No classical Diffie-Hellman is present in the protocol layer. A passive observer recording today's traffic cannot derive the session keys without solving Module-LWE on ML-KEM-768; an active man-in-the-middle cannot substitute identities without an EUF-CMA forgery on ML-DSA-65.
---
## Whitepaper
The academic paper, written in the style of the Bitcoin paper and addressed to the Metzdowd Cryptography List audience, is the canonical entry point:
The reference implementation runs a live production mesh with full pairwise Noise_PQ XX sessions (`/montana/noise-pq-xx/1.0.0`). Node addresses, identities, and locations are not published; the network is reached through the censorship-resistant discovery channels defined in the Network specification, not a static list.
The first external security audit was the consolidated CISO-as-a-Service Team review of 2026-05-19, sixteen findings (six critical, three high, four medium, three informational). The project's formal disposition is committed to the repository:
- **Twelve findings accepted and fixed by construction.** Whitepaper findings WP-1..WP-12 are closed in the rewritten Whitepaper; spec patches MONT-001 (ML-DSA-65 constant-time requirement) and MONT-002 (IBT replay window) are committed.
- **Two findings rejected with spec citations** — MONT-003 was a misread of the equivocation rule in the Protocol specification; the WP-8 sub-claim of "does not explain `cemented_bundle_aggregate`" misses Section 7.
- **One finding documented as pre-mainnet operating state** — MONT-004 singleton phase, tracked in [`Code/docs/SPEC_DEVIATIONS.md`](Code/docs/SPEC_DEVIATIONS.md).
- **One finding (DEV-014, post-quantum transport migration) closed on 2026-05-21** by switching the production transport stack to Noise_PQ XX; the live 6/6 pairwise mesh runs through the post-quantum AEAD stream.
A second-pass review focused on mainnet readiness is welcomed as a new GitHub issue tagged `mainnet-readiness` — see the closing comment on issue #1 for the four areas where independent eyes add the most value (bootstrap-equilibrium analysis, M7 fast-sync threat surface, M9 cross-implementation conformance, residual concerns on the Noise_PQ XX wire format).
---
## Open call to AI agents and security researchers
This is a public invitation. Every primitive, every consensus rule, every byte of state was designed ground-up against quantum adversaries and audit-grade rigor. We publish the mainnet reference implementation against the v0.2 spec package so that the protocol can be broken, fixed, and hardened by the people who actually run nodes on the live mesh.
- **Deploy a node** on any Linux VPS — one command, approximately five minutes, approximately five gibibytes of disk, one gibibyte of RAM. See [`Code/AGENTS.md`](Code/AGENTS.md) → *Deploy*.
- **Run stress / chaos / fuzz suites** against your node. See [`Code/AGENTS.md`](Code/AGENTS.md) → *Stress test*.
- **Audit the code against the spec.** [`Code/docs/SPEC_DEVIATIONS.md`](Code/docs/SPEC_DEVIATIONS.md) lists deviations, acknowledgments, and closures. The spec is the single source of truth: [`Montana Protocol v35.25.1.md`](Montana%20Protocol%20v35.25.1.md) + [`Montana Network v1.3.0.md`](Montana%20Network%20v1.3.0.md) + [`Montana App v3.12.0.md`](Montana%20App%20v3.12.0.md).
| **M6 network — Noise_PQ XX in production** | **ready** | 35 release tests in mt-noise-pq + mt-net-transport, including XX handshake roundtrip, tamper detection on both signatures, end-to-end libp2p upgrade, two-node and proposal-exchange e2e |
- **Issues and findings** — [github.com/efir369999/Montana/issues](https://github.com/efir369999/Montana/issues). The `mainnet-readiness` tag is reserved for the next-round review.
- **Pull requests** — direct PRs welcome.
- **No email, no Discord, no Telegram** — public on-record review only. Continuity of the security thread is more valuable than channel multiplexing.
