[Cryptography] Quillon Graph: A private, post-quantum electronic cash system
Viktor S. Kristensen
overdrevetfedmetodologi at pm.me
Sun Jan 11 08:01:00 EST 2026
John,
Your DES parallel is apt, and the "sucker bet" framing deserves a serious response.
You're right that the DES history was: NSA knew 56 bits was attackable, told everyone it was fine, and reaped the intelligence benefits. The pattern repeated with Dual_EC (backdoor) and arguably Crypto AG (wholesale compromise). Seven decades of documented adversarial behavior toward civilian cryptography.
So why would they advocate post-quantum now? Three scenarios:
Scenario A - They want us prepared:
NSA has cryptographic equities on both sides - they attack foreign adversaries and protect US communications. The push for PQ could be genuine defensive concern. If China develops CRQC before the US, NSA's collection capabilities are worthless while US secrets are exposed. Preparing the ecosystem now serves their defensive mission.
Scenario B - They're already ahead:
The cynical read of Dual_EC: they pushed it because they had the backdoor. The cynical read of PQ: they push it because they've already broken the lattice assumptions. We implement NIST's blessed algorithms; they read our traffic using whatever classical or quantum attack they've discovered on CRYSTALS/Kyber/SPHINCS+. The historical pattern supports this.
Scenario C - They're hedging:
They don't know if QC will mature, but if it does, they'd rather the transition happen now (while they can influence it) than in a decade (in a panic, with foreign algorithms). NIST PQ becomes the standard; any weaknesses they've found become long-term capabilities.
The honest answer: I can't distinguish these from the outside.
But here's why it may not matter for the specific application (immutable ledgers):
1. Hybrid defeats Scenario B. If NIST PQ is compromised, the classical layer (XChaCha20-Poly1305) remains. If classical falls to quantum, PQ remains. They'd need to break both. The same "belt without suspenders" criticism you make cuts against them if we do belt-and-suspenders.
2. Transparency defeats Scenario C. The implementation is open, auditable, and doesn't use NIST's blessed RNG. No Dual_EC-style constant-dependent backdoor can survive independent parameter generation.
3. Immutability changes the calculus. For TLS, if you bet wrong, your traffic from 2025 is readable in 2045 - bad but bounded. For Bitcoin-style systems, if you bet wrong, the 2025 transaction graph is readable in 2045 - worse because the data is deliberately preserved forever. The risk asymmetry favors preparation even if NSA's motives are suspect.
Your skepticism is warranted. Mine too. The response isn't "trust NIST" - it's "defense in depth against everyone, including NIST."
That said, I'll raise your implicit challenge directly: If the post-quantum push is a trap, what's the recommended alternative? Stay classical and accept the (disputed but non-zero) quantum risk? Use non-NIST algorithms (which ones? with what analysis history?)? The "don't trust NSA" position is strong on diagnosis but thin on prescription.
The paper's position is: diversify across trust assumptions. Use NIST PQ because it's the deepest available analysis pool, but layer classical crypto underneath because the analysis pool might be poisoned. Accept that this doesn't solve the trust problem - it just makes the attack surface require simultaneous breaks of independent assumptions.
If you have a better architecture that addresses both quantum and institutional threat models, I'm genuinely interested.
-Viktor