00 Cryptography

Post-Quantum Cryptography

NIST-standardized post-quantum cryptography for the web.

Quantum computers will, one day, be powerful enough to break the public-key cryptography that secures most of today's internet. UltimaOS already uses the next generation: NIST-standardized post-quantum algorithms designed to resist both classical and quantum attacks, deployed by default for every account.

01 Overview

Why post-quantum matters now.

Harvest now, decrypt later

Adversaries are already recording encrypted traffic today, intending to decrypt it once a sufficiently powerful quantum computer exists. Any data with a useful lifetime beyond 5 to 10 years is at risk: medical records, legal documents, R&D, customer databases.

NIST finalized the standards

After an eight-year competition, NIST published FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) in August 2024. These are the algorithms governments, banks and infrastructure providers are migrating to. UltimaOS adopted them on day one.

Classical crypto will eventually fail

RSA-2048 and ECDSA-P256, the public-key workhorses of the current internet, will be broken by a large-scale quantum computer running Shor's algorithm. Migration is not optional — only a question of timing.

02 Details

How UltimaOS implements post-quantum.

UltimaOS uses NIST-standardized lattice cryptography for every public-key operation, paired with classical symmetric primitives that are themselves believed to be quantum-resistant. The result is a hybrid stack where no single algorithm failure compromises the system.

ML-KEM-768 for key exchange

Fresh 256-bit symmetric session keys are encapsulated with ML-KEM-768 (FIPS 203) for every new conversation, file share, and call. The resulting shared secret seeds a symmetric session encrypted with XChaCha20-Poly1305.
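
The encapsulation step described above, sketched with Go's standard-library `crypto/mlkem` package (Go 1.24 or later). This is an added example, not UltimaOS code: the function names and the in-transit tampering cases are constructed, and the XChaCha20-Poly1305 step that would consume the secret is not shown.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// initiate is the sender: it encapsulates a fresh 32-byte secret to the
// recipient's published ML-KEM-768 encapsulation (public) key.
func initiate(ekBytes []byte) (secret, ct []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(ekBytes) // rejects malformed keys
	if err != nil {
		return nil, nil, err
	}
	secret, ct = ek.Encapsulate()
	return secret, ct, nil
}

// Exchange runs one key exchange between a constructed sender and recipient.
// mutate edits the ciphertext in transit (nil means a clean channel).
func Exchange(mutate func(ct []byte) []byte) (match bool, secretLen, ctLen int, err error) {
	dk, err := mlkem.GenerateKey768() // recipient key pair
	if err != nil {
		return false, 0, 0, err
	}
	sent, ct, err := initiate(dk.EncapsulationKey().Bytes())
	if err != nil {
		return false, 0, 0, err
	}
	ctLen = len(ct)
	if mutate != nil {
		ct = mutate(ct)
	}
	// Decapsulate errors only on a wrong-length ciphertext. A modified one of
	// valid length silently yields an unrelated secret (implicit rejection),
	// so tampering surfaces later, when the AEAD tag fails to verify.
	got, err := dk.Decapsulate(ct)
	if err != nil {
		return false, 0, ctLen, err
	}
	return bytes.Equal(sent, got), len(got), ctLen, nil
}

func FlipBit(ct []byte) []byte { ct[0] ^= 0x01; return ct }
func Truncate(ct []byte) []byte { return ct[:len(ct)-1] }

func main() {
	for _, m := range []func([]byte) []byte{nil, FlipBit, Truncate} {
		fmt.Println(Exchange(m)) // match, secret bytes, ciphertext bytes, error
	}
}
```
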

ML-DSA-65 for signatures

Account identities, invitations, device enrollments, and signed audit records use ML-DSA-65 (FIPS 204). Signatures are 1,959 bytes — larger than ECDSA but acceptable for an interactive workspace.

XChaCha20-Poly1305 for payloads

All content — messages, files, calendar events, AI conversations — is encrypted with XChaCha20-Poly1305, an authenticated symmetric cipher. Symmetric primitives with 256-bit keys have no known quantum speedup beyond Grover's bound.

Hash-based backup for software updates

Software updates are signed with a hash-based signature scheme (SLH-DSA / FIPS 205) as a second layer of insurance. If a flaw is ever discovered in lattice signatures, the update channel remains verifiable.

03 Key points

Key takeaways

What you need to know.

  1. No action required from users

    Post-quantum cryptography is on by default for every account. You do not need to enable anything, install anything, or learn anything. The migration is invisible to the end user.

  2. No downgrade option exists

    There is no setting to fall back to RSA or ECDSA. Allowing downgrade would create a downgrade-attack surface where an attacker forces a weaker handshake. Post-quantum is the only mode.

  3. Performance is acceptable

    ML-KEM-768 key generation takes about 0.05 ms, encapsulation 0.07 ms. ML-DSA-65 signing is ~0.2 ms, verification ~0.5 ms. The bandwidth cost is a few extra kilobytes per handshake — negligible for a chat/workspace product.

  4. Future-proof for at least 20 years

    The combination of lattice KEM, lattice signatures, and 256-bit symmetric encryption is expected to remain secure against both classical and quantum adversaries for at least two decades, based on current consensus in the cryptographic community.

05 Frequently asked

Common questions

Questions about post-quantum cryptography.

What is post-quantum cryptography?

Post-quantum cryptography refers to cryptographic algorithms designed to resist attacks by both classical and quantum computers. NIST ran an eight-year competition and standardized the first set of post-quantum algorithms (FIPS 203, 204 and 205) in August 2024. (NIST PQC program)

Is UltimaOS quantum-safe?

Yes. UltimaOS uses NIST-standardized post-quantum algorithms (ML-KEM-768, ML-DSA-65) for all public-key operations and 256-bit symmetric encryption (XChaCha20-Poly1305) for all data at rest. The cryptographic stack is considered safe against both classical and quantum adversaries. (FIPS 203 · FIPS 204)

When will quantum computers break RSA?

Estimates vary. Conservative projections put a cryptographically relevant quantum computer at 10 to 20 years away, but some experts argue sooner given recent breakthroughs. The safe assumption for any data with a multi-year lifetime is that the threat is already relevant: the harvest-now-decrypt-later attack model.

Why is the European Union pushing post-quantum?

The EU has identified quantum-safe cryptography as a strategic priority through the EuroQCI program and the EU Cybersecurity Strategy. Member-state CSIRTs and infrastructure providers are mandated to migrate to post-quantum algorithms in the coming years.

Can I verify your cryptography independently?

Yes. The cryptographic stack is described in detail in the UltimaOS whitepaper. All algorithms used are NIST-standardized with public specifications. Independent audits are performed annually; reports are published on the security disclosure page.

Does post-quantum make UltimaOS slower?

Negligibly. Post-quantum key exchange adds a few milliseconds at the start of a conversation and a few kilobytes of network traffic. Day-to-day use is indistinguishable from classical cryptography.

What happens if a post-quantum algorithm is broken?

Lattice-based cryptography has been studied for over 25 years with no significant breaks. UltimaOS additionally signs software updates with a hash-based signature (SLH-DSA) as an independent fallback. If a fundamental break is ever discovered, UltimaOS would migrate to a new algorithm — and the security disclosure page would document the process publicly.

Is UltimaOS part of any post-quantum standards body?

UltimaOS follows NIST standards as published. The team tracks IETF standardization (the pq-crypto and tls working groups) and contributes to open-source implementations reviewed by the cryptographic community.