Aptos publishes a complete primitive inventory in its developer cryptography reference. Primitives are named with parameter sets and module paths. Groth16 over BN254 is documented for the Keyless feature (AIP-61).

Every signature, KEM-equivalent, and zk-SNARK primitive currently in production is quantum-vulnerable.

0 PQ-safe families deployed. AIP-137 proposes hash-based SLH-DSA-SHA2-128s but the proposal sits in Discussion #640 with no merged code.

No PQ primitive deployed. Proposed SLH-DSA-SHA2-128s would map to NIST Category 1 if accepted. Voided to 0 because no production PQ primitive exists.

Production primitives use blst (BLS12-381) and curve25519-dalek (Ed25519, Ristretto255), both widely-audited, constant-time libraries. Move language has formal-verification tooling (Move Prover); cryptographic primitive wrappers themselves are not machine-verified. No PQ primitive in production.

Aptos accounts expose the authentication key as part of account state. While the auth key is a hash and can be rotated independently of the account address, on first signed transaction the public key is revealed and the address-to-pubkey link becomes public. Mainnet TVL routinely exceeds $1B in stablecoin and DeFi balances.

Mainnet genesis October 2022 (~3.5 years operational by May 2026). Auth-key indirection means dormant accounts that have never signed retain quantum-resistant exposure (auth key is SHA3-256(pubkey | scheme_id)), but any account that has signed even once is exposed. Lower historical surface area than older chains.

All historical Ed25519 signatures and BLS12-381 consensus aggregates are forgeable post-Shor. Random-beacon BLS threshold signatures are also retroactively forgeable. No retroactive proof-of-possession or hash-binding mechanism documented.

Validator gossip and RPC use standard TLS (classical ECDHE/X25519 KEM, RSA/ECDSA cert chains). No documented hybrid PQ KEM deployment on validator transport, RPC endpoints, or bridge relay channels.

Pseudonymous transparent ledger. Move resource model exposes object ownership and balances. No native shielded pool.

Aptos Labs RPC, Nodereal, and Ankr are dominant. Validator infrastructure heavily concentrated on AWS (>33% of stake hosted there per H1 2025 measurement). Mempool gossip observable. No published validator-metadata retention policy.

Primary bridges into Aptos are LayerZero (theaptosbridge.com) and Wormhole. Both observable by passive cross-chain indexers, allowing source-to-destination linking. No privacy bridge in mainstream use.

Aptos Keyless (AIP-61) uses Groth16 over BN254 with OIDC JWTs. Shor on BN254 breaks the Groth16 verifier and the trusted-setup commitments, exposing the OIDC-to-account binding for every Keyless-derived account historically. Same risk applies to BLS12-381-derived randomness beacon outputs.

No protocol-level mixnet or commit-reveal shuffle. Application-layer privacy primitives are limited.

AIP-55 introduced SingleKey and MultiKey containers with scheme identifiers, designed precisely so new signature schemes can be added without breaking existing accounts. Move VM and aptos_std cryptography modules support modular primitive registration. AIP-61 (Keyless) and AIP-75 demonstrate live precedent: new auth schemes have been added without hard-fork disruption.

Authentication-key indirection is the structural advantage. The on-chain account address is fixed at creation; the auth key (a hash binding pubkey + scheme byte) is mutable. account::rotate_authentication_key (proven, requiring signed RotationProofChallenge) and account::rotate_authentication_key_call (unproven, used for non-standard schemes such as passkeys) allow scheme migration without asset transfer. The OriginatingAddress reverse-lookup table preserves recovery. Unmatched among the L1s in this pilot.

Active AIP cadence with on-chain governance. AIP-55, AIP-61, AIP-75, AIP-131 (block-time reduction) all shipped without contested forks within 3 years.

Architectural support exists via MultiKey (AIP-55), which can compose K-of-N over heterogeneous schemes. AIP-137 as drafted is a replacement scheme, an account selects either Ed25519 OR SLH-DSA-SHA2-128s, not a mandatory AND-hybrid. No AIP currently specifies a hybrid Ed25519 AND SLH-DSA composition with commit-to-hash-of-both-pubkeys.

SLH-DSA is a stateless hash-based scheme (FIPS 205). No state-management burden. Default 15 applies.

Aptos uses BLS12-381 multi-signature aggregation in AptosBFT v4 (Jolteon) consensus voting and a BLS threshold scheme for the on-chain randomness beacon. AIP-137 covers account signatures only. No published spec, testnet, or mainnet pilot for a PQ aggregation path at consensus.

0% of mainnet signing traffic uses PQ primitives. AIP-137 has not been activated; no PQ account type is callable on mainnet.

No SLH-DSA implementation merged into aptos-core. Search of the cryptography directory shows ed25519, multi_ed25519, secp256k1_ecdsa, bls12381, ristretto255 modules; no slh_dsa, sphincs, ml_dsa, or ml_kem module.

No validator runs a PQ consensus key. AptosBFT v4 consensus voting and the randomness beacon both use BLS12-381 across the entire validator set (~152 active validators end-Q2 2025).

VOIDED to 0 per v3.1 because 5a = 0. AIP-137 is a single proposal with no enforcement-mechanism-backed dated milestones (no flag day, no mandatory sunset, no on-chain governance vote scheduled).

Announcements: AIP-137 generated wide press coverage (Yahoo Finance, Bitget News, KuCoin, Cryptorank, Lookonchain, mpost, HTX, Cryptonomist, Defi-Planet) plus official Aptos / Aptos Labs / cryptography lead social posts in Dec 2025. Shipped: 0 mainnet PQ bytes signed. Operationally treat as >2.0.

SLH-DSA-SHA2-128s signatures are 7,856 bytes vs 64-byte Ed25519, a ~123× raw-byte multiplier (cited in AIP-137 commentary as ~82× larger on a different baseline; even the lower figure is far above the >38× threshold). Verification ~4.8× slower (~294 µs). No published throughput-mitigation plan.

Top-3: Petra (built by Aptos Labs), Pontem, Martian (acquired by Pontem in 2024). No published PQ roadmap. Open question whether any will support AIP-137 once activated; no public commitment.

Top-3: LayerZero (theaptosbridge.com, primary), Wormhole, Stargate. None has published a PQ aggregation-key or PQ-validator roadmap.

Top-3: Coinbase Custody, BitGo, Fireblocks. All three publish forward-looking PQ statements (NIST-aligned hybrid pilots), but no Aptos-specific PQ key-management product is deployed. Per v3.1 rule: chains mandating SLH-DSA without a documented custodian-MPC alternative are capped at 15/25.

Top-3: Aptos Labs RPC, Nodereal, Ankr. No PQ-TLS / hybrid-KEM termination on public RPC endpoints. HSM/TEE chain not documented as PQ-pilot anywhere in the stack.

Nakamoto coefficient 18 (consensus-stake-weighted, H1 2025); 152 active validators end-Q2 2025; 76.4% of eligible supply staked. Geographic Nakamoto = 3 (US, Germany, Korea). Hosting Nakamoto = 1 (AWS hosts >33.3% of stake). One-client stack (aptos-core).

AIP-131 (block-time reduction) shipped on documented timeline; AIP-55, AIP-61, AIP-75 sequence shows consistent governance throughput. No deadline-driven crypto migration yet executed.

Aptos Labs cryptography is led by a Head of Cryptography (founding-team since Feb 2022); AIP-137 was authored by him. The Aptos Foundation operates governance and ecosystem coordination. Mandate is partially implicit, there is no published PQ migration working group charter, but the named lead and AIP authorship trail are clear.

No documented coordinated cryptographic change executed under active adversarial pressure. Mainnet outages have been recovered through validator coordination, but not under adversarial-attacker conditions on a crypto primitive.

No canary, honeypot, rate-limited spending rule, or in-consensus cryptographic tripwire documented.