1. Introduction

PALISADE is a post-quantum-native virtual private tunneling protocol designed to provide confidentiality, integrity, forward secrecy, replay protection, reduced metadata exposure, and explicit support for migration and roaming in the presence of both classical and quantum adversaries.

Unlike classical VPN protocols such as IKEv2, OpenVPN, and WireGuard, PALISADE relies exclusively on NIST-approved post-quantum cryptographic algorithms for all public-key identity authentication, key establishment, and session resumption functions, and does not provide a classical fallback in the security-critical path.

PALISADE introduces:

• Encrypted headers — Only 8 bytes of fixed framing remain in cleartext
• Traffic shaping — Three modes (off, random padding, constant-rate)
• Post-Quantum 0-RTT resumption — Single-use tickets with replay protection
• Defined migration and roaming behavior — Including both soft and hard migration
• Strict epoch and sequence-based nonce discipline — Preventing AEAD nonce reuse
• Formal key schedule — HKDF-based with explicit key separation and domain isolation