V100 does not use one post-quantum algorithm. It uses three families of post-quantum algorithms, each rooted in a different mathematical hardness assumption. This is not security theater. It is a deliberate engineering decision based on a simple principle: cryptographic confidence scales with the number of independent mathematical assumptions an attacker must defeat simultaneously.
This post is a technical deep dive into each algorithm family — what problem it solves, what mathematical assumption it relies on, how it performs in V100's video pipeline, and why a single family is not enough. If you are looking for a gentler introduction, start with What Is Post-Quantum Encryption? and come back here for the details.
Why Three Families, Not One
In classical cryptography, deploying a single algorithm family was considered acceptable. RSA alone protected both key exchange and digital signatures for decades. The mathematical assumption was well-studied (integer factorization hardness), and the risk of a sudden break was considered low.
Post-quantum cryptography is in a fundamentally different position. The algorithms are newer. The mathematical assumptions are less battle-tested. NIST spent eight years evaluating candidates, but lattice-based cryptography — the foundation of both ML-KEM and ML-DSA — has been studied for a fraction of the time that factoring has. The possibility that a future breakthrough could weaken or break lattice assumptions is not paranoia. It is responsible risk management.
V100's three-family design ensures that breaking the system requires simultaneously defeating three independent mathematical problems:
Three hardness assumptions
A breakthrough in lattice cryptanalysis that weakens MLWE would compromise ML-KEM and ML-DSA but leave FALCON (NTRU) and SLH-DSA (hash-based) intact. An advance against NTRU lattices specifically would affect FALCON but not ML-KEM/ML-DSA or SLH-DSA. And even if all lattice-based schemes were simultaneously broken — an extraordinary and unlikely event — the hash-based SLH-DSA signatures would remain completely unaffected, because their security depends only on SHA3-256 being collision-resistant.
Pillar 1: ML-KEM-768 — Quantum-Safe Key Exchange
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as NIST FIPS 203 and formerly known as CRYSTALS-Kyber, is V100's primary key exchange mechanism. It replaces classical ECDH (elliptic-curve Diffie-Hellman) for establishing shared session keys between video participants.
How ML-KEM Works (Simplified)
ML-KEM is a key encapsulation mechanism (KEM), not a key agreement protocol. The distinction matters. In ECDH, both parties contribute to the shared secret symmetrically. In ML-KEM, one party (the "encapsulator") generates a random shared secret, encrypts it using the other party's public key, and sends the ciphertext. The recipient ("decapsulator") uses their private key to recover the shared secret.
The security of ML-KEM rests on the Module Learning With Errors (MLWE) problem. In simplified terms: imagine a system of noisy linear equations over polynomial rings. The "noise" (small random errors) makes it computationally infeasible to recover the secret, even with a quantum computer. The best known quantum algorithms for solving MLWE have exponential runtime, providing no meaningful advantage over classical approaches.
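The encapsulate/decapsulate flow and the "noisy linear equations" idea above, as an added toy example (not V100 code and not ML-KEM). It uses plain LWE over integers mod 3329 rather than module lattices, and it omits the hashing and re-encryption checks that real ML-KEM performs. The sizes N and M are assumed toy values that provide no security.

```python
import secrets

Q, N, M = 3329, 16, 32   # Q is ML-KEM's modulus; N and M are toy sizes (insecure)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def keygen():
    """Public key (A, b = A*s + e mod Q); private key s."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]   # the noise: -1, 0 or 1
    b = [(dot(row, s) + err) % Q for row, err in zip(A, e)]
    return (A, b), s

def encrypt_bit(pk, bit):
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]       # random subset of the equations
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (dot(r, b) + bit * (Q // 2)) % Q
    return u, v

def decrypt_bit(s, ct):
    u, v = ct
    d = (v - dot(u, s)) % Q    # = bit*(Q//2) + accumulated noise, |noise| <= M
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def encapsulate(pk):
    """The encapsulator alone picks the 32-byte secret and encrypts it bit by bit."""
    secret = secrets.token_bytes(32)
    bits = [(byte >> i) & 1 for byte in secret for i in range(8)]
    return [encrypt_bit(pk, bit) for bit in bits], secret

def decapsulate(s, ciphertext):
    """The key holder strips the noise with s and reassembles the secret."""
    bits = [decrypt_bit(s, ct) for ct in ciphertext]
    return bytes(sum(bits[8 * k + i] << i for i in range(8))
                 for k in range(len(bits) // 8))

if __name__ == "__main__":
    pk, sk = keygen()
    ct, sent = encapsulate(pk)
    print("secrets match:", decapsulate(sk, ct) == sent)
```

Decryption is always correct here because the accumulated noise is at most M = 32, far below the Q/4 decision threshold.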
ML-KEM-768 Parameters
| Parameter | ML-KEM-768 | X25519 (classical) |
|---|---|---|
| Public key size | 1,184 bytes | 32 bytes |
| Ciphertext size | 1,088 bytes | 32 bytes |
| Shared secret | 32 bytes | 32 bytes |
| Encapsulation time | ~30 µs | ~50 µs |
| Decapsulation time | ~35 µs | ~50 µs |
| Quantum-safe | Yes | No |
The key trade-off is size: ML-KEM-768 public keys are 37 times larger than X25519 keys. In a video context, this means approximately 1.2 KB of additional signaling data per participant during session setup. For perspective, a single 720p video frame is 50–100 KB. The PQ key material is a fraction of a single frame.
V100's Hybrid Design
V100 does not use ML-KEM alone. It combines ML-KEM-768 with X25519 in a hybrid key exchange. Both algorithms independently produce a shared secret, and the two secrets are combined via SHA3-256(x25519_shared || kyber_shared). This hybrid approach provides two guarantees: if ML-KEM has an unforeseen weakness, the session is still classically secure via X25519; if a quantum computer breaks X25519, the session is still quantum-safe via ML-KEM. Both must fail simultaneously for a compromise.
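The combiner described above, as an added example rather than V100's own code. The function names are hypothetical and the input secrets are constructed samples. The length check and the all-zero check are additions a careful implementation would make around the formula; the formula itself is the one given in the text.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 32  # X25519 and ML-KEM-768 both output 32-byte shared secrets

def combine_hybrid(x25519_shared: bytes, kyber_shared: bytes) -> bytes:
    """Session key = SHA3-256(x25519_shared || kyber_shared)."""
    # Fixed input lengths keep the concatenation unambiguous.
    if len(x25519_shared) != SECRET_LEN or len(kyber_shared) != SECRET_LEN:
        raise ValueError("both shared secrets must be exactly 32 bytes")
    # An all-zero X25519 output means the peer supplied a low-order point
    # (RFC 7748, section 6.1); abort rather than derive a key from it.
    if hmac.compare_digest(x25519_shared, bytes(SECRET_LEN)):
        raise ValueError("X25519 produced the all-zero shared secret")
    return hashlib.sha3_256(x25519_shared + kyber_shared).digest()

def one_secret_known(x25519_shared: bytes, kyber_shared: bytes) -> dict:
    """Compare the real key with keys derived when one input is only guessed."""
    real = combine_hybrid(x25519_shared, kyber_shared)
    guess = secrets.token_bytes(SECRET_LEN)   # stands in for the unbroken secret
    return {
        "real": real,
        "x25519_known_only": combine_hybrid(x25519_shared, guess),
        "kyber_known_only": combine_hybrid(guess, kyber_shared),
    }

if __name__ == "__main__":
    # Constructed sample secrets; a real session takes them from X25519 and ML-KEM-768.
    x, k = secrets.token_bytes(32), secrets.token_bytes(32)
    view = one_secret_known(x, k)
    print("session key:", view["real"].hex())
    print("a single-secret guess matches:",
          view["real"] in (view["x25519_known_only"], view["kyber_known_only"]))
```

The 32-byte output is the right length to serve directly as an AES-256-GCM key.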
Pillar 2: ML-DSA-65 — Quantum-Safe Digital Signatures
ML-DSA (Module-Lattice-Based Digital Signature Algorithm), standardized as NIST FIPS 204 and formerly known as CRYSTALS-Dilithium, is V100's primary digital signature scheme. It replaces classical ECDSA and RSA signatures for proving integrity and authenticity of meeting artifacts.
What ML-DSA Signs in V100
Digital signatures serve a different purpose than encryption. Encryption protects confidentiality — ensuring only authorized parties can read the data. Signatures protect integrity and non-repudiation — proving that data has not been modified and was produced by a specific entity.
In V100, ML-DSA-65 signs: meeting recordings (proving the recording was not tampered with), AI-generated transcripts (proving the transcript accurately reflects the audio), meeting summaries and notes, participant attendance and join/leave logs, and session metadata. Each signed artifact carries a 3,293-byte ML-DSA-65 signature that can be independently verified. That signature will remain valid and unforgeable even after quantum computers exist.
ML-DSA-65 Parameters
| Parameter | ML-DSA-65 | Ed25519 (classical) |
|---|---|---|
| Public key size | 1,952 bytes | 32 bytes |
| Signature size | 3,293 bytes | 64 bytes |
| Sign time | ~180 µs | ~60 µs |
| Verify time | ~75 µs | ~90 µs |
| Quantum-safe | Yes | No |
ML-DSA-65 signatures are 51 times larger than Ed25519 signatures. For artifact signing (recordings, transcripts), this overhead is negligible — a 3 KB signature on a 100 MB recording is rounding error. For inline protocol messages where compactness matters, V100 uses FALCON-512 instead, which produces signatures under 700 bytes.
The MLWE Connection
Both ML-KEM and ML-DSA are based on the Module Learning With Errors problem. They share the same underlying mathematical assumption. This is efficient — a single well-studied hardness assumption provides both key exchange and signatures — but it is also a single point of failure. If a breakthrough in lattice cryptanalysis compromises MLWE, both ML-KEM and ML-DSA fall together. This is precisely why V100 also deploys FALCON and SLH-DSA: independent hardness assumptions that survive an MLWE break.
Pillar 3: FALCON-512 — Compact NTRU-Lattice Signatures
FALCON (Fast-Fourier Lattice-based Compact Signatures over NTRU) is a digital signature scheme selected by NIST alongside ML-DSA. Where ML-DSA offers fast verification and general-purpose signing, FALCON offers the smallest signatures of any post-quantum lattice scheme — a critical advantage for bandwidth-constrained real-time video signaling.
Why FALCON Matters for Video
Video signaling messages — session negotiation, participant joins, key rotation events, heartbeats — are sent frequently and must be compact. ML-DSA-65 signatures at 3,293 bytes are acceptable for signing a recording file but would add meaningful overhead if attached to every signaling message in a 200-participant conference.
FALCON-512 produces signatures of approximately 666 bytes — nearly five times smaller than ML-DSA-65. For signaling messages that average 200–500 bytes, the difference between a 3,293-byte and a 666-byte signature attachment is significant. FALCON enables V100 to sign every protocol message with a post-quantum signature without bloating the signaling channel.
FALCON-512 Parameters
| Parameter | FALCON-512 | ML-DSA-65 |
|---|---|---|
| Public key size | 897 bytes | 1,952 bytes |
| Signature size | ~666 bytes | 3,293 bytes |
| Hardness assumption | NTRU lattice | Module-LWE |
| V100 usage | Signaling messages | Artifact signing |
NTRU: A Different Lattice
FALCON is based on the NTRU lattice problem, which is mathematically related to but distinct from the Module-LWE problem that underpins ML-KEM and ML-DSA. NTRU was introduced in 1998 by Hoffstein, Pipher, and Silverman — making it one of the oldest post-quantum cryptographic proposals. The NTRU problem asks the attacker to recover a short vector in a specific lattice structure defined by the polynomial ring of NTRU. The best known attacks against NTRU lattices use different algorithmic approaches than those targeting MLWE, which is why a breakthrough against one does not automatically imply a break of the other.
This independence is the critical property for V100's security model. FALCON provides a second lattice-based family with a distinct hardness assumption from ML-KEM/ML-DSA. If a cryptanalytic advance compromises MLWE specifically (but not lattice problems in general), FALCON signatures remain intact.
The Failsafe: SLH-DSA (Hash-Based Signatures)
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), standardized as NIST FIPS 205 and formerly known as SPHINCS+, is the most conservative post-quantum signature scheme. Its security depends on a single assumption: the collision resistance and second pre-image resistance of hash functions. If SHA-256 (or SHA3-256) remains secure, SLH-DSA remains secure. Full stop.
Hash functions have been studied for far longer than lattice problems. SHA-256 has been in production since 2001. SHA3 was standardized in 2015. The mathematical understanding of hash function security is mature in a way that lattice-based cryptography is not. SLH-DSA leverages this maturity to provide a signature scheme that will survive even if every lattice-based assumption is broken.
The trade-off is size. SLH-DSA signatures are substantially larger than both ML-DSA and FALCON: the fast variant (SLH-DSA-SHA2-128f) produces signatures of approximately 17,088 bytes. For this reason, V100 uses SLH-DSA selectively — for long-lived attestations like H33-74 substrate anchors where maximum long-term assurance is required, not for high-frequency signaling messages.
How All Three Families Work Together in V100
Algorithm family assignment in V100
| Function | Algorithm | Family | Why This Algorithm |
|---|---|---|---|
| Session key exchange | ML-KEM-768 + X25519 | MLWE | Only NIST-standardized PQ KEM; hybrid for defense-in-depth |
| Artifact signatures | ML-DSA-65 | MLWE | Fast verification; size irrelevant for large artifacts |
| Signaling signatures | FALCON-512 | NTRU | Smallest PQ signatures; independent hardness from MLWE |
| Long-lived attestation | SLH-DSA | Hash-based | Most conservative assumption; survives all lattice breaks |
| Key derivation | SHA3-256 | Symmetric | Already quantum-safe (symmetric); combines both KE secrets |
Each algorithm is assigned to the function where its strengths matter most. ML-KEM-768 handles key exchange because it is the only NIST-standardized PQ KEM. ML-DSA-65 handles artifact signatures because verification speed matters for compliance workflows and signature size is irrelevant on large files. FALCON-512 handles signaling because compactness matters in high-frequency protocol messages. SLH-DSA handles long-lived attestations because the hash-based assumption provides maximum durability across decades.
Performance in V100's Video Pipeline
All three algorithm families run in V100's production pipeline with zero perceptible impact on video call quality. The PQ operations happen during session setup (key exchange) and after the call (artifact signing). During the call itself, media encryption uses AES-256-GCM with the PQ-derived session key, which has identical performance to classical encryption.
PQ operation timing in V100 pipeline
The H33 cryptographic infrastructure that powers V100's PQ stack has been benchmarked at over 1.6 million authentications per second on Graviton4 hardware using batched Dilithium (ML-DSA) signing. The per-authentication cost is 42 microseconds including FHE, attestation, and ZKP verification. At this scale, PQ overhead is not a concern — it is a solved engineering problem.
For the full protocol walkthrough including code examples, see Post-Quantum Encrypted Meetings. For the substrate attestation layer that ties all three families together, see H33-74: How 74 Bytes Prove Your Video Call Was Never Tampered With.
Three algorithm families. Three independent mathematical bets.
V100 is the only video API protected by ML-KEM, ML-DSA, FALCON, and SLH-DSA across three independent hardness assumptions. The design breaks if and only if MLWE lattices, NTRU lattices, and stateless hash-based signatures are simultaneously broken.