News
Security

from the migration desk

One mnemonic, four identities

Why Quorum can derive classical and post-quantum identities from one recovery phrase without making PQ security depend on classical private keys.

One mnemonic, four identities research title card

Quorum's wallet can derive Ed25519, Secp256k1, Falcon-512, and Winternitz identities from one BIP-39 mnemonic. That is a usability choice, not a claim that every derived key is post-quantum.

The mnemonic is the root secret. If it is exposed, every derived identity is exposed. The narrower security claim is that compromise of one derived classical private key does not automatically reveal the independent Falcon or Winternitz secrets.

The branch model

Each scheme uses a separate derivation branch:

  • Ed25519 uses a Solana-compatible hardened derivation path.
  • Secp256k1 uses an Ethereum-compatible BIP-32/BIP-44 style path.
  • Falcon uses domain-separated HKDF material.
  • Winternitz uses its own hardened tree for one-time positions.

The public key, private key, or signature from one branch is not used as input to another branch. That matters under a quantum threat. A future attacker who derives an Ed25519 private key from an exposed Ed25519 public key has broken that classical identity. They have not thereby reversed the BIP-39 seed or the separate Falcon branch.

What the mnemonic does and does not solve

The mnemonic solves backup ergonomics. It lets users recover the identities they need for mixed-scheme governance without managing four unrelated seed phrases.

It does not make Ed25519 quantum-resistant. It does not make Secp256k1 quantum-resistant. It does not remove the need for pq_threshold. Quantum readiness comes from requiring post-quantum approvals and rotating authority away from purely classical paths.

Safe wording: one recovery phrase can derive all supported identities through separate branches. Unsafe wording: one mnemonic makes the whole wallet quantum-safe.

Why this is useful for migration

Users need a migration path that is secure enough to reason about and simple enough to operate. Separate derivation branches keep post-quantum identities independent from classical private keys, while one mnemonic keeps backup manageable for real teams.

The policy layer still decides security. A wallet with Falcon keys is not automatically a quantum-ready multisig. A multisig becomes quantum-ready when its approval requirements actually require post-quantum evidence.

References