The Quantum Threat Isn't Your Keys — It's Your Data
Why post-quantum encryption is more urgent than post-quantum signatures, and what we built about it
Everyone in blockchain is racing to protect signing keys from quantum computers. Lightning Labs just shipped a zk-STARK proof-of-concept for Bitcoin key migration. Ethereum is planning PQ signature schemes. Naoris Protocol launched a Dilithium-5 mainnet.
They're solving the right problem — for half the threat.
Signing vs. Encryption: Two Different Timelines
A quantum computer that breaks ECDSA can forge signatures going forward. Someone could steal your coins tomorrow. That's bad, but it's a future problem — the quantum computer has to exist first, and you can detect the attack as it happens.
A quantum computer that breaks ECDH can decrypt everything ever encrypted under keys it can recover. Every medical record, identity document, financial statement, and trade secret that was encrypted today and stored on IPFS, in a database, or in a data wallet — all of it becomes readable retroactively.
The NSA calls this "harvest now, decrypt later." Adversaries are already recording encrypted data traffic, storing it, waiting. When quantum arrives, they don't need to attack in real time. They just open the archive.
| | Signing (Keys) | Encryption (Data) |
|---|---|---|
| Threat type | Forward-looking | Retroactive |
| Attack | Forge future signatures | Decrypt all past data |
| Detection | Immediate (on-chain) | Invisible until too late |
| NSA timeline | "Prefer PQ by 2025" | "Prefer PQ by 2025" |
| Who's building | Everyone | Almost nobody |
The signing fix protects your ability to prove ownership. The encryption fix protects what you own. Both matter. But one is being ignored.
The Data Wallet Problem
A data wallet encrypts and stores long-lived content:
- Identity documents — birth certificates (80+ year confidentiality), passports, driver's licenses
- Medical records — HIPAA requires protection for decades
- Financial records — tax records, banking communications
- Vehicle service history — the life of the truck
- AI agent state — identity, memory, sealed execution context
- Code delivered to HSMs — firmware, key material, secure updates
None of this data has a 60-second session lifetime like a TLS connection. It persists for years. Decades. A lifetime. And every byte of it that was encrypted with classical cryptography today is a harvest-now-decrypt-later target.
Blockchain is supposed to be the ownership layer for this data. But if the encryption protecting the data is quantum-vulnerable, the blockchain proves you own something anyone can read.
What CNSA 2.0 Actually Says
The NSA's Commercial National Security Algorithm Suite 2.0 (September 2022) is specific:
- ML-KEM-1024 (FIPS 203) for key encapsulation — data-at-rest
- ML-DSA-65/87 (FIPS 204) for digital signatures
- AES-256 for symmetric encryption
- Deadline: prefer PQ by 2025 for software and data protection
Note: ML-KEM-768 is acceptable for TLS (ephemeral sessions). For data-at-rest, CNSA 2.0 mandates ML-KEM-1024. Every blockchain project using ML-KEM-768 is following the TLS crowd. Data wallets aren't TLS. They're archives.
What We Built
We built @rootz/pq-crypto — a post-quantum encryption package for Rootz data wallets. Not a signature scheme. Not a key migration tool. An encryption system for data that needs to remain confidential for decades.
Algorithms (CNSA 2.0 compliant)
- ML-KEM-1024 (FIPS 203) — key encapsulation for data-at-rest
- ML-DSA-65 (FIPS 204) — post-quantum digital signatures
- AES-256-GCM — data encryption (already quantum-safe)
- SHA-384 — hashing (192-bit post-quantum security)
- Hybrid combiner: ML-KEM-1024 + X25519 (secure if either assumption holds)
Architecture
- Per-owner Merkle tree with PQ-encrypted leaves
- HD epoch key derivation (master seed → deterministic per-epoch keys)
- Key recovery chain (each new key wraps the previous — walk backward from any key)
- Shamir 3-of-5 seed backup (information-theoretically secure, quantum-irrelevant)
- Dual-chain time anchoring (Polygon + Naoris — two independent cryptographic assumptions)
- Self-describing envelopes (the wallet carries the algorithm, not the application)
Status
- 8 modules, 21 integration tests passing
- V6 integration: zero contract changes (the chain stores opaque bytes)
- PQ-FIRST Secret on Polygon: 0x7fe5ed6f0f687866050e57e9ce710054de97ba57
- Security reviewed with specific remediation for all findings
Why This Matters More Than You Think
1. The Envelope, Not the Chain
We don't put PQ signatures on-chain. That would cost 50–200 million gas (exceeding block limits). Instead, all PQ verification happens on the client. The blockchain stores a 32-byte root hash. That's it. The PQ crypto lives where the keys live — on the device.
The chain is a clock. The wallet is the trust boundary.
2. Algorithm Agility
Every encrypted item contains its algorithm identifier. When NIST finalizes a better algorithm, migration is a new Note in the wallet — not a protocol upgrade, not a hard fork, not a coordinated network migration.
This is the lesson from 25 years of hardware trust boundary design. Wave Systems' Embassy chip (1998) separated the trust boundary from the algorithm: LOAD algorithm + keys → RUN inside boundary → SAVE sealed state. TCG formalized this as "algorithm agility" in TPM 2.0 (2013). That decision, made 13 years before NIST finalized PQ standards, is what makes today's TPM PQ transition possible without new hardware.
The Rootz PQ data wallet applies the same principle to software envelopes. The data carries its own algorithm. The TEE doesn't care what's inside — it LOADs, RUNs, SAVEs.
3. Two Recovery Paths for 50-Year Archives
Data that persists for decades needs recovery mechanisms that survive device failure, company failure, and algorithm failure:
Path A: HD Seed
Master seed derives all epoch keys deterministically. Shamir 3-of-5 backup. Recover from any 3 shares → derive all keys → decrypt everything.
Path B: Key Chain
Each new epoch key wraps the previous epoch's private key. Walk backward from any single key to recover the entire history. Independent of the seed.
Two completely independent paths using different mechanisms. Losing access requires losing both.
4. Security Level 4
Apple defined a security level framework for iMessage PQ3:
- Level 0: No encryption
- Level 1: E2E encryption, no PQ
- Level 2: PQ at key establishment only (Signal PQXDH)
- Level 3: PQ + periodic rekeying (Apple PQ3)
We extend it:
Level 4: PQ encryption + PQ signing + PQ time anchoring + algorithm agility
Level 4 addresses data-at-rest — a threat model Levels 2–3 weren't designed for.
5. Classified-Grade Time for a Penny
Dual-chain anchoring: one nonce to Polygon (ECDSA), one nonce to Naoris (Dilithium-5). Two independent cryptographic assumptions. Two independent validator sets. No shared infrastructure.
To forge a timestamp, an attacker must compromise both chains simultaneously. This is the NSA's dual-channel doctrine applied to public blockchains. The cost: less than $0.01 per settlement.
The Comparison Nobody Is Making
| | Bitcoin zk-STARKs | Signal PQXDH | Apple PQ3 | Rootz PQ Wallet |
|---|---|---|---|---|
| Protects | Coin ownership | Message sessions | Message sessions | Encrypted data |
| Data lifetime | N/A | Seconds–hours | Seconds–hours | Years–decades |
| PQ encryption | No | Yes (handshake) | Yes (+ rekeying) | Yes (per-item) |
| PQ signing | No (uses STARKs) | No | No | Yes (ML-DSA-65) |
| Multi-device | No | Separate sessions | Per-device keys | Per-device ML-KEM |
| Algorithm agility | No | No | No | Yes |
| Data-at-rest | No | No | No | Yes |
| CNSA 2.0 | No | No | No | Compliant |
Signal and Apple solved PQ for ephemeral messages. Lightning Labs is solving PQ for coin ownership. Nobody is solving PQ for the data that blockchain-based systems actually store.
What's Next
The package is built. The V6 integration is coded. The first PQ Secret is on Polygon. What comes next:
- Live PQ Notes — Desktop V6 writing and reading PQ-encrypted Notes through the full stack
- Merkle tree in Desktop — local PQ-signed chain with epoch auto-rotation
- Dual-chain settlement — Polygon + Naoris anchoring on configurable schedule
- Team PQ key exchange — PQ keys shared via Notes (no contract changes)
- Expert review — construction review by TCG/NSA-experienced cryptographers
- Audit funding — independent audit of the noble-post-quantum library
All within our control. No external dependencies. The algorithms are NIST-standardized. The library is MIT-licensed. The contracts don't change.
The Punchline
The blockchain industry is asking: "How do we make PQ signatures work on-chain?"
Wrong question.
The right question: "How do we make PQ encryption protect the data that blockchains are supposed to secure?"
The answer is a wallet that carries its own algorithm, encrypts its contents with NIST-standardized post-quantum cryptography, signs its Merkle tree with post-quantum signatures, anchors its existence to dual independent chains, and migrates to new algorithms by writing a Note — not by upgrading a protocol.
The wallet is the trust boundary. The algorithm is the payload. The chain is the clock.
Built on 25 years of hardware trust boundary design (Wave Systems Embassy → TCG TPM 2.0 → Rootz). Technical details in the PQ Data Wallet White Paper and Design Document.
Steven Sprague — Rootz
April 2026
Protect Data That Matters for Decades
Post-quantum encryption for data wallets. CNSA 2.0 compliant. Algorithm agile.