Hash-based commit-reveal authorization for EVM accounts: spend with one-time hash secrets instead of attaching a post-quantum signature to every transaction.
If a cryptographically relevant quantum computer arrives, Shor's algorithm breaks the elliptic-curve signatures (ECDSA, BLS) that every major chain uses to authorize transactions. The standardized post-quantum replacements fix the math but are heavy on-chain: an ML-DSA-44 signature is 2,420 bytes, SLH-DSA runs 8 to 17 KB. That cost is paid on every single transaction, forever, replicated across every node.
There is an older idea that avoids signatures entirely: authorize an action by revealing the preimage of a hash you committed to earlier. Security then rests on hash preimage resistance, which quantum computers only dent (Grover halves the exponent) rather than break. Versions of this idea have been proposed repeatedly since 2014: Fawkescoin (Bonneau and Miller), commit-delay-reveal migration for Bitcoin (Stewart et al. 2018), Dryja's Fawkescoin-variant soft fork sketch (2025), and a pairwise commit-reveal scheme by Finlow-Bates, Jakobsson and Siadati (2026).
What none of that work delivers: a real implementation, a security analysis against a realistic mempool adversary, or cost measurements against the post-quantum signatures it claims to beat. That is the gap this project fills. Build it, attack it, measure it honestly, including the cases where a plain PQ signature wins.
One account contract, three moves:
- Register. The account stores the Merkle root of
2^done-time leaves. Each leaf is the hash of a secret derived from a single seed, so the wallet only stores 32 bytes. Registration happens once and is amortized over all later actions. - Commit. To act, post a 32-byte commitment binding chain id, account, the exact action (target, value, calldata), a leaf index, and the leaf's secret. The commitment reveals nothing about the secret or the action.
- Reveal. After a minimum age in blocks and before the commitment expires, reveal the secret, the Merkle path, and the action. The contract checks the leaf is unused, the path is valid against the root, the commitment matches and has aged, then marks the leaf spent and executes the action.
An attacker watching the mempool learns the secret the moment the reveal transaction appears. It does them no good: using it requires a fresh commitment, and fresh commitments must age minCommitAge blocks before they can be revealed. The victim's already-aged reveal lands first. How large that safety margin really is under congestion, censorship and reorgs is exactly what this project measures instead of assuming.
Full protocol in docs/SPEC.md, adversary analysis in docs/THREAT_MODEL.md.
Honesty up front, since this space is full of overclaiming:
- On today's Ethereum the reveal transaction itself is still wrapped in an ECDSA-signed envelope. The protocol protects the authorization layer; the envelope needs account abstraction (or a quantum-emergency fork) to matter fully.
- Registration is a classical-crypto bootstrap. There is a trust window at account creation. This is a migration and contingency design, not a from-genesis pure-PQ chain.
- Commit-reveal costs two transactions and a delay. Whether that beats one fat PQ signature is an empirical question, and the benchmarks here treat it as one.
contracts/ Solidity account contract and tests (Foundry)
tooling/ Rust workspace: leaf derivation, Merkle trees, commitment
construction, golden test vectors shared with the contracts
bench/ Gas benchmarks against on-chain PQ signature verifiers
(ETHFALCON and ETHDILITHIUM vendored as pinned submodules);
results in bench/results/RESULTS.md
docs/ Protocol spec, threat model, the authorization game, and the
account-abstraction analysis (AA.md)
sim/ Committed simulator result vectors (tooling/qca-sim generates)
fees/ Historical base-fee sample and the empirical fee-cost analysis
- Protocol spec and threat model
- Account contract: commit, reveal, nullifiers, expiry, root rotation, defensive burn
- Rust tooling and cross-implementation golden vectors
- First adversarial review pass (PQ crypto, MEV, formal); findings folded into the design and docs
- Gas benchmarks vs on-chain ML-DSA and Falcon verification (results, measured from transaction receipts: the depth-16 commit+reveal flow totals 114K gas for authorization alone, 148K including a 1 ETH transfer, against 1.6M for the cheapest non-standard Falcon verifier and 8.2M for FIPS ML-DSA-44 per call; the two-tx structure breaks even only if basefee rises about 15x between commit and reveal; SLH-DSA rows are cited from upstream publications, not re-run, since no implementation has a license permitting vendoring)
- Formal authorization game (docs/GAME.md): the reveal race as a security game against a quantum mempool adversary, theft bounded by beta^a in the block-builder share, cross-checked by the simulator. An adversarial review of the model found a one-transaction denial-of-service (burn-griefing) that the first design missed; the fix (age-gating the defensive nullify) is in the contract, and its consequence is a clean impossibility result: race-free recovery from a leaked leaf cannot exist.
- Adversarial mempool simulator (tooling/qca-sim): Monte Carlo over the game, reproduces every closed-form bound and measures what the proofs cannot (fee-auction ties, concentrated builders, leaked-leaf recovery). Committed result vectors in sim/results.
- Empirical base-fee analysis (fees/results/RESULTS.md): replaying two years of real mainnet base fees (2024-2026), the two-transaction flow was cheaper than every measured PQ verifier at 100% of entry points over the operative minCommitAge window, and beats the cheapest Falcon verifier 99.7% of the time even under a full 256-block censorship delay. The single-number break-even is now a measured distribution.
- Recovery paths for lost leaf state
- Paper draft
MIT