TzEL is an experimental Tezos smart rollup for private, post-quantum transactions. It replaces elliptic-curve cryptography with hashes, ML-KEM, and STARK proofs.
Quantum computers capable of breaking elliptic curve cryptography are no longer a theoretical concern. Google's Willow chip crossed the quantum error correction threshold in 2024, demonstrated a 13,000x speedup over the fastest supercomputer in 2025, and in March 2026 Google accelerated its own post-quantum migration deadline to 2029, citing "store now, decrypt later" as a primary driver. NIST finalized post-quantum standards in 2024. The NSA requires all national security systems to migrate by 2035.
Every deployed privacy protocol—Zcash, Aztec, Penumbra—relies on elliptic curves for note encryption, key agreement, or signatures. When those curves break, the transaction graphs will be fully exposed retroactively.
Adversaries can collect encrypted blockchain data today and hold it for future decryption, a "harvest now, decrypt later" threat U.S. agencies have already warned about.
For financial privacy, that risk does not expire. If quantum computers break the cryptography protecting Zcash, anyone who knows your shielded address could later recover sensitive details from payments sent to you, including amounts and memos.
TzEL is still R&D code and not suitable for real value. It already runs as a Tezos smart rollup on Shadownet, with proof-bearing shield and private-send transactions going through the DAL.
Today there is a real testnet path from wallet to rollup execution, not just isolated proofs or local demos.
TzEL runs as a Tezos smart rollup. Shielded transactions carry STARK proofs, and those proofs are large enough that Tezos's data availability layer is a natural place to post them.
TzEL does not add a post-quantum wrapper around a curve-based privacy system. It removes elliptic curves from the privacy stack entirely: BLAKE2s for hashing, ML-KEM-768 for encryption, hash-based one-time signatures for spend authorization, and STARKs for proofs.
Fund safety relies on hash collision resistance and STARK soundness. Note confidentiality relies on ML-KEM (NIST FIPS 203) and authenticated encryption. No component depends on the hardness of discrete log or factoring.
TzEL separates spending authority from proving. A wallet authorizes a transaction locally with a hash-based signature, while proof generation can run on a larger machine.
The signature is checked inside the STARK itself. An untrusted prover can help produce the proof, but it cannot change the transaction or gain spend authority.
That makes the system easier to operate: wallets stay small, proving can be delegated, and the rollup still verifies the exact transaction the wallet approved.
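The split between spend authority and proving can be illustrated with a Lamport one-time signature built on BLAKE2s. This is an added example, not TzEL's code: the page does not name its hash-based signature scheme, so Lamport is an assumed stand-in, the transaction bytes are constructed, and verification runs here as plain Python rather than inside a STARK.

```python
import hashlib
import secrets

N = 256  # bits in a BLAKE2s digest; one secret pair per bit


def H(data: bytes) -> bytes:
    return hashlib.blake2s(data).digest()


def keygen():
    """Return (secret_key, public_key), each a list of N pairs of 32-byte values."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    # Hash the message, then expand the digest into its 256 bits (MSB first).
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal one preimage per digest bit. A key pair must sign only one message."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Check every revealed preimage against the public key half selected by msg."""
    if len(sig) != N:
        return False
    ok = True
    for i, b in enumerate(_bits(msg)):
        ok &= secrets.compare_digest(H(sig[i]), pk[i][b])
    return ok


def demo():
    sk, pk = keygen()                      # stays in the wallet
    tx = b"constructed sample: send 5 from note A to address B"
    sig = sign(sk, tx)
    # The delegated prover is handed (tx, sig, pk) and never sees sk.
    tampered = b"constructed sample: send 5 from note A to address C"
    return verify(pk, tx, sig), verify(pk, tampered, sig)


if __name__ == "__main__":
    print(demo())
```

Because the signature only reveals the preimages selected by the approved transaction's digest, a prover holding `(tx, sig, pk)` cannot produce a valid signature for different transaction bytes.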
TzEL separates detection, viewing, and spending. Detection material can flag likely incoming notes. Viewing material can validate and decrypt them. Spending authority stays separate.
That makes a contained watch-only service possible: a delegated scanner can follow the chain and report incoming activity without being able to move funds.