What it is. Taiko copies Ethereum's rules line for line and hands its ordering job back to Ethereum, then has four separate teams of machines re-check every batch of activity before it counts as final.
What we found. Taiko likes to point out that every batch now gets a full math-proof check, and people read that as safe against quantum computers, but the final stamp those proofs carry onto Ethereum is the exact kind of math a quantum computer would unpick, and so is the way users sign.
Why it matters. Having four checkers does not help if all four hand off through the same breakable stamp, and the worst place for that to give way is the bridge where deposited money waits, since whoever controls it could move everyone's funds at once.
Based, Type-1 Ethereum-equivalent rollup with multi-prover stack (SGX Geth + SGX Reth + SP1 + RISC0) and 100% ZK proof coverage. Proven crypto-agility at the multi-prover layer, but inner SP1/RISC0 STARK proofs are wrapped in BN254-pairing Groth16 for L1 verification (Shor-vulnerable) and user signing remains ECDSA secp256k1.
Summary
Taiko Alethia is a based, Type-1 Ethereum-equivalent rollup operated by Taiko Labs. Mainnet launched May 2024, rebranded to Taiko Alethia February 2025. Sequencing is delegated to Ethereum L1 proposers (no L2-native sequencer), preconfirmations live on mainnet, and the protocol settles validity via a multi-prover stack: SGX (Geth and Reth) plus zkVM provers SP1 and RISC0. Taiko reports 100% ZK proof coverage on mainnet (December 2025) using SP1 + Boundless. The previous in-house Halo2 ZK-EVM circuits are deprecated. Taiko Labs has no published post-quantum statement, no PQC AIP, no PQ primitives in taiko-geth or taiko-client. Crypto stack inherits Ethereum: ECDSA secp256k1 for user EOAs, BN254/Keccak-256/SHA-256 for proof verification and Merkle commitments, with EIP-7702 and ERC-4337 inherited via Pectra-equivalent upgrades. Migration Stage 0. Raw QRI 26.4. After-cap QRI 26.4 (no cap binding at this level). Band 2, Acknowledged. Confidence plus-minus 9. Largest uncertainties: whether 100% ZK coverage rollout includes any plan for a PQ verifier path, and whether multi-prover diversity narrative compensates for absence of any PQ family.
What the gates say
- Gate 1a, Hybrid signature: FAIL , no documented hybrid signature composition AND or OR at user signing or prover signing layer
- Gate 1a, Hybrid KEM: FAIL , no documented hybrid KEM at RPC TLS or prover-network transport
- Gate 1b, Commit-to-hash: COND , no OR-composition declared
- Gate 2, Evidence reconstruction: PASS , every non-voided sub-score has 3+ public artifacts
- Gate 3, Primitive naming: PASS , every named primitive specified: ECDSA secp256k1, Keccak-256, SHA-256, BN254 Groth16, SP1 zkVM (FRI/STARK), RISC0 zkVM (FRI/STARK), Intel SGX attestation, AES-128-GCM, X25519
Burn-vs-rescue policy on file
Declared option f, Undeclared. No Taiko Labs or Taiko DAO position on what happens to vulnerable EOA-held L2 funds in a quantum scenario. Rollup-L2-specific consideration: dormant L2 funds depend on canonical bridge contract's L1 ownership; if Ethereum L1 freezes vulnerable EOAs at L1 escrow side, L2 mirror state inherits. But for users who only ever interacted at L2, the bridge-contract escrow on L1 is keyed under Taiko's bridge admin set.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1 Cryptographic Exposure weight 12% 32 / 100
Three distinct proof systems on L1: SGX, SP1, RISC0. Previous in-house Halo2-based ZK-EVM circuits explicitly deprecated per Raiko README.
ECDSA secp256k1 (EOA signatures, inherited from Ethereum) · Keccak-256 (hashing and Merkle-Patricia tries) · SGX attestation (Intel SGX enclaves; SgxVerifierGeth, SgxVerifierReth) · SP1 zkVM (STARK-based RISC-V zkVM by Succinct) · RISC0 zkVM (STARK-based RISC-V zkVM by RISC Zero) · Groth16 over BN254 (SP1/RISC0 on-chain wrapping for L1 verification) ECDSA secp256k1→ Shor-break-via-DL-without-pairingsKeccak-256→ Grover-weaken (256→128-bit)BN254 Groth16 (SP1/RISC0 on-chain wrapper)→ Shor-break-via-pairingsSHA-256→ Grover-weakenSP1 zkVM (FRI-based STARK)→ PQ-safe at the prover-soundness layer (FRI is hash-based)RISC0 zkVM (FRI-based STARK)→ PQ-safe at the prover-soundness layerIntel SGX attestation→ relies on Intel attestation root keys (RSA-2048/ECDSA P-256), Shor-vulnerable
0 PQ families deployed at user/consensus signature layer. Proof-system layer hosts FRI-based STARK primitives (PQ-safe at soundness) but they are wrapped in BN254-pairing Groth16, so on-chain verification path is Shor-vulnerable end-to-end.
No NIST FIPS 203/204/205 PQC primitive deployed by Taiko Labs.
Shasta protocol re-audit by OpenZeppelin (2026-01-27): 0 critical, 0 high, 0 medium, 3 low (resolved). Earlier Code4rena 2024-03 contest. Trail of Bits coverage on related zkVM components (SP1, RISC0). No machine-checked formal proofs of verifier contracts. Cryptanalytic tier mix: Tier 1 (ECDSA, Keccak-256, SHA-256), Tier 2 BN254 pairing, Tier 4 (SP1/RISC0/Boundless prover ecosystems).
2 Quantum Recovery Exposure weight 8% 22 / 100
Taiko Alethia TVL materially smaller than top-tier L2s. EOAs use ECDSA secp256k1; pubkey revealed on first transaction.
Mainnet live since May 2024 (~24 months). Smaller dormant-balance surface than older L2s.
Validity-proof verification on L1 uses BN254-pairing Groth16 wrappers around SP1/RISC0 STARK proofs, plus SGX attestation signatures rooted in Intel's RSA/ECDSA attestation chain. Both surfaces Shor-vulnerable. Sequencer-side signatures inherited from Ethereum L1 proposers (based-rollup property).
Public RPC endpoints served over standard TLS 1.3 (X25519/P-256 ECDHE + AES-GCM). No documented hybrid PQ KEM in Taiko's RPC stack.
3 Metadata, Anonymity & Confidentiality weight 8% 21 / 100
Pseudonymous transparent EVM ledger (Taikoscan). Full tx graph public.
As based rollup, sequencing delegated to Ethereum L1 proposers. Permissionless block production. Preconfirmations live on mainnet. Structurally reduces sequencer concentration relative to single-sequencer L2s. Public RPC endpoints concentrate among Alchemy/Infura/QuickNode.
Canonical Taiko Bridge produces direct on-chain linkage. Third-party bridges via Stargate/LayerZero/Symbiosis/XY Finance/Rubic make L1↔L2 hop traceable.
No shielded pool on Taiko Alethia. ECDSA Shor-breaks address pseudonymity once linked to identity off-chain.
No on-chain mixer integrated.
4 Migration Architecture weight 15% 61 / 100
Type-1 Ethereum-equivalent inherits Ethereum's crypto-agility surfaces by design. Shasta hard fork (Q4 2025) included EIP-7702. Pacaya hard fork (2025) and Ontake (2024) preceded Shasta. Type-1 equivalence means Taiko cannot ship user-signature-scheme change unilaterally, must wait for Ethereum L1. Multi-prover architecture IS form of cryptographic agility at proof-verification layer.
ERC-4337 supported on Taiko (Ethereum-equivalent EVM); EIP-7702 inherited via Shasta upgrade path. Architecturally tractable PQ migration via smart-account verifying ML-DSA or SLH-DSA. No Taiko-specific client-layer PQ migration documented or deployed.
Coordinated upgrade record over trailing 24 months: mainnet launch May 2024, Ontake hard fork (2024), Pacaya hard fork (2025), rebrand to Taiko Alethia February 2025, Shasta hard fork Q4 2025 (100% ZK coverage; Pectra/EIP-7702). DAO + Security Council governance. No contested or stalled forks.
ERC-4337 + EIP-7702 + multi-prover architecture make hybrid (classical + PQ) verification path architecturally constructible. A future PQ-circuit prover could be added as a fifth verifier alongside SGX Geth, SGX Reth, SP1, RISC0 under existing Standard Proposal #20-style governance pattern. No such hybrid spec'd.
Default-pass per v3.1 rule. No stateful hash scheme.
N/A, Taiko Alethia is a based rollup; ordering is delegated to Ethereum L1 proposers and validity is established via the multi-prover stack. No BFT consensus with BLS signature aggregation at the Taiko layer.
5 Deployment Execution weight 22% 14 / 100
Zero PQ signatures observed in Taiko Alethia transaction stream. Multi-prover stack uses BN254-pairing Groth16 wrappers for on-chain verification (not PQ).
Grep of taiko-geth, taiko-client, raiko, and taiko-mono yields no ML-DSA, ML-KEM, SLH-DSA, Falcon, XMSS, or SPHINCS+ implementation.
Based rollup uses Ethereum L1 proposers as sequencing layer; no Taiko-specific validator set with own keys. Provers (SGX, SP1, RISC0) operate on Intel attestation roots and zkVM proof keys, none PQ.
VOIDED to 0 per v3.1 (5a = 0). Standard Proposal #20 covers SP1/RISC0 verifier image rotation, not PQ.
Trailing 12-month PQC announcement count from Taiko Labs/Taiko DAO channels: 0. Shipped PQ on mainnet: 0. Cleanest possible washing posture.
Voided per Gate 2, no PQ signature deployed.
6 Supply Chain Vendor Readiness weight 25% 16 / 100
Top-3: MetaMask, Rabby, Safe (smart-account on Taiko). Hardware: Ledger, Trezor. Trezor Safe 7 ships ML-DSA-44 device attestation + SLH-DSA-128 bootloader (firmware integrity, not transaction signing).
Top-3: canonical Taiko Bridge, Stargate (LayerZero), Symbiosis. Tile is the chain's largest concrete PQ exposure: a future quantum forge of bridge admin or canonical-bridge guardian key would be catastrophic.
Top-3: Coinbase Custody, BitGo, Anchorage. None has publicly shipped PQ key migration on Taiko mainnet. Industry trade press describes custodians as piloting quantum-resistant key migration roadmaps, pilot, not shipped.
Top-3 RPC: Alchemy, Infura, QuickNode. AWS KMS shipped ML-DSA support 2025-06. Intel SGX is load-bearing primitive in Taiko's multi-prover (SGX Geth + SGX Reth verifiers mandatory), and SGX attestation roots remain classical. AWS KMS ML-DSA generic, not Taiko-bound.
7 Governance & Coordination weight 10% 49 / 100
Based rollup, ordering delegated to Ethereum L1 proposers (permissionless block proposing for L2). Multi-prover diversity (SGX Geth + SGX Reth + SP1 + RISC0; two valid proofs requirement with SGX Geth mandatory). Decentralization roadmap aims for full DAO ownership transfer.
24-month track record of coordinated upgrades through DAO governance: Ontake (2024), Pacaya (2025), Shasta (Q4 2025). Audit pre-commitment via OpenZeppelin re-audits. Mainnet → 100% ZK proof coverage by December 2025.
Taiko Labs is named protocol-development entity; co-founders Daniel Wang (CEO; previously Loopring Foundation founder) public. Taiko DAO operational with Security Council. No designated PQ lead.
Multi-prover transition (Pacaya) and 100% ZK coverage rollout (Q4 2025) executed without contested forks. No precedent of coordinated cryptographic-primitive change under active attacker pressure.
No quantum canary embedded in Taiko Alethia protocol.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 2031-2041; Crisis Zone (vs Z10 2030); Outside risk window (vs Z25 2035)
Z-compliance
Outside compliance window for any jurisdiction with hard-stop 2030
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
100% ZK coverage framing (December 2025) implies ZK = quantum-resistant in some popular coverage. SP1/RISC0 inner proofs are FRI-based (PQ-safe at soundness), but the on-chain wrapper is BN254-pairing Groth16 (Shor-vulnerable). LayerQu scores the on-chain verification path as classical because that is the binding cryptographic surface.
L2BEAT and DefiLlama report differing TVL/TVS bands depending on inclusion rules (canonical bridge balance vs total bridged ETH/USDC); no specific point-figure asserted.
Delta-QRI under alternative weighting
Estimated -2 (QRI ~22 if supply-chain weighted at 30%).
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, zero washing; no inflated narrative; equally, zero substance
Peers in the rollup-L2 profile
9 chains closest to Taiko Alethia by Stage then QRI.