Quantum-Proof Your Secrets: SNDL's Shield Against Tomorrow's Decryption Threats

SNDL shield tackles the imminent “store-now, decrypt-later” risk posed by future quantum computers, which can retroactively break today’s classical encryption and expose archived secrets. Our proposal leverages NIST-standardized post-quantum primitives—CRYSTALS-Kyber for hybrid key encapsulation, Dilithium for integrity, and a lightweight PQ-AEAD cipher (e.g. Ascon-128a) to encrypt payloads—ensuring data remains unreadable even under quantum attack. We integrate a Tesseract-based OCR pipeline to classify scanned documents by sensitivity before encryption, and enforce fine-grained Role-Based Access Control at the API layer to bind each operation to a user identity. Every encrypt, decrypt, and policy-change event is immutably recorded as an HMAC-protected Merkle-tree leaf, delivering tamper-evident, append-only audit trails. By contributing this modular, standards-aligned framework under OpenSSF governance, we enable secure, accountable migration of any datastore to post-quantum resilience while simplifying community review, CI-scorecard checks, and Sigstore-backed supply-chain integrity.