NIST finalized FIPS 204 (Dilithium) and FIPS 205 (SLH-DSA) in August 2024. Most chains responded with roadmap statements. Eighteen months later, ours just shipped both.
Not on a testnet. Not as a flag-gated experiment. As the primary signature on every chain entry, across four nodes in four jurisdictions, replacing Ed25519 entirely.
It took one focused week. Most of that week was deciding what *not* to do.
The first decision was strength. Dilithium has three NIST levels. Level 3 is the one most production systems are migrating to — it matches AES-192 against quantum attack and has reasonable signature sizes (about 3 KB). Level 5 is the maximum: AES-256 equivalent, 4.6 KB signatures.
I asked myself: who is the adversary? Cryptographically relevant quantum computers do not exist yet, but governments are recording encrypted traffic now to decrypt later. The adversary that matters is a nation-state actor in 2035 with a real CRQC, looking back at this week's chain entries.
Against that adversary, Level 5 is not paranoid. It is the rational floor.
The second decision was hybrid versus pure. The orthodox post-quantum migration is to swap one signature scheme for another. Dilithium replaces Ed25519. Done.
I did not want to do that. The whole point of going to lattice cryptography is that we are not certain it will hold. Lattice cryptanalysis is an active research area. Surprises happen.
If lattice falls and you signed everything with only Dilithium, every entry ever written becomes forgeable retroactively. That is not a hypothetical — it is exactly what happens to RSA and ECC the day a sufficiently large quantum computer ships.
So we sign everything three times. Dilithium-5 (lattice). Ed25519 (classical, defense in depth). SLH-DSA-SHAKE-256f (hash-based, the conservative fallback). Three independent mathematical foundations. An attacker has to break all three to forge anything.
The signature footprint went from 64 bytes to about 95 KB per entry. A 1500x increase. I took the trade. Storage is cheap. A single bad bet on a signature scheme is irreplaceable.
The third decision was the boundary. We could rebuild everything — consensus, transport, storage, key management. Or we could pick the layer that mattered most this week and ship it cleanly.
I picked signing. Mesh transport got mTLS. Serialization got a canonical protobuf format. Key storage stayed on disk with file permissions — HSM is queued for next round.
The rule I kept reminding myself: ship the cryptographic floor first. The integrity layer next. The consensus and HSM stuff can land later because they do not change the security guarantees of entries already written.
By Friday, every entry across Helsinki, Oregon, Singapore, and Ashburn was triple-signed in canonical v2 protobuf with mTLS between peers. Four jurisdictions, no shared vendor, no Render dependency.
The week before, TreeChain was a single-signature mesh with a vendor in the loop. The week after, it is the cryptographic floor we wanted.
Most of the difference was deciding fast and not flinching.