DEV Community

Cover image for The Half-Life of a Signature, and the Record Built to Outlast It
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

The Half-Life of a Signature, and the Record Built to Outlast It

#postquantumcryptogra #auditrecords #mldsa #digitalsignatures

The Half-Life of a Signature, and the Record Built to Outlast It

By Micky Irons, founder of Mickai.

A signature feels permanent at the moment you apply it. The cryptography is sound, the maths checks out, and the file is sealed. Yet a signature is not a fact about the past. It is a bet on the future, specifically a bet that the algorithm that produced it will still be hard to forge years from now. That bet has a half-life, and almost nobody writes it down.

The uncomfortable truth is that signatures age in three ways at once. The algorithm weakens as cryptanalysis improves and hardware gets cheaper. The signing key ages out, rotated, retired, or quietly compromised. And the institution that vouched for the key changes shape, gets acquired, or simply stops answering. Any one of these can turn a once-valid seal into a question mark. A record built to outlast its signature has to survive all three.

A marble figure of Chronos carved in white stone, one hand dissolving into dust at the edge while gold rim light catches the intact half, set against pure void black.

Time does not negotiate with cryptography. Every signature carries a decay curve it never prints on the certificate.

Why the quantum clock matters now, not in 2040

The convenient version of the story says quantum computers are decades away, so classical signatures are safe for now. The inconvenient version is that an adversary does not need a quantum computer today to defeat a record dated today. They need only to keep the sealed material until the machine arrives. Harvest now, break later. For anything that must remain credible for a decade or more, a contract, a custody trail, a regulatory filing, the relevant question is not whether the algorithm is safe today but whether it will still be safe across the whole life of the record.

This is why the move to post-quantum signatures is a records problem before it is a cryptography problem. The standard exists. In 2024 the United States National Institute of Standards and Technology published FIPS 204, the Module-Lattice Digital Signature Algorithm (ML-DSA), as the first ratified post-quantum signature standard. The hard part is no longer choosing the algorithm. It is wiring it into the place where consequential actions actually happen, so that the seal is applied automatically, every time, without a human deciding it is worth the effort.

Sealing the action, not the file

Most systems sign artefacts. You produce a document, then sign the document. The gap between the act and the seal is where disputes live, because the thing you signed is a snapshot, not the event. Mickai, the Sovereign Intelligence Operating System that runs fifty specialised brains on the operator's own hardware, takes the opposite approach. Every consequential action is sealed at the moment it occurs into the Open Audit Record, the OAR, and each entry is signed with FIPS 204 ML-DSA-65, the post-quantum standard described above.

The distinction is not cosmetic. Signing the action rather than the artefact means the record captures what was decided, by which brain, on what inputs, under whose authority, at the instant it mattered. The seal is post-quantum from the first entry, so the harvest-now-break-later attack has nothing soft to bite on. And because the OAR is generated by the substrate itself rather than bolted on afterwards, there is no human in the loop deciding whether this particular action was important enough to record. They all are.

Mnemosyne, goddess of memory, carved in marble holding an unbroken tablet, gold light tracing the inscribed lines while the surrounding hall falls away into darkness.

The OAR seals the action as it happens, not the document after the fact. Memory of the event, not a snapshot of the file.

A signature alone is a closed loop

Here is the limitation no signature scheme escapes on its own. To verify a signature, you need the public key. To trust the public key, you need whoever issued it. To trust the issuer, you need their key, and so on up a chain that eventually rests on an institution you have to take on faith. If that institution is the same one whose records are in question, the loop closes on itself. The signer is vouching for the signature. That is fine until the day it is exactly the thing in dispute.

Breaking the loop requires an anchor that the signer does not control and cannot quietly revise. This is the role Pantheon plays. Pantheon is Mickai's own sovereign Layer 1, with a native token (PAN, fixed at five billion supply) and a hard property: it anchors a cryptographic hash commitment of the record to Bitcoin, so the existence and ordering of the record become permanent and independently checkable. It does not move Bitcoin and it is not a Bitcoin Layer 2. Anchoring is not spending. What gets committed is a fingerprint, not funds, and once that fingerprint is settled it cannot be backdated, reordered, or quietly removed by anyone, including the operator who produced it.

Three layers, three independent failures

Put together, the design answers each of the three ways a signature ages. The post-quantum seal addresses the algorithm weakening, because ML-DSA-65 is built to resist the machine that breaks classical signatures. The OAR addresses the key and the authority question, because every entry carries the full context of who acted and under what mandate, sealed at the moment of action rather than reconstructed later. And the Bitcoin anchor through Pantheon addresses the institution problem, because the proof of when a record existed no longer depends on the institution still being there to confirm it.

The point of separating the layers is that they fail independently. A weakness in one does not silently propagate into the others. If, years out, ML-DSA itself needed succeeding, the anchored history would still prove what existed and when, giving a clean baseline to migrate from. That is the practical meaning of building a record to outlast its signature. You stop asking any single mechanism to carry the whole burden of trust across decades.

Poseidon carved in marble driving a trident into bedrock at the sea floor, gold light marking the point of impact, the surrounding water rendered as deep void black.

Pantheon anchors a hash of the record to Bitcoin. The fingerprint is fixed in place, the funds never move.

Sovereignty is what makes it durable

None of this works if the record lives on infrastructure you do not control. A trail that can be altered by whoever runs the server is not a trail, it is a courtesy. Mickai runs on the operator's own hardware and is fully offline-capable, which means the sealing, the OAR, and the anchoring commitment originate inside the operator's perimeter rather than on a vendor's terms. Trust Agent stands at that perimeter as the boundary. The record is produced where the operator has authority, and only the anchor reaches outward, carrying a hash and nothing more.

The engineering discipline behind this is documented rather than asserted. Mickai holds 101 filed UK patent applications, around 2,234 claims, owned by Mickai LTD, with Micky Irons named as the inventor. The patents are evidence of the architecture, not the headline of it. The headline is simpler. A signature tells you something was sealed. A record built to outlast its signature tells you what happened, proves when it happened, and keeps proving it long after the original seal has aged into history.

Themis carved in marble holding level scales, one pan resting on a fading inscription and the other on a freshly cut one, hard gold rim light across the blindfold against pure black.

A record built to outlast its signature does not ask you to trust the signer. It lets a stranger check the proof for themselves.

Written by Micky Irons. Originally published at https://mickai.co.uk/articles/the-half-life-of-a-signature-and-the-record-built-to-outlast-it. More from Micky Irons and Mickai at mickai.co.uk.

Top comments (0)