Post-quantum security

Khromosome is quantum-secured at the protocol level. The signature scheme is ML-DSA-87 — Dilithium, standardized as FIPS 204, at NIST Level 5 (the highest parameter set). It is built into the chain in two ways:

On-chain verification — the ML-DSA-87 precompile

The Khromosome execution client (KhromePQ, a custom Reth v1.8 build) embeds a native ML-DSA-87 verification precompile at address 0x100. Dilithium verification is far too large to run as ordinary EVM bytecode; making it a precompile is what lets a contract demand a quantum-resistant signature on chain at all.

The PQVerifier library wraps the precompile:

  • Input is packed pk (2592 bytes) || sig (4627 bytes) || message.
  • It returns a 32-byte word — 1 means valid.
  • It fails closed: on a chain or fork without the precompile, verify reverts rather than silently returning false.

```solidity
import {PQVerifier} from "src/PQVerifier.sol";

// reverts on a malformed key/sig or a missing precompile; returns bool otherwise
bool ok = PQVerifier.verify(pqPublicKey, pqSignature, message);
require(ok, "bad PQ signature");
```
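
One way a wrapper can get the fail-closed behaviour listed above, as an added sketch that is not the project's PQVerifier source. The address 0x100, the two lengths and the 32-byte return word come from this page; the library name `PQVerifySketch` and the error names are hypothetical, and the sketch assumes the precompile returns exactly 32 bytes on every successful call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only; hypothetical names, not the deployed library.
library PQVerifySketch {
    address internal constant PRECOMPILE = address(0x100); // from the page
    uint256 internal constant PK_LEN = 2592;   // ML-DSA-87 public key bytes
    uint256 internal constant SIG_LEN = 4627;  // ML-DSA-87 signature bytes

    error BadKeyLength(uint256 got);
    error BadSignatureLength(uint256 got);
    error PrecompileUnavailable();

    function verify(bytes memory pk, bytes memory sig, bytes memory message)
        internal
        view
        returns (bool)
    {
        // Fixed-width fields: with wrong lengths the pk/sig/message
        // boundaries in the packed input would shift, so reject up front.
        if (pk.length != PK_LEN) revert BadKeyLength(pk.length);
        if (sig.length != SIG_LEN) revert BadSignatureLength(sig.length);

        // Packed input layout: pk || sig || message
        (bool success, bytes memory ret) =
            PRECOMPILE.staticcall(abi.encodePacked(pk, sig, message));

        // A call to an address with no code succeeds and returns zero bytes.
        // Treating that as "false" would hide a missing precompile, so any
        // result that is not a full 32-byte word reverts instead.
        if (!success || ret.length != 32) revert PrecompileUnavailable();

        // Only the exact word 1 counts as a valid signature.
        return abi.decode(ret, (uint256)) == 1;
    }
}
```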

Identity anchoring — PQRegistry

PQRegistry binds a quantum-safe public key to an account as a permanent identity anchor and records PQ-signed attestations:

  • registerKey(bytes pqPublicKey) — bind an ML-DSA-87 key to msg.sender. The full key is emitted in the KeyRegistered event for cheap off-chain retrieval; only its keccak256 hash is stored on chain as the immutable anchor.
  • The contract exposes SUITE = "ML-DSA-87", tracks totalRegistered, and supports key revocation and on-chain attestations (Attested).

What the chain guarantees is an immutable, quantum-resistant binding and attestation trail that a forged ECDSA signature cannot rewrite — even an adversary who breaks secp256k1 cannot retroactively forge a registered PQ identity.

See the deployed addresses in Contracts.