Independent technical reference — built by Postern Labs, not the protocol
Bloch-SIS-PoW, explained down to the source.
A post-quantum, pure-Proof-of-Work BlockDAG with no owner, no foundation, and no official site. This page exists because those two facts — "post-quantum L1" and "nobody runs it" — sound incompatible until you read the code. So we read the code. Everything technical below is sourced from the protocol's own repository or from a live query against the running chain.
Network at a glance
fetching live data from the public RPC…
Queried live, client-side, from https://blochv-node.fly.dev — a single public read-only node, not a consensus source. If the fetch above fails (ad-blockers, offline), the numbers shown are a snapshot taken while building this page. See the live block explorer for real-time blocks, or run curl yourself in Verify it yourself.
The framing, stated once, plainly
Two facts everything else here depends on.
1. This is not the official site.
Bloch-SIS-PoW has no official website and no official block explorer. If another site claims to be "the official Bloch site," it isn't — no such thing exists by design. This page is an independent initiative by Postern Labs to answer open questions and doubts about the protocol with source-grounded technical detail. It is explicitly temporary: it exists to serve during a moment of transition, and it will step aside once — or if — the community around the protocol stands up its own site, docs, and explorer.
2. The protocol has no owner.
Bloch-SIS-PoW is ownerless public infrastructure. There is no controller and no controlling entity — not Postern Labs, not any single party. Postern Labs is one builder among many on a neutral base: it consumes the same public RPC/API as anyone else, with no privileged role in consensus and no admin keys. Anyone can clone the repository, run a node, mine, and build on it. Nobody can stop them, and nobody granted permission for them to start.
These two facts are repeated throughout this page — in the disclaimer, in the footer, and wherever the distinction matters — because a reader arriving skeptical deserves not to have to hunt for them.
What makes Bloch different
Bitcoin's ethos, a post-quantum construction.
The governing ethos is deliberately Bitcoin-shaped: pure Proof-of-Work, no owner, no premine sold to anyone, coins that carry no governance weight, no controller. What's different is the construction underneath — built from scratch, after Shor's algorithm and Grover's algorithm were already known threats, rather than before. Below is what the source code implements — described plainly, not promised.
1 · Post-quantum by construction — the headline
Hybrid Falcon-1024 ‖ ML-DSA-65
Bitcoin secures every coin with ECDSA over secp256k1 — a classical elliptic-curve scheme that Shor's algorithm, run on a sufficiently large fault-tolerant quantum computer, is understood to break: an exposed public key becomes forgeable. No such computer exists today, and estimates of when one might vary widely — but the exposure is structural, not hypothetical. Bloch-SIS-PoW signs every transaction with two independent post-quantum lattice signature schemes concatenated, both of which must independently verify — a break of one scheme's underlying hardness assumption does not by itself forge a signature.
SHAKE-256 hashcash + a Module-SIS lattice gate
Where Bitcoin's mining puzzle is a pure SHA-256 preimage race, a valid Bloch-SIS-PoW block must satisfy two conditions: a short-vector Module-SIS residual check over a lattice derived from the block header, and a SHAKE-256 hashcash target on an auxiliary hash. Honest caveat, stated inline rather than left for the fine print: the lattice gate's live parameterization (k = 4) is deliberately relaxed for this beta and is, by the source's own description, trivially forgeable — see Proof-of-Work for the full mechanics and honesty notes.
Hashing throughout the protocol — the PoW aux-hash, block identity, and the Coherence shielded-pool's commitments and nullifiers — uses SHAKE-256, part of the SHA-3/Keccak family, which gives Grover's algorithm only a quadratic speedup against preimage and collision search (the standard post-quantum posture for hash-based constructions), versus Bitcoin's SHA-256.
The thesis, stated plainly: Bitcoin's proof-of-work is itself comfortably post-quantum (SHA-256, Grover-only speedup) — its quantum exposure is at the signature layer, where an exposed ECDSA public key becomes forgeable to a sufficiently capable quantum adversary. Bloch-SIS-PoW is an attempt at a pure-PoW Layer 1 built from scratch to close that specific gap at the signature layer, while keeping the hashcash security model that has held up for Bitcoin.
2 · GhostDAG-Q — a BlockDAG, not a single chain
Bitcoin orders blocks one at a time: two blocks mined within propagation delay of each other mean one is orphaned outright, its work discarded. Bloch-SIS-PoW's blocks can — and routinely do — carry multiple parents, and GhostDAG-Q colors each block blue or red based on a k-anticone rule (live k = 10) rather than discarding concurrent work outright. See Consensus below for the full blue-set/blue-score/blue-work mechanics and pseudocode. Net effect: a materially higher sustainable block rate and faster confirmation feel for a comparable security budget — the same PoW-depth finality model as Bitcoin, applied to a DAG instead of a chain.
3 · Coherence — an optional shielded pool, sharing one source of truth
A SHAKE-256 note-commitment / nullifier / Merkle-anchor design, proved in zero-knowledge by an SP1 guest program that shares the exact same core logic as the node's own validation — see Coherence. The source's own caveat is kept verbatim there: no privacy claim is made until it is audited.
4 · Pure-PoW, ownerless economics
No staking, no validator set, no ICO, no token sale ever, no listing initiative by any party, coins that carry zero governance weight. The reward-split machinery for a validator/oracle pool exists in source but both shares are hard-coded to zero — 100% of every block's subsidy goes to the miner, exactly Bitcoin's model. See Emission & the coin and Governance for how this pairs with a deliberately designed exit from any privileged role for whoever wrote the initial code.
Bloch-SIS-PoW vs. Bitcoin, side by side
| Dimension | Bitcoin | Bloch-SIS-PoW |
|---|---|---|
| Signatures | ECDSA / secp256k1 — breakable by Shor's algorithm on a future large quantum computer | Hybrid Falcon-1024 ‖ ML-DSA-65 — both halves must independently verify |
| Hash function | SHA-256 (SHA-256d for PoW) | SHAKE-256 (SHA-3/Keccak family) throughout |
| PoW puzzle | SHA-256 leading-zeros preimage race | SHAKE-256 leading-zeros hashcash + a Module-SIS lattice short-vector gate |
| PoW gate strength today | n/a | Relaxed (k = 4) — trivially forgeable by design, right now (candidate k = 8 reverted after stalling the chain) |
| Structure | Linear chain — concurrent blocks orphaned | GhostDAG-Q BlockDAG — concurrent blocks merged via blue set / k-anticone (k=10) |
| Finality model | PoW depth (confirmations) | PoW depth (confirmations) — same model, no BFT layer, no validator set |
| Issuance | 21,000,000 BTC cap, reward decays to 0 | 21,000,000,000 BLOCH nominal, reward decays to a perpetual 100 BLOCH/block tail floor |
| Pre-allocation | None | 17% of nominal supply, 10-yr cliff + 40-yr vest, structurally passive (no consensus power) |
| Governance | Ownerless, PoW, coins don't vote, adoption-only | Same model, plus a designed exit from any privileged author role — see Governance |
| Maturity | ~15 years live, heavily attacked and hardened | mainnet-beta, unaudited, low-hashrate and 51%-attackable at current size |
Sources for this section: crates/bloch-sis-pow/ (PoW), crates/bloch-crypto/src/crypto/mod.rs (signatures), src/consensus/mod.rs (GhostDAG-Q), crates/coherence-core/ (Coherence), crates/bloch-crypto/src/core/tokenomics_v2.rs (emission). Every figure is cross-referenced against the deeper sections below.
Read this before anything else
The complete disclaimer.
This section is deliberately thorough rather than buried in fine print. Honesty is the credibility this page is trying to earn — so here is everything, plainly.
Not the official site, no official anything
Bloch-SIS-PoW has no official website, no official block explorer, and no official app. This page is a non-official, independent technical reference, built and hosted by Postern Labs as one builder among many. It is temporary by design — a stopgap for a moment of transition, not a claim of stewardship. If a community forms around the protocol and stands up its own resources, this page is expected to step aside.
Bloch-SIS-PoW is public infrastructure that nobody owns, including Postern Labs. There is no foundation, no company behind the protocol itself, no admin key, and no privileged role in consensus for any party. Anyone runs it; anyone builds on it; nobody can be asked for permission because there is nobody positioned to grant it.
The chain runs a mainnet beta — a designation, not a security claim. The reference implementation has not been audited: no cryptographic peer review, no third-party security assessment has been completed on the PoW, the signature stack, the consensus implementation, or the shielded-pool code. Treat everything as research-grade software.
The network is nascent: a small number of nodes and low aggregate hashrate mean the chain's security budget is small. A well-resourced attacker could plausibly out-mine the honest network and reorganize recent history. This is an inherent property of a young, low-participation PoW chain — not a bug to be patched, but a fact to weigh before relying on any confirmation.
The live residual-gate width of the Module-SIS structural filter is k = 4 (TESTNET_RESIDUAL_COEFFS in source). At this width the gate contributes only a small rejection floor — the work is trivially forgeable in the sense that the structural filter alone is not hard to satisfy; all of the PoW's real security currently rests on cumulative SHAKE-256 hashcash work, which is itself modest on a low-hashrate chain. A stronger gate (k = 8) was activated once as a soft fork and then reverted because it multiplied mining difficulty roughly 4096× and the low hashrate of the day could not find blocks, stalling the chain. It is expected to return paired with a matched difficulty reduction. Until then, no elevated security is claimed for the gate.
There has never been a token sale, and there is no plan for one. No entity promotes, markets, or takes any initiative to list the coin on any exchange. The coin carries no value claim — it is not marketed as an investment, is not a security, and is not represented as having or acquiring monetary value. It is, by design, worthless as a financial instrument; whatever else it may be, it is not a promise of return.
Nothing on this page is advice of any kind. It is a technical description of a piece of software and the network it runs on. Consult qualified professionals for anything touching your specific legal, tax, or financial situation — this page cannot and does not attempt to substitute for that.
If you clone the repository, run a node, mine blocks, or hold any balance on this chain, you are doing so as an experiment on unaudited, 51%-attackable, research-grade software with a coin that carries no value claim. There is no support desk, no compensation fund, and no recourse. Treat it accordingly.
The protocol's consensus rules encode a one-time genesis allocation equal to 17% of nominal total supply (3,570,000,000 of 21,000,000,000 BLOCH), locked by a ten-year cliff and then released in 480 equal monthly tranches across the following forty years. This is disclosed here precisely because it is the one fact a skeptical reader should weigh most heavily against "ownerless": a meaningful share of eventual supply is pre-allocated in the consensus rules. What it does not do is grant its holder any special role: the allocation address has no admin key, no elevated permission, and no voting weight — GhostDAG-Q and SHAKE-256 hashcash do not recognize address identity in consensus at all. It is a structurally passive balance, nothing more.
Down to the source
How the protocol actually works.
Every claim below is sourced from the protocol's own crates — mostly bloch-sis-pow, bloch-crypto, and the node's consensus, coherence, and network modules — or from a live RPC query against the running chain. Where the source flags something as unaudited, provisional, or reverted, that qualifier is kept in, not rounded off.
0 · Block & header structure
What a block actually is, field by field.
A block (crates/bloch-crypto/src/core/mod.rs::Block) carries a header, a transaction list, DAG accounting fields, and the PoW witness itself:
This matches a live sample from getblockbyheight queried against the public node (see RPC reference): hash, height, blue_score, bits, nonce, merkle_root, parents[] — the RPC layer surfaces exactly these fields, plus a derived size and the transaction list.
Three different hashes, three different jobs
The source computes block-related hashes for three distinct purposes — worth naming precisely rather than assuming there's just one "the block hash":
- Block identity (
block_hash()) —SHA3-256("BLOCH-BLOCK-ID-V1" ‖ pow_preimage ‖ nonce ‖ pow_solution). This is the hash used everywhere that matters for consensus and storage: genesis registration, DAG insertion, block storage indexing, and reorg bookkeeping all key off this value (confirmed by direct usage insrc/main.rs,src/storage/mod.rs,src/reorg.rs). Binding the PoW solution into the identity hash prevents witness-malleability — you cannot take a valid block and swap in a different valid solution for the same header without changing its hash. - ASIC-facing mining hash (
pow_hash()) — double-SHA256 (SHA-256d) over an 80-byteMiningHeaderprojection laid out exactly like Bitcoin's classic header (version‖prev_hash‖merkle_root‖timestamp‖bits‖nonce), used only by the Stratum V1/V2 mining path so existing SHA-256d ASIC firmware and pool software can search a nonce in a familiar 80-byte shape. It is not the consensus PoW check — the source is explicit that "SHA-256d is gone" as a validity rule; this hash exists purely for hardware/pool wire compatibility during nonce search. - DAG indexing hash (
dag_hash()) —SHA3-256over the full, untruncated header serialization (all fields, not the 76-byte PoW projection), used internally for DAG reachability bookkeeping, kept distinct from PoW hashing on purpose.
How multiple parents become one 32-byte commitment
The Module-SIS PoW seed needs a fixed-size preimage, but parents is a variable-length DAG reference list. The header's 80-byte mining projection folds it down via parents_commitment(): sort the parent hashes ascending (so gossip reordering never changes the result), then pairwise SHA-256d-reduce them Bitcoin-merkle-style (duplicating the last element when the level is odd) until one 32-byte root remains — zero parents (only genesis) yields all-zero, one parent passes through unchanged.
The compact difficulty target — Bitcoin-style nBits
The header's bits field is a 4-byte compact encoding of a 256-bit target, "identical in spirit to Bitcoin's nBits" per the source's own comment: the top byte is an exponent, the low 24 bits a mantissa, decoded as target = mantissa << (8 × (exponent − 3)). A live sample from the public node: bits: "0x203fffc0" (from a getblockbyheight query). Retargeting runs on every block via ASERT-Lattice — an Absolutely Scheduled Exponentially Rising Targets algorithm anchored at genesis, tuned for a 30-second block time with a 2-day half-life and clamped to at most a 4× change per single retarget step (MAX_FACTOR = 4) to bound timestamp-manipulation attacks.
Source: crates/bloch-crypto/src/core/mod.rs (BlockHeader, Block, MiningHeader, parents_commitment, hash methods), crates/bloch-sis-pow/src/difficulty.rs (compact bits codec, ASERT-Lattice).
1 · Proof-of-Work
SHAKE-256 hashcash with a Module-SIS structural gate.
Bloch-SIS-PoW's proof-of-work is not "lattice-hard" in the sense of resting its security on the hardness of a Module Short Integer Solution (SIS) problem. It is a SHAKE-256 (Keccak) hashcash — cumulative work against a leading-zeros target, exactly like Bitcoin's SHA-256d, except the hash function is SHAKE-256. Layered on top of the hashcash is a Module-SIS structural gate: before a candidate's hash is even checked against the difficulty target, its accompanying solution vector must satisfy a short-vector condition over a lattice built from the block header. The gate does not replace hashcash security — it filters the search space and ties every valid block to a lattice-structured object, in the same algebraic family (same prime modulus q) as the chain's post-quantum signatures.
The three conditions a solution must satisfy
Conditions (1)+(2) are the Module-SIS structural gate: s must be a short vector (every coefficient in [-2, 2]) whose product with a header-derived matrix lands close to a header-derived target, modulo the prime q = 2²³ − 2¹³ + 1 = 8,380,417 — the same modulus ML-DSA-65 (FIPS 204) uses, chosen deliberately so the number-theoretic transform can be shared between the PoW and the signature subsystem. Condition (3) is the actual hashcash difficulty target: a SHAKE-256 digest of the solution, nonce, and header must fall below a threshold, exactly the "leading zero bits" difficulty familiar from Bitcoin.
| Symbol | Value | Meaning |
|---|---|---|
n | 256 | Solution vector dimension |
m | 512 | Matrix row count (m = 2n, conventional in lattice cryptography) |
q | 8,380,417 | Prime modulus, shared with ML-DSA-65's NTT |
B | 2 | ‖s‖∞ ≤ B — solution norm bound |
β | 523,776 (q/16) | ‖A·s − t‖∞ < β — residual bound |
k (residual width, live) | 4 | Coefficients of the residual actually checked today — the relaxed regime |
k (residual width, candidate) | 8 | A tighter gate, activated once as a soft fork then reverted — see below |
Step by step: how Block::validate_pow() actually checks a block
Two details worth making explicit: the residual width k is selected by the height of the block being validated, never the validator's current tip — so an attacker cannot lie about height to get an easier check (a height claimed too high only makes validation stricter, and the real height is independently checked before this runs). And the PoW seed's nonce is a full u64 supplied outside the 76-byte preimage — the crate's own seed derivation is SHAKE256(DOMAIN_SEED ‖ preimage ‖ nonce), matching the formula at the top of this section exactly.
Why the residual gate checks only k coefficients, not all m
Checking the residual against all 512 rows is not a stronger "canonical" mode — the source is explicit that at β = q/16 that configuration is simultaneously trivial for lattice reduction (√M·β ≥ q) and infeasible for honest small-s mining, broken in both directions. The design instead checks a small k of the rows, kept deliberately outside that trivial regime (√k·β < q), so the gate contributes a fixed rejection floor of roughly k · log₂(q / 2β) bits — about 12 bits at the live k = 4, about 24 bits at the candidate k = 8 — without ever becoming the chain's actual security source.
k = 4 — the relaxed regime
This is what the mainnet-beta chain checks right now (TESTNET_RESIDUAL_COEFFS in source). It is deliberately tiny — the source's own comment calls the resulting security "ZERO" from the gate alone. All real protection currently comes from cumulative SHAKE-256 hashcash work, which is itself modest given today's low network hashrate.
k = 8 — the candidate hardening
A soft fork (CANONICAL_RESIDUAL_COEFFS = 8) was activated on-chain at block 213,000. Because a k=8-valid solution is automatically k=4-valid (a strict prefix check), the change was a pure tightening — no chain split. But it multiplied mining difficulty roughly 4096×, and the network's low hashrate at the time could no longer find blocks, stalling the chain. It was reverted, and is expected to return only paired with a matched difficulty reduction so block time holds near 30 seconds.
The security model, stated the way the source states it
A trapdoorless PoW cannot be simultaneously lattice-hard and mineable: with no trapdoor, the same short-vector search that an honest miner runs is also the attacker's cheapest attack, so the "hard" and "mineable" regimes are provably disjoint at any single parameter set. Bloch-SIS-PoW's designers made this trade-off explicit rather than papering over it: the PoW's security is the cumulative SHAKE-256 hashcash work, full stop — no "N-bit lattice security" number attaches to any k. The Module-SIS gate is a structural filter that binds work to a lattice form (useful for tying the PoW to the same algebraic family as the signatures, and for future research directions), not the source of hardness.
Its post-quantum property, likewise, comes from the hash function: SHAKE-256 gives Grover's algorithm only a quadratic speedup against preimage/collision search, the standard post-quantum posture for hash-based constructions — not from any lattice hardness claim.
Source: crates/bloch-sis-pow/src/{lib.rs,params.rs}, crates/bloch-crypto/src/core/mod.rs (soft-fork activation constants), and the crate's own README, which we've paraphrased and checked figures against rather than invented.
2 · Signatures
Hybrid Falcon-1024 ‖ ML-DSA-65 — both must verify.
Every Bloch-SIS-PoW key, and every signature, is a concatenation of two independent post-quantum signature schemes: ML-DSA-65 (NIST FIPS 204, the standardized successor to CRYSTALS-Dilithium) and Falcon-1024 (a NIST-selected lattice signature scheme built on NTRU lattices). A signature verifies only if both halves independently verify.
| Scheme | Family / standard | Public key | Signature (fixed / max) |
|---|---|---|---|
| ML-DSA-65 | NIST FIPS 204 (module-lattice, ≈ NIST security category 3) | 1,952 B | 3,309 B (fixed) |
| Falcon-1024 | NIST PQC selection (NTRU-lattice, ≈ NIST security category 5) | 1,793 B | ≤ 1,462 B (variable — compressed encoding) |
Category numbers are the schemes' own published NIST security categories, not a protocol-specific claim — included here for context, not sourced from the Bloch-SIS-PoW repository itself.
Why hybrid, not just one scheme
Two independent lattice constructions, from different underlying assumptions (module lattices for ML-DSA, NTRU lattices for Falcon), mean a cryptanalytic break of one scheme does not by itself forge a valid signature — the attacker still has to break the other. It's belt-and-suspenders against the risk that any single, relatively young standardized post-quantum scheme has a weakness nobody has found yet. The cost is size: a hybrid public key and signature are roughly the sum of both schemes' sizes, several times larger than a single classical ECDSA key.
Crypto-agility: the suite header
Every enveloped public key, secret key, and signature carries a 4-byte B1 0C + suite-id header, registered in source: 0x0001 is today's ML-DSA-65 ‖ Falcon-1024 hybrid (the shipped default); 0x0002 is a defined ML-DSA-65-only suite, existing to demonstrate that Falcon is removable via the registry without a further wire-format break — it has not been removed, and the shipped default remains the hybrid.
A known implementation caveat, stated plainly
Falcon signing requires constant-time floating-point arithmetic to avoid side-channel leakage of the secret key — a materially harder engineering target than integer-only schemes. Falcon verification is deterministic integer arithmetic and consensus-safe; the caveat applies to the signing path. This is flagged in the reference crate's own documentation, not something we're surfacing to score a point — it's the kind of caveat an unaudited reference implementation should carry until reviewed.
Addresses and replay protection
An address is SHA3-256(public_key) truncated to 20 bytes, rendered as bloch1q… (mainnet) or bloch1t… (testnet) with a checksum. Every transaction's signed preimage additionally folds in a fixed domain constant plus a 4-byte chain-id (0xB10C_0001 mainnet / 0xB10C_0002 testnet), so a signature valid on one chain cannot be replayed on the other even with identical inputs.
Source: crates/bloch-crypto/src/crypto/mod.rs (hybrid sign/verify, suite registry), crates/bloch-crypto/src/crypto/mod.rs::falcon module, crates/bloch-crypto/src/address.rs, crates/bloch-crypto/src/core/mod.rs (key/signature size constants).
3 · Consensus
GhostDAG-Q — a BlockDAG, not a single chain.
Bloch-SIS-PoW's Layer 1 is a BlockDAG: blocks can — and routinely do — have more than one parent, and more than one "tip" can exist at once without either being orphaned. The ordering and security rule that turns this DAG into a single canonical history is GhostDAG-Q, an implementation modeled on the GHOSTDAG protocol used by Kaspa (the node's own source comments cite kaspanet/rusty-kaspa as the reference).
The coloring algorithm, in pseudocode
Paraphrased from src/consensus/mod.rs's block-insertion logic — not a literal copy, but the same steps in the same order:
Two safety properties this buys, both visible directly in source comments: colouring a block blue can never silently push an already-blue block's own anticone over K (the no_regression check above), and a red block is not discarded — it remains part of the DAG, is still fully validated, and can still carry transactions; it is simply excluded from the blue-work tally that drives selected-parent choice and the canonical total order.
The anticone parameter K
Two blocks are in each other's anticone if neither is an ancestor of the other in the DAG — i.e., they were mined concurrently, unaware of each other. GhostDAG-Q colors a block blue (counted toward the canonical order and blue score) if its anticone, intersected with the current blue set, has size at most K; otherwise it is colored red — still part of the DAG and still validated, but excluded from the blue-work accounting that drives selected-parent choice. The live value, confirmed both in source (GHOSTDAG_K) and by querying the running chain's getdaginfo RPC method, is K = 10.
How this differs from a single chain
- Concurrent blocks aren't wasted. On a classic single chain (Bitcoin), two blocks mined within propagation delay of each other mean one is orphaned outright — its work is discarded. On a BlockDAG, both become parents of later blocks; if their mutual anticone stays within
K, both are colored blue and both contribute to blue work and (via mergeset) to the canonical order. - The "longest chain" rule becomes "heaviest blue-work chain." Selected-parent choice is
argmax(blue_work), not block height — cumulative proof-of-work along the selected chain, Kaspa-aligned, is what a reorg has to out-produce. - Finality is still PoW depth. There is no BFT validator set and no separate finality gadget layered on top — Bloch-SIS-PoW's own documentation is explicit that finality works "à la Bitcoin/Kaspa": reorgs deeper than a checkpoint depth are rejected outright by the node (
CHECKPOINT_DEPTH = 1,000blocks), and block bodies below that horizon are eligible for pruning (PRUNING_DEPTH = 10,000blocks).
Source: src/consensus/mod.rs (GhostDAG-Q implementation, selected-parent and blue-set logic, checkpoint/pruning constants), crates/bloch-crypto/src/core/mod.rs::GHOSTDAG_K, and a live getdaginfo query against the public RPC endpoint (see RPC reference).
4 · Coherence
Coherence — the shielded-pool layer, and its honest caveat.
"Coherence" is the protocol's optional shielded-pool subsystem: SHAKE-256-based note commitments, nullifiers, and a zero-knowledge spend proof, built as a lean, portable core (coherence-core) shared verbatim by the node, an SP1 zkVM guest prover, and the mobile wallet, so all three agree byte-for-byte on what a valid shielded spend looks like.
How it fits together
- Notes are private value-carrying objects (
v, an owner tagpk_d, and two randomizersρ/ψ). Only their SHAKE-256 commitment is published, appended to a fixed-depth-32 incremental Merkle accumulator. - Spending a note reveals its nullifier — a SHAKE-256 hash keyed by a nullifier key and the note's position — which the node's consensus state records to block any future double-spend of the same note, without ever revealing which commitment it corresponds to.
- The node maintains a bounded window of accepted anchors (
ANCHOR_HISTORY = 100recent Merkle roots) so a spend proof stays valid for a short window after being built, and a bounded reorg-undo horizon (MAX_REORG_UNDO = 128blocks) to safely unwind shielded state on a chain reorganization without a full resync. - The actual zero-knowledge statement —
check_spend— is proved by an SP1 (RISC-V zkVM) guest program against exactly this same core logic, so the circuit and the node's own validation can never silently diverge.
The exact invariant — check_spend, the statement the ZK circuit proves
Three things this enforces, together: every spent note was really in the commitment tree at the published anchor (membership), every note is spent under its one true nullifier so the same note can never be spent twice (uniqueness), and the arithmetic balances exactly — inputs equal outputs plus the disclosed fee, with no room to mint value inside the shielded pool. This is coherence-core's check_spend function, run identically by the node's own validation and by the SP1 zero-knowledge guest program that proves it — both call the same code, so they cannot silently diverge.
The source's own caveat, kept verbatim: "Zero-security testnet: no privacy claim until audited (Coherence C4)." Treat the shielded pool as a structurally-complete but unaudited component — the commitment/nullifier/Merkle machinery is implemented and shared across node, prover, and wallet, but no privacy guarantee is being made about it yet.
Source: crates/coherence-core/src/lib.rs (notes, commitment tree, spend statement), src/coherence/mod.rs (node-side shielded state, anchor history, reorg-undo bookkeeping), crates/coherence-prover (the SP1 guest).
5 · Emission & the coin
Supply schedule, halving, and the genesis allocation.
Block subsidy: geometric halving, then a perpetual tail
The initial reward is 8,400 BLOCH/block, halving every 1,036,800 blocks (≈1 year at a 30-second target). At the seventh halving (height 7,257,600) the geometric reward would fall to 65 BLOCH — below a fixed 100 BLOCH tail floor — so the floor activates instead and holds perpetually. Unlike Bitcoin's asymptotic-to-zero emission, Bloch-SIS-PoW's mining reward never reaches zero; it settles onto a permanent tail, a design choice shared with chains like Monero that prioritizes a standing miner incentive over a hard supply cap on the mining side. 100% of each block's subsidy currently goes to the miner — the reward-split machinery for validator and oracle pools exists in source but both shares are set to zero, since there is no BFT validator set or oracle system in this pure-PoW design.
The genesis allocation — disclosed in full, structurally passive
Consensus rules encode a one-time allocation of 3,570,000,000 BLOCH — 17% of nominal total supply. The genesis block itself mints none of it; instead the allocation is fully locked for ten years (a 10,368,000-block cliff), then released in 480 equal monthly tranches over the following forty years (41,472,000 blocks) — a fifty-year vesting horizon in total. Each tranche is exactly 7,437,500 BLOCH, dividing the allocation with no remainder.
(Renamed here for neutrality; the underlying source constants encode the same values under different identifier names.)
The allocation address carries no special consensus power: no admin key, no elevated RPC access, no voting weight, no ability to alter emission, difficulty, or any other consensus rule. GhostDAG-Q and SHAKE-256 hashcash validate blocks and order the DAG with no notion of address identity at all — the allocation is a structurally passive balance subject to the same transaction and signature rules as any other UTXO, once it vests.
Source: crates/bloch-crypto/src/core/tokenomics_v2.rs — supply constants, halving/tail-floor logic, and vesting math, each backed by an in-crate consensus test (e.g. halving_emission_closes, vesting_telescopes_to_total) that we cross-checked against the numbers quoted here.
6 · P2P networking
libp2p, empty seed list by design, and a post-quantum transport.
Bloch-SIS-PoW nodes speak libp2p over TCP (and WebSocket), gossip blocks and transactions over gossipsub, discover LAN peers via mDNS, and maintain a persisted peer list on disk (known_peers.json) that survives restarts. The wire protocol carries its own version numbers — PROTOCOL_VERSION = 1, MIN_PROTOCOL_VERSION = 1 — checked on every message, both currently confirmed live by the public node's getnetworkinfo response ("protocol": 1, "net_protocol": 1).
Message types on the wire
The gossip/sync protocol (src/network/mod.rs::NetworkMessage) defines: NewBlock (hash, blue score, height, block bytes), NewTransaction (txid, tx bytes), PeerTip / PeerExchange / PeerRequest / PeerCount (peer bookkeeping and PEX), GetHeaders / Headers (initial block download, keyed by blue score), GetBlock (fetch by hash), and a Version / VersionAck handshake pair carrying version, user agent, blue score, height, and timestamp. Gossip runs over three topics: bloch/blocks/1, bloch/txs/1, bloch/sync/1.
| Port | Protocol | Purpose |
|---|---|---|
16110/tcp | libp2p | P2P — block/tx gossip, sync, peer exchange |
16111/tcp | libp2p / WebSocket | P2P over WebSocket, same protocol |
16210/tcp | JSON-RPC over HTTP | Node RPC — binds 127.0.0.1 by default, keep it local |
16310/tcp | Prometheus | Metrics — opt-in only, via --metrics |
"Your node won't connect" — that's DEFAULT_SEEDS = [], on purpose
The shipped seed list is literally empty in source:
pub const DEFAULT_SEEDS: &[&str] = &[];No foundation-run bootstrap servers, no privileged seed node, no DNS seed records yet (a domain constant exists in source as a placeholder but has no TXT records configured — it's an acknowledged TODO, not a working feature). This is the ownerless ethos applied literally: nobody operates a canonical bootstrap point. The direct consequence, stated just as plainly: a freshly started node sits alone until you hand it a peer address. That is not a bug report — it's how the software ships. See Run a node for the exact flag to fix it.
Peer exchange (PEX) and how a node grows its peer set
Once connected to even one peer, nodes exchange peer lists (PEX), rate-limited and validated (public-address checks, LAN-address checks, a cap on the known-peers list, pruning of invalid entries) before persisting the results. A node's externally-reachable address is only advertised via PEX after being independently confirmed by at least 3 distinct peers (EXTERNAL_ADDR_QUORUM) — a defense against a single malicious peer poisoning what address gets propagated. After first contact, your node becomes a seed for the next node that dials it.
A post-quantum transport layer, not just post-quantum consensus
Beyond the PoW and the signatures, the node's transport layer (src/transport/) implements an authenticated hybrid handshake using ML-KEM-768 (NIST FIPS 203, formerly CRYSTALS-Kyber) for the session key exchange, ChaCha20-Poly1305 for the encrypted channel, and libp2p Ed25519 identity signatures binding the transcript against man-in-the-middle substitution. The codebase's own history records the first end-to-end production run of this handshake on 2026-04-20 on the project's predecessor chain (pre-rebrand, before the code that runs today's Bloch-SIS-PoW mainnet), documented verbatim in the repository's FIRST_POST_QUANTUM_HANDSHAKE.md. The same transport code is what today's Bloch-SIS-PoW nodes run.
Source: src/network/mod.rs (libp2p wiring, PEX, address-quorum confirmation, gossipsub topics), crates/bloch-crypto/src/core/mod.rs::DEFAULT_SEEDS, src/main.rs (CLI flags and default ports), src/transport/mod.rs (ML-KEM-768 handshake).
Build it yourself — trust the compiler, not this page
Run a node & connect.
The protocol has no official binary distribution and no official installer. What follows is the exact clone/build/run/peer sequence, checked against the CLI's own flag definitions in source. Mainnet beta is unaudited and 51%-attackable — see the disclaimer before you point real hashrate or funds at it.
1Get the source
The repository is not a Postern Labs product and has no official site to link to. Rendered here as plain text on purpose:
gitlab.com/blochsispow-group/BlochSISPoW-project# prefix with your git host scheme of choice, then:
git clone <the repository above> bloch
cd blochPrerequisites: a Rust toolchain (rustup, stable) and a C toolchain — clang, cmake, pkg-config — needed by RocksDB and the PQClean-based crypto crates.
2Build
cargo build --releaseBinaries land in target/release/: bloch (the full node), bloch-cli (an RPC client, Bitcoin-Core-bitcoin-cli-style), and bloch-wallet. cargo test runs the crate's own test suite, including the PoW guardrail tests referenced in the PoW section.
3Run a relay node
./target/release/bloch --testnet \
--data-dir ./bloch-data \
--listen /ip4/0.0.0.0/tcp/16110 \
--rpc-bind 127.0.0.1 --rpc-port 16210Always pass --testnet. The flag name is a historical artifact, not a network selector you can skip: it selects the network Bloch-SIS-PoW's mainnet beta actually runs on, which launched under this flag and keeps its name in the CLI pending a later rename. A node started without the flag joins a different, unused network. Note this is purely a CLI naming quirk — the node's own getnetworkinfo RPC method correctly reports "network": "mainnet" once running (verified live; see RPC reference).
--data-dir- Where the chain lives: RocksDB block/UTXO storage, the persisted known-peers list, and node identity keys. Default
./bloch-data. Delete it to start fresh. --listen- The libp2p multiaddr your node accepts peers on. Default
/ip4/0.0.0.0/tcp/16110— the address others will use to bootstrap from you. --rpc-bind/--rpc-port- JSON-RPC over HTTP, default
127.0.0.1:16210— local only, on purpose.--rpc-publicexposes it on0.0.0.0, which is dangerous unauthenticated; pair it with--rpc-api-keyif you must.
4Or run a miner
./target/release/bloch --testnet --mine \
--data-dir ./bloch-data \
--listen /ip4/0.0.0.0/tcp/16110--mine makes the node brute-force Module-SIS solutions under the live relaxed k = 4 regime and attach the winning solution vector as the block's PoW witness. Mining is solo only in the reference node — there is no built-in Stratum pool protocol support for the SIS solution vector's extra field. To be direct about the economics: the coins mined carry no value claim, on a nascent, low-hashrate, 51%-attackable network. Mine to add hashrate and exercise the machinery, not as an investment.
5Check it's alive
# with the bundled CLI (defaults to 127.0.0.1:16210):
./target/release/bloch-cli getnetworkinfo
./target/release/bloch-cli getblockcount
# or raw JSON-RPC over HTTP:
curl -s -X POST http://127.0.0.1:16210/ \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"getnetworkinfo","params":[]}'Full method list in RPC reference below. Optional Prometheus metrics: add --metrics and scrape 127.0.0.1:16310.
6Peering — bootstrap once, then PEX takes over
A fresh node has zero peers because DEFAULT_SEEDS is empty in source — deliberately, per P2P networking above. Dial a known peer to bootstrap:
./target/release/bloch --testnet \
--peer /ip4/213.188.208.175/tcp/16110 \
--peer /dns4/blochv-node.fly.dev/tcp/16110--peer repeats and accepts DNS multiaddrs. The first address above is a currently-reachable public bootstrap node; the second reaches the same public reference node this page's live panels query over RPC, dialed on its P2P port instead. Once connected, peer exchange (PEX) takes over — your node learns more peers, persists them, and redials on restart. After that first contact, your node is a seed for the next person.
# LAN or single-machine testing needs RFC1918/loopback addresses accepted:
./target/release/bloch --testnet --allow-private-peers \
--peer /ip4/192.168.1.50/tcp/16110No peer to dial? Start an island: run one miner and one relay pointing at each other on a single machine or LAN. On a network this young, every additional peer measurably matters — file what you find (attacks on the PoW design, consensus/reorg edge cases, IBD or networking failures, build failures on your platform) as public issues in the protocol repository. There is no private steward to report to quietly.
The node's JSON-RPC surface
RPC API reference.
JSON-RPC 2.0 over HTTP POST, default 127.0.0.1:16210 for your own node, or the public read-only reference endpoint below. Method names and response shapes are taken directly from src/rpc/mod.rs; example responses were captured live against the public node.
src/rpc/mod.rs directly for anything load-bearing.| Method | Params | Returns |
|---|---|---|
getnetworkinfo | — | network, version, protocol, net_protocol, blue_score, blocks, peers, mempool, syncing, chain, pruned_height |
getblockcount | — | tip height (integer) |
getdaginfo | — | tip, tip_blue_score, tip_blue_work, tip_height, block_count, tip_count, tips[], chain_length, k |
getmempoolinfo | — | size |
getpeerinfo | — | peer_count, syncing |
getpeers | — | connected peer addresses/IDs, parsed from stored multiaddrs |
getblockbyheight | [height, verbose?] | hash, height, blue_score, tx_count, timestamp, bits, nonce, parents[], merkle_root, size (+ transactions[] or txids[] if verbose) |
getblock | [hash_hex, verbose?] | same shape as getblockbyheight, looked up by hash |
getblockhash | [height] | block hash (hex string) at that height |
getbalance | [address] | satoshis, bloch, utxo_count, address |
getutxos | [address] | address, utxo_count, satoshis, bloch, utxos: [{txid, index, value, script_pubkey}] |
getaddresscount | — | addresses_with_balance, utxo_entries — distinct on-chain wallets holding ≥1 UTXO |
gettransaction | [txid] | transaction detail |
getrawmempool | — | pending transaction ids |
sendrawtransaction | [hex_tx] | broadcast result / error |
getblocktemplate | — | parents (current tips), height, blue_score, expected bits (via the same ASERT-Lattice function accept_block validates with), mempool transactions selected for the template, block subsidy, vesting delta |
getchainstats | — | total_blocks, total_txs, avg_txs_per_block, blocks_last_24h, txs_last_24h, avg_block_time_secs, current_difficulty, hashrate_hs, hashrate_human |
getsupplydistribution | — | tiers: [{label, address_count, total_sats, total_bloch, pct_of_supply}], total_addresses, total_sats, total_bloch |
gethashrate | — | hashrate_hs, hashrate_human, avg_block_time_secs, current_difficulty |
getdifficultyhistory | [limit ≤ 100] | count, points: [{height, bits, bits_hex, timestamp, target_hex}] |
listtransactions | [address, limit, start_height, end_height, offset] | paginated tx history for an address with confirmations and direction |
Additional methods exist in source (getblocktimepercentiles, gettxstatus, getaddressinfo, getmempoolstats, gettxsbyblock, getaddressbalance_at_height, getattestation, getpools) whose exact field sets are not detailed here — not exposed in the depth this reference reviewed; read src/rpc/mod.rs directly for their schemas. | ||
Example — getnetworkinfo
curl -s -X POST https://blochv-node.fly.dev/ \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"getnetworkinfo","params":[]}'Live response, captured while building this page:
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"blocks": 338836,
"blue_score": 338835,
"chain": "bloch-sis",
"mempool": 0,
"net_protocol": 1,
"network": "mainnet",
"peers": 30,
"protocol": 1,
"pruned_height": 0,
"syncing": false,
"version": "0.1.0-genesis"
}
}Example — getdaginfo
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"block_count": 338808,
"chain_length": 338808,
"k": 10,
"tip": "053f22634b33614a50e079122f8837183568e5ef760c6f339a71e6a7631e2a14",
"tip_blue_score": 338807,
"tip_blue_work": "731944",
"tip_count": 1,
"tip_height": 338807,
"tips": ["053f22634b33614a50e079122f8837183568e5ef760c6f339a71e6a7631e2a14"]
}
}A quirk worth naming precisely
The CLI flag that selects the live mainnet-beta network is spelled --testnet — a historical name kept for compatibility, not a statement about which chain you're joining (see step 3 above). We checked whether this naming quirk also leaks into the RPC's own network field, since that's the more consequential place for it to matter: live queries against the public endpoint above return "network": "mainnet" correctly. If you see a build reporting the legacy string differently in some other field, treat the CLI flag name — not the RPC response — as the known quirk.
Don't take this page's word for it
Verify it yourself.
Every network figure on this page can be reproduced with a single curl command against a node that is not this page and not run by Postern Labs' own infrastructure narrative alone — it is the same public endpoint anyone can query, and the same repository anyone can clone and build from source.
Query the live chain
A public, read-only RPC endpoint, reachable right now:
curl -s -X POST https://blochv-node.fly.dev/ \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"getnetworkinfo","params":[]}'Or skip the terminal entirely: the live block explorer on this site drives the same endpoint from your browser, refreshing every few seconds.
Verify the source, not a binary
Building from source, as in Run a node, is the strongest verification available — there is no official pre-built binary to trust instead. The repository address, again, as plain text because there is no official link:
gitlab.com/blochsispow-group/BlochSISPoW-projectWho decides what the protocol does
How the code evolves — governance without a controller.
This section is impersonal by design: it describes a model, not a person. No individual or entity is named here, because the point of the model is that none needs to be.
The code-evolution model — Bitcoin-style, no central authority
- No entity controls upgrades. There is no admin key over the network, no foundation with a merge button that changes what live nodes run, and no privileged node whose software choice binds anyone else's.
- Changes are proposals, not decrees. A code change takes effect on the network only if node operators and miners voluntarily choose to run it. Consensus, in the most literal sense, is simply "the rule set the network decided to keep running."
- Coins do not vote. Holding a balance grants zero governance power over the protocol. Economic weight is not protocol control — GhostDAG-Q and SHAKE-256 hashcash validate blocks with no notion of who holds what.
- Anyone may read, fork, patch, or propose. Divergent rules simply produce a fork; whichever network people actually keep running is the one that persists. This is adoption deciding outcomes, not a decree binding them.
The stated design principle
Whoever wrote the protocol's initial code wrote code, and nothing more. That act of authorship confers no ownership and no control over the network that later runs it — publishing a protocol is not the same act as governing one. The initial authorship role is, by stated design, meant to end: it carries no owner role, no controller role, and no special consensus power, and is intended to step fully away, leaving behind protocol that lives or dies purely by voluntary adoption. The absence of a controller is treated as a feature of the design, not an oversight to be corrected later.
This is a stated design intent — a letter of intent, in the same sense used elsewhere on this page — not a completed, technically-enforced guarantee. Nothing about GhostDAG-Q or the PoW rules can force a human being to stay silent or step back; what the design does is remove every technical lever (admin keys, privileged nodes, voting weight) that could be used to exercise control even if someone wanted to. Consistent with the rest of this page: nothing here is decentralized-and-safe by decree — it is decentralized to the extent that voluntary adoption, today, actually makes it so.
Where the protocol is headed
The intended path to community stewardship.
Bloch-SIS-PoW is, right now, in a moment of transition. It is live, unaudited, low-participation software with no owner — and the intended direction of travel is toward a wider, self-organizing set of stewards, not toward any single party accumulating more control.
What "coins don't vote" means here
The intended model mirrors Bitcoin's own history: protocol changes are not decided by weighted balance-holder votes. They propagate only through voluntary node and miner adoption — a change ships as software that node operators and miners choose to run, or don't. A large balance confers no formal say in that process; GhostDAG-Q and the PoW rule set don't check who holds what.
What "nothing is decentralized-and-safe yet" means
This is a design intent, not a completed transition. The network today is small, low-hashrate, and unaudited — properties that no governance model changes on their own. Describing an intended path to broader stewardship is not a claim that the protocol is already resilient against concentrated control; the disclaimer above applies in full, right now, regardless of where the protocol is headed.
This page does not speak for the protocol's future governance — nobody can, since nobody owns it. What's written here is a description of the design intent visible in how the protocol is built: no privileged consensus role for any address, an empty default seed list so no party is a mandatory bootstrap point, and reward/emission rules that are fixed in consensus code rather than adjustable by any operator.