{"version":"TBR-v1","build":"#41","signature_pillars":[{"family":"classical","alg":"Ed25519","std":"RFC 8032","role":"hedge against PQ implementation bugs"},{"family":"lattice","alg":"ML-DSA-65","std":"FIPS 204","role":"primary post-quantum pillar"},{"family":"hash","alg":"SLH_DSA_PURE_SHAKE_256F","std":"FIPS 205","role":"hash-family hedge against lattice cryptanalysis"}],"verify_rule":"all-of-3 (every pillar must verify)","verify_rule_rationale":"EUF-CMA security of a parallel signature combiner requires the verifier to accept only when EVERY pillar passes. 2-of-3 acceptance would let a single-pillar break forge the receipt.","hybrid_kem":{"kem_lattice":{"alg":"ML-KEM-768","std":"FIPS 203"},"kem_code":{"alg":"Classic-McEliece-6688128f","std":"NIST PQC Round-4 alternate"},"combiner":"NIST SP 800-56C Rev. 2 parallel-KDF, SHAKE256","security_model":"1-of-2 (secure if either KEM remains hard)"},"entropy":{"sources_used":[{"name":"kernel_csprng","via":"os.urandom (getrandom(2) on Linux)"},{"name":"kernel_csprng_python","via":"secrets.token_bytes"}],"optional_sources_disabled_by_default":[{"name":"hw_rdseed","env":"HIVE_USE_RDSEED","default":"off"},{"name":"qrng_card","env":"HIVE_QRNG_DEVICE","default":"unset"}],"mixer":"HKDF-SHA3-256 (RFC 5869 form, SHA-3 family)","domain_separation":"info=b'hive-cre-entropy-v1'","fips_validation":"None claimed. We do not assert FIPS 140-3 §AS09.42 conformance. The operator's deployment platform may itself be FIPS-validated; that conformance is inherited, not claimed here.","explicitly_not_used":["neural organoid signals","ion channel noise","plant action potentials","protein folding MD simulators","microbial motility patterns","21 independent biological sources","RL-optimised entropy weighting"],"rationale":"Hive does not operate a wet lab and does not have calibrated biological entropy sources. Specs that claim such sources at scale typically fall back to emulation, which never satisfies FIPS 140-3 §AS09.42. We disclose this honestly rather than carry the marketing claim."},"explicitly_not_implemented":["2-out-of-3 threshold combiners (insecure for signatures, mislabeled for KEMs)","Single zkSNARK satisfying SOC 2 / ISO 27001 / HIPAA / FedRAMP simultaneously","Neural-organoid / ion-channel / plant-action-potential entropy sources","LeNet-5 side-channel detector (not a real construction in this domain)","FIPS 140-3 conformance claim without a validation certificate","'Continuous attestation' / 'End of Annual Audit' marketing claims"]}