★ A Malaysian First

The first payment platform in Malaysia to support Post-Quantum Cryptography.

We didn't wait for quantum computers to break the internet's cryptography. SecurePay is the first payment fintech to ship KAZ-SIGN PQC into a live payment gateway — quantum-resistant signatures, hardened API, end-to-end. Validated under the PTPKM PQC Sandbox Program, 100% milestone delivered November 2025.

100% milestone delivered · ~2.3 ms end-to-end · 100% validation accuracy

Why post-quantum?

The cryptography that protects payments today won't survive tomorrow's computers

Today's payment infrastructure is secured by RSA and ECC — public-key algorithms whose security rests on math problems that classical computers can't solve in any practical time. Sufficiently large quantum computers, using Shor's algorithm, will break those assumptions.

  • Adversaries can "harvest now, decrypt later" — capture today's signed traffic and break it once quantum hardware matures.
  • Payment integrity and merchant identity must remain verifiable for years — well beyond the expected arrival of cryptographically-relevant quantum computers.
  • Post-Quantum Cryptography (PQC) is the migration path: algorithms designed to remain secure against both classical and quantum attackers.

The shift

From RSA / ECC to KAZ-SIGN PQC

A practical roadmap, validated end-to-end on the SecurePay Payment Gateway — so Malaysian merchants can adopt quantum-resistant signatures without waiting for the threat to arrive.

Our approach

KAZ-SIGN, integrated where it matters most — at the API

Every API request from a SecurePay merchant is digitally signed by the merchant and verified by the platform. Replacing that signature scheme with a post-quantum algorithm hardens the most exposed surface of a payment gateway — the transaction message itself.

PQC algorithm

KAZ-SIGN — a quantum-resistant digital signature scheme — replaces conventional RSA/ECC signatures for merchant identity and API message authentication.

SecurePay as PQC‑enhanced CA

SecurePay operates an in-house PQC‑Enhanced Certificate Authority (backed by SoftHSM) that issues PQC certificates to onboarded merchants after KYC.

Quantum-secure API

Every API call carries a KAZ-SIGN signature. SecurePay's platform validates it against the merchant's PQC certificate before authorising the transaction — end-to-end quantum-safe.

How it works

From key pair to validated transaction

The flow follows standard PKI conventions — but every cryptographic primitive in the chain is post-quantum.

01. Generate PQC key pair
The merchant generates a KAZ-SIGN public/private key pair locally. The private key never leaves the merchant.

02. Generate PQC CSR
A Certificate Signing Request is generated from the public key — the formal request for a digital identity.

03. Submit CSR to the CA
The merchant submits the CSR to SecurePay's PQC-enhanced Certificate Authority for vetting.

04. CA signs & issues certificate
After KYC, the CA signs the CSR and issues a valid PQC certificate — completing the digital-identity registration.

05. Verify certificate locally
The merchant verifies the issued certificate locally to confirm its authenticity and integrity before use.

06. Send certificate to SecurePay
The verified certificate is registered with the SecurePay platform's merchant certificate store.

07. Quantum-secure API calls
The merchant signs each API request with the KAZ-SIGN private key; SecurePay verifies with the registered public key and authorises the transaction.

Quantum-safe end‑to‑end

Identity, certificate issuance, and message authentication all run on PQC primitives. No part of the trust chain depends on RSA or ECC.
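
The gateway-side checks from steps 04 to 07, as an added example that is not SecurePay's code. No KAZ-SIGN API appears on this page, so a Lamport one-time hash-based signature over SHA-256 stands in for it; the certificate layout and the names `issue_cert`, `tbs`, `canonical` and `authorise` are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in, NOT KAZ-SIGN): 256 secret pairs,
    # public key = their hashes. Each key may sign exactly one message.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    # Fail closed on malformed input before any hashing.
    if not isinstance(sig, list) or len(sig) != 256:
        return False
    if not all(isinstance(s, bytes) for s in sig):
        return False
    ok = True
    for i, b in enumerate(_bits(msg)):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][b])
    return ok

def tbs(merchant_id, pk):
    # Bytes the CA signs: merchant id bound to the public key (assumed layout).
    return merchant_id.encode() + b"\x00" + b"".join(a + b for a, b in pk)

def issue_cert(ca_sk, merchant_id, pk):
    # Step 04: the CA signs the id/key binding and returns the certificate.
    return {"merchant": merchant_id, "pk": pk, "ca_sig": sign(ca_sk, tbs(merchant_id, pk))}

def canonical(merchant_id, body):
    # One unambiguous byte string per request: sorted keys, fixed separators.
    return json.dumps({"merchant": merchant_id, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()

def authorise(store, ca_pk, merchant_id, body, sig):
    cert = store.get(merchant_id)  # step 06: registered certificate store
    if cert is None:
        return "reject: unknown merchant"
    if cert["merchant"] != merchant_id or not verify(ca_pk, tbs(merchant_id, cert["pk"]), cert["ca_sig"]):
        return "reject: bad certificate"
    if not verify(cert["pk"], canonical(merchant_id, body), sig):
        return "reject: bad signature"
    return "authorised"
```

Because a Lamport key is safe for one signature only, the stand-in shows the order of checks and the fail-closed handling of unknown merchants, untrusted certificates and malformed signatures, not a deployable scheme.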

Validated under load

Production-grade performance

Benchmarked end-to-end across the full KAZ-SIGN workflow — generate, sign, issue, verify — on both dedicated hardware and shared cloud, at 500, 1,000 and 2,000 concurrent operations.

  • ~2.3 ms: End-to-end on hardware (full workflow)
  • ~0.2 ms: Verify-signature latency (hardware)
  • 3–5×: Faster on hardware vs cloud across all stages
  • 2,000: Concurrent ops tested — latency stays flat

Validation

100% accuracy. Zero verification failures.

Across the full security test suite — 500, 1,000 and 2,000-iteration runs — every signature was correctly verified and every malformed CSR correctly rejected. No false positives. No false negatives.

  • All 8 milestone test cases passed (key generation, CSR, CA signing, local verification, API signing, signature verification, security checks).
  • System correctly distinguishes valid vs malformed certificates and signatures under all tested loads.
  • POC demonstrated end-to-end with Yezza as the merchant, signing real API messages on SecurePay's gateway.

Why this matters

A real foundation for national PQC migration

The POC delivers three concrete outcomes that any merchant or regulator can build on:

  • Confirmed KAZ-SIGN is API-compatible with SecurePay's existing gateway framework.
  • Measured the cost of PQC at every stage so it can be capacity-planned in production.
  • Provides a reference architecture for a national PQC migration strategy.

Project timeline

Five phases. All delivered in 2025.

Under the PTPKM PQC Sandbox Program, from requirements to a 100% milestone presentation in four months.

Planning & Design

Aug 2025. Requirements, architecture, resource allocation. ✓ Completed

Development

Sep 2025. Core PQC integration, API development, certificate management. ✓ Completed

Validation & Testing

Oct 2025. Sandbox testing, security audits, performance optimisation. ✓ Completed

IP Submission

Nov 2025. IP valuation, documentation, formal registration submission. ✓ Completed

Final Presentation

Nov 2025. Full system demonstration, project closeout. ✓ Completed

Quantum-ready, today

Start accepting payments on a future-proof platform