify. Rust’s memory safety guarantees eliminate the class of implementation errors that most commonly cause FIPS certification failures.
Why This Matters Beyond Compliance
FIPS 140-3 certification matters for federal procurement. That is obvious. What is less obvious is why the compliance target matters for enterprises that have no immediate federal contracts.
The FIPS certification process is a proxy for cryptographic rigor. A module that passes FIPS 140-3 has been designed to handle key material securely, has documented and tested its implementation against a comprehensive threat model, and has been validated by an independent third party. These properties are valuable regardless of whether the specific regulation requires them.
Enterprises in financial services, healthcare, and defense prime contracting are under increasing regulatory pressure to document the security properties of the AI infrastructure they deploy. “We are built on FIPS 140-3 compliant cryptographic modules” is an answer that regulators understand and auditors can verify. “Our encryption is strong” is not.
The AI memory market is early. The regulatory frameworks are not written yet. The enterprises that build on cryptographically rigorous infrastructure now will not need to retrofit compliance later when the frameworks arrive. The ones that optimize for speed to market will.
The Threat Is Not Hypothetical
In January 2025, the NSA issued guidance stating that organizations should assume that adversaries are currently harvesting encrypted data for future decryption. This is not a theoretical warning. It is an operational assessment based on observed behavior.
The institutional knowledge stored in AI memory systems — the learned preferences, the accumulated decision context, the organizational reasoning patterns — is exactly the kind of data that a patient adversary would harvest now and decrypt later. It is long-lived, high-value, and increasingly central to how organizations operate.
The cryptographic architecture of ARX is designed for the adversary that will exist when the data is still in use, not only the adversary that exists today. That is the only defensible position for infrastructure that makes guarantees about memory integrity.
Sukh Sidhu is the Founder and CEO of ARX, building the stateful runtime layer for enterprise AI. ARX is targeting FIPS 140-3 compliance on zero trust architecture. He can be reached at info@arxqm.com.
Sources:
- NIST Post-Quantum Cryptography Standards, FIPS 203/204/205, August 2024.
- NSA CNSA 2.0 Suite, 2024.