[Cryptography] Quillon Graph: A private, post-quantum electronic cash system

Viktor S. Kristensen overdrevetfedmetodologi at pm.me
Thu Jan 8 09:08:22 EST 2026


Ian,

Your complexity argument is sound engineering for ephemeral protocols. I'd apply it to TLS, Signal, SSH — systems where you can rotate keys, push updates, and yesterday's traffic is forgotten. The spooks indeed exploit the gap between theoretical security and deployed complexity.

But immutable ledgers break the "emergency update" escape hatch.

Consider the scenario: Quantum computers mature in 2045. You push an emergency update to your node software. Great — new transactions are now post-quantum. But what about the 2025 transaction graph that's been sitting on-chain for 20 years? That data doesn't receive your update. It's already been harvested, it's already recorded in an append-only structure, and if the classical crypto protecting it falls, there's no remediation path. You can't "hide amongst the noise" because the noise is also compromised — every classical signature on every historical block is now forgeable.

The asymmetry is:

  - Ephemeral systems: Simplicity wins. If threat materializes, rotate and update. Past sessions are gone anyway.
  - Permanent records: Security margin wins. If threat materializes, you cannot update the past. The chain remembers.

On complexity and attack surface — you're right that hybrid introduces implementation risk. But the failure modes are different:

  1. Implementation bug in hybrid: Attackable now, discoverable now, patchable now.
  2. Cryptographic break of single primitive: Attackable retroactively, affects all historical data, no patch possible.

I'll take the bug I can find and fix over the break I can't remediate.

On TLAs and committee capture: Fair concern, and why the implementation uses NIST PQ plus classical (XChaCha20-Poly1305). If NIST's process was compromised à la Dual_EC, the classical layer remains. If classical falls to Shor, the PQ layer remains. The complexity serves defense-in-depth, not feature accretion.

The "best of simple class" advice optimizes for implementation correctness. For ephemeral data, that's the right optimization. For data with τ_persistence → ∞, I'd rather have correct-and-possibly-overkill than elegant-and-possibly-insufficient.

That said — your point about attack surface is taken seriously. The hybrid implementation isolates the two paths cleanly: classical key derivation, PQ key derivation, final key = KDF(classical || pq). No complex interleaving. Compositional security, not combinatorial complexity.

Appreciate the pushback. These are exactly the tradeoffs the paper tries to formalize in Section 7.3.

-Viktor




Really important if something matters
