TWT-B3 — Real ML-DSA-65 on 14 SDKs
Keygen, sign, verify live via liboqs (Rust, Python, C, C++, Swift, PHP, Perl, Fortran), circl (Go), BouncyCastle (Java, C#, VB.NET) and noble-post-quantum (TypeScript). PQC benchmarks extended to 12 SDKs.
Achievements
TWT 1.5 is shipping. 16 SDKs, 2000+ tests, 108+ benchmarks, real ML-DSA-65 on 14 SDKs, IETF Internet-Draft v2, SonarQube Quality Gate green. Snapshot of 2026-05-15.
16 / 16
SDKs delivered
6 prod + 8 additional + 2 frontend
2,000+
Tests green
Across all 16 SDKs
108+
Benchmarks
All under 30 ms
90+/100
OWASP score
Top 10 coverage
IETF v2
Internet-Draft
draft-toonwebtoken-twt-02
Recent milestones
-
-
TWT-B3.2 — Real TOON wire format on v2 path
7 SDKs now emit real TOON (not JSON) on the v2 generator path, matching the draft-02 wire format specification.
-
Dual MIT/Apache-2.0 license across all 16 SDKs
License harmonized following the Rust crate model, enabling enterprise adoption and potential Apache Foundation transfer.
-
AppSec remediation complete — 81/81 items closed (Tiers 0–6)
Comprehensive AppSec audit: all CRITICAL, HIGH, MED, and LOW findings resolved. SonarQube 0 blockers, 0 critical issues. Cross-SDK adversarial corpus deployed.
-
SonarQube Quality Gate green — 0 bugs, 0 vulnerabilities
Reliability / Security / Maintainability all rated A. New code coverage 82.6% (≥ 80 threshold).
-
TWT 1.5 — production-ready snapshot
Tracks A & C closed. D2/D4 + E1/E2/E3 + E5-partial delivered. Production-readiness assessment published.
-
TWT-E3 — Internet-Draft v1 published
draft-toonwebtoken-twt-00 with byte-for-byte reproducible test vectors. Now updated to draft-02 with MLDSA65 optional.
-
TWT-C1 — Benchmarks under 30 ms across 12 SDKs
108+ benchmarks total. Worst-case: TypeScript at 6.01 ms (5× safety margin). Fastest PQC verify: Rust at 56 µs.
Tests & benchmarks per SDK
| SDK | Tests | Benchmarks |
|---|---|---|
| Python | 322 | 9 |
| TypeScript | 190 | 9 |
| Java | 179 | 9 |
| C# | 185 | 9 |
| Go | 138 | 9 |
| Swift | 150 | 7 |
| PHP | 157 | 7 |
| Perl | 152 | 7 |
| VB.NET | 156 | 7 |
| Rust | 110 | 9 |
| C | 52 | — |
| C++ | 13 suites | 7 |
| Fortran | 13 suites | 7 |
| React | 53 | — |
| Vue | 53 | — |
| Delphi | Review | — |
Benchmark highlights (ML-DSA-65 PQC)
All operations measured on Apple Silicon (arm64). Budget: < 30 ms per operation.
| SDK | Keygen | Sign | Verify | 30 ms margin |
|---|---|---|---|---|
| Rust | 61 µs | 237 µs | 56 µs | 126× |
| Python | 84 µs | 253 µs | 67 µs | 58× |
| Go | 103 µs | 269 µs | 83 µs | 76× |
| Java | 90 µs | 252 µs | 84 µs | 56× |
| C# | 128 µs | 415 µs | 470 µs | 54× |
| C++ | 80 µs | 250 µs | 62 µs | 120× |
| Swift | 100 µs | 300 µs | 80 µs | 100× |
| TypeScript | 1.25 ms | 6.01 ms | 1.31 ms | 5× |
| PHP | 142 µs | 440 µs | 213 µs | 68× |
| Perl | 79 µs | 274 µs | 67 µs | 109× |
| Fortran | 174 µs | 231 µs | 73 µs | 130× |
| VB.NET | 474 µs | 1.66 ms | 204 µs | 18× |
Every SDK is at least 5× under the 30 ms budget. Native liboqs bindings deliver sub-ms PQC; pure JS (TypeScript) is the slowest at ~6 ms — still well within budget.
Audits & compliance
OWASP Top 10 — 90+/100 coverage
8/10 items covered (A01/A02/A04/A05/A07/A08/A09/A10). A03/A06 are out-of-scope (no DB / no client-side rendering attack surface).
AppSec audit — 81/81 remediation items closed
Comprehensive 6-tier audit (Tiers 0–6): all CRITICAL, HIGH, MED, and LOW findings resolved. SonarQube 0 blockers, 0 critical issues. 22,504 LOC across 154 files.
NIST FIPS alignment
FIPS 198-1 (HMAC-SHA256), 197 (AES-256-GCM), FIPS 204 (ML-DSA-65) — real crypto on 14 SDKs via liboqs 0.15, circl 1.6.3, BouncyCastle 1.79.
Regulatory profile mapping
FINMA, nFADP, GDPR, EU AI Act, HIPAA — 5 profiles, 20 requirements, 5 documented gaps.
Dual MIT/Apache-2.0 license
All 16 SDKs dual-licensed following the Rust crate model, enabling enterprise adoption and OSI compliance.