Monero is the only chain where a slow quantum arrival is still a catastrophe. Every ring signature since 2014 is Ed25519, every stealth address is ECDH, every amount is a Pedersen commitment. When Shor lands, the privacy of an eleven-year chain unwinds backwards, not forwards.
Summary
Monero is the hardest case in this batch. Every privacy primitive is ECC-based: CLSAG ring signatures over Ed25519, Pedersen commitments on Ed25519, stealth addresses via ECDH, Bulletproofs+ range proofs. A future Shor-capable adversary retroactively de-anonymizes every transaction since 2014 — sender, recipient, amount. This is the single worst retroactive-deanon scenario in the 25-chain batch. Offsetting: Monero has the STRONGEST migration architecture in the batch — aggressive hardfork cadence (RingCT, Bulletproofs, CLSAG, Bulletproofs+ all successful), CCS-funded PQC ring signature research (Raptor, MatRiCT+), and an active Monero Research Lab culture. Band 3 Intentional reflects the research pipeline + hardfork capability but no deployed PQC. Privacy-L2 weight profile amplifies the Dimension 3 weight (30%) to reflect that retroactive deanon is the core quantum risk for Monero.
What the gates say
- Hybrid: FAIL. No hybrid plan on file.
- Evidence: PASS. Sources reconstructable by third party.
- Primitive naming: PASS. Named primitives at every scored sub-level.
Burn-vs-rescue policy on file
undeclared
Seven dimensions
Each dimension scores 0-100 internally; the weighted roll-up produces the QRI on the left. Open a row to read the sub-score detail.
1 Cryptographic Exposure 25 / 100
Entire Monero privacy stack is Ed25519/Curve25519-based.
CLSAG ring signatures over Ed25519 (Curve25519) · Pedersen commitments (Ed25519) for amount hiding · Stealth addresses via ECDH (Ed25519) · RandomX (PoW mining, ASIC-resistant) · Keccak-256 (block/tx hashing) · Bulletproofs+ (range proofs, Ed25519)ECC-only. No PQC family deployed in production.
No NIST PQC primitives deployed
2 HNDL Exposure 6 / 100
Catastrophic HNDL exposure: every XMR transaction in the chain (since 2014) uses ECC primitives. Shor break retroactively de-anonymizes ALL historical privacy-preserving tx.
11+ years of cold keys. Every historical ring signature forgeable under Shor.
CLSAG ring signatures persist on the Monero chain permanently — all retroactively Shor-breakable.
Stealth addresses + Pedersen commitments ALL ECC-based. Shor-break reveals amount + recipient retroactively for every historical tx.
3 Metadata & Privacy Exposure 45 / 100
Ring signatures + stealth addresses + Pedersen commitments currently hide sender, recipient, and amount. Post-Shor: ALL three privacy layers break retroactively.
Pool concentration in RandomX mining. Seed nodes distributed but fewer than BTC. Dandelion++ limits mempool correlation.
Minimal bridge surface (CEX deposits/withdrawals primary). Bridge correlation lower than most chains.
CRITICAL: Monero is the highest-stakes retroactive-deanon scenario in blockchain. A future Shor-capable adversary could retroactively deanonymize every historical XMR transaction, exposing all historical ring-sig senders, stealth-addr recipients, and Pedersen-committed amounts. Entire privacy thesis evaporates retroactively.
4 Migration Architecture 35 / 100
Monero has a coordinator-free hard-fork discipline (every ~6 months historically). Proven ability to upgrade crypto primitives (RingCT → CLSAG; Bulletproofs → Bulletproofs+).
No native AA. Subaddresses + view keys provide some rotation primitive but not full AA.
Monero has the most aggressive hard-fork cadence in this batch. RingCT (2017), Bulletproofs (2018), CLSAG (2020), Bulletproofs+ (2022) all required coordinated hard forks and were executed successfully.
CCS-funded PQC research (Raptor/MatRiCT+/GLYPH) explores PQ ring signatures and lattice-based primitives. No production deployment yet, but research pipeline is the strongest in this batch.
5 Deployment Execution 8 / 100
No NIST PQC in production despite active research.
no PQC in monero-project code
PoW, no validator set
Research-level milestones, no dated production schedule.
Monero community is unusually clear-eyed about ECC vulnerability. 'Privacy is not retroactively quantum-safe' messaging exists. Low washing.
6 Supply Chain Vendor Readiness 10 / 100
Open-source wallets aligned with MRL research.
Many exchanges have delisted XMR.
7 Governance & Coordination 55 / 100
PoW RandomX ASIC-resistant. Pool concentration moderate. No premine, no foundation control.
Monero has the strongest hard-fork coordination track record in this batch. 6-month hardfork cadence historically. Successfully executed multiple core-crypto changes (RingCT, Bulletproofs, CLSAG, Bulletproofs+).
Monero Research Lab (Sarang Noether, Surae Noether, koe, etc.). Community Crowdfunding System (CCS) funds research. No named 'PQC lead' but research culture is strongest in batch.
Handled ASICMiner attacks, responded to ring-size attacks, handled Bulletproofs critical vulnerability disclosure + hardfork. Demonstrated ability to coordinate under security pressure.
The X + Y vs Z inequality
X (data shelf life): 20+ (privacy retroactive-deanon risk extends indefinitely backward over 11+ years of chain history)
Y (migration time): 6-10 (strongest research pipeline + fastest hard-fork cadence in batch)
Z10 (10% CRQC year): 2036 · Z50 (50%): 2041
Verdict: X+Y > Z (danger).
Four-scenario grid
| Scenario | Value preserved | Privacy preserved |
|---|---|---|
| quantum never | 100% | 100% |
| arrives suddenly pre migration | 30% | 0% |
| arrives slowly post migration | 85% | 30% |
| arrives slowly mid migration | 55% | 10% |
Peers in the privacy-L2 profile
Order-book view of the 5 chains closest to Monero by QRI.
Public artifacts used for this scorecard
Each entry below is a sub-score citation. Clicking the link takes you to the public source. A third party should be able to reconstruct every number on this page from these URLs in 48 hours.
Entire Monero privacy stack is Ed25519/Curve25519-based.
Supply chain snapshot
A chain's supply chain cannot migrate faster than its slowest dependency. Zero PQC roadmaps in any of the four categories is a structural blocker, not a lagging indicator.
Analyst notes on the scoring
Dimension 3 (Privacy Exposure) is weighted 30% for privacy-L2 profile, reflecting that retroactive deanonymization is Monero's primary quantum risk. HNDL score is near-floor (6/100) because every historical tx is Shor-exposed — no defense-in-depth. Migration architecture is near-ceiling for this batch because of the research pipeline + hardfork cadence. PQC-washing risk is LOW here — the Monero community is clear-eyed about the retroactive vulnerability. Seraphis and Jamtis (next-gen Monero protocol proposals) incorporate PQ considerations but aren't yet production-bound.
Scorecard metadata
- Profile: privacy-L2
- Scored: 2026-04-18 by
layerqu-v2-scoring-agent-3 - v1 reference:
chainscreen-v1-archive - QRI raw: 28 · after caps: 28
- Confidence interval: ±10
- PQC washing ratio: 1.3x
- Burn-vs-rescue: undeclared
Caps triggered
- Mosca (5a<20% → QRI max 60)
- Sutor (5d count=2 — Migration Stage max 2, borderline 3)
- Casado (3+ vendor tiles pqc=0 → migration_stage max 3)
- Hybrid gate FAIL → QRI cap 60