Paraxiom
ANSSI Guidelines 2026

Crypto-Agility Compliance

How QuantumHarmony aligns with ANSSI post-quantum cryptography recommendations

What is Crypto-Agility?

"Crypto-agility is the ability to extend and/or replace cryptographic components within IT-systems, without affecting their functionality, while minimising the downtime during the update." — ANSSI, Views on Crypto-Agility (January 2026)

With quantum computers emerging, systems must be able to switch cryptographic algorithms when vulnerabilities are discovered. ANSSI (France's national cybersecurity agency) published guidelines on January 19, 2026.

Compliance Summary

ANSSI Recommendation | Requirement | QuantumHarmony
R1 Algorithmic Agility | Switch algorithm families | ✓ SPHINCS+, Falcon, Dilithium
R2 Consistency | Same crypto across sub-systems | ✓ Native runtime
R3 Functionality | Design for worst-case sizes | ✓ 49KB SPHINCS+ supported
R4 Secure Updates | Hash-based signatures | ✓ SPHINCS+ signed upgrades
R5 Replay Protection | Prevent replay attacks | ✓ Nonces + temporal ratchet
R6 Downgrade Protection | No fallback to deprecated crypto | ✓ On-chain PQ enforcement

Detailed Implementation

1. Algorithmic Crypto-Agility

"Algorithmic crypto-agility should be implemented whenever the context allows it."

QuantumHarmony supports multiple PQ families:
Signatures: SPHINCS+ (hash-based), Falcon, ML-DSA/Dilithium (lattice)
KEM: ML-KEM (Kyber) via QKD
Hash: SHA-3, BLAKE3
Symmetric: AES-256-GCM, ChaCha20

2. Consistency Across Sub-systems

"Crypto-agility should be implemented consistently across all sub-systems."

Native blockchain runtime, not SDK wrapper:
Consensus: PQ on-chain • Network: PQ-encrypted P2P • Storage: PQ-signed blocks • Client: Same suite

4. Secure Updates

"Stateless hash-based signatures are the most trustful for updates."

Runtime upgrades use SPHINCS+ — exactly what ANSSI recommends.
Substrate forkless upgrades • Governance vote for crypto changes • HSM support

6. Downgrade Protection

"Deprecated cryptographic algorithms must not be allowed."

On-chain enforcement — no weak fallback:
PQ signatures mandatory • Validators reject non-PQ • No negotiation to weaker algorithms

Why On-Chain Matters

"The ability of the system to be updated dynamically is the cornerstone of efficient crypto-agility." — ANSSI
Approach | PQ Verification | ANSSI R6?
Off-chain PQ + on-chain ECDSA | Backend/IPFS | ✗ ECDSA-only still valid
Native PQ blockchain | On-chain | ✓ PQ enforced by consensus

If PQ signatures are verified off-chain while the chain itself verifies only classical ECDSA, a quantum attacker who breaks ECDSA still succeeds. This is the downgrade attack ANSSI warns against.
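The admission rule that R1, R3 and R6 describe can be sketched as a validator-side gate; this is an added example, not QuantumHarmony's or ANSSI's code. `Policy`, `Alg`, `Reject`, `genesis`, `admit`, `deprecate` and `register` are hypothetical names, and the size limits are assumed values taken from the public Falcon-512, ML-DSA-65 and SLH-DSA-256f parameter sets.

```rust
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Alg { EcdsaSecp256k1, Falcon512, MlDsa65, SlhDsa256f }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Status { Active, Deprecated }
#[derive(Debug, PartialEq, Eq)]
pub enum Reject { Unknown, Deprecated, Oversized }

/// Hypothetical validator-side registry: algorithm -> (status, max signature bytes).
pub struct Policy { algs: BTreeMap<Alg, (Status, usize)> }

impl Policy {
    /// Constructed starting state: two PQ schemes active, ECDSA already retired.
    pub fn genesis() -> Self {
        let mut algs = BTreeMap::new();
        algs.insert(Alg::Falcon512, (Status::Active, 666));
        algs.insert(Alg::SlhDsa256f, (Status::Active, 49_856)); // worst case (R3)
        algs.insert(Alg::EcdsaSecp256k1, (Status::Deprecated, 0)); // never admitted
        Policy { algs }
    }
    /// Gate run before cryptographic verification. The sender's algorithm is
    /// accepted or refused as-is; nothing weaker is ever negotiated (R6).
    pub fn admit(&self, alg: Alg, sig_len: usize) -> Result<(), Reject> {
        match self.algs.get(&alg) {
            None => Err(Reject::Unknown),
            Some((Status::Deprecated, _)) => Err(Reject::Deprecated),
            Some((Status::Active, max)) if sig_len > *max => Err(Reject::Oversized),
            Some(_) => Ok(()),
        }
    }
    /// Governance action: retire an algorithm. False if it was never registered.
    pub fn deprecate(&mut self, alg: Alg) -> bool {
        self.algs.get_mut(&alg).map(|e| e.0 = Status::Deprecated).is_some()
    }
    /// Governance action: add a new algorithm (R1). An existing entry, including
    /// a deprecated one, is never overwritten, so retirement is one-way.
    pub fn register(&mut self, alg: Alg, max_sig: usize) -> bool {
        if self.algs.contains_key(&alg) { return false; }
        self.algs.insert(alg, (Status::Active, max_sig));
        true
    }
}

fn main() {
    let mut p = Policy::genesis();
    p.register(Alg::MlDsa65, 3309);
    p.deprecate(Alg::Falcon512);
    println!("{:?} {:?}", p.admit(Alg::MlDsa65, 3309), p.admit(Alg::Falcon512, 666));
}
```

Because `register` refuses to touch an existing entry, a later governance vote cannot quietly re-enable a retired scheme; in the off-chain hybrid design from the table, no equivalent gate exists on the chain itself.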

Compliance Statement

QuantumHarmony is designed in accordance with ANSSI crypto-agility recommendations (January 2026), implementing algorithmic crypto-agility with native post-quantum cryptography and on-chain enforcement.