Security & Architecture · Security reviewers, IT

Post-quantum cryptography

1 min read · Updated May 6, 2026

InviziPoll implements post-quantum cryptographic protections to defend against the "harvest now, decrypt later" threat — where adversaries archive today's encrypted traffic for future decryption by quantum computers.

Algorithms

  • Key encapsulation: X-Wing hybrid construction pairing X25519 with ML-KEM-768 (FIPS 203, Security Category 3).
  • Digital signatures: ML-DSA-65 (FIPS 204, Security Category 3) replaces standalone Ed25519 for new material.

Implementation approach

  • Post-quantum operations run in the browser using audited, standard cryptographic libraries.
  • Key material is held in the browser's secure storage so sensitive operations stay on the client.

Storage and versioning

  • Stored ciphertext is treated as opaque binary.
  • A version field distinguishes legacy classical material from post-quantum hybrid ciphertext and signatures.
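How a client might act on such a version field, as an added example that is not InviziPoll's code. The byte layout, the version numbers, the minimum-version policy and all function names are assumptions made for illustration; the 1120-byte X-Wing ciphertext and 32-byte X25519 key sizes are the algorithms' fixed lengths.

```javascript
// Added illustration. The layout (1 version byte | KEM ciphertext | payload)
// and the version numbers are assumptions, not InviziPoll's storage format.
const VERSION_CLASSICAL = 1; // assumed tag for legacy X25519 material
const VERSION_HYBRID = 2;    // assumed tag for X-Wing hybrid material

// Fixed encapsulation sizes let the parser reject mislabelled records.
const KEM_CT_LEN = new Map([
  [VERSION_CLASSICAL, 32],   // X25519 ephemeral public key
  [VERSION_HYBRID, 1120],    // X-Wing: ML-KEM-768 ciphertext (1088) + X25519 share (32)
]);

function parseEnvelope(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length === 0) {
    throw new Error("envelope must be a non-empty Uint8Array");
  }
  const version = bytes[0];
  const ctLen = KEM_CT_LEN.get(version);
  if (ctLen === undefined) throw new Error(`unknown envelope version ${version}`);
  if (bytes.length <= 1 + ctLen) throw new Error("truncated envelope");
  return {
    version,
    kemCiphertext: bytes.subarray(1, 1 + ctLen),
    payload: bytes.subarray(1 + ctLen), // opaque to storage; only the client decrypts
  };
}

// Assumed policy: once a workspace has finished upgrading, its minimum
// version is raised and older envelopes are refused rather than decrypted.
function acceptEnvelope(bytes, minVersion) {
  const env = parseEnvelope(bytes);
  if (env.version < minVersion) {
    throw new Error(`version ${env.version} below workspace minimum ${minVersion}`);
  }
  return env;
}

// Lists records still on the legacy version, i.e. what an upgrade pass has left to do.
function pendingUpgrade(records) {
  return records.filter((r) => parseEnvelope(r).version < VERSION_HYBRID);
}

// Constructed sample record: zero-filled, correct length for its version.
function sampleEnvelope(version, payloadLen = 16) {
  const out = new Uint8Array(1 + KEM_CT_LEN.get(version) + payloadLen);
  out[0] = version;
  return out;
}
```

Refusing unknown versions and wrong-length records outright means a tampered version byte cannot steer a hybrid record into the classical code path.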

Upgrading existing workspaces

Workspaces that started on classical cryptography may upgrade key material to post-quantum protections during normal use (for example, when you sign in). The process is designed to complete in a consistent state; if it does not finish in one session, it retries later—your vault should never be left in an inconsistent split state.

Post-quantum protections cover admin and workspace key material. Respondent anonymity guarantees are independent of the algorithm choice.