The mechanism, end to end. From key generation to a write-once inscription.
How a Falcon-1024 signature, an Algorand smart contract, and a numbered Vault Cell combine to produce an inscription designed to survive the cryptographic break.
Cryptography has an expiration date.
The signatures securing most of the world's value today — ECDSA on Bitcoin, on Ethereum, on every major chain — rest on the difficulty of the elliptic-curve discrete logarithm problem. Shor's algorithm, run on a sufficiently large quantum computer, solves it. Not theoretically. Mathematically.
NIST published the first three post-quantum standards on 13 August 2024 — FIPS 203 (ML-KEM / Kyber), FIPS 204 (ML-DSA / Dilithium), and FIPS 205 (SLH-DSA / SPHINCS+). Falcon was selected in 2022; its standard, draft FIPS 206 (FN-DSA), was released as an initial public draft in 2025, with formal NIST publication expected in 2026–2027. The schemes exist. The deployment is what's missing.
Falcon-1024, briefly: a lattice problem the future cannot solve.
Falcon is a hash-and-sign signature scheme over NTRU lattices, instantiated through the Gentry-Peikert-Vaikuntanathan (GPV) framework, using a short NTRU basis as its trapdoor and a fast-Fourier algorithm for discrete-Gaussian sampling. Verification reduces to a polynomial-arithmetic check in ℤq[x] / (xn+1) together with an L2 norm-bound check on the signature vector, at n = 1024, q = 12289. The hardness assumptions are NTRU key-recovery together with the Short Integer Solution problem over NTRU lattices (NTRU-SIS) — structured-lattice assumptions for which no efficient quantum algorithm is known. It is related to, but not identical with, the unstructured SIS/LWE problems whose average-case hardness the Ajtai and Regev reductions ground in worst-case lattice problems such as GapSVP; Falcon's NTRU setting relies on the NTRU and NTRU-SIS assumptions directly rather than on a clean worst-case-to-average-case guarantee.
1,793 bytes
Larger than ECDSA, but stable. Sits comfortably inside Algorand's transaction footprint.
~1,222 B · 1,423 max
Deterministic-compressed Falcon-1024. One of the most compact PQ-secure signatures in the NIST standard set.
1,700 opcode units
The native AVM falcon_verify opcode performs the verification on-chain — its published cost is 1,700 opcode-budget units, settled at a standard Algorand transaction fee. No off-chain trust required.
NIST FN-DSA · draft FIPS 206
Selected by NIST in 2022 as one of three post-quantum signature schemes for standardization (alongside ML-DSA / Dilithium and SLH-DSA / SPHINCS+); draft FIPS 206 (FN-DSA) was released as an initial public draft in 2025, with formal NIST publication expected 2026–2027. Algorand selected Falcon as its native PQ signature scheme based on signature compactness and verification cost.
Algorand is one of the few major Layer-1s where this primitive is already live on-chain.
Algorand exposes a native Falcon-1024 verification opcode (falcon_verify) at the AVM layer — introduced at AVM v12 (consensus v41, go-algorand v4.3.0). Smart contracts can verify lattice-based signatures on-chain, with consensus-secured finality. No other major Layer-1 exposes this primitive on-chain today: Bitcoin Script cannot do it; EVM does not have it.
The Algorand Foundation has done the cryptography work, the implementation work, and the deployment work. The substrate exists. TRELYAN is what gets inscribed on top of it.
From key generation to a tamper-evident artifact, in six steps.
The Cell holder generates a Falcon-1024 keypair locally — never shared, never escrowed. The public key binds to the Cell at acquisition; the private key never leaves the holder's control.
The holder composes the artifact: text, code, image bytes, or any payload up to 4 KB. Encoding and content are the holder's choice; the contract is content-agnostic.
The holder signs a fixed 102-byte domain-separated message — tagged TRELYAN-INSCRIPTION-v1 — binding the artifact hash (SHA-512/256) together with the app id, cell id, and genesis hash, using the Falcon-1024 private key bound to the Cell. It is this binding, not a bare signature over the artifact, that ties the inscription to one specific Cell, app, and chain.
The Algorand smart contract verifies the signature via the native AVM falcon_verify opcode. The verification is deterministic, on-chain, with consensus-secured finality. No oracle. No off-chain trust.
The contract writes the artifact hash (and, optionally, the artifact bytes themselves) into the Cell's state, transitioning the Cell from Sealed to Inscribed. The binding is write-once.
Pre-sale Cells become Released — freely transferable — when both (a) they have been inscribed and (b) 24 months have elapsed from genesis. The inscription travels with the Cell for the life of the chain.
A small, named, auditable trust surface.
The protocol asks the user to trust three propositions, each of which is independently auditable. (1) That Falcon-1024 is hard to break — that is, that the NTRU and NTRU-SIS assumptions over NTRU lattices remain conjecturally hard against polynomial-time quantum adversaries, with no efficient quantum or classical algorithm known; the draft NIST standardization in FIPS 206 (FN-DSA), not yet published, is the public artifact of that proposition. (2) That Algorand consensus is sound — that the cryptographic-sortition Pure Proof-of-Stake protocol delivers safety and liveness under the partially-synchronous threat model assumed by the 2019 mainnet deployment. (3) That the TRELYAN inscription contract behaves as specified — open-source TEAL, currently deployed unaudited on Algorand TestNet, to be audited by an independent firm with the audit report published alongside the contract address.
The user does not trust the founder, the foundation, a custodian, a multisig committee, or any off-chain process. The protocol is the trust boundary; everything else is documentation around it.