Skip to content

Post-quantum cryptography

WaveLedger uses NIST-standardized post-quantum primitives for every piece of in-band cryptography. There is no classical-crypto fallback.

Why

Shor's algorithm, run on a sufficiently large quantum computer, breaks all widely-deployed asymmetric primitives in polynomial time. That includes:

  • RSA — used in TLS, code signing, and most certificate authorities
  • ECDSA — used in Bitcoin, Ethereum, and most other chains
  • Ed25519 — used in many newer chains and SSH
  • Diffie-Hellman (classical + elliptic-curve variants)

Symmetric primitives (AES, SHA-3) are weakened by Grover's algorithm, but only quadratically — a 256-bit key becomes "128-bit-equivalent", which remains infeasible to brute-force. NIST classifies AES-256 and SHA3-512 as PQ Category 5.

A chain that must keep proving past transactions valid 40 years from now cannot afford to use cryptography breakable by a quantum computer 20 years from now.

The primitive set

Use Primitive NIST standard
Transaction signatures ML-DSA-87 FIPS 204
Key encapsulation (planned: encrypted handoff, p2p session keys) ML-KEM-1024 FIPS 203
Hashes (block hash, merkle root, tx id, address derivation) SHA3-512 FIPS 202
Wallet backup encryption AES-256-GCM + Argon2id SP 800-208 (Cat 5)

ML-DSA, ML-KEM, and SHA3 are all NIST-standardized as of 2024-25. There are no proprietary primitives in the chain.

Sizes

PQ keys and signatures are larger than classical equivalents.

Quantity Bytes vs Ed25519
ML-DSA-87 public key 2,592 81× larger
ML-DSA-87 signature 4,627 72× larger
ML-KEM-1024 public key 1,568
ML-KEM-1024 ciphertext 1,568

A transaction with one signature is ~5 KB on the wire. Block size is not artificially capped; the effective limit is MAX_TRANSACTIONS_PER_BLOCK = 100 (network parameter, raisable on mainnet).

Scope and caveats

  • Symmetric crypto is not post-quantum replaced — it is post-quantum safe by virtue of being symmetric. AES-256 has 128 bits of quantum security; SHA3-512 has 256 bits of quantum collision resistance.

  • Side-channel resistance is not in scope. ML-DSA implementations have published timing-attack mitigations; the reference Python implementation (dilithium-py) is not hardened.

  • Long-term forward secrecy of historical data depends on the ciphers remaining unbroken. If ML-DSA is broken in 2055, every transaction ever signed becomes forgeable in retrospect. The same caveat applies to every signature scheme ever invented.

Future extensions

Hardware-backed signing.

Crypto agility

The chain provides a runtime signature scheme registry — see verify_sig(scheme, ...) in Fourier and SLH-DSA-SHA2-128s as the second registered scheme. Contracts select which scheme to require, and new schemes can be added without a hard fork.

The intent: if any single scheme is broken or deprecated, the chain keeps running on the others during migration.

Further reading