Architecture playbook: crypto-agility for the post-quantum era. Learn more
Sign · Quantum-safe document signing

Add a post-quantum signature to any file — that anyone can verify.

A standards-compliant classical signature keeps your documents valid in Adobe Acrobat and under Malaysia's Digital Signature Act 1997, while an external NIST-PQC signature (ML-DSA / SLH-DSA) adds quantum resistance — verifiable by anyone, with no special software required.

Hybrid signing · Any file type · Public verification portal · PDF, Word, images, media & more

The problem

You can't put a post-quantum signature inside a PDF today

The PDF and CAdES/PAdES signature formats have not yet incorporated the NIST PQC algorithms — so standard signing tools can only add classical RSA/ECC signatures. Those signatures will not survive a cryptographically relevant quantum computer, and future forgeability threatens the long-term validity of everything you sign now.

PDF can't carry a PQC signature

As of 2025, the PDF standard and PAdES/CMS profiles do not define the NIST PQC algorithms, so no compliant PDF signing tool can embed one natively.

Classical signatures won't survive quantum

RSA and ECC signatures rely on math a quantum computer is expected to break — putting the long-term validity of today's signed documents at risk.

Signing is stuck on PDF

Most solutions only sign PDFs. Word, Excel, PowerPoint, images, audio and video have no standardised quantum-safe signing path.

No easy way to verify PQC

There is no public, no-software way for a recipient to check a post-quantum signature — verification usually demands specialised crypto tooling.

A disruptive switch breaks workflows

A PQC-only cutover would break existing verifiers and interoperability. Organisations need a migration path, not a hard fork.

Legal recognition depends on PKI

Under the DSA 1997, legal standing flows from an X.509 certificate issued by an MCMC-licensed CA — a purely PQC certificate has no defined recognition today.

How it works

Two signatures, one document

A hybrid workflow layers a quantum-safe signature on top of a proven classical one — so you keep legal validity and interoperability today, and gain quantum resistance for tomorrow.

1 · Classical signature for validity

For PDFs, the document is first signed with a standards-compliant RSA/ECC signature and a visible signature block, embedded as a PAdES- or CMS-based signature. It opens and validates in Adobe Acrobat and Foxit with no extra software — and, when the certificate comes from an MCMC-licensed CA, it carries legal standing under the DSA 1997.

2 · External PQC signature for quantum resistance

The entire signed file is then hashed and signed again with a NIST post-quantum algorithm — ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Because PDF can't yet hold a PQC signature, this one lives outside the file as an external signature — which is why the same approach works for any file type, not just PDF.

3 · Anyone verifies — no software needed

The signed document carries a clickable link to a public verification portal. Recipients drag in the file, follow the embedded link, or enter a reference ID — and see validity, signer identity, the algorithms used, timestamp, integrity and revocation status. The classical layer stays verifiable in Acrobat; the PQC layer is verified through the portal or API, with no client-side PQC software.

Non-PDF files skip the classical step and are signed directly with the external PQC signature, leaving the original file completely unchanged.

The signature package

A verifiable, self-describing record

Every external PQC signature is stored as a package that records the signature value(s), the signing algorithm identifier(s), the signer's PQC certificate reference, the original file hash and the signing timestamp — everything the verification engine needs to prove integrity and authenticity later.

  • Document hashed with the SHA-3 family (SHA3-256 / 384 / 512).
  • Sign with one or several PQC algorithms at once for maximum assurance.
  • Per-algorithm verification status when multiple signatures are present.
pqc-signature-package.json
{
  "document_hash": {
    "alg": "SHA3-512",
    "value": "b1f4…c09a"
  },
  "signatures": [
    {
      "alg": "ML-DSA-65",     // NIST FIPS 204
      "standard": "FIPS 204",
      "signer_cert_ref": "pqc-ca:signer/2481",
      "value": "9d3e…7f21"
    },
    {
      "alg": "SLH-DSA-SHA2-192s", // NIST FIPS 205, long-term
      "standard": "FIPS 205",
      "signer_cert_ref": "pqc-ca:signer/2481",
      "value": "0a7c…be44"
    }
  ],
  "signed_at": "2026-07-02T09:14:22Z",
  "verify_url": "https://verify.mypqc.my/d/DOC-2481-A9"
}

Capabilities

Everything you need to sign — and to be believed

Sign any file type

PDFs, Office documents, images, text, audio, video — anything. The external PQC signature leaves the original file untouched.

Public verification, zero software

A public, no-login portal and REST API let any recipient confirm validity, signer identity, algorithms, timestamp and integrity.

Multi-algorithm assurance

Sign a single document with several PQC algorithms at once — for example ML-DSA plus SLH-DSA — with per-algorithm verification results.

Long-term archival signatures

SLH-DSA (FIPS 205) rests on conservative hash-based assumptions, making it well suited to signatures that must hold for decades.

Multi-signer & batch signing

Route documents through multiple signers, each with their own visible signature position, and sign in bulk for high-volume workflows.

Crypto-agile by policy

The signing algorithm is a policy choice you can change at any time — swap or add algorithms as standards and threats evolve, without re-engineering.

Managed PQC keys & certificates

Generate classical and PQC keypairs, obtain X.509 certificates from the platform CA, and store keys in an encrypted keystore or an HSM via PKCS#11.

REST API for integrators

An OpenAPI 3.0 signing and verification API over TLS 1.3, with API-key or mTLS auth and webhook callbacks for async pipelines.

Tamper-evident audit trail

Every signing and verification operation is logged with tamper-evident audit records, and revocation is checked via OCSP/CRL.

A sovereign algorithm option, alongside the NIST standards

For organisations that want a locally-developed option and reduced dependence on foreign crypto standards, KAZ-SIGN — a Malaysian post-quantum signature scheme — can be selected alongside the NIST-standardised ML-DSA and SLH-DSA. It is an optional, policy-selectable sovereign choice, not a NIST-standardised algorithm.

Because algorithm selection is crypto-agile, this choice is a policy decision you can change at any time — offering a sovereign option never means locking yourself out of the global NIST ecosystem.

Use cases

Built for documents that have to be trusted

Wherever a signature carries weight — legally, financially or operationally — a hybrid classical + PQC signature protects it now and for the long term.

Government documents

Sign official records, permits, notices and correspondence with a sovereign, quantum-safe signature that remains verifiable in standard readers and stands up for decades.

Contracts & agreements

Give contracts a visible signature that opens in Acrobat plus an external PQC signature — so counterparties can verify authenticity and integrity without any special tooling.

Banking & regulated industries

Add quantum resistance to statements, instructions and disclosures with tamper-evident audit trails and public verification — supporting long-retention record requirements.

Standards & compatibility

Aligned with the algorithms your auditors expect

MyPQC Document Signing implements the finalized NIST post-quantum signature algorithms and preserves compatibility with the classical PKI standards that carry legal weight today.

NIST FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) were finalized in August 2024. KAZ-SIGN is a sovereign option offered alongside them, not a NIST standard.
LayerAlgorithms / standardsRole
Classical signatureRSA-3072+, ECDSA (P-256 / P-384); PAdES or CMS profiles; X.509Visible signature in the PDF; validates in Acrobat/Foxit; DSA 1997 standing via an MCMC-licensed CA cert
PQC signatureML-DSA (NIST FIPS 204), SLH-DSA (NIST FIPS 205)External quantum-resistant signature over the whole file, verifiable via the portal/API
Sovereign optionKAZ-SIGN (optional, policy-selectable)Malaysian sovereign scheme offered alongside the NIST algorithms — not NIST-standardised
HashingSHA-3 family (SHA3-256 / 384 / 512)Document hash computed before signing
Verification & trustOCSP / CRL revocation; OpenAPI 3.0; TLS 1.3Public verification portal & API, no client-side PQC software required

A note on the Digital Signature Act 1997

Under Malaysia's Digital Signature Act 1997, a signature gains legal standing when it is verified against a valid X.509 certificate issued by a Certification Authority licensed by the MCMC. MyPQC's classical signing layer is designed to support that workflow, and can be deployed with certificates from an MCMC-licensed CA — this is a deployment capability, not an automatic guarantee. The PQC layer then adds quantum resistance on top.

Sign for today's law and tomorrow's threats

See how hybrid classical + post-quantum signing keeps your documents valid now and quantum-safe for the long term.