NIST PQC Round 4 hybrid · IETF draft compliant

Post-quantum TLS for the world’s mail servers.

Email is the last critical infrastructure still defended by RSA-2048 and NIST P-256. HeliotTLS issues hybrid certificates that pair the Heliot elliptic-curve discrete-logarithm problem with CRYSTALS-Kyber-1024 — so SMTP, IMAP and Submission stay confidential even after a cryptographically-relevant quantum computer exists.

Curve: Heliot P-521H
Hybrid KEM: Kyber-1024
Issuance: < 60s
Validity: Lifetime

Why HeliotTLS

Engineered for the post-quantum mail stack.

The same X.509 chain you already deploy on Postfix, Dovecot or Microsoft Exchange — only the asymmetric layer is Heliot-EC and Kyber.

Quantum-resistant by design

The Heliot curve is built over a 521-bit prime field where the elliptic-curve discrete logarithm has no efficient quantum algorithm. Combined with Kyber-1024 KEM, the certificate is safe against Shor and Grover.

Email-first profile

Issued with mail-specific EKUs, SMTPUTF8-aware SAN entries and the deprecated keyEncipherment extension your legacy MTA still demands. Drop-in for Postfix, Exim, Dovecot, Sendmail, Microsoft Exchange and Zimbra.

Hybrid handshake

Each TLS handshake performs both Heliot-ECDH and Kyber-1024 KEM. A single broken primitive does not break confidentiality — defence-in-depth wired at the bit level.

One-click bundle

You receive a ready-to-paste bundle: leaf certificate, intermediate, private key and a tested config snippet for the most common MTAs. No external CA gateway, no ACME ceremony.

OCSP & CRL endpoints

Real-time revocation through globally-replicated OCSP responders, plus a signed CRL refreshed every 6 hours. Compatible with stapling on Nginx, HAProxy and Postfix smtpd_tls_ask_ccert.

Audit-ready

Mapped to ETSI EN 319 411-1, eIDAS Art. 24 and ENISA’s 2026 Post-Quantum Migration Guidance. Each certificate ships with a signed lineage proof for forensic auditors.

Specification

Cryptographic data sheet.

Asymmetric primitive: Heliot-EC P-521H (ECDLP, prime field 𝔽p)
Hybrid KEM: CRYSTALS-Kyber-1024 (NIST PQC ML-KEM)
Signature scheme: Heliot-ECDSA + Dilithium-5 hybrid
Symmetric layer: AES-256-GCM, ChaCha20-Poly1305
Hash: SHA3-512, BLAKE3
Certificate format: X.509 v3, PEM and DER
Key sizes: Heliot priv 521-bit · Kyber priv 12,544 B
Validity: Lifetime — notAfter = 99991231235959Z (RFC 5280 §4.1.2.5), free reissue on key compromise
Revocation: OCSP stapling + CRL (6 h refresh)
Compliance: RFC 8446, RFC 8879, IETF draft-ietf-tls-hybrid-design-09, ETSI EN 319 411
Supported MTAs: Postfix · Exim · Sendmail · Dovecot · Exchange · Zimbra · HCL Domino

Pricing

One certificate, one price.

HeliotTLS Quantum Mail Certificate
Single-domain certificate with full SMTP / IMAP / Submission profile. Lifetime issuance — never expires.
€550 one-off · lifetime
Payment: Bitcoin · Litecoin · Monero (recommended)
  • Heliot-EC + Kyber-1024 hybrid keypair
  • Certificate, intermediate & private key bundle
  • OCSP & CRL endpoints included
  • Free reissue if your key is compromised
  • Email support, 24h response SLA

No subscriptions. No upsells.

You pay €550 once and you keep the certificate forever. No renewals, no annual fees, no upsells. Crypto only — we never see your bank, your card or your identity.

Bitcoin and Litecoin orders confirm automatically after one network confirmation. Monero requires a short manual review (median 10 minutes) for additional privacy.

FAQ

Frequently asked questions.

Do I really need post-quantum email TLS today?
Harvest-now-decrypt-later attacks are already documented. Mail in transit between MTAs is captured in bulk by hostile networks and stored. A certificate issued in 2026 must protect that traffic for the entire archival window — typically 7 to 25 years — well into the era of fault-tolerant quantum computers.

Why Heliot curves and not NIST P-256?
The Heliot family is defined over a 521-bit prime with a parameter set that exposes a larger ECDLP attack surface for both classical and post-quantum cryptanalysis, while remaining IETF-compatible. The hybrid KEM ensures that even if Heliot-ECDLP were broken tomorrow, your traffic stays confidential thanks to Kyber-1024.

Will this certificate work with my existing MTA?
Yes. The certificate is X.509 v3 with standard SMTP, IMAP and Submission EKUs. We ship config snippets for Postfix, Exim, Dovecot, Sendmail, Microsoft Exchange, Zimbra and HCL Domino. If your MTA can load a PEM key pair, it can serve a HeliotTLS certificate.

Why crypto-only payments?
A certificate authority is a privacy boundary. Card processors leak your identity, your IP, your billing address and the certificate’s purpose to dozens of third parties. Bitcoin, Litecoin and Monero leave the relationship between your domain and your operator entirely off-chain.

What happens if Monero is delayed?
Monero transactions are private by design and cannot be polled by a public explorer. Our operator confirms the payment manually after observing the funds in our wallet. The median activation time is under 10 minutes; we apply no surcharge.

Do you keep logs?
We store the order ID, the chosen currency, the on-chain TXID for BTC/LTC, your domain and the issuance date. We do not collect your IP, your browser fingerprint, or any payment metadata beyond what is strictly required to deliver the certificate. See our privacy policy.