David Nugent

It’s currently too hard for users and developers to figure out which open-source software is secure and trustworthy. The most prominent assessment tool I’ve found is OpenSSF Scorecard, which assesses projects for security risks through a series of automated checks, assigning each project a score out of 10. Unfortunately, it hasn’t proliferated enough yet. Most users have never encountered Scorecard, so it doesn't affect their choices. And if it doesn’t directly affect weekly downloads or clout, most maintainers aren’t incentivised enough to adopt it. Scorecard also isn’t a fully comprehensive security assessment. Whether it’s Scorecard or something else, I do believe automated assessments have strong potential. At Breaks & Ciphers I’ve been considering some features that could result in a successful movement: * Fact-checking: a trustworthy assessment can’t currently be achieved solely through static checks or AI (hallucinations, prompt injections). There need to be incentives designed to encourage fact-checking or approval of automated results, similar to X’s Community Notes feature. * Stages instead of scores: a scoring system may be too daunting for maintainers if their projects start out with very low scores. One alternative I like is a stage-by-stage framework, where projects work their way up through several security and trust model stages over time. I saw the effectiveness of this approach in the L2BEAT initiative, and there is a similar Walletbeat initiative in beta (both linked in the replies for those interested in learning about these). Perhaps we need a Softwarebeat. * Inform the user: the security and trust status of the project needs to be shown clearly in GitHub, app stores, and package providers. Otherwise users and developers won’t hear about it, and maintainers won’t care about it. Even if we can’t get GitHub or Google Play onboard at the beginning, we could demonstrate the effectiveness by achieving integration in smaller platforms, such as the Obtainium APK installer. Reply or DM me with your thoughts!

After a couple of months travelling, I am announcing a small R&D lab, Breaks & Ciphers, which is focused on open-source cybersecurity, cryptography, and privacy. I want to live in a world where the software we use is highly secure, including security against mass surveillance by advertising agencies and intelligence agencies. I don’t believe this will happen if the software we use daily continues to be owned by companies whose primary incentive is to maximise shareholder value. I believe this is achievable through open-source software, now more than ever before, because today’s engineers can build good software on much tighter resources. There was once an implicit deal between society and big tech: we give you our data, you provide us with great free products, good jobs, and positive economic impact. Whether through greed or other reasons, big tech has betrayed this deal. Products become worse for our health to maximise profits (slot machine algorithms, AI slop, TikTok-like videos). Jobs cuts are encouraged in favour of centralised AI. Wealth doesn’t trickle down effectively, and the divide seems to be accelerating. On the surveillance side, whistleblowers and leaks over the years have demonstrated how some states are willing to violate the privacy of innocent people across the globe via software exploits and backdoors. The current geopolitical climate leads me to believe we may see further steps backward in this area. As a citizen of a neutral country, Ireland, I think it's completely reasonable to demand the ability to verify that the technology I use does not contain backdoors or vulnerabilities accessible by foreign states. At Breaks & Ciphers, we will do consistent work toward regaining our security and privacy. We will analyse trust models deeply to provide recommendations on which software to use, along with how we can improve these trust models over time. We’ll make contributions and security improvements to open-source projects. We’ll produce new open-source projects when necessary. While the need for Breaks & Ciphers comes from quite a sad state of the digital world, I don’t see the road forward as a lonely, dark path. I see it as a hopeful path where the thousands of engineers, researchers, journalists, activists, lawyers, communities and organisations who have fought for people’s digital sovereignty can win. And we’re going to have tonnes of fun and fulfillment along the way. For examples of software to be optimistic about, think of Signal, GrapheneOS, Tor. But I’m not recommending these yet, you’ll need to wait for the research!

New paper from our team. Post-quantum HD wallets with full non-hardened public key derivation. Watch-only wallets, xpubs, hierarchical key management, etc. all with provable security under standard lattice assumptions. BIP32 non-hardened derivation depends on the linear algebra of elliptic curves. You add an offset to a parent public key and get a valid child public key. Post-quantum lattice schemes break this in two ways. Some schemes round their public keys during key generation, which destroys linearity. And even without rounding, each derivation adds noise that changes the statistical profile of derived keys, breaking unlinkability. In this work, we built two constructions. The first uses ML-DSA for hardened-only derivation with full security proofs. The second, the main result, uses Raccoon-G, a variant of Raccoon with Gaussian-distributed secrets. We skip the rounding step and publish the full public key to preserve linearity. On top of this, Gaussians are stable under addition, so derived keys stay in the same distributional family as fresh ones. That gives you non-hardened derivation with provable unlinkability and unforgeability under standard lattice assumptions. The tradeoff is larger keys and signatures, and a bounded derivation depth. In practice the depth bound is not restrictive since real wallet structures like BIP44 only use non-hardened derivation for the last two levels anyway. We implemented both constructions in Rust. Paper and Github below.

🛠️ Hardware wallets: the post-quantum upgrade problem Hardware wallets are constrained embedded devices built to operate in a hostile environment. They sign transactions, keep keys off the host, and remain safe even if the connected computer is compromised. They tolerate physical attackers via things like secure elements, hardened boot chains, and side-channel mitigations which define what the device can safely do, and what it cannot. NIST finalized its first post-quantum signature standards in August 2024 (ML-DSA FIPS 204 and SLH-DSA FIPS 205). Whether existing hardware wallets can run these schemes safely, inside the trust boundaries they shipped with, depends on where signing executes, how firmware updates are verified, how much resource headroom exists, and how much side-channel risk the platform can absorb. Wallet hardware takes years to design and ship. Secure elements take years to develop and certify. Major chain migrations take years because they require consensus and coordination. Those timelines stack. If the ecosystem wants widely deployed post-quantum transaction signing in hardware wallets before quantum risk becomes acute, the engineering work has to start while elliptic curves are still the default. CONTINUE BELOW 👇👇👇

Respectfully Saylor is wrong here on quantum. Specifically, he is wrong on four claims (I'm only focusing on the technical ones). Let me walk through each one. Claim 1: The consensus of the cyber security community is that quantum is not a threat for the next 10 years and thus no immediate action is needed. There is no such consensus. The opposite is true: every major national security and standards body in the world is actively mandating post-quantum migration right now, because the migrations themselves take a decade or more. NSA CNSA 2.0 requires all new National Security Systems to be quantum-safe before 2035 with most of that work being done in the next 5. NIST published finalized PQC standards (ML-KEM, ML-DSA, SLH-DSA) in August 2024 and released IR 8547 setting a target to deprecate all quantum-vulnerable public-key algorithms after 2030 and disallow completely by 2035. The UK NCSC set migration milestones for 2028, 2031, and 2035. These are not responses to a distant hypothetical. These are programs with compliance deadlines because the organizations that set them have concluded that starting now is barely early enough. Historically, it has taken a long time from the moment that a new algorithm is standardized until it is fully integrated into information systems. Past cryptographic migrations confirm this. The SHA-1 deprecation took about 7 years. The AES migration took around 5 years. The TLS 1.3 rollout took 3-5 years despite offering clear performance benefits. NIST has already concluded that PQC migration is fundamentally more complex than any of these precedents. The timeline argument ignores harvest-now-decrypt-later entirely. Adversaries are collecting encrypted data today for future decryption. The U.S. Federal Reserve published an analysis of this in September 2025, using Bitcoin as a case study. The threat is already active. Claim 2: When quantum hits, everything upgrades; banks, the internet, defense, Bitcoin. The internet is already upgrading. 52% of human web traffic on Cloudflare used post-quantum key exchange by December 2025, nearly doubling from 29% at the start of the year. Chrome ships ML-KEM for TLS. Apple enabled PQ TLS in iOS 26. OpenSSH has defaulted to post-quantum key agreement since version 9.0. Signal has post-quantum encryption. AWS and Google Cloud support PQC in their KMS products. Apple added ML-DSA and ML-KEM to CryptoKit as production APIs. Banks and payment networks are centralized. Visa pushes a firmware update or SWIFT changes a protocol spec. TLS upgrades are invisible to end users (if you use Chrome you use a TLS version that supports post-quantum and you didn't even know). These systems can and will migrate without their customers doing anything. Bitcoin cannot do this. Bitcoin requires a fork with global decentralized consensus. A PQC signature migration is categorically harder than previous forks: ML-DSA-44 signatures are 2,420 bytes versus 64 bytes for Schnorr, a 38x increase that breaks Bitcoin's existing SegWit weight economics, Script stack limits (520-byte maximum), and transaction propagation assumptions. A single ML-DSA-44 signature plus public key is several times larger than an entire typical single-input P2WPKH spend today. BIP-360 and QBIP exist as (great) proposals. Sadly, neither has an activation timeline. Enterprise PQC migration is much easier. These are organizations with executive authority to mandate changes, dedicated security teams, and established procurement processes. Bitcoin has none of these. Blockchain governance is structurally slower than centralized governance. The "everything upgrades together" framing also ignores the permanently exposed key problem. When banks upgrade TLS, old sessions don't matter, they were ephemeral. When Bitcoin upgrades, the ~6.9 million BTC with already-exposed public keys on the immutable ledger are still sitting there. You cannot un-publish a public key from a blockchain. Those coins need to be actively moved by their owners to new quantum-safe addresses. Approximately 1.72 million BTC in P2PK addresses, including Satoshi's estimated 1.1 million BTC, are likely permanently exposed because the private keys are lost. There is no banking equivalent to this. Banks do not maintain a public, permanent, immutable record of every customer's authentication key going back 17 years. Claim 3: Digital assets have the most advanced cryptographic security; more than banking, credit cards, stocks, etc This conflates trustlessness with cryptographic strength. They are not the same property. Bitcoin uses ECDSA over secp256k1. Your bank's TLS connection uses ECDHE over P-256 or X25519. These are the same class of cryptographic primitive, elliptic curve schemes whose security rests on the hardness of the discrete logarithm problem. Shors algorithm breaks both identically. Neither is "more advanced" than the other. What differs is what we call the defense-in-depth architecture around that primitive. A credit card tap-to-pay transaction involves: TLS with ephemeral key exchange, an EMV chip with hardware-bound keys in a certified secure element, tokenization so the merchant never sees the real card number, session-based key rotation, fraud detection, transaction reversal capability, and regulatory insurance. A Bitcoin transaction involves: one ECDSA signature. That is the entire authorization layer. No fraud department, no chargeback, no identity verification layer that can distinguish a legitimate owner from a quantum attacker holding the same derived private key. Once a forged signature is accepted by consensus, the transfer is irreversible. The systems Saylor describes as less secure are, in fact, already deploying post-quantum protections that Bitcoin has not yet started. They can do this because they are centralized. Bitcoin's decentralization, its core value proposition, is precisely what makes its quantum migration harder, slower, and later than every system he compared it to. Claim 4: The crypto community will be the first to spot the threat and move. This assumes a CRQC will be publicly announced. Nation-state adversaries have zero incentive to disclose a quantum capability. The entire intelligence value of a CRQC is that no one knows you have it. You harvest quietly, you decrypt quietly, you exploit quietly. What would "spotting it" look like on Bitcoin? A quantum attacker does not exploit a bug, bypass a firewall, or compromise a server. They produce valid signatures indistinguishable from the legitimate owner's, because mathematically, they hold the same key. If an attacker begins draining P2PK addresses, each theft is a correctly signed transaction. There is no intrusion detection system for the Bitcoin blockchain. Transactions are valid or they aren't. By the time someone notices a pattern across thousands of UTXOs, the damage is done and irreversible. And the empirical record directly contradicts the "first to move" claim. The current state of readiness: one BIP with no activation timeline, an ongoing debate about whether to freeze Satoshi's coins, and a quantum-vulnerable exposure surface that is only going up. The exposure is increasing, not decreasing, because address reuse continues to add more and more BTC to the vulnerable set. Meanwhile, the rest of the internet has already deployed PQC to billions of users without anyone noticing. Where things actually stand We maintain the Bitcoin Risq List, an open-source, continuously updated tracker of quantum-vulnerable Bitcoin at the address level. As of block height 936,882 (February 2026): approximately 6.9 million BTC across 13.9 million addresses have exposed public keys. Solana is 100% quantum-vulnerable as their address structure exposes the full public key. Deloitte's analysis found 65% of Ethereum is in quantum-vulnerable accounts. The internet started its post-quantum transition in 2022. National security systems have a 2027 compliance mandate. NIST targets deprecating and disallowing all quantum-vulnerable public-key algorithms well before 2035. The blockchain industry, which directly protects bearer value with the exact cryptographic primitives that a quantum computer breaks, has a BIP and a debate. The question is not whether quantum is a threat to digital assets. It is whether the industry will begin its migration before the window closes. The gap between the internet's pace of PQC adoption and the blockchain industry's pace is not a gap in awareness. It is a gap in urgency and importantly, the gap is not closed by asserting that the threat doesn't exist.

If you're implementing ML-DSA and trying to decide between pure ML-DSA and HashML-DSA in FIPS 204, use pure ML-DSA. Wrote up the full reasoning but here's the short version. ML-DSA does not work like ECDSA (or RSA-PSS). With ECDSA, your application hashes the message, then the signing algorithm signs the digest. Two separate steps. ML-DSA takes the entire message as input. Internally it hashes the message together with the signer's public key fingerprint using SHAKE-256, producing a 64-byte value called mu. Everything after that, the lattice arithmetic, rejection sampling, signature encoding, operates only on mu. The message is never touched again. The public key binding is important. It means mu is unique to a specific signer, giving ML-DSA a property called non-resignability that ECDSA does not have. An attacker who intercepts mu cannot use it to forge a signature under a different key. HashML-DSA was added to the standard because some vendors wanted the old hash-then-sign workflow back. You hash with something like SHA-512, pass the digest to a modified ML-DSA that flips a domain separation byte and encodes the hash function's OID into the signature. The problem is this turns the hash function into a formal parameter of the primitive. Either the hash is fixed by your protocol (making HashML-DSA redundant) or it varies and the verifier depends on an untrusted parameter. The good news, we do not need HashML-DSA. Nothing stops you from hashing at the application layer and passing the digest to pure ML-DSA as the message. ML-DSA hashes it again internally, binds it to the public key, and produces a standard signature. The double hash is negligible, your hash function choice stays in your protocol spec where it belongs, and ML-DSA stays a self-contained primitive with a clean security proof. The ecosystem pretty much aligns with this. RFC 9881 prohibits HashML-DSA in X.509. RFC 9882 excludes it from CMS. TLS 1.3 ML-DSA draft defines only pure mode. NSA's CNSA 2.0 disallows it. Full write-up including the External Mu mechanism for split signing architectures below.

Hash-based signatures are the only post-quantum scheme that doesn't require a new cryptographic assumption. The security argument has two parts: SHA-256 is hard to invert, and each key is used exactly once. If you break either condition and the scheme fails. I wrote a 3-part series implementing all of this from scratch in Rust: SHA-256, Lamport signatures, and a key-recovery attack that shows what happens when you violate the one-time rule. Lamport signatures are almost absurdly simple. Generate 512 random 32-byte values (your private key), hash them all with SHA-256, publish the hashes as your public key. To sign, hash the message to get 256 bits, and for each bit reveal one secret value from the corresponding private key pair. To verify, the verifier hashes the message to get the same 256 bits, then hashes each revealed signature value and checks that it matches the correct slot in the public key. Only someone who knew the original secrets could produce values that hash to the published public key. The entire scheme is randomness and a single hash function. No number theory, no elliptic curves, no lattices. The major security concern is that each signature reveals exactly half the private key. A second signature on a different message reveals values from the opposite side of some private key pairs, because different messages hash to different bits. By about 10 signatures under the same key, every one of the 512 secret values has been exposed. At that point the attacker owns the key. I demo this by forging a signature on "Send all funds to the attacker" that verified successfully against the original public key, using nothing but the values leaked from observed signatures under the same key pair. This is why production schemes look the way they do. SPHINCS+ (NIST's SLH-DSA) is stateless. It does not rely on the signer remembering which one-time keys were used. Instead, each signature includes fresh per-signature randomness, and that randomness is mixed into the hash that decides which one-time keys (which leaves) get used. That makes reusing the same one-time key across two different messages negligibly unlikely, even if an attacker can choose the messages. XMSS takes a similar approach but is stateful, meaning the signer must track which leaves have been consumed. If that state is lost, duplicated, or rolled back (backup restores, failover, replicated systems), you get key reuse, and you're back to exactly the vulnerability above. I do think lattice-based schemes like ML-DSA will end up as the practical drop-in replacement for most digital signatures. They're faster and the keys are smaller. But hash-based signatures are the only family where security reduces to something we've trusted for decades which is kinda cool. Links below.

My write up on the recent ERC-4337 EntryPoint vulnerability. Once again a great example, threat model everything! This is even more important as account abstraction becomes the likely candidate for post-quantum accounts on Ethereum. The security boundaries go far beyond “which algorithm should we pick”

Great approach, but we need to be careful not to simply wait for EIP-8141 to be merged before we start rolling out PQ. 4337 is already doing real work today: deployed wallets, live UX, and an active ecosystem experimenting with PQ signatures right now. If most post-quantum accounts only arrive with a future native AA fork, we risk pushing migration too far out. The right framing feels like overlap: use 4337 as the proving ground for PQTS and crypto-agility, then converge those lessons into 8141 once it is ready. That transition path matters as much as the end state, especially if we want users protected before a quantum deadline rather than after it.

If you have ever said "we are crypto-agile", I do not think you are lying. I think you are using the definition the industry quietly converged on, which is "we can rotate keys and keep our crypto libraries reasonably up to date". That is good hygiene, and it is already more than a lot of teams manage. The problem is that hygiene is not what you need when the algorithm itself has to change, and that is what post-quantum is forcing. The uncomfortable part is that most systems are built to add cryptography, not delete it. Adding is usually localized, you can enable a new suite and call it progress. Deleting forces you to confront every hidden coupling, every unknown client, and every "temporary" compatibility path that became permanent. This is why crypto changes become migrations, and why so many teams discover they are not crypto-agile only when they try to turn something off. Post-quantum is going to feel like this, except with more moving parts and more pressure to get it right. If you treat it as a one-time swap, you will likely pay the migration cost once and still end up ossified again. The better framing is that post-quantum is a forcing function for crypto-agility, building the capability to change cryptography repeatedly under messy constraints, without turning every transition into a crisis.