<div style="font-family: Arial, sans-serif; font-size: 14px;"><span><span>Fellow cypherpunks,</span></span><div><br></div><div><span> As earlier noted I've been working on a new distributed consensus system that I believe</span></div><div><span> addresses several open problems at the intersection of post-quantum</span></div><div><span> cryptography and Byzantine fault tolerance. It launches in 8 days. I'd</span></div><div><span> like to share the cryptographic architecture because I think some of you</span></div><div><span> will find the construction amusing.</span></div><div><br></div><div><span> **The short version:** We built a DAG-based BFT consensus protocol where</span></div><div><span> every cryptographic primitive — from block signatures to VDF time-locking</span></div><div><span> to privacy proofs — is post-quantum. Not "PQ-ready." Not "migration path</span></div><div><span> planned." Running. In production. On a live P2P network right now.</span></div><div><br></div><div><span> Here's what's under the hood:</span></div><div><br></div><div><br></div><div><span> 1. CONSENSUS: DAG-KNIGHT WITH GENUS-2 VDF ANCHOR ELECTION</span></div><div><br></div><div><span> The consensus layer uses a DAG structure (inspired by the Narwhal/Tusk</span></div><div><span> separation of data availability from ordering). Leader election uses a</span></div><div><span> Verifiable Delay Function, but not on ordinary elliptic curves.</span></div><div><br></div><div><span> We implemented a VDF over genus-2 hyperelliptic Jacobians following the</span></div><div><span> construction in IACR 2025/1050. 
The group order factoring problem on</span></div><div><span> genus-2 curves is believed to require ~O(p^{1/3}) quantum operations</span></div><div><span> vs ~O(p^{1/2}) for elliptic curves (Grover on Pollard-rho), giving us</span></div><div><span> a meaningful quantum security margin without the key bloat of lattices.</span></div><div><br></div><div><span> The practical benefit: anchor election that remains unpredictable even</span></div><div><span> to an adversary with a modest quantum computer, with VDF proofs that</span></div><div><span> are still efficiently verifiable classically.</span></div><div><br></div><div><br></div><div><span> 2. SIGNATURES: DILITHIUM5 + SQIsign HYBRID</span></div><div><br></div><div><span> Block signatures use NIST FIPS 204 (ML-DSA / Dilithium) at security</span></div><div><span> level 5. We also implemented SQIsign (IACR 2025/847 — the "2D-West"</span></div><div><span> variant) for contexts where 204-byte signatures matter more than</span></div><div><span> signing speed.</span></div><div><br></div><div><span> The isogeny-based construction is admittedly still aggressive for</span></div><div><span> production use, but having it as a selectable primitive means nodes</span></div><div><span> can switch without a hard fork. Crypto-agility is the point: we</span></div><div><span> designed the signature layer so that swapping algorithms is a config</span></div><div><span> change, not a consensus change.</span></div><div><br></div><div><br></div><div><span> 3. 
PRIVACY: CLSAG RING SIGNATURES + BULLETPROOFS + RECURSIVE STARKs</span></div><div><br></div><div><span> For confidential transactions, we use:</span></div><div><br></div><div><span> - CLSAG ring signatures (the same construction Monero adopted in 2020,</span></div><div><span> ~25% smaller than MLSAG) for sender anonymity</span></div><div><span> - Bulletproofs range proofs (Bunz et al., S&P 2018) to prove amounts</span></div><div><span> are in [0, 2^64) without revealing them</span></div><div><span> - A recursive STARK composition for proof aggregation — no trusted</span></div><div><span> setup, transparent, and plausibly post-quantum</span></div><div><br></div><div><span> The mixer protocol uses Chaumian blind signatures with a threshold</span></div><div><span> pool construction. Stealth addresses for receivers. The transaction</span></div><div><span> graph is designed to be opaque by default.</span></div><div><br></div><div><br></div><div><span> 4. NETWORK PRIVACY: DANDELION++ WITH TOR CIRCUIT MANAGEMENT</span></div><div><br></div><div><span> Transactions propagate through a Dandelion++ stem phase before</span></div><div><span> flooding, making it difficult to determine the originating node via</span></div><div><span> network topology analysis. The P2P layer runs over libp2p with</span></div><div><span> integrated Tor circuit management — 4 dedicated circuits per</span></div><div><span> validator, rotated per epoch.</span></div><div><br></div><div><br></div><div><span> 5. SYMMETRIC ENCRYPTION: AEGIS-256</span></div><div><br></div><div><span> Block-level encryption uses AEGIS-256 (IACR 2024/268) — the AES-based</span></div><div><span> AEAD that achieves ~2 cycles/byte on hardware with AES-NI. 
We chose</span></div><div><span> this over AES-GCM because AEGIS provides 256-bit security against</span></div><div><span> key-recovery attacks even under nonce misuse, and its internal state</span></div><div><span> is large enough (5 x 128-bit AES blocks) to resist quantum search on</span></div><div><span> the state space.</span></div><div><br></div><div><br></div><div><span> 6. HASH: SHA-3 / SHAKE256</span></div><div><br></div><div><span> Keccak everywhere. Block hashes, Merkle trees, address derivation, VDF</span></div><div><span> challenges. Grover's algorithm gives a quadratic speedup on preimage</span></div><div><span> search, so SHA-3-256 offers ~128-bit quantum security. We use SHAKE256</span></div><div><span> where variable-length output is needed (VDF challenges, KDF).</span></div><div><br></div><div><br></div><div><span> 7. KEY EXCHANGE: KYBER-1024 (ML-KEM)</span></div><div><br></div><div><span> P2P session establishment uses Kyber-1024 (NIST FIPS 203) for</span></div><div><span> key encapsulation. Combined with Noise protocol framework for</span></div><div><span> forward secrecy.</span></div><div><br></div><div><br></div><div><span> THE AMUSING PART</span></div><div><br></div><div><span> Bitcoin's SHA-256 + secp256k1 + RIPEMD-160 stack will survive first-</span></div><div><span> generation quantum computers through brute force (double the key</span></div><div><span> sizes, hope for the best). Most "quantum-resistant" blockchains bolt</span></div><div><span> on a single lattice signature and call it done.</span></div><div><br></div><div><span> We went the other direction: what if EVERY layer assumed a</span></div><div><span> cryptanalytically relevant quantum computer exists TODAY? 
Not as</span></div><div><span> a future contingency, but as a design constraint from day one.</span></div><div><br></div><div><span> The result is a system where:</span></div><div><span> - Block signatures are lattice-based (Dilithium5)</span></div><div><span> - VDF time-locking uses genus-2 curves (quantum-hard group order)</span></div><div><span> - Privacy proofs are STARK-based (no elliptic curve assumptions)</span></div><div><span> - Key exchange is lattice-based (Kyber-1024)</span></div><div><span> - Symmetric crypto assumes Grover (256-bit keys, AES-based AEAD)</span></div><div><span> - Hashing assumes Grover (SHA-3-256 = 128-bit quantum security)</span></div><div><br></div><div><span> The entire attack surface is: break lattices AND break genus-2 DLP</span></div><div><span> AND break SHA-3 AND break AES. Simultaneously. With the same quantum</span></div><div><span> computer.</span></div><div><br></div><div><br></div><div><span> NETWORK STATUS</span></div><div><br></div><div><span> 6 peer nodes currently syncing via libp2p gossipsub. DAG-BFT consensus</span></div><div><span> producing blocks every 2 seconds. Fully decentralized P2P propagation —</span></div><div><span> no central coordinator, no permissioned validator set.</span></div><div><br></div><div><span> Native DEX with constant-product AMM. Stablecoin (QUGUSD). Token</span></div><div><span> deployment via VM. 
All running on the post-quantum stack described above.</span></div><div><br></div><div><span> Launch: February 15, 2026.</span></div><div><br></div><div><span> Source: <a target="_blank" rel="noreferrer nofollow noopener" href="https://quillon.xyz">https://quillon.xyz</a></span></div><div><span> Node binary: wget <a target="_blank" rel="noreferrer nofollow noopener" href="https://quillon.xyz/downloads/q-api-server-linux-x86_64">https://quillon.xyz/downloads/q-api-server-linux-x86_64</a></span></div><div><br></div><div><span> I'm genuinely curious what this list thinks about the genus-2 VDF</span></div><div><span> construction for leader election. The security reduction is cleaner</span></div><div><span> than I expected, but I haven't seen it used in a consensus protocol</span></div><div><span> before. Happy to discuss the details.</span></div><div><br></div><div><span> — DK</span></div><div><span> Q-NarwhalKnight / Quillon</span></div><div><br></div><div><span>Note on Skepticism & The Need for Proof Against Quantum Threats</span><div><br></div><div><span>To the skeptics and the Gutmanns among us—who rightly demand proof and warn against overhyped timelines—I hear you. </span></div><div><span>The engineering challenges of building a cryptographically relevant quantum computer (CRQC) remain staggering, and </span></div><div><span>"20 years away" has been a moving target for decades. </span></div><div><span>The landscape has shifted in three critical ways:</span></div><div><br></div><div><span><b>AI as a variance compressor: </b>AI is no longer just a research aid—it’s a landscape navigator. Systems like GNoME, AlphaFold, and cuLitho</span></div><div><span> demonstrate the ability to traverse high-dimensional optimization spaces orders of magnitude faster than human intuition. 
This compresses </span></div><div><span>the upper tail of timeline distributions while inflating the lower tail—making earlier breakthroughs more probable, even if median estimates remain unchanged.</span></div><div><br></div><div><span>Industry timelines are now engineering schedules, not speculation: Google’s Willow processor achieved below-threshold error correction in 2024.</span></div><div><span> IBM, PsiQuantum, and Quantinuum have published funded roadmaps targeting fault-tolerant systems by the early 2030s. This isn’t academic conjecture; it’s capital-backed engineering.</span></div><div><br></div><div><span>Harvest-Now-Decrypt-Later is already operational: As documented in the Snowden disclosures and formalized in both PDFs, encrypted data is being collected and stored at scale. </span></div><div><span>The adversary is patient, storage is cheap, and the decryption clock starts the moment a CRQC comes online—whether that’s in 2035 or 2045.</span></div><div><br></div><div><span>Shannon’s limit is absolute: only information-theoretically secure systems are immune to HNDL. Everything else is a bet against time.</span></div><div><span> Hellman’s ethical framework reminds us that waiting for certainty is itself a decision—and often the wrong one when the cost of failure is unbounded.</span></div><div><br></div><div><span>Q-NarwhalKnight is built under the assumption that this bet is already risky enough to warrant action. We’re not claiming to have “solved” post-quantum security—no one can, per Shannon and Witten.</span></div><div><span> Instead, we’ve engineered a system where every layer assumes a quantum adversary exists today, forcing defense-in-depth across lattices, genus-2 curves, symmetric primitives, and hash functions.</span></div><div><br></div><span>I welcome the skepticism. It’s what keeps crypto honest. But I also invite you to read the timelines, track the hardware, and watch the AI accelerants. 
</span></div><div><span>The window for migration is measured in years, not decades—and it’s closing faster than we think.</span><br></div><div><span><br></span></div><div><span> References:</span></div><div><br></div><div><span> [1] IACR 2025/1050 - "VDFs from Genus-2 Hyperelliptic Curves"</span></div><div><span> [2] NIST FIPS 204 - ML-DSA (Dilithium) Digital Signature Standard</span></div><div><span> [3] NIST FIPS 203 - ML-KEM (Kyber) Key Encapsulation Mechanism</span></div><div><span> [4] IACR 2025/847 - "SQIsign2D-West: The Full Story"</span></div><div><span> [5] Bunz et al. "Bulletproofs" IEEE S&P 2018</span></div><div><span> [6] IACR 2024/268 - "AEGIS: A Fast Authenticated Encryption"</span></div><div><span> [7] Danev et al. "DAG-Knight: A Parameterless Generalization of</span></div><div><span> Nakamoto Consensus" (2022)</span></div><span><span> [8] Keccak/SHA-3 - NIST FIPS 202</span></span><span></span><br></div><div style="font-family: Arial, sans-serif; font-size: 14px;"><br></div>
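As an added illustration of the hashing section (6) above, the following Python shows the two habits that section implies when one hash family is used "everywhere": domain separation between Merkle leaves and internal nodes (so an internal node can never be passed off as a leaf), and a SHAKE256-based KDF whose variable-length output is bound to a purpose label and to the requested length. This is example code written here, not code from Quillon / Q-NarwhalKnight; the tag bytes, labels, and sample transactions are constructed for the example.

```python
"""Domain-separated SHA3-256 Merkle tree and a SHAKE256 KDF (illustration)."""
import hashlib
from typing import List, Tuple

# Constructed domain-separation prefixes: leaves and internal nodes are hashed
# under different tags, so a leaf whose bytes equal two concatenated child
# hashes does not collide with the internal node built from those children.
LEAF_TAG = b"\x00"
NODE_TAG = b"\x01"


def sha3_256(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def leaf_hash(tx: bytes) -> bytes:
    return sha3_256(LEAF_TAG + tx)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha3_256(NODE_TAG + left + right)


def merkle_root(leaves: List[bytes]) -> bytes:
    """Root over already-hashed leaves. An odd trailing node is carried up
    unchanged rather than duplicated, so padding cannot produce a collision
    between two different leaf lists."""
    if not leaves:
        return sha3_256(LEAF_TAG)  # empty-tree sentinel (constructed choice)
    level = list(leaves)
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling path for leaf `index`: a list of (sibling, sibling_is_right)."""
    if not 0 <= index < len(leaves):
        raise IndexError("leaf index out of range")
    proof: List[Tuple[bytes, bool]] = []
    level = list(leaves)
    idx = index
    while len(level) > 1:
        nxt: List[bytes] = []
        new_idx = idx
        for i in range(0, len(level) - 1, 2):
            if idx == i:
                proof.append((level[i + 1], True))
                new_idx = len(nxt)
            elif idx == i + 1:
                proof.append((level[i], False))
                new_idx = len(nxt)
            nxt.append(node_hash(level[i], level[i + 1]))
        if len(level) % 2 == 1:
            if idx == len(level) - 1:
                new_idx = len(nxt)  # carried up, no sibling at this level
            nxt.append(level[-1])
        idx, level = new_idx, nxt
    return proof


def verify_proof(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def shake_kdf(ikm: bytes, label: bytes, length: int) -> bytes:
    """Variable-length derivation with SHAKE256. A plain XOF is prefix-consistent
    (the first 32 bytes of a 64-byte output equal the 32-byte output), so the
    requested length and a length-prefixed label are mixed into the input:
    different purposes and different sizes never share output bytes."""
    if not label or len(label) > 255:
        raise ValueError("label must be 1..255 bytes")
    if length <= 0:
        raise ValueError("length must be positive")
    xof = hashlib.shake_256()
    xof.update(length.to_bytes(4, "big") + bytes([len(label)]) + label + ikm)
    return xof.digest(length)


if __name__ == "__main__":
    # Constructed sample "transactions"; five leaves exercise the odd-carry path.
    txs = [b"constructed-tx-%d" % i for i in range(5)]
    leaves = [leaf_hash(t) for t in txs]
    root = merkle_root(leaves)
    for i in range(len(leaves)):
        assert verify_proof(leaves[i], merkle_proof(leaves, i), root)
    print("root:", root.hex())
    print("vdf challenge:", shake_kdf(root, b"vdf-challenge", 48).hex())
```

Running the file checks every leaf's inclusion proof against the root and prints a 48-byte challenge derived from it; swapping the label (for example to a session-key purpose) or the length yields unrelated bytes, which is the property a shared SHAKE256 KDF needs when the same input material feeds several uses.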
<div style="font-family: Arial, sans-serif; font-size: 14px;" class="protonmail_signature_block ">
<div class="protonmail_signature_block-user "><div>Really important if something matters<br></div></div>
<div class="protonmail_signature_block-proton">
Sent with <a href="https://proton.me/mail/home" target="_blank">Proton Mail</a> secure email.
</div>
</div>