Foundation docs explicitly name every primitive used at protocol level. Minor deduction: TLS/transport layer for validator gossip is not separately specified in public foundation docs.

Every signing, encryption, proof-system, and consensus primitive in active use depends on hardness of discrete logarithm or pairing problems on BLS12-377 / Edwards-BLS12. No PQ-safe primitive is in mainnet use.

0 PQ families on mainnet (all primitives are pre-quantum DL/pairing-based). No lattice, hash-based, code-based, or isogeny PQ primitive deployed. Diversity Cap is not yet triggered (it fires on lattice-monoculture); Aleo is in a pre-cap state of zero PQ families.

No primitive in active use maps to NIST PQC categories 1-5. BLS12-377 targets ~128-bit classical security; Edwards-BLS12 targets ~125-bit classical; Poseidon parameter sets target 128-bit classical.

snarkVM and snarkOS underwent three independent audits (Trail of Bits, NCC Group, zkSecurity) covering Varuna and surrounding protocols; Varuna has a SageMath reference implementation. Constant-time engineering and formal verification are NOT documented for Aleo's core crypto. Library provenance: pure-Rust internal arkworks-derived stack. Cryptanalytic-maturity tier mixed: SHA-2/3 / Keccak / BLAKE2s tier 2, Schnorr/ECDH on Edwards curves tier 1, Poseidon and Varuna tier 4 (research-grade).

Every Aleo account address is an Edwards-BLS12 public-key point published on-chain at first transaction. Schnorr signatures over Edwards-BLS12 reveal the public key implicitly through the signature equation. With ~25 validators each holding a stake-weighted Edwards-BLS12 keypair signing every block, validator compromise is also a Forge surface.

Cold/dormant Aleo holdings sit at known Edwards-BLS12 addresses on-chain; the address IS the public key (Bech32-encoded). Unlike Bitcoin P2PKH where the pubkey is hashed and only revealed at spend, Aleo addresses publish the curve point at account creation. Cold funds are fully Forge-vulnerable today via passive on-chain harvesting.

Every transaction-authorizing Schnorr signature and every consensus BatchSignature on the chain since 2024-09-18 is verifiable post-Shor against a forged version. Combined with on-chain pubkey publication, historical authorization records lose non-repudiation once Shor lands.

Validator-to-validator gossip in AleoBFT runs over the snarkOS P2P network; the foundation has not published the transport-layer cipher suite. RPC endpoints typically run TLS at infrastructure provider level. By inference, the entire validator-mesh and RPC layer uses classical TLS with X25519/secp256r1 KEM, which is HNDL-vulnerable.

Every Aleo record payload is sealed by an ECDH key-agreement on Grumpkin between sender and recipient (via the recipient's incoming viewing public key), with AES-128-GCM applied to the note payload. Both halves of the construction are HNDL-broken under Shor: the ECDH key agreement on Edwards-BLS12 is a discrete-log instance broken by Shor; the resulting AES-128 has only 64-bit Grover security. An adversary harvesting all note ciphertexts plus all ivpks now decrypts every shielded payload, sender, recipient, asset type, amount, contract being called, once a CRQC against Edwards-BLS12 DL exists. USDCx institutional-grade private stablecoin transactions (live since 2026-01-27) inherit this vulnerability. There is no hybrid PQ KEM testnet, no announcement, no plan.

Aleo's record model fully shields transaction inputs/outputs/amounts/programs behind zk-SNARK proofs (Varuna). On-chain visible state for a private transaction is a serial-number nullifier set + record commitment + encrypted record + proof, closer to Zcash shielded than to pseudonymous Bitcoin/Ethereum. Public records also supported. Per-transaction sender-address leakage opt-in via v4.0.0 encrypted-sender field.

Top-3 RPC concentrated among a small set (Aleoscan, Provable Explorer, Lavender.Five Nodes), partially offset by Leo Wallet and Puzzle Wallet running their own infrastructure. Mempool gossip observable to all 25 validators by AleoBFT design. Validator metadata retention policy undeclared.

Bridges into Aleo (Wormhole, LayerZero, custodial xReserve for USDCx) are observable on the source chain. Circle's xReserve is a centralized mint/burn pipeline whose books link USDC↔USDCx 1:1, providing a strong correlation channel for institutional flows.

Dominant confidentiality risk for Aleo. The privacy guarantee for a record relies on (a) the secrecy of the recipient's view key derived from the Edwards-BLS12 secret, and (b) the secrecy of the random scalar used in the record-encryption ECDH. Both are protected only by the discrete-log problem on Edwards-BLS12. Once Shor lands, every historical Aleo private record encrypted to a published address is decryptable. Combined with on-chain pubkey publication and full chain history availability, this gives an attacker a one-shot mass de-anonymization of every transaction since 2024-09-18, including USDCx payroll, vendor, and institutional transfers since 2026-01-27.

Aleo does not run a mix-network or cryptographic shuffle protocol at the protocol layer. Privacy comes from the SNARK record model itself (hidden inputs/outputs), not from mixing. No on-chain commit-reveal mix, no cMix-class IT-secure shuffle, no precomputation/cover-traffic infrastructure.

No Aleo Foundation, Provable, or community-ratified ARC announces post-quantum migration of record encryption. The publicly-visible roadmap and snarkOS v4.x release notes through 2026-05-01 list AleoBFT consensus upgrades, AleoVM developer experience, prover staking, program upgradability, priority fees, encrypted-sender records, and USDCx, but no PQ KEM, no hybrid encryption testnet, no announced sunset of ECIES-on-Edwards-BLS12.

snarkOS has demonstrated coordinated hard-fork upgrades (v3.3 validator-set expansion, v4.0 record-model upgrade, v4.1 program upgradability, v4.2 fee-market) but no algorithm-switch event. The new record versioning system introduced in v4.0.0 is described as enabling adaptation to evolving regulatory requirements but does not specify an algorithm-replacement path.

Aleo accounts have no key-rotation primitive, the address is the public key, and rotating it requires moving funds to a new address (with sender-side correlation). There is no native account-abstraction path comparable to ERC-4337 / EIP-7702. Compute keys allow third-party transaction generation but not algorithm rotation.

In ~20 months since mainnet, Aleo executed validator-set expansion (Feb 2025), three coordinated v4.x hard forks (v4.0.0 Jul 2025, v4.1.0, v4.2.0 Sep 2025), and v4.4.0 Nov 2025, all without contested splits. Track record is short but clean.

No public hybrid PQ design exists. Architecturally, the SNARK proof system (Varuna over BLS12-377) is the deepest constraint on agility, replacing it with a FRI-based proof system is technically feasible but would require a full re-instantiation of snarkVM. Record encryption could in principle be migrated to a hybrid KEM (ML-KEM concatenated with current ECIES) more cheaply, but no ARC proposal exists.

Aleo does not use stateful hash signature schemes anywhere in the stack. Schnorr-on-Edwards-BLS12 is stateless. Per rubric, stateless-by-default chains score full 15.

AleoBFT signs BatchProposes/BatchCertificates with Schnorr signatures on Edwards-BLS12 from each of the 25 validators (no BLS aggregation). 2f+1 BatchSignatures are aggregated into a BatchCertificate. The consensus signing primitive itself is Shor-vulnerable Schnorr-on-EC. No PQ-replacement path is declared for consensus signing.

0% of consensus signing, transaction signing, record encryption, or proof generation runs on a PQC primitive as of 2026-05-01.

snarkOS contains no merged PQC primitive (no ML-DSA, no SLH-DSA, no ML-KEM, no FRI proof system) as of 2026-05-01.

0 of 25 validators run PQC consensus keys.

VOIDED to 0 per v3.1 rule (5a = 0). No dated, enforcement-mechanism-backed PQ milestone exists in any ARC, snarkOS release plan, or roadmap publication.

Announced PQC = 0 in trailing 12 months (no foundation blog post, ARC, social post, or press claim). Shipped PQC = 0. Ratio = 0/0 (undefined; treating as not-deduction-eligible because there is no announcement to falsify). Aleo is honest about its current posture by silence.

Undisclosed. With no announced PQ scheme, the bytes-per-block footprint under PQ is unknown. If Aleo were to migrate consensus to ML-DSA-65 (~3,300 byte sigs vs ~64 byte Schnorr), the multiplier across 25 BatchSignatures per round would be ~50×, beyond the rubric's >38× threshold.

Top wallets are Leo Wallet (Provable-acquired in 2025) and Puzzle Wallet. Neither has published a PQC roadmap. WalletConnect support for Aleo is partial. No top-3 wallet ships PQ key derivation.

USDCx uses Circle's centralized xReserve mint/burn pipeline (not a trustless bridge, no PQC roadmap from Circle for the xReserve back-end). General cross-chain messaging via Wormhole / LayerZero is at design discussion stage.

Launch partners include Blockdaemon (node operator/custody-adjacent), Chainalysis (compliance), Toku (payroll), Request Finance (invoicing). Top-tier institutional custody (Coinbase Custody, BitGo, Fireblocks, Anchorage) does not yet support Aleo native asset custody at scale. None of the named partners has a published PQC roadmap that covers Aleo keys.

RPC/explorer providers include Aleoscan, Provable Explorer, Lavender.Five Nodes, with broader provider support limited (no Infura/Alchemy/QuickNode mainstream support documented for Aleo). HSMs: no documented Ledger / Thales / YubiHSM integration for Aleo Edwards-BLS12 / Schnorr keys (Aleo curves are not on Ledger's supported list as of 2026-05-01). TEEs not used in core consensus path.

25 validators on mainnet (expanded from 16 in Feb 2025), max 200 by protocol rule. Minimum 10M ALEO stake to validate. Client diversity is effectively single-client (snarkOS reference implementation). Stake distribution skewed by foundation/Provable holdings at genesis.

Validator-set expansion, three v4.x hard forks within Q3 2025, v4.4 in Nov 2025, all coordinated cleanly. No demonstrated coordinated upgrade under live attacker pressure.

Aleo Network Foundation (non-profit, oversees core development) and Provable Inc. (for-profit, core dev shop). Public governance via vote.aleo.org and ARC process. No named PQ migration WG or PQ-lead role.

Aleo's mainnet launch in Sep 2024 had launch-day issues (community criticism re token distribution / inflation), resolved without fork. No major adversarial-attack coordination precedent.

No community honeypot, no rate-limited spending rule, no cryptographic tripwire, no automated-response mechanism for Shor / record-encryption breakage published.