Add a post-quantum signature to any file —
that anyone can verify.
A standards-compliant classical signature keeps your documents valid in Adobe Acrobat and under Malaysia's Digital Signature Act 1997, while an external NIST-PQC signature (ML-DSA / SLH-DSA) adds quantum resistance — verifiable by anyone, with no special software required.
Hybrid signing · Any file type · Public verification portal · PDF, Word, images, media & more
The problem
You can't put a post-quantum signature inside a PDF today
The PDF and CAdES/PAdES signature formats have not yet incorporated the NIST PQC algorithms — so standard signing tools can only add classical RSA/ECC signatures. Those signatures will not survive a cryptographically relevant quantum computer, and future forgeability threatens the long-term validity of everything you sign now.
PDF can't carry a PQC signature
As of 2025, the PDF standard and PAdES/CMS profiles do not define the NIST PQC algorithms, so no compliant PDF signing tool can embed one natively.
Classical signatures won't survive quantum
RSA and ECC signatures rely on math a quantum computer is expected to break — putting the long-term validity of today's signed documents at risk.
Signing is stuck on PDF
Most solutions only sign PDFs. Word, Excel, PowerPoint, images, audio and video have no standardised quantum-safe signing path.
No easy way to verify PQC
There is no public, no-software way for a recipient to check a post-quantum signature — verification usually demands specialised crypto tooling.
A disruptive switch breaks workflows
A PQC-only cutover would break existing verifiers and interoperability. Organisations need a migration path, not a hard fork.
Legal recognition depends on PKI
Under the DSA 1997, legal standing flows from an X.509 certificate issued by an MCMC-licensed CA — a purely PQC certificate has no defined recognition today.
How it works
Two signatures, one document
A hybrid workflow layers a quantum-safe signature on top of a proven classical one — so you keep legal validity and interoperability today, and gain quantum resistance for tomorrow.
1 · Classical signature for validity
For PDFs, the document is first signed with a standards-compliant RSA/ECC signature and a visible signature block, embedded as a PAdES- or CMS-based signature. It opens and validates in Adobe Acrobat and Foxit with no extra software — and, when the certificate comes from an MCMC-licensed CA, it carries legal standing under the DSA 1997.
2 · External PQC signature for quantum resistance
The entire signed file is then hashed and signed again with a NIST post-quantum algorithm — ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Because PDF can't yet hold a PQC signature, this one lives outside the file as an external signature — which is why the same approach works for any file type, not just PDF.
3 · Anyone verifies — no software needed
The signed document carries a clickable link to a public verification portal. Recipients drag in the file, follow the embedded link, or enter a reference ID — and see validity, signer identity, the algorithms used, timestamp, integrity and revocation status. The classical layer stays verifiable in Acrobat; the PQC layer is verified through the portal or API, with no client-side PQC software.
Non-PDF files skip the classical step and are signed directly with the external PQC signature, leaving the original file completely unchanged.
The signature package
A verifiable, self-describing record
Every external PQC signature is stored as a package that records the signature value(s), the signing algorithm identifier(s), the signer's PQC certificate reference, the original file hash and the signing timestamp — everything the verification engine needs to prove integrity and authenticity later.
- Document hashed with the SHA-3 family (SHA3-256 / 384 / 512).
- Sign with one or several PQC algorithms at once for maximum assurance.
- Per-algorithm verification status when multiple signatures are present.
{
"document_hash": {
"alg": "SHA3-512",
"value": "b1f4…c09a"
},
"signatures": [
{
"alg": "ML-DSA-65", // NIST FIPS 204
"standard": "FIPS 204",
"signer_cert_ref": "pqc-ca:signer/2481",
"value": "9d3e…7f21"
},
{
"alg": "SLH-DSA-SHA2-192s", // NIST FIPS 205, long-term
"standard": "FIPS 205",
"signer_cert_ref": "pqc-ca:signer/2481",
"value": "0a7c…be44"
}
],
"signed_at": "2026-07-02T09:14:22Z",
"verify_url": "https://verify.mypqc.my/d/DOC-2481-A9"
}
Capabilities
Everything you need to sign — and to be believed
Sign any file type
PDFs, Office documents, images, text, audio, video — anything. The external PQC signature leaves the original file untouched.
Public verification, zero software
A public, no-login portal and REST API let any recipient confirm validity, signer identity, algorithms, timestamp and integrity.
Multi-algorithm assurance
Sign a single document with several PQC algorithms at once — for example ML-DSA plus SLH-DSA — with per-algorithm verification results.
Long-term archival signatures
SLH-DSA (FIPS 205) rests on conservative hash-based assumptions, making it well suited to signatures that must hold for decades.
Multi-signer & batch signing
Route documents through multiple signers, each with their own visible signature position, and sign in bulk for high-volume workflows.
Crypto-agile by policy
The signing algorithm is a policy choice you can change at any time — swap or add algorithms as standards and threats evolve, without re-engineering.
Managed PQC keys & certificates
Generate classical and PQC keypairs, obtain X.509 certificates from the platform CA, and store keys in an encrypted keystore or an HSM via PKCS#11.
REST API for integrators
An OpenAPI 3.0 signing and verification API over TLS 1.3, with API-key or mTLS auth and webhook callbacks for async pipelines.
Tamper-evident audit trail
Every signing and verification operation is logged with tamper-evident audit records, and revocation is checked via OCSP/CRL.
A sovereign algorithm option, alongside the NIST standards
For organisations that want a locally-developed option and reduced dependence on foreign crypto standards, KAZ-SIGN — a Malaysian post-quantum signature scheme — can be selected alongside the NIST-standardised ML-DSA and SLH-DSA. It is an optional, policy-selectable sovereign choice, not a NIST-standardised algorithm.
Because algorithm selection is crypto-agile, this choice is a policy decision you can change at any time — offering a sovereign option never means locking yourself out of the global NIST ecosystem.
Use cases
Built for documents that have to be trusted
Wherever a signature carries weight — legally, financially or operationally — a hybrid classical + PQC signature protects it now and for the long term.
Government documents
Sign official records, permits, notices and correspondence with a sovereign, quantum-safe signature that remains verifiable in standard readers and stands up for decades.
Contracts & agreements
Give contracts a visible signature that opens in Acrobat plus an external PQC signature — so counterparties can verify authenticity and integrity without any special tooling.
Banking & regulated industries
Add quantum resistance to statements, instructions and disclosures with tamper-evident audit trails and public verification — supporting long-retention record requirements.
Standards & compatibility
Aligned with the algorithms your auditors expect
MyPQC Document Signing implements the finalized NIST post-quantum signature algorithms and preserves compatibility with the classical PKI standards that carry legal weight today.
| Layer | Algorithms / standards | Role |
|---|---|---|
| Classical signature | RSA-3072+, ECDSA (P-256 / P-384); PAdES or CMS profiles; X.509 | Visible signature in the PDF; validates in Acrobat/Foxit; DSA 1997 standing via an MCMC-licensed CA cert |
| PQC signature | ML-DSA (NIST FIPS 204), SLH-DSA (NIST FIPS 205) | External quantum-resistant signature over the whole file, verifiable via the portal/API |
| Sovereign option | KAZ-SIGN (optional, policy-selectable) | Malaysian sovereign scheme offered alongside the NIST algorithms — not NIST-standardised |
| Hashing | SHA-3 family (SHA3-256 / 384 / 512) | Document hash computed before signing |
| Verification & trust | OCSP / CRL revocation; OpenAPI 3.0; TLS 1.3 | Public verification portal & API, no client-side PQC software required |
A note on the Digital Signature Act 1997
Under Malaysia's Digital Signature Act 1997, a signature gains legal standing when it is verified against a valid X.509 certificate issued by a Certification Authority licensed by the MCMC. MyPQC's classical signing layer is designed to support that workflow, and can be deployed with certificates from an MCMC-licensed CA — this is a deployment capability, not an automatic guarantee. The PQC layer then adds quantum resistance on top.
Sign for today's law and tomorrow's threats
See how hybrid classical + post-quantum signing keeps your documents valid now and quantum-safe for the long term.