# Why PQ signature + ZK audit

Post-quantum signatures and ZK audit proofs solve different problems. Use both only when your compliance model needs both authenticity and privacy-preserving attestations.

## What each layer does

| Layer | Primary goal | Best for |
|---|---|---|
| PQ signature (Dilithium) | Authenticity and integrity with quantum-resistance | Token issuance, token verification, non-repudiation |
| ZK audit proof | Prove compliance facts without exposing sensitive internals | Regulated workflows, selective disclosure, audit trails |

## Decision guide

| Scenario | Recommended stack | Reason |
|---|---|---|
| General API token verification | Classical + PQ hybrid signature | Migration-safe and legally compatible |
| High-assurance long-lived tokens | PQ signature required | Future-proof against quantum attacks |
| Audit where business logic is sensitive | PQ signature + ZK audit | Verifiable evidence with privacy |
| Simple low-risk internal prototype | Classical only (temporary) | Fast iteration before hardening |

## Practical rollout order

- Enable the `hybrid_required` policy for production integrations.
- Move large signatures to the JSON body or secure cookies (not headers).
- Publish performance numbers separately for native vs ZK stages.
- Add ZK audit only for controls that require a privacy-preserving compliance proof.
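The first two rollout steps (enforcing `hybrid_required`, and moving large signatures out of headers) can be checked in code. The block below is an added example written for this guide, not the project's own code: it implements a token verifier that applies the decision-table policies and a transport chooser that sizes a Dilithium signature against a header budget. `hybrid_required` is the policy name from the guide; `classical_only` and `pq_required` are assumed names for the other table rows, the 8 KiB header limit is an assumption, and both signature verifiers are HMAC-SHA256 stand-ins (constructed) so the policy logic runs offline with the standard library only.

```python
"""Hybrid / PQ signature policy enforcement for bearer tokens.

Added example for this guide, not the project's own code. A production
verifier would call a real Dilithium (ML-DSA) implementation and a
classical verifier (ECDSA/Ed25519); here both are HMAC-SHA256 stand-ins
(constructed) so the policy logic can run offline with the stdlib only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Policy names: hybrid_required is from the guide; the other two are
# assumed names for the remaining rows of the decision table.
CLASSICAL_ONLY = "classical_only"
HYBRID_REQUIRED = "hybrid_required"
PQ_REQUIRED = "pq_required"

# Signature sizes in bytes for the Dilithium parameter sets (FIPS 204 ML-DSA).
DILITHIUM_SIG_BYTES = {"dilithium2": 2420, "dilithium3": 3293, "dilithium5": 4595}
# Assumed total request-header budget (8 KiB, a common reverse-proxy default).
HEADER_LIMIT_BYTES = 8192


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, msg: bytes) -> str:
    # Stand-in for a real signature scheme: keyed MAC, hex encoded.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _verify(key: bytes, msg: bytes, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, msg), sig)


def issue_token(payload: dict, classical_key: bytes, pq_key: Optional[bytes]) -> dict:
    """Produce a token envelope carrying one or two signatures over the payload."""
    msg = _canonical(payload)
    sigs = {"classical": _sign(classical_key, msg)}
    if pq_key is not None:
        sigs["pq"] = _sign(pq_key, msg)
    return {"payload": dict(payload), "sigs": sigs}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def verify_token(envelope: dict, policy: str, classical_key: bytes,
                 pq_key: bytes, environment: str = "production") -> Decision:
    """Apply the signature policy. Every signature present is checked; under
    hybrid_required a token with only one valid signature is rejected."""
    msg = _canonical(envelope.get("payload", {}))
    sigs = envelope.get("sigs", {})
    classical_ok = "classical" in sigs and _verify(classical_key, msg, sigs["classical"])
    pq_ok = "pq" in sigs and _verify(pq_key, msg, sigs["pq"])

    if policy == CLASSICAL_ONLY:
        if environment == "production":
            return Decision(False, "classical_only is a prototype-only policy")
        return Decision(bool(classical_ok), "classical signature checked")
    if policy == HYBRID_REQUIRED:
        if classical_ok and pq_ok:
            return Decision(True, "classical and PQ signatures both verified")
        failed = [n for n, ok in (("classical", classical_ok), ("pq", pq_ok)) if not ok]
        return Decision(False, "hybrid_required: failed or missing " + ", ".join(failed))
    if policy == PQ_REQUIRED:
        return Decision(bool(pq_ok), "PQ signature " + ("verified" if pq_ok else "failed or missing"))
    return Decision(False, f"unknown policy {policy!r}")


def base64_len(n_bytes: int) -> int:
    """Wire size of n_bytes after standard base64 encoding with padding."""
    return 4 * ((n_bytes + 2) // 3)


def choose_transport(pq_param: str, classical_sig_bytes: int, other_header_bytes: int) -> str:
    """Decide whether a hybrid signature pair still fits in the request headers
    beside the headers already present, or must move to the JSON body / cookie."""
    wire = base64_len(DILITHIUM_SIG_BYTES[pq_param]) + base64_len(classical_sig_bytes)
    return "header" if other_header_bytes + wire <= HEADER_LIMIT_BYTES else "body"


if __name__ == "__main__":
    ck, pk = b"classical-demo-key", b"pq-demo-key"  # constructed demo keys
    tok = issue_token({"sub": "svc-billing", "exp": 1893456000}, ck, pk)
    print(verify_token(tok, HYBRID_REQUIRED, ck, pk))
    print(choose_transport("dilithium5", 64, 4096))
```

`choose_transport` shows why the guide moves large signatures out of headers: a Dilithium5 signature alone is 6128 base64 characters, so once ordinary request headers (cookies, tracing, auth) occupy a few KiB the pair no longer fits an 8 KiB limit, while the policy check in `verify_token` makes a token that drops its PQ signature fail closed under `hybrid_required`.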