Home / Migrate / Blockchain Node

Service Info

Status--
Endpointhttp://docker:8085
PQC AlgorithmML-DSA-65
FIPS StandardFIPS 204 (ML-DSA)

Where PQC is Used

Validator Registration

Register a node as a validator with ML-DSA-65 keypair. Validator address derived from SHA-256 of public key.

ML-DSA-65 (FIPS 204)
🧱
Block Signing

Validator signs each block with provider.sign(blockHash, privKey). Signature embedded in block header.

ML-DSA-65 (FIPS 204)
🔗
Chain Verification

Any node can verify the full chain by calling provider.verify() on every block signature + checking hash linkage.

ML-DSA-65 (FIPS 204)
🌐
P2P Peering

Peer connections authenticated with validator keys. Quantum-safe node-to-node communication.

ML-DSA-65 (FIPS 204)

Description

This service demonstrates quantum-safe blockchain validation — the same patterns you'll implement using the Qudo JNI provider in your validator/node software.

Validator identity: provider.generateKeyPair("ML-DSA-65") — validator address from public key hash
Block production: provider.sign(blockHash, validatorPrivKey, "ML-DSA-65") on each block
Chain verification: provider.verify() on every block signature — immutable quantum-safe audit trail
P2P security: Peer connections authenticated with validator keys

POST /api/blockchain/register-node Register a validator node
🔒 Qudo provider: provider.generateKeyPair("ML-DSA-65"). Validator address = SHA-256(publicKey)[0:20], 0x-prefixed.
POST /api/blockchain/add-block Sign and add a new block to the chain
🔒 Qudo provider: provider.sign(blockHash, validatorPrivKey, "ML-DSA-65"). Signature embedded in block; hash links to previous block.
GET /api/blockchain/chain Get the full blockchain
🔒 Returns all blocks with their ML-DSA-65 signatures, validator addresses, and hash chain.
POST /api/blockchain/verify-chain Verify signatures on every block
🔒 Qudo provider: provider.verify() called on each block's signature. Returns true only if all signatures valid + hash chain intact.
POST /api/blockchain/connect-peer Connect to a P2P peer
🔒 Registers peer in the network map. Production: authenticate peer with provider.verify() on handshake signature.
GET /api/blockchain/peers List connected peers
🔒 Returns all peer connections with addresses and status.
GET /api/blockchain/health Service health + chain length
🔒 Returns node status and current chain length.

Blockchain Node Migration Reference

Migrate your PoS validator node to quantum-safe block signing. Use this playground to try PQC validator operations, then use the Qudo JNI provider in your node software.

1. How It Works 2. Migrate Your System 3. Performance 4. Pitfalls 5. FAQ

1. How PQC Validators Work

Validator Node                                      Network Peers
   |                                                      |
   |  1. provider.generateKeyPair("ML-DSA-65")            |
   |     -> validator identity (address from SHA-256)      |
   |                                                      |
   |  2. Build block {index, prevHash, data, timestamp}    |
   |     blockHash = SHA-256(serialized block)             |
   |     sig = provider.sign(blockHash, privKey,           |
   |                          "ML-DSA-65")                  |
   |                                                      |
   |---- block + signature + validator address ---------->|
   |                                                      |
   |     3. Each peer verifies:                            |
   |        provider.verify(blockHash, sig, valPubKey,     |
   |                         "ML-DSA-65") -> must be true  |
   |        Check block.prevHash matches tip of chain
Validator Identity

Each validator has an ML-DSA-65 keypair. Address = SHA-256(publicKey)[0:20], 0x-prefixed. Replaces ECDSA secp256k1 / Ed25519 in PoS chains.

🔗
Chain Verification

Every peer independently verifies every block's signature with provider.verify(). Chain is quantum-safe as long as validator keys are ML-DSA.

2. Migrate Your System

Replace ECDSA/Ed25519 block signing with Qudo JNI calls. Consensus protocol (PoS, PoW, BFT) stays the same.

import com.qudo.crypto.QudoCrypto;
import com.qudo.crypto.QudoKeyPair;

QudoCrypto provider = QudoCrypto.create();

// ============================================================
// 1. Validator setup (once at startup, or during registration)
// ============================================================
QudoKeyPair validatorKeys = provider.generateKeyPair("ML-DSA-65");
byte[] addrHash = provider.sha256(validatorKeys.getPublicKeyPem());
StringBuilder sb = new StringBuilder("0x");
for (int i = 0; i < 20; i++) sb.append(String.format("%02x", addrHash[i]));
String validatorAddress = sb.toString();

// ============================================================
// 2. Sign a new block (during block production)
// ============================================================
String blockData = "{\"index\":42,\"prevHash\":\"0xabc...\",\"txs\":[...]}";
byte[] blockBytes = blockData.getBytes();
byte[] blockHash = provider.sha256(blockBytes);
byte[] blockSig = provider.sign(blockHash, validatorKeys.getPrivateKeyPem(), "ML-DSA-65");

// Broadcast: block + blockSig + validatorAddress + validatorKeys.getPublicKeyPem()

// ============================================================
// 3. Verify an incoming block (during chain validation)
// ============================================================
byte[] receivedHash = provider.sha256(receivedBlockBytes);
boolean valid = provider.verify(receivedHash, receivedSig,
    senderValidatorPubKey, "ML-DSA-65");
if (!valid) rejectBlock();
// Also check: block.prevHash == localChain.tip.hash

provider.close();
This is what runs in your validator node. Your consensus logic (leader selection, voting, finality) is unchanged — only the signature primitive swaps.

3. Performance

OperationML-DSA-65Ed25519 (classical)
Block sign~10ms<1ms
Block verify (per peer)~5ms<1ms
Signature size per block3,309 bytes64 bytes
Validator public key size~2,726 bytes (PEM)32 bytes
Block production stays fast: ~10ms sign is fine for 1-second block times. The cost is storage (~3KB/block) and bandwidth during chain sync.

4. Pitfalls

Pitfall: Chain size grows significantly

Cause: Each block signature is 3.3KB vs 64 bytes. A chain with 10M blocks stores ~33GB of signatures (vs 640MB classical).
Mitigation: Use light clients that don't store full signatures; archive old blocks; use ML-DSA-44 if throughput matters more than Level 3 security.

Pitfall: Validator key rotation

Cause: If a validator's private key is compromised, historical blocks remain signed by that key.
Fix: Rotate validator keys on-chain (governance tx). Chain verifiers check validator pubkey was active at the block's height.

5. FAQ

Q: Does my consensus protocol change?

A: No. PoS/PoW/BFT logic is independent of the signature algorithm. Only sign() and verify() call sites change.

Q: Can PQC validators co-exist with ECDSA validators?

A: During migration, yes — use dual signatures (see dApp simulator) or run a separate PQC-only chain with a bridge. Long-term, all validators should migrate to ML-DSA.

Crypto Inventory Scanner

Analyze any endpoint's cryptographic configuration. Enter a host:port to scan its TLS setup and identify what's quantum-safe vs what needs migration.

Scan Endpoint