Skip to main content

Module keys_post_quantum

hashiverse_lib::tools

Module keys_post_quantum 

Source
Expand description

§Post-Quantum Cryptography resilience

§The problem

Hashiverse identities are derived from public keys: ID = Blake3[ ed25519_pub || Blake3[Falcon_pub][0..16] || Blake3[Dilithium_pub][0..16] ]

Because the identity is the key, there is no upgrade path that preserves identity — switching algorithms would require replacing every server and client ID on the network. Post-quantum support must therefore be baked in from the start, not bolted on later.

§Current design

Rather than signing everything with PQ algorithms today (which carry large key and signature sizes and lack window.crypto.subtle browser support), each identity commits to two PQ public keys via their 16-byte Blake3 hashes:

  • FN-DSA / Falcon (FIPS 205) — smaller signatures than Dilithium; preferred first-step upgrade when Ed25519 is threatened.
  • ML-DSA / Dilithium (FIPS 204) — fallback if Falcon is later compromised. Already under consideration for window.crypto.subtle, making it the most likely candidate for full browser-native signing support in future.

The commitments are shipped with every message as part of the identity header; the full PQ public keys are not shipped today and private keys remain unused until quantum-day.

§Upgrade path

  • Ed25519 compromised → network upgrades to Falcon. The full Falcon public key begins shipping with every message and is used to verify Falcon signatures. Receivers confirm Blake3[Falcon_pub][0..16] == commitment_falcon embedded in the sender’s identity.
  • Falcon compromised → network similarly upgrades to Dilithium.
  • Dilithium threatened → a migration to future PQ algorithms would be needed, likely requiring a “please follow me on my new identity” protocol. The same protocol would also serve other identity migration use cases (e.g. a compromised key).

§Why not SPHINCS+ (FIPS 205)?

SPHINCS+ has the strongest security assumptions of the standardised PQ algorithms, but its signatures are multiple kilobytes — infeasible for a high-throughput messaging network. A 16-byte commitment to a SPHINCS+ key was considered as an ultimate fallback, but the cost of including it in every message header outweighs the benefit of covering an already unlikely scenario (both Falcon and Dilithium broken simultaneously).

Functions§

pq_commitment_bytes_from_seed