Rust crate adds post-quantum attestation and supply-chain provenance
pqrascv-core binds device quotes to SLSA provenance and ML-DSA-65, bringing post-quantum trust tooling to no_std Rust for embedded targets.

A Rust crate is trying to solve two problems at once: prove a device is in the right state, and prove the firmware on that device came from a clean build path. pqrascv-core does that with a no_std + alloc design, which puts it squarely in the world of constrained hardware, embedded boards, and other places where server-first security tooling usually does not fit.
The project’s attestation flow is blunt and practical. A verifier sends a 32-byte random nonce, the prover collects platform measurements through a measurement::RoT backend, attaches in-toto and SLSA provenance, then ML-DSA-65 signs a CBOR-encoded AttestationQuote. The docs also list feature flags for std, alloc, hardware-tpm, and dice, which suggests the crate is meant to bridge software-only deployments and hardware-root-of-trust setups rather than force a single model on every system.

That matters because the cryptography underneath is already on a new clock. NIST published FIPS 204, the Module-Lattice-Based Digital Signature Standard, on August 13, 2024, and it became effective on August 14, 2024. NIST says ML-DSA is believed to remain secure even against adversaries with a large-scale quantum computer. In the forum post that introduced the project, the author pointed to the same pressure point: devices deployed today may still be in service when cryptographically relevant quantum computers arrive.
The supply-chain side is just as concrete. SLSA defines provenance as verifiable information used to track software artifacts back through the supply chain, and its v1 provenance predicate is the recommended way to satisfy SLSA v1.0 provenance requirements. The IETF RATS architecture, meanwhile, defines remote attestation as a process for determining whether a device is in an intended operating state by conveying evidence and appraisal results. pqrascv-core stitches those ideas together instead of treating them as separate layers.
That is what makes the crate stand out in Rust. Its docs say it targets bare-metal Cortex-M4, RISC-V, WASM, and Linux, so this is not just a neat server-side experiment. It points toward a Rust ecosystem where firmware trust, build transparency, and post-quantum signatures are being designed into the same flow from the start. For connected devices and regulated systems, that is the kind of plumbing that can shape architecture long before the first quantum warning turns into a production problem.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


