A research blockchain combining post-quantum signatures, quantum-randomized consensus, and real zk-STARK shielded payments. Built from scratch — every claim covered by tests.
QChain explores what it would take to build a system secure against today's adversaries AND against future quantum computers AND with real privacy AND on a working peer-to-peer network — all in one coherent project.
A complete research blockchain: transparent, shielded, and fully-anonymous transactions coexist in the same blocks, gossiped between real nodes, with a hand-rolled zk-STARK system written in Rust.
Post-quantum signatures, quantum randomness, zk-STARK design from scratch (AIR, FRI, Fiat-Shamir), shielded pool design, P2P consensus, fork resolution — by composing well-known primitives.
Not production cryptocurrency software: no audits, no peer discovery, no DoS protection, in-memory only. Every shortcut is documented honestly in code and milestone READMEs.
Today's blockchains face two adversaries that aren't going away.
A sufficiently large quantum computer recovers private keys from public keys in polynomial time. Every secp256k1-signed transaction on Bitcoin / Ethereum becomes forgeable retroactively.
Bitcoin and Ethereum reveal sender, recipient, and amount of every payment. Address clustering deanonymizes most users within months of normal activity.
Each implemented end-to-end. Not stubbed.
Dilithium / ML-DSA-65 (NIST FIPS 204) replaces ECDSA on every transaction.
IBM Quantum QPU seeds stake-weighted PoS proposer selection.
Custom AIR over Goldilocks in Rust. 96 tests, including 14 adversarial ones.
TCP gossip, message dedup, fork resolution, chain re-sync on join.
FastAPI + WebSocket + React UI. Multi-node convergence in real time.
Compose them as needed. Or use all three.
| Property | Transparent | Shielded (M3) | Schnorr Anon (M4) | STARK Anon (M8.6+) |
|---|---|---|---|---|
| Note values hidden | ✗ | ✓ | ✓ | ✓ |
| Recipient pubkey hidden | ✗ | ✓ | ✓ | ✓ |
| Spender pubkey hidden | ✗ | ✗ | ✓ | ✓ |
| Cross-spend unlinkability | ✗ | ✗ | ✓ | ✓ |
| Which leaf was spent: hidden | n/a | ✗ | ✗ | ✓ |
| Value conservation in-proof | n/a | ✗ | ✗ | ✓ |
| Anonymity set size | n/a | n/a | — | 65,536 |
| Post-quantum safe | ✓ | ✓ | ✗ | ✓ |
What an external observer sees from each transaction.
M4's Schnorr proofs reveal the specific leaf being spent. And Schnorr breaks under quantum. So we built our own zk-STARK system in Rust.
M4 reveals which leaf was spent through the public Merkle path. That's unlinkable identity, not real anonymity. And Schnorr falls to Shor's algorithm.
A succinct proof that the spender knows some leaf in the pool — without revealing which one. Hash-based, quantum-safe by construction.
Using an existing SNARK library would hide the AIR design choices that matter. The premise is honest cryptography end-to-end. Built on Winterfell; the AIR is ours.
```
// trace layout: 17 cols × 64 rows
Block 0 (rows  0– 7):  LEAF → P0
Block 1 (rows  8–15):  P0 + sib₁ → P1
Block 2 (rows 16–23):  P1 + sib₂ → P2
Block 3 (rows 24–31):  P2 + sib₃ → ROOT
Rows 32–63:            padding (state unchanged)

// four constraint groups, all gated by periodic columns
hash round        deg 8   Rescue-Prime equation, fires within-block
block boundary    deg 3   next.input = swap_by_dir(prev.output, sibling)
witness static    deg 2   dir and sib stay constant within each 8-row block
direction binary  deg 2   dir × (dir − 1) = 0 — every direction bit is 0 or 1
```
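The four constraint groups above, checked row by row on a reduced trace. This is an added Rust example, not QChain's AIR: it assumes a 4-column row `[left, right, dir, sib]`, a toy Feistel round in place of Rescue-Prime, and hypothetical function names and a `padding` check. It shows why the direction-binary constraint is needed: with `dir = 2` the block-boundary equation still holds, but the hash input is neither `(out, sib)` nor `(sib, out)`.

```rust
// Added illustration, not QChain code. Toy round function stands in for Rescue-Prime;
// Row = [left, right, dir, sib] is an assumed 4-column reduction of the 17-column trace.
const P: u128 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime 2^64 - 2^32 + 1
type Row = [u64; 4];
fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P) as u64 }
fn sub(a: u64, b: u64) -> u64 { ((a as u128 + P - b as u128) % P) as u64 }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P) as u64 }
// Toy Feistel round (constructed for this example): (l, r) -> (r + l^7 + i, l).
fn round(l: u64, r: u64, i: u64) -> (u64, u64) {
    let (l2, l3) = (mul(l, l), mul(mul(l, l), l));
    (add(add(r, mul(mul(l2, l2), l3)), i), l)
}
// Algebraic swap_by_dir: dir = 0 -> (out, sib), dir = 1 -> (sib, out).
fn swap_by_dir(out: u64, sib: u64, dir: u64) -> (u64, u64) {
    (add(out, mul(dir, sub(sib, out))), add(sib, mul(dir, sub(out, sib))))
}
fn build_trace(leaf: u64, path: [(u64, u64); 3]) -> Vec<Row> {
    let mut t: Vec<Row> = Vec::new();
    let mut out = leaf;
    for &(dir, sib) in [(0, 0), path[0], path[1], path[2]].iter() {
        let (mut l, mut r) = swap_by_dir(out, sib, dir);
        for i in 0..8 {
            t.push([l, r, dir, sib]);
            if i < 7 { let n = round(l, r, i); l = n.0; r = n.1; }
        }
        out = l; // block output feeds the next block boundary
    }
    let last = t[31];
    t.resize(64, last); // rows 32-63: padding, state unchanged
    t
}
// Returns the first violated constraint group and its row, or None if the trace is valid.
// The `i % 8` and `i >= 31` tests play the role of the periodic gating columns.
fn check(t: &[Row]) -> Option<(&'static str, usize)> {
    for i in 0..t.len() - 1 {
        let (c, n) = (t[i], t[i + 1]);
        if mul(c[2], sub(c[2], 1)) != 0 { return Some(("direction binary", i)); }
        let (ok, name) = if i >= 31 { (n == c, "padding") }
            else if i % 8 == 7 { ((n[0], n[1]) == swap_by_dir(c[0], n[3], n[2]), "block boundary") }
            else if (n[2], n[3]) != (c[2], c[3]) { (false, "witness static") }
            else { ((n[0], n[1]) == round(c[0], c[1], (i % 8) as u64), "hash round") };
        if !ok { return Some((name, i)); }
    }
    None
}
fn main() {
    let t = build_trace(7, [(0, 11), (1, 13), (0, 17)]); // constructed leaf and path
    println!("root = {}, check = {:?}", t[63][0], check(&t));
}
```
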
Every gap shipped open. Every gap closed in its own scoped milestone. None hand-waved.
| Gap | What it was | M8.5 | Final | Closed by |
|---|---|---|---|---|
| A | Value conservation — unshield amount not bound to leaf value | OPEN | CLOSED | M8.8-A1 (range proof via 64 bit-decomposition cols) |
| B | Nullifier binding — same note spendable many times | OPEN | CLOSED | M8.6 (AIR computes nullifier = H(sk+1, r, v)) |
| C | Anonymity set ≤ 16 — too small to hide spends | OPEN | CLOSED | M8.7-C (Merkle depth 4 → 16, set size 65,536) |
| D | Pool not chain-replicated — each node had its own pool | OPEN | CLOSED | M8.7-D (ShieldTransaction gossiped + replayed) |
| — | P2P propagation of STARK txs | OPEN | CLOSED | M8.7 (new_stark_anon_tx wire message) |
| — | Chain replay validates historical STARK proofs | OPEN | CLOSED | M8.10 (is_valid() re-verifies historical proofs) |
Release-mode single-core. No marketing math.
The line between cryptography and crypto-LARP is honesty about what works and what doesn't.