Runs entirely in your browser · no server, no SSH

Post-Quantum signature demo

PaychainX seals every payment in a tamper-evident audit proof, then wraps it in a hybrid post-quantum envelope. The classical hash and signature are real and reproducible here today. Real ML-DSA arrives through the PQ sidecar on the roadmap. We clearly label what is live versus roadmap.

Hybrid post-quantum lattice audit
Why now

The post-quantum clock is federal, and it is running

On June 22, 2026 the President signed an Executive Order, Securing the Nation Against Advanced Cryptographic Attacks, directing the move to NIST post-quantum standards. It calls out the harvest now, decrypt later threat, where adversaries capture encrypted data today to break it once a quantum computer exists. The deadlines are concrete:

Key establishment to PQCby Dec 31, 2030
Digital signatures to PQCby Dec 31, 2031
FAR contractor complianceby Dec 31, 2030
StandardsFIPS 203 ML-KEM, FIPS 204 ML-DSA

PaychainX is built for this. The audit envelope already reserves the exact NIST slots, pq_sig: ml-dsa for signatures and pq_kem: ml-kem for key establishment, so the migration is wired into the architecture today, ahead of the federal timeline. A payments platform that can prove a quantum-resistant audit trail is years ahead of processors that have not started. Read the Executive Order.

1 · Classical audit proof Live today

Every payment commits to a tamper-evident proof: proof_hash = SHA‑256(canonical(payload)), where canonical JSON sorts keys recursively. This reproduces the gateway's real audit proof (hash_algorithm: sha256) in your browser.

press compute
press compute
not verified yet
Real cryptography: changing one character of the payload changes the hash, so verification fails. Try the Tamper button.

2 · Hybrid post-quantum envelope Roadmap upgrade Demonstrated live

Today's live proof is the SHA-256 audit above. The roadmap upgrade is drop-in and happens in two steps: widen the integrity digest to SHA‑512, then populate the reserved signature field with a post-quantum signature (pq_sig: ml-dsa, pq_kem: ml-kem) from a vetted sidecar. This panel demonstrates that upgraded envelope in your browser: it computes pq_hash = SHA‑512(canonical(pq, payload)) and an HMAC-SHA512 stand-in for the signature, with a hybrid_attestation block. The envelope shape never changes, which is what makes the migration drop-in.

compute the proof above, then build the envelope
Honest split: the SHA-512 hash and HMAC-SHA512 value are real and reproducible here, but they represent the roadmap upgrade, not the live proof. The gateway's live proof today is SHA-256 (the signature and signature_algorithm fields exist but are null). Real ML-DSA is supplied by the PQ sidecar and is on the roadmap, not claimed as live.

Key lifecycle

Classical audit live

Every payment emits a SHA-256 proof_hash over canonical JSON.

Proof schema pre-wired

The proof record reserves the signature and signature_algorithm fields, ready for the PQ upgrade.

ML-DSA sidecar

Swap the in-process fallback for a vetted ML-DSA provider via the PQ sidecar.

4
Hybrid enforced

Set pq_mode to hybrid-enforced so every audit requires a valid PQ signature.

5
Key rotation

Rotate pq_key_id on schedule; old keys stay verify-only until events expire.

pq_mode progression

offclassical audit only
hybrid-ready (today)PQ envelope built, not required
hybrid-enforcedvalid PQ signature required
pq_sigml-dsa (sidecar)
pq_kemml-kem (sidecar)

Backwards compatible at every step. The envelope shape never changes, so merchants integrate once and the PQ guarantees strengthen underneath them.