Post-quantum cryptography

AML and financial records on Proofenance are retained for five years under current legislation. That horizon overlaps the period when the industry expects large-scale quantum computers to be developed and threaten classical public-key cryptography. Proofenance is prepared for that reality.

Why this is important

Any online system that authorises access with classical digital signatures, and has not migrated to post-quantum cryptography, shares this flaw. It is not unique to Proofenance. When staff view documents while signed in, each access is backed by one of those signatures. An attacker who records them today could use a future quantum computer to reverse-engineer them and forge new access to every resource your team can currently open online.

The solution is post-quantum cryptography (PQC): digital signature standards built specifically to resist future quantum computers. Unlike the classical signatures most systems use today, a PQC signature recorded now cannot later be reverse-engineered to forge new access, which is why it is the right foundation for authorising document access over a long retention period.

Where we use PQC

  • Data in use

    PDFs, images, and ProofMarked reports open inside the signed-in app. Each view receives a short-lived access grant signed to a post-quantum standard, so signatures recorded today cannot be reverse-engineered to forge new access to stored data later.

  • Data at rest

    Customer records and financial documents are encrypted with AES-256 throughout storage. This strength remains appropriate for multi-year retention as quantum computing advances.

  • Data in transit

    Connections between your browser and Proofenance use modern TLS encryption, and document streams are never sent in cleartext. We adopt post-quantum TLS standards as they become widely available.

Our approach

Live now

Secure document access

  • Post-quantum signed access grants for file, image, and ProofMarked report views
  • In-app viewer with short-lived permissions and full audit logging
  • AES-256 encryption for stored customer and financial records

Ongoing

Continued hardening

  • Regular rotation of signing keys with smooth transition periods
  • Broader post-quantum protections as NIST and industry standards mature
  • Review of third-party connectors (open banking, payments) against migration timelines

Proofenance follows NIST post-quantum cryptography standards (including ML-DSA for document access grants) as part of a long-term strategy to protect financial records across their full retention period.