The Math Behind QWID: Why Two Algorithms Are Better Than One

By Dr Krzysztof Urbanowicz, Founder of QWID

When we designed QWID’s cryptographic layer, we made a decision that some considered excessive: every transaction is secured by not one but two post-quantum signature algorithms, each built on entirely different mathematics. In this article, I want to explain why that choice is not excessive at all — it’s the minimum responsible approach for a system meant to protect value for decades.

A Quick Word on How Digital Signatures Work

When you authorise a blockchain transaction, you produce a digital signature using your private key. The network verifies that signature using your public key. If the math checks out, the transaction is valid. The security of the entire system depends on one thing: that nobody can forge a valid signature without the private key.

Today’s blockchains use ECDSA for this. Post-quantum blockchains need algorithms that remain secure even against quantum computers. But which algorithm? That’s where it gets interesting.

Falcon-512: Security From Geometric Lattices

Falcon is built on the mathematics of lattices — regular geometric structures in high-dimensional space. Imagine a grid of points extending in hundreds of dimensions. The hard problem at the core of Falcon is this: given a point somewhere in that space, find the closest lattice point. In two or three dimensions, this is trivial. In 512 dimensions, it’s computationally brutal — even for a quantum computer.

More precisely, Falcon relies on the “Short Integer Solution” problem over NTRU lattices. To sign a message, the signer uses a secret short basis of the lattice (the private key) to find a short vector. To verify, the network checks that the vector is indeed short enough — something anyone can do with just the public basis.

Falcon-512 was standardised by NIST at Security Level 1, equivalent to 128-bit AES — the same security level that protects classified government communications today. It’s efficient, well-studied, and produces remarkably compact signatures for a post-quantum scheme.

MAYO-5: Security From Multivariate Polynomials

MAYO comes from a completely different branch of mathematics: multivariate quadratic equations. The hard problem here is solving a system of many polynomial equations in many variables over a finite field. While a single quadratic equation is easy, a tangled system of them in dozens of variables becomes intractable — a problem known to be NP-hard in general.

MAYO-5 is a refined version of the classic “oil and vinegar” signature scheme, one of the oldest ideas in post-quantum cryptography. The signer knows a secret structure that separates the variables into two types (the “oil” and “vinegar”), making it easy to find solutions. Without that secret structure, a forger faces an impenetrable wall of intertwined equations.

MAYO-5 is evaluated at NIST Security Level 5 — equivalent to 256-bit AES. That’s the highest standard NIST defines, designed to resist attacks from both classical and quantum adversaries with substantial resources.

Why Two Different Families Matter

Here’s the core insight: Falcon and MAYO have nothing in common mathematically.

Falcon’s security depends on the hardness of lattice problems. MAYO’s security depends on the hardness of multivariate polynomial systems. A breakthrough that cracks one gives you zero advantage against the other. They don’t share assumptions, techniques, or structural weaknesses.

This is not redundancy for its own sake. History has shown that cryptographic algorithms can fail in unexpected ways. When MD5 was broken, systems relying solely on MD5 were immediately vulnerable. Those using multiple independent hash functions had time to adapt.

By requiring both Falcon-512 and MAYO-5 signatures on every QWID transaction, we ensure that even if one algorithm suffers a catastrophic break — whether from a new mathematical insight, a novel quantum attack, or an implementation flaw — your assets remain protected by the other. An attacker would need to independently defeat both algorithms, rooted in two separate branches of mathematics, simultaneously.

The Numbers

Here’s how the two algorithms compare side by side:

Property             Falcon-512          MAYO-5
Math family          Lattice-based       Multivariate
NIST security level  Level 1 (128-bit)   Level 5 (256-bit)
Public key size      897 bytes           5,554 bytes
Signature size       < 752 bytes         < 838 bytes
Private key size     1,281 bytes         40 bytes
Mnemonic support                         Yes (48 words)

Notice something interesting: MAYO-5’s private key is only 40 bytes — small enough to derive from a 48-word mnemonic phrase. This means QWID users can back up their highest-security key using the same familiar word-list approach they know from Bitcoin, but with NIST Level 5 post-quantum security.

Crypto-Agility: The Escape Hatch

Even dual-layer protection isn’t enough if you can’t adapt. Cryptography is a living field. New attacks emerge. Standards evolve. Any system that bakes in a single cryptographic choice and offers no path to change it is building on sand.

QWID includes a unique feature we call decentralised cryptographic governance. If either Falcon-512 or MAYO-5 is ever found to be weakened or compromised, the QWID community can:

  1. PAUSE the affected algorithm via on-chain voting — immediately removing it from transaction validation while the other algorithm continues to protect the network.
  2. UPGRADE to a replacement algorithm through a governance proposal, migrating the network to a new scheme without a disruptive hard fork.

This is crypto-agility at the protocol level. No other blockchain we’re aware of offers this capability. Most chains would require years of debate, a contentious fork, and a massive coordination effort to swap their signature scheme. QWID can do it through a structured community vote.
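The two rules described above (a transaction must carry a valid signature from every active algorithm, and governance can pause or replace one) are easy to state precisely in code. The following Python is an added example, not QWID's own code: Falcon-512 and MAYO-5 are not in the standard library, so a Lamport one-time signature instantiated with two different hash functions stands in for them, and the class and method names are my own.

```python
import hashlib
import secrets

class LamportOTS:
    """Lamport one-time signature (hash-based, post-quantum): a constructed
    stand-in for Falcon-512 / MAYO-5, which are not in the standard library."""
    def __init__(self, hash_name):
        self.hash_name = hash_name

    def h(self, data):
        return hashlib.new(self.hash_name, data).digest()

    def bits(self, msg):
        d = self.h(msg)  # first 256 digest bits pick which preimage to reveal
        return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

    def keygen(self):
        sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
        pk = [[self.h(a), self.h(b)] for a, b in sk]
        return sk, pk

    def sign(self, sk, msg):
        return [sk[i][b] for i, b in enumerate(self.bits(msg))]

    def verify(self, pk, msg, sig):
        return len(sig) == 256 and all(
            self.h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, self.bits(msg))))

class DualSignaturePolicy:
    """QWID-style rule: valid only if EVERY active algorithm's signature verifies.
    pause() models the on-chain vote removing a weakened algorithm from
    validation; upgrade() registers its replacement."""
    def __init__(self, schemes):
        self.schemes = dict(schemes)  # algorithm name -> object with verify()
        self.active = set(self.schemes)

    def pause(self, name):
        self.active.discard(name)

    def upgrade(self, name, scheme):
        self.schemes[name] = scheme
        self.active.add(name)

    def verify_tx(self, tx, pubkeys, sigs):
        if not self.active:  # never validate with an empty algorithm set
            return False
        return all(name in sigs and name in pubkeys
                   and self.schemes[name].verify(pubkeys[name], tx, sigs[name])
                   for name in self.active)
```

A forged signature under one scheme, or a missing signature, fails the whole transaction while both algorithms are active; after a pause the remaining scheme alone carries validation, and after an upgrade the replacement's signature becomes mandatory.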

Building for Decades, Not Quarters

The dual-algorithm approach adds some overhead — larger transactions, more computation per signature verification. We considered this carefully. The added cost is modest (a few kilobytes per transaction), and we believe it’s a small price for the guarantee that QWID’s security doesn’t depend on any single mathematical conjecture holding true forever.

We’re building infrastructure meant to secure value for decades. In that timeframe, algorithms will be broken, standards will change, and quantum computers will arrive. QWID is designed to survive all of it.

Explore the full technical details in our GreenPaper at qwid.org.