Architecture geth v1.17.3 Live Compare Downloads Quantum Nodes About Team Careers Blog Get in touch
Specification · Draft · forward-looking

XDSS-PQ — Post-Quantum Trade-Document Signature Standard

● Draft v1.0 June 2026 · Status: forward-looking / in development · Aligned with NIST FIPS 203/204/205/206
XDSS-PQ on the Quantum page →

Draft & forward-looking. This is a Draft v1.0 specification describing a standard under active development. Algorithm parameters, schema fields, and timelines are subject to change as NIST standards finalise (notably FIPS 206) and as the design is reviewed. It is not a guarantee of any future product, certification, or outcome.

Abstract

XDSS-PQ is a proposed post-quantum signature standard for long-lived trade-finance documents on the XDC Network. It binds a document to two independent NIST-aligned post-quantum signaturesML-DSA (FIPS 204) and Falcon / FN-DSA (draft FIPS 206) — under AND semantics: a document is valid only if both signatures verify. Security therefore holds unless both algorithms are broken. The standard targets the 20–30 year legal validity window of instruments such as bills of lading and letters of credit, and is designed to remain verifiable and unforgeable long after any cryptographically-relevant quantum computer (“Q-Day”) arrives. This document defines the motivation, threat model, algorithm choices, document schema, and a hybrid migration path.

Contents
  1. Abstract & status
  2. Motivation
  3. Threat model
  4. Algorithm choices
  5. Document schema
  6. Migration & hybrid signing
  7. Standards alignment
  8. References

1Status of this document

This is a Draft v1.0, dated June 2026, published for discussion within the XDC ecosystem and the broader community. It is forward-looking: it describes a standard and reference design that are still being developed, not a shipped or certified product. Where it references draft standards (in particular FIPS 206 / FN-DSA), those underlying specifications may still change. Terms such as “must” and “should” describe the intended behaviour of conforming implementations of this draft, not a legal obligation.

2Motivation

Trade-finance instruments are unusual among signed digital artefacts: their legal lifespan is measured in decades. A bill of lading or letter of credit signed today may need to be presented, audited, or contested 20 to 30 years from now. The cryptography that authenticates such a document must therefore remain trustworthy across that entire horizon.

Classical signatures (ECDSA over secp256k1) do not offer that guarantee against a future quantum adversary. This creates a Trust-Now-Forge-Later (TNFL) exposure: a document trusted and relied upon today could, after a sufficiently capable quantum computer exists, be retroactively forged — for example to assert false ownership of the underlying goods or receivable. Because the document’s value persists for decades, the risk cannot be deferred; instruments signed now are already within the exposure window.

XDSS-PQ exists to remove that exposure for the documents that matter most, using only NIST-aligned, openly specified algorithms — so the standard can be independently reviewed and adopted as a reference, rather than depending on proprietary cryptography.

3Threat model

XDSS-PQ is designed against the following adversary and assumptions:

  • Future quantum adversary. An attacker who, at some point within the document’s validity window, gains access to a cryptographically-relevant quantum computer capable of running Shor’s algorithm against the elliptic-curve and RSA problems. Public 2025 resource-estimate research has materially lowered the estimated quantum resources required to break RSA-2048, reinforcing the case for migrating well ahead of any fixed “Q-Day” (see References).
  • Harvest-now / forge-later. The adversary may record documents and public keys today and act on them years later. Defences must protect documents signed before the adversary becomes capable.
  • Single-algorithm cryptanalysis. A post-quantum scheme that is standardised today may later be weakened by classical or quantum cryptanalysis. The design must not collapse if one chosen PQ algorithm is broken.
  • Out of scope. Endpoint key theft, social-engineering of signers, compromise of the issuing organisation’s processes, and the integrity of off-chain physical goods are outside the cryptographic scope of this standard, though deployments should address them operationally. Hash functions (Keccak-256 / SHA-3) are treated as quantum-resistant; Grover’s algorithm yields only a quadratic speed-up and does not break them.

The central design response to single-algorithm cryptanalysis is the hybrid AND construction described next.

4Algorithm choices

XDSS-PQ binds each document with two independent post-quantum signatures over the same canonical payload:

XDSS-PQ signature algorithms
Role Algorithm Standard Sig size Why
Primary ML-DSA (Dilithium) FIPS 204 ~2.4 KB NIST’s primary lattice signature standard; among the best-audited PQ signature schemes.
Compact Falcon / FN-DSA FIPS 206 (draft) ~666 B The most compact NIST-track PQ signature; a different lattice construction from ML-DSA, giving algorithm diversity.

The two algorithms are deliberately different constructions, so that a cryptanalytic advance against one is unlikely to apply to the other.

4.1 AND semantics — both_required

🔗

A document is valid only if BOTH the ML-DSA signature AND the Falcon signature verify. Forging a document therefore requires breaking both FIPS-standardised algorithms simultaneously — not just one. The security of XDSS-PQ holds unless both schemes are broken.

Formally, for a document D with signatures s_mldsa and s_falcon over the canonical encoding of D:

  • valid(D) = verify_mldsa(pk_mldsa, D, s_mldsa) AND verify_falcon(pk_falcon, D, s_falcon)
  • If either verification fails, the document is invalid. There is no fallback to a single signature.

This is strictly stronger than either algorithm alone and is the defining property of the standard ("valid_if": "both_required" in the schema below).

5Document schema

An XDSS-PQ document is a JSON object that carries the issuer reference, the dual signatures, the explicit both_required rule, the validity window, and compliance declarations. The schema below mirrors the reference example published on the XDC Quantum page:

xdss-pq/v1.0 · trade document schemaQUANTUM SAFE
{ "standard": "XDSS-PQ/1.0", "document_type": "bill_of_lading", "issuer": "xdc://0xA3f2...91CC", "payload_hash": "keccak256:0x…", "signatures": { "ml_dsa": "<FIPS-204 · 2.4KB>", "falcon": "<FIPS-206 · 666B>", "scheme": "hybrid-dual-sig", "valid_if": "both_required" }, "valid_until": "2058-12-31", "compliance": ["EU-PQC-2030", "NIST-FIPS", "MLETR"] }

5.1 Field semantics

  • standard — the XDSS-PQ version identifier.
  • document_type — the instrument class (e.g. bill_of_lading, letter_of_credit).
  • issuer — the on-chain identity of the issuing party.
  • payload_hash — a quantum-resistant hash (Keccak-256) binding the signatures to the exact document content.
  • signatures.ml_dsa / signatures.falcon — the two PQ signatures over the canonical payload.
  • signatures.valid_ifmust be both_required; a verifier rejects any other value or a missing signature.
  • valid_until — the intended validity horizon (a decades-long window).
  • compliance — declarative alignment tags (e.g. EU PQC 2030, NIST FIPS, MLETR).

A document is accepted only when both signatures verify against the issuer’s registered keys and valid_if equals both_required.

6Migration & hybrid signing

XDSS-PQ is intended to be adopted without disruption to existing issuance flows, using a phased, additive path:

  1. Hybrid issuance. New documents are signed with the dual ML-DSA + Falcon scheme from day one, while existing classical workflows continue in parallel where required for interoperability.
  2. Key registry. Issuer PQ public keys are published to an on-chain key registry so any verifier can independently check both signatures.
  3. Verification precompiles. ML-DSA and Falcon verification are expensive in the EVM without native support; dedicated precompiles are planned to make on-chain verification economically practical. This mirrors Ethereum’s PQ precompile research, which XDC’s EVM compatibility allows it to adopt rather than rebuild.
  4. Long-term verifiability. Because validity depends on the two PQ signatures and a quantum-resistant hash, an XDSS-PQ document signed in, say, 2028 is designed to remain verifiable and unforgeable through its valid_until date — long after Q-Day.

This standard addresses trade-document signing specifically. Related migrations on the XDC Network — validator signing (Falcon for XDPoS), wallet keys (ML-DSA), and transport security (ML-KEM hybrid TLS) — are described in the broader PQ migration roadmap and are complementary to, but separate from, this document.

7Standards alignment

XDSS-PQ is built on, and declares alignment with, the following:

  • NIST FIPS 203 (ML-KEM) — for the hybrid transport security that protects documents in transit.
  • NIST FIPS 204 (ML-DSA) — the primary document signature.
  • NIST FIPS 205 (SLH-DSA) — a conservative hash-based option referenced for high-value governance contexts in the wider roadmap.
  • NIST FIPS 206 (FN-DSA / Falcon, draft) — the compact second document signature.
  • MLETR — the UNCITRAL Model Law on Electronic Transferable Records, for legal recognition of electronic trade documents.
  • EU PQC roadmap (2030) and NIST IR 8547 (2035 deprecation) — as forward-looking regulatory targets the standard is designed to meet ahead of time.

8References

  1. NIST, FIPS 203 — Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), 2024. csrc.nist.gov/projects/post-quantum-cryptography
  2. NIST, FIPS 204 — Module-Lattice-Based Digital Signature Standard (ML-DSA), 2024. csrc.nist.gov/projects/post-quantum-cryptography
  3. NIST, FIPS 205 — Stateless Hash-Based Digital Signature Standard (SLH-DSA), 2024. csrc.nist.gov/projects/post-quantum-cryptography
  4. NIST, FIPS 206 — FFT over NTRU-Lattice-Based Digital Signature Standard (FN-DSA / Falcon), draft. csrc.nist.gov/projects/post-quantum-cryptography
  5. NIST, IR 8547 — Transition to Post-Quantum Cryptography Standards (ECDSA and other quantum-vulnerable algorithms deprecated by 2035). csrc.nist.gov/projects/post-quantum-cryptography
  6. C. Gidney (Google Quantum AI), 2025 resource-estimate research substantially lowering the estimated quantum resources to factor RSA-2048 (reported as roughly a 20× reduction versus prior estimates); summarised in Google Research, “Safeguarding Cryptocurrency by Disclosing Quantum Vulnerabilities Responsibly.” research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly Cited qualitatively; exact hardware figures remain subject to active research.
  7. R. Kakkad, “XDC Network’s Quantum-Proof Future” (quantum threat landscape for XDC’s institutional focus), 19 March 2024. xdc.dev — Ritesh Kakkad, 2024
  8. XinFinOrg, XDPoSChain — poc_falcon branch (Falcon block signing & QC verification proof-of-concept; ~666-byte signatures), August 2025. github.com/XinFinOrg/XDPoSChain/tree/poc_falcon
  9. UNCITRAL, Model Law on Electronic Transferable Records (MLETR), 2017.

Forward-looking notice. Dates, parameters, and regulatory-alignment targets in this draft are goals and estimates, not guarantees. “Q-Day” references describe probabilities, not fixed dates. This document will be revised as standards finalise and review proceeds.