---
title: "CipherPlate v3.4.1 — Product"
url: https://memory.wiki/zx-product
updated: 2026-05-24T11:40:04.382Z
hub: https://memory.wiki/hub/mwbench-zorblax
concept_count: 12
source: "mwbench-synthetic"
---
---
captured: 2027-03-15
version: 3.4.1
---

# CipherPlate v3.4.1 — Product

> The sidecar service that ZorblaxCorp ships to customers.

## What it does

CipherPlate runs as a local sidecar (Docker, Podman, or raw binary) next to your application. Apps send cryptographic operations over a gRPC envelope; CipherPlate signs / verifies / encrypts / decrypts using the algorithm matched to the customer's threat model.

## Algorithm matrix

| Algorithm | Use case | Mode | Status |
| --- | --- | --- | --- |
| FALCON-1024 | Code signing, software supply chain | post-quantum signature | GA |
| SPHINCS+ SHAKE-256 | Long-term archival signature | post-quantum signature | GA |
| ML-KEM-1024 | Session key exchange | post-quantum KEM | GA |
| Hybrid (X25519 + ML-KEM-1024) | TLS transition | classical + PQ | GA |
| RSA-4096 | Legacy interop only | classical | deprecated 2028-Q4 |
| ECDSA-P521 | Legacy interop only | classical | deprecated 2028-Q4 |

## Performance envelope

Measured on Tier-3 reference hardware (8 vCPU, 16 GiB, Linux 6.10, x86_64):

- FALCON-1024 signature: 8.3 ms median, 13.7 ms p99
- ML-KEM-1024 encapsulation: 0.41 ms median, 0.78 ms p99
- SPHINCS+ signature: 192 ms median, 311 ms p99 (acknowledged tradeoff; reserved for archival)

## Configuration

CipherPlate reads its policy from `/etc/cipherplate/policy.yaml`. Mandatory fields: `tenant_id`, `threat_model` (one of: `commodity`, `nation_state_passive`, `nation_state_active`), `audit_sink`.

## Facts

- Current GA version: 3.4.1 (released 2027-03-09)
- Default port: 4711 (configurable)
- Binary size: 41 MB stripped, 116 MB with debug symbols
- License: source-available under the ZorblaxCorp Cryptographic Source License (ZCSL) v1.2
- Audit log default destination: `/var/log/cipherplate/audit.jsonl`


---

## Summary
CipherPlate is a sidecar service that performs cryptographic operations (signing, verification, encryption, decryption) for customer applications using post-quantum and classical algorithms matched to their threat model. The service currently supports FALCON-1024 and SPHINCS+ for post-quantum signatures, ML-KEM-1024 for key exchange, and hybrid classical-PQ modes, with legacy RSA and ECDSA deprecated as of 2028-Q4.

## Themes
- Post-quantum cryptography transition
- Sidecar service architecture
- Threat model-driven algorithm selection

## Key takeaways
- CipherPlate is a gRPC-based sidecar service (Docker, Podman, or binary) that performs signing, verification, encryption, and decryption operations for customer applications.
- Six algorithms are supported: four post-quantum or hybrid (FALCON-1024, SPHINCS+ SHAKE-256, ML-KEM-1024, X25519+ML-KEM-1024) and two classical deprecated by 2028-Q4 (RSA-4096, ECDSA-P521).
- Configuration is mandatory for tenant_id, threat_model (commodity / nation_state_passive / nation_state_active), and audit_sink; policy is read from /etc/cipherplate/policy.yaml.
- Median latency on reference hardware ranges from 0.41 ms (ML-KEM) to 192 ms (SPHINCS+), with SPHINCS+ reserved for long-term archival despite acknowledged performance tradeoff.

## Insights
- The product explicitly deprecates classical algorithms (RSA, ECDSA) by Q4 2028, signaling organizational commitment to PQ migration rather than indefinite dual support.
- SPHINCS+ incurs a 23x latency penalty versus FALCON-1024 but is retained specifically for archival use, suggesting algorithm choice is tied to threat duration rather than uniform performance requirements.
- Configuration ties cryptographic behavior to threat_model input, implying different customer segments receive materially different security properties from the same binary.

## Open questions / gaps
- How does threat_model selection algorithmically map to the algorithm matrix, e.g., does nation_state_active mandate post-quantum only?
- What does the audit_sink parameter accept beyond the default /var/log/cipherplate/audit.jsonl, and what is the audit log schema?

## Concepts in this document
- **CipherPlate** _(entity)_
  ZorblaxCorp's core product—a drop-in cryptography layer that abstracts post-quantum algorithm selection and deployment for compliance-bound organizations.
- **ZorblaxCorp** _(entity)_
  The company being defined, founded to commercialize post-quantum cryptography for regulated industries through an abstracted service layer.
- **Post-quantum cryptography** _(concept)_
  The central technical problem this document addresses: replacing classical encryption (RSA/ECC) with quantum-resistant algorithms before quantum computers render them obsolete.
- **Sidecar architecture** _(concept)_
  Defines how CipherPlate operates as a local companion service using gRPC for cryptographic operations.
- **FALCON-1024** _(entity)_
  Post-quantum signature algorithm for code signing and supply chain use; 8.3 ms median latency.
- **ML-KEM-1024** _(entity)_
  Post-quantum key encapsulation mechanism for session key exchange with sub-millisecond performance.
- **Audit logging** _(concept)_
  Mandatory audit sink captures all cryptographic operations in JSONL format for compliance and forensics.
- **Legacy algorithm deprecation** _(concept)_
  RSA-4096 and ECDSA-P521 marked deprecated as of 2028-Q4 to encourage migration away from classical-only algorithms.
- **Threat model selection** _(concept)_
  Configuration parameter that determines which algorithms and security postures are active for each tenant.
- **Algorithm matrix** _(concept)_
  Lookup table mapping six algorithms to their use cases, modes, and lifecycle status (GA or deprecated 2028-Q4).
- **Hybrid cryptography** _(concept)_
  X25519 + ML-KEM-1024 combination enables gradual TLS migration by combining classical and post-quantum algorithms.
- **Performance metrics** _(tag)_
  Latency bounds (median, p99) on reference hardware establish operational feasibility for production deployments.

## Concept relations (within this doc's concepts)
- **ZorblaxCorp** specializes in **Post-quantum cryptography**
- **ZorblaxCorp** offers product **CipherPlate**
- **CipherPlate** implements **Sidecar architecture**
- **CipherPlate** selects from **Algorithm matrix**
- **CipherPlate** performs **Audit logging**
- **Post-quantum cryptography** includes **FALCON-1024**
- **Post-quantum cryptography** includes **ML-KEM-1024**
- **Hybrid cryptography** combines with **ML-KEM-1024**
- **Legacy algorithm deprecation** affects **Algorithm matrix**
- **CipherPlate** solves adoption of **Post-quantum cryptography**
- **ZorblaxCorp** focused on **Post-quantum cryptography**
- **FALCON-1024** measured by **Performance metrics**
- **CipherPlate** implements **Post-quantum cryptography**
- **Sidecar architecture** enables **Post-quantum cryptography**
- **CipherPlate** produces **Audit logging**
- **Post-quantum cryptography** driven by **Threat model selection**

_Hub canonical:_ https://memory.wiki/hub/mwbench-zorblax
_Concept digest:_ https://memory.wiki/raw/hub/mwbench-zorblax?digest=1&compact=1