QRL Weekly, 2026-June-19
19th June 2026
Weekly Development Snapshot
Status / overview
- April 3rd: Audit complete of 2 cryptographic libraries.
- March 31st: QRL 2.0 Testnet V2 Released.
- Audits: Internal and External work ongoing
64 Byte addresses
- 64 bytes address related changes done for qrvmone, qrvmc
- hyperion is being reviewed for 64 bytes address related changes
P2P Layer PQ Implementation
- Falcon-1024 has been implemented and PR is currently being reviewed
Daniel Bernstein’s “Exploiting ML-DSA Bugs” review
The QRL ML-DSA implementation is not broken and is not at risk from any of the three forgery attacks described in the paper. Each attack relies on a specific implementation bug; we checked for all three at the bit/byte level, confirmed each is absent, and corroborated the findings with empirical probes and the existing test suite.
| # | Attack in the paper | Underlying bug it needs | Present in go-qrllib? | Outcome |
|---|---|---|---|---|
| 1 | Secret-key recovery from masks | Duplicated mask coefficients ( AABBCC / A0B0C0 / ABABCDCD ) | No | Not exploitable |
| 2 | Predictable signatures | Secret seed K zeroed/cleared before use | No | Not exploitable |
| 3 | Nonce-reuse forgery | Repeated nonces from a truncated seed hash | No | Not exploitable |
To guard against such bugs being introduced into the codebase in the future, we added specific regression tests.
Additional CVE review (ML-DSA Timing)
We additionally confirmed that the most recently disclosed ML-DSA timing vulnerability (Decompose, CVE-2026-22705) is not present.
19th June 2026
