Manuel B. Santos

121 posts


@manel1874

Cryptography research engineer @tectonicxyz on post-quantum crypto. Prev. @nillion and @imperialcollege

Lisbon · Joined February 2013
492 Following · 131 Followers
Manuel B. Santos reposted
Craig Gidney
Craig Gidney@CraigGidney·
I would bet against Q day by 2030, but I wouldn't bet against it at 10:1 odds. ~10% risk is unacceptably high here, so I'm very in favor of transitioning to quantum-safe cryptography by 2029: blog.google/innovation-and… Yes this means I 90% expect to be made fun of in 2030. Oh well.
Manuel B. Santos
Manuel B. Santos@manel1874·
I feel the blockchain post-quantum P2P stack between nodes doesn't get much attention. With my colleague @shemnon, we explore a scenario where we move away from signatures to define peerIds in the execution P2P layer and look at three different protocols: ethresear.ch/t/exploring-si…
Manuel B. Santos
Manuel B. Santos@manel1874·
Tectonic team has proposed a PR to satoshilabs SLIPs to integrate ML-DSA into SLIP-0010 standard (a BIP-32-like deterministic derivation supporting different signing schemes). You can check the new proposed spec and the reference test vector code for more information 🧵
Manuel B. Santos reposted
Dr. Hugh Bitt
Dr. Hugh Bitt@Cat_States·
Do Bitcoiners understand the exponential? Over the past 15 years, the estimated physical qubits needed to crack RSA-2048 has dropped by 10,000x. 📉 2012: ~1 billion 📉 2017: 230 million 📉 2019: 20 million 📉 2025: ~900K 📉 2026: ~100K That last number? Published this month by Iceberg Quantum. $ETH has already started migrating to post-quantum cryptography. Meanwhile $BTC maxis are still debating whether quantum computing is even real. It's real. And the curve isn't slowing down. The question isn't if quantum breaks current crypto — it's whether your chain upgrades before it does. 🔑 10,000x in 15 years. What does the next 5 look like?
Alex Pruden
Alex Pruden@apruden08·
Extremely proud and excited for our team to contribute this new work, that addresses an *unsolved* problem with post-quantum cryptography for blockchains: enabling hierarchical deterministic (HD) wallets that generate multiple addresses from a single seed phrase. This paper enables that for ML-DSA, the NIST-recommended algorithm standardized last year. Instead of creating and storing every private key separately, modern wallets use a mathematical process to derive a tree of keys from that single seed. Each branch of the tree can generate new addresses, but all of them can still be recreated later from the same original seed. The purpose of this design is convenience and security. From this tree, the wallet can derive both private keys and the corresponding public keys for many addresses. An extended public key, often called an xpub, is a special public key that sits high in this tree and contains enough information to derive all of the child public keys underneath it. The purpose of an xpub is to allow address generation without exposing private keys. For example, a merchant or payment server can use an xpub to generate a new receiving address for every customer while the actual signing keys remain safely stored in a separate wallet. This separation improves operational security because the system that creates addresses does not need access to funds or signing authority. If you've ever used a modern wallet, or have ever integrated crypto into your business, you realize that this is *essential* infrastructure that must be ported over when we migrate to PQ.
Conor Deegan@conordeegan

New paper from our team. Post-quantum HD wallets with full non-hardened public key derivation. Watch-only wallets, xpubs, hierarchical key management, etc. all with provable security under standard lattice assumptions. BIP32 non-hardened derivation depends on the linear algebra of elliptic curves. You add an offset to a parent public key and get a valid child public key. Post-quantum lattice schemes break this in two ways. Some schemes round their public keys during key generation, which destroys linearity. And even without rounding, each derivation adds noise that changes the statistical profile of derived keys, breaking unlinkability. In this work, we built two constructions. The first uses ML-DSA for hardened-only derivation with full security proofs. The second, the main result, uses Raccoon-G, a variant of Raccoon with Gaussian-distributed secrets. We skip the rounding step and publish the full public key to preserve linearity. On top of this, Gaussians are stable under addition, so derived keys stay in the same distributional family as fresh ones. That gives you non-hardened derivation with provable unlinkability and unforgeability under standard lattice assumptions. The tradeoff is larger keys and signatures, and a bounded derivation depth. In practice the depth bound is not restrictive since real wallet structures like BIP44 only use non-hardened derivation for the last two levels anyway. We implemented both constructions in Rust. Paper and Github below.
Manuel B. Santos
Manuel B. Santos@manel1874·
@conordeegan Interesting work! One question that also bugged me from SRL25: how can one claim unlinkability if the A component of the public key is fixed in RandPK? In SRL25 they make the (imo not very strong) argument that subnets could exist with fixed A. Do you address that issue?
Conor Deegan
Conor Deegan@conordeegan·
New paper from our team. Post-quantum HD wallets with full non-hardened public key derivation. Watch-only wallets, xpubs, hierarchical key management, etc. all with provable security under standard lattice assumptions. BIP32 non-hardened derivation depends on the linear algebra of elliptic curves. You add an offset to a parent public key and get a valid child public key. Post-quantum lattice schemes break this in two ways. Some schemes round their public keys during key generation, which destroys linearity. And even without rounding, each derivation adds noise that changes the statistical profile of derived keys, breaking unlinkability. In this work, we built two constructions. The first uses ML-DSA for hardened-only derivation with full security proofs. The second, the main result, uses Raccoon-G, a variant of Raccoon with Gaussian-distributed secrets. We skip the rounding step and publish the full public key to preserve linearity. On top of this, Gaussians are stable under addition, so derived keys stay in the same distributional family as fresh ones. That gives you non-hardened derivation with provable unlinkability and unforgeability under standard lattice assumptions. The tradeoff is larger keys and signatures, and a bounded derivation depth. In practice the depth bound is not restrictive since real wallet structures like BIP44 only use non-hardened derivation for the last two levels anyway. We implemented both constructions in Rust. Paper and Github below.
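The linearity argument in the post above, as an added toy example in Python (not the paper's code and not Raccoon-G): plain integer vectors over Z_q stand in for module-lattice keys, and the modulus, dimension, rounding bits, error bounds and seed are all constructed for illustration. It shows that a child derived on the full public key stays a valid key whose error grows by a bounded amount per level (hence the depth bound), while a parent published only in rounded form cannot be correctly derived from by an xpub holder.

```python
# Toy integer model of the key-linearity argument (constructed example, not the
# paper's code): keys are t = A*s + e over Z_q with plain integer vectors, with
# Q, K, D and the error/offset bounds chosen for illustration only.
import random

Q, K, D = 3329, 4, 6   # toy modulus, dimension, bits dropped by rounding

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def vadd(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]

def centered(x):
    return x - Q if x > Q // 2 else x

def residual(A, t, s):
    """Largest |t - A*s| coordinate; a valid key pair keeps this small."""
    return max(abs(centered((a - b) % Q)) for a, b in zip(t, matvec(A, s)))

def small_vec(rng, bound):
    return [rng.randint(-bound, bound) for _ in range(K)]

def derive_child(A, t, s, e, d_s, d_e):
    """Non-hardened step on the FULL public key: t' = t + A*d_s + d_e.
    The xpub holder computes t' from (A, t) and the tweak alone; the
    signer's side becomes s' = s + d_s, e' = e + d_e (still small)."""
    t_child = vadd(vadd(t, matvec(A, d_s)), d_e)
    s_child = [a + b for a, b in zip(s, d_s)]
    e_child = [a + b for a, b in zip(e, d_e)]
    return t_child, s_child, e_child

def demo(seed=7, bound=2, tweak=1, depth=3):
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(K)] for _ in range(K)]
    s, e = small_vec(rng, bound), small_vec(rng, bound)
    t = vadd(matvec(A, s), e)                       # full, unrounded public key
    # 1) unrounded chain: every child is a valid key; the error grows by at
    #    most `tweak` per level, which is why derivation depth must be bounded.
    tc, sc, ec = t, s, e
    for _ in range(depth):
        tc, sc, ec = derive_child(A, tc, sc, ec, small_vec(rng, tweak), small_vec(rng, tweak))
    chain_residual = residual(A, tc, sc)
    # 2) rounded parent: only t >> D is published. Rebuilding the child from it
    #    misses the dropped low bits, so the xpub holder's t' != the signer's t'.
    d_s, d_e = small_vec(rng, tweak), small_vec(rng, tweak)
    true_child, _, _ = derive_child(A, t, s, e, d_s, d_e)
    from_rounded = vadd(vadd([(x >> D) << D for x in t], matvec(A, d_s)), d_e)
    gap = max(abs(centered((a - b) % Q)) for a, b in zip(true_child, from_rounded))
    return chain_residual, gap
```

The returned pair is (error bound reached after `depth` unrounded derivations, largest per-coordinate mismatch between the true child key and the one reconstructed from the rounded parent).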
Manuel B. Santos
Manuel B. Santos@manel1874·
Managing keys is always a pain. BIP-32/39/44 gave us HD wallets from one seed. How can we get the same deterministic UX for post-quantum? We designed a hybrid HD mechanism which you can read a bit more about in our blogpost below!
Tectonic@tectonicxyz

If you care about shipping PQ in wallets, this makes the upgrade path concrete with deterministic derivation for classical and post-quantum keys from the same seed phrase. Read more in the blog post below: tectonic.xyz/blog/hybrid-hi…
Manuel B. Santos reposted
Tectonic
Tectonic@tectonicxyz·
If you care about shipping PQ in wallets, this makes the upgrade path concrete with deterministic derivation for classical and post-quantum keys from the same seed phrase. Read more in the blog post below: tectonic.xyz/blog/hybrid-hi…
Manuel B. Santos
Manuel B. Santos@manel1874·
@wyatt_benno That's great! Excited to see any resulting improvements 👏 are you building on top of Symphony?👀
Wyatt Benno
Wyatt Benno@wyatt_benno·
@manel1874 Albi is on our team and he is working on it :) but more generally it is a goal.
Wyatt Benno
Wyatt Benno@wyatt_benno·
Amazing lattice folding work! Reminded of the 6 traits achieved: Plausible post-quantum security, Pay-per-bit commitment costs, Field-native arithmetic, Support for general (non-SIMD), Small-field support, Low recursion overheads. 1GPU will prove 1CPU core soon real time :) Now we want to bootstrap the NovaBlindFold forward into the Lattice setting. Lattice work fast -> isogeny work slow but in EC… many directions and high hopes: 1. Succinct lattice proofs. (Albi26) 👀 2. Adding ZK to lattice PCS. 2026 is a groundbreaking year for ZK (privacy), folding, JOLT, and lattice.
Wilson Nguyen@mercysjest

Excited to announce new additions to the Neo family. With @srinathtv, we introduce SuperNeo, a new lattice-based folding scheme that inherits all the benefits of Neo while eliminating the need for a SIMD constraint system and reducing witness sizes by ~64x (degree-wise)...[1/6]
Manuel B. Santos
Manuel B. Santos@manel1874·
@mercysjest @srinathtv Congrats on the paper! One question: you mentioned Symphony in the related works section. Can SuperNeo folding be used within Symphony, or is there a better SNARK system where SuperNeo can be used? Any idea? 👀
Wilson Nguyen
Wilson Nguyen@mercysjest·
Excited to announce new additions to the Neo family. With @srinathtv, we introduce SuperNeo, a new lattice-based folding scheme that inherits all the benefits of Neo while eliminating the need for a SIMD constraint system and reducing witness sizes by ~64x (degree-wise)...[1/6]
Manuel B. Santos
Manuel B. Santos@manel1874·
@hashbreaker One thing that bugs me: given 2026/279 (cf. Table 2) and NIST security evaluation criteria page, Kyber1024 is no longer under Category 5 and falls under Category 4. Am I missing something?
Manuel B. Santos reposted
Alex Rodriguez
Alex Rodriguez@AlexRdgzG·
📃New article with @merzsp ! We present new algebraic techniques to attack the Poseidon2 and Poseidon2b 🧜🔱 hash functions. This is a class on 'Skipping Class', and how to make 15000$ in one day. 💸 (1/12)
Fede’s intern 🥊
Fede’s intern 🥊@fede_intern·
What's going on in Poseidon land? Somebody explain it to me.
Manuel B. Santos reposted
Hack VC
Hack VC@hack_vc·
Heading to @EthereumDenver in a couple weeks? Check out our events -->
Manuel B. Santos
Manuel B. Santos@manel1874·
Great to witness this quantum race! A Chinese team from USTC is achieving fault-tolerant QER below the surface code threshold using their 107-qubit quantum processor Zuchongzhi. I believe it's the first team outside the US achieving this milestone! 👏 journals.aps.org/prl/abstract/1…