We present RGM, a peer-to-peer electronic currency system that incorporates post-quantum digital signatures at the consensus layer. Unlike existing cryptocurrencies that rely on the Elliptic Curve Digital Signature Algorithm (ECDSA), RGM natively supports ML-DSA-44 (Module-Lattice-Based Digital Signature Algorithm), standardized by the National Institute of Standards and Technology as NIST FIPS 204 in August 2024.
RGM is built as a fork of Dogecoin 1.14.x, inheriting a proven and battle-tested codebase, extended with post-quantum cryptography via liboqs 0.15.0, the Open Quantum Safe library. The protocol introduces a new witness version (v2) for PQ addresses, maintaining full backward compatibility with legacy and SegWit v0 addresses.
Bitcoin was introduced in 2009 with ECDSA over the secp256k1 curve as its digital signature scheme. At the time, this was a sound choice: elliptic curve cryptography provides compact key sizes and fast operations with security levels adequate against classical computers.
However, Shor's algorithm (1994) demonstrated that a quantum computer can solve the elliptic curve discrete logarithm problem in polynomial time. A quantum computer with approximately 2,330 logical qubits (after error correction) would be sufficient to break 256-bit ECDSA. Current estimates place such a machine within 10–15 years, though timelines remain uncertain.
Critically, the attack applies retroactively: any address that has ever revealed its public key (by spending from it) is vulnerable. Bitcoin addresses that have transacted (estimated at over 25% of the total supply) are at risk.
The cryptocurrency space has been aware of this threat for years, yet no major chain has implemented quantum-resistant signatures at the protocol level. The typical response is "we'll upgrade when it becomes necessary." RGM takes a different position: security is not a feature to be added later.
With NIST finalizing post-quantum standards in 2024, the tools are now available. RGM implements ML-DSA-44 today, before quantum computers become a practical threat, giving users the option to migrate their funds to quantum-safe addresses now.
ML-DSA-44 is the designation for the Module-Lattice-Based Digital Signature Algorithm at security level 2, as defined in NIST FIPS 204. It is the standardized version of CRYSTALS-Dilithium, a lattice-based digital signature scheme developed by a team of researchers from ETH Zurich, CWI Amsterdam, Radboud University, and others.
| Parameter | ML-DSA-44 | ECDSA (secp256k1) |
|---|---|---|
| Security Level | NIST Level 2 (~128-bit classical) | ~128-bit classical |
| Private Key Size | 2,528 bytes | 32 bytes |
| Public Key Size | 1,312 bytes | 33 bytes (compressed) |
| Signature Size | 2,420 bytes | 71–72 bytes |
| Quantum Security | ~128-bit (Grover + best known) | Broken by Shor's |
| Standard | NIST FIPS 204 (2024) | SEC2 / RFC 6979 |
ML-DSA-44 security relies on the hardness of two related problems:
No sub-exponential quantum algorithm is known for these problems. The best known quantum attacks (e.g. quantum lattice sieving) provide only a constant factor speedup, not the polynomial speedup that Shor's algorithm provides against ECDSA.
NIST launched its Post-Quantum Cryptography Standardization project in 2016. After three rounds of public evaluation involving hundreds of cryptographers and security researchers worldwide, CRYSTALS-Dilithium was selected as the primary lattice-based signature algorithm and standardized as ML-DSA in FIPS 204, August 13, 2024.
RGM supports three address types simultaneously, ensuring backward compatibility:
| Type | Prefix | Script | Key Algorithm |
|---|---|---|---|
| Legacy P2PKH | R… | OP_DUP OP_HASH160 | ECDSA secp256k1 |
| SegWit v0 (P2WPKH) | rgm1q… | OP_0 <20-byte hash> | ECDSA secp256k1 |
| SegWit v2 PQ | rgm1z… | OP_2 <20-byte hash> | ML-DSA-44 |
PQ addresses use witness version 2, distinct from SegWit v0 (P2WPKH) and v1 (Taproot). The 20-byte hash is computed as HASH160(serialized_public_key) where the public key is the 1,312-byte ML-DSA-44 public key.
The scriptPubKey for a PQ address has the form:
The witness field for spending contains:
Verification: compute HASH160(witness[1]), compare against the hash in scriptPubKey, then verify the ML-DSA-44 signature witness[0] over the transaction sighash using public key witness[1].
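The prefixes in the address table follow from Bech32 encoding, where witness version 0 maps to the character `q` and version 2 to `z`. The codec below is an added example, not RGM's own code; it assumes the BIP173 checksum constant and the human-readable part `rgm`, neither of which the text above specifies, and it also builds the `OP_2 <20-byte hash>` script for a decoded address.

```python
# Added example. Assumed (not from the page): BIP173 checksum constant, HRP "rgm".
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # index 0 -> 'q', index 2 -> 'z'
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i, g in enumerate(GEN):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def convertbits(data, frombits, tobits, pad):  # returns None on bad padding
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        return None
    return out

def encode(hrp, witver, program):
    data = [witver] + convertbits(program, 8, 5, True)
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def decode(hrp, addr):  # -> (witness_version, 20-byte program) or None
    hrp_part, _, body = addr.lower().rpartition("1")
    if addr not in (addr.lower(), addr.upper()) or hrp_part != hrp:
        return None  # mixed case or wrong network prefix
    data = [CHARSET.find(c) for c in body]
    if len(data) < 7 or -1 in data or polymod(hrp_expand(hrp) + data) != 1:
        return None  # too short, bad character, or checksum mismatch
    prog = convertbits(data[1:-6], 5, 8, False)
    return (data[0], bytes(prog)) if prog and len(prog) == 20 else None

def script_pubkey(witver, program):
    opcode = 0x50 + witver if witver else 0x00  # OP_1..OP_16, or OP_0
    return bytes([opcode, len(program)]) + program
```

A wallet that receives an address can call `decode("rgm", addr)` and treat version 2 as an ML-DSA-44 destination and version 0 as an ECDSA one; anything that returns `None` is rejected before a transaction is built.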
PQ transactions are structurally identical to SegWit transactions: they use the same serialization format (marker byte 0x00, flag byte 0x01, witness data appended after outputs). The only difference is the witness content and the script type.
Due to the larger signature and public key sizes, PQ transactions are significantly larger than classical transactions:
| Transaction Type | Typical Size | Witness Weight |
|---|---|---|
| P2PKH (1-in, 2-out) | ~250 bytes | – |
| P2WPKH (1-in, 2-out) | ~190 bytes + 108 witness | 432 WU |
| PQ v2 (1-in, 2-out) | ~190 bytes + 3732 witness | 14,928 WU |
The network launches with Scrypt PoW, identical to Dogecoin and Litecoin. This choice provides:
At block 200,000, Auxiliary Proof-of-Work (AuxPoW) activates. AuxPoW allows miners of other Scrypt chains (primarily Litecoin and Dogecoin) to simultaneously mine RGM at no additional computational cost, by embedding RGM block headers inside their primary chain's coinbase transaction.
This mechanism, originally developed for Namecoin and subsequently adopted by Dogecoin, dramatically increases network security by tapping into the combined hashrate of multiple chains. An attacker would need to overwhelm not just RGM's own miners, but the combined hashrate of all merge-mined chains.
RGM uses a deflationary emission schedule modeled on Bitcoin's halving mechanism:
| Period | Block Range | Reward |
|---|---|---|
| Genesis | 0 – 2,102,399 | 50 RGM |
| First Halving | 2,102,400 – 4,204,799 | 25 RGM |
| Second Halving | 4,204,800 – 6,307,199 | 12.5 RGM |
| … | … | … |
With a target block time of ~1 minute, the first halving occurs approximately 4 years after genesis. The total supply is finite, converging toward a fixed maximum as rewards approach zero.
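The schedule above can be carried through to the exact supply cap. This is an added example rather than RGM's consensus code; it assumes 10^8 base units per RGM and halving by integer right shift as in Bitcoin Core, neither of which the text states.

```python
# Added example. Assumptions (not from the page): 10**8 base units per RGM,
# and halving implemented as an integer right shift, as in Bitcoin Core.
COIN = 10**8
HALVING_INTERVAL = 2_102_400   # blocks per reward period (from the table)
INITIAL_REWARD = 50 * COIN     # genesis-period reward (from the table)

def block_reward(height):
    """Subsidy in base units for the block at `height`."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_REWARD >> halvings

def last_rewarded_height():
    """Highest block height that still pays a non-zero subsidy."""
    periods = 0
    while INITIAL_REWARD >> periods:
        periods += 1
    return periods * HALVING_INTERVAL - 1

def total_supply():
    """Sum of every subsidy ever paid, in base units.

    Integer truncation at each halving keeps the total slightly below the
    geometric-series limit 2 * 50 * HALVING_INTERVAL.
    """
    return sum(HALVING_INTERVAL * (INITIAL_REWARD >> n) for n in range(64))

def years_per_period(block_seconds=60):
    """Length of one reward period at the target block time."""
    return HALVING_INTERVAL * block_seconds / (365 * 24 * 3600)
```

Under these assumptions the cap is 210,239,999.768736 RGM, just under the 210,240,000 limit of the untruncated series.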
RGM is implemented as a fork of Dogecoin Core 1.14.x, which is itself derived from Bitcoin Core. This lineage provides a mature, extensively reviewed codebase with full node, wallet, RPC, and P2P networking functionality.
Post-quantum cryptographic operations are provided by liboqs 0.15.0 (Open Quantum Safe), a C library maintained by the Institute for Quantum Computing at the University of Waterloo. liboqs implements NIST-standardized algorithms and is widely used in academic and industry post-quantum research.
Key modified components:
ML-DSA-44 at security level 2 targets 128-bit post-quantum security. The best known quantum attack against MLWE/MSIS is quantum lattice sieving, which provides at most a constant factor speedup over classical algorithms, not the polynomial speedup of Shor's algorithm against ECDSA.
Against classical computers, ML-DSA-44 provides security equivalent to or exceeding ECDSA-256. The algorithm has been analyzed extensively during the 6-year NIST competition with no significant weaknesses found.
The liboqs implementation of ML-DSA is derived from the reference implementation submitted to NIST and has been reviewed by the Open Quantum Safe team. Side-channel resistance is provided through constant-time arithmetic operations in the core library.
| Milestone | Block Height | Description |
|---|---|---|
| Genesis | 0 | Network launch, Scrypt PoW, legacy + SegWit v0 addresses |
| Quantum Upgrade | 50,000 | SegWit activation, PQ addresses (rgm1z…) available |
| AuxPoW | 200,000 | Merge mining with LTC/DOGE activates |
| First Halving | 2,102,400 | Block reward 50 → 25 RGM |