Hi everyone!

I'm starting out on my newbie adventure right now and thought I'd break the ice with an intro post.

I used to lurk here back in the day; late 2010 or so. I was so obsessed with Bitcoin back then that I studied it for days. Holding the whole system in my mind without any gaps was everything to me. Years later, after CPU mining on Litecoin fizzled, I sold my stash and moved on. More recently, I've held ETH and several others; but I'll never forget how magical it felt living at the dawn of something so important and being among the few who even knew what it really was or how it worked.

Even more recently, I had an idea (Rule 30 VDFs) that I couldn't shake. And, it turned out that three venerable researchers beat me to the underlying consensus theory back in 2013:

Publicly verifiable proofs of sequential work
https://dl.acm.org/doi/10.1145/2422436.2422479

For a person like me, theory isn't enough. Like Bitcoin, my project (not yet named) requires serious effort to explain and fully understand. Historically, this is the place. So, I decided to finally join and contribute. Also, my launch plan requires the hash from the minting of a future Bitcoin block in order to ensure a fair start. So, technically I'm relevant!

If anyone has advice on which forums I should be posting about this it would be well received. But, in case anyone is curious about the shape of my idea and decisions I've made so far:

- 100% fair-launch L1 commodity coin: no premine, allocations, funds, operators, contracts, or foundations
- First Mover: Proof of Sequential Work Consensus
- Mining proofs: Zexe + Binius + Rule 30 VDF Clock
- Identity: RandomX + DDA + Epoch TTL "tollbooth" for
- Security: ZCash Sapling/Orchard

At the core of my fairness surface is a "Luckiest Hash" race. Combined with my "Fuzzy Victory Window", it ensures that mining is almost like entering a lottery. After a Monte Carlo parameter sweep tonight I found that at the sweet spot, a 5% speed advantage is diluted down to a win-rate of just 56%. I'll have to run simulations with far more than just 9 local nodes to calibrate the security; or else this collapses to PoW and eternal shame, but it's all very real and promising.

If this works, a data center with ten thousand cores runs the clock at exactly the same speed as a single laptop. The mining race can be genuinely flat. My hope is that this would bring back some of that early magic from the times before mining pools and all the complexity and scams.

Things I have a good start on:

- Whitepaper (v2 draft)
- Rule 30 prover in Rust (AVX2 vectorized binary field STARK)
- Chord-based UDP testnet simulator w/TUI
- Swarm telemetry and diagnostic charting

Thanks for the warm welcome! Even just a little external attention on this is enough to keep me going right now. It means a lot.

Your point about these basement windows around me is well taken. Security is hard. Cryptography is extra hard. And, deploying a properly tuned L1 with an ossified protocol and a novel consensus protocol? I'm finding out that it's gonna require making some new friends. It's also true that I don't have everything figured out. For instance, I've only just started considering privacy in the networking layer. I'm no expert, but a Dandelion++ implementation like in Monero seems like the best fit.

Another thing I'm still figuring out is the macroeconomics. I want this coin because I want mining to be fun again. But, my research indicates that without a mining race a lot of people won't care. The best answer I have for this is a consumer framing. It goes like this:

Right now, buying consumer hardware like cell phones and laptops is a pure cost center the moment you click "Buy" or walk out of the store. What if a miner running passively on that device coulld generate even $5-20 per month reliably? That could reframe every piece of consumer electronics as a productive asset! Let the first device pay for the next and so on.

Since my last post, I've made a few changes that address some of those specific asymmetries you mentioned.

The major one, is that I just finished the transition to a binary-native ledger format. This aligns the state transition directly with the STARK circuit, making my proof-of-everything (PoE) recursive state updates significantly faster and more memory-efficient. A stateless ledger gives minted blocks the property of being verified on sight. No need to build up the entire state from history to know a block is valid. No catching up. No merkle checkpoints or roll-ups. Instead, every block carries an aggregated STARK proof of the VDF continuity and the ledger transition, the block is its own certificate of validity. The physics ensure that the coins are there and the clock has stayed true since genesis. This makes participation on mobile, NUCs, and other lightweight hardware safer by design.

Another big change, is that I've moved the internal hashing layer from Groestl/SHA2 to Vision32b. Vision is arithmetization-friendly for binary fields, so in my Binius-style STARK, proving is now essentially "free". It allows me to embed much higher-resolution "proof-of-trace" checkpoints into the VDF clock without bloating the proof.

Another change worth mentioning is that I now have miner auto-calibration for the STARK prover. I'm calling a "Switchover Probe". It's a one-time check that dynamically adjusts the sumcheck crossover points based on the local machine's cache and SIMD width (AVX2/NEON). This ensures that proving throughput remains consistently optimal across heterogeneous hardware. It should help prevent that from becoming a hidden tax on smaller miners.

It's a lot of work, but the physics really are starting to feel solid. I'm currently tuning the M/N window ratios to ensure the protocol stays lottery-like even when one peer has a significant hardware advantage. With a little help refining my ideas and calibrating my testnet, this could open doors to some wild places!

Progress Update: Today I finally decided on a name for the project. Then, I registered domains and secured accounts on various platforms to ensure future availability.

Now, I'm proud to announce:

Veridium Network by Anosic Systems

As a coinage, Veridium roughly means "green mineral" or "green ore". Why? Green is my favorite color and the connection to so-called "emerald ore" and "mining" is very satisying for this old Minecraft fan. Anosic means "without disease" or "healthy". In this case, the sickness is the perverse incentives created by PoW consensus. With Veridium, Anosic aims to prove that a modernized crypto can be much greener.

Anosic Systems will be a research vessel and technical maintainer of the Veridum protocol and ecosystem. I have a few other active research projects (like my eBPF-like principled semantic IR) that this org will also maintain. Once I have a proper landing page the public site will be at: https://anosic.com (coming soon)

Veridium Network refers to the permissionless L1 P2P network.

Veridium is the name of cryptocurrency minted by participants of the network. A technical portal site with a block explorer, downloads, and various utilities will be at: https://veridium.cc (coming soon)

No logo yet, but I did spend a few minutes exploring Unicode for a value symbol to adopt. I found "MATHEMATICAL SCRIPT CAPITAL V" at U+1D4B1 and it looks nicer than all the other V-shaped options I found. So, I'll soon start using in my scripts and in the testnet TUI to help me focus on the values more easily. For example, they would look like this:

𝒱0.01

If anyone has feedback on these names or questions/concerns about these plans it would be greatly appreciated.

Veridium almost came to a full stop today.

I thought that recursive STARK aggregation would significantly compress the ledger under TensorPCS. Instead, I saw the payload shoot from 10 KB up to sizes that would never work. I did find a field solution that would reduce it to nearly 20 KB, but this would have required miners to commit gigabytes of RAM to make proofs.

It was almost game over. I was tempted to quit for the first time. Instead, I found another way. My research has now pivoted into a new dual-PCS (Polynomial Commitment Scheme) strategy. If it works, this means that the Veridium protocol will utilize two distinct PCS phases in an inductive chain:

Phase A: Inner Segments - Work Layer

- Target: VDF (Rule 30), Identity (Vision), Ledger (Horizon Tree)
- PCS: TensorPCS
- Reasoning: Optimized for high-throughput, large-trace "work" circuits
- Output: Three internal proofs" (~525 KB total)
- RAM Overhead: Minimal (linear to trace)

Phase B: Master Verifier - Compression Layer

- Target: Recursive Binius circuit that verifies the three TensorPC` proofs
- PCS: High-Expansion FRI-Binius
- Reasoning: Because Binius verifies Binius with degree-1 XORs, the trace is exceptionally small (2^14 bits per column)
- Compression: By using an inv_rate of 256, we compress the proof size to 20 KB.
- RAM Overhead: ~16 MB. Because the trace is small, the 256× expansion tax is trivial for consumer hardware/mobile phones.

It's already coming together. Test suite is mostly passing again. The Binius-on-Binius verifier circuit exists. I have the witness, allowing me to feed the three segment proofs into the master circuit. I even have a field-compatible FRI-Binius implementation. But, the prover is still leaning on TensorPCS for the master proof.

To hit a 20-30 KB target envelope for network transmission and fix the remaining handshake/starvation issues I'll need to hook FRI-Binius into the prover. I hope to do that soon and report back.

it won't work, it's impossible to compete with powerful hardware

My last post mentioned the need to harden the VDF, Identity, and Ledger arithmetizations. I specifically expressed my concern that gate count inflation could destroy the 100ms verifier budget and/or blow up the blockchain payload. Twenty days later, I'm here to report on my progress.

Those concerns were well justified. As a result, these last few weeks have been absolutely brutal. I've been riding an endless rollercoaster of applied cryptographic engineering; and it's far from over. Here's what happened:

Bit-Slicing Fail
Hardening the VDF meant shifting the architecture to a bit-slicing regime. I spent days migrating the entire kernel to bit-sliced arithmetization. The spatial logic worked perfectly, but the single-segment proof size exploded to 104 KB. Every single bit required its own commitment, destroying the sub-64KB budget.

Packed Geometry Pivot
To save the budgets without sacrificing security, I pivoted to a packed field geometry. This meant overhauling the N-API bridge and the kernel to collapse 512 individual bit-oracles into four 128-bit packed words. It was a massive architectural risk, but it worked! This brought the proof size back down to ~41 KB and kept the verifier fast.

Soundness Crisis & Security Regression
While the geometry was now sensible and the budgets were satisfied, soundness was still lacking. The biggest obstacle was not being able to effectively reason about the algebraic traces and polynomials. They were too large and the tests were taking too long for rapid iteration. It was painfully clear that with a log_inv_rate of 4 (16x eval domain expansion) I was probably never going to figure it out. That's when I decided to make a tactical retreat to a log_inv_rate of 1 (2x expansion). This configuration also reduced the security floor to a mere 25 bits.

Projection Oracles
With the new geometry stabilized, I pushed onward toward projection oracles and vertical arithmetization. This architecture enables transparent unpacking for those 128-bit words inside the circuit without paying the field tax during the commitment phase. It also compressed the massive 1800-column oracle manifest down to a sleek 209-variable manifest, pushing proof sizes down to an incredible 9.7 KB.

Continuity Constraints
Under this vertical geometry, the prover began failing with an elusive evalcheck error. Also, the verifier was now rejecting the consistency of the shifted challenger state columns. I spent days tearing apart the recursive prover, assuming the constraints were failing. In the end, the bug was buried deep in the verifier's internal Binius reductions. Eventually, I fixed the issue, implemented a live challenger continuity constraint to cryptographically bind the final state, and finally achieved rigorous structural mathematical consistency.

Ledger Block
With the math consistent, prover stabilized, and all 88 tests and 10 audits passing, I wrote the very first blockchain completeness audit; optimistically expecting it to work. It didn't. This is the one audit that proves Veridium is undeniably real. Undeterred, I scoured the code to inventory all of the remaining technical debt and then identified three load-bearing stubs:

• A mock algebraic proxy for the Merkle path (not true Vision-32b)
• A static zero-seeded challenger trace
• A simplified query indexer

Today, I conquered all three.

Current Status
The hardest part is over. Veridium is now mathematically sound and boasts a bit-sliced, recursive STARK over a Rule 30 VDF and UTXO carrying blockchain payload. However, security is still sitting at just 25 bits. The road ahead requires dialing the log_inv_rate back up to 4 in order to restore the security floor. The grind goes on. But at least the math is finally on my side.

Changing The World
With a little help, Veridium could change the world. It really could. All it has to do is make something profoundly useful possible that truly never was. Bitcoin and Ethereum both did it. But by comparison, every other cryptocurrency since has either been boring and/or derivative.

Consider privacy. Veridium is privacy-first; shielded just like Monero. So who cares? I care. Mainstream people won't. At the end of the day, mainstream people only care about things like comfort and overpaying. To change the world, an L1 has to deliver an obvious and undeniable reason for mainstream people to actually care.

Veridium will have a boatload of technical achievements worth boasting about. It will be the only L1 for payments that offers all of these at the same time:

• the energy efficiency of Chia-adjacent physics-based consensus
• the stable blockchain payload and verified-on-sight (zero confirmations) properties of Mina Protocol
• default anonymity with optional Starknet-inspired viewing keys for regulator and auditor compliance

Cool right? Wrong! Snoozeville. The mainstream doesn't care about any of that. Not in the least. This is what can be said about world-changing cryptocurrencies:

• Bitcoin proved that energy can generate currency.
• Ethereum proved that smart contracts can work.
• Veridium will prove that sustainable fair home mining is possible.

When Veridium delivers the mainstream will not ignore it. Everyone will find out because it enables a new economic choice for everyone with capable (AVX-512/NEON) hardware.

Call for Small Donations
I'm under-employed right now and working on this in my spare time. Food and gas are the resources I need most. I'm going to continue regardless; that's just how I am. If you're interested in this project and would like to help speed things along, please send a small donation to my address below and then either reply or PM me to let me know if you wish.

Bitcoin: bc1qee6dey9v05v2unw9jwywpgqht9q2x9w885gk8d

Recent work on Veridium has not changed character. It continues to be brutally difficult, with problems having subtle causes that are hard to diagnose. Here is the short version of the recent progress:

• Switching from Binius v0 (stale fork) to Binius v0 (HEAD), and currently at 53 tests, all passing
• Adopting some Binius M3 primitives this time
• Embracing formal verification

• Growing coverage of the circuits using Kani
• Plans for implementing Z3 and a hash-adapted fork of Decree

• Many new probes, audits, and diagnostics

Current status: Ready to start on the recursion assembly now. This will compose all of the working recursion segments into a single multi-segment block with fully wired data-level integration residuals and assembly-dependent gates.

Disclaimer: Deep Veridium Lore Ahead

This rest of this post has three goals:

1. Provide a clear picture of the recent difficulties that Veridium has encountered and the solutions that were found.
2. Explain how Veridium rests upon Binius as a substrate, without which it could never have been built.
3. Justify the particular version of Binius in use (v0) versus alternatives like the newer and actively maintained Binius64.

Troubles with Multipoint-Opening

Veridium recently reached a point where proving the Merkle membership in-circuit FRI verifier was among the final remaining tasks. The system must prove that the coset symbols the circuit folded are the same ones that were actually committed. Without it, a malicious prover could fold any internally-consistent fake coset and the circuit would accept it. For soundness, this is effectively the core of Veridium's proof system.

The linkage mechanism required a multiset equality argument to prove that the set {(query, round, M-coset)} from the fold side equals {(query, round, bind)} from the Merkle/Grøstl side. However, because these lived on different rows with no copy/permutation primitive available, this required some form of grand-product or running-product check.

Why Binius

Before I explain the various failed approaches, it's important to consider what the Binius library is and why it is the foundation of Veridium's design.

Binius is the arithmetization substrate that everything else in Veridium sits on top of: the constraint system, the polynomial commitment scheme, the FRI protocol, the field tower. Choosing it was a foundational decision.

The people who built Binius were well-credentialed professionals. Irreducible assembled a serious team of cryptographers and systems engineers, funded at a level that reflected the significance of their research agenda. The math that they produced, particularly the binary tower field construction and the packed multilinear approach, is genuinely novel work. There are other libraries for ZK and STARKs, but Binius is still years ahead of them.

While I am devoted to understanding zero-knowledge proofs, much of the math and cryptography are still beyond me. As a proof system built by a world-class group of researchers, Binius is a strong foundation to build upon.

Three Failed Approaches

I tried three different approaches in my efforts to bring multipoint-opening to Veridium. I failed each time, but the pattern told me everything that the circuits couldn't.

Approach #1: The Helper Polynomial

The idea was to use Binius' included msetcheck and prodcheck features to commit a helper polynomial f' and open it. The product-tree structure forced f' to accumulate five distinct evaluation points, and greedy_evalcheck simply cannot collapse a committed polynomial opened at multiple points into a single same-query PCS claim. That was the wall I was up against; though I still hadn't realized it.

Beyond the evaluation problem, the payload cost alone was fatal: supplying the roughly 2,200 trace evaluations needed to cover the batched commitment produced a proof in the 500-600 KB range, way beyond the current blockchain payload budget. Even if the evaluation collapse had worked, the approach just wasn't viable.

Approach #2: Isolating the Tuples

Then, I thought that perhaps the problem was that the linkage tuples were entangled with the rest of the trace. The second approach moved them into their own dedicated committed batch, on the theory that a narrower, isolated batch would be easier for greedy_evalcheck to handle. It was not. A dedicated batch still commits and opens f', and f' still accumulates the same five evaluation points from the product-tree structure. The same wall was there waiting for me, and so was the payload explosion. Isolating the tuples changed nothing about the underlying mechanics.

Approach #3: The Running-Product Column

This was the most promising of the three and, for a little while, it looked like it might actually work. This Plonk-style approach meant replacing the separate f' commitment entirely with a single running-product column z living directly in the trace. Because z was riding the main trace commitment, it opened at the main point rather than accruing its own separate openings. The cost dropped to something manageable, and the Fiat-Shamir malleability analysis confirmed the approach was sound as long as the challenges were sampled after the trace was committed.

The prove-side wiring went in with RunningProductComposition, the two-round commit structure, a z_next shift, the composite batched into the main zerocheck, and the post-greedy split to open z into the new proof fields. Then, I hit the wall again.

The z column was referenced in two ways: directly, and through the z_next logical-right-by-one shift. Each reference landed at a different evaluation point, giving greedy_evalcheck two distinct points to reduce for the round-2 z batch. The main trace batch had an identical direct-plus-shift structure and collapsed successfully, but the fresh round-2 z batch did not.

Analysis: Hitting the Multi-Point Committed Polynomial Evaluation Wall

Three constructions, three different shapes, and each one ran into the same error. The prodcheck's f' hit it at five points. The isolated tuple batch hit it at five points. The running-product column hit it at two points. The number of points changed but the failure mode didn't. I was now left with only one possible conclusion: the root cause was structural.

So, I went looking for answers and it didn't take too long to find out that I had made a major mistake in the early days of Veridium. Tempted by a feature I wanted, I built upon an older fork of Binius without checking how old it was. I now realize it lacked many of the features and decouplings of the latest version. A simple error in judgement had baked insurmountable flaws into the project from the start.

The stale fork featured a greedy_evalcheck that was built around the assumption that every committed polynomial could always be reduced to a single same-query PCS claim. The reduction path to handle multiple evaluation points per committed polynomial was simply never finished or exercised. The prodcheck and msetcheck code existed, but the greedy opening path was never hardened for it in practice.

Every construction I attempted that needed to open a committed polynomial at multiple points would eventually reach the same incompatible assertion and fail.

Solution: Replace the Substrate

The wall I kept hitting wasn't just another hard problem waiting to be solved. It was a fundamental property of the substrate I was building on, and the substrate needed to change.

By pivoting to an official copy of the latest Binius v0, I was able to resolve both the evaluation problem and the linkage architecture at the same time, and not through patches but through a fundamentally different design.

The first major structural difference is the separation of zerocheck and sumcheck into independent protocols. In the old fork, these were coupled, and the evalcheck machinery had to collapse each committed batch down to a single same-query point before it could proceed. Now, greedy_evalcheck returns a flat list of EvalcheckMultilinearClaim values with no per-batch collapse step, no MissingEvals error, and no same-query assertion. The reworked FRI protocol opens multiple evaluation points per committed polynomial natively.

Another major improvement is the channels system, which is what makes Veridium's linkage genuinely clean now. The new gkr_gpa (GKR grand-product argument) reduces a grand-product claim to an evalcheck claim on the existing committed inputs. No f' to commit. No running-product z column. No second commitment round and no extra opening of any kind. The linkage instead becomes a channel: the fold side pushes its query, round, M-coset) tuples in, the Merkle side pulls them out, and the channel's multiset balance is enforced natively by the GKR argument over inputs that are already committed. The balance being correct is the binding.

What took three failed attempts and ton of work to approach on the old substrate took a single isolated test to validate on the new one. Channel-based linkage proved and verified on synthetic data, then balanced correctly on real genesis data, with tamper-rejection working in both cases.

Addendum: Binius v0 vs. Binius64

It is true that Binius v0, the current substrate, is not being maintained and that Binius64 has superseded it. I had studied Binius64 for awhile, long before the multipoint-opening effort began, and my reasons for not adopting it still stand; for now.

Veridium's security model includes a predicted roughly five percent performance advantage for purpose-built hardware running the Rule 30 VDF. That gap is small enough to be meaningful as a mining incentive without being large enough to centralize the network, which is by design.

Binius v0's table-based arithmetization, with its binary tower fields operating at the bit level, is structurally more compatible with the kind of hardware arithmetization that could realize this advantage: FPGAs and custom ASICs that treat bitwise operations as native rather than mapping them down from 64-bit words.

By remaining on v0, Veridium maintains a hardware-compatible arithmetization that plausibly enables an easier path to validating that the predicted five percent mining advantage is preserved under custom hardware acceleration.

So this is not a permanent rejection of Binius64. The analysis done during the early research phases was based on the state of both systems at the time, and Binius64 continues to be actively developed. The tradeoff will look different once Veridium's untold hardware story is further along. For now, the v0 foundation is what makes the low-cost hardware mining thesis coherent, and that's reason enough to stay the course.