What it is. Railgun is a privacy tool layered onto other blockchains that hides who sent money, who received it, and how much, and it has no plan in place for the day quantum computers arrive.
What we found. An attacker can copy this hidden traffic today and, once a strong enough quantum computer exists, unlock the entire private history back to 2021 in one go, and nobody running Railgun has said what they will do about it.
Why it matters. Everyone who used Railgun for privacy would have their past payments exposed in public, so the protection they relied on fails retroactively, and once that history is exposed it cannot be made private again.
On-chain ZK privacy protocol, a suite of Solidity contracts deployed across Ethereum, Polygon, BSC, and Arbitrum (NOT a chain in its own right). Privacy guarantees rest on the hardness of discrete log on BabyJubJub and Curve25519/Ed25519 and of the pairing-based assumptions on BN254, all Shor-vulnerable. No published post-quantum migration plan as of 2026-05-01.
Summary
Railgun is a privacy PROTOCOL (Solidity contract suite plus client SDK) deployed across Ethereum, Polygon, BSC, and Arbitrum. The privacy-focused-chain scorecard profile is the closest fit but not a perfect fit, several rubric elements (4f BFT aggregation, 5b consensus client, 5c validator PQC keys) are structurally N/A or read as 0 because Railgun does not run a consensus layer of its own. Stage: 1 (Acknowledged, conservative read), no published DAO post-quantum statement; cryptographic awareness inferred from audit history and contributor commentary, not from a PQ position. Raw QRI: 24 (Band 3, Planning, lower edge; borderline Band 2, Acknowledged). After-cap QRI: 24 (caps all fire but do not bind below 24). Confidence interval plus-minus 7. Key uncertainties: (a) the symmetric encryption primitive used inside note ciphertexts is not specified in public Railgun docs (deduction taken on 1a); (b) Railgun is a contract suite, not an L1, so several rubric sub-scores are structurally N/A or 0 by classification; (c) the Ethereum Foundation Kohaku integration is announced but production cadence and integration depth remain unobservable; (d) the planned V2 cross-chain shielded pools (LayerZero-mediated) do not currently include any PQ migration scope. 0% mainnet PQC traffic, 0 published milestones, 0 PQ families deployed across the entire stack.
What the gates say
- Gate 1a, Hybrid signature: FAIL: no documented hybrid signature composition; Spending Keys pure BabyJubJub; Viewing Keys pure Ed25519; underlying-chain transaction signing pure ECDSA secp256k1
- Gate 1a, Hybrid KEM: FAIL: note encryption uses pure ECDH against the recipient's Ed25519/Curve25519 Viewing Key with no hybrid PQ KEM; underlying-chain RPC transport uses classical TLS
- Gate 1b, Commit-to-hash: COND: no OR-composition exists
- Gate 2, Evidence reconstruction: PASS: every sub-score carries ≥3 public URLs
- Gate 3, Primitive naming: PASS: every sub-score names exact primitives: BN254/alt_bn128, Groth16, BabyJubJub, Ed25519, ECDSA secp256k1, Poseidon, Keccak-256, EIP-1967 proxy, EIP-197/198/2494
Burn-vs-rescue policy on file
Declared option f, Undeclared. Railgun has not published a policy on what happens to legacy shielded notes once Shor enables retroactive decryption. The Bitcoin freeze/rescue framing translates here to: what to do when every historical Railgun shielded note becomes publicly readable on Q-day, exposing the sender, recipient, asset and amount of every transfer in the $4B+ of cumulative private-send volume since 2021. The DAO has issued no statement.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 26 / 100
Database/wallet local-storage encryption uses a 32-byte PBKDF2-derived secret; the symmetric primitive used inside SDK storage and note ciphertexts is not specified in public docs (single deduction). The score reflects that deduction plus a 10% Dim-1 weighted-contribution discount for Poseidon dependence inside the commitment/nullifier path.
Primitives in use: Groth16 zk-SNARK with Perpetual Powers of Tau trusted setup · BN254 / alt_bn128 (Ethereum's pairing-friendly precompile curve) · BabyJubJub (Spending Keys, BIP-32/BIP-39 derived; EIP-2494 zk-SNARK-friendly embedded curve) · Ed25519 (Viewing Keys, EdDSA on Curve25519) · Poseidon (sponge construction, ZK-friendly, ~128-bit preimage; Merkle commitment + nullifier hashing) · ECDSA secp256k1 (underlying-chain transaction signing for shield/unshield) · Keccak-256 (EVM native hashing)
Quantum impact per primitive:
- Groth16 over BN254 / alt_bn128 → Shor-break via pairings (discrete log in the pairing groups exposes the trusted-setup trapdoor)
- BabyJubJub Spending Keys → Shor-break via DL, no pairings needed
- Ed25519 Viewing Keys → Shor-break via DL, no pairings needed
- ECDSA secp256k1 → Shor-break via DL, no pairings needed
- Poseidon → research-grade ZK hash, 128-bit preimage claim, Grover-weakened to ~64-bit effective preimage
- Keccak-256 → Grover-weakened (256 → 128 bit)
0 PQ families on mainnet. Every primitive is pre-quantum DL/pairing/Poseidon-hash. No lattice, hash-based PQ signature, code-based, or isogeny PQ primitive deployed.
No Railgun primitive maps to NIST PQC security categories 1-5. BN254 delivers ~110 bits of pairing security under recent TNFS analyses (lower than the original ~128-bit claim). Under Shor, every EC and pairing primitive is fully broken; under Grover, the effective preimage security of the symmetric and hash primitives roughly halves in the exponent.
Railgun smart-contract suite audited by Trail of Bits, ABDK Consulting, and Zokyo. Constant-time engineering and machine-checked formal verification of cryptographic core NOT documented. Trusted-setup ceremony used Perpetual Powers of Tau (community-multiparty). Cryptanalytic-maturity tier mix: ECDSA secp256k1/Ed25519 tier 1; Keccak-256 tier 2; Groth16 + BN254 pairing tier 2-3; Poseidon tier 4.
2 Quantum Recovery Exposure weight 10% 14 / 100
Every Railgun shield/unshield transaction is authorized by an underlying-chain ECDSA secp256k1 signature from which the signer's public key is recoverable. The 0zk private address is built from a BabyJubJub Spending Key (authorizes zk-SNARK-proven spends) and an Ed25519/Curve25519 Viewing Key (decrypts received notes). The Viewing Key public point is published in the clear in every 0zk address; the address's Master Public Key component is derived from the Spending Key public point. Once Shor lands, the viewing scalar of every 0zk address that ever received funds is recoverable from public data, and spend authorization is forgeable for every active 0zk address.
There is no hashed-pubkey-then-revealed-at-spend scheme of the P2PKH kind that would shield never-spent addresses. Dormant/cold 0zk addresses holding shielded-pool balances therefore expose the same Forge surface as active ones.
The forge surface does not even depend on key exposure. Groth16 soundness rests on nobody knowing the trusted-setup toxic waste; with discrete log on BN254 broken, that trapdoor is recoverable from the published Perpetual Powers of Tau and circuit-specific setup elements, after which a proof the on-chain verifier accepts can be produced for any public input without a witness, including spends of notes the attacker never owned. Every underlying-chain ECDSA signature carrying a Railgun shield/unshield/transact call is likewise forgeable post-Shor. Historical spend proofs and signatures therefore lose non-repudiation, and the compliance trails built on them lose it with them.
Railgun is a contract suite, not a network-layer protocol, so there is no Railgun-specific validator gossip or RPC layer. The transport layer is whatever the underlying chain uses, and end-user RPC traffic runs over classical TLS. Broadcaster (relayer) infrastructure is community-operated and uses standard HTTPS. No PQ-hybrid TLS has been announced.
Every Railgun UTXO is committed to an on-chain Merkle tree as a Poseidon hash. The shielded balance is reconstructable only by the Viewing Key holder, who scans Shield/Transact events and decrypts the attached note ciphertexts with a symmetric key derived via ECDH between the sender's ephemeral key and the recipient's Viewing Key public point (Ed25519/Curve25519), the point published in the 0zk address. Because the long-term side of that ECDH is public and the ciphertexts sit permanently in event logs, an adversary harvesting those logs today can decrypt every shielded note once Shor runs at Curve25519 size; nothing in the scheme provides forward secrecy against recovery of the long-term viewing scalar. ~$108M TVL and $4B+ cumulative private-send volume are HNDL-exposed in their entirety. No announced PQ KEM migration.
3 Metadata, Anonymity & Confidentiality weight 25% 35 / 100
Railgun's UTXO model fully shields sender, recipient, token type, and amount inside the shielded pool. Transactions in the shielded pool appear to originate from a Broadcaster address. This is closer to Zcash shielded / Aleo records than to pseudonymous Ethereum/Bitcoin. Caveats: shield/unshield interactions DO link a public 0x address to an amount; Private Proofs of Innocence require depositors to prove their funds are not on a sanctioned-actor list; shielded pools on different chains are independent.
Railgun has no native RPC/mempool layer; the surface is inherited from the underlying chain. On Ethereum, Infura, Alchemy and QuickNode collectively serve the majority of dApp RPC traffic. Mempool gossip exposes pending shield/unshield transactions to any observer. The Broadcaster (relayer) layer adds per-transaction sender-IP obfuscation.
Railgun's shielded pools on Ethereum, Polygon, BSC, and Arbitrum are NOT natively cross-chain; there is no Railgun-internal bridge. To move a private balance from one Railgun chain to another, the user must unshield on chain A (linking a 0x address to an amount), use a third-party bridge, and shield again on chain B.
Dominant confidentiality risk for Railgun. Privacy guarantee for shielded note rests on (a) secrecy of recipient's Viewing Key (Ed25519, DL-secure) and Spending Key (BabyJubJub, DL-secure), and (b) secrecy of sender's ephemeral ECDH scalar. Once Shor lands, every published 0zk address yields its Viewing Key under polynomial-time attack, and entire history of Railgun shielded transactions on every chain since 2021 becomes publicly readable. One-shot mass de-anonymization on Q-day.
Railgun does NOT run a mix-network or cryptographic shuffle. Anonymity comes from (i) the SNARK shielded-pool model (Zcash-style commitment-and-nullifier), (ii) the Broadcaster relayer, which submits the transaction and pays gas so that neither the sender's 0x address nor the sender's IP appears on the submitting transaction, and (iii) the anonymity set that accumulates as commitments are added to the pool ($4B+ private-send volume, ~$108M TVL).
No Railgun governance proposal, blog post, Medium article, or DAO-treasury-funded research agenda announces post-quantum migration of note encryption. Publicly-visible roadmap lists compliance features (Private Proofs of Innocence), V2 architecture (cross-chain shielded pools via LayerZero, 2026 target), and Ethereum Foundation Kohaku integration, but no PQ KEM, no hybrid encryption testnet.
4 Migration Architecture weight 12% 40 / 100
Railgun contract suite uses EIP-1967 Transparent Upgradeable Proxy with Delegator contract owned by on-chain governance Voting contract. Successful DAO proposal can swap implementation contract, providing pathway to deploy PQ-revised implementation. Current architecture is deeply BN254-bound: Groth16 verifier uses Ethereum's BN254 pairing precompile (EIP-197), entire 54-circuit suite was built and trusted-set-up against this curve. No public crypto-agility spec.
Railgun account model has no native key-rotation primitive, 0zk address IS BabyJubJub Spending Key public point + Ed25519 Viewing Key public point, and rotating either requires unshielding to 0x address and re-shielding to new 0zk address (with sender-side correlation). EF Kohaku reference wallet (announced 2025 with Railgun integration) is closest published path to wallet-layer migration vehicle but does not address Railgun's cryptographic core.
Railgun has executed in-place upgrades via EIP-1967 proxy pattern multiple times since 2021 launch (V2 deployment, Private Proofs of Innocence integration, governance contract refinements). 30-day Sponsorship → 3-day vote → 1-day veto → on-chain execution flow with 500,000-RAIL sponsorship threshold. No contested or rolled-back upgrade documented.
No public hybrid PQ design exists. Architecturally, the deepest constraint on PQ migration is that the Groth16-over-BN254 proof system, the circuit suite, the trusted setup, the verifier and the in-EVM pairing precompile are all tightly coupled. A hybrid approach that verified both the classical Groth16 proof and a PQ-safe FRI/STARK-style proof would add the full cost of the second verifier on-chain, and FRI verification on the EVM is far more expensive than a single pairing check, so the gas increase is well beyond a doubling; it would also require a second implementation of every circuit statement for the new proof system.
Railgun does not use stateful hash signature schemes (XMSS / LMS / leanXMSS) anywhere. Stateless throughout. Default credit.
N/A, Railgun is not a chain and operates no consensus layer. Underlying chains (Ethereum, Polygon, BSC, Arbitrum) each have their own consensus signature scheme and are in scope for 4f question on their own scorecards.
5 Deployment Execution weight 18% 15 / 100
0% of Railgun's on-chain proof verification, note encryption, key derivation, or underlying-chain settlement runs on a PQC primitive as of 2026-05-01.
Railgun is a smart-contract suite, not consensus client. The Solidity contract repository contains no PQC primitive; the JavaScript/TypeScript Railgun-Community wallet SDK contains no PQC primitive. Underlying-chain consensus clients are out of Railgun's direct control.
Railgun has no validator set of its own; underlying-chain validators on Ethereum/Polygon/BSC/Arbitrum run classical schemes. For privacy-focused-chain scorecard profile, this sub-score reads as 0 by default since Railgun does not operate validators.
VOIDED to 0 per v3.1 rule (5a = 0). No dated, enforcement-mechanism-backed PQ milestone exists in any DAO governance proposal, Medium article, RAIL token roadmap, or contract repository plan.
Announced PQC = 0 in the trailing 12 months. Shipped PQC = 0. No deduction applies; full 15. Railgun's pre-PQC posture is stated by silence rather than by overclaim: there is no announced-but-unshipped PQC work.
Not disclosed by the project; estimated here. A Groth16 proof on BN254 is ~256 bytes uncompressed (two G1 points and one G2 point); a comparable FRI-based proof would be on the order of 50-200 KB, a multiplier above 100×, well past the 38× threshold.
6 Supply Chain Vendor Readiness weight 18% 18 / 100
Top wallet integrations are Railway Wallet (first SDK-integrated Railgun wallet), the upcoming EF Kohaku reference wallet, and several community integrations via the open Railgun-Community SDK. None has published a PQC roadmap. BabyJubJub-derived 0zk addresses are not on Ledger's supported-curve list as of 2026-05-01, which rules out hardware-secured Spending Keys on that device.
Cross-chain Railgun balance movement requires unshield → third-party bridge → shield, with bridges including Wormhole, LayerZero (planned for V2), Stargate, Hop, Across, Synapse. None has published PQC roadmap. Wormhole's 19-Guardian Ed25519 multisig, LayerZero's Ultra-Light Node oracle/relayer, Hop's bonded relayer model, all classical.
Institutional custody for Railgun's RAIL token supported on a few centralized exchanges (Bitfinex-listed presence). For BabyJubJub Spending Key custody scenario, none of top-tier institutional custodians (Coinbase Custody, BitGo, Fireblocks, Anchorage, Fidelity Digital Assets) lists Railgun 0zk address custody.
RPC dependence on underlying chain's RPC providers (Infura, Alchemy, QuickNode, Ankr), none has published Railgun-touching PQC roadmap. HSMs: BabyJubJub not on Ledger's, Thales's, or YubiHSM's supported-curve lists. TEEs: Broadcaster operations could in principle be run inside attested enclaves but no Railgun infrastructure documents this.
7 Governance & Coordination weight 5% 36 / 100
Railgun has no validator set; stake in Railgun context is RAIL governance staking that secures protocol upgrade authority. RAIL token distribution somewhat concentrated among early backers and Right to Privacy Foundation. Active Governor count and Nakamoto coefficient not published as headline metrics.
Railgun has executed proxy upgrades for V2 deployment, Private Proofs of Innocence integration, and governance refinements without contested splits. The Inferno Drainer + zkLend incidents (2024-2025) demonstrated governance and compliance layer can respond to specific high-profile events ($530K + $9.5M of attacker funds blocked).
Multiple named entities, Railgun DAO (on-chain governance via RAIL stakers), Right to Privacy Foundation (funded initial development as charitable grant; received 25% of initial token allocation), Railgun Project as Medium publication/community brand, and named contributors including co-founder. No named PQ migration WG or PQ-lead role exists.
Inferno Drainer ($530K blocked, 2024) and zkLend attacker ($9.5M blocked, 2025) episodes demonstrate that Railgun DAO + PPOI screening + Chainalysis Sanctions Oracle pipeline can coordinate against named adversaries. Protocol has not faced coordinated cryptographic-vulnerability response with active attacker pressure.
No community honeypot, no rate-limited spending rule, no cryptographic tripwire, no automated-response mechanism for Shor/pairing-break/note-encryption breakage. PPOI compliance pipeline is sanctions-screening tripwire, not quantum-readiness tripwire.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 2034-2041: Crisis Zone against Z10 (2030); outside the risk window only on the upper-bound trajectory.
Z-compliance
Outside the compliance window: NIST IR 8547 deprecates quantum-vulnerable public-key algorithms at the 112-bit security level after 2030 and disallows all quantum-vulnerable public-key algorithms after 2035.
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
An alternative-weighting view that places greater weight on the privacy chain's HNDL-decrypt surface (boosting the Dim 2 2e and Dim 3 3d/3f weights) yields a measurably lower QRI. Mainstream privacy-coin coverage emphasizes Railgun's compliance posture (PPOI, sanctions-list screening) and TVL/volume growth; no public-blockchain analyst treats post-quantum risk as a material factor.
Railgun's classification as privacy PROTOCOL rather than chain creates methodological divergence: under privacy-focused-chain scorecard profile, Railgun receives 0/0 effective score on consensus-related sub-scores (4f, 5b consensus client, 5c validator) that would not apply identically to an L1 privacy chain. An alternative classification treating Railgun's underlying-chain inheritance as a separate compounding risk would yield slightly lower QRI.
Delta-QRI under alternative weighting
Alternative weighting (Dim 2 Quantum Recovery Exposure from 10% to 15%, Dim 6 Supply Chain Vendor Readiness from 18% to 13%): QRI drops from 24 to ~21, a delta of -3.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none. Railgun's pre-PQC posture is stated by silence; there is no announced-but-unshipped PQC work.
Peers in the privacy-focused chain profile
9 chains closest to Railgun by Stage then QRI.