Post-Quantum Account Authentication
Rivellum uses CRYSTALS-Dilithium3 (ML-DSA-65, FIPS 204) as its sole signature scheme. All accounts are post-quantum secure by default.
Key Scheme
| Property | Value |
|---|---|
| Algorithm | CRYSTALS-Dilithium3 (NIST Level 3) |
| Public key size | 1,952 bytes |
| Signature size | 3,309 bytes |
| Security level | Post-quantum (NIST Level 3) |
| Classical fallback | None — Dilithium only |
There is no hybrid mode or classical fallback. Every signature on Rivellum is post-quantum.
Single-Key Accounts
The default account type uses a single Dilithium keypair:
```rust
AccountAuth {
    scheme: KeyScheme::Dilithium,
    public_keys: vec![dilithium_pubkey],
    threshold: None,
    session_keys: vec![],
}
```
Multi-Signature Accounts
Multi-sig accounts require M-of-N Dilithium signatures:
```rust
AccountAuth {
    scheme: KeyScheme::DilithiumMultiSig { threshold: 2 },
    public_keys: vec![key_a, key_b, key_c], // 2-of-3
    threshold: Some(2),
    session_keys: vec![],
}
```
- Threshold range: 1 to N (where N = number of keys)
- All keys must be valid Dilithium public keys (1,952 bytes each)
- Intents require at least `threshold` valid signatures
Session Keys
Session keys provide delegated signing authority with fine-grained policies:
```rust
SessionKey {
    public_key: PublicKey::Dilithium(key_bytes),
    policy: SessionKeyPolicy {
        allowed_contracts: vec![contract_addr], // restrict to specific contracts
        max_fee_per_intent: 1_000_000,          // fee cap per intent
        expiration_ms: 1700000000000,           // absolute expiry timestamp
        max_calls: 100,                         // total invocations allowed
    },
    created_at_ms: 1699000000000,
    calls_used: 0,
    revoked: false,
}
```
Session Key Operations
| Operation | Description |
|---|---|
| Add | Register a new session key with a policy |
| Revoke | Permanently disable a session key |
| Use | Sign an intent (increments `calls_used`) |
Session keys are checked against their policy on every use:
- Must not be revoked
- Must not exceed `max_calls`
- Must not be past `expiration_ms`
- Target contract must be in `allowed_contracts`
- Fee must not exceed `max_fee_per_intent`
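The five checks above, sketched as a single fail-closed gate that consumes a call only after every check passes. This is an added example, not Rivellum's implementation: the field names come from the `SessionKey` struct on this page, while the field types, `Address`, `PolicyError`, `authorize_use`, `sample_key` and the exact boundary behavior at `expiration_ms` are assumptions.

```rust
// Added example: field names follow the SessionKey struct on this page; types,
// Address, PolicyError, authorize_use and sample_key are assumptions, not Rivellum's API.
type Address = [u8; 32]; // assumed address width
struct SessionKeyPolicy {
    allowed_contracts: Vec<Address>,
    max_fee_per_intent: u64,
    expiration_ms: u64,
    max_calls: u64,
}

struct SessionKey {
    policy: SessionKeyPolicy,
    calls_used: u64,
    revoked: bool,
}

#[derive(Debug, PartialEq)]
enum PolicyError { Revoked, CallLimitReached, Expired, ContractNotAllowed, FeeTooHigh }

/// Runs every policy check, and only then consumes one call from the budget.
fn authorize_use(key: &mut SessionKey, target: &Address, fee: u64, now_ms: u64)
    -> Result<(), PolicyError> {
    let p = &key.policy;
    if key.revoked { return Err(PolicyError::Revoked); }
    // calls_used counts completed uses, so the key is spent once it equals max_calls.
    if key.calls_used >= p.max_calls { return Err(PolicyError::CallLimitReached); }
    // Assumed boundary: the key is still valid at exactly expiration_ms.
    if now_ms > p.expiration_ms { return Err(PolicyError::Expired); }
    // An empty allow-list authorizes nothing (fail closed).
    if !p.allowed_contracts.contains(target) { return Err(PolicyError::ContractNotAllowed); }
    if fee > p.max_fee_per_intent { return Err(PolicyError::FeeTooHigh); }
    key.calls_used += 1; // rejected attempts never reach this line
    Ok(())
}

/// Constructed sample key: one allowed contract, a budget of two calls.
fn sample_key() -> SessionKey {
    SessionKey {
        policy: SessionKeyPolicy {
            allowed_contracts: vec![[1u8; 32]], max_fee_per_intent: 1_000_000,
            expiration_ms: 1_700_000_000_000, max_calls: 2,
        },
        calls_used: 0, revoked: false,
    }
}
fn main() {
    println!("{:?}", authorize_use(&mut sample_key(), &[1u8; 32], 500, 1_699_000_000_000));
}
```

Because `calls_used` is incremented only on the success path, a burst of rejected requests cannot exhaust a legitimate key's call budget.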
SDK Usage
The TypeScript AI SDK (`@rivellum/ai-sdk`) exposes `RivellumAgent` for AI-economy operations. Account authentication configuration (key scheme, session keys) is not wrapped by the SDK; query it directly via the HTTP API:
```typescript
// `address` is the account address to query.

// Query account nonce
const nonce = await fetch(
  `https://rpc.rivellum.network/v1/nonce/${address}`
);
const data = await nonce.json();
console.log(`Nonce: ${data.nonce}`);

// Query balance
const balance = await fetch(
  `https://rpc.rivellum.network/v1/balance/${address}`
);
const balanceData = await balance.json();
console.log(`Balance: ${balanceData.balance}`);
```
Or with curl:
```bash
curl https://rpc.rivellum.network/v1/nonce/0x1234.../
curl https://rpc.rivellum.network/v1/balance/0x1234.../
```
Security Considerations
- Dilithium3 is a NIST-standardized post-quantum signature scheme resistant to attacks from both classical and quantum computers
- Key sizes are larger than in classical schemes (Ed25519); in exchange, the scheme stays secure against quantum attacks that break those classical schemes
- Session keys limit blast radius: even if compromised, damage is bounded by policy constraints
- Multi-sig adds organizational security without sacrificing post-quantum properties