What it is. Internet Computer holds a wider mix of signing methods than most chains, and runs the wrapped Bitcoin, Ethereum and dollar coins that people hold on it, yet none of it is protected against a quantum computer.
What we found. A handful of nodes share one secret key for a whole zone, so cracking that single key would let an attacker fake every transaction that zone ever signed and seize the wrapped reserves it guards; the team has promised research since 2021 but has shipped no protection to its live network.
Why it matters. Money you parked years ago and money moving today sit behind the same breakable lock, and a strong promise to act later is not the same as a working defence once that lock can be picked.
ICP's cryptographic stack is broader than most L1s: BLS12-381 threshold signatures at consensus, threshold ECDSA secp256k1 for ckBTC custody, threshold Schnorr (BIP-340 + Ed25519), canister signatures, and BLS-IBE vetKD encrypted-key delivery. Every primitive is Shor-vulnerable; one subnet's BLS12-381 key compromise forges every signature that subnet ever issued, including chain-key custody of ckBTC/ckETH/ckUSDC reserves.
Summary
ICP runs every signing primitive on Shor-vulnerable curves: BLS12-381 (subnet consensus, NNS root key, vetKD, canister signatures), threshold ECDSA secp256k1 (ckBTC/ckETH custody), threshold Schnorr (BIP-340 + Ed25519, GA Sep 2024), and WebAuthn passkeys (P-256, EdDSA) at Internet Identity. Mainnet PQC traffic is 0%. Threshold-key compromise has a higher blast radius than per-user-key compromise: post-Shor recovery of one subnet's BLS12-381 secret-shared key forges every signature that subnet ever issued. vetKD is the singular novel HNDL surface: encrypted keys delivered via a BLS-IBE-style mechanism over BLS12-381 G2 are decryptable post-Shor. Proposal 35660 (Dec 2021, adopted by NNS) committed DFINITY to long-term PQ research with named research leads; Camenisch (Dec 2024) reaffirmed the crypto-agility commitment with a pubkey-replacement plan. No spec, no testnet, no mainnet PQ deployment. NNS-coordinated upgrade capability is strong (4c 13/15). Gate 1a-Sig FAIL, Gate 1a-KEM FAIL. QRI 25, Band 3 Planning, Migration Stage 1.
What the gates say
- Gate 1a, Hybrid signature: FAIL. No documented hybrid signature composition at consensus, threshold-signing, or II layer; all primitives pure classical
- Gate 1a, Hybrid KEM: FAIL. vetKD encrypted-key delivery uses BLS-IBE over BLS12-381 with no hybrid KEM; boundary-node TLS uses classical X25519 / RSA
- Gate 1b, Commit-to-hash: COND. No OR-composition deployed
- Gate 2, Evidence reconstruction: PASS. Every sub-score backed by ≥3 public artifacts; reconstructible in 48 hours
- Gate 3, Primitive naming: PASS. BLS12-381 G1/G2, secp256k1, BIP-340, Ed25519/EdDSA, ES256/P-256, SHA-256/224 named with mechanism
Burn-vs-rescue policy on file
Declared option: f, Undeclared. No public DFINITY position on classical-vulnerable user accounts, chain-key custody of ckBTC/ckETH/ckUSDC reserves under post-Shor BLS12-381 break, or historical vetKD-encrypted state. NNS could in principle execute any of options (a)-(e) but has not published a policy.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1. Cryptographic Exposure (weight 15%): 36 / 100
Foundation docs name every primitive with mechanism. Subnet consensus, NNS root key, threshold canister signing, vetKD encrypted-key delivery, and user authentication are inventoried and reproducible.
Primitive inventory:
- BLS12-381 G1 threshold signatures (subnet consensus, NNS root key) via NIDKG (Groth ePrint 2021/339)
- Threshold ECDSA secp256k1 (key id (secp256k1, key_1), ckBTC/ckETH outbound)
- Threshold Schnorr secp256k1 (BIP-340, GA Sep 2024)
- Threshold Schnorr Ed25519 (key id (ed25519, key_1), GA Sep 2024, FROST-style)
- WebAuthn passkeys at Internet Identity (COSE ES256 / EdDSA)
- Canister signatures (BLS12-381-derived)
- vetKD over BLS12-381 G2 transport pubkeys
- SHA-256, SHA-224 (II principal derivation)

Quantum exposure by primitive:
- BLS12-381 (subnet/NNS, vetKD, canister signatures, NIDKG) → Shor-break-via-pairings
- secp256k1 ECDSA (tECDSA, ckBTC/ckETH) → Shor-break-via-DL-without-pairings
- secp256k1 BIP-340 Schnorr (tSchnorr) → Shor-break-via-DL-without-pairings
- Ed25519 (tSchnorr, II session keys, node-to-node) → Shor-break-via-DL-without-pairings
- WebAuthn ES256 (P-256) → Shor-break-via-DL-without-pairings
- SHA-256 / SHA-224 → Grover-weaken (224→112-bit, below NIST 2030 floor)
Zero PQ families on mainnet. All consensus, threshold-signing, canister-signing, and authentication primitives are classical EC or pairing-based.
Classical primitives map to legacy NIST levels (~128-bit pre-quantum). No FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA), or draft 206 (FN-DSA) primitive deployed.
ICP replica is implemented in Rust (dfinity/ic) by an in-house cryptography group. NIDKG construction published (ePrint 2021/339). Constant-time inherited from k256, ed25519-dalek, BLS12-381 crates. No published Formosa-Crypto / Libjade machine-checked proofs of the threshold protocols. Cryptanalytic maturity tier 1 (classical ECC) for tECDSA/tSchnorr; pairing-tier (custom NIDKG) for BLS12-381.
2. Quantum Recovery Exposure (weight 10%): 25 / 100
ICP user accounts derive from Internet Identity passkeys via canister signatures (BLS12-381). NNS root keys, subnet public keys, canister signature anchors, and tECDSA key_1 pubkeys are exposed on-chain. ckBTC and ckETH controlling private keys are held in secret-shared form on tECDSA-enabled subnets; Shor-breaking secp256k1 OR breaking BLS12-381 exposes those custody keys.
Mainnet launched 2021-05-10. Four years of cold balances exist (genesis allocation, early-investor unlocks, dormant Internet Identity anchors). Subnet BLS12-381 keys are long-lived and re-shared rather than rotated to new pubkeys. Threshold ECDSA key_1 has been the production secp256k1 key since GA (Aug 2022) and has not been rotated.
Subnet BLS12-381 threshold signatures sign blocks, certified state, canister signatures, and chain-key tokens. These signatures cover long-term subnet assets (ckBTC, ckETH, ckUSDC reserves) and are forgeable post-Shor. tECDSA secp256k1 signatures issued for Bitcoin / Ethereum outbound transactions are forgeable post-Shor.
Node-to-node replica gossip uses TLS for the network mux layer, with classical X25519 / Ed25519 / RSA. RPC providers (boundary nodes) terminate TLS classically. vetKD encrypted-key delivery uses BLS-IBE-style encryption over BLS12-381 G2 transport public keys; every encrypted key transported via vetKD on mainnet today is HNDL-vulnerable.
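The point above about subnet keys being re-shared rather than rotated, as an added example that is not DFINITY's code or part of the original card: Shamir resharing over a toy discrete-log group. The parameters P, Q, G and all function names are assumptions; real NIDKG runs over BLS12-381 with verifiable, encrypted dealings. Resharing hands a new committee fresh shares of the same secret, so the public key stays the same; only rotation produces a new one.

```python
import random

# Toy group, constructed for illustration only (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def share(secret, t, n, rng):
    """Shamir-share `secret` mod Q so that any t of n shares reconstruct it."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
            for x in range(1, n + 1)}

def lagrange_at_zero(xs):
    """Coefficients lam[i] with f(0) = sum(lam[i] * f(i)) for i in xs."""
    lam = {}
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num, den = num * -j % Q, den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def reconstruct(shares):
    lam = lagrange_at_zero(list(shares))
    return sum(lam[x] * y for x, y in shares.items()) % Q

def reshare(old_shares, t_old, t_new, n_new, rng):
    """Move the secret to a new committee without ever reassembling it."""
    dealers = dict(list(old_shares.items())[:t_old])
    lam = lagrange_at_zero(list(dealers))
    # Each dealer Shamir-shares its own share; receivers combine sub-shares.
    sub = {i: share(s_i, t_new, n_new, rng) for i, s_i in dealers.items()}
    return {j: sum(lam[i] * sub[i][j] for i in dealers) % Q
            for j in range(1, n_new + 1)}

def demo(seed=1):
    rng = random.Random(seed)         # seeded for a reproducible run; not a CSPRNG
    secret = rng.randrange(1, Q)
    old = share(secret, 3, 4, rng)    # original 3-of-4 committee
    new = reshare(old, 3, 5, 7, rng)  # membership change to 5-of-7
    recovered = reconstruct(dict(list(new.items())[:5]))
    rotated = secret % (Q - 1) + 1    # a different secret, i.e. a real key rotation
    return {"secret_preserved": recovered == secret,
            "pk_original": pow(G, secret, P),
            "pk_reshared": pow(G, recovered, P),
            "pk_rotated": pow(G, rotated, P)}
```

For a migration plan, this means committee changes do not shorten the exposure window of a published public key; only a move to a new key does.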
3. Metadata, Anonymity & Confidentiality (weight 13%): 28 / 100
Pseudonymous. ICRC-1/2 ledger transactions reveal sender and receiver principals on-chain. Internet Identity derives a different principal per dapp origin (cross-app linkability defeated at II layer), but per-dapp on-ledger activity is fully linkable.
Boundary nodes (HTTPS gateways) operated by DFINITY-controlled infrastructure plus a growing community provider set. Subnet replica gossip observable to ~13–40 nodes per subnet. ICP runs ~42 subnets with ~130 independent node providers (NNS-controlled). No published validator metadata-retention policy.
Chain-key Bitcoin (ckBTC, mainnet 2023-04-03), chain-key Ethereum (ckETH), ckUSDC, ckUSDT, and Chain Fusion JSON-RPC outbound to EVM chains create on-chain trails between ICP principals and external addresses.
Every signing primitive that anchors ICP identity is Shor-vulnerable. Post-Shor recovery of subnet BLS12-381 keys exposes every canister-signature-derived principal; historical II authentications can be re-attributed. vetKD-encrypted payloads are Shor-decryptable.
No on-chain mixer, cryptographic shuffle, or mix-network in the replica.
4. Migration Architecture (weight 10%): 58 / 100
NNS-governed protocol upgrades replace replica binaries weekly across subnets via NNS proposals. Replica's cryptographic stack is modular. DFINITY CTO Jan Camenisch (Dec 2024) committed to replacing cryptographic schemes if needed (crypto agility). Production additions: tECDSA secp256k1 GA Aug 2022; tSchnorr BIP-340 + Ed25519 GA mainnet Sep 2024; vetKD test key on mainnet subnet under proposal 136589 May 2025.
Every canister IS a smart-contract account with native key management. Internet Identity supports multi-passkey rotation (add/remove devices) and OpenID Connect federation. No client-layer PQC path published. Session-key types are Ed25519 and ECDSA.
Weekly NNS-coordinated subnet binary upgrades routine since mainnet launch (May 2021). Major coordinated additions include Bitcoin integration (Nov 2022), tECDSA GA (Aug 2022), ckBTC (Apr 2023), ckETH / Chain Fusion (2023–2024), tSchnorr + Ed25519 GA (Sep 2024), vetKD test key (May 2025). No contested fork.
No published hybrid PQC envelope at the subnet-consensus, threshold-signing, vetKD, or II layer. Proposal 35660 (Dec 2021) committed DFINITY to PQ research but did not specify a hybrid migration architecture. Sep 2025 forum thread on Qubex Protocol describes a third-party L2 hybrid signature scheme (ECDSA/Schnorr classical + ML-DSA-44 + SLH-DSA-SHA2-128f, ML-KEM-768), not a DFINITY foundation product.
ICP deploys no stateful hash-based signature primitive. Default 15/15 for stateless schemes.
ICP subnet consensus uses BLS12-381 threshold aggregation via NIDKG. No spec, testnet, or mainnet pilot of a PQ aggregation path published by DFINITY. Camenisch Dec 2024: 'closely monitoring the situation and will propose replacements at the appropriate time.' Score reflects undeclared status with active research commitment.
5. Deployment Execution (weight 22%): 8 / 100
Mainnet PQC traffic 0%. No PQ primitive signs subnet blocks, NNS proposals, threshold canister signatures, vetKD encrypted-key transport, or II authentications.
dfinity/ic replica contains no PQ signature implementation in consensus, NIDKG, tECDSA, tSchnorr, or vetKD code paths. The third-party Qubex Protocol R&D thread (Sep 2025) implements ML-DSA-44 + SLH-DSA-SHA2-128f + ML-KEM-768 inside canisters as an L2 prototype; this is application-layer canister code, not replica consensus client code.
Zero subnet replicas hold PQ keys; subnet keys are BLS12-381 only. Boundary nodes terminate classical TLS.
VOIDED to 0 because 5a = 0. Standing dated commitment is Proposal 35660 (Dec 2021, adopted by NNS as long-term R&D objective). Camenisch Dec 2024 reaffirmed crypto-agility commitment with no enforcement-mechanism-backed flag-day, no NNS proposal with hard-coded activation epoch.
Announced PQ work in trailing 12 months: Proposal 35660 reaffirmed in 2025 Roadmap Update; Qubex Protocol third-party R&D thread (Sep 2025); third-party RFP for canister-level PQC verification engine (Dec 2025); media coverage citing ICP's 'crypto agility'. Shipped PQ on mainnet: 0 bytes. No deduction trigger.
No PQ signature scheme is selected or specified for ICP consensus, threshold signing, vetKD, or II. Score 0 per rubric for 'undisclosed.'
6. Supply Chain Vendor Readiness (weight 22%): 9 / 100
Top-3: Internet Identity (DFINITY-operated; passkey/WebAuthn ES256/EdDSA, no PQ roadmap), Plug Wallet (browser extension, no PQ roadmap), NFID Wallet (Internet Identity Labs, OpenID + chain-fusion, no PQ roadmap). Ledger Nano via DFINITY/Zondax-built ICP app supports ICP/ckBTC/ckETH but ships classical curves only.
Top-3: Chain-key Bitcoin (ckBTC; tECDSA secp256k1 + subnet BLS12-381), Chain-key Ethereum / Chain Fusion (ckETH), ckUSDC / ckUSDT. All rely on the same tECDSA secp256k1 + BLS12-381 stack: single-family Shor exposure. Higher floor than other tiles because ckBTC/ckETH have explicit DFINITY ownership and would migrate via NNS proposal.
Top-3 by ICP custody volume: Coinbase Custody (lists ICP), BitGo (lists ICP), Fireblocks (research / non-custody integrations). None has published an ICP-specific PQ migration roadmap.
RPC providers: DFINITY-operated boundary nodes plus community boundary nodes; ic0.app gateway. No PQ TLS hybrid KEM in the boundary fleet. HSM: stake-pool / node-provider HSMs (where used) are vendor-default classical (Thales / YubiHSM / AWS KMS). TEE: ICP replicas run on commodity bare metal.
7. Governance & Coordination (weight 8%): 49 / 100
~42 subnets, each with 13–40 nodes (default 13 for application subnets, 28–40 for high-replication subnets including the NNS subnet and key tECDSA subnets). ~130 independent node providers globally. NNS-controlled membership; node providers are vetted via NNS proposal. DFINITY Foundation retains significant influence via early-investor neuron concentration and protocol-development authority.
NNS proposals execute weekly. Replica binaries upgraded subnet-by-subnet with no-downtime rolling upgrades. Major cryptographic additions (tECDSA, tSchnorr, vetKD test key) shipped under NNS coordination on stated timelines. Strong operational track record under non-emergency conditions.
DFINITY Foundation (CEO/Chief Scientist Dominic Williams; CTO Jan Camenisch; VP Research includes Jens Groth, Andrea Cerulli on PQ R&D). Proposal 35660 (Dec 2021) named Groth and Cerulli as PQ R&D leads. No publicly-named, mandated PQ migration program manager with quarterly deliverables.
NNS has handled governance-attack precedents (large-neuron voting, contested SNS launches) but no precedent of a coordinated cryptographic primitive change under active adversarial pressure. The closest precedent is the routine NIDKG re-sharing protocol that allows subnet membership changes.
No community honeypot, no rate-limited spending rule, no cryptographic tripwire embedded in subnet consensus, no automated PQ-event response.
X + Y vs Z: when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal; the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y range 15–27 years (2041–2053), Crisis Zone (vs Z10 2030); Outside risk window (vs Z25 2035)
Z-compliance
Outside NIST 2030 deprecation and 2035 disallowance under any X+Y end of range
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
vetKD test-key launch is described variously as production-grade or as test-only across DFINITY communications. The official forum thread (proposal 136589, May 2025) explicitly states the key is for testing; one developer-update post phrases vetKD as 'available.' Score reflects the conservative test-only reading.
The Sep 2025 Qubex thread (third-party L2 hybrid prototype) and the Dec 2025 PQC RFP appear high in search engines and could be misread as DFINITY foundation deployments. Both are third-party. Foundation position remains Proposal 35660 + Camenisch crypto-agility statement.
Delta-QRI under alternative weighting
Under a weighting that prioritizes governance-coordination capacity (+5pp Dim 7 at expense of Dim 6), QRI rises to ~27–28 (still Band 3). Under a weighting prioritizing deployment execution (+5pp Dim 5 at expense of Dim 7), QRI falls to ~22–23 (Band 3 still binds).
Announcement-to-shipped ratio
Announced: 4. Shipped: 0. Ratio: 4.
Tag: none (ratio below 5x narrative-only trigger; below 1.5x deduction trigger when measured against 0-bytes-shipped baseline)