Skip to content

Two-Wallet Demonstration β€” Substrate-Honest Disclosure

This page documents, research-grade and substrate-honestly, what the two-wallet workflow shows on live hardware: full secp256k1 ECDLP (ShorECDLPSubstrate, unbounded C⁴ walk), federation cosignature on every row, and layer-separated publication (L6 math β‰  L7 reward). Claim separation is metrology for peer review β€” the operator runs the full live substrate; frozen JSON names which layer closed.

Bit size discipline β€” two surfaces, one leak refused

Claim leak refused: reading bit_size=32 as β€œthe ECDLP oracle ran on a 32-bit curve.” It did not. The Shor ECDLP leg is always full Bitcoin secp256k1 (order n, P256K cross-check). bit_size governs wallet composition cadence only.

Surface What bit_size does What it does not do
Wallet composition (wallet demo create-exposed, V215) Operator selects {16, 32, 64, 128, 256}; recorded on the row; non-256 schemes may label secp256k1_demo_<n>bit Switch curve, switch order n, or shrink the ECDLP lattice
Shor ECDLP leg (gaiaftcl shor break-classical) bit_size may appear in witness/debug as provenance metadata Bind QC-001-ECDLP to a different reduction surface

Wallet composition

The operator selects a bit size from the closed set {16, 32, 64, 128, 256} when composing demonstration wallets. That selection is federation-cosigned in V215 and tracks substrate-development cadence (seed width, scheme label). It is not the ECDLP oracle parameter.

Shor ECDLP leg (always secp256k1)

gaiaftcl shor break-classical binds Q from the wallet's public_key_hex and runs the Shor-lattice ECDLP witness on Bitcoin secp256k1 via P256K. Periods come from ShorECDLPSubstrate (unbounded C⁴ walk; universal lattice rails; Q-only). Pass/fail is lattice + dG_eq_Q β€” not equality with TOML private_key_hex. Demonstration wallets are not evidence of breaking arbitrary mainnet keys.

Publication (2026-06-05): Paper v3 SHOR_ECDLP_RESEARCH_PAPER.md Β· wiki summary Research-Publication. Frozen datasets: ecdlp_research_*, ecdlp_evaluation_latest.json, qc_vm_validation_latest.json. ECDLP substrate: vqbit_metal (22 pipelines). Encoding cross-check (02… = G, 03… = βˆ’G) mandatory in gate v5; three structured seals in evaluation.v1 (neg-G, generator, bitcoin generator constant) β€” not random 256-bit Q.

Substrate-development cadence (wallet labels only)

V215 rows at bit_size labels 16, 32, 64, 128, and 256 record wallet-composition history on the operator's cell β€” seed material, scheme label, federation cosignature. That cadence is substrate-development evidence for how demonstration wallets are composed, not a matrix of ECDLP runs at shrinking curve orders.

The published ECDLP research leg (QC-001-ECDLP, frozen ecdlp_evaluation_latest.json) already operates on full secp256k1 for structured seals only. Extrapolating wallet bit_size labels into β€œECDLP validated at 16-bit, therefore 256-bit break” is the bit_size claim leak this page refuses.

Substrate-development toward production wallet operations may continue to use the {16…256} label set; each extension must land under closure discipline without re-labeling wallet metadata as ECDLP oracle results.

PQ reference library binding state

Three post-quantum signature schemes are registered today in PostQuantumSchemeRegistry:

  • ml-dsa-87 (FIPS 204)
  • ml-dsa-65 (FIPS 204)
  • slh-dsa-sha2-128s (FIPS 205)

Each registry entry carries referenceLibraryLinked = false. This flag is the substrate's load-bearing honesty surface: it is false until the operator binds the corresponding FIPS 204 / FIPS 205 reference library at a pinned source SHA-256, at which point the substrate's PQ keypair generation lands against the reference library and the flag flips with the binding event recorded under federation cosignature.

Until that binding lands, the substrate composes seed material substrate-natively. The seed pipeline is:

  • V211 β€” Rule 30 cellular-automaton seed composition. The substrate evolves Rule 30 across the M⁸ register and harvests the seed bits substrate-naturally rather than calling out to a classical RNG.
  • V214 β€” depth witnesses bind substrate-development distance into the seed composition under canonical witness.

The substrate-native seed pipeline is real substrate work and produces sealed, federation-cosigned evidence. What it does not do, and what this page refuses to claim it does, is produce a FIPS-conformant ml-dsa-87 / ml-dsa-65 / slh-dsa-sha2-128s keypair. Keypair generation at FIPS conformance lands when the reference library binds. Until then, the registry entries surface as schemes-with-seed-material-only, and the substrate refuses to compose a PQ migration evidence chain that asserts FIPS-conformant keypairs were generated.

Federation cosignature evidence

Cross-cell federation cosignature verifies demonstration evidence federation-mesh-wide. The substrate is not the sole authority on its own measurements; the federation is.

Each V215 row written during the two-wallet demonstration carries the five-context federation cosignature quintet. The quintet binds the demonstration row across the federation mesh so any cell in the federation can replay the row's canonical witness and verify it against the cosigning contexts independently. A V215 row with a missing or malformed quintet is not demonstration evidence β€” it is a pending record awaiting cosignature, and the substrate surfaces it as such.

V214 depth witnesses bind substrate-development distance into the demonstration substrate-mathematically. The depth witness composes the substrate-development cadence (how far the substrate has traveled along its development trajectory at the moment the row is sealed) into the row's canonical witness, so future replay reconstructs not just the measurement but the substrate-development distance at which the measurement happened. Depth witnesses are the substrate's structural answer to "when, in substrate-development terms, did this evidence land?" β€” answered substrate-mathematically rather than wall-clock.

Together, the V215 cosignature quintet and the V214 depth witness mean every row of demonstration evidence is federation-verifiable across the mesh and substrate-development-anchored in the substrate's own trajectory.

What this demonstrates vs what this doesn't demonstrate

What the two-wallet demonstration demonstrates

  • Operator-sovereign composition of Wallet A (exposed secp256k1) and Wallet B (UUM-8D-safed PQ) on the operator's cell, with V215 federation cosignature on every row.
  • shor break-classical against Wallet A's public_key_hex on full secp256k1 β€” lattice periods + dG_eq_Q via P256K (see frozen research export for structured-seal scope).
  • Wallet bit_size labels {16…256} recorded on V215 as composition cadence β€” not as ECDLP oracle width.
  • Substrate-native seed material via Rule 30 (V211) with depth witnesses (V214).
  • Honest refusal when PQ reference libraries are unbound (referenceLibraryLinked = false).

What the two-wallet demonstration does not demonstrate

  • Bit_size β‡’ mis-scoped ECDLP. The ECDLP leg does not switch to a 16/32/64/128-bit curve; bit_size is wallet metadata only.
  • Arbitrary mainnet key break. Research and demonstration paths use structured seals or wallet-bound Q β€” not random 256-bit entropy. See Research-Meaning.
  • FIPS-conformant ml-dsa-87 / ml-dsa-65 / slh-dsa-sha2-128s keypair generation while reference libraries remain unbound.
  • A PQ migration evidence chain asserting FIPS-conformant keypairs on both ends before binding lands.
  • Production-scale ECDLP convergence for random pubkeys β€” direction of substrate-development is not a sealed result.

The substrate-honest framing is the distinction between the two lists. The substrate has earned the first list and refuses the second list until the substrate-development that earns it lands under the closure discipline.

Federation cosignature: pending

This page is not yet in the signed manifest. Run gaiaftcl wiki sign --all.