Quantum-Safe Embedded Systems

Post-quantum on the MCU. Below the OS line.

Project Hierophant runs natively on microcontrollers — OS-free, bare-metal post-quantum cryptography for industrial IoT, sovereign edge devices, and sensor networks with anonymous OTA firmware updates that reveal nothing about the fleet.

[Figure: IoT mesh · PQ gateway · anonymous OTA. Nodes 06/06 verified · fleet metadata: nil. Panel labels: Quantum horizon (classical crypto: broken; PQ protected · Kyber-1024 safe; QBIT threat zone). IoT mesh audit log (device IDs emitted: nil; fleet size visible: nil; internet hops: 0; non-IP · PQ embedded).]

Our Position

The attack surface of a sovereign network is defined by its smallest device.

Every sovereign communications stack eventually terminates at an edge device — a sensor, a controller, a gateway. If that device runs conventional cryptography on a standard operating system with a commercial update mechanism, it is the weakest point in the sovereign chain. A post-quantum-encrypted state channel is only as quantum-safe as the MCU that generates the session keys. An OS-free secure gateway is only as tamper-resistant as the firmware update process that can silently replace it. Hierophant extends the sovereign protocol layer all the way to the microcontroller: bare-metal MCU runtime with no OS attack surface, native post-quantum key generation, non-IP mesh integration, and anonymous OTA firmware distribution that reveals nothing about which devices exist or what versions they run.

Threat Model

Five threats at the edge and MCU layer.

These five vulnerabilities define the edge device threat model for sovereign and critical infrastructure IoT — the attack surface that conventional IoT security products do not address at the cryptographic protocol layer.

01

IoT Device Compromise via OS Vulnerability

OS CVE · Remote Code Execution · Firmware Backdoor

Most IoT and embedded devices run lightweight versions of Linux or RTOS variants with publicly documented vulnerability histories. An adversary exploiting an OS-layer CVE on an industrial IoT gateway gains full control of the device, its cryptographic keys, and all communications it handles. An OS-free device running bare-metal protocol firmware has no OS vulnerability class — there is no operating system to exploit, no kernel to privilege-escalate through, and no shell to drop into.

02

Firmware Downgrade Attack

Firmware · Version Rollback · Downgrade

An adversary who can reach the firmware update mechanism of an embedded device can force a rollback to a version with known vulnerabilities — even if the device has been fully patched. Firmware downgrade attacks are documented against industrial PLCs, smart meters, and gateway devices. A cryptographically authenticated update chain with version floor enforcement prevents rollback regardless of adversary network access to the update channel.

03

Fleet Mapping via OTA Monitoring

OTA Traffic · Fleet Enumeration · Reconnaissance

Conventional firmware update systems connect devices to update servers in a way that reveals fleet composition to any observer monitoring the update traffic — device count, model types, geographic distribution, and current version status. Adversaries monitoring OTA update events can enumerate critical infrastructure IoT fleets, identify vulnerable devices by version, and locate them geographically before an attack. The update event is a reconnaissance opportunity.

04

Harvest-Now-Decrypt-Later on Sensor Data

HNDL · Quantum · Sensor Intelligence

Industrial sensor data — power grid load patterns, water treatment parameters, pipeline pressure readings, environmental monitoring — reveals operational patterns with intelligence value over extended time horizons. Adversaries are archiving this sensor telemetry today for retroactive quantum decryption. Post-quantum protection on sensor data is not a future consideration — the archive is being built now, and the sensitivity window for infrastructure operational patterns extends decades.

05

Supply Chain Implants in MCU Silicon

Foreign Silicon · Hardware Implant · Trust Chain

Microcontrollers and embedded processors sourced from foreign supply chains may contain silicon-level implants that operate below the firmware layer — beyond the reach of any software security audit or firmware verification mechanism. An implanted MCU can extract cryptographic keys, suppress tamper detection, or provide a covert channel regardless of what software runs on top of it. Sovereign supply chain hardware is the only answer at the silicon level.
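
For threat 02 above (firmware downgrade), the following added example, which is not Hierophant code, sketches version floor enforcement in C. All type and function names are hypothetical, and signature verification is assumed to happen in the caller, with its result passed in as sig_valid.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names throughout; the manifest signature is assumed to be
 * verified by the caller, which passes the result in as sig_valid. */
typedef enum { OTA_ACCEPT, OTA_REJECT_SIG, OTA_REJECT_ROLLBACK } ota_result;

typedef struct {
    uint32_t version;    /* version of the offered image */
    uint32_t new_floor;  /* floor the signer wants enforced after install */
} ota_manifest;

typedef struct {
    uint32_t floor;      /* stands in for a one-way (fuse/OTP) counter */
    uint32_t running;    /* version currently booted */
} ota_state;

/* One-way update: the stored floor can rise but never fall. */
static void floor_raise(ota_state *s, uint32_t candidate)
{
    if (candidate > s->floor)
        s->floor = candidate;
}

/* Decide whether an offered image may be installed. The signature result is
 * checked first so unauthenticated version fields are never acted on. A
 * validly signed but old image is still refused once the floor has passed it. */
ota_result ota_check(const ota_state *s, const ota_manifest *m, bool sig_valid)
{
    if (!sig_valid)
        return OTA_REJECT_SIG;
    if (m->version < s->floor)
        return OTA_REJECT_ROLLBACK;
    return OTA_ACCEPT;
}

/* Call only after the new image has booted and passed its self-test. The
 * requested floor is clamped to the image's own version so a manifest
 * cannot set a floor that locks out the image that carries it. */
void ota_commit(ota_state *s, const ota_manifest *m)
{
    uint32_t f = m->new_floor < m->version ? m->new_floor : m->version;
    s->running = m->version;
    floor_raise(s, f);
}
```

Raising the floor only at commit time, not at download time, keeps a failed or interrupted update from stranding the device above its last working image.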

Capability Stack

Eight layers. Every device.

Hierophant quantum-safe embedded is the MCU SDK and reference hardware that extends the sovereign protocol stack to the smallest device in the network — from gateway to sensor to actuator.

01

MCU-Native ZK Protocol

The Hierophant ZK protocol runs natively on microcontrollers with as little as 64KB of RAM. No operating system required. No protocol stack abstraction layer. The ZK proof generation, key agreement, and message authentication run directly on the MCU in a minimal firmware footprint designed for resource-constrained embedded environments.

MCU SDK · 64KB RAM · No OS Required
02

Post-Quantum MCU Encryption

NIST post-quantum cryptography optimized for constrained MCU environments — hardware-accelerated where available, software-only fallback where not. Full post-quantum protection runs on the same class of microcontroller used in industrial IoT and smart grid devices today, without requiring a hardware upgrade.

NIST PQC · MCU-Optimized
03

OS-Free Bare-Metal Runtime

The Hierophant embedded runtime has no operating system. No Linux kernel. No RTOS. No shell. No process manager. The protocol firmware is the entire software stack — below it is the hardware, above it is the application interface. The OS vulnerability class does not exist on a device that runs no OS.

No OS · No Kernel · No Shell · Bare-Metal
04

Sovereign IoT Network Integration

MCU devices join the sovereign non-IP mesh without IP address assignment or DNS registration. Sensors and controllers communicate with each other and with gateway nodes through the ZK mesh protocol. The IoT device appears in no IP-layer network record, no router log, and no internet address space registry.

Non-IP Mesh · No IP Address · Invisible
05

Non-IP Private Networks

The IoT mesh operates without internet protocols throughout — including at the MCU layer. Sensors and controllers connected to a non-IP mesh are immune to the entire class of IP-layer attacks: port scanning, exploit delivery via TCP/IP, botnet recruitment, and internet-routed command injection. Non-IP is not just privacy — it removes the attack surface entirely.

No TCP/IP · No Port Scan Surface · Non-IP IoT
06

Anonymous OTA for MCUs

Firmware updates delivered over the sovereign mesh without the update server learning which devices connect, their current firmware versions, or their locations. Each device receives the update through an anonymous channel. No OTA traffic analysis can enumerate the fleet, identify vulnerable version cohorts, or geolocate devices. The update completes; the fleet remains invisible.

Anonymous OTA · No Fleet Enumeration · Blind Server
07

Tamper-Evident IoT Hardware

Reference hardware with physical tamper detection that wipes key material on intrusion attempt. Austrian-manufactured MCU boards with EU-sourced components and full supply chain audit trail. Hardware attestation certifies that the device has not been physically modified since manufacturing. Tamper-evident seals provide a visual inspection path for field security audits.

Tamper-Detect · Key Wipe · EU Supply Chain
08

Regulatory Compliance Layer (IEC 62443)

Hierophant embedded generates the cryptographic audit evidence required for IEC 62443 industrial cybersecurity certification and EU Cyber Resilience Act device compliance. Post-quantum encryption, authenticated firmware updates, and tamper-evident hardware together satisfy the technical security baseline for KRITIS-relevant IoT devices, with compliance artifacts generated automatically during operation.

IEC 62443 · CRA · KRITIS IoT · Compliance
In Deployment

When the device is the weakest link.

Three scenarios where edge device vulnerabilities compromised larger sovereign communications architectures and Hierophant embedded removed the attack surface at the MCU layer.

Sovereign Industrial IoT Network

A national energy operator deploys a post-quantum secure sensor grid across 400 substations.

Each substation MCU runs Hierophant bare-metal firmware. No IP addresses are assigned. Sensor telemetry traverses the non-IP sovereign mesh. An adversary scanning the energy operator's network finds no IoT devices at IP addresses — the sensors are not in the IP address space. Adversary intelligence on substation sensor deployment, firmware versions, and communication patterns: nil.

Energy Grid · Non-IP IoT · Invisible Fleet
Anonymous Firmware Fleet Update

A critical infrastructure operator needs to update 1,200 field MCUs with a security-critical firmware patch without disclosing fleet composition to adversary intelligence.

Updates distribute through the anonymous OTA channel. The update server processes requests without logging device identities or versions. Adversary traffic analysis of the OTA event sees anonymous encrypted traffic with no identifiers mapping to specific devices, models, or locations. 1,200 devices receive the patch; adversary intelligence sees nothing that maps to a fleet update event.

Anonymous OTA · Fleet Invisible · Zero Disclosure
Post-Quantum Sensor Grid

A national environmental monitoring network generates sensor data with 20-year operational sensitivity.

Each sensor MCU encrypts telemetry with NIST post-quantum cryptography before transmission. The non-IP mesh carries the encrypted data to the sovereign gateway. Adversary bulk collection of sensor network traffic yields encrypted data with no PQ-breakable content today and no classical-era encryption that can be broken when quantum hardware arrives. The sensor archive is protected for the full operational sensitivity window of the data.

PQ Sensor Data · 20yr Protection · Non-IP Mesh
Data Notes

Device baseline.

Four properties of the Hierophant embedded stack that hold at the MCU level — the device floor for sovereign IoT deployment.

OS Attack Surface
No OS · No Kernel · Bare-Metal
Fleet Metadata in OTA
Anonymous · Blind Server · Non-IP
64KB
Minimum MCU RAM
Constrained Devices · No GPU Required
PQ
All Sensor Data Encrypted
NIST FIPS 203/204
Continue

Adjacent capabilities.

Quantum-safe embedded MCUs are the hardware foundation for these three sovereign communications and control surfaces.

Recognition

Trusted by those who cannot afford to be wrong.

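Independent validation from the defence and security community: not growth-metric awards, but recognition for solving hard problems correctly.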

Austrian Armed Forces · 2026
ADIC 2026 — Austrian Defence Innovation Conference
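Project Hierophant was presented at the 2026 Austrian Defence Innovation Conference, the main forum where the Austrian Armed Forces (Bundesheer) and allied defence ministries evaluate defence technology.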
Austrian Armed Forces · bundesheer.at ↗
Press · Defence Media
Militär Aktuell — GetTrusted Cybersecurity Coverage
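Militär Aktuell, Austria's leading defence and security publication, covered Project Hierophant's approach to post-quantum sovereign communications and its significance for national security architecture.
Read the coverage · militaeraktuell.at ↗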
Hardware · hierophant.at
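Austrian-Made Secure Hardware
Purpose-built OS-free hardware manufactured in Austria under EU supply chain oversight. No operating system means no OS vulnerability class. Hardened enclosure with physical access protection. National supply chain audit trail.
Hardware catalogue · hierophant.at ↗
GetTrusted Escrow GmbH · Vienna, Austria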

Every device. Post-quantum. Anonymous.

Request SDK Access · Hardware Catalogue