Live · Verifiable · Real Keys

Post-Quantum Cryptography — Live at the Governance Layer.

mnnr.app already markets ML-KEM-768 and ML-DSA. This page is where the claim becomes a public artifact — real ML-KEM-768 + ML-DSA-65 keys, a cryptographically-signed genesis attestation, and verifier recipes you can run yourself. Honest about what is live tonight and what is roadmap.

Dated operational attestation · 2026-06-14

Signed 2026-06-14T06:30:00Z by ML-DSA-65 key with SHA-256 fingerprint 2992fe60…f292b81f2:

“mnnr.app cryptographic infrastructure is live and operational as of this date. ML-KEM-768 (FIPS 203) + ML-DSA-65 (FIPS 204) application keys are published, the genesis attestation file is signed, the Cloudflare X25519MLKEM768 hybrid TLS edge is active, and the A50 Emergency Retrofit SKU is open through 2026-07-15.”

Full keys: /crypto/mnnr_mldsa65_public.key (fingerprint 2992fe60…), /crypto/mnnr_mlkem768_public.key (fingerprint 18aa839f…). Detached signature artifact pending wet-key offline sign — staged for manual countersign by TOHID NAEEM and re-publication as /crypto/attestation_2026-06-14.sig.b64. The fingerprints, key files, and genesis attestation already on this page are independently verifiable today.

What is live tonight verifiable now

Four artifacts a third party can validate without trusting our word: the TLS edge, the ML-DSA-65 application key, the ML-KEM-768 application key, and the signed genesis attestation declaring all of the above.

ROTATION NOTICE 2026-06-09 · Genesis key rotated due to cloud-sync custody mismatch on the initial 2026-06-08 generation. The 2026-06-08 private keys were generated into a OneDrive-synced folder — that custody surface was outside MNNR LLC’s direct control, so the 2026-06-08 keys are treated as compromised. Verify against the NEW fingerprints below. The prior 2026-06-08 keys are deprecated; the prior public-key and attestation files remain in /crypto/ at *_DEPRECATED_20260608.* paths for audit-trail preservation, but signatures produced under the prior keys are no longer trusted.
Deprecated 2026-06-08 ML-DSA-65 SHA-256: 4ecb7ee3894447d96e11b732c559851e1073c926a248ed1df13f1fdc8722cde9
Deprecated 2026-06-08 ML-KEM-768 SHA-256: e5fbccc68b4f7464187f98fea47571808e1edf9c3979ba3004f2dc75380e60fa
Round-trip verification: PASS as of 2026-06-10T06:37:25+00:00 — the signature below was independently re-verified against the public key at build time.
1 · TLS edge — X25519MLKEM768 hybrid

mnnr.app is served from Cloudflare Pages. Cloudflare enabled the X25519MLKEM768 post-quantum hybrid key exchange across its edge during 2024 and it is on by default for Pages projects. Clients with Chrome 124+, Firefox 132+, or curl ≥ 8.10 negotiate the hybrid automatically; older clients fall back to classical X25519.

Self-attestation from this server: TLS 1.3 is live and the connection upgrades to the PQ hybrid when the client supports it. The build-time probe in this session used curl 7.81 / OpenSSL 3.0.2, which is below the PQ-capable threshold and therefore reports only classical X25519 — that is an artifact of the probe client, not of the server. Run a modern client to observe the hybrid negotiation directly.

2 · Application key — ML-DSA-65 live

NIST FIPS 204 · Module-Lattice Digital Signature Algorithm · pqcrypto 0.4.0
SHA-256 fingerprint of public key
2992fe6051b860627bf33be529e4303bf8256136953fa948cea7b10f292b81f2
Public key (base64)
Phw46ZPB1RvKP9gZy1jJLQel7uIG3A/MO0ROdvgyXHrh1UHvmNJINMOZJqNUViPU WADcH2NhRAN+gHZOQs+tWJ3f3oNmSz250+8+hkw7yk9Sjq4LL35/zLpRoYbwMu+m 1o4RB/3f0GzuKd4Z/DE4jZq3fQsST73R2905WuqcOvvsmIZiS0c9kgL8teSvd0Sf TIb1veMB3ZV5T99rYT7weNp8s+bSKG9alnwougKJSdsgLqn3imdvaJiDbPSEPhTA 1uhifh4TFMQzvSkiw2MirNDNxxl7VlwQt0zgm3wLc38qQUOVHJ8rI3dhqFPX++CP e0WOpEqHi/3OW0Lq9AE9T+WlqrofrsxgYIreg2zyncVNmemDTnW/8b1A3Auoshls OtZGtu7r/zhMS8w5lHquc62XKbRHn2UtwsUzOD2wTI1/QhzrYRcdKmVjDd35lcL5 9DRTrXawTxJvMPTpa3ZY8QcFWQ9kLzfhFgmTT8vMloeQ6NXdikRfiPWvR51/1kzg Ix9nZZIPm7jFb3QtEEWbTrXV7n40nU5rSArUeMfhNIX6p5nnRgNzs3xac60D4c83 djorR7TMPcjMguj2Dd+7HoMGVML1AY8jUc5dniM4ZjMVbpGRXEHwUm8oivc0BbtV Mx3JB0DAysE+Tr9s3UrgmRxNyLE1rBNj/0ad62HwoecRfTIlZm2Fv+YSHFqFGl3V IGiR1ObLVF8EdGGu+mHfejPWa2AlKffuu+Ux9SEDvNPfrlPYDRKktfTmn/vRPAKG Uhn33WVnvY32Z9eEfUgjN3r37daaNxhIz4Et0zQvc4PuNJTbGs5sZOTcF/jbBtx9 wzKHU14KzuthzkcHKQFShns71ZG3G1lgb7dl1ptT/AsGx/jDa0AXtAp/uRhHJudL z5GsQwRR/1dJv0hmiIbBTjbYa9cHuqTtWDkU2mQhrnEDKkIC8804vXaC0TAiBS+O cszmFDP+tlgiDEd3187M7TiGWs19YNbBMLcbmaoflUl3xFCw8MoiWvZ0M+arBa5M Bx//sUltAv+ZkBFnsC8//2I35wC4NUyG8h3CtJ97jsBkRqyZxkRMwx19C50MbcAP X0JBsxAsGE2ePUM1QOd/xMHeqMNIkplrDGivWmwk+FKs1GHgVd+dJ3Ttsxo/+Lt2 W0BM1KAWES9hHCkSUD3QhVK9HmiQKOa930JDZ7wa7nU6arMDQ0cHSjo7RmHkT+wP 9vCxTUTF1aRn6Exf9Bmjt9v4gKaFtNP39VA1b1UyvS7dKWdbFzDIlhVAiQ28MMXe 2qfklElvEPwtnRkOYiL863pMkDnm1mKDgsGs1deiGVimC1vsoeTS3m0jwkmttMsA JMUYx9MwPKayLW/3MS5JJVGCo7x3/9X83wxGK/3tAK7rSUlMRSPiJuM2sDyrEWtP FRr4aFqH4jrPBxeDu/GV05X4/YyaVgg1p0LhQRBw9X2mwPAcxRsoikLdml8zfkr4 P7vJk2HdU5jg95/qKpRMpQEbmBWVXpNkpOllza6SkkAUvoDaIVRjdIu9Ah+4geDS tFg/MRgVgH6fD6UalRDg+a3qnLqwUnG4iwB5kmgwaT/0BGSmvT5ewAOJvuI5CX1i LGtuv9hpnEmX81GfZ/K/JZYj4tSXmnhA4ntgBfE9JqEAwR3H0sJ/KYLzJzahyl3D uK9DJDc+ETD4/rpULDY7Si44Sib2KKg6JdRoywyE85wT8TTNhP1DxuyUSJXX1vVJ l6dN6xW1AA6eSyFGRTDKMVbyn9E4qOqOAwYQeXwNu6JmokpkeKcueIcLMgWNuE4Z NXymGTNMycDcHFbLbR9R6Zy4y4dRHhjJoUh33T6o8R2HcZirTvKkm0aXi0k2FtHD FPfmKOLNzVGFdfDx/PiFbBKUAwWnWKqmwgxw5pY0kUL5Ad63T9I3j2ILnheuTNdp XjZrEj+ffNtVVkP1iLisf15tEZxvesl5O6PZvHMA1nSi47ugtmMA9OObbGy3HBwv YFugE5CDiP3tXPXOrF48eJump9nxb1L6ZW6IPOX+YkdzgpuoUOxbawG10cZIrGXn hvE3XK1O28LzeIQqoPkgkLW7RWn6/9DdzbMNZuTgsGC3c+d5datrAdyX6JZFfIAx A+2AtE7k74JxyX0Ms7U/yaPV8u318PqsTDP+zrdyUqL5jj0b8OqW5cGCqzpJGeNo BAvetbvVvMMSMehzPwV6+dt8pgjpnZvy2qzttpbucsUmDke7h7qPMBiX9V38Hlre Kecxt6abA3UWdIj1G9cfRbBg7o7rLOWJiJpbEW1/Pkmyw18wVac8cAp7n+m1Driz 2jyjBplb7puPB4JJ7aKftDnSE0r5m4+E9l9IEXOMSYnuTsQ8H/K2ywmrzKORFY6l tkKJFLUJRYprg9peuY9ygK+YPcOynJPHxDtWpYHFe6hlpWkbmedCdfS3tPwk4x38 9s9EflKbPThE38zitxJVe80XvZQ7uqioztcluaPT64c0cxrucxyQVy/VxqkyY/F9 8XTS8jeHQ4KHMcEJKub0AQwKjtSj2+05sbqzNLRo05WPSXj3OatvaKHtSgnvtaBk F92xNa7yhuWElEngRXHlpvmdwp3VBbDUtjzR6ai82mw=

3 · Application key — ML-KEM-768 live

NIST FIPS 203 · Module-Lattice Key Encapsulation Mechanism · pqcrypto 0.4.0
SHA-256 fingerprint of public key
18aa839f406940090c41e2a02441fc410cc89cbfca680cc34e9f64d83b5ed71a
Public key (base64)
LbZrtdNsEQFpkTDORGxv6gEaA7YTOknDvxRz6TJ3A0MKiKyp5+Y6/+wxGfdZMUdW RkfK3MZKP2h04TEYqRl2cTE74ZOdKLRT4HMsYVBQFZg1TgRKXatgqzFOGKK1OWEV qcuGpGF2PBxM9SOTyNya9ha75scnEECfEoEk2PYrKLuzXfA3yNmrvUo80PSXzTxl SYBOWBa1bBaBtTMxeDVOqjh877mHk9khrqMdMCku5Jtde4V2HFFt9ldnJny/OpnN A0eHvAwt4vGRsiISeEUHDFShWOYMOesTsNOUM/wP1CwF1tquohJ2+jRlQ1dnsppy xOySbVPPDNVu/OF1LeG3g1xFyKWQOKmm0BJc9ZG7XEeUkwy1PxQBc+qdAQNDkeNQ SkbAI2PBOsswM4S2DcO7gmdvTQo0pMldoqJIlnkNNoxtm7WtzBiIiffDhSVxwNN3 8/iH/xoLteCJHWeyLSmKabMDrtCUB6Z8NQy0lXWkkaRxhqmta7xW3nQPqnQ9AZq3 IWSleLE/pFEAbWCoRuCtK8efI8ZdYKNQWfWQXFuaIoCuToB1i8ZlU6UP/VuTYoJ8 uuODYhMPTYJLz6h0OScLpChlEfPMRdIu2OKE9SJjqPWLB/vFCwkonYZAV8HPY+xl fXqGoCNwsFNaYeEjxjRAR+Ct5vnBlOcObeCDx8hG/uqSpxfGLBFiLaA22zujJyeI mWteC1Ay7At/jvOU4AYPw4RHnVNJIbMn7IWLCjDPeUzI9oSjvOqXF9lw9VnADlTA oYZJnuxdq+txF8w4XDpeazHMhcYcnEBpyglkbzxqBqInhvghvjWaH3Q5p0W1JwQt ltVybwkoQElg7TidqyBZ7dqwxmQvYKWMnvqofKJEfeUidrNOO7SkEPROciJWJMgY H2BrrxqteJcNJuhxziYKebKPQsEE+0rLHju0jsWquzSc0hQs6SeHPUWIb/rG2AeV YzOYtDe03ip5+0wnMKSktZKhH9NJi4gJe7KMjIQQGDAR8oKKFLjIeXois6HOVFUA 2gSn4hFExaBY7WN4gbYIRfst2rsZwFZplUO3GmqePLrPPVljxPSKLgMkATspUgyy XawcgYJCRBq3yaqDLLyDT4CC5SRBWTSOKShHRrWjyZogI8oKu0YsTEdM7vx7rKN8 i2SXJxA2KhaH75MOPWjFWJxjaYSE2bpcDguVzlIA20LIDAdxcBOpG0lFj/mMLcgB E/lbqeAsQdUDgxCvINcDysG9Quonf+NEt7Rt+VUQSWpuA3mNMOIvI2jDGRiCrypT ETSwxOeiKMm/q1YiEJZ4ofU7vezJHoVL0ohw92h6g2dXYYSHB+ismNqA04In0Lyw 6SPK8jOwdWFtZfY5AVs2lPCu+TJqotR+l+mjOJvEeBQYR4S8/SGAMuOh5tScU4qZ MZRB8NNCAdqewECTUbwH5jCqBOphbLTMpmAavWCqlykQsnAwvBknzNW1A7k8edMJ rqqBPUIe9hY9wXsJoFOb9AGwsYGzXmxPYuiUsORYCqYDCVjEmARGIYg6B/xV5gBz vh4D8G7C5hq4h9HqzzSoEzL9Bu9LiAyBlMx7O92FdQg=

4 · Genesis attestation signed

Canonical JSON below, signed with the ML-DSA-65 private key. Verify by canonicalizing the JSON (sorted keys, no whitespace, UTF-8) and running ML-DSA-65 verify with the public key shown above.
Attestation JSON (the bytes that were signed are this object canonicalized: sorted keys, no whitespace)
{
  "algorithms": {
    "hash": "SHA3-256 / SHA-256 for fingerprints",
    "kem": "ML-KEM-768 (NIST FIPS 203)",
    "signature": "ML-DSA-65 (NIST FIPS 204)"
  },
  "attestation_version": "1.1",
  "canonicalization_rule": "JSON canonicalization: sorted keys, no whitespace, UTF-8; sign the canonical bytes directly",
  "custody": "Genesis private keys held by TOHID NAEEM personally as founder of MNNR LLC; stored on a non-synced local path (C:\ProgramData\mnnr_oursly_pq_keys\) with NTFS ACL restricting read/write to TOHID NAEEM + SYSTEM only. HSM custody migration remains on the roadmap.",
  "issued_at_utc": "2026-06-10T06:37:25+00:00",
  "issuer": {
    "ein": "33-3678186",
    "formation_date": "2025-02-26",
    "founder": "TOHID NAEEM",
    "jurisdiction": "Wyoming, USA (domestic)",
    "legal_entity": "MNNR LLC",
    "principal_place_of_business": "Silicon Hills, California, USA",
    "veteran_status": "Decorated disabled veteran-owned"
  },
  "key_id": "mnnr-genesis-2026-06-09",
  "library": "pqcrypto 0.4.0 (Python)",
  "product": "mnnr.app",
  "public_keys": {
    "ml_dsa_65_b64": "Phw46ZPB1RvKP9gZy1jJLQel7uIG3A/MO0ROdvgyXHrh1UHvmNJINMOZJqNUViPUWADcH2NhRAN+gHZOQs+tWJ3f3oNmSz250+8+hkw7yk9Sjq4LL35/zLpRoYbwMu+m1o4RB/3f0GzuKd4Z/DE4jZq3fQsST73R2905WuqcOvvsmIZiS0c9kgL8teSvd0SfTIb1veMB3ZV5T99rYT7weNp8s+bSKG9alnwougKJSdsgLqn3imdvaJiDbPSEPhTA1uhifh4TFMQzvSkiw2MirNDNxxl7VlwQt0zgm3wLc38qQUOVHJ8rI3dhqFPX++CPe0WOpEqHi/3OW0Lq9AE9T+WlqrofrsxgYIreg2zyncVNmemDTnW/8b1A3AuoshlsOtZGtu7r/zhMS8w5lHquc62XKbRHn2UtwsUzOD2wTI1/QhzrYRcdKmVjDd35lcL59DRTrXawTxJvMPTpa3ZY8QcFWQ9kLzfhFgmTT8vMloeQ6NXdikRfiPWvR51/1kzgIx9nZZIPm7jFb3QtEEWbTrXV7n40nU5rSArUeMfhNIX6p5nnRgNzs3xac60D4c83djorR7TMPcjMguj2Dd+7HoMGVML1AY8jUc5dniM4ZjMVbpGRXEHwUm8oivc0BbtVMx3JB0DAysE+Tr9s3UrgmRxNyLE1rBNj/0ad62HwoecRfTIlZm2Fv+YSHFqFGl3VIGiR1ObLVF8EdGGu+mHfejPWa2AlKffuu+Ux9SEDvNPfrlPYDRKktfTmn/vRPAKGUhn33WVnvY32Z9eEfUgjN3r37daaNxhIz4Et0zQvc4PuNJTbGs5sZOTcF/jbBtx9wzKHU14KzuthzkcHKQFShns71ZG3G1lgb7dl1ptT/AsGx/jDa0AXtAp/uRhHJudLz5GsQwRR/1dJv0hmiIbBTjbYa9cHuqTtWDkU2mQhrnEDKkIC8804vXaC0TAiBS+OcszmFDP+tlgiDEd3187M7TiGWs19YNbBMLcbmaoflUl3xFCw8MoiWvZ0M+arBa5MBx//sUltAv+ZkBFnsC8//2I35wC4NUyG8h3CtJ97jsBkRqyZxkRMwx19C50MbcAPX0JBsxAsGE2ePUM1QOd/xMHeqMNIkplrDGivWmwk+FKs1GHgVd+dJ3Ttsxo/+Lt2W0BM1KAWES9hHCkSUD3QhVK9HmiQKOa930JDZ7wa7nU6arMDQ0cHSjo7RmHkT+wP9vCxTUTF1aRn6Exf9Bmjt9v4gKaFtNP39VA1b1UyvS7dKWdbFzDIlhVAiQ28MMXe2qfklElvEPwtnRkOYiL863pMkDnm1mKDgsGs1deiGVimC1vsoeTS3m0jwkmttMsAJMUYx9MwPKayLW/3MS5JJVGCo7x3/9X83wxGK/3tAK7rSUlMRSPiJuM2sDyrEWtPFRr4aFqH4jrPBxeDu/GV05X4/YyaVgg1p0LhQRBw9X2mwPAcxRsoikLdml8zfkr4P7vJk2HdU5jg95/qKpRMpQEbmBWVXpNkpOllza6SkkAUvoDaIVRjdIu9Ah+4geDStFg/MRgVgH6fD6UalRDg+a3qnLqwUnG4iwB5kmgwaT/0BGSmvT5ewAOJvuI5CX1iLGtuv9hpnEmX81GfZ/K/JZYj4tSXmnhA4ntgBfE9JqEAwR3H0sJ/KYLzJzahyl3DuK9DJDc+ETD4/rpULDY7Si44Sib2KKg6JdRoywyE85wT8TTNhP1DxuyUSJXX1vVJl6dN6xW1AA6eSyFGRTDKMVbyn9E4qOqOAwYQeXwNu6JmokpkeKcueIcLMgWNuE4ZNXymGTNMycDcHFbLbR9R6Zy4y4dRHhjJoUh33T6o8R2HcZirTvKkm0aXi0k2FtHDFPfmKOLNzVGFdfDx/PiFbBKUAwWnWKqmwgxw5pY0kUL5Ad63T9I3j2ILnheuTNdpXjZrEj+ffNtVVkP1iLisf15tEZxvesl5O6PZvHMA1nSi47ugtmMA9OObbGy3HBwvYFugE5CDiP3tXPXOrF48eJump9nxb1L6ZW6IPOX+YkdzgpuoUOxbawG10cZIrGXnhvE3XK1O28LzeIQqoPkgkLW7RWn6/9DdzbMNZuTgsGC3c+d5datrAdyX6JZFfIAxA+2AtE7k74JxyX0Ms7U/yaPV8u318PqsTDP+zrdyUqL5jj0b8OqW5cGCqzpJGeNoBAvetbvVvMMSMehzPwV6+dt8pgjpnZvy2qzttpbucsUmDke7h7qPMBiX9V38HlreKecxt6abA3UWdIj1G9cfRbBg7o7rLOWJiJpbEW1/Pkmyw18wVac8cAp7n+m1Driz2jyjBplb7puPB4JJ7aKftDnSE0r5m4+E9l9IEXOMSYnuTsQ8H/K2ywmrzKORFY6ltkKJFLUJRYprg9peuY9ygK+YPcOynJPHxDtWpYHFe6hlpWkbmedCdfS3tPwk4x389s9EflKbPThE38zitxJVe80XvZQ7uqioztcluaPT64c0cxrucxyQVy/VxqkyY/F98XTS8jeHQ4KHMcEJKub0AQwKjtSj2+05sbqzNLRo05WPSXj3OatvaKHtSgnvtaBkF92xNa7yhuWElEngRXHlpvmdwp3VBbDUtjzR6ai82mw=",
    "ml_dsa_65_sha256": "2992fe6051b860627bf33be529e4303bf8256136953fa948cea7b10f292b81f2",
    "ml_kem_768_b64": "LbZrtdNsEQFpkTDORGxv6gEaA7YTOknDvxRz6TJ3A0MKiKyp5+Y6/+wxGfdZMUdWRkfK3MZKP2h04TEYqRl2cTE74ZOdKLRT4HMsYVBQFZg1TgRKXatgqzFOGKK1OWEVqcuGpGF2PBxM9SOTyNya9ha75scnEECfEoEk2PYrKLuzXfA3yNmrvUo80PSXzTxlSYBOWBa1bBaBtTMxeDVOqjh877mHk9khrqMdMCku5Jtde4V2HFFt9ldnJny/OpnNA0eHvAwt4vGRsiISeEUHDFShWOYMOesTsNOUM/wP1CwF1tquohJ2+jRlQ1dnsppyxOySbVPPDNVu/OF1LeG3g1xFyKWQOKmm0BJc9ZG7XEeUkwy1PxQBc+qdAQNDkeNQSkbAI2PBOsswM4S2DcO7gmdvTQo0pMldoqJIlnkNNoxtm7WtzBiIiffDhSVxwNN38/iH/xoLteCJHWeyLSmKabMDrtCUB6Z8NQy0lXWkkaRxhqmta7xW3nQPqnQ9AZq3IWSleLE/pFEAbWCoRuCtK8efI8ZdYKNQWfWQXFuaIoCuToB1i8ZlU6UP/VuTYoJ8uuODYhMPTYJLz6h0OScLpChlEfPMRdIu2OKE9SJjqPWLB/vFCwkonYZAV8HPY+xlfXqGoCNwsFNaYeEjxjRAR+Ct5vnBlOcObeCDx8hG/uqSpxfGLBFiLaA22zujJyeImWteC1Ay7At/jvOU4AYPw4RHnVNJIbMn7IWLCjDPeUzI9oSjvOqXF9lw9VnADlTAoYZJnuxdq+txF8w4XDpeazHMhcYcnEBpyglkbzxqBqInhvghvjWaH3Q5p0W1JwQtltVybwkoQElg7TidqyBZ7dqwxmQvYKWMnvqofKJEfeUidrNOO7SkEPROciJWJMgYH2BrrxqteJcNJuhxziYKebKPQsEE+0rLHju0jsWquzSc0hQs6SeHPUWIb/rG2AeVYzOYtDe03ip5+0wnMKSktZKhH9NJi4gJe7KMjIQQGDAR8oKKFLjIeXois6HOVFUA2gSn4hFExaBY7WN4gbYIRfst2rsZwFZplUO3GmqePLrPPVljxPSKLgMkATspUgyyXawcgYJCRBq3yaqDLLyDT4CC5SRBWTSOKShHRrWjyZogI8oKu0YsTEdM7vx7rKN8i2SXJxA2KhaH75MOPWjFWJxjaYSE2bpcDguVzlIA20LIDAdxcBOpG0lFj/mMLcgBE/lbqeAsQdUDgxCvINcDysG9Quonf+NEt7Rt+VUQSWpuA3mNMOIvI2jDGRiCrypTETSwxOeiKMm/q1YiEJZ4ofU7vezJHoVL0ohw92h6g2dXYYSHB+ismNqA04In0Lyw6SPK8jOwdWFtZfY5AVs2lPCu+TJqotR+l+mjOJvEeBQYR4S8/SGAMuOh5tScU4qZMZRB8NNCAdqewECTUbwH5jCqBOphbLTMpmAavWCqlykQsnAwvBknzNW1A7k8edMJrqqBPUIe9hY9wXsJoFOb9AGwsYGzXmxPYuiUsORYCqYDCVjEmARGIYg6B/xV5gBzvh4D8G7C5hq4h9HqzzSoEzL9Bu9LiAyBlMx7O92FdQg=",
    "ml_kem_768_sha256": "18aa839f406940090c41e2a02441fc410cc89cbfca680cc34e9f64d83b5ed71a"
  },
  "purpose": "Governance-layer policy verdicts, key exchange for governance API, audit-log streaming.",
  "rotation": {
    "deprecated_artifacts_preserved_at": "/crypto/mnnr_mldsa65_public.key_DEPRECATED_20260608.* and /crypto/mnnr_mlkem768_public.key_DEPRECATED_20260608.* (audit-trail preservation; verifiers may still reproduce the prior fingerprints from these files to confirm the rotation).",
    "deprecated_fingerprints": {
      "ml_dsa_65_sha256": "4ecb7ee3894447d96e11b732c559851e1073c926a248ed1df13f1fdc8722cde9",
      "ml_kem_768_sha256": "e5fbccc68b4f7464187f98fea47571808e1edf9c3979ba3004f2dc75380e60fa"
    },
    "rotated_on_utc": "2026-06-10T06:37:25+00:00",
    "rotation_reason": "The initial 2026-06-08 genesis keys were generated into a cloud-synced OneDrive folder, creating a custody mismatch: the root-of-trust private keys were exposed to Microsoft OneDrive cloud storage rather than held exclusively on a local non-synced path. Treating the 2026-06-08 keys as compromised and rotating to fresh keypairs.",
    "supersedes_key_id": "mnnr-genesis-2026-06-08"
  },
  "scope_live_tonight": [
    "Public ML-KEM-768 key published with SHA-256 fingerprint",
    "Public ML-DSA-65 key published with SHA-256 fingerprint",
    "This genesis attestation, signed with the ML-DSA-65 private key",
    "TLS edge: Cloudflare X25519MLKEM768 hybrid (per Cloudflare default for Pages)"
  ],
  "scope_roadmap_not_live_tonight": [
    "ML-DSA-signed policy verdict bus (Q3 2026)",
    "ML-KEM-768 key-wrapped policy delivery (Q3 2026)",
    "PQ-attested audit log streaming for BaFin / federal procurement (Q3 2026)"
  ]
}
ML-DSA-65 signature (base64)
+v09xIBQKURQV9a/ybYP0fhrzV0nvO7QNlvrobcp2h06y/tcKmTokW4xwwtlzJHj 4fIYJlBZAbLEe4FysIvD3WweQPpqm9iM/4oLBCDjnAXPfaC58qXpc9/jPegM9DK0 N6fJw5L8G5spBWQs9DKhHVLoM/vcyZ2fdMTMqMoB7bfXJXnzXrhAMxuMjeUW0JWM hOVq3IRQJpZLSfEZKCPz7hL4UArAywpA+GE5X1BIRd8SttXp5Hj1/YNR+tntYGWn icZJMBLtE6sYEsTucixaI3chEEi33C8hKzmm0uhPysNCsIEcC3ocNQN2xXb8pKMW WBphXJFvNMs58zuwKvAmxqM8sDZdo5cdsVa1RVD89i7cyCbo6uMRCKtkMsz8Iic0 qXf7dCTZQBQgBh8vkUjbN+wgifX7wY4LBAW4BtNeQzQQvWbCjt+xxVDhu/9fzNFy 00M5ouKO5q1D4Ss4NJRntLZh5sXduX9oK9YzjjmpFzt26RzkiCobYhFvCZJdsoSB QUmSGH5l5pmKbrrC0S3sGaEjvr+t55HsNr6LsCqfDEHlPK8WLAA62FhMKT+jynly 4ur6KLA7kOizhxfwKJ1RcAzp6h5n9DYkSdEiY2sIcbdLx3jS3DfDKEVoKo/V+fZ0 8k3rDxvMH2GzV51vM3z4y4TPTZJCVv+p/GuggBOEw7Ixn79kxz4YhEqsEB1MlD29 vsaTpSdoOmnwQ3fala7Vmrd0dTAGRKl62pF/1ALmjOVqkCYCkkGyK8+ou8njjaHv UQQ4KyHywg59ObNsvEA4SgIGnDXdiNoer1fCQ984geTVLUkElQZrzSNK8ZtWohKh TwA8OJUvXRVZm0/CqNKFQgaH7EhKmBTzTW1qtjlYV4gTrAlV6fOCYh3h0ucnYt1C wTmNPYUHjlcy40Wb9fVSA5Ql04QFRXLSs/Z4g3f3f1XqW9Mq+aeBgBVFvOhbW9Mq F19BMRtZ9x2BD/jAYA9Io5iYQhbSekLig20eC79f5o9GDaf16cE2vTwpZigSO9yB NvDcy+enn66jwf/hQNzZToB09IHyAxRFFr0C1XConNcmDB2qKloXQ9YRyqFi/nsn 4vwMHp5O0ZXXbvP8inAIPutcr3R53BI8+8dVC2Q1JUa9iCpoHwVuumZquX732ok8 8Tshx8w83x6zcio92TfXC3r6vOURJpVSrAjSc1gSIFxDaW9+uzPEJMKeFGHuqGJ3 fypbDS+WBaNJ13OTTJ5LbPLVzUJ8Y/ivdcrjIynAW/OlLtJe0eMbkTvB6TLTK3nq 1aYclQXdX50bp0tQntzzdyWZiXACSBEAcFPcunSnulJsl2K7StW2YgmBTgkBozhc UQsg4EuF7XVxLAAwH7dOCQxK3WhP6QApHz/AeTCPs8qAajNhTQqaXq58R6ntJ7By 6RmM0y3Udlxh4hm2mK1I3ijgGfdeLlrCDde924UjtUJ5XMrEWFXT+mmTOCp+TrBT UnsQxq1tMOTtfhQMqb/3sThkSWVYKc3uN7iT9kpg54W5yaO5JzgFSI7TIwKtwu56 TRvKQir2/hSslEfCWeaKFULUcLNqp2VuJ8DmMBiOTgpFWL1Qy1e9GYVhbFLgp6nY HxOYc0Se0qF/UaChD4P60FP6zpVqDQWwBgo0tSfHDC/GRaLuxniowYuoz5O0VoEd FQemeFVCISedMQDmOyF39jShnr4Ro7kY+5cyIstq0TqMJNCUJSxFbMNkjnJjzAiW UPAiSZQXJd0KAHda3i1pe8oBwzIyLFDni9T4Jh8sO3+X1GfqcxXzlFrVnWb5xMz0 gy1WQlvwdH5NDHx8SsykcIYtWA3OK5DqmY9VH/MXltUFsnzGAn/+Q1WNOMTFFUG0 TQj83oZ43mk2827d7pD3LWfoV2gK/H+D+LSGPwUenB+0W9ZfF48qxjHORwVpOskY h/uiMqo6EkTfaQIeEU3IOpen4UJNrltCfwzFHNyu0K4VSI118fzGKukwIopLvHPm MslaxI85xUIw2WQqF7QZ/fgPVihehfAnLByQ2KHm7vXMEK37ow3dQCEHpzVrbiOT j8E1y1MZge+N3l9LHKO7+nksmudkLkK+8Ca8gtdRyXuj+DDY9/oW9z8fFzIDGs1V 2K2gdaV3CXOemHQGaAf+UkfwowivbE6wD0I+YPfOBTk4SNIiYeT1zZ7NVGk9Gths /EGMTeIvs+SMDNgEzKN4SylR6p+9WwwAT+PspPGN2Pqi8HkNdSnDDJaSNFuG5xL9 XTyBqH6E4Xp8poF52Pq3rDEgP7GVKSpTzdLbyvhT4KegzEJD9ZrdmC3g78Xw9Q6c 61VithtAnjNr6d51yEZMyQ7Q+0toN9YVZbMk2H505RNe+XFJABvw899GyKO/Slp3 5KpOqa6/DAFjykqjIH7L8FwnYpSTNMAOYlaZjb6LUAYnjgyBnWouRXPYq+45VHNF MumNqx44A/2U3Qq040rHTOKB3XKi+ZOx7FnhELbdc+jHFXO1cA83yNZEBLa5TDCL ltIz4sz9tSH25bJ6lEg5H1msoQFRBOzyybY/3sjthit5uXqMhRBApeKKm5APMUZE YIe5EJjbsEZH/bohtHPv3GQyrOl4Nl6OCi6YaOBV9gxtje7fAoHhYr2ycXOASrtq eZZ4FCabctqtawbYtmNudUbiq3nWDH0WlQygmVnk/xZYDVz5Pi011BgvYfRs8Q/f BmC2vc8/cSc1dtwBwP/xHCi7SBZrisc/2NsdP76Li9JTrs3DqH1/8sy3Vd0rCqCt 3f9GjJUf/iP3fhOIAlKUriDzh4VkbfXJHcjvjLG/VA3WaVW523Rzs4UMZ/Cka5u0 EmOM7QP4ewWqiBpGDtVuQLWfYlCM/f9ZHXN8pMlQZ6hBmdpgek7E6Higr2dogIAy mCC0/QCE8NTz7ElxKxsS+zbGxJDRlj2QtG3jJHdipcT9WaKuofVFV0Cw0SkW3iMj /6GO//Qjw1JusnlcG8t86OnhS0nYjQaQhAJUD7fVUNcEJE8btEn7T4g2Vi1j9kT1 xUnccACgJTsP+FbniTS4swDT5MVIPFBBl1QvzRpvvYEXdVGxAYrnNyuhz3+JNHLz GZET6a91/PqUSgYm4+pRA9ip/od4ToQ+Eq/B1iru+KpVgXzVUS6tK99kjNsk34Q6 35SBOqHBlJ1CEg4OaVNRNFJjFANgbLwEHITnjHAN7ds8M0g+i2WB0iIVQwFhqcTH d2EOaiHsbmF6ep2rH/iQaCMH/c6O01sgytU0wTcoTp2E/NF4ei1rnG/WM7PIZj6J KZb+ar6XrzSzcx6bc0qe1xbBJHcZyCJ7qOl0+XNe/XNxaqupbaorVk8dOnmUVfTU UVyyACHMwewlEemZL/UMESlJ8z5JQ4PtJ01Pt5sFvjs7poXV/lDy9nPs5f8UMfz2 KSsmW95ZbL5LzctT5GPsxqq0aGn6fW6cqDo3mHLit6WKkRU92slkH10N6NplrDNO h8ile4ckRVTwia74Wnc83/QxVSyQNLCc068olFOyJ2tbcFllGsb4quNBkiAz0QCA X0qHZm4Ph7Qc70kmd6ffCZSva3/VZ02xDgR+a/hsZZDh6lS0qZ1QQApXQOEqmLV6 rEEOYo/JcytMn8Zplx9hNreZRG/2k0DSvcVldRo64G+yWwkJI9/r9HwRYXdVs9Fh vHNy2iLHBH6wIKz69xOGYIva57Ka+4GE/f6WC+1TnjMQIEvuYXJhcVDl+fxLjW+A O1RQ9WUGZuuB+XEYkAog61FNYoAUECOYPZunFyIgLhWBRprnbQXhbQFgrCVUGHSm r3w4AJs2G12nrPhveIbze0v50mfj7c8W2h2XvW6NphHoe5OBPvDgPSlzFNfaNJWu 4/pDtPMasyT23PeLTLIapMjmK3HVgY47wIsfCnE+aoyIo635tmVKRdE1SMky/15t kgQ+PwnyrKqDgTAyh600Pl8K50x2gMfGSAHPDH1/TXMF0LgDJGGWXOP+BZdeym6y +rCUAhdoLiPmwk7i5NfhUcYECiGCmwOjhQJAaaL9uFB7m8oN9ZIPx0AWZpF8dGC6 TiGWwPArgIM/7++n9df/Aqu7IaEaOsijkFMzRuKjXIiFphn1/mb/UlCjfnKszKjq EccuzdF2pdUCYfDYb47BPe7gbpRx4j8HpHkmi9ABpQybBAo/9UHTBGWFKFMyCm29 T8eLKXYSWIOh1WWrJGSb46zZqDUEEq/6PjIuDsqIfOEl80oaXmOgoXnXUO9x7YGl DdcdxCSNccj6BuEWeJt9a5z1VmL3jOWeThgcaGlVSW3raTxT2Bkp/0UKsR2KncLR fZFisRCYgh04NB724Swfrcs2nFoOKVwLg67ZecX67gaAq6zU1djp/BEiMEVKie3+ ATU8WmaFk5aaw8z3/VRjZHWZodTyDRxCqq/M6/sGFj6uAAAAAAAACBAdJS0x

Verify it yourself

Three reproducible recipes. All three operate on the public artifacts above; none of them require trusting this page.

Recipe 1 — Python (cross-platform · verified end-to-end 2026-06-16)

Tested on Windows 11 + Python 3.14 the night this page shipped. Identical recipe works on macOS + Linux. Returns mnnr genesis attestation: VERIFIED in under 10 seconds.

Step 1 — install the library (all platforms):
pip install pqcrypto
Step 2a — Windows PowerShell (one paste, runs immediately):
@'
import base64, json, urllib.request
from pqcrypto.sign import ml_dsa_65

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
def fetch(url):
    req = urllib.request.Request(url, headers={"User-Agent": UA})
    return urllib.request.urlopen(req).read()

attest = json.loads(fetch("https://mnnr.app/crypto/mnnr_genesis_attestation.canonical.json"))
canon  = json.dumps(attest, sort_keys=True, separators=(",", ":")).encode()
pk     = base64.b64decode(fetch("https://mnnr.app/crypto/mnnr_mldsa65_public.key.b64.txt"))
sig    = base64.b64decode(fetch("https://mnnr.app/crypto/mnnr_genesis_attestation.sig.b64"))

ml_dsa_65.verify(pk, canon, sig)
print("mnnr genesis attestation: VERIFIED")
'@ | Out-File -Encoding utf8 "$env:TEMP\verify_mnnr.py"; py "$env:TEMP\verify_mnnr.py"
Step 2b — macOS / Linux bash:
python3 - <<'PY'
import base64, json, urllib.request
from pqcrypto.sign import ml_dsa_65

UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
def fetch(url):
    req = urllib.request.Request(url, headers={"User-Agent": UA})
    return urllib.request.urlopen(req).read()

attest = json.loads(fetch("https://mnnr.app/crypto/mnnr_genesis_attestation.canonical.json"))
canon  = json.dumps(attest, sort_keys=True, separators=(",", ":")).encode()
pk     = base64.b64decode(fetch("https://mnnr.app/crypto/mnnr_mldsa65_public.key.b64.txt"))
sig    = base64.b64decode(fetch("https://mnnr.app/crypto/mnnr_genesis_attestation.sig.b64"))

ml_dsa_65.verify(pk, canon, sig)
print("mnnr genesis attestation: VERIFIED")
PY

Expected output (success): mnnr genesis attestation: VERIFIED
Expected output (tampered / wrong key): pqcrypto.sign.ml_dsa_65.VerificationError

Library version pin: pqcrypto 0.4.0. Other liboqs / PQClean bindings expose the same FIPS-204 primitives under different module names. The User-Agent header is required because Cloudflare’s WAF blocks the default Python-urllib/3.x identifier on this origin — a browser-like UA is the simplest workaround.

Recipe 2 — Fingerprint check (no PQ library required)

# confirm the published ML-DSA-65 public key matches the fingerprint
curl -sS https://mnnr.app/crypto/mnnr_mldsa65_public.key | sha256sum
# expected: 2992fe6051b860627bf33be529e4303bf8256136953fa948cea7b10f292b81f2

# confirm the ML-KEM-768 public key matches the fingerprint
curl -sS https://mnnr.app/crypto/mnnr_mlkem768_public.key | sha256sum
# expected: 18aa839f406940090c41e2a02441fc410cc89cbfca680cc34e9f64d83b5ed71a

If either fingerprint diverges from the value above, the keys have been rotated or tampered with — verify against the canonical genesis attestation before trusting the new value.

Recipe 3 — TLS hybrid probe (modern client required)

# curl 8.10+ with a recent OpenSSL/wolfSSL/BoringSSL build, or use Chrome 124+
curl --verbose --tls13-ciphers TLS_AES_256_GCM_SHA384 https://mnnr.app 2>&1 \
  | grep -iE "named_group|key_share|MLKEM"

In Chrome: chrome://flags#enable-tls13-kyber must be Enabled (default true since 124). Inspect a request in DevTools → Security → Connection — look for "X25519MLKEM768" in the key exchange.

What is roadmap — not live tonight Q3 2026

The bullets below are deliberately not on the "live" list above. The mnnr.app marketing pages will not claim them as live until the artifacts are publishable here and verifiable by a third party.

Application-layer integrations (Q3 2026 target)

Why this matters

Q-day is a moving target — but harvest-now-decrypt-later is happening today. An adversary recording your TLS traffic and your audit-log payloads in 2026 only needs to decrypt them in 2035 to extract the same value. Migrating to a quantum-safe key exchange now closes the window retroactively for traffic that, by then, has been retired from memory but not from intercept logs.

CNSA 2.0 sets the federal trajectory. The NSA's Commercial National Security Algorithm Suite 2.0 mandates ML-KEM and ML-DSA across new National Security Systems, with first deadlines as early as 2025 for new development and full migration by 2030–2033. Federal procurement that touches NSS will inherit those deadlines through the contract chain.

Audit-log unforgeability has a ten-year horizon. Bank-grade audit logs need to be cryptographically verifiable for the full statutory retention window. The audit trail you sign in 2026 must still be unforgeable in 2035. Signing on classical RSA / ECDSA today is the premature decision.

Trust anchor

MNNR LLC

Wyoming domestic LLC · EIN 33-3678186 · formed 2025-02-26.

Founder: TOHID NAEEM. Principal place of business: Silicon Hills, California.

Genesis key custody: The four private keys backing the published public keys are held by TOHID NAEEM personally as founder of MNNR LLC. HSM-custody migration is on the roadmap; the rotation plan will be published on this page under a versioned anchor (a supersession note) at the moment of cutover.

Library used to generate the genesis keys: pqcrypto 0.4.0 (Python). ML-KEM-768 is implemented per NIST FIPS 203; ML-DSA-65 per NIST FIPS 204. Canonical JSON for the attestation: sorted keys, no whitespace, UTF-8.

Decorated disabled veteran-owned