Foundation docs name every active primitive with mechanism. CIP-381 added Plutus pairing operations over BLS12-381 (Chang #1 hard fork). Mithril uses BLS12-381 stake-based threshold multi-signatures.

PQ-safe primitives: zero on mainnet today.

0 PQ families on mainnet. All consensus, signing, and Mithril aggregation primitives are classical EC / pairing-based. KES is forward-secure but built on Ed25519. Hash family (BLAKE2b) present but Grover-weakened.

Classical primitives map to legacy NIST levels (Ed25519 ≈ 128-bit pre-quantum, BLAKE2b-224 ≈ 112-bit pre-quantum below FIPS 2030 deprecation floor). No FIPS 203/204/205/206 primitive is deployed.

Ed25519 via libsodium / ed25519-dalek with strict verification. KES Sum6Kes is a Rust implementation of MMM iterated-sum forward-secure construction; key-evolution interval ~36 hours (Sum6 = 2^7 = 128 evolutions over the 90-day operational-cert validity). Ouroboros Praos / Genesis are peer-reviewed (IACR 2017/573). KES is stateful by design, key-evolution is mandated at the protocol level via operational certificates.

Cardano uses Shelley addresses where payment credentials are BLAKE2b-224 hashes of Ed25519 verification keys (CIP-19). Pubkeys are NOT revealed until first spend, similar to Bitcoin P2PKH but with hash truncated to 224 bits. Once spent, the Ed25519 pubkey is exposed on-chain in the witness; subsequent funds at the same address are quantum-vulnerable. eUTXO model encourages address rotation but does not enforce it. KES rotation does not protect account keys, only block-producer keys.

Mainnet since 2017-09-29 (Byron). Long dormancy tail. Byron-era addresses use legacy double-hash (SHA3-256 then BLAKE2b-224) which still hides pubkey pre-spend. Founder allocations and ICO-era unmoved UTXOs exist. BLAKE2b-224 truncation provides 112-bit Grover floor, below NIST 2030 deprecation level.

Historical Ed25519 signatures in spent transactions are forgeable post-Shor in principle, but the chain's append-only consensus prevents retroactive substitution. Block-producer KES forward-security limits the window where a compromised KES key can be used to backdate blocks (≤ ~90 days per operational cert). Account-level Ed25519 signatures are not forward-secure.

Node-to-node Ouroboros gossip uses TLS for the network mux layer; standard X25519 / Ed25519 / classical TLS on validator and relay infrastructure. RPC providers (Blockfrost, Koios, Maestro) terminate TLS classically. No documented hybrid KEM deployment in cardano-node. HNDL surface is bounded, block contents are public, but validator gossip metadata, mempool relay, and operator-side keys held under classical TLS-protected sessions are HNDL-exposed.

Pseudonymous on the eUTXO mainnet. Stake addresses tie payment credentials to the same staking key, increasing graph linkability above pure UTXO chains. Midnight (privacy-focused partner chain) launched federated mainnet late March 2026 using ZK-SNARKs and selective disclosure but is a separate chain, not the Cardano L1 ledger.

~3,000 active SPOs (Mithril stake registration shows registered stake at 22% of network as of August 2025, with 82.9% of SPOs on recent client versions). Many SPOs run self-hosted nodes. RPC layer (Blockfrost, Koios, Maestro, Demeter) more concentrated. Mempool gossip fully observable.

Cardano has historically had limited bridge surface (Wanchain, Milkomeda EVM sidechain). LayerZero integration was announced for 2026. Smaller bridge footprint than Ethereum / Solana lowers passive-observer correlation surface.

Ed25519 (Edwards25519) and Praos VRF are Shor-broken; once a payment key has signed, the pubkey is on-chain. BLAKE2b-224 hash limits pre-spend exposure. No on-chain encryption of payloads on the Cardano L1 (Midnight is separate).

No on-chain mixer or cryptographic shuffle in cardano-node. No CoinJoin equivalent in eUTXO mainnet.

Hard Fork Combinator (HFC) is documented in the Cardano consensus layer and has shipped 5+ era transitions (Byron→Shelley 2020-07, Allegra/Mary 2020-12/2021-03, Alonzo 2021-09, Vasil 2022-09, Chang #1 2024-09 enacting CIP-1694, Plomin/Voltaire enactment Q1 2026). Algorithm-level swap (e.g., adding ML-DSA alongside Ed25519) has not been demonstrated; the HFC swaps eras, not primitives, and CIP-381 added pairing primitives at the Plutus VM level rather than at the consensus signing layer.

KES key rotation is native (operational certificates rotated each KES period, ~36 hours). No native account abstraction equivalent to ERC-4337 / EIP-7702. eUTXO scripts (Plutus V1/V2/V3) provide programmable spending logic at the script-address level, which gives some AA-flavored flexibility, but is not a documented client-layer PQC migration path.

5+ coordinated hard forks in 5 years with no contested forks, no chain split, no rollback. Voltaire / CIP-1694 enacted on schedule under three-stakeholder coordination (DReps, Constitutional Committee, SPOs). Updated Constitution ratified with 79% of active voting stake.

The publicly-stated migration architecture is hybrid by design, a post-quantum proof chain (extension of Mithril) is intended to checkpoint the classical L1 with PQ signatures, with full chain merge planned long-term. Architecturally possible. Spec-level documentation is at framework / livestream level; no merged CIP. PR #441 and Issue #413 on cardano-foundation/CIPs are both closed without merge.

Cardano's only stateful signing primitive is KES Sum6Kes, used at the block-producer layer. State management is enforced at the protocol level via operational certificates with bounded KES periods (typical 90-day operational-cert validity, 36-hour evolution). The 15/15 is awarded for KES discipline, not for PQ stateful-hash deployment.

N/A. Ouroboros Praos uses non-aggregating Ed25519-based KES at the block-producer layer; chains using non-aggregating signatures at consensus are out-of-scope for 4f. Mithril uses BLS12-381 threshold-aggregate signatures, but Mithril is a checkpoint / certificate layer, not the Cardano consensus signing layer.

0%. No PQ primitive signs Cardano L1 transactions, blocks, or VRF outputs.

cardano-node and cardano-base contain no PQ signature implementation. The kes repository implements MMM forward-secure Ed25519, not PQ. Mithril repo contains BLS12-381 (Shor-broken via pairings) for stake aggregation, not PQ. Project Nightstream (collaboration with Google / Microsoft Research) was announced February 2026 as a research effort to replace classical ZK-SNARKs with lattice-based proofs; no shipped consensus-client code.

Zero SPOs use PQ keys. KES + Ed25519 only.

VOIDED to 0 if 5a = 0 per v3.1. The 3-phase livestream timeline (research agenda 2025-2026; 2-3 years proof chain; 3+ years merge) names phases but no enforcement-mechanism-backed flag-day, no CIP with hard-fork activation epoch, no sunset date for Ed25519 / VRF.

Announced PQ items in trailing 12 months: Project Nightstream (Feb 2026 announcement), Post-Quantum Cardano livestream + 3-phase roadmap, Mithril proof-chain framing as the PQ checkpoint mechanism, FIPS 203-206 alignment statements, multiple Bitcoin / BIP-360 commentary appearances. Shipped PQ on mainnet: 0. Ratio is high (≥3 announced / 0 shipped). Announcement quality is unusually disciplined, explicit publication of 5-10× performance penalty without hardware acceleration before shipping.

Undisclosed at chain-spec level. No published Cardano-specific bytes-per-block-under-PQ analysis.

Top-3 wallets: Lace by IOG, Eternl, Yoroi by EMURGO; Daedalus is desktop full-node, also IOG. PQ roadmap: 0 of top-3 publish a PQC roadmap. Ledger / Trezor used as Cardano hardware wallets and have no shipped PQ Cardano firmware.

Relevant bridges: Wanchain, Milkomeda (EVM sidechain), LayerZero (announced integration 2026). None publishes a PQ roadmap covering Cardano bridge endpoints.

Cardano-supporting custodians include Coinbase Custody, Anchorage, Kraken Institutional, BitGo. Coinbase Custody has issued general PQC-awareness statements at the parent-company level (institutional research note); no Cardano-specific PQ migration path.

RPC: Blockfrost, Koios, Maestro, Demeter, none publishes PQ TLS or hybrid KEM termination. HSM: stake-pool operators commonly use YubiHSM / Ledger HW for cold keys; no PQ HSM integration documented for Cardano. TEE: not part of Cardano consensus.

~3,000 active SPOs; client diversity is single-implementation (cardano-node Haskell). Nakamoto coefficient is among the highest in major L1s (publicly cited 25-50 range). Single-client risk balances strong stake distribution.

Five+ coordinated hard forks in 2020-2026 with no rollbacks; CIP-1694 / Voltaire transition completed on schedule; new Constitution ratified by 79% of active DRep stake.

Intersect MBO (member-based organization, formed 2024), IOG (Charles Hoskinson), Cardano Foundation, EMURGO. Voltaire-era tripartite governance: DReps + Constitutional Committee (7-member, community-elected after interim) + SPOs. The named coordination lead has personally fronted the PQ roadmap publicly.

Voltaire transition is a precedent for coordinated change at scale. No precedent of coordinating crypto migration under an active attacker.

No documented canary, honeypot, rate-limited spending rule, or cryptographic tripwire embedded in Cardano consensus.