PQVM-native Post-Quantum L1

The Trust Layer You Need Before Q-Day

Shell Chain is built to protect identity and value in a post-quantum world. Q-Day — when quantum computers break today's encryption — is estimated as early as 2030.

The policy countdown has already started

RSA and ECDSA have an expiration date. Every chain that isn't post-quantum is a liability on the clock.

This isn't speculation. Three U.S. federal documents define the timetable. Builders who only start after the deadline will lose their chain in a forced migration.

Regulatory timeline

  1. 2024-08
    NIST FIPS 203/204/205 finalized

    ML-KEM, ML-DSA and SLH-DSA become US federal post-quantum standards. (source)

  2. 2025
    NSA CNSA 2.0 enforcement window opens

    US National Security Systems begin a mandatory PQ migration timetable. (source)

  3. 2030–2035
    CRQC (cryptographically-relevant quantum computer) maturity window

    NIST IR 8413 evaluation report: when classical asymmetric cryptography is expected to be at risk. (source)

  4. Today
    “Harvest now, decrypt later” attacks already active

    Cloud Security Alliance: long-lived encrypted data is being collected today for future quantum decryption. (source)

Migration is not optional. The question is who ships it first — and who ships it without forking.

What Shell Chain is

A PQVM-native Layer-1

We did not bolt quantum security onto an existing chain. We built it around NIST ML-DSA-65 / SLH-DSA-SHA2-256f signatures, paired them with native account abstraction so users can rotate keys without changing address, and engineered a three-layer block compression pipeline — Zstd, pubkey deduplication, and STARK signature aggregation — that shrinks a worst-case 7.76 MB block (30M gas at 2-second blocks) down to roughly 425 KB on disk after the proving window. That is an ~18× reduction, achieved without changing the Solidity developer experience.

30M gas / 2 s block worst-case (~7.76 MB raw) → ~425 KB final on disk after the STARK proof is shed at the end of its verification window. Live blocks are ~1.5 MB while proofs are retained. Source: BENCHMARKS.md (A1 + A2 + A3).
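
To show how much of that reduction pubkey deduplication can deliver on its own, here is an added example (not Shell Chain's code) that dictionary-encodes the ML-DSA-65 public keys in a block and measures what is left. The `SignedTx` and `DedupBlock` layouts, the 4-byte key index and the sample block are assumptions made for illustration; only the FIPS 204 key and signature sizes are real.

```rust
use std::collections::HashMap;

// ML-DSA-65 object sizes in bytes, from FIPS 204.
const PK_LEN: usize = 1952;
const SIG_LEN: usize = 3309;

// Hypothetical raw layout: every transaction carries its full public key.
#[derive(Clone, Debug, PartialEq)]
struct SignedTx { pubkey: Vec<u8>, sig: Vec<u8> }

// Hypothetical deduplicated layout: each distinct key once, referenced by index.
struct DedupBlock { keys: Vec<Vec<u8>>, txs: Vec<(u32, Vec<u8>)> }

fn dedup(block: &[SignedTx]) -> DedupBlock {
    let mut seen: HashMap<&[u8], u32> = HashMap::new();
    let (mut keys, mut txs): (Vec<Vec<u8>>, Vec<(u32, Vec<u8>)>) = (Vec::new(), Vec::new());
    for tx in block {
        // First sighting of a key appends it to the table; later ones reuse its index.
        let id = *seen.entry(tx.pubkey.as_slice()).or_insert_with(|| {
            keys.push(tx.pubkey.clone());
            (keys.len() - 1) as u32
        });
        txs.push((id, tx.sig.clone()));
    }
    DedupBlock { keys, txs }
}

// Rebuild the raw form; an out-of-range key index rejects the block instead of panicking.
fn restore(b: &DedupBlock) -> Option<Vec<SignedTx>> {
    b.txs.iter().map(|(id, sig)| {
        Some(SignedTx { pubkey: b.keys.get(*id as usize)?.clone(), sig: sig.clone() })
    }).collect()
}

fn raw_size(block: &[SignedTx]) -> usize { block.iter().map(|t| t.pubkey.len() + t.sig.len()).sum() }
fn dedup_size(b: &DedupBlock) -> usize {
    let keys: usize = b.keys.iter().map(|k| k.len()).sum();
    keys + b.txs.iter().map(|(_, s)| 4 + s.len()).sum::<usize>() // 4-byte index per tx
}

// Constructed sample: n transactions spread over `senders` distinct keys.
fn sample_block(n: usize, senders: usize) -> Vec<SignedTx> {
    (0..n).map(|i| SignedTx { pubkey: vec![(i % senders) as u8; PK_LEN], sig: vec![i as u8; SIG_LEN] }).collect()
}

fn main() {
    let block = sample_block(100, 10);
    println!("raw {} B, deduplicated {} B", raw_size(&block), dedup_size(&dedup(&block)));
}
```

For 100 transactions from 10 senders this goes from 526,100 B to 350,820 B, about 1.5×. The 3,309-byte signatures are untouched by deduplication, and they are the part the pipeline hands to STARK aggregation.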

  • NIST-standard ML-DSA-65 + SLH-DSA-SHA2-256f signatures
    NIST FIPS 204 · NIST FIPS 205
  • PQVM with EVM-familiar semantics — existing Solidity contracts deploy unchanged
    PQVM execution layer
  • Protocol-level account abstraction — key rotation without changing address
    Protocol-level

Post-Quantum Virtual Machine

PQVM — the execution layer that makes PQ economical.

PQVM reimplements EVM-familiar semantics in Rust, so your existing Solidity contracts, Hardhat scripts, and ethers.js tooling connect via a standard RPC compatibility layer. Native PQ precompiles expose ML-DSA-65 and SLH-DSA verification at the VM level — no classical-crypto precompiles ship. STARK aggregation then collapses thousands of PQ signatures into a single succinct proof, making post-quantum security economically viable at L1 throughput.

  • EVM-familiar semantics
    Solidity, Hardhat, Foundry, and ethers.js work unchanged through the RPC compatibility layer — no contract rewrites required.
    Solidity · Hardhat · Foundry · ethers.js
  • PQ precompiles
    ML-DSA-65 (FIPS 204) and SLH-DSA (FIPS 205) verify and batch-verify are built directly into the VM — no classical-crypto precompiles.
    FIPS 204 · FIPS 205
  • STARK aggregation
    Thousands of PQ signatures collapse into a single succinct proof, making post-quantum security economically viable at block scale.
    Winterfell · ~18× end-to-end
  • Native account abstraction
    AA is a protocol primitive — not an ERC-4337 bundler dependency. Rotate keys without changing your address.
    Protocol-level · no ERC-4337

Why this is not easily replicated

The only chain that satisfies three hard constraints at once.

Any competitor can match one column. Matching all three requires years of foundational rebuilding — not a fork.

 
               | NIST-signed PQ signatures     | Ethereum tooling-compatible | Shipped (not whitepaper)
Shell Chain    | ML-DSA-65 + SLH-DSA-SHA2-256f | PQVM-native                 | v0.23, testnet live
Ethereum       | research stage                | mainnet                     | PQ roadmap open
QRL / Algorand | XMSS or Falcon only           | not EVM                     | mainnet

STARK aggregation makes PQ signatures economically viable on PQVM. Without it, PQ-native execution at this scale is too heavy to sustain.

What's already in production

Thirteen shipped milestones. Next: incentivized testnet and mainnet genesis.

  1. Winterfell prover: A3 STARK layer compresses Dilithium3 signatures 7.1× (batch=5). Combined A1+A2+A3 pipeline: ~18× end-to-end (7.76 MB raw → ~425 KB pruned).

  2. Protocol-level smart accounts; 32-byte native addresses (0x + 64 lowercase hex); key rotation without changing address.

  3. Hot / warm / cold tiers; ZSTD compression for cold layer.

  4. Single-flag node classification; P2P StorageCapability advertisement; auto back-fill of historical bodies.

  5. Architecture re-split, consensus slashing wired in, network amplification fix, bounded mempool channels, supply-chain CI.

  6. Batch transactions (0x7E tx type, atomic InnerCall execution), native paymaster (sponsored gas), storage profiles CLI, Prometheus metrics, /healthz + /readyz probes, witness verification RPC.

  7. Live RPC, faucet, explorer, and external validator onboarding.

  8. Planned: Mainnet genesis

    After audit close-out and 90-day stable testnet.

Next

Public incentivized testnet (validator onboarding + independent audit) → mainnet genesis after 90 days of stable testnet.


Token economics

Where value accrues.

SHELL is consumed by every post-quantum verification, key rotation, and STARK aggregation proof — not held as governance collateral.

Tokenomics

  • Gas token

    All transaction fees are denominated in SHELL under a PQTx-native fee model of base fee + tip; the base fee is burned.

  • Validator stake

    WPoA stake-weighted proposer selection; slash conditions cover double-sign and equivocation (live since v0.17).

  • Aggregator bond

    STARK prover nodes post a SHELL bond and earn fees per accepted aggregation proof.

  • PQ verification services

    Off-chain DID resolution and key-rotation attestation are settled in SHELL.

Known risks

  • A NIST PQ algorithm is later broken

    Multi-algorithm Verifier trait; new schemes can be added without a hard fork.

  • STARK prover network centralisation

    v0.18 roadmap opens proving to bonded operators with slashing.

  • Inherited EVM vulnerabilities

    PQVM reimplements EVM-familiar execution; 69 internal audit findings already addressed.

Investors

Get on our radar.

We share testnet milestones, audit results, and token-economics updates directly with investors who register early.
