blockchain network
Filecoin FIL
Filecoin's production cryptography is entirely classical with no post-quantum protection across any critical layer. Spend authorization uses ECDSA (secp256k1) and BLS (BLS12-381) signatures. Consensus relies on BLS block/ticket signatures and Drand BLS threshold randomness. Most critically, the network's core value proposition—verifiable storage via Proof of Replication (PoRep) and Proof of Spacetime (PoSt)—depends on Groth16 zk-SNARKs over BLS12-381 pairings, which a quantum adversary could forge to falsely claim storage rewards or corrupt consensus. Protocol Labs' CryptoNet funded research into lattice-based PQ-SNARKs (2022) demonstrates awareness, but no formal quantum risk assessment, FIP, migration roadmap, prototype, or testnet exists. All address types (f1/secp256k1, f3/BLS, f410/FEVM-secp256k1) remain quantum-vulnerable. The project has not published the minimum required assessment artifacts (Stage 0), and every critical cryptographic layer remains quantum-vulnerable with no mitigation in production. The QRI Score is 2/100, reflecting that while some minimal research acknowledgment exists, there is no formal inventory, threat model, or migration plan.
Not AssessedECC/BLS-Only ProductionResearch Acknowledgment OnlyClassical-Only
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
0 / 20
Migration Mechanism, Governance & Ecosystem Coordination
0 / 15
Migration Status & Value-at-Risk
1 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
0.5 / 5
Critical Quantum Blockers
- Active production spend authorization remains entirely ECC/BLS-only (secp256k1 for f1/f410 addresses, BLS12-381 for f3 addresses) with no PQC or hybrid-PQC path available.
- Storage proofs (PoRep and PoSt) rely on Groth16 zk-SNARKs over BLS12-381 pairings; a quantum adversary could forge storage proofs, breaking the network's economic model and consensus integrity.
- Consensus-critical authentication (block signing, ticket signing, Drand randomness beacon) uses BLS12-381 threshold signatures with no PQC alternative.
- No public migration roadmap, FIP, prototype, or testnet exists for any post-quantum migration across any critical layer.
- Quantum attack can plausibly break supply integrity, state binding, or asset ownership in a critical layer (via forged storage proofs).
Key Risks
- Quantum-enabled storage proof forgery: A quantum adversary could forge Groth16 proofs over BLS12-381, allowing them to claim storage rewards without actually storing data, breaking the network's economic model and data integrity guarantees.
- Quantum-enabled spend authorization compromise: All FIL holdings in f1 (secp256k1), f3 (BLS), and f410 (FEVM secp256k1) addresses are vulnerable to Shor's algorithm key recovery from exposed public keys, enabling theft of all on-chain value.
- Quantum-enabled consensus takeover: BLS12-381 block and ticket signatures could be forged, allowing a quantum adversary to produce fraudulent blocks and compromise chain finality.
- Quantum-enabled randomness manipulation: The Drand BLS threshold randomness beacon could be compromised, enabling grinding attacks on leader election and WindowPoSt/ProveCommit verification.
- No migration path exists: There is no FIP, roadmap, prototype, or governance process for migrating any critical layer to post-quantum cryptography, leaving the network entirely exposed with no announced remediation timeline.
- Long-exposure public key risk: Reused f1/f3 addresses and transacted f410 EOAs have publicly exposed keys that can be attacked offline with no time constraint.
- Deep architectural dependency: The Groth16+BLS12-381 proof system is embedded in the protocol's trusted setup, on-chain verification gas schedule, and storage provider hardware requirements; migration would require a comprehensive re-architecture of the proving subsystem.
Assurance Notes
- Classical cryptographic audits exist (NCC Group 2020 on Bellman/BLS, Sigma Prime 2020 on PoRep/PoSt, SnarkPack 2021, Oak Security 2023 on FEVM) but all are stale (2020-2023) and none cover post-quantum cryptography or quantum migration readiness.
- Protocol Labs' CryptoNet funded research into lattice-based post-quantum SNARKs (2022), demonstrating awareness of the quantum threat to pairing-based proofs, but no production deployment, formal FIP, or migration roadmap has resulted from this research.
- No Filecoin Improvement Proposal (FIP) addresses post-quantum cryptography, quantum-resistant signatures, or migration from ECC/BLS primitives as of the evaluation date.
- Filecoin's architecture is deeply intertwined with quantum-vulnerable cryptography across all critical layers: spend authorization (secp256k1 + BLS12-381), consensus (BLS block/ticket signatures), randomness (Drand BLS threshold signatures), and storage proofs (Groth16 over BLS12-381 pairings). Migration would require fundamental protocol changes.
- The FEVM (Filecoin Ethereum Virtual Machine) introduces additional secp256k1 exposure through f410 Ethereum-compatible addresses, compounding the classical signature surface.
- The LayerQu third-party scorecard (accessed June 2026) rates Filecoin as Migration Stage 0 (Unaware/Unannounced), QRI 17/100, Crisis Zone.
Non-Scoring Caveats
- Classical audits (2020-2023) are stale but confirm the current classical-only design; no PQC-specific audit exists.
- Protocol Labs' CryptoNet PQ-SNARK research (2022) has not produced any production-ready output or formal migration proposal.
- The massive scale of Filecoin's daily SNARK verification (millions of proofs) would create significant performance challenges for any future PQ-SNARK migration.
- Exact prevalence of long-exposure public keys (reused f1/f3 addresses, transacted f410 EOAs) is not quantified in primary sources reviewed.
- Future protocol upgrades from one PQ-secure design to another are not relevant to the current evaluation since no PQ production system exists.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory of critical public-key mechanisms and public quantum threat model
Claim: Filecoin has not published a cryptographic inventory or quantum threat model for its production cryptography.
Coverage basis: Absence of evidence across all primary sources
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No public cryptographic inventory or quantum threat model exists
Assurance: Searches of the Filecoin spec, FIPs repository, and official communications yielded no quantum-specific cryptographic inventory, threat model, or risk assessment. The absence is confirmed with high confidence.
The cryptonet.org (2022 Q3) post mentions Protocol Labs funding research into lattice-based post-quantum SNARKs. This is a research acknowledgment, not a formal inventory or threat model for Filecoin's production system.
Security Assessment & Evidence Preparedness
Public evidence record supporting the assessment
Claim: Protocol Labs' CryptoNet has acknowledged quantum threat to SNARKs and funded lattice-based PQ SNARK research. Filecoin's classical crypto is well-documented in specs and open-source code.
Coverage basis: Research funding acknowledgment and public code/spec documentation
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: none · Score treatment: note-only
Assurance: The cryptonet.org research funding is a substantiated public statement from Protocol Labs. However, it falls far short of a formal evidence record supporting a quantum-specific assessment of Filecoin's production cryptography.
Scored at 0.25 (public design/research plan) because a minimal research-level acknowledgment exists via the CryptoNet post, but no structured evidence record, code references for quantum risk, transaction examples, or reproducible analytics specific to quantum vulnerability have been published.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: Filecoin uses ECDSA (secp256k1, signature type 1) and BLS (BLS12-381, signature type 2) for all transaction signatures. FEVM delegated signatures also use secp256k1.
Coverage basis: ECC/BLS-only; no PQC or hybrid support
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Active production spend authorization remains entirely ECC/BLS-only with no PQC path.
Assurance: Confirmed from official Filecoin spec, address-type documentation, and FIP-0055 (FEVM delegated signatures). All signature paths use secp256k1 or BLS12-381 exclusively.
Address types f1 (secp256k1), f3 (BLS12-381), and f410 (secp256k1 Ethereum-compatible) cover all user-facing and contract-facing accounts. No PQ or hybrid signature type exists.
Production Cryptographic Protection
Account, address, public-key exposure, and key-derivation design
Claim: All Filecoin address types expose ECC/BLS public keys. f1 addresses expose secp256k1 public keys on first spend. f3 addresses expose BLS public keys. f410 addresses expose secp256k1 keys.
Coverage basis: All address types are quantum-vulnerable; long-exposure risk exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All address types expose quantum-vulnerable ECC/BLS public keys with no PQ key-derivation or migration path
Assurance: Address-type documentation is unambiguous: f1 = secp256k1, f3 = BLS12-381, f410 = secp256k1. No PQ address type or hybrid key-derivation scheme exists.
Long-exposure risk: f3 (BLS) and f1 (secp256k1) public keys are visible on-chain and can be attacked offline once a CRQC exists. No address-rotation mechanism or PQ key-derivation path is available.
Production Cryptographic Protection
Consensus-critical authentication (validator signatures, VRFs, randomness, threshold signatures, block certificates)
Claim: Filecoin uses BLS signatures over BLS12-381 for block/ticket signing, F3/GossiPBFT finality certificates, and Drand randomness beacon threshold signatures.
Coverage basis: All consensus authentication is BLS-only (BLS12-381)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Consensus finality and randomness depend on quantum-vulnerable BLS12-381 signatures.
Assurance: FIP-0086 specifies BLS signatures for GossiPBFT messages and finality certificates. FIP-0063 details Drand quicknet using BLS12-381. The filecoin-f3-blssig crate implements BLS12-381 with BDN aggregation.
A quantum break of BLS12-381 would allow forging finality certificates (≥⅔ QAP threshold) and manipulating the Drand randomness beacon, compromising both fast finality and leader election.
Production Cryptographic Protection
State-integrity and data-availability mechanisms (commitments, nullifiers, KZG/pairing commitments, bridge verification)
Claim: Filecoin's PoRep and PoSt storage proofs use Groth16 zk-SNARKs over BLS12-381 pairings, verified millions of times daily on mainnet.
Coverage basis: PoRep/PoSt proofs depend on quantum-vulnerable BLS12-381 pairings
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Quantum attack can plausibly break supply integrity and state binding via forged storage proofs.
Assurance: Confirmed from the Filecoin spec (SDR PoRep, PoSt sections), the SnarkPack research publication, and the rust-fil-proofs codebase. The trusted setup for Groth16 parameters is documented in the phase2-attestations repository.
This is arguably Filecoin's most critical quantum vulnerability. A quantum adversary could forge proofs of replication and spacetime, claiming to store data they do not possess, collecting block rewards and undermining the entire storage-proving economic model.
Production Cryptographic Protection
Privacy and proof layers (ZK proof assumptions, note encryption, viewing keys)
Claim: Filecoin uses Groth16 zk-SNARKs over BLS12-381 pairings for all storage proofs. The proof system is pairing-based and quantum-vulnerable. Filecoin has no shielded privacy layer.
Coverage basis: ZK proof layer is quantum-vulnerable (Groth16 over BLS12-381)
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Groth16 proof system over BLS12-381 pairings is quantum-vulnerable at the proof-assumption level
Assurance: The Groth16 proving system is well-documented in the Filecoin spec and code. It requires a BLS12-381 pairing check for verification. Quantum attacks on pairings would break soundness.
Filecoin does not have a separate privacy layer (no shielded pools, stealth addresses, or note encryption). The proof-layer vulnerability is covered under the state-integrity subfactor; this subfactor captures the pairing-based ZK assumption risk.
Production Cryptographic Protection
P2P transport, node identity, and peer authentication
Claim: Filecoin nodes use classical cryptographic mechanisms (libp2p with standard key exchange) for P2P transport and peer identity.
Coverage basis: Classical P2P cryptography; no PQC
Implementation score: 0 · Evidence confidence: Medium
Issue classification: operational/product caveat · Score treatment: score-reducing
Assurance: P2P transport is not the most critical layer for Filecoin's quantum risk, as asset ownership and consensus integrity depend on higher layers. However, node identity compromise could enable eclipse or Sybil attacks that interact with consensus vulnerabilities.
While P2P is classified as quantum-critical vulnerability, its practical severity is lower than the consensus and storage-proof layers. No specific P2P-PQC documentation or implementation was found.
Production Cryptographic Protection
Critical wallet, custody, HSM, signer, and hardware-wallet workflows
Claim: No evidence of PQ wallet, custody, HSM, or hardware-wallet support for Filecoin.
Coverage basis: No PQ wallet or custody path exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No PQ wallet, custody, or HSM workflow exists for FIL
Assurance: The absence of PQ wallet/custody support is confirmed with high confidence because no PQ signature types exist for Filecoin accounts. Wallets cannot support a PQ path that the protocol does not provide.
This subfactor is downstream of the protocol's lack of PQ signature support. Even if wallets wanted to implement PQ signing, the protocol has no PQ account type or signature validation path.
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: 0% of Filecoin's value-at-risk is protected from quantum attacks. All FIL in all account types (f1, f3, f410) and all storage-provider collateral is quantum-vulnerable.
Coverage basis: 0% protected; all value is in ECC/BLS accounts
Implementation score: 0.05 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, burn, recovery, or policy path.
Assurance: Since the protocol supports only ECC/BLS account types and has no PQC address format, all FIL value is quantum-vulnerable by construction. Coverage threshold <25% applies (implementation score 0.05).
Even if an exact percentage could be computed, it would be 0% because no quantum-safe account type exists. All FIL is held in either secp256k1 or BLS12-381 accounts.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No critical wallets (treasuries, exchanges, custodians, bridges, foundations, major protocols) have migrated to PQ protection because no PQ account type exists.
Coverage basis: Zero critical wallets protected; no PQ account type available
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No critical wallets can migrate because no PQ account type or migration path exists
Assurance: This is a structural consequence of the protocol's lack of PQ support. Critical wallets cannot migrate to protection that does not exist at the protocol level.
Filecoin Foundation, Protocol Labs, exchanges (Coinbase, Binance, etc.), and storage provider operators all hold FIL in quantum-vulnerable accounts with no migration option.
Migration Status & Value-at-Risk
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: No legacy vulnerable accounts have been identified, deprecated, or targeted for migration. No freeze, burn, or deprecation policy exists for quantum-vulnerable accounts.
Coverage basis: No identification or deprecation of vulnerable accounts
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No vulnerable-account identification, deprecation, freeze, or burn policy exists
Assurance: Searches of the FIPs repository and Filecoin documentation yielded no proposals addressing legacy vulnerable account identification, deprecation, freeze, or burn for quantum-migration purposes.
Since all account types are quantum-vulnerable by design, this subfactor captures the complete absence of any mechanism to partition, tag, or deprecate vulnerable accounts in preparation for a future migration.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: No public migration roadmap exists for Filecoin. No FIP addresses PQC migration, signature replacement, or proof-system migration.
Coverage basis: No roadmap; zero migration planning
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No public PQC migration roadmap, FIP, or design document exists
Assurance: Comprehensive search of the FIPs repository (including discussions) for 'quantum', 'post-quantum', 'PQC', 'lattice', 'hash-based', and related terms returned zero relevant results as of June 2026.
The research funding into lattice-based PQ SNARKs (cryptonet.org 2022) is a research activity, not a migration roadmap. No sequencing, activation criteria, dependencies, or timeline has been published.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults: PQ/hybrid account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, and migration prompts
Claim: No PQ account creation, wallet tooling, transaction paths, custody paths, user warnings, or migration prompts exist.
Coverage basis: No migration accessibility or tooling
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No PQ account creation, migration tooling, or user-facing migration path exists
Assurance: Since the protocol has no PQ account type, no downstream tooling can exist. This is a structural gap.
This subfactor covers the entire user-facing migration experience, which is entirely absent. There are no warnings about quantum vulnerability in any official Filecoin wallet or documentation.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination: enforcement mechanisms, exchange/custody/bridge/wallet coordination
Claim: No enforcement mechanisms, coordination with exchanges/custodians/bridges/wallets, or unsafe-path blocking exists for quantum migration.
Coverage basis: No enforcement or coordination mechanisms
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No migration enforcement or ecosystem coordination exists
Assurance: Enforcement mechanisms cannot exist without a migration target. No exchange, custody, bridge, or wallet coordination for quantum migration has been publicly documented.
The filecoin.io and fil.org websites contain no quantum-related security advisories, migration guidance, or coordination announcements.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum-related vulnerabilities
Claim: No quantum-specific disclosure, incident-response, or governance process has been published.
Coverage basis: No quantum-specific emergency process
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: score-reducing
Quantum blocker: No quantum-specific incident-response or governance process exists
Assurance: The fil.org/security page provides general security contact information but contains no quantum-specific disclosure process, incident-response playbook, or emergency governance procedure.
While Filecoin has general security processes, the absence of quantum-specific emergency procedures is a gap given the protocol's total dependence on quantum-vulnerable cryptography.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: Filecoin uses no PQC algorithms in production. All cryptography is classical (secp256k1 ECDSA, BLS12-381 signatures and pairings, Groth16 SNARKs).
Coverage basis: No PQC algorithms used
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: No NIST-standardized or broadly reviewed PQC algorithms are used in production
Assurance: The absence of PQC algorithms is confirmed from the Filecoin spec and all primary source code repositories (blstrs, rust-fil-proofs, lotus). Only classical algorithms are used.
The cryptonet.org research into lattice-based PQ SNARKs has not resulted in any production algorithm selection, FIP, or implementation.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit for quantum-critical scope
Claim: Classical crypto audits exist (NCC Group 2020, Sigma Prime 2020, Oak Security 2023) but no PQC audit exists because no PQC is implemented.
Coverage basis: Classical audits only; no PQC audit scope
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Classical audits are stale (2020–2023) but remain relevant for confirming the classical-only design. They provide no assurance for any future PQC implementation. This is an assurance-only caveat that does not independently reduce the QRI Score.
Scored 0.00 because there is no independent audit of any quantum-safe implementation. The classical audits confirm the quantum-vulnerable design but do not advance quantum readiness.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: Filecoin's cryptographic implementations (blstrs, rust-fil-proofs, lotus) are open-source and publicly buildable, but implement only classical algorithms.
Coverage basis: Open-source classical implementation; no PQ implementation
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: The classical code is well-structured, publicly available, and buildable. This provides a foundation for future PQ implementation but does not constitute PQ readiness.
Scored at 0 because there is no PQC implementation to evaluate. The open-source nature of classical code aids future migration but does not constitute PQC readiness.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path
Claim: No documented parameter agility or upgrade path for replacing cryptographic primitives with PQ alternatives exists.
Coverage basis: No parameter agility or upgrade path documented
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No documented parameter agility or cryptographic upgrade path
Assurance: Filecoin's architecture deeply embeds specific cryptographic choices (BLS12-381, Groth16, SDR parameters) into the protocol, consensus rules, gas schedule, and trusted setup. No FIP or design document describes how these could be replaced or upgraded.
The NI-PoRep upgrade (FIP-0092) demonstrates that proof-system changes are possible through the FIP process, but this was within the same Groth16/BLS12-381 framework. A full PQ migration would require far more fundamental changes.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, state-management, hardware-wallet, HSM, or custody implementation risks
Claim: Filecoin does not use stateful hash-based signatures (XMSS/LMS). No PQC implementation exists to evaluate stateful-signature safety.
Coverage basis: N/A for current production (no PQC implementation)
Implementation score: 0 · Evidence confidence: not applicable
Issue classification: none · Score treatment: not applicable
If Filecoin were to adopt XMSS/LMS in a future PQ migration, this subfactor would become applicable and state-management risks would need to be assessed.
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ signature/verification costs could affect safe deployment
Claim: No public performance or resource-impact analysis exists for deploying PQ signatures or PQ proof systems on Filecoin.
Coverage basis: No PQ performance analysis
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: The scale of Filecoin's proof verification (millions of SNARKs/day) would create significant performance challenges for PQ-SNARK migration. The complete absence of such analysis is a significant gap.
This is scored at 0.00 because no analysis exists. However, per the QRI spec, the absence of a formal performance benchmark is normally a note-only caveat unless resource constraints prevent safe use of PQ controls. Since no PQ controls exist at all, this subfactor is scored on its implementation status (none).
Report metadata