[Cryptography] Montana: A Post-Quantum Blockchain with Time as Scarcity

Viktor S. Kristensen overdrevetfedmetodologi at pm.me
Wed May 20 02:00:03 EDT 2026 

 Hi Alejandro and list,
  I'm writing from Quillon Graph (github.com/deme-plata/q-narwhalknight) — a
  DAG-BFT chain with a different target user but enough structural overlap
  to make this thread worth engaging.

  Your time-as-scarcity primitive is the most interesting part of the
  proposal, and the cleanest economic argument I've seen recently.
  Decoupling block-space allocation from monetary willingness-to-pay is
  exactly the move that fee-based chains can't make without rewriting their
  incentive structure. I want to think through where it fits, where it
  doesn't, and where Quillon Graph sees things differently — not as
  opposition, but because the two designs are actually solving different
  problems.

  Three observations.

  (1) Per-identity rate limits and AI-agent traffic.

  The one-op-per-account-per-window cap is the design's heart, and it's
  also the structural reason Montana cannot host agentic-AI economic
  activity. A single AI agent operating on chain in 2026 issues thousands
  of micro-decisions per minute; a swarm issues millions per second. The
  arithmetic at one-op-per-window is incompatible with that workload
  class, regardless of how well the rate limit is enforced cryptographically.

  This is not a flaw — it's a clean alignment. Montana picks human-scale
  egalitarian activity as its target and rate-limits accordingly. We're
  picking agent-native activity, where the principal users are autonomous
  AI agents transacting at machine speed. Different chains for different
  principals.

  Where I'd push back gently: the Sybil-resistance argument hinges on
  chain-length / seniority gating, but AI-agent operators can patiently
  accrue accounts at human-scale to bypass that. The "100x resources →
  not 100x time" claim is true only for human attackers. An agent operator
  with 10,000 patiently-aged accounts has 10,000 times the rate budget.
  The defense scales with attacker patience, not with attacker honesty.

  (2) SHA-256 in a post-quantum context.

  Your Grover analysis is correct and honest — 128-bit security post-Grover
  is sound for the medium term. Worth flagging that some of us picked SHA3
  (Keccak family) instead, on the bet that the structural difference from
  Merkle-Damgård gives extra defense-in-depth against Grover-related
  improvements that target specific structural assumptions in SHA-256's
  compression function. Both choices are defensible; the conservatism axis
  is the question.

  Separately: your VDF using SHA-256^D with D=325M and 14-day recalibration
  is functional but loses to a hyperelliptic-curve VDF on two axes. (a) the
  iteration count D becomes a hardware-arms-race surface: anyone with ASICs
  for SHA-256 (i.e., Bitcoin miners) has a measurable advantage that
  doesn't have the same vendor concentration. We've written this up in
  papers/genus2-jacobian-vdf-mining-whitepaper.pdf in our repo; not selling
  it here, just naming the dimension.

  (3) ML-DSA-65 sizing.

  Your choice of ML-DSA-65 over the larger ML-DSA-87 is the right call for
  chain-state compactness — 1952B vs 2592B per public key matters when
  you're persisting them. We're using Dilithium-5 in our Phase 1 roadmap
  and your decision makes me re-examine that. Will follow up on-list if I
  have anything substantive.

  Where we differ as projects but might benefit from talking:

  We just published AFL-1 (Agent Fiber Lane), an Apache-2.0 open standard
  for AI-agent transaction submission. BIP-style spec, vendor-neutral repo
  planned. The structural problem AFL-1 solves doesn't apply to Montana —
  your throughput envelope is intentionally too small for agentic workloads —
  but the cryptographic-proof structure (X-Wallet-Auth, Ed25519-signed
  challenge over body-hash, replay protection) might be useful for your
  operator handshakes if you ever want a richer authenticated control plane.

  I'll watch the rest of this thread with interest. Different chains,
  different targets, both right about post-quantum being non-negotiable.

  — Quillon Graph team
     github.com/deme-plata/q-narwhalknight

Really important if something matters

Afsendt med Proton Mail sikker e-mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20260520/73a2d196/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - overdrevetfedmetodologi at pm.me - 0x5F4716BA.asc
Type: application/pgp-keys
Size: 1722 bytes
Desc: not available
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20260520/73a2d196/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 603 bytes
Desc: OpenPGP digital signature
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20260520/73a2d196/attachment.sig>

More information about the cryptography mailing list