Cryptographic Foundations

Every protocol layer targets at least 128-bit post-quantum security; the protocol-wide bound is 120 bits, set by the recursive proof system.

Cryptographic Stack

Layer                        Primitive                                         Security
User signatures              ML-DSA-65 (FIPS 204)                              128-bit PQ
Threshold encryption (MEV)   ML-KEM-768 (FIPS 203) + Shamir's Secret Sharing   128-bit PQ (KEM) + information-theoretic (sharing)
Symmetric encryption         AES-256-GCM                                       128-bit PQ
Out-of-circuit hashing       SHA3-256                                          128-bit PQ
In-circuit hashing           Poseidon (t=3, Rf=8, Rp=56, Goldilocks)           128-bit algebraic
Epoch randomness             MinRoot VDF over the Goldilocks field             Sequential; ASIC-resistant (assumed ≤ ~10× speedup)
Proof system                 ZK-STARKs (FRI-based, hash-only)                  >128-bit single proof; 120-bit recursive
Secret sharing               Shamir's (12-of-21 threshold)                     Information-theoretic (no computational bound)

Parameter check for the Poseidon row: a sponge hash's collision resistance is bounded by half its capacity, so a 128-bit target needs at least 256 bits of capacity. Over the 64-bit Goldilocks field that is four state elements, which a width-3 state (t=3) cannot provide; Goldilocks deployments that target 128 bits (Plonky2, for example) use t=12 with rate 8 and capacity 4, while the t=3, Rf=8, Rp≈56–57 shape is the standard parameterization for a ~254-bit field such as BN254. The listed parameters and the field should be reconciled before the 128-bit algebraic figure is relied on.
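The 12-of-21 Shamir row above is the one primitive in the stack whose guarantee is information-theoretic rather than computational. The following is an added example (not QBit code) that implements the scheme with the page's parameters and shows what the guarantee means in practice: twelve shares reconstruct the secret, eleven do not, and an attacker holding eleven shares can manufacture a twelfth that "explains" any secret of their choosing, so eleven shares carry no information about the real one. The field prime 2^521 - 1 and the 32-byte secret (standing in for a sealed transaction key) are choices made for this example.

```python
import secrets

# Mersenne prime 2^521 - 1 (chosen for this example): every 256-bit secret,
# e.g. an AES-256-GCM key, is a valid field element with no reduction.
P = (1 << 521) - 1
THRESHOLD = 12  # k: any 12 shares reconstruct (page's 12-of-21 parameters)
SHARES = 21     # n: shares issued to the committee


def lagrange_at(points, x0):
    """Evaluate the unique polynomial of degree < len(points) through `points` at x0 (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_secret(secret: bytes, k: int = THRESHOLD, n: int = SHARES):
    """Shamir split: the secret is the constant term of a random degree-(k-1) polynomial."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):  # Horner evaluation; x = 0 is reserved for the secret itself
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct_secret(shares, length: int = 32) -> bytes:
    """Interpolate at x = 0. Correct only if len(shares) >= k and the x's are distinct."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    val = lagrange_at(shares, 0)
    # With too few shares the value is an arbitrary field element, possibly wider
    # than the secret, so size the output to whatever came back.
    return val.to_bytes(max(length, (val.bit_length() + 7) // 8), "big")


def consistent_share(partial, candidate: bytes, x_new: int):
    """Given only k-1 shares, build a k-th share that makes them reconstruct to `candidate`.

    This is the information-theoretic property: k-1 shares fit every possible
    secret equally well, so they reveal nothing about the real one.
    """
    c = int.from_bytes(candidate, "big")
    return (x_new, lagrange_at(list(partial) + [(0, c)], x_new))


def demo():
    secret = secrets.token_bytes(32)  # constructed stand-in for a sealed transaction key
    shares = split_secret(secret)
    twelve = secrets.SystemRandom().sample(shares, THRESHOLD)
    eleven = twelve[:THRESHOLD - 1]
    ok = reconstruct_secret(twelve) == secret
    short = reconstruct_secret(eleven) == secret  # degree-10 fit at x=0: essentially never the secret
    # Holding 11 shares, an attacker can "explain" any secret they like:
    forged = eleven + [consistent_share(eleven, b"\xaa" * 32, x_new=99)]
    forged_ok = reconstruct_secret(forged) == b"\xaa" * 32
    return ok, short, forged_ok
```

Share indices are fixed at 1..n and x = 0 is never issued, since a share at x = 0 would be the secret itself; `consistent_share` picks an index outside that range only so the forged point does not collide with a real one.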

Why ML-DSA-65?

QBit uses ML-DSA-65 (formerly CRYSTALS-Dilithium, parameter set Dilithium3). Four reasons: integer-only arithmetic that is straightforward to implement in constant time (no floating-point side-channel risk of the kind FN-DSA signing carries), NIST security category 3, a finalized standard (FIPS 204, published August 2024), and an algebraic structure (polynomial arithmetic over Z_q[X]/(X^256 + 1) with q = 8380417) that maps efficiently onto STARK constraint systems.

Scheme          Sig Size        Security        Arithmetic                  Status
ML-DSA-65       3,309 bytes     NIST Level 3    Integer, constant-time      Finalized (FIPS 204)
FN-DSA-512      666 bytes       NIST Level 1    Floating-point (signing)    Draft (FIPS 206 not yet final)
SLH-DSA-192s    16,224 bytes    NIST Level 3    Hash-based                  Finalized (FIPS 205); ~5× larger signatures

The ML-DSA-65 signature size is the FIPS 204 figure; the pre-standard Dilithium3 signature was 3,293 bytes. FN-DSA's verifier is integer-only, but its signer samples over floating-point lattices, which is hard to make constant-time and is the side-channel concern referred to above.

STARK Circuit Analysis

Constraint estimates per ML-DSA-65 signature verification inside the STARK circuit (K = thousand constraints):

Component                    Constraints
SHAKE-256 expand             12–15K
NTT forward/inverse          8–10K
Matrix-vector multiply       12–15K
HighBits extraction          6–8K
Norm checks                  15–20K
Hint reconstruction          3–5K
Total per signature          56K–73K
State transition overhead    5–8K per tx
Effective total              61K–81K per tx

The per-signature total is the sum of the six component ranges; adding the per-transaction state-transition constraints gives the effective figure.

Security Budget

Component               Security Level
ML-DSA                  128-bit
SHA3                    128-bit
Poseidon                128-bit
Single STARK            >128-bit
Recursive (10 steps)    120-bit
Protocol (overall)      120-bit
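A sanity check on the recursive figure, added here and not part of the page's own analysis (the ten-step count and the single-proof bound are the page's; modelling the composition with a union bound is an assumption): if each of the $r = 10$ recursive verification steps has soundness error at most $\varepsilon_1$, a cheating prover succeeds only if it breaks at least one step, so

$$\varepsilon_{\mathrm{rec}} \le \sum_{i=1}^{r} \varepsilon_1 = r\,\varepsilon_1 .$$

With $\varepsilon_1 = 2^{-128}$,

$$\varepsilon_{\mathrm{rec}} \le 10 \cdot 2^{-128} = 2^{-128 + \log_2 10} \approx 2^{-124.7},$$

so a ten-step chain loses about 3.3 bits against the single-proof bound, and the 120-bit protocol figure leaves roughly 4.7 bits of margin under this model. The overall protocol level is the minimum over the components in the table, which is why it equals the recursive figure rather than the 128 bits of the individual primitives.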

Cryptographic Agility

Every QBit transaction carries a one-byte sig_version field, which lets the protocol accept multiple signature schemes concurrently.

Adding a new scheme follows a three-step process, in this order: implement the AIR constraints for the new signature verification, deploy the updated prover to Sentries, and pass a governance vote to activate the new sig_version on-chain. Activation comes last so that no Sentry is asked to accept a sig_version whose constraints it cannot check.

Users migrate at their own pace. Sentries accept the old and new schemes concurrently during the transition period. A deprecated scheme keeps a two-year sunset window during which users rotate keys to an active scheme; after the window, transactions carrying the retired sig_version are no longer accepted.
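The lifecycle above (activate by vote, accept two schemes side by side, reject a version after its sunset) is mostly bookkeeping that is easy to get wrong at the edges: an unknown version byte must fail closed rather than fall back to a default verifier, a version must not be accepted before its activation, and a signature made under one scheme must not be accepted when relabelled with another version byte. The following is an added example, not QBit's implementation, that shows one way to structure that dispatch. The wire layout (version byte, two-byte length, signature, body), the block heights, and the keyed-SHA3 tags standing in for ML-DSA verifiers are all constructed for this example; the sunset is expressed as a block count because the page gives it only as two years.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional

# Block heights below are hypothetical; the page fixes only that a version is
# activated by governance vote and that a deprecated scheme keeps a sunset window.
Verifier = Callable[[bytes, bytes, bytes], bool]  # (pubkey, message, signature) -> bool


@dataclass(frozen=True)
class SchemeEntry:
    name: str
    activation_height: int          # first height at which this sig_version is accepted
    sunset_height: Optional[int]    # last height at which it is accepted; None = not deprecated
    verify: Verifier


class SigVersionRegistry:
    """Maps the 1-byte sig_version to a verifier plus its on-chain lifecycle."""

    def __init__(self) -> None:
        self._entries: Dict[int, SchemeEntry] = {}

    def activate(self, version: int, entry: SchemeEntry) -> None:
        if not 0 <= version <= 0xFF:
            raise ValueError("sig_version is a single byte")
        if version in self._entries:
            raise ValueError("version bytes are never reused, even after sunset")
        self._entries[version] = entry

    def deprecate(self, version: int, at_height: int, sunset_blocks: int) -> None:
        e = self._entries[version]
        self._entries[version] = replace(e, sunset_height=at_height + sunset_blocks)

    def accepted_at(self, height: int):
        return sorted(v for v, e in self._entries.items()
                      if e.activation_height <= height
                      and (e.sunset_height is None or height <= e.sunset_height))

    def verify_tx(self, tx: bytes, height: int, pubkey: bytes) -> bool:
        # Wire layout assumed for this example: sig_version(1) | sig_len(2, BE) | sig | body
        if len(tx) < 3:
            return False
        version, sig_len = tx[0], int.from_bytes(tx[1:3], "big")
        sig, body = tx[3:3 + sig_len], tx[3 + sig_len:]
        if len(sig) != sig_len or not body:
            return False
        entry = self._entries.get(version)
        if entry is None:
            return False                        # unknown version: fail closed, no default scheme
        if height < entry.activation_height:
            return False                        # the vote has not activated it yet
        if entry.sunset_height is not None and height > entry.sunset_height:
            return False                        # past the key-rotation window
        # The version byte is part of the signed message, so a signature made for one
        # scheme cannot be re-labelled as another (a cross-version replay guard).
        return entry.verify(pubkey, bytes([version]) + body, sig)


# --- Stand-in "signature schemes" (constructed for this example) --------------
# The real verifiers would be ML-DSA-65 and its successor; here a keyed SHA3 tag
# plays the role of a signature so the lifecycle logic can be exercised offline.
def _tag_scheme(label: bytes):
    def sign(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, label + msg, hashlib.sha3_256).digest()

    def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(key, msg), sig)

    return sign, verify


SIGN_V1, VERIFY_V1 = _tag_scheme(b"scheme-v1")
SIGN_V2, VERIFY_V2 = _tag_scheme(b"scheme-v2")


def build_tx(version: int, key: bytes, body: bytes, signer) -> bytes:
    sig = signer(key, bytes([version]) + body)
    return bytes([version]) + len(sig).to_bytes(2, "big") + sig + body


def demo_registry() -> SigVersionRegistry:
    reg = SigVersionRegistry()
    reg.activate(1, SchemeEntry("legacy", activation_height=0, sunset_height=None, verify=VERIFY_V1))
    reg.activate(2, SchemeEntry("successor", activation_height=1000, sunset_height=None, verify=VERIFY_V2))
    # Governance deprecates v1 when v2 goes live; the two-year window is given as a block count.
    reg.deprecate(1, at_height=1000, sunset_blocks=2000)
    return reg
```

Two design points are worth keeping when replacing the stand-ins with real verifiers: a version byte is never reassigned after sunset, so an old signature can never become valid again under a future scheme, and the version byte is bound into the signed message rather than only used for dispatch.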