BB84 eliminates ECDSA from every L2 transaction. Every action is authenticated through hash-chain preimage revelation — resistant to adversaries running Shor's algorithm on a quantum computer.
Shor's algorithm, running on a sufficiently large quantum computer, breaks ECDSA in polynomial time. Every signature leaks the private key. For a live rollup, this means any account can be drained — including withdrawal authorization and stealth-address privacy.
Grover's algorithm applies to hash functions but provides only a quadratic speedup. A 256-bit hash preimage still requires ~2¹²⁸ quantum operations to invert.
secp256k1 signatures used by every Ethereum account. A quantum computer with ~4000 logical qubits can derive the private key from any public key.
Spend authorization via keccak256(preimage) == lastReveal. Each spend is a one-time operation; replay prevented by a global nullifier set.
One-time addresses generated with ephemeral keys eliminate the link between sender and recipient. Recipients scan with a view key — no on-chain correlation.
A complete rollup stack from deposit to withdrawal, with ECDSA removed from every hot-path operation.
Accounts are anchored to a commitment chain[N]. Each spend reveals one preimage, walking backward through the chain. The NullifierTree predeploy prevents all replay attacks.
Senders generate one-time addresses for recipients using ephemeral Diffie-Hellman. Recipients scan chain events with their view key. No transaction graph linkage on-chain.
PrivacyLock L1 tokens, mint wrapped L2 tokens to a stealth OTA. Burn L2 tokens to initiate withdrawal. Full round-trip proven on Sepolia with MPT storage proofs and instant dispute resolution.
L1 ↔ L2Two-phase commit-reveal: a HashCommitTx binds the spend without revealing the preimage. Only the committed (nullifier, preimage, txDigest, nonce) tuple is accepted in the subsequent reveal.
The Onyx hardfork activates on top of Isthmus EVM. Smart contracts execute unchanged. Only L2 user transaction authorization is replaced — the execution environment is identical to mainnet Ethereum.
EVM CompatibleBuilt on the battle-tested OP Stack: sequencer, batcher, proposer, dispute game. The HashOutputOracle game type enables instant output proposals on the devnet.
Derive ota_spend_sk from entropy, compute a forward hash chain of length N, and register chain[N] as the commitment anchor on L2 via a deposit transaction.
Call depositWithStealth or depositWithStealthToken on the L1 portal. The op-node derives deposit transactions that register the OTA and mint funds on L2 — no L2 signature needed.
To spend: first send a HashCommitTx that binds the spend without exposing the preimage. Then send a HashRevealTx in a later block that proves ownership by revealing chain[N-k].
Initiate withdrawal via HashRevealTx. An output is proposed, a storage proof is generated, and after the maturity delay the L1 funds are released — fully ECDSA-free on the L2 side.
A minimal set of new contracts bridges the two layers with no ECDSA in the L2 hot path.
Add BB84 to MetaMask or any EVM wallet. The RPC is compatible with all standard Ethereum tooling — cast, ethers.js, viem, Foundry.
Try the Bridge →Where the protocol stands today against classical and quantum adversaries.
| Property | Classical Security | Post-Quantum (Shor/Grover) | Notes |
|---|---|---|---|
| L2 Spend Authorization | ✔ Hash preimage | ✔ 128-bit Grover security | Replaces ECDSA with keccak256 chain |
| Replay Prevention | ✔ Nullifier set | ✔ Collision resistance | Global NullifierTree on L2 |
| Front-Running Protection | ✔ Commit-reveal | ✔ Hash binding | Two-phase HashCommitTx + HashRevealTx |
| Sender Privacy | ✔ Stealth OTA | ✔ Ephemeral ECDH hidden on L1 | View key scanning, no on-chain link |
| L2 Batch Submission | △ ECDSA batcher key | △ Vulnerable to Shor | Known limitation — future work |
| Output Proposals | △ ECDSA proposer key | △ Vulnerable to Shor | Known limitation — future work |
| Smart Contract Execution | ✔ Full EVM | ✔ No ECDSA in hot path | Onyx hardfork blocks legacy tx types |
The network is live on Sepolia. Connect your wallet, bridge testnet ETH, and explore the hash-chain authentication primitives.