PENUMBRA · privacy-L2 · QRI 12 · BAND 2 Acknowledged Hybrid FAIL · Stage 0 · Washing 1x

Penumbra is the only chain where the worst-case scenario is silent. Shielded-by-default privacy built on Groth16 over BLS12-377 plus decaf377 discrete logs. Every historical tx is mathematically reversible once Shor lands. The shielded pool becomes the glass pool, retroactively, forever. Chaum's nightmare, shipped.

inLinkedIn XPost ▼Scorecard JSON ⇆Compare Verified 2026-04-18

Summary

Penumbra is the starkest retroactive-deanon case in the batch. Private-by-default shielded chain built on Groth16 + BLS12-377 + decaf377 discrete logs. Every historical tx's privacy is mathematically reversible when Shor arrives — Chaum's worst-case. Band 2 (Acknowledged) due to low raw scores + small ecosystem, but underlying risk is severe. Zero privacy preserved in suddenly-pre-migration scenario.

What the gates say

Hybrid: FAIL. No hybrid plan on file.
Evidence: PASS. Sources reconstructable by third party.
Primitive naming: PASS. Named primitives at every scored sub-level.

Burn-vs-rescue policy on file

undeclared

Seven dimensions

Each dimension scores 0-100 internally; the weighted roll-up produces the QRI on the left. Open a row to read the sub-score detail.

1 Cryptographic Exposure 35 / 100

1a_primitive_inventory 15 / 20

Strong primitive inventory — decaf377 + BLS12-377 + Poseidon named.

Primitives: decaf377 (group based on BLS12-377 curve) · Groth16 zk-SNARKs over BLS12-377 · Poseidon hash · Ed25519 (consensus via CometBFT) · Rescue-Prime

Evidence: protocol.penumbra.zone · Penumbra spec

1b_shor_grover_pq_tag 18 / 20

All primitives named with quantum tags.

Evidence: Penumbra protocol spec

1c_algorithm_family_diversity 0 / 20

1d_nist_security_category 0 / 20

1e_implementation_quality 2 / 20

Evidence: github.com

2 HNDL Exposure 18 / 100

2a_active_key 4 / 20

Shielded by default — full diversifier privacy, but spending keys derive from Ed25519-style material.

2b_cold_key 5 / 20

Same. Shielded pool all UM is inside.

2c_sig_long_term 4 / 20

Privacy commitments are long-lived — decaf377 group element commitments, ring signatures. Shor break retroactively de-anons ALL historical shielded tx.

2d_encryption_conf 5 / 20

Standard TLS. Private DEX (ZSwap) batch sealed-bid auctions — sealed-bid privacy relies on same Shor-breakable crypto.

3 Metadata & Privacy Exposure 35 / 100

3a_graph_visibility 18 / 20

Fully shielded by default — no transparent txs. Highest privacy profile.

3b_rpc_concentration 10 / 20

Small ecosystem — Penumbra Labs-operated nodes.

3c_bridge_correlation 8 / 20

IBC connects Penumbra to Cosmos — metadata leaks at IBC boundary despite shielded internals.

3d_retroactive_deanon 0 / 20

CRITICAL: Groth16 over BLS12-377 and decaf377 discrete-log commitments ARE Shor-broken. Every historical shielded Penumbra tx is retroactively de-anonymizable when Shor arrives. Worst-case Chaum scenario. Max score forced to 0-5.

4 Migration Architecture 20 / 100

4a_crypto_agility 5 / 20

Cosmos SDK module-based — theoretical extensibility, but zk-SNARK primitives are deeply embedded.

4b_aa_key_rotation 5 / 20

Limited AA.

4c_hard_fork_track_record 6 / 20

Young mainnet (2024).

4d_hybrid_deployment_readiness 4 / 20

No plausible hybrid zk-SNARK envelope on BLS12-377.

5 Deployment Execution 0 / 100

5a_mainnet_pqc_pct 0 / 20

5b_pqc_code_in_consensus 0 / 20

5c_validator_pqc_keys 0 / 20

5d_published_milestones 0 / 20

5e_pqc_washing_delta 0 / 20

6 Supply Chain Vendor Readiness 3 / 100

6a_wallet 1 / 20

6b_bridge 1 / 20

6c_custodian 0 / 20

No major custodian support.

6d_rpc_hsm 1 / 20

7 Governance & Coordination 30 / 100

7a_validator_stake_distribution 6 / 20

Small validator set.

7b_upgrade_cadence_under_pressure 8 / 20

Post-launch iteration.

7c_named_coordination_lead 10 / 20

Penumbra Labs + Henry de Valence.

7d_adversarial_coordination_precedent 6 / 20

No precedent.

The X + Y vs Z inequality

X (data shelf life): infinite (historical shielded state is forever reconstructable)

Y (migration time): 10-15

Z10 (10% CRQC year): 2036 · Z50 (50%): 2041

Verdict: X+Y > Z (danger).

Four-scenario grid

Scenario	Value preserved	Privacy preserved
quantum never	100%	100%
arrives suddenly pre migration	5%	0%
arrives slowly post migration	70%	5%
arrives slowly mid migration	25%	0%

Peers in the privacy-L2 profile

Order-book view of the 5 chains closest to Penumbra by QRI.

Public artifacts used for this scorecard

Each entry below is a sub-score citation. Clicking the link takes you to the public source. A third party should be able to reconstruct every number on this page from these URLs in 48 hours.

Cryptographic Exposure · 1a_primitive_inventory

Strong primitive inventory — decaf377 + BLS12-377 + Poseidon named.

Cryptographic Exposure · 1b_shor_grover_pq_tag

All primitives named with quantum tags.

Penumbra protocol spec

Cryptographic Exposure · 1e_implementation_quality

https://github.com/penumbra-zone/penumbra

Supply chain snapshot

wallet Penumbra Wallet · Keplr (Cosmos) · Prax 0 PQC roadmaps

bridge IBC 0 PQC roadmaps

custodian — 0 PQC roadmaps

rpc_hsm Penumbra Labs nodes 0 PQC roadmaps

A chain's supply chain cannot migrate faster than its slowest dependency. Zero PQC roadmaps in any of the four categories is a structural blocker, not a lagging indicator.

Analyst notes on the scoring

CRITICAL surprise in batch. Privacy chain with highest retroactive-deanon exposure. Scoring 3d=0/25 reflects that shielded privacy is entirely built on Shor-breakable primitives. Nano-cap ($1.9M MC per v1) limits immediate blast radius but methodologically Penumbra is the cautionary privacy example.

Scorecard metadata

Profile: privacy-L2
Scored: 2026-04-18 by layerqu-v2-scoring-agent-4
v1 reference: chainscreen-v1-archive
QRI raw: 15 · after caps: 12
Confidence interval: ±15
PQC washing ratio: 1x
Burn-vs-rescue: undeclared

Caps triggered

Mosca (5a<20%)
Sutor (5d=0)
Preskill (<3 artifacts multiple dims → ×0.5)
Casado (4 tiles pqc=0)
Hybrid gate FAIL → QRI cap 60