Announcing Quantum-Resistant Security on Streamr

Quantum computers have the potential to break traditional cryptographic algorithms, which could compromise the confidentiality and integrity of data. While the threat of quantum computers might intuitively seem to be somewhere in the distant future, NIST has stated that classical cryptography (RSA, DSA, ECDSA, ECDH) is not safe beyond the year 2035, while the Australian ASD takes an even more aggressive stance by setting the boundary to 2030.

To counter this future threat, we are excited to announce that Streamr now supports quantum-resistant algorithms for identity, signatures, encryption, and key exchange, ensuring that your data remains secure even in a post-quantum world. The new features are available in the Streamr SDK version 103.0.0 onwards.

Background

Streamr’s roots are in the Ethereum ecosystem, which has previously shaped many of its cryptographic choices. Traditionally, Streamr has employed the Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve, aligning with the standards of Ethereum and other EVM-compatible blockchains such as Polygon. This choice ensured compatibility with the broader EVM space, allowing users to utilize their existing Ethereum identities for signing data.

However, the digital identity layer on Streamr has recently been refactored to allow a wide range of cryptographic algorithms to be used for signatures, key exchange, and encryption. This first expansion of the available cryptography adds a set of post-quantum methods as alternatives to ECDSA for identity and signing and to RSA for key exchange, both of which are considered vulnerable to future quantum attacks.

On the other hand, AES-256, which Streamr has employed for symmetric end-to-end encryption from the start, is already considered quantum resistant. Achieving a fully quantum-resistant security stack therefore only requires the signature and key exchange algorithms to be replaced with post-quantum alternatives.

Quantum-Resistant Features

The first edition of Streamr’s quantum-resistant security stack includes:

  • ML-DSA-87 for identity and signatures: This algorithm provides quantum-resistant digital signatures, ensuring the authenticity and integrity of data.
  • ML-KEM-1024 + HKDF + AES-256 for key exchange: This combination allows for secure key exchanges that are resistant to quantum attacks.
  • AES-256 for data encryption: A robust encryption standard that remains secure against quantum threats.

Recently, ML-DSA and ML-KEM, as defined in FIPS-204 and FIPS-203 respectively, have been recognized as standards by the National Institute of Standards and Technology (NIST). This endorsement underscores their robustness and reliability, paving the way for their widespread adoption as essential components of secure communication protocols in the quantum era.
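
The key-exchange combination listed above (KEM, then HKDF, then AES-256) can be sketched with Node.js built-ins. This is an added example, not code from the Streamr SDK. It assumes an X25519 stand-in where ML-KEM-1024 would go, AES-256-GCM as the wrapping mode, and a hypothetical context label.

```javascript
// Added example: KEM -> HKDF -> AES-256 key wrapping, Node.js built-ins only.
// ASSUMPTIONS: the X25519 stand-in KEM, the HKDF salt/info values and the use of
// AES-256-GCM are illustrative; none of them is taken from the Streamr SDK.
const crypto = require('node:crypto')

// Stand-in KEM with the same interface shape as ML-KEM-1024:
// encapsulate(publicKey) -> { cipherText, sharedSecret }, decapsulate(cipherText, privateKey).
// It is NOT quantum-resistant; swap in an ML-KEM-1024 implementation in practice.
const standInKem = {
    keygen: () => crypto.generateKeyPairSync('x25519'),
    encapsulate(publicKey) {
        const eph = crypto.generateKeyPairSync('x25519')
        const sharedSecret = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey })
        return { cipherText: eph.publicKey.export({ type: 'spki', format: 'der' }), sharedSecret }
    },
    decapsulate(cipherText, privateKey) {
        const publicKey = crypto.createPublicKey({ key: cipherText, type: 'spki', format: 'der' })
        return crypto.diffieHellman({ privateKey, publicKey })
    }
}

// HKDF-SHA-256 turns the raw KEM secret into a 256-bit wrapping key bound to a context label.
function deriveWrappingKey(sharedSecret, context) {
    return Buffer.from(crypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), context, 32))
}

// Sender: encapsulate to the recipient's public key, then wrap the group key with AES-256-GCM.
function wrapGroupKey(kem, recipientPublicKey, groupKey, context) {
    const { cipherText, sharedSecret } = kem.encapsulate(recipientPublicKey)
    const iv = crypto.randomBytes(12)
    const cipher = crypto.createCipheriv('aes-256-gcm', deriveWrappingKey(sharedSecret, context), iv)
    cipher.setAAD(cipherText) // ties the wrapped key to this KEM ciphertext
    const wrapped = Buffer.concat([cipher.update(groupKey), cipher.final()])
    return { cipherText, iv, wrapped, tag: cipher.getAuthTag() }
}

// Recipient: decapsulate, re-derive the wrapping key, unwrap; throws if anything was altered.
function unwrapGroupKey(kem, recipientPrivateKey, msg, context) {
    const key = deriveWrappingKey(kem.decapsulate(msg.cipherText, recipientPrivateKey), context)
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv)
    decipher.setAAD(msg.cipherText)
    decipher.setAuthTag(msg.tag)
    return Buffer.concat([decipher.update(msg.wrapped), decipher.final()])
}
```

Because the wrapping key is derived from the KEM secret and the context label, unwrapping fails if the ciphertext, the wrapped key, or the label differs from what the sender used.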

How to Activate Quantum Security

Quantum-safe cryptography can be used on any data in any stream. In Streamr, the publisher controls the cryptography: each publisher can choose the algorithms they use to sign and encrypt the data. This happens off-chain within the Streamr Network itself, so it is not dependent on any features of the adjacent blockchain.

Activating quantum security on Streamr is straightforward. By configuring ML-DSA identities on your publishers and subscribers, you automatically start using the quantum-resistant methods. Here’s a quick example:

import { StreamrClient } from '@streamr/sdk'

// Configure the client with an ML-DSA-87 identity
const streamr = new StreamrClient({
    auth: {
        publicKey: '...',  // hex encoded ML-DSA-87 public key
        privateKey: '...', // hex encoded ML-DSA-87 private key
        keyType: 'ML_DSA_87'
    }
})

You can generate the ML-DSA-87 keys using a suitable tool or library of your choice, or use the tooling available on Streamr. For example, using the Streamr CLI tool:

streamr identity generate --key-type ML_DSA_87

Or programmatically using the MLDSAKeyPairIdentity class that ships with the Streamr SDK:

const identity = MLDSAKeyPairIdentity.generate()
const publicKey = await identity.getUserId()
const privateKey = await identity.getPrivateKey()

Since the identity layer on Streamr has been refactored, the stream access control section on the Streamr Hub now generalizes user identity to Public Keys instead of assuming all permissions are granted to Ethereum accounts. Note that Grant, Edit, and Delete permissions can still only be given to Ethereum accounts, because those operations require on-chain transactions.

In the Streamr Hub, permissions for quantum-secure keys can be viewed and edited like any other permission assignments. For example, in the screenshot above, the entry 0xd7a… is an ML-DSA public key, which is shown in truncated form due to being many times longer than an Ethereum address. In contrast, the entry 0x2c0… is an Ethereum address.

Enforcing Quantum Security

While using ML-DSA identities automatically activates quantum security, such publishers and subscribers still won’t reject any incoming messages or requests secured with non-quantum-safe methods. If you’d like to go one step further and reject any non-quantum-safe data or interaction, you can supply these additional settings:

const streamr = new StreamrClient({
    auth: ..., // as per above
    encryption: {
        requireQuantumResistantKeyExchange: true,
        requireQuantumResistantSignatures: true,
        requireQuantumResistantEncryption: true
    }
})

Performance Considerations

While quantum-resistant algorithms provide enhanced security, they require more computational resources. For instance, on an Apple M2 laptop and with the currently used library @noble/post-quantum, computing an ML-DSA-87 signature takes approximately 12ms and verification takes about 4ms. In choosing the library, our focus was on simplicity and cross-platform compatibility, but later on a switch to a native or WASM implementation could speed up the computations. 

It’s also worth noting that ML-DSA public keys and signatures are significantly longer compared to ECDSA, which leads to an increase in the header size of each message. The overhead added by ML-DSA-87 vs. ECDSA is around 7kB per message. It’s important to consider these factors when deploying quantum-resistant configurations, especially in high-frequency messaging scenarios.

What About Blockchains?

Streamr uses smart contracts on blockchains to store and reference stream permissions. Even if all of the cryptography used on Streamr Network is quantum secure, don’t the adjacent blockchains still remain a potential source of quantum vulnerability?

Yes, quantum computing is indeed a serious threat to most blockchains, including Bitcoin, Ethereum, and most other chains, given that their signatures and account identities have traditionally been based on elliptic curves. However, given that there are trillions in value at stake, one can only assume that all blockchain ecosystems take the quantum threat very seriously and will upgrade their networks accordingly before it’s too late. While we can’t do much to influence those ecosystems, the Streamr protocol can work in tandem with any smart contract chain. Quantum security will increasingly need to be one of the factors that determine which blockchain ecosystems Streamr will expand to.

Future-Proofing Sensitive Data Across Critical Sectors

The introduction of quantum-resistant security in Streamr unlocks powerful new applications across industries where long-term data confidentiality and integrity are mission-critical. Sectors like finance, healthcare, energy, and defense can now confidently stream sensitive real-time data without fearing that future quantum breakthroughs will retroactively compromise it. In particular, military and intelligence applications—where intercepted communications are routinely archived with the assumption they can be decrypted later—stand to benefit greatly from quantum-safe encryption. By securing data from the outset, Streamr disrupts this model and ensures operational secrecy remains intact, even decades into the future. This upgrade also lays the groundwork for compliance with emerging standards around post-quantum cryptography, positioning Streamr users ahead of the curve as governments and enterprises begin mandating quantum-safe protocols.

Conclusion

With the integration of quantum-resistant methods, Streamr is paving the way for secure data exchange in the quantum era. We invite you to explore these new features and ensure your data remains protected against future threats. For more detailed information, please refer to our Security and Cryptography documentation.