Post-Quantum Cardano
Summary
- Charles Hoskinson discusses making Cardano post-quantum secure in light of advancements in quantum computing.
- The National Institute of Standards and Technology (NIST) has released finalized post-quantum encryption standards, including FIPS 203, 204, 205, and 206.
- Key algorithms mentioned include CRYSTALS-Dilithium (renamed to ML-DSA) and Falcon from the Algorand community.
- Cardano's security relies on elliptic curve cryptography, which is vulnerable to quantum attacks via Shor's algorithm.
- A three-step process for Cardano's post-quantum strategy includes developing a quantum secure model, creating a proof chain, and eventual integration of post-quantum technologies.
- The proof chain will utilize technologies like Mithril and may incorporate LatticeFold+ for enhanced programmability.
- The project will involve reevaluating foundational elements, including the ledger model and authenticated data structures.
- Funding will be sought to bring in experts for research on quantum adversaries during 2025 and 2026.
- Cardano aims to systematically check and update all protocols for quantum security, ensuring rigorous security audits of any foreign cryptographic implementations.
- The urgency for these developments is heightened by the rapid advancements in quantum computing capabilities, shifting timelines from 20-30 years to 5-10 years for potential quantum threats.
Full Transcript
Hi, this is Charles Hoskinson broadcasting live from warm, sunny Colorado. Today is February 20th, 2025, and we're going to talk about things that can be done to make Cardano post-quantum. I know a lot of people are interested in this topic. As you saw in my prior video, the quantum computer world is heating up quite a bit, and many amazing developments are happening. Majorana is a huge step forward, and Microsoft is not far behind.
There are many great companies working on quantum computers and building things in the quantum space. I believe that in 5 to 10 years, we will probably make substantial progress to the point where we really have to start thinking about updating and modernizing our cryptography. It turns out that it's not just my belief; it's also the belief of the United States government. The National Institute of Standards and Technology (NIST) proactively got together with many experts, including some of our cryptographers, to create some standards. An article from August 13, 2024, states that NIST released the first three finalized post-quantum encryption standards.
They wrote some Federal Information Processing Standards (FIPS): FIPS 203, FIPS 204, FIPS 205, and FIPS 206. FIPS 203 is about general encryption, and there are two signature schemes. One uses the CRYSTALS-Dilithium algorithm, which has been renamed to ML-DSA, the Module Lattice-based Digital Signature Algorithm. The other is from SPHINCS+, which has a long and interesting legacy. If you ever used Zcash, Zooko was affiliated with that, and this comes from the Algorand community.
Algorand is one of the pioneers in post-quantum standards, and they created something called Falcon, a true lattice-based digital signature algorithm. In fact, Algorand wrote a blog post titled "Leading on Post-Quantum Technology," where they mentioned their work with NIST and discussed some of their developments. They have state proofs that are post-quantum secure, compact certificates, and they developed a lot of other things. We worked with the Algorand team on an extension to Mithril called ALBA. We can certainly follow a similar approach, and they also talked about updating the VRF function to be post-quantum secure.
In general, you need to model a post-quantum adversary, and they have a pretty interesting write-up, which I highly recommend. I’ll provide the link to it. You can see some really innovative schemes emerging, particularly LatticeFold from Dan Boneh and Binyi Chen. It just came out, and it's hot off the press. LatticeFold+ is an intellectual tour de force; this is one of the best folding papers I've ever seen.
The math is sharp, and there are many novel and interesting aspects. The field size is only 64 bits, and there are all kinds of goodies here. This is an amazing paper. Long story short, it's a compact folding scheme where you have proof-carrying data, and you roll up information. What I propose we ought to do in Cardano is address the challenge we have with elliptic curve cryptography, which is the basis of security for most things.
Everything involves a signature, and these signatures are based on elliptic curve crypto. The problem is we have Shor's algorithm, which, if you have a quantum computer, can compromise that security. There are things we can do to harden and evade, but in general, this is an insecure scheme assuming your adversary has a quantum computer. What many people in the blockchain space do is say, "Oh, we have a post-quantum signature scheme, so we’re quantum secure." That couldn't be further from the truth.
Just because you've adopted one of those NIST standards or something more exotic doesn't necessarily mean you're quantum secure. In cryptography, you invent a concept of an adversary, and we’ll call him Mr. A. This adversary has a collection of capabilities that you decide upfront for your security model and proof. When you say you are secure, you are stating that you are secure against an adversary with a specific set of capabilities.
You need to consider what type of capabilities Mr. A has. For example, how much compute power do they have? Do they have access to your computer? You can ask practical questions, such as whether they are online or offline, and special capabilities like having a quantum computer.
Anytime you think about a security model, you must consider Mr. A and what capabilities you are granting him. When we write a cryptographic proof or security proof, we rely on principles like the CIA triad, which states that the security of the system should depend on the secrecy of the keys and nothing else. In other words, the algorithms can be backward engineered and understood by the adversary. If something keeps it secure through obscurity, it’s not considered secure.
There are dozens of good design principles in information security, and even if the algorithms are perfect, they run in hardware, which can be compromised through side-channel attacks. A great example is a paper from Israel years ago where researchers broke PGP by using a microphone to listen to the frequency changes in a laptop's processor while keys were being encrypted and decrypted. Over time, they could recover the private key. Remarkable, right? PGP is secure based on RSA's assumptions, but we don't assume that the adversary has this special capability, nor do we assume a specific environment in the security model.
While it’s secure in general, this particular case would defeat the security scheme. You can defeat things in a classical sense, in an electrical engineering sense, or even with a $5 wrench by coercing someone until they give you a key. You can defeat things with special capabilities like a quantum computer. It’s remarkable stuff, and I’m really excited about these developments, which is why I study cryptography. I've spent a long time in this field, and our research group has written 240 papers.
We’re pretty good at it, and Input Output is fortunate to have one of the best chief scientists in the world. To make Cardano secure, we need a three-step process. First, we must develop a quantum secure model for Cardano. This means auditing all the algorithms Cardano is using and determining which ones are vulnerable against a quantum adversary. We need to define a canonical quantum adversary, which is an interesting question with various opinions in the cryptographic community about what we should assume.
The second step is to separate Cardano into two pieces: the Cardano blockchain and the Cardano proof chain. This proof chain acts as a meta-blockchain. We have technology like Mithril, which is similar to what Algorand is doing with their compact certificates. We can upgrade this to a post-quantum signature system, and there are many options available. This proof chain can run as an audit log of history, providing an unforgeable system with signatures related to the original history.
Effectively, this acts as a checkpoint system, and over time, it can become a programmable proof chain used to prove properties of things from Cardano itself. Since this is an emergent construct, there’s no reason not to implement post-quantum technology here. The reason we typically avoid it on the main chain is that many post-quantum signature schemes are 5 to 10 times the size of elliptic curves and are much slower. They are doubly slower: slower due to the algorithms themselves and slower because there’s no hardware optimization. Your computer processors, whether AMD, Intel, ARM, or Apple, have specialized circuitry that optimizes standardized crypto like AES and hashes, making them 50 to 100 times faster.
When you switch from optimized crypto to a non-standard crypto, you face a slowdown from the algorithm and lack hardware optimization. This means your TPS rate for your blockchain goes down by a factor of five to ten, and your block sync time increases significantly. That’s one reason we didn’t launch Cardano with one of these primitive schemes: it was slower, and it wasn’t standardized yet. If Cardano were running a non-standard post-quantum signature scheme, those who adopt the standard ones would run 50 to 100 times faster, putting us at a hardware disadvantage. We had to wait for NIST to finalize the standards, which is why FIPS 203, 204, 205, and 206 are so important.
Now that they’re available, hardware manufacturers will start building custom capabilities to speed these types of things up. The second stage is to develop this proof chain. It would be extremely interesting to see if we could develop something with LatticeFold+, as it would provide a powerful folding scheme that’s programmable with Cardano and adds significant value. A lighter approach would be a chain of Mithril certificates with some finality behind them, signed with a post-quantum scheme. The third phase is eventual integration.
As the post-quantum signature schemes advance and we develop a post-quantum VRF, which is essential for random number generation in proof of stake, we can merge the meta-chain and the main chain into one homogeneous structure. They would run concurrently, and consensus would be connected this way. Getting a post-quantum Mithril certificate for proofs of equivocation and other uses is trivial for us, allowing us to begin the post-quantum movement more rapidly. We have to make some hard decisions about whether we want to live in hash land or lattice land. Lattice-based systems offer more mathematical complexity, while many developers prefer hashes because they are simpler and easier to implement.
However, lattice systems provide more opportunities for programmability, updatability, and conciseness. Hashes tend to be larger and more limited in use and utility. In terms of time horizons, we will augment our budget request to ensure sufficient funding to bring in world experts to help us figure out the fundamental science of a quantum adversary during 2025 and 2026. In the interim, I believe we can pick a NIST standard and implement it with Mithril, starting to work on this proof chain concept. This would create an audit log of Cardano’s history as a quantum-resistant checkpoint, which can be done within a two to three-year horizon.
There are many ways to accelerate this, and the evolution of Mithril is already pushing in that direction. As we consider merging these concepts, it’s also important to reevaluate foundational elements, including the ledger model itself. Is UTXO still the best accounting system, or are there different ways to look at it? There’s also the concept of intents in the blockchain space and various algebraic representations, such as algebraic ledgers. Bruno came up with the idea of chimeric ledgers, which combine multiple ledger architectures.
This is relevant because if we’re going to fundamentally change all the cryptography in our system, it’s good housekeeping to also look at how we architect the data representations. What authenticated data structures do we use? An authenticated data structure (ADS) is something like a Merkle tree. We should also consider how private data remains on-chain and how data is represented. Many people talk about DAGs, but we can also explore different representations, especially when dealing with identity, which typically involves graph data structures.
This is a three-year-plus project, and hopefully, we’ll get hardware to optimize this and see more maturity in the standards. The entire U.S. government has to move in this direction; in fact, the NSA has already transitioned their Suite A protocols to post-quantum. They are doing this because of the archive data attack.
How long do we have? That’s the big question. One thing you learn in information security is that security is always temporal. Things are only secure for a bounded period. For example, if you hire a security guard to protect your gold, that guard is effective only for a certain time.
Eventually, the guard may retire or quit, and during that time, the security is compromised. Algorithms, compute power, and techniques are always evolving. A great example is the Enigma machine used by the Nazis, which was believed to be unhackable until computers were developed. With computers, it became possible to decode messages that were previously extremely difficult to break by hand. Quantum computers are just another evolution of this, as they can compromise classical crypto algorithms.
What’s really cool about cryptography is the cat-and-mouse game between algorithms and computers. This eternal journey means we will always need to adapt. With Majorana from Microsoft and other advancements, we now need a new mouse. The good news is that Cardano is very well positioned for all of this. We have some of the best cryptographers in the world working at IO, and we’re well connected with institutions like Stanford, CMU, and the University of Edinburgh.
It’s not an access or brilliance problem; it’s a prioritization issue. I get asked every month or two about our plans regarding quantum computers, especially with recent announcements like Willow and Microsoft’s new capacitors. People get excited and wonder if this means Cardano is broken. The answer is no, but we are starting to believe that what was once a 20 to 30-year horizon is now a 5 to 10-year horizon for quantum capabilities. This increases the urgency to think about these problems in a more structured way.
We don’t have to be geniuses; we just need to make decisions as an ecosystem about the trade-offs we’re willing to accept, how quickly we want to integrate things, and how we will do so. Input Output’s research must focus on first principles-based adversarial modeling and quantum security modeling. We need a universal composition notion in the world of quantum computers, which is interdisciplinary. We need to bring in experts and have great discussions. The good news is we have people like Alexander in our group who are domain experts.
We have the right people; they just need to be incentivized to work collaboratively across the industry. This is a supplemental budget request, not a large one, but it’s fundamental. Every protocol must be systematically checked, so we need to update our research papers for this type of adversary. There are already several good candidates for a proof ledger that rely on Mithril or Mithril-adjacent technologies. Certain projects, like Midgard, could potentially be modified to facilitate this for Cardano.
This would be the first step in introducing post-quantum artifacts into Cardano’s ecosystem, creating a historical stopgap with records that cannot be tampered with. The third step involves overhauling and updating the system to merge these concepts. It’s an opportunity to go beyond extended UTXO and capture some of the exciting developments happening in the space. We may even use a different mathematical structure than a UTXO graph for Cardano’s accounting system, along with new authenticated data structures. Vitalik talks a lot about Merkle Patricia tries and Verkle trees, which add new hashing techniques like Poseidon hashes.
The game of cat and mouse continues; the moment we develop a cool post-quantum scheme, some brilliant theorist will come up with a new algorithm. Modern public cryptography has served us well since 1976, and elliptic curve cryptography has been effective since the 1980s and 1990s. It’s impressive that these algorithms have lasted so long, especially when many technologies have become obsolete. If you don’t believe me, look at old devices like Blackberry phones or Nokia feature phones. The algorithms from those eras are still relevant today, which is remarkable.
However, we must retool many systems, and the tools and techniques we’ve become accustomed to may no longer be usable. Elliptic curves are one of the most amazing inventions in mathematics. Neal Koblitz, a friend of mine, deserves more credit for his work in this area. The brilliance of taking elliptic curves and finding practical use cases has created generations of good cryptography. He wrote a paper called "The Serpentine Path of Elliptic Curve Crypto," explaining the benefits and challenges of integrating it into the broader cryptographic space.
Now, we’re moving in a different direction and dealing with different math. The good news is that there are elegant mathematical solutions and ways to update elliptic curves to be quantum resistant, such as supersingular isogenies. However, these are complex and not necessarily secure. We’ll see how that develops. In any event, Cardano is not caught with its pants down; we’re ready for this.
We were just waiting for NIST to do its job, and they have. We’re proud of them for that. Now we need to have conversations through the Technical Steering Committee and the Product Committee at IO. We’ll conduct foundational research and collaborate with specialized companies to determine which algorithms we need to update and modernize. If we use any foreign crypto, we will have to audit it.
We’ll work closely with the developers of those libraries to perform formal security audits on all cryptographic implementations to ensure they are secure. I know every single person who uses Cardano appreciates that we do things right. We use formal methods and are rigorous in our approach. It’s rare for these systems to be hacked. When you change your plumbing, you need a master plumber because leaks can be expensive to fix.
We don’t want that to happen. I hope this helps everyone who has been asking about Cardano’s post-quantum strategy. Please use this video as a kickoff point for conversations happening at Intersect, through the TSC, and in our research group. If people are really interested, we can organize a workshop at the University of Edinburgh, where they can meet some of the cryptographers. Thanks for listening, everyone.
Cheers!
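As an added illustration of the proof-chain idea described in the talk (example code written for this page, not code from IO, Mithril or Algorand): a toy checkpoint chain in Python in which each checkpoint commits to a constructed block hash, the previous checkpoint and the next signing key, and is signed with a hash-based one-time signature (Lamport over SHA-256, the "hash land" option). All names, the record layout and the sample block hashes are assumptions; the `sizes()` helper shows the signature-size cost that the talk gives as the reason for keeping such schemes off the main chain.

```python
"""Toy post-quantum checkpoint chain: Lamport one-time signatures (SHA-256)
over constructed block hashes. Illustrative only; not Mithril, not production."""
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """256 pairs of 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    """Reveal one secret per digest bit; a key must sign only ONE message."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def pk_hash(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

def encode(height: int, block: bytes, prev: bytes, next_pk: bytes) -> bytes:
    return height.to_bytes(8, "big") + block + prev + next_pk

def build_chain(block_hashes):
    """Key i signs checkpoint i and commits to H(pk_{i+1}); root hash is the anchor."""
    sk, pk = keygen()
    root, prev, chain = pk_hash(pk), b"\x00" * 32, []
    for height, block in enumerate(block_hashes):
        nsk, npk = keygen()
        body = encode(height, block, prev, pk_hash(npk))
        chain.append({"height": height, "block": block, "prev": prev,
                      "next": pk_hash(npk), "pk": pk, "sig": sign(sk, body)})
        prev, sk, pk = H(body), nsk, npk
    return root, chain

def verify_chain(root: bytes, chain) -> bool:
    """Walk from genesis: links, key continuity and signatures must all hold."""
    prev, expect = b"\x00" * 32, root
    for cp in chain:
        body = encode(cp["height"], cp["block"], cp["prev"], cp["next"])
        if (cp["prev"] != prev or pk_hash(cp["pk"]) != expect
                or not verify(cp["pk"], body, cp["sig"])):
            return False
        prev, expect = H(body), cp["next"]
    return True

def sizes() -> dict:
    return {"lamport_sig": 256 * 32, "lamport_pk": 2 * 256 * 32, "ed25519_sig": 64}

# Constructed sample: fake block hashes standing in for Cardano block headers.
BLOCKS = [H(b"constructed-block-%d" % i) for i in range(3)]
ROOT, CHAIN = build_chain(BLOCKS)
```

Editing any earlier block hash, or presenting the chain under a different root key hash, makes `verify_chain` reject it, which is the tamper-evident audit-log property the talk describes.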