[Cryptography] Quillon Graph: A private, post-quantum electronic cash system

Viktor S. Kristensen overdrevetfedmetodologi at pm.me
Wed Jan 7 20:31:03 EST 2026


  Peter,

  Thank you for your thoughtful and detailed engagement with the paper. Your technical insights are valuable and deserve careful consideration—they've helped sharpen several aspects of the argument.

  On algorithm specification:

  You're correct that naming specific algorithms (CRYSTALS-Dilithium-5, Kyber-1024, AEGIS-QL) departs from the convention of simply saying "post-quantum cryptography." This was deliberate:

  1. Operational transparency: This isn't a theoretical RFC—it's documentation for a deployed system. Implementers, auditors, and security researchers need to know exactly what's running. Vagueness here would be a security liability, not a virtue.
  2. Acknowledging NIST standardization: These are FIPS 203/204 standardized algorithms. While I share your caution about the relative youth of their cryptanalysis compared to RSA/ECC's 30+ years, declining to specify merely defers the decision to implementers—who would likely choose the same algorithms.

  On hybrid classical/post-quantum:

  Agreed completely, and the paper explicitly recommends this approach. Section 7.1 states:

  "Combine primitives such that security requires breaking both:
  Security = Sec(Classical) ∨ Sec(Post-Quantum)"

  The XChaCha20-Poly1305 layer provides defense-in-depth precisely for the concern you raise: if lattice assumptions fall, the classical layer remains as a floor. This is a defensive and prudent strategy given the uncertainties you've correctly highlighted.

  On the youth of NIST PQ analysis:

  This is the strongest objection, and the paper doesn't shy away from it. Section 4.3 states explicitly:

  "We have: (1) No proof that lattice problems are hard for quantum computers, (2) No proof that lattice problems are hard even for classical computers, (3) No proof that current constructions are optimally secure."

  The position isn't "trust NIST PQ blindly"—it's "NIST PQ is the best available response to an irreducibly uncertain threat." For immutable ledger systems where data persistence approaches infinity, even heavy-tailed engineering distributions don't provide adequate security margins.

  On authorship:

  Fair criticism. I've added proper attribution in the next revision. I'm Viktor, lead developer of Quillon-NarwhalKnight. The synthesis and system design are mine; the foundational perspectives from Shannon, Gutmann, Witten, Hellman, and Greene are of course theirs.

  On signatures vs. encryption in HNDL:

  This is technically the most subtle point, and you're right to raise it. Signature schemes don't encrypt secrets—you cannot "harvest now, decrypt later" a signature.

  However, the threat to signatures is real but distinct. If the underlying problem (e.g., discrete log) falls to CRQC, an adversary who has harvested signed messages could recover private keys and forge new signatures—effectively enabling "Harvest-Now-Forge-Later" (HNFL). For blockchains, this means retroactive theft from exposed addresses. The paper should have separated the encryption (HNDL) and signature (HNFL) threat models explicitly. Thank you for the correction.

  On Dual_EC_DRBG:

  I included it not to imply NIST PQ is backdoored—the public scrutiny of the PQC competition far exceeds what Dual_EC received—but to establish a non-zero prior on standards process compromise that prudent risk analysis cannot dismiss. The hybrid approach addresses this: even if ML-KEM/ML-DSA have unknown weaknesses, the classical layer provides a security floor.

  On DAG-BFT and Privacy:

  You raise an important distinction. You're correct that DAG-based BFT protocols (Bullshark, Mysticeti, Narwhal-Tusk) provide consensus and ordering—not privacy. Any validator can see the transaction graph, and if one publishes it, the data is public.

  Q-NarwhalKnight's privacy comes from layers above the consensus mechanism:

  1. Transaction-level privacy via zk-STARKs: Transaction amounts and sender/recipient relationships are hidden inside zero-knowledge proofs. Validators see and order proofs, not plaintext transactions. They can verify validity without learning contents—similar to Zcash's shielded pool, but using STARKs (no trusted setup) rather than SNARKs.
  2. Network-level privacy via Tor: Transaction submission and block propagation occur over dedicated Tor circuits with 4 circuits per validator, rotated per epoch. This prevents traffic analysis from linking IP addresses to transaction patterns.
  3. Mixing layer: A quantum-enhanced mixing protocol (inspired by Dandelion++) provides unlinkability even if an adversary controls some validators.

  The DAG-BFT layer sees opaque commitments and validity proofs. The "blockchain" that validators could publish contains:
  - Proof commitments (hashes)
  - zk-STARK validity proofs
  - Encrypted metadata

  Without the decryption keys (held only by transaction participants), this is cryptographically meaningless data.

  On the 50ms finality claim:

  The 50ms target applies to optimistic conditions with geographically proximate validators and pre-established Tor circuits. Under adversarial conditions or global distribution, we see 2-3 seconds (comparable to Bullshark). The paper should clarify this is a best-case figure, not a guarantee. Thank you for pushing on this—I'll revise to state "sub-3-second finality with sub-100ms optimistic path."

  The distinction from public blockchains like Bitcoin/Ethereum is that those systems broadcast plaintext transactions to all nodes. Even with mixers or L2 privacy solutions, the base layer contains unencrypted transaction graphs. Q-NarwhalKnight's base layer contains only proofs—the plaintext never touches the consensus layer.

  ---
   The privacy isn't from the DAG-BFT—it's from the zk-STARK transaction layer. The DAG-BFT orders proofs, not transactions. This is architecturally similar to Zcash (transparent vs shielded) but with the shielded mode as default and STARKs replacing SNARKs.


  ---
  I'd welcome further discussion, particularly on the formal treatment of Gutmann's engineering skepticism and the AI-driven variance inflation model. Your insights would be valuable as we refine the framework.

  Best regards,
  Viktor
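As an added example, not code from the paper or from Quillon-NarwhalKnight, the following Go program shows the hybrid construction the reply describes: an X25519 agreement and an ML-KEM-1024 (FIPS 203, the Kyber-1024 parameter set) encapsulation whose two shared secrets are both fed to one combiner, so that a recorded exchange can only be recovered by breaking both. It assumes Go 1.24 or later for the standard-library crypto/mlkem package. The combiner layout (a hash over a label, both secrets, the ciphertext and both public keys) and the label string are this example's own choices, modelled on the concatenation combiners used in X-Wing and the TLS hybrid-design drafts, not anything the paper specifies; the derived 32-byte key would then feed an AEAD such as the XChaCha20-Poly1305 layer the paper names.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Domain-separation label for the combiner. Hypothetical name chosen for this
// example; a deployment would fix its own.
const combinerLabel = "HYBRID-X25519-MLKEM1024-EXAMPLE-v1"

// HybridPrivate holds the recipient's two decapsulation keys. An adversary has
// to break BOTH X25519 and ML-KEM-1024 to recover sessions keyed under it.
type HybridPrivate struct {
	X  *ecdh.PrivateKey
	PQ *mlkem.DecapsulationKey1024
}

// HybridPublic is what the recipient publishes.
type HybridPublic struct {
	X  *ecdh.PublicKey
	PQ *mlkem.EncapsulationKey1024
}

// HybridCiphertext is what the sender transmits: an ephemeral X25519 public key
// (32 bytes) and an ML-KEM-1024 ciphertext (1568 bytes).
type HybridCiphertext struct {
	EphX []byte
	CtPQ []byte
}

// GenerateHybrid creates a fresh recipient key pair for both components.
func GenerateHybrid() (*HybridPrivate, *HybridPublic, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey1024()
	if err != nil {
		return nil, nil, err
	}
	priv := &HybridPrivate{X: xk, PQ: dk}
	pub := &HybridPublic{X: xk.PublicKey(), PQ: dk.EncapsulationKey()}
	return priv, pub, nil
}

// combine derives the 32-byte session key from both shared secrets and from the
// public values that produced them, so the key is bound to this exact exchange.
// Every input is fixed-length, so plain concatenation cannot be ambiguous.
func combine(ssX, ssPQ []byte, ct *HybridCiphertext, pub *HybridPublic) []byte {
	h := sha256.New()
	h.Write([]byte(combinerLabel))
	h.Write(ssPQ)
	h.Write(ssX)
	h.Write(ct.CtPQ)
	h.Write(ct.EphX)
	h.Write(pub.X.Bytes())
	h.Write(pub.PQ.Bytes())
	return h.Sum(nil)
}

// HybridEncap is the sender side: one ephemeral X25519 agreement plus one
// ML-KEM-1024 encapsulation, both fed to the combiner.
func HybridEncap(pub *HybridPublic) ([]byte, *HybridCiphertext, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssX, err := eph.ECDH(pub.X)
	if err != nil {
		return nil, nil, err
	}
	ssPQ, ctPQ := pub.PQ.Encapsulate()
	ct := &HybridCiphertext{EphX: eph.PublicKey().Bytes(), CtPQ: ctPQ}
	return combine(ssX, ssPQ, ct, pub), ct, nil
}

// HybridDecap is the recipient side. ML-KEM uses implicit rejection: a corrupted
// CtPQ of the right length yields a different pseudorandom key rather than an
// error, so integrity must come from the AEAD keyed with the result.
func HybridDecap(priv *HybridPrivate, ct *HybridCiphertext) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(ct.EphX)
	if err != nil {
		return nil, err
	}
	ssX, err := priv.X.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ssPQ, err := priv.PQ.Decapsulate(ct.CtPQ)
	if err != nil {
		return nil, err
	}
	pub := &HybridPublic{X: priv.X.PublicKey(), PQ: priv.PQ.EncapsulationKey()}
	return combine(ssX, ssPQ, ct, pub), nil
}

func main() {
	priv, pub, err := GenerateHybrid()
	if err != nil {
		panic(err)
	}
	kSender, ct, err := HybridEncap(pub)
	if err != nil {
		panic(err)
	}
	kRecipient, err := HybridDecap(priv, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys agree: %v, wire: %d + %d bytes\n",
		bytes.Equal(kSender, kRecipient), len(ct.EphX), len(ct.CtPQ))
}
```

Two things worth checking when reviewing any such combiner: that both shared secrets actually enter the hash (dropping either silently reduces the scheme to a single-primitive KEM while keeping the hybrid wire format), and that a tampered ML-KEM ciphertext does not produce an error, only a different key, so the caller must never treat a successful Decapsulate as evidence of integrity. Under the harvest-now-decrypt-later threat the reply discusses, a recorded (EphX, CtPQ) pair stays protected by whichever of the two problems remains hard.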




Sent with Proton Mail secure email.