zkSync Era publicly enumerates most primitives across user, prover and settlement layers.

The proof-system architecture is hybrid in mathematical structure but not in security: the on-chain verifier is BN254-pairing-based (Shor-vulnerable). Matter Labs claims Airbender is 'resilient against quantum threats' but this applies to the FRI inner proof, not to the on-chain FFLONK wrapper that L1 actually verifies, nor to user signatures.

Families: 1 (hash). Hash-based primitives are present in production within the inner proof layer (Boojum FRI, Airbender FRI/STARK). No lattice, code-based, or isogeny family is deployed. No PQ signature scheme (ML-DSA, Falcon, SLH-DSA, XMSS) ships at the user, sequencer, or proposer level. The hash-only inner proof is genuine PQ deployment for a narrow surface (proof soundness against a quantum prover) but does not extend to the user signature path, the on-chain verifier wrapper, or KEMs.

zkSync Era has not deployed any NIST FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA) primitive. No public mapping exists at any subsystem. Per Gate 3, this sub-score is voided to 0.

zkSync verifier and circuit code receives independent audits (OpenZeppelin, Spearbit, Code4rena, ChainLight published findings including a 2023 ZK-EVM soundness bug), but no machine-checked formal proofs of cryptographic primitives are published; Boojum and Airbender circuit security relies on academic FRI/STARK literature plus internal review. constant_time: standard Rust implementations (era-boojum, zksync-airbender) without dudect / Formosa-grade attestation. library_provenance: matter-labs/era-boojum (archived; succeeded by zksync-crypto), matter-labs/zksync-airbender (MIT). Cryptanalytic_tier: Tier 1 for ECDSA secp256k1; Tier 2 for Keccak-256 / Blake2s / Blake3; Tier 4 for Poseidon.

zkSync Era TVL is approximately $0.16–$0.30B as of Q1 2026 per L2BEAT. EOAs use ECDSA secp256k1; smart accounts likewise default to ECDSA validators in widely deployed wallets. Public keys are revealed on first signed transaction. All actively used balances are exposed to Shor-class forgery once a CRQC exists. Native AA does enable per-account migration to alternative signature schemes once a verifier contract exists, but no PQ verifier is shipped or live today.

zkSync Era live since 2023-03-24 (~37 months). Bridge contract balances, dormant accounts, and treasury holdings sit at ECDSA-derived addresses. As with Ethereum, the address is Keccak-256(pubkey)[12:32] so the pubkey is not directly revealed by the address, but any prior outbound transaction exposed it. ZKsync Lite shutdown on 2026-05-04 forces Lite users to migrate or withdraw, partially compressing the dormant surface but not eliminating it for Era.

Historical user ECDSA signatures, sequencer batch commitments, and the FFLONK-on-BN254 final-proof signatures recorded on Ethereum L1 are all Shor-forgeable post-CRQC. No retro-signing, freeze-window, or PQ-wrapping mechanism for historical state-root attestations is documented.

Public RPC endpoints (Matter Labs, Alchemy, QuickNode, Ankr, Chainstack) and validator/sequencer gossip use standard TLS 1.3 (X25519/P-256 ECDHE + AES-GCM). No hybrid PQ KEM is documented at any zkSync transport layer. The rollup itself publishes state diffs as Ethereum calldata or blobs (public), so consensus material is not HNDL-vulnerable; HNDL surface is the operator-side TLS.

Transparent EVM-style ledger; full transaction graph is public via block explorers. Pseudonymous addresses only.

Sequencing is performed by a single Matter Labs sequencer (whitelisted proposer per L2BEAT). Public RPC concentrated among Matter Labs RPC, Alchemy, QuickNode, Ankr, Chainstack. No public mempool, transactions are sent to the sequencer and only become observable when committed in a batch on L1. Validator metadata retention as a formal published policy is not declared.

Canonical bridge produces direct L1↔L2 linkage observable on Ethereum. Third-party bridges (LayerZero, Across, Stargate, Synapse) and Elastic Network interop (v29 messaging upgrade 2025-10-06; v31 in audit) make cross-chain hops traceable via passive observation.

No shielded pools natively on zkSync Era. The Prividium privacy stack (institutional, deployed 2026 Q1) is a separate Elastic Network chain rather than a feature of Era itself. Era's pseudonymity has the standard property: Shor on secp256k1 enables key recovery from any revealed pubkey, retroactively linking historical activity if any off-chain identity binding exists.

No protocol-level mixer integrated into zkSync Era.

Two independent forms of production crypto-agility. (1) Native account abstraction from genesis: every account is a smart contract that can implement custom signature validation. The chain natively supports ecrecover, EIP-1271, and the P256Verify precompile for secp256r1 / WebAuthn, multiple non-ECDSA validators are already in production. A PQ verifier (ML-DSA, Falcon, SLH-DSA) could be added as a custom Solidity/Yul validator without any protocol fork. (2) The proof system has been migrated once already, from PLONK-on-BN254 (legacy) to Boojum 1.0 (FRI inner + FFLONK wrapper) on protocol version v27, and is migrating again to Airbender (Atlas upgrade, late 2025), demonstrating end-to-end prover-stack swap discipline.

Strongest native AA story of any production EVM-compatible chain alongside Starknet. Smart Accounts are fully programmable; signature schemes, multi-sig, spending limits, and paymaster sponsorship are first-class. Key rotation is a contract-level operation. Documented client-layer PQ migration path is not published. Score 16 reflects strong AA + partial client-layer narrative through Airbender's PQ inner proof and Prividium's pluggable interop.

Multiple coordinated upgrades without contested forks: Boojum activation (2023-07-17), v24 prover upgrade, v27 (legacy prover stack removed), v29 interop messaging (2025-10-06), v29.3/v29.4 patch upgrades (Q1 2026), Atlas upgrade introducing Airbender + new sequencer (late 2025), v31 interop in audit. Governance flows through ZK Nation governor on Era itself with token-holder voting, Security Council and Guardians, plus Emergency Upgrade Board (3/3 multisig).

Hybrid deployment is architecturally trivial via native AA, a smart account can validate both an ECDSA and a PQ signature, including AND-composition (require both) or OR-composition (accept either). No public reference implementation, audit, or testnet of such a hybrid validator is documented. Airbender PQ-safe inner proof is itself a single-family pure replacement at the proof-soundness layer, not a hybrid. Architecturally ready, formally undeclared.

zkSync Era does not use any stateful hash signature scheme (no XMSS, LMS, leanXMSS) at user, sequencer, or settlement layers. Stateless schemes only.

zkSync Era has no BLS-aggregation-based BFT consensus at L2; sequencing is a single whitelisted Matter Labs operator and settlement reuses Ethereum L1 finality. The chain's L2 consensus is not a BFT committee with aggregated PQ signatures, so 4f is N/A; rendered as 0 with N/A flag rather than penalized.

Mainnet PQC %: ~0% at user signature layer; non-zero at proof-soundness inner layer (Airbender FRI/STARK is 'post-quantum proof' per Matter Labs Q1 2026 deliverables). Zero PQ user signatures observed on mainnet. The Airbender inner proof generation is hash-based (Blake2s/Blake3 + FRI over Mersenne31) and runs in production via the Atlas upgrade, but the on-chain proof verifier on Ethereum L1 is FFLONK-on-BN254 (Shor-vulnerable). The PQ surface is therefore real but partial.

matter-labs/zksync-airbender (MIT, public) is shipped, audited, and running in production, STARK/FRI hash-based primitives (Blake2s, Blake3, Mersenne31 field arithmetic) are present in the most-used prover stack. matter-labs/era-boojum likewise ships hash-based FRI in legacy production. No ML-DSA, Falcon, SLH-DSA, XMSS code is merged in the user-facing zksync-era client. Partial credit for proof-side PQ code, no credit for signature-side.

Matter Labs operates a single sequencer with a classical ECDSA L1 batch-poster key. ZKnomics Staking Pilot Season 1 with 300M+ ZK staked is described as 'laying the technical groundwork for a future decentralized sequencer'. No validator/sequencer holds a PQ signing key today.

VOIDED to 0 per v3.1 rule (5a effectively zero at user signature layer, well below the 20% threshold). The 2026 roadmap exists but does not name dated, enforcement-mechanism-backed PQ-signature milestones (no 'Era v32 will activate ML-DSA on date X' governance proposal exists at ZK Nation). Airbender's PQ-readiness is claimed as a property today, not a future milestone with deadline.

Ratio: ~2.0. Announced PQ surface (trailing 12 months): Airbender '100% post-quantum proof' (Q1 2026 deliverables, mirror.xyz launch post, multiple X posts), Airbender main marketing page 'resilient against quantum threats', Boojum framed historically as 'post-quantum path.' Shipped PQ surface: Airbender FRI/STARK inner proof in production (real); FFLONK-on-BN254 on-chain wrapper (not PQ); zero PQ user signatures (not PQ). The '100% post-quantum proof' framing applies to the inner-layer prover, not to end-to-end on-chain verification, and the marketing copy does not consistently distinguish.

No PQ signature scheme deployed → no measured per-block PQ footprint to publish. Architecturally, native AA gives smart accounts complete control over the validator contract, so a Falcon-512 (~10–11× ECDSA), ML-DSA-44 (~38× ECDSA raw), or SLH-DSA-128s (~110–125× ECDSA) validator can be deployed per-account without protocol changes. Calldata cost on Ethereum settlement bounds the per-tx PQ footprint, and AA paymasters can sponsor that cost. Awarded 10/20 reflecting '5–10× expected for Falcon-style with AA-validator amortization, undeclared in formal specification.'

Top-3 zkSync Era wallets (MetaMask + Snap, Rabby, Safe, plus native AA wallets like Argent and Clave) have no published PQC roadmap as of 2026-05-01. WebAuthn / passkey support exists (P256Verify precompile), useful for UX but not PQ.

Top-3 (Canonical Era bridge, LayerZero, Across), no published PQC roadmap. LayerZero's classical-ECDSA / Ed25519 oracle and relayer architecture remains. Elastic Network Hyperbridges and the v31 interop upgrade do not specify PQ primitives.

Top-3 (BitGo via Q1 2026 Prividium partnership, Coinbase Custody, Anchorage). BitGo's MPC custody architecture is structurally amenable to PQ retrofitting (key-shares can be regenerated under a PQ scheme). No public PQC roadmap from any of these custodians as a formal commitment. Awarded 5 to reflect the BitGo-Prividium institutional partnership creating concentration on a custodian with a regulated-finance posture.

Matter Labs RPC, Alchemy, QuickNode, Ankr, Chainstack, no published PQC roadmap. HSMs used for batch-poster keys (Ledger, AWS KMS, Thales) operate under classical ECDSA. No TEE attestation chain integration documented for zkSync Era.

L2 sequencing is a single Matter Labs sequencer (Nakamoto coefficient = 1 for L2 sequencing). L1 settlement inherits Ethereum's distribution. ZK token governance has ~1.13B ZK active voting power and ZKnomics Staking Pilot at 300M+ ZK staked, but this governs upgrades, not real-time consensus.

Multiple coordinated protocol upgrades shipped under industry-watch conditions: Boojum activation (2023), v27 prover swap, v29 interop messaging (2025-10-06), Atlas / Airbender (late 2025), v29.3/v29.4 patches (Q1 2026), v31 in audit. Established standard path (~10-day governance) and emergency path (3/3 multisig). No contested fork.

Matter Labs (Alex Gluchowski as CEO/founder, public-facing) plus the ZK Nation governance system (Token Assembly, Security Council, Guardians). Dedicated PQ working group or named PQ-cryptography lead is not publicly identified at zkSync, Airbender is presented as a Matter Labs prover team output without a named PQ-migration WG mandate.

No documented adversarial-pressure cryptographic upgrade; Boojum and Airbender migrations were planned, not adversarial. Sequencer outages (notably 2024 multi-hour halt) tested operational coordination but not cryptographic-change coordination under attack.

No published canary, honeypot, or rate-limited spending rule for cryptographic-break detection at zkSync Era.