[Cryptography] Post-quantum confidential transactions: open problem with the commitment layer
Communitycoins
Communitycoins at proton.me
Sun Jun 21 22:07:15 EDT 2026
Hi all,
I'm working on a formal specification for a privacy-focused cryptocurrency
built entirely on post-quantum primitives, and I've hit a wall I'd like input
on. The full spec is public and there's no company, no funding, and no token
behind it. This is a design-first project, written before any implementation,
specifically so the cryptography can be reviewed before anything ships.
The signature and KEM layers are straightforward. FALCON-1024 for signatures,
Kyber-1024 for key encapsulation, both NIST 2024 standards. The problem is the
privacy stack.
The design targets Monero-style privacy: ring signatures for sender anonymity,
stealth addresses for the recipient, and confidential transactions to hide
amounts. The amount-hiding layer is where I'm stuck.
Confidential transactions conventionally use Pedersen commitments, which are
additively homomorphic and let the network verify that inputs equal outputs
without revealing any amount. Bulletproofs then prove each committed value is
in range. But Pedersen's hiding property rests on the discrete log assumption,
so the whole amount-hiding layer falls to Shor's algorithm. Swapping the
signature scheme for a lattice one does nothing about this.
The requirements I can't simultaneously satisfy with anything I've found:
1. Hiding and binding against a quantum adversary.
2. Additive homomorphism, so input/output balance is verifiable without
opening any commitment.
3. An efficient range proof, ideally logarithmic in the value range, the way
Bulletproofs are.
Hash-based commitments give me 1 but lose 2. Lattice-based commitments from
SIS/LWE can give me 1 and 2, but I haven't found a range proof construction
over them that's both production-ready and well-reviewed. Everything I've
found is either recent, large, or unproven in practice.
Two related questions on the same stack:
- Post-quantum ring signatures. Lattice constructions exist in the literature
but the signature sizes are large enough to worry me at blockchain scale. Is
there a current construction people consider settled for this use case?
- Key images. The standard construction derives the key image from the
discrete-log relationship between private and public key. That relationship
doesn't exist in a lattice setting. Is there an accepted way to build a
deterministic, unlinkable, unforgeable key image post-quantum?
I'd genuinely welcome being told the commitment problem is harder than I
think, or pointed at work I've missed. References, objections, or "this is
open and here's why" are all useful. The full specification is available and
I'm happy to share it with anyone interested.
Thanks for reading.
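The following is an added illustration, not code from the post above or from its specification. It makes the three requirements in the post concrete with toy, deliberately insecure parameters: a Pedersen commitment over a 953-order subgroup of Z_1907 (assumed toy safe prime, second generator derived by hashing), a hash commitment, and an Ajtai-style SIS commitment with a 4x9 matrix over Z_3329 where the amount is assumed to sit in the first coordinate of the opening vector. It shows the homomorphic balance check the verifier runs without openings, and why that check alone admits amounts that wrap around the modulus, which is the job the range proof has to do.

```python
"""Toy demonstration of commitment homomorphism and the balance check.
Added example, not code from the original post or its specification.
All parameters are tiny and INSECURE; they exist only to make the
homomorphism, the balance check and the wrap-around failure visible."""
import hashlib
import random
import secrets

# ---- 1. Pedersen commitment over a toy prime-order group (discrete log) ----
# Assumption: p = 2q + 1 with p, q prime (1907 = 2*953 + 1, a toy safe prime),
# so the squares mod p form a subgroup of prime order q.
P, Q = 1907, 953
G = 4                                # 2^2, a square, hence of order q
H, _ctr = 1, 0
while H in (1, G):                   # derive h by hashing so log_g(h) is unknown
    _d = hashlib.sha256(b"pedersen-h%d" % _ctr).digest()
    H = pow(int.from_bytes(_d, "big") % P, 2, P)
    _ctr += 1

def pedersen_commit(value, blind):
    """C = g^value * h^blind mod p: hiding from blind, binding from DLOG."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P

def pedersen_balanced(in_commits, out_commits):
    """Verifier's check; needs no openings since C(a,r)*C(b,s) = C(a+b,r+s)."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs

def pedersen_tx(in_amounts, out_amounts):
    """Prover side: the last output's blinding makes sum(r_in) == sum(r_out)."""
    r_in = [secrets.randbelow(Q) for _ in in_amounts]
    r_out = [secrets.randbelow(Q) for _ in out_amounts[:-1]]
    r_out.append((sum(r_in) - sum(r_out)) % Q)
    ins = [pedersen_commit(v, r) for v, r in zip(in_amounts, r_in)]
    outs = [pedersen_commit(v, r) for v, r in zip(out_amounts, r_out)]
    return ins, outs

# ---- 2. Hash commitment: post-quantum hiding/binding, no homomorphism ----
def hash_commit(value, blind):
    """sha256(value || blind).  H(a||r) and H(b||s) say nothing about
    H(a+b||r+s), so balance can only be checked by opening every commitment."""
    return hashlib.sha256(value.to_bytes(8, "big") + blind).digest()

# ---- 3. SIS-style lattice commitment, toy parameters (Ajtai-style hash) ----
# C = A * x mod q with x = (value, r_1..r_k).  Binding needs x to be SHORT:
# two distinct short openings of one C give a short z with A z = 0 (SIS).
LQ, LN, LK = 3329, 4, 8              # modulus, rows of A, randomness length
_rng = random.Random(2026)           # fixed seed: A is a public parameter
A = [[_rng.randrange(LQ) for _ in range(1 + LK)] for _ in range(LN)]

def lattice_commit(value, r):
    x = [value] + list(r)
    return tuple(sum(a * xi for a, xi in zip(row, x)) % LQ for row in A)

def lattice_balanced(in_commits, out_commits):
    """Same verifier check as Pedersen, now as vector addition mod q."""
    lhs = [sum(c[i] for c in in_commits) % LQ for i in range(LN)]
    rhs = [sum(c[i] for c in out_commits) % LQ for i in range(LN)]
    return lhs == rhs

def opening_norm(value, r):
    """Infinity norm of an opening; binding only covers openings below a bound."""
    return max(abs(value), *(abs(t) for t in r))

def lattice_tx(in_amounts, out_amounts):
    """Prover side: ternary randomness, last output absorbs the difference."""
    r_in = [[secrets.choice((-1, 0, 1)) for _ in range(LK)] for _ in in_amounts]
    r_out = [[secrets.choice((-1, 0, 1)) for _ in range(LK)]
             for _ in out_amounts[:-1]]
    r_out.append([sum(r[i] for r in r_in) - sum(r[i] for r in r_out)
                  for i in range(LK)])
    ins = [lattice_commit(v, r) for v, r in zip(in_amounts, r_in)]
    outs = [lattice_commit(v, r) for v, r in zip(out_amounts, r_out)]
    openings = list(zip(in_amounts, r_in)) + list(zip(out_amounts, r_out))
    return ins, outs, openings

if __name__ == "__main__":
    print("pedersen 5+7 -> 10+2:", pedersen_balanced(*pedersen_tx([5, 7], [10, 2])))
    print("pedersen 5 -> 6+(q-1) wraps:", pedersen_balanced(*pedersen_tx([5], [6, Q - 1])))
    ins, outs, op = lattice_tx([5], [6, LQ - 1])
    print("lattice 5 -> 6+(q-1) wraps:", lattice_balanced(ins, outs),
          "max opening norm:", max(opening_norm(v, r) for v, r in op))
```

Running it shows the same failure in both homomorphic schemes: an output of "6" plus an output of "q-1" balances against an input of 5, because q-1 is -1 in the exponent (Pedersen) or in the coordinate (lattice), so money is created. Pedersen fixes this with a range proof on the exponent. In the lattice setting the binding argument only holds for openings below a norm bound, so the proof has to show the opening is short, and shortness is not the same as being in range (the integer -1 is as short as 1), which is why lattice range proofs work on a bit decomposition of the amount. Note also that the honest last output's randomness is a sum of the other blinding vectors, so its norm grows with the number of inputs and outputs; a real scheme's binding bound has to leave room for that.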