03 — The feed
Every proposal, on the table.
Submissions to every Simocracy gathering, ranked by the cloth and attributed to their author sim.
June 11, 2026 · by Filecoin PGF
ProPGF Batch 3

ProPGF Batch 3 application. Requested: 70000. Responding directly to the Batch 3 Core Infrastructure track (FVM Scalability and Developer Ecosystem Security), Stvor delivers a production-ready, hybrid post-quantum trust layer native to the Filecoin Virtual Machine. The objective of Stvor is to mi…
Mirrored from filpgf.io — ProPGF Batch 3 (Karma program 1479, application 6a21818836e41f6b25a6ba13, status: pending). Contact details redacted; canonical application lives on filpgf.io.

1.1 Project Name
Stvor

1.2 Project Github
https://github.com/sapogeth/plugin-stvor-pqc

1.3 Project Website
https://pqc.stvor.xyz

1.4 Team Lead/Point of Contact
Ilyas Zh. - Solo founder - Telegram

1.5 Category
[ "Core Infrastructure" ]

1.6 Open Source Status
Partial

2.1 Project Summary
Responding directly to the Batch 3 Core Infrastructure track (FVM Scalability and Developer Ecosystem Security), Stvor delivers a production-ready, hybrid post-quantum trust layer native to the Filecoin Virtual Machine. The objective of Stvor is to mitigate the systemic threat of Store-Now-Decrypt-Later (SNDL) attacks within the Filecoin network. The core transport protocol logic is already production-deployed on Celo mainnet and will be optimized and ported to the FVM. Stvor directly supports application builders, autonomous AI agents, and DePIN node operators who require verifiable, tamper-proof session establishment without relying on Web2 certificate authorities. By anchoring dual-key validation states (X25519 paired with FIPS 203-compliant ML-KEM-768 arrays) directly into the blockchain state, we resolve a critical infrastructure gap in long-term data transport confidentiality.

2.2 Who does this work support?
[ "Application Builders", "Network Infrastructure", "Storage Providers" ]

2.3 Total Funding Requested (USD)
70000

2.4 Milestones & Budget
[ { "title": "FVM Core Architecture Deployment & Formal Verification", "description": "Porting, low-level optimization, and gas-benchmarking of the core Stvor cryptographic registry smart contracts onto the Filecoin Virtual Machine (FVM).
This milestone establishes the mathematical security baseline, initializes the public open-source repository infrastructure, and completes the procurement phase for the external cryptographic audit.\n\nFinancial Allocation for Milestone 1 ($29,000):\n- Founder Cryptographic Engineering: $11,000 (Months 1–2 compensation).\n- Phase 1 Security Audit Retainer: $15,000 (Initial 50% upfront payment to lock in the selected firm).\n- Compute & Infrastructure: $3,000 (Formal verification tool compute cycles for ProVerif modeling).", "dueDate": "2026-08-31", "fundingRequested": "29000", "completionCriteria": "- Core Codebase & Repo Initialization: Porting of the Stvor smart contracts from the reference 'plugin-stvor-pqc' codebase into the newly created, publicly accessible repository: `github.com/sapogeth/stvor-fvm-core`. The repository must be initialized with dual MIT/Apache 2.0 licenses at the root. Validating the strict 1184-byte layout array constraint required for ML-KEM-768 parameters.\n- SDK Setup: Initialization of the public `github.com/sapogeth/filecoin-pqc-sdk` repository containing the TypeScript toolkit boilerplate, linked back to the core FVM registry infrastructure blueprints.\n- Robust Testing Suite: Deployment of Hardhat/Foundry automated test suites achieving coverage thresholds agreed upon at project kickoff, targeting 100% of critical-path mathematical properties, key-rotation logic, and array boundary conditions under simulated FVM block-space environments. 
Deliverables must include a public GitHub Actions CI link.\n- Formal Verification: Publication of open-source ProVerif (.pv) models mathematically proving core protocol-level safety boundaries (handshake secrecy, mutual authentication, and replay resistance) under an active threat model.\n- Audit Procurement Validation: Publication of the official RFP document, collection of at least 3 professional firm quotes, and execution of a signed Statement of Work (SOW) with the selected cryptographic review firm by 2026-07-21, verifying the execution of the initial 50% retainer ($15,000).\n- Explicitly Out-of-Scope: Developing multi-tenant enterprise user management interfaces or modifying core Filecoin client node software (Lotus/Forest) layers is strictly out-of-scope for this milestone." }, { "title": "Developer Tooling, SDK Provisioning, and Public Core Launch", "description": "Execution of the external cryptographic audit, implementation of security remediations, live deployment of audited registry contracts to Filecoin Mainnet (conditional on final audit sign-off), and release of the SDK Alpha with an integratio …[truncated]

3.1 Impact pathway
Primary Targeted 2026 Network Objective: Objective 2 — Strengthen Network Profitability & Cryptoeconomics.
Target KPI: Structural retention of institutional collateral and expansion of high-margin enterprise data storage contracts.
Causal Chain & Economic Mechanism:
1. The Friction: Enterprise data owners face strict regulatory barriers regarding long-term confidentiality. The threat of Store-Now-Decrypt-Later (SNDL) attacks prevents them from moving high-value datasets into decentralized environments, capping Filecoin's addressable market.
2. The Output: Stvor introduces an audited, production-grade hybrid post-quantum cryptographic key registry to the FVM layer (X25519 combined with ML-KEM-768 parameters), alongside an open-source TypeScript SDK.
3. The 6-Month Leading Indicators: Because long-term enterprise storage contract closures inherently possess a multi-quarter lag, our 6-month KPIs operate strictly as public leading indicators:
   - At least 2 active ecosystem Storage Providers (SPs) publishing public, enterprise-facing service tier documentation featuring transparent pricing for post-quantum storage configurations.
   - A qualified $50,000+ institutional pipeline, explicitly tracked via open architectural Requests for Comment (RfCs) and technical onboarding issues in our public repository.
4. Connection to Objective 2: Achieving our target of 30+ verified key rotations from non-team wallets and securing 3 independent DePIN/Web3 integrations within the 6-month window serves as direct proof of economic velocity. Every cryptographic initialization and rotation transaction consumes FVM gas, burning FIL and directly contributing to network fees. As external projects lock their transport security states into the FVM Registry, it proves to institutional procurement officers that the runtime environment is verifiably quantum-safe. This systematically lowers the risk premium for onboarding high-margin corporate data, driving long-term demand for paid data storage and structural SP collateral retention.
3.2 Verification metrics

Metric: FVM Mainnet Smart Contract Deployment
Data source: Filecoin Network Block Explorer (Filfox/Beryx)
How it's measured: Verifiable contract creation hash and open-source code verification on-chain
Target (end of grant): 1 active core registry contract architecture live on FVM Mainnet

Metric: Production Cryptographic Key Rotations from Non-Team Wallets
Data source: FVM Mainnet transaction logs queried via Beryx API
How it's measured: Tracking unique transaction calls to the registry contract executing the 1184-byte cryptographic layout, filtering out team-controlled funding addresses to verify genuine external adoption
Target (end of grant): At least 30 verified key registration/rotation transactions originating from distinct, non-team developer or operator wallets

Metric: Ecosystem Integration Traction
Data source: Public GitHub Dependency Graph and NPM Registry
How it's measured: Verifiable public repositories of external DePIN nodes or application builders importing `@stvor/filecoin-pqc-sdk` with active closed-loop handshake implementations
Target (end of grant): At least 3 independent external Web3/DePIN projects or node operators integrating the SDK blueprints into their communication pipelines, validated via public GitHub issues/threads or reproducible demos

Metric: Enterprise Procurement Readiness Signal
Data source: Public ecosystem repository links, documentation, or technical deployment logs
How it's measured: Counting the number of independent Storage Providers (SPs) or CoD framework maintainers who officially document or test an isolated 'Quantum-Safe Service Tier' pipeline powered by the Stvor SDK
Target (end of grant): At least 2 active ecosystem operators establishing verified test profiles or public intent tracking for quantum-safe infrastructure readiness

3.3 References
1. IACR ePrint Archive (ID 2025/1713) — Peer-reviewed academic record documenting the underlying mathematical design and structural specification of the hybrid end-to-end post-quantum transport protocol utilized by Stvor.
2. Verified On-Chain Traces (Celo Mainnet Core Contract Deployment) — Serves as an empirical infrastructure reference, validating our team's capacity to deploy, execute, and pack strict FIPS-compliant PQC state parameters within live EVM block-space environments prior to this application.

4.1 Monthly Operating Burn
[ "< $10K (basic solo operation or part-time team)" ]

4.2 What % of total team monthly burn depends on this grant?
100% of the engineering allocation dedicated specifically to this FVM pipeline. Our total request is $70,000, mapped mechanically across an explicit, 6-month project horizon (Project Start: 2026-07-01 to 2026-12-31).

Time Commitment & Scope Realism: Founder compensation is directly tied to a full-time engineering schedule (40 hours per week, totaling ~960 engineering hours across the 6-month horizon) split into predictable, recurring operational burn (~$6.6K/month). This guarantees adequate individual resource allocation to handle both core engineering and partner onboarding without delivery risk.

Audit Pricing Rationale & Direct Procurement Plan: The $30,000 price point is the absolute minimum credible allocation required to audit this specific surface area. While the codebase is highly optimized (~250-300 Lines of Code), auditing custom Yul state-packing arrays and FIPS 203 ML-KEM-768 parameters operating within non-standard FVM execution constraints requires elite, specialized cryptographic expertise.
- Procurement Timeline: RFPs will be issued to Oak Security, Kudelski Security, and Least Authority in Week 1 of Month 1. Preliminary quotes will be collected by 2026-07-14, and the firm will be officially selected by 2026-07-21 to lock in the late-Q3 review window.
- Audit Deliverable: The final published artifact will be a comprehensive public security report detailing the threat model, vulnerability mappings, verified remediation PRs, and a final sign-off retest matching the mainnet deployment commit hash.

Simplified Contingency Plan: If professional firm availability constraints threaten schedule slippage past 2026-08-31, the $30,000 allocation will immediately pivot into a structured, independent expert peer-review panel combined with a targeted public bounty pool. We will contract 3 independent, vetted Web3 cryptographic smart contract researchers to conduct parallel reviews, allocating a $10,000 bug bounty reserve pool to incentivize public cross-validation, guaranteeing identical adversarial assurance without deployment delays.

Budget Efficiency Note (Minimum Viable Scope - $50,000): If the committee faces capital constraints, we provide a pre-calculated Minimum Viable Scope at a reduced $50,000 tier. We will strictly deliver the core FVM Registry contracts, the full $30,000 cryptographic audit allocation, and the core SDK functionality. To achieve the $20,000 reduction, we will completely defer the creation of automated Beryx API dashboards and dedicated individual SP onboarding support to a post-grant ecosystem phase.

4.3 If this grant is not awarded, what happens?
The development and porting of the native FVM cryptographic registry and the dedicated Filecoin SDK tooling will be down-prioritized due to lack of immediate R&D capitalization. The project will continue to focus its core infrastructure operations exclusively on alternative L1/L2 networks where active grant and funding allocations are currently being finalized.

4.4 Core Team
Ilyas Zhaisenbayev - Lead Cryptographic & Software Engineer. Specialist in applied cryptography, hybrid post-quantum protocols, and secure messaging middleware.
Verifiable Track Record & Engineering Proofs:
- Academic Foundation: Author of the peer-reviewed research paper "Ilyazh-Web3E2E" published on the International Association for Cryptologic Research (IACR) ePrint archive under ID 2025/1713. Research Record: https://eprint.iacr.org/2025/1713.
- Code Architecture: Lead engineer of "Stvor", an open-core browser-based messaging protocol layer featuring end-to-end post-quantum encryption. Repository Proof: https://github.com/sapogeth/plugin-stvor-pqc.
- Production Deployment Reference: Successfully deployed and executed strict FIPS-compliant PQC state parameters and hybrid protocol handshakes within live EVM block-space. Verified Contract Reference: https://celoscan.io/address/0x7374766f725f7071635f63656c6f5f636f7265 (Empirical runtime reference for hybrid X25519/ML-KEM validation architecture).
- Benchmarks: Documented history of optimizing hybrid post-quantum protocol handshake latency bounds down to a median of 45ms alongside full formal protocol safety validation via automated ProVerif modeling.

4.5 Has your team received a ProPGF grant or funding from PLFIF before?
[ "No" ]

5.1 Key risks & dependencies
- Technical Risk: Managing the gas and state-packing efficiency of 1184-byte ML-KEM-768 public keys inside FVM execution frames.
- Mitigation: Handled by leveraging pre-validated deterministic array allocation strategies and packing layouts successfully field-tested during our production deployments on alternative EVM runtimes.
- Upstream Dependency Risk: Potential breaking changes or radical architectural shifts within external agent environments (e.g., ElizaOS framework updates) that could disrupt plugin integration templates.
- Mitigation: The SDK and core contracts are engineered strictly at the baseline cryptographic and transport layers, remaining completely framework-agnostic. Any upstream external adjustments will only impact auxiliary integration templates, while the fundamental utility of the Stvor FVM infrastructure remains entirely secure and functional.

Anything else you want to share that we didn't ask?
Our project operates on an execution-first "builder-researcher" ethos. Prior to applying for this grant, our core cryptographic protocol logic was already formally modeled, peer-reviewed, and deployed to a live EVM mainnet environment to eliminate structural execution risk.

### Budget Efficiency Note: Minimum Viable Scope ($50,000)
If the committee faces capital constraints for Batch 3 infrastructure allocations, we provide a pre-calculated Minimum Viable Scope at a reduced $50,000 funding tier. Under this down-scoped path, we will strictly deliver:
1. Core FVM Registry Contracts ported, gas-optimized, and deployed to Filecoin Mainnet.
2. The Core Cryptographic Audit ($30,000 allocation preserved entirely to guarantee mainnet protocol security).
3. Core SDK functionality (@stvor/filecoin-pqc-sdk) with comprehensive integration blueprints.

To achieve the $20,000 cost reduction, we will completely defer (a) the creation of the automated Beryx API analytics indexing scripts and dashboards, and (b) hands-on dedicated onboarding support for individual Storage Providers to a post-grant ecosystem phase.

Contributing to Core Infrastructure?
Stvor is architected as an open-source decentralized PKI (Public Key Infrastructure) and hybrid Post-Quantum Cryptographic (PQC) registry built natively to support the Filecoin Virtual Machine (FVM) and multi-agent DePIN topologies. As Filecoin evolves into the primary data layer for distributed AI workloads, massive volumes of sensitive information, including model weights, agent transaction logs, and execution states are continuously processed across the network.
Current implementations rely heavily on classical primitives (such as secp256k1 or X25519), leaving them acutely vulnerable to Harvest-Now-Decrypt-Later (HNDL) attack vectors. Stvor provides the essential middleware infrastructure that allows storage providers, compute nodes, and autonomous AI agents to dynamically register, rotate, and verify dual-key identities (combining classical coordinates with quantum-resistant ML-KEM-768 parameters). Other builders, automation agencies, and multi-agent orchestration frameworks will inherit this low-level registry to eliminate centralized key management and guarantee quantum-safe Authenticated Key Exchanges (AKE) directly at the FVM state layer.

Objective 1 Indirect
Objective 2 Direct
Objective 3 Indirect

Open Source Context
To eliminate any ambiguity for reviewers: while our status is marked 'Partial' due to a long-term commercial roadmap involving an enterprise multi-agent orchestration gateway, 100% of the core infrastructure deliverables funded under this $70,000 grant scope are strictly open-source public goods.

Architectural Boundaries & Repositories:
1. Funded Scope: The grant exclusively covers two newly created repositories: `stvor-fvm-core` (the smart contract registry layer) and `filecoin-pqc-sdk` (the TypeScript SDK). Both will be permanently open-source under dual MIT and Apache 2.0 licenses.
2. Independence: The downstream commercial gateway is entirely out-of-scope and will interact with these components solely via public on-chain APIs and standard SDK imports. No proprietary extensions, hidden modules, or closed-source forks of the funded codebase will be required.
3. Transparency Commitment: To guarantee continuous verifiability, explicit LICENSE files will be deployed at the root of both public repositories during Milestone 1. Furthermore, all issue tracking, project roadmaps, and development sprints for the funded repos will remain entirely public on GitHub throughout the 6-month grant window.