What it is. Linea is a faster, cheaper add-on to Ethereum that is often promoted as already protected against future quantum computers.
What we found. That protection claim points at an internal engine part, while the layer that actually guards user money still relies on math a quantum computer could one day break, and none of it is fixed yet.
Why it matters. Holders and businesses could trust their funds are safe from quantum attack when they are not, and because one company runs nearly every piece of Linea, that single company decides whether and when the gap gets closed.
ConsenSys-developed Type-2 zkEVM whose user signature path is plain ECDSA secp256k1 and whose final L1 verifier is PLONK-KZG over BN254 (pairing-based, Shor-breakable). The inner Vortex commitment uses a Ring-SIS lattice hash, but lattice content sits inside a Shor-vulnerable pairing-based wrapper, not at the L1-verifiable security boundary.
Summary
Linea is a ConsenSys-developed Type 2 zkEVM rollup whose user-signature path is plain ECDSA secp256k1 inherited from Ethereum, whose final L1-verified proof is PLONK-KZG over BN254 (pairing-based, Shor-breakable), and whose inner Vortex commitment uses a Ring-SIS lattice hash with Reed-Solomon encoding. Marketing copy that calls Linea lattice-based or quantum-resistant describes the inner commitment, not the L1-verifiable security boundary that user funds depend on. No PQ-safe primitive sits at that boundary today. Migration Stage 1 (Acknowledged). Raw QRI 25. After-cap QRI 25. Band 3 Planning. CI plus-minus 10. Key uncertainties: (i) whether to count Vortex Ring-SIS inner-commitment lattice content as shipped PQC (we treat the security boundary as authoritative); (ii) sequencer/prover decentralization timeline beyond Phase 2; (iii) ConsenSys vendor concentration (MetaMask, Infura, sequencer, native bridge, custody all under one roof) could accelerate PQ migration coordination once decided, or bind the chain to one vendor's PQ posture.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no documented hybrid signature composition at account or sequencer level; ECDSA secp256k1 throughout
- Gate 1a, Hybrid KEM: FAIL , no hybrid KEM in RPC TLS or sequencer transport; standard X25519/ECDHE-secp256r1/RSA cert chains
- Gate 1b, Commit-to-hash: COND , only relevant if Gate 1a-Sig OR-composition declared
- Gate 2, Evidence reconstruction: PASS , every sub-score reconstructible from cited public artifacts
- Gate 3, Primitive naming: PASS , every primitive named with mechanism: ECDSA-secp256k1, PLONK-KZG-over-BN254, PLONK-over-BLS12-377, PLONK-over-BW6-761, Vortex-over-Ring-SIS+Reed-Solomon, MIMC, KoalaBear-prime-field, Keccak-256
Burn-vs-rescue policy on file
Declared option f, Undeclared. No protocol-level burn/freeze of unmigrated balances declared. No rate-limit canary. No Linea-specific STARK-rescue analogue. EIP-7702 + ERC-4337 give an optional migration substrate inherited from Ethereum, but Linea has not declared a position on what happens to ECDSA balances after a CRQC threshold or how unmigrated state would be treated.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 45 / 100
Multi-layer prover documented in code and the linea-monorepo. Final L1 verification is PLONK-KZG over BN254, pairing-based.
ECDSA secp256k1 (transaction signatures, EOA model) · Keccak-256 (Ethereum-state hashing, EVM) · SHA-256 (precompiles) · Vortex (list-polynomial-commitment over Reed-Solomon encoded rows; column hash on Ring-SIS lattice + MIMC) · PLONK over BLS12-377 (execution proofs) · PLONK over BW6-761 (aggregation) · PLONK-KZG over BN254 (final outer proof posted to L1) · KoalaBear 31-bit prime field (small-field Vortex variant) ECDSA secp256k1→ Shor-break-via-DL-without-pairingsKeccak-256→ Grover-weaken (256→128-bit)PLONK-KZG over BN254 (final L1 verifier)→ Shor-break-via-pairingsPLONK over BLS12-377→ Shor-break-via-pairingsPLONK over BW6-761→ Shor-break-via-pairingsVortex over Ring-SIS + Reed-Solomon (inner commitment)→ structurally PQ-safe-by-family but recursively wrapped in Shor-vulnerable PLONK-KZG outer proofMIMC hash→ Grover-weaken (research-grade ZK hash, tier 4)
Multi-curve, multi-commitment diversity within the Shor-vulnerable surface. The Ring-SIS/lattice ingredient sits inside a Shor-breakable pairing-based wrapper, so deployed PQ-safe family count at the L1-verifier boundary is 0.
No NIST-standardized PQ primitive (ML-DSA, ML-KEM, SLH-DSA, FN-DSA/Falcon) in any signing or KEM path.
gnark and Linea zkEVM specification have third-party security audits (Least Authority audited Limitless Prover, 2025). Standard practice for ECDSA secp256k1. Stateless schemes throughout. Cryptanalytic tier: tier-1 ECDSA/SHA-256/Keccak; tier-2 BN254/BLS12-377; tier-3 Ring-SIS; tier-4 MIMC and KoalaBear.
2 Quantum Recovery Exposure weight 8% 29 / 100
Every Linea EOA is a secp256k1 ECDSA keypair inherited from Ethereum. MetaMask is the dominant wallet and is owned by ConsenSys.
Linea Mainnet Alpha launched 2023-07-11; chain age ~2 years 10 months. Native LINEA token TGE 2025-09-10 added a fresh airdrop cohort across ~749k wallets.
Historical secp256k1 signatures are post-Shor forgeable. L1 PLONK-KZG verifier is itself Shor-breakable (BN254 pairings).
RPC endpoints terminate over standard TLS 1.3 with X25519/ECDHE-secp256r1/RSA. No hybrid PQ KEM in deployed RPC stack. Sequencer is centralized so on-wire collection is concentrated.
3 Metadata, Anonymity & Confidentiality weight 8% 20 / 100
Pseudonymous, transparent ledger. Full tx graph visible via L2 explorers and L1 blob/calldata. MetaMask routing (default RPC = Infura) further concentrates per-user IP correlation.
Top-3 RPC providers (Infura, ConsenSys-owned, Alchemy, QuickNode) concentrate >70% of inbound RPC traffic. Mempool gossip observability constrained because sequencer is single, ConsenSys-operated.
Linea Native Bridge correlates L1↔L2 addresses via message-passing contract on Ethereum. Third-party bridges (LayerZero OFT, Across, Stargate, Hop) compound source-dest correlation.
No mainnet shielded pool. Retroactive de-anon under Shor limited to recovery of secp256k1 private keys.
No structural mix layer.
4 Migration Architecture weight 15% 65 / 100
Linea inherits Ethereum's crypto-agility surface, EIP-7702 (Pectra, 2025-05-07) lets EOAs delegate to smart-contract code. ERC-4337 supported. ConsenSys controls Vortex/Wizard/PLONK pipeline as monorepo-internal upgrades, KoalaBear and Limitless Prover deployment done without contested fork.
Inherits Ethereum's AA toolkit (ERC-4337 + EIP-7702). MetaMask Smart Accounts ships AA UX. No published default-AA-with-PQ-validation.
Multiple coordinated upgrades since mainnet alpha (2023-07): Beta v1 (2024), Pectra alignment (2025), TGE (2025-09-10), Limitless Prover (2026-02-20), 100 mGas/s milestone, KoalaBear upgrade, Phylax Credible Layer 2026-01-28, Yield Boost 2026-03-30. No contested fork.
AA + EIP-7702 makes hybrid signature composition architecturally trivial at account-contract level. No Linea-published hybrid spec, testnet, or pilot. Inner Vortex layer is lattice-based but wrapped in Shor-vulnerable outer PLONK-KZG.
N/A, no stateful-hash scheme. Default credit.
N/A, Linea has no permissionless BFT validator set today. Sequencer is centralized. Weight redistributes.
5 Deployment Execution weight 22% 10 / 100
0% on user-signature path. The Vortex inner-commitment layer uses a Ring-SIS lattice hash but the L1-finalized proof is PLONK-KZG over BN254.
Vortex (lattice-based, Ring-SIS hash + Reed-Solomon, with KoalaBear and BLS12-377 small-field variants) is shipped in production prover monorepo. NOT the security boundary.
Sequencer is single, ConsenSys-operated. No validator set in L1-style sense.
VOIDED to 0 per v3.1 (5a = 0). Linea roadmap names dated milestones but none is a PQ migration milestone.
Recurring claim across third-party explainers and ConsenSys-adjacent marketing that Linea's prover is lattice-based (≥10 third-party articles). Shipped PQC at security boundary: 0. Estimated ratio: ~5-8× when scored against user-funds threat model.
VOIDED. No PQ scheme is the default; no footprint measured.
6 Supply Chain Vendor Readiness weight 25% 0 / 100
Top-3: MetaMask (ConsenSys-owned), Rabby, Trust Wallet. PQC roadmap: 0. Concentration of Linea traffic under one ConsenSys-owned wallet is a structural single point of failure.
Linea Native Bridge (canonical, ConsenSys-operated), LayerZero (OFT), Across. PQC roadmap: 0.
MetaMask Institutional (ConsenSys), Fireblocks, BitGo. None has published Linea-asset-specific PQ roadmap.
Infura (ConsenSys-owned, dominant), Alchemy, QuickNode. None ships PQ-enabled RPC TLS as default. HSM/TEE provenance not publicly disclosed.
7 Governance & Coordination weight 10% 35 / 100
Sequencer is single, ConsenSys-operated. State-root proposers whitelisted. Nakamoto coefficient at sequencer layer = 1.
Strong delivery cadence, Limitless Prover, KoalaBear small-fields upgrade, 100 mGas/s, Pectra alignment, TGE, Phylax Credible Layer integration.
ConsenSys (founded by Joe Lubin) is named institutional sponsor; Linea Foundation is formal governance entity post-TGE. Strong cryptography research bench inside ConsenSys (gnark library team). No named PQ migration working group.
ConsenSys handled MetaMask Snap security incidents and rollup-class exploits via Phylax Credible Layer. No demonstrated coordinated cryptographic change under live attacker pressure.
No canary, honeypot, rate-limit, or cryptographic tripwire embedded.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 2036-2051, Crisis Zone (vs Z10 2030); Outside risk window at central case (vs Z25 2035)
Z-compliance
Outside compliance window flagged under NIST IR 8547 disallowance 2035
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Linea/ConsenSys product copy and several third-party explainers describe the prover as lattice-based and frame this as a quantum-resistance property. The architecture documentation makes clear that the L1-finalized proof is PLONK-KZG over BN254 (pairing-based and Shor-vulnerable). The lattice content sits inside the inner Vortex commitment, not at the security boundary.
L2BEAT classification (Stage 0, 5/6 requirements met) and the decentralization roadmap describe the sequencer/prover as currently centralized; phased decentralization through 2026 is mapped; PQ migration is not on the public roadmap.
Delta-QRI under alternative weighting
Alternative-weighting that treats Vortex inner-commitment Ring-SIS as shipped PQ and credits 5a 8/25, 5b 9/15: +5 → QRI ~30 (still Band 3 Planning, just at the upper boundary).
Announcement-to-shipped ratio
Announced: 15. Shipped: 1. Ratio: 7.5.
Tag: >1.5x deduction applied via 5e (-3 from 9 to 6). Borderline against the >2.0 cap-65 line; not over it. The lattice-content claim is not vapor, Vortex Ring-SIS is real shipped code, but the security-boundary reading materially differs from the marketing surface.
Peers in the rollup-L2 profile
9 chains closest to Linea by Stage then QRI.