Foundation blog (April 2026) names current primitives explicitly. Three points withheld: stateful/stateless distinction not declared at protocol level; the random-beacon / TSS path (in active development per roadmap) does not yet name its candidate signature scheme.

Foundation explicitly acknowledges that an attacker with a CRQC could derive a private key from a public key. SHA-384 and AES-256 are CNSA-tier choices that retain ≥128-bit security under Grover.

Families currently: 0; planned families: lattice (Falcon/FN-DSA primary, ML-DSA fallback, ML-KEM for KEM). All planned PQ migration is lattice-only. Diversity Cap (v3.1 → 60) will apply once any PQ family ships. Foundation post explicitly names FN-DSA (FIPS 206) as primary and Dilithium (ML-DSA) as fallback if FIPS 206 is delayed, both lattice. No hash-based or code-based fallback declared.

SHA-384 (FIPS 180-4, CNSA-aligned, 192-bit residual under Grover); AES-256 (CNSA-aligned, 128-bit residual under Grover); planned FN-DSA = NIST cat 1 or higher (parameter set unstated); planned ML-DSA = cat per parameter (unstated); planned ML-KEM = cat per parameter (unstated). Foundation states intent to follow CNSA but does not name PQC parameter sets.

Hashgraph consensus aBFT proven in Coq (consensus correctness, not crypto-primitive proofs). Standard Ed25519/ECDSA implementations expected. Hedera SDKs (Java/JS/Go/Rust). Planned Falcon/Dilithium are stateless. Tier 1 (ECDSA/Ed25519/SHA-2 classical) shipped, tier 3 (NIST PQC standardized) targeted, not yet shipped.

Hedera account IDs are protocol-assigned numeric tuples shard.realm.account (e.g., 0.0.123), they are NOT derived from the public key. The public key is exposed only when a transaction is signed (or when an alias is used). This is structurally favourable vs Bitcoin/Ethereum: address ≠ pubkey hash. Live cumulative TVL/circulating-HBAR sits behind keys revealed at first signature; once revealed, future Shor-derived forgery is possible against any active account.

Treasury/Council allocations and dormant retail accounts that have never transacted retain pubkey-not-revealed status (assuming no aliases), reducing cold exposure relative to chains where the address IS the pubkey hash. Concentration in Council-allocated tranches is documented in HBAR tokenomics.

Every historical Ed25519 / ECDSA secp256k1 signature on the network ledger remains forgeable post-Shor with respect to the public key it was made under. Hashgraph history is hashed with SHA-384 (Grover-resistant chaining) but signature non-forgeability collapses with Shor.

Foundation states intent to migrate Post-quantum TLS for nodes as step 1 and Post-quantum TLS for client connections as step 2 of its PQ sequence, indicating awareness that current AES-256-in-TLS handshakes use classical KEM (ECDHE / X25519). Until ML-KEM hybrid TLS is deployed at consensus and client surfaces, validator-gossip and gRPC transport remain HNDL-vulnerable. SHA-384 + AES-256 reduce symmetric-side Grover exposure.

Pseudonymous transparent ledger; account IDs visible in Mirror Node. Account-ID model decouples address from pubkey but does not hide the transaction graph itself.

Mirror Node operators include the foundation, several Council members, and third parties (Arkhia, Hashio JSON-RPC Relay). gRPC endpoints concentrated among Council-run nodes. No published validator-metadata retention policy.

HashPort bridge live; Chainlink CCIP supported for select assets. Passive observer can correlate source-to-dest flows across these surfaces.

Lower retroactive de-anon surface than chains heavy in DL-curve-based privacy primitives (Hedera does not deploy ElGamal ring sigs / EC-curve-based zk). Historical Ed25519/ECDSA pubkeys remain Shor-vulnerable but disclosure was already pseudonymous, not anonymity-protected. SHA-384 hashing limits chain-state hash inversion.

No protocol-level mixnet, shuffle, or commit-reveal mixing.

Account model decouples address from key, new key types can be added at the HAPI level without breaking existing accounts. Foundation explicitly states a new post-quantum key type can be added to the Hedera API once FIPS 206 finalizes. ECDSA secp256k1 was added alongside Ed25519, that is one prior algorithm-addition precedent.

Native key rotation supported via account-update transactions (account keys can be replaced without changing account ID). Threshold keys and key lists native. Client-layer PQC path documented in the April 2026 blog (PQ TLS for clients) but not yet deployed. AA-equivalent capability via native multi-key, not ERC-4337-style smart-account-AA.

Council-coordinated network upgrades have shipped at consistent cadence. No contested forks. Coordination authority is centralized in the Council, which is both an asset and a single-point-of-coordination.

Foundation explicitly states the event signing will be updated to a hybrid signature (classical Ed25519 + FN-DSA together), this is a documented hybrid AND-composition path for consensus event signing. Architecturally feasible via account-key model. Not yet deployed.

Planned PQ schemes (FN-DSA, ML-DSA) are stateless. Stateful-hash signature schemes (XMSS/LMS) are not in the announced migration. Default full credit per v3.1 rule.

Hashgraph consensus uses virtual voting with gossip-about-gossip, votes are calculated locally rather than transmitted, so the consensus does not aggregate per-node signatures over a per-block message in a BLS-style scheme. Per-event signing uses Ed25519. The roadmap lists TSS signatures (threshold signature scheme for aggregating node signatures, in progress), TSS implementation candidate algorithm not yet named, no spec or testnet yet.

No PQC primitive shipped on mainnet as of 2026-05-01. April 2026 blog describes the migration sequence in future tense; no deployed PQ event-signing or PQ-TLS.

No PQC code merged into Hiero / hedera-services consensus client surface as of evidence cutoff. WECAN grant (Dec 2025) and SEALSQ partnership (Dec 2024) fund off-chain quantum-safe identity / hardware tooling; chain-client PQC code is research-stage.

Council nodes operate under Ed25519. No validator-side PQC key adoption.

VOIDED to 0 per v3.1 rule (5a = 0). The April 2026 blog publishes a sequenced plan (PQ-TLS nodes → PQ-TLS clients → hybrid event signing → new PQ key type targeted for 2027), but only one of those is dated, and 5d is voided when 5a = 0.

Announced PQC items in trailing 12mo (foundation blog April 2026, SEALSQ partnership Dec 2024, WECAN grant Dec 2025, multiple press echo): ~6-8 distinct announcements. Shipped PQ on mainnet: 0. The April 2026 blog is the substantive technical artifact (specific primitives + migration sequence). Tag: announcement overhang, not narrative-only. 9 points deducted.

Hybrid Ed25519 + FN-DSA event signing. FN-DSA (Falcon-512) reference: ~10-11× raw signature size vs Ed25519 (Falcon-512 sig ≈ 666 bytes vs Ed25519 64 bytes ≈ 10×). Falls in 5-10× scoring band.

Top-3: HashPack, Blade Wallet, Ledger HW. PQC-roadmap count: 0 published roadmaps for HashPack or Blade. Ledger HW carries the same general PQC posture as Ledger across all chains.

Top-3: HashPort, Chainlink CCIP, LayerZero. PQC-roadmap count: 0 with deployed PQC. Chainlink CCIP has architecture discussions of PQ but no shipped path.

Top-3: Fireblocks, BitGo, Anchorage Digital. PQC-roadmap count: 1 partial (Fireblocks-Hedera + SEALSQ QS7001 chip integration roadmap; Anchorage and BitGo have published PQC research, no Hedera-specific deployment).

Top-3 RPC: Hedera Mirror Node (foundation), Hashio JSON-RPC Relay, Arkhia. HSM: SEALSQ QS7001 chip with Dilithium-key embedding is a SEALSQ-side product announcement (Dec 2024) with partner mention of Hedera; no Hedera-side confirmation of deployed PQ HSMs at validator nodes is publicly available.

Permissioned 31-member Governing Council (FedEx joined Feb 2026; Accenture announced 2026-04-30). Members include Google, IBM, Boeing, Standard Bank, NVIDIA, ServiceNow, FIS, abrdn, Nomura, DBS Bank, Arrow Electronics, Repsol, FedEx. Low Nakamoto coefficient by design; institutional permissioned governance.

Consistent release cadence (recent versions 0.70 / 0.71). Council coordination is structurally fast vs anonymous-validator chains. No coordinated upgrade under live attack on record.

Hashgraph algorithm authored by a named individual; Hashgraph as a company / Council provides published mandate via Council documents. No standalone PQ working group with a named technical lead and public charter (April 2026 blog is foundation-authored without a named PQ-WG lead).

Council structure designed for coordinated decision-making; multiple Council additions and Council-driven HIP enactments document coordination capability. No precedent of coordinated cryptographic change under active attacker.

No published canary, honeypot, or rate-limited tripwire embedded in consensus.