Inventory clear and reconstructible from CometBFT and Cosmos SDK docs/code.

No PQ-safe primitive in active use.

0 PQ families. Two classical families (Edwards-curve EdDSA, Weierstrass-curve ECDSA), but neither PQ-safe; the diversity rubric counts PQ families.

Ed25519 ≈ 128-bit classical / 0-bit post-Shor; secp256k1 ECDSA ≈ 128-bit classical / 0-bit post-Shor; SHA-256 ≈ 128-bit post-Grover. No NIST PQC category mapped because no NIST PQC primitive in scope.

CometBFT consensus has a TLA+ specification and machine-checked safety proofs; the underlying Ed25519 / secp256k1 libraries are standard Go implementations without machine-checked PQ-relevant proofs. Standard Go crypto/ed25519 is constant-time; secp256k1 uses btcec/dcrec, known constant-time. Tier 1 (mature classical EC + SHA-2). No PQ implementation.

cosmos1… accounts derive from secp256k1 pubkey hash (RIPEMD-160(SHA-256(compressed pubkey))). Pubkey is published on-chain on first outbound tx, so any account that has ever signed has its pubkey publicly recorded, Shor-forgeable post-CRQC.

Accounts that have never signed retain pubkey-hash protection; accounts that signed once retain exposed pubkeys indefinitely. Cosmos Hub mainnet has been live since March 2019, so a non-trivial fraction of cold supply has revealed pubkeys at some point.

Every historical Ed25519 validator vote and secp256k1 account signature is forgeable after CRQC. IBC light-client checkpoints rely on Ed25519 validator-set signatures: a CRQC adversary can forge a valid-looking historical Cosmos Hub header against any Tendermint light client trusting historical validator-sets.

CometBFT p2p secret connection uses X25519 ECDH key agreement for transport encryption between validators (Shor-vulnerable). RPC/REST endpoints use standard TLS (classical X25519 / RSA / ECDH). No hybrid PQ KEM deployed. Validator gossip and mempool transport sit fully in classical-DH HNDL scope.

Fully transparent ledger; cosmos1… addresses pseudonymous; IBC packet receipts make cross-chain flow trivially linkable to any passive observer.

Top public RPC endpoints concentrated among a handful of operators (Polkachu, Strangelove, Imperator, Lavender.Five, Notional, Stake.Systems, Stakewolle). Mempool gossip observable to any validator-grade node; no validator-metadata-retention policy declared at protocol level.

IBC channels make flows between Hub and ~40+ connected zones directly linkable; Skip Protocol / Stride / Neutron flow analysis is straightforward. Gravity Bridge (Cosmos↔Ethereum) and Axelar add EVM-side correlation.

Cosmos Hub does not publish encrypted payload data, ZK-shielded transactions, or DL-based ring signatures. Confidentiality risk from Shor on its curves is limited to long-term cryptographic identity correlation rather than payload decryption.

None at protocol level.

CometBFT supports --key-type flag to choose validator consensus key type at init (Ed25519 default; secp256k1 selectable). Cosmos SDK crypto/keys package is modular; new schemes added historically (sr25519 added, secp256r1 added). However, no production instance of a validator-consensus-key-type swap on Cosmos Hub mainnet within 5 years; the agility is architectural, not demonstrated.

ADR-016 specifies validator consensus key rotation; the Olympus (v0.52) release introduced consensus-key-rotation as a major feature plus the new x/accounts module. x/authz (delegated authorization) and x/feegrant (fee delegation) are live. No native account abstraction comparable to ERC-4337 / EIP-7702 / Starknet AA. No documented client-layer PQ migration path.

Coordinated upgrades v17 (2024-Q3), v18, v19, v19.2 emergency upgrade, v20 (2024-10), via on-chain governance with ~2-week voting. Strong execution cadence. Contested ATOM 2.0 proposal (2022) was rejected on-chain, a successful adversarial-coordination data point in itself.

cometbft init --key-type supports multiple consensus key types in principle, so a hybrid validator key (parallel keys per validator, both verified at consensus) is architecturally constructible. No spec proposal or ADR for a hybrid Ed25519+PQ scheme on Cosmos Hub. DoraFactory's external cosmos-pqc and tendermint-pqc repos demonstrate Dilithium drop-in replacement (not hybrid) on a research fork.

N/A by default, no stateful hash scheme in scope; stateless schemes score full per v3.1 rubric.

N/A. Cosmos Hub uses Ed25519 non-aggregating signatures at consensus per CometBFT default. The Tendermint BLS-aggregation feature request (tendermint/tendermint#1319, opened 2018-03-16) was closed as not planned. BLS is not in the Cosmos Hub consensus path.

0% of validator votes or account signatures on Cosmos Hub mainnet under a PQC primitive.

No PQC scheme merged into cometbft/cometbft main, no PQC scheme merged into cosmos/cosmos-sdk main crypto/keys. DoraFactory tendermint-pqc (Dilithium fork) and cosmos-pqc (Cosmos SDK fork using liboqs-go for Dilithium) exist as external research repos, not in canonical client.

All ~180 active Cosmos Hub validators use Ed25519 consensus keys per default. No validator has registered a PQC consensus key.

VOIDED to 0 per v3.1 rule (5a = 0). No dated, enforcement-mechanism-backed PQC milestones for Cosmos Hub mainnet.

Announced PQC trailing-12-mo from Cosmos Hub / Interchain Foundation / Informal / Hypha: ~0 official communications. Shipped PQC: 0. Ratio undefined / low. No washing detected (no claims to deflate).

No PQ deployment, no published bytes-per-block analysis under any PQ scheme for Cosmos Hub.

Top-3 in-ecosystem wallets: Keplr, Leap, Ledger HW. None publish a PQC roadmap. Ledger HW has internal PQC research at Ledger Donjon but no shipped PQ-signing for Cosmos accounts.

Top-3 bridges in Cosmos Hub flow: IBC (light-client model, Ed25519 verification), Axelar (BLS + Ed25519, classical), Gravity Bridge (Ethereum↔Cosmos, secp256k1 + Ed25519). None publish a PQC roadmap. IBC v2 / IBC Eureka work targets ZK-Tendermint-light-client over SP1, that is succinctness, not PQ; the Ed25519 verification stays.

Top-3 institutional custodians supporting ATOM: Coinbase Custody, BitGo, Anchorage. None publish a Cosmos-specific PQC roadmap. None have MPC-PQ in production for ATOM signing.

Top RPC providers: Polkachu, Strangelove, Imperator, Lavender.Five, Notional. None publish PQ-enabled RPC TLS. HSMs used by validators: standard YubiHSM2 / Ledger / Thales / AWS KMS, no PQ signing for Ed25519/secp256k1 in production.

~180 active validators. Reported Nakamoto coefficient in the 6-7 range historically (per Chorus One / Messari analyses), with top-7-or-so controlling 33% threshold. Client diversity weak: nearly universal CometBFT (no second consensus client).

v19.2 emergency upgrade (2024) executed under time pressure. Standard cadence v17/v18/v19/v20 sustained through 2024.

Interchain Foundation (foundation), Interchain Inc / Interchain Labs (engineering), Informal Systems (CometBFT, Hub stewardship), Hypha Worker Co-op (testnet + mainnet ops, Proposal 985 ratified Hypha for 2025). Clear named ownership. No named PQC migration lead for Cosmos Hub.

ATOM 2.0 (Proposal 82, 2022) rejected on-chain demonstrates governance functions under contested high-stakes proposals. No precedent of a coordinated cryptographic-primitive change while under attacker pressure.

No canary, honeypot, rate-limited spending rule, or cryptographic tripwire on Cosmos Hub.