4.1 PALISADE‑CORE: Mandatory Compliance Profile

PALISADE-CORE defines the minimal set of cryptographic algorithms and protocol features that all compliant PALISADE implementations MUST support. This profile exists to guarantee baseline interoperability and security across independent implementations.

PALISADE‑CORE requires:

• One KEM: ML‑KEM‑768 (or an equivalent security-level KEM explicitly designated by a future PALISADE cryptographic registry).
• One Signature Scheme: Dilithium‑3.
• One AEAD: XChaCha20‑Poly1305.
• Encrypted Packet Headers: All packet headers except for a fixed-length framing prefix are encrypted and authenticated.
• No migration support.
• No early data (0‑RTT).
• No timestamp field.
• No extensions, except the Epoch Overlap extension defined in Section 16.

All other protocol capabilities described in this document are OPTIONAL and belong to the PALISADE‑PLUS feature tier. Implementations MAY support these additional features, but they are not required for conformance to PALISADE‑CORE.

4.2 PALISADE-PLUS: PALISADE-CORE with Additional Features

PALISADE-PLUS OPTIONALLY extends PALISADE-CORE with:

1. Optional 0-RTT session resumption using single-use tickets
2. Migration and roaming support, including both soft and hard migration
3. Optional traffic shaping, including random padding and constant-rate modes
4. Policy-driven rekeying behavior beyond the minimum requirements

Support for PALISADE-PLUS features is negotiated during the handshake. Implementations that do not support PALISADE-PLUS remain fully interoperable under PALISADE-CORE.