What part of RISC Zero is NOT quantum-safe?

Specifically: the Groth16 compression step used to convert a recursive STARK into a compact on-chain-verifiable SNARK. Groth16 uses bilinear pairings on the BN254 elliptic curve. The security of pairings reduces to the elliptic-curve discrete logarithm problem, which is broken by Shor's algorithm. BN254 also offers only ~120 bits of classical security and ~0 bits of quantum security. The trusted setup ceremony for Groth16 is a separate concern unrelated to PQ exposure.

Why does Groth16 exist if STARKs are already PQ-safe?

For economics, not security. A raw recursive STARK proof is on the order of 100 KB and takes millions of gas to verify on Ethereum L1. Groth16 compresses that down to about 256 bytes and roughly 250,000 gas — under one dollar at typical gas prices. Industry adoption of Groth16 was driven by Ethereum's calldata and verification-gas economics, not because anyone believed STARKs were insecure. Post-quantum safety was a non-priority when those economics were set.

How does verification-result caching change Ethereum verifier economics?

Instead of paying gas to verify a Groth16 pairing on-chain every time, an Ethereum contract accepts an H33-74 attested verification result. The contract verifies a post-quantum signature bundle (three signatures totaling about 21 KB ephemeral, 74 bytes persistent) once and caches the result on-chain by content address. Subsequent verifiers of the same proof read the cached attested result for the cost of a single SLOAD. The signature verification path is also significantly cheaper than a pairing check on most EVM-equivalent rollups, especially when batched.

Is this a replacement for STARK verification or for Groth16 specifically?

Specifically for the Groth16 compression layer. The STARK is still verified — H33 runs the verification using its own independent implementation. What changes is that downstream consumers do not re-verify the STARK and do not verify a Groth16 wrapper on top of it; they verify the H33-74 attestation that asserts the STARK was verified, by whom, when, and with what verifier-identity. The chain of custody is cryptographic, not pairing-based.

What are the deployment modes?

Three. Mode 1: RISC Zero + Groth16 — current Ethereum-optimized deployment, fast and cheap on-chain but not PQ-safe. Mode 2: pure recursive STARK — full PQ-safe verification, but proof sizes and gas costs are high. Mode 3: STARK + Cachee + H33 — PQ-safe, with reusable verification-result caching that amortizes the verification cost across all downstream consumers. Mode 3 is the cleanest path to a PQ-safe deployment without paying the gas penalty of Mode 2.

Where can I read the receipt specification and run an independent verifier?

The H33-74 substrate specification is published at h33.ai/h33-74. The independent verifier — h33-verify — is open-source under Apache-2.0 at github.com/H33ai/h33-verifier. It is a self-contained Rust binary that accepts a receipt, the optional bundle, and the relevant epoch public keys, and either returns PASS or FAIL with a structured JSON report. No network access, no H33 trust assumption beyond SHA3 and the published spec.

Ten primitives. One coherent authority model.

Every primitive is independently verifiable, post-quantum attested, and composable with the others. None of them require trusting H33’s narrative about what happened.

01 · Time-Bound

Authority Expires

Every authority object carries an explicit TTL. After expiration, the receipt corpus refuses to validate further use. No long-lived bearer tokens. No “forgot to rotate” failure mode.

02 · State-Scoped

Bound to Context

An authority is valid only within its declared state: tenant, route, region, environment, dataset. Same secret, used in the wrong state, fails the cryptographic check — not the policy layer.

03 · Computation-Bound

Authorizes One Operation

A signing authority authorizes signing. A charge authority authorizes a charge under specified bounds. Cross-use is mathematically rejected. Leaked authority cannot be repurposed.

04 · Delegation Chains

Least-Privilege Downstream

A service can issue a strictly narrower child authority to a worker, for a single route, for a single request. The chain is cryptographically provable end-to-end. The parent scope dominates — the child cannot exceed it.

05 · Break-Glass

Pre-Scoped Emergency

Emergency authority exists, but it is never unconstrained. Pre-scoped envelope, mandatory multi-party approval, fifteen-minute default TTL, and an automatic review fires the moment it issues. Break-glass is logged before it is used.

06 · Revocation Proofs

Provable Death

Rotation is not enough. Every revocation produces a cryptographic attestation: when the authority died, who killed it, and the receipt corpus refuses every subsequent attempt. Forensic narrative without trust.

07 · Negative Proofs

Provable Non-Use

Prove this authority has not been used at X. Critical after a leak: rather than panicking that a credential is compromised, you cryptographically demonstrate that no unauthorized use occurred in the exposure window.

08 · Continuity

Receipts Outlast Rotations

A receipt issued under JWT_SECRET v1 remains independently verifiable forever, even after v2, v3, v4 replace it. Rotation generates a continuity proof linking generations. Audit trails do not break on rotation — they extend.

09 · Independent Verifier

Don’t Trust Our Narrative

The conformance specification is published. Your auditor, your insurer, your regulator, a competing vendor — any of them can build a verifier that reconstructs any authority decision from the 74-byte receipts alone.

10 · Observe Mode

Policy Simulation

Run H33-Key in shadow before enforcing. Every authority decision is logged with its full receipt, but no upstream call is blocked. See exactly what would have been denied, rotated, scoped, or flagged. Then flip to enforce when you’re ready.

How to Make RISC Zero Fully Post-Quantum Safe

Q: Is RISC Zero post-quantum safe today?

The STARK core of RISC Zero is largely post-quantum friendly. STARKs, FRI, Merkle commitments, recursion, and Fiat-Shamir rely on collision-resistant hash functions and algebraic codes — none of which are broken by Shor's algorithm. The remaining quantum-vulnerable layer is the optional Groth16 compression wrapper used to shrink proofs for on-chain Ethereum verification. Groth16 depends on pairings over BN254, an elliptic curve that Shor's algorithm breaks. To be fully post-quantum safe, a deployment must remove the Groth16/BN254 step or replace it with a PQ-safe equivalent.

Q: What does H33 + Cachee replace Groth16 with?

Reusable verification-result caching. The STARK is verified once. The verification result is cached, attached to a 74-byte H33-74 post-quantum attestation (ML-DSA-65 + FALCON-512 + SPHINCS+-SHA2-128f-simple), and distributed as a portable receipt. Downstream parties — auditors, regulators, on-chain contracts that accept attested results, other counterparties — verify the receipt instead of re-running the STARK or running a Groth16 pairing check. No pairings, no BN254, no trusted setup, no Shor exposure. The verification result is the artifact.

Q: Does this require modifying RISC Zero?

No. The recursive STARK output of RISC Zero is the input. Cachee verifies it once using H33's independent STARK verifier, then attaches the 74-byte H33-74 attestation. The integration point is at the proof boundary, not inside the zkVM. Existing RISC Zero programs run unchanged.

RISC Zero's STARK foundation is already largely post-quantum friendly. The remaining quantum-vulnerable surface is the Groth16/BN254 compression layer used for proof shrinking and on-chain verification on Ethereum.

H33 and Cachee replace that dependency with post-quantum attestation, verification-result caching, and reusable STARK verification infrastructure — without re-architecting the zkVM, without changing the prover, and without paying the gas penalty of running raw recursive STARKs on L1.

Read the H33-74 spec Independent verifier ↗

What is already quantum-safe in RISC Zero?

The STARK core is built on hash-based and algebraic primitives whose security does not reduce to integer factoring or discrete logarithm. Shor's algorithm does not break any of these. Grover's algorithm halves the effective security level of the underlying hash, which is accounted for by choosing 256-bit hash outputs.

STARK

Scalable Transparent Argument of Knowledge. No trusted setup. Security reduces to the collision resistance of the underlying hash function and the soundness of the underlying polynomial commitment, neither of which is broken by quantum algorithms.

PQ Safe

FRI

Fast Reed-Solomon Interactive Oracle Proof of Proximity. Used as the polynomial commitment inside RISC Zero's STARK. Its security relies on the hardness of distinguishing low-degree polynomials from random — an algebraic property, not a number-theoretic one.

PQ Safe

Merkle commitments

Used to commit to evaluation traces and FRI codewords. Security is exactly collision resistance of the underlying hash. With a 256-bit hash output, Grover gives an attacker no better than 2¹²⁸ work to forge — well above the standard 128-bit security floor.

PQ Safe

Recursion

Composing STARK verification inside another STARK circuit. The outer STARK inherits the post-quantum safety of the inner one. No additional non-PQ primitive is introduced by recursion itself.

PQ Safe

Fiat-Shamir transform

Converts interactive protocols into non-interactive ones using a hash function as a random oracle. Provably secure in the random oracle model, which itself is PQ-safe assuming the hash is collision and preimage resistant against quantum adversaries.

PQ Safe

Hash assumptions (SHA-2, SHA-3, Poseidon, BLAKE3)

Symmetric primitives. Grover's algorithm provides a quadratic speedup on preimage and collision attacks, which is mitigated by choosing 256-bit hash outputs. None of these hashes are vulnerable to Shor.

PQ Safe

What is not quantum-safe?

The quantum-vulnerable surface in a typical RISC Zero deployment is the optional compression wrapper applied after the recursive STARK. It is there for Ethereum gas economics, not for cryptographic strength. Below is exactly what breaks under a sufficiently large quantum computer.

Groth16

A pairing-based zkSNARK construction. The recursive STARK is wrapped in a Groth16 proof so that on-chain verification fits in a few hundred bytes of calldata and a few hundred thousand gas. Groth16 security reduces to assumptions over bilinear pairings — broken by Shor.

Vulnerable

BN254 (alt_bn128)

The elliptic curve over which Ethereum's precompiled pairing is computed. Offers roughly 120 bits of classical security and essentially 0 bits of quantum security — Shor's algorithm solves the elliptic-curve discrete logarithm problem in polynomial time.

Vulnerable

Bilinear pairings

The cryptographic primitive Groth16 verification computes on-chain. The security of any pairing-based proof system reduces to a discrete-log-style assumption on the underlying curve. There is no known post-quantum pairing analogue.

Vulnerable

Trusted setup (Powers of Tau)

A separate concern unrelated to quantum security — the universal Powers of Tau ceremony is sound under standard assumptions if at least one participant was honest. Worth flagging because a PQ migration is also a natural moment to retire any setup-dependent construction.

Setup-dependent

Ethereum verifier economics

Not a cryptographic primitive, but the reason Groth16 is in the stack at all. Ethereum L1 calldata, verification gas, and precompile pricing collectively make raw recursive STARK verification economically painful. Industry adoption optimized toward Groth16 compression; PQ safety was not a priority when that optimization was made.

Driver

Why Groth16 exists in the first place

A raw recursive STARK proof is on the order of 100 KB and verifies in millions of EVM gas. That is fine for off-chain or rollup-internal use. It is not fine for an L1 contract that pays gas for every verification. Groth16 was adopted as a compression layer to fit STARK verification into Ethereum's existing economics, not because the STARK itself was inadequate.

The Ethereum-shaped tradeoff

recursive STARK proof → ~100 KB → ~10M+ gas to verify on L1

recursive STARK proof → Groth16 wrap → ~256 bytes → ~250K gas

The compression was the value. Post-quantum exposure was the price.

The price was acceptable when L1 verification economics were the binding constraint. As post-quantum migration timelines tighten — NIST FIPS 203/204/205 standards are final, and federal agencies have published 2030 transition deadlines — that price is no longer acceptable for systems whose receipts must remain verifiable for decades.

Replace compression with reusable verification

If the only reason Groth16 exists is to make verification cheap to re-execute, then a different shape of solution becomes available: do the STARK verification once, attest the result, and reuse the attestation. The compression problem becomes a caching problem — and caches do not need pairings.

Instead of

recursive STARK → Groth16 wrap → on-chain pairing verify

You can do this

recursive STARK → verify once → cache result → attach PQ attestation

PQ-attested receipt → distribute → independent verifier → PASS / FAIL

No pairings. No BN254. No trusted setup. No Shor exposure.

The verification result becomes the artifact, not the compressed proof. Downstream parties — auditors, regulators, on-chain contracts that accept attested results, other counterparties — verify a 74-byte post-quantum signature bundle instead of a pairing equation. The original STARK is still verifiable from first principles if anyone wants to re-run it; the attestation just means most consumers do not need to.

What H33 and Cachee change

The pieces below are the concrete substitution for the Groth16/BN254 step. H33 owns the cryptography. Cachee owns the distribution. Together they replace the compression-and-on-chain-verify path with a verification-result caching path that is fully post-quantum.

H33

Cryptography

Post-quantum attestation across three independent NIST-finalized families: ML-DSA-65 (FIPS 204), FALCON-512, and SPHINCS+-SHA2-128f-simple (FIPS 205)
74-byte H33-74 substrate receipt: 32-byte commitment on-chain plus 42-byte compact receipt referencing the ephemeral signature bundle
Independent verifier: open-source Rust binary (Apache-2.0) that re-derives the verdict offline with no H33 dependency
Replayable verification: every receipt reconstructs to the same canonical PASS/FAIL across any conforming verifier, in any language
Forgery cost: simultaneous break of module lattices, NTRU lattices, and stateless hash signatures — three independent mathematical bets

Cachee

Distribution

Verification-result caching: content-addressed by the SHA3-256 of the canonical verification artifact
Reusable proof verification: downstream consumers fetch the cached attested result instead of re-running the STARK
Portable receipts: 74-byte references travel anywhere — embedded in calldata, attached to API responses, archived alongside operational logs
Distributed verification infrastructure: cache nodes operate independently; no single point of trust between prover and consumer
Cache hit semantics: every retrieval is itself attested, so a cache miss-and-recompute is indistinguishable from a cache hit at the receipt level

PQ-safe deployment modes

Three positions on the post-quantum-safety / on-chain-economics tradeoff. Pick the row that matches your verification horizon.

Mode	Description	PQ Safe
RISC Zero + Groth16	Current Ethereum-optimized deployment. ~256-byte on-chain proof, ~250K gas verification. Pairing-based wrapper exposes the verification path to Shor's algorithm.	No
Pure recursive STARK	Drop the compression layer entirely. Verify the recursive STARK on-chain. Fully PQ-safe end-to-end. Pays the full L1 gas cost (~10M+ gas per verification) and accepts the ~100 KB proof size.	Yes
STARK + Cachee + H33	Verify the recursive STARK once off-chain through H33's independent verifier. Cache the verification result. Attach a 74-byte PQ attestation. Downstream consumers verify the attestation instead of the STARK or Groth16 wrapper — PQ-safe, with on-chain economics that beat the Groth16 wrapper because no pairing is computed.	Yes

What this page is not claiming

RISC Zero is not insecure. Groth16 is not broken today. BN254 is not currently vulnerable on any classical computer. The points above are all about quantum readiness, not present-day security. The reason to migrate is that receipts minted today are expected to remain verifiable for decades, and a sufficiently large quantum computer arriving inside that window would retroactively invalidate every pairing-based verification path. The migration is a long-tail bet, not a vulnerability disclosure.

Related infrastructure

The components that make Mode 3 deployable today.

FAQ

The questions that come up most often when teams evaluate Mode 3 against their existing Groth16-on-Ethereum deployment.

Is RISC Zero post-quantum safe today?

The STARK core is largely post-quantum friendly. The optional Groth16 compression wrapper used to shrink proofs for on-chain Ethereum verification is not — it depends on pairings over BN254, broken by Shor. A fully post-quantum deployment removes or replaces that wrapper.

Does this require modifying RISC Zero?

No. The recursive STARK output is the input to the caching pipeline. The integration point is at the proof boundary, not inside the zkVM. Existing RISC Zero programs run unchanged.

What does the 74-byte receipt actually contain?

32 bytes of on-chain commitment (a SHA3-256 over the canonical substrate) plus 42 bytes of compact receipt referencing the three PQ signature outputs. The full signature bundle is about 21 KB and lives off-chain. Anyone with the bundle and H33's published epoch public keys can independently verify the three signatures with no network access.

How does this change Ethereum verifier gas costs?

Instead of paying gas to verify a pairing every time, an Ethereum contract accepts an H33-74 attested verification result. The signature verification path is cheaper than a pairing check on most EVM-equivalent rollups, especially when batched, and the same attested result can be SLOAD-ed by any subsequent caller.

What hardness assumptions does the PQ path rely on?

Three independent NIST-finalized post-quantum signature schemes — ML-DSA-65 (module lattices), FALCON-512 (NTRU lattices), SPHINCS+-SHA2-128f-simple (stateless hash signatures) — plus SHA3-256 collision resistance and the STARK's underlying hash assumption. Forgery requires simultaneously breaking all three signature families.

Where do I run the independent verifier?

Source: github.com/H33ai/h33-verifier. Apache-2.0. cargo install --git https://github.com/H33ai/h33-verifier gives you the h33-verify binary. No network access at verification time. The conformance spec, KAT vector, and threat model are committed in the repo.

Is Mode 3 production ready?

The H33-74 substrate, the independent verifier, and Cachee are all live today. The integration boundary with RISC Zero is the recursive STARK output; that boundary is stable. The verifier-signed report layer (v0.2) makes every verdict its own attestable artifact; Mode 2 PQ-signature verification of input receipts (v0.3) closes the cryptographic loop.

Quantum-safe receipts that survive the verifier's continued existence.

If your proof is supposed to be verifiable in 2040, the verification path needs to survive a 2030s-era quantum computer. That means no pairings, no BN254, no Shor-vulnerable curve anywhere in the chain of custody. Mode 3 is the cleanest available shape.

Read the H33-74 spec Get the verifier Pricing

Independent verifier: Apache-2.0 · Spec frozen at v1 · Conformance corpus published