What it is. Kaspa is a fast mining-based coin that has pulled off two big coordinated network upgrades yet has done nothing so far to protect itself against future quantum computers.
What we found. A quantum attacker would not only be able to fake people's account signatures but could also tamper with the ledger's running tally of who owns what, a weak point most other coins do not carry.
Why it matters. Coins sitting in older or reused addresses, and the integrity of the balance records themselves, could be at risk once such a machine arrives, and the project has not yet said what it will do to shield holders.
Fair-launched proof-of-work BlockDAG L1 with two coordinated hard forks on record (rusty-kaspa rewrite + Crescendo 1→10 BPS) but zero PQ posture at the foundation level. Schnorr/ECDSA secp256k1 signatures plus an ECDLP-based MuHash UTXO commitment add a second Shor-vulnerable surface beyond user signatures.
Summary
Kaspa is a fair-launched proof-of-work BlockDAG L1 (mainnet 2021-11-07), running the GHOSTDAG protocol with kHeavyHash (Keccak-based) PoW. User signatures are Schnorr secp256k1 (default, BIP340-style) with ECDSA secp256k1 supported. Hashing is BLAKE2b for transaction and address derivation. The UTXO state commitment uses MuHash, an elliptic-curve incremental multiset hash whose security rests on ECDLP, a second Shor-vulnerable surface beyond user signatures. The Crescendo Hardfork (KIP-14) activated 2025-05-05 at DAA score 110,165,000, lifting block production from 1 to 10 BPS, Kaspa's second major coordinated upgrade and proof of hard-fork capacity, but with no PQ content. No KIP labelled post-quantum is in the master KIP repository. The two PQ artifacts that exist are an open community pull request (KIP-22 P2MR, submitted 2026-03-06, unmerged) and an informal personal draft on a third-party GitHub (P2PKH-Blake2b-256-via-P2SH), neither at protocol-spec parity. Migration Stage 0. Raw QRI 20. After-cap QRI 20 (Band 2 Acknowledged, borderline Band 1). CI plus-minus 8.
What the gates say
- Gate 1a, Hybrid signature: FAIL. Schnorr secp256k1 sole protocol-default user signature; no AND/OR composition with PQ co-signer
- Gate 1a, Hybrid KEM: FAIL. P2P transport uses classical TLS X25519/RSA/ECDH; no hybrid PQ KEM
- Gate 1b, Commit-to-hash: COND. No OR-composition deployed
- Gate 2, Evidence reconstruction: PASS. Every sub-score has ≥ 3 evidence sources; reconstructible in 48h
- Gate 3, Primitive naming: PASS. Schnorr secp256k1, ECDSA secp256k1, BLAKE2b, Keccak-256, MuHash on secp256k1 named everywhere
Burn-vs-rescue policy on file
Declared option f, Undeclared. No foundation- or KEF-published policy on what happens to KAS holdings at quantum-vulnerable addresses post-CRQC. Community Phase-I proposal advocates voluntary user migration to commit-hiding addresses but does not propose a freeze, burn, or rate-limit canary. KIP-22 (P2MR) is wallet-layer-only and silent on legacy holdings.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI.
1. Cryptographic Exposure (weight 15%): 19 / 100
Chain documentation names every active primitive. MuHash is a meaningful additional cryptographic surface that v2 documentation did not name.
Schnorr secp256k1 (default user signatures, BIP340-style 64-byte) · ECDSA secp256k1 (supported alternative) · BLAKE2b (transaction/address hashing) · kHeavyHash (PoW: matrix multiplication sandwiched between two Keccak-256 invocations) · MuHash on secp256k1 (UTXO multiset commitment, ECDLP-based)
- Schnorr secp256k1 → Shor-break-via-DL-without-pairings
- ECDSA secp256k1 → Shor-break-via-DL-without-pairings
- MuHash on secp256k1 → Shor-break-via-DL-without-pairings
- BLAKE2b → Grover-weaken (256→128 bit)
- Keccak-256 (kHeavyHash inner) → Grover-weaken
0 PQ families deployed. Diversity Cap fires (zero PQ families is the strict subset of lattice-monoculture rule scope).
No NIST PQC primitives deployed.
GHOSTDAG/PHANTOM has academic peer-reviewed proofs (ePrint 2018/104) for consensus, but there is no formal verification of cryptographic-primitive implementations. The rusty-kaspa Rust implementation uses the standard secp256k1 crate, with no public dudect validation. Stateless schemes only. Cryptanalytic tier: tier 1 (classical ECC + Keccak/BLAKE2b).
2. Quantum Recovery Exposure (weight 10%): 16 / 100
Every spent UTXO reveals the Schnorr or ECDSA public key. Address reuse is common in mining rewards and exchange flows. UTXO model gives modest cold-side protection but every active spender is exposed. No P2PKH-style commit-to-pubkey-hash deployed.
Mainnet 2021-11-07; ~4.5 years of dormant balances. Fair-launch model means dormant balances skew toward miners and early adopters. Schnorr/ECDSA P2PK addresses expose pubkey at funding.
BlockDAG history is permanent. Post-Shor every historical Schnorr/ECDSA signature is forgeable from the public key alone. The MuHash UTXO commitment introduces an additional retroactive risk: post-Shor the ECDLP-based commitment can be forged to match alternative UTXO sets.
P2P node-to-node communication uses standard TLS (X25519/RSA/ECDH). rusty-kaspa releases do not document any hybrid PQ KEM. No PQC in transport surfaces.
3. Metadata, Anonymity & Confidentiality (weight 13%): 24 / 100
Pseudonymous BlockDAG with full transparency of every block, transaction, and output. UTXO model permits address rotation but provides no native shielding.
Top-3 RPC concentration is high (community pools, kaspa.org-affiliated infrastructure, exchange RPC endpoints). Mempool gossip is permissionless and fully observable. No published validator-metadata-retention policy.
Bridge surface narrower than EVM-native chains. Primary venue is Chainge Finance custodial wKAS bridge to Ethereum, with later expansion to BNB Chain and Polygon. Custodial bridge model concentrates correlation risk on Chainge's signing infrastructure.
Post-Shor every secp256k1 pubkey on chain is solvable, exposing every historical sender across the BlockDAG. The MuHash commitment, also ECDLP-based, adds a separate retroactive surface.
No on-chain mixing primitive; no shielded pool; no commit-reveal scheme.
4. Migration Architecture (weight 10%): 40 / 100
PoW chain with hard-fork-only upgrades. No on-chain governance and no protocol-level algorithm-switch mechanism without a coordinated hard fork. The full-node rewrite from Go (kaspad) to Rust (rusty-kaspa, KIP-1) and Crescendo demonstrate the team can ship invasive code changes.
No Account Abstraction. UTXO-model addresses can be rotated by spending to a new address (voluntary key rotation at wallet layer). KIP-5 (Message Signing) supports off-chain signed messages but is not a key-rotation primitive.
Two coordinated upgrades on record. KIP-1 rusty-kaspa rewrite (Implemented). KIP-14 Crescendo (Active), 1→10 BPS, GHOSTDAG K parameter recalibration, finality/merge-depth/coinbase-maturity rescaling, activation 2025-05-05 at DAA 110,165,000. No contested forks.
No announced hybrid PQ deployment plan. KIP-22 (P2MR ScriptPublicKey, PR #37 unmerged) is a Merkle-root commitment scheme rather than hybrid sig-composition design. The Phase-I community proposal is wallet-layer commit-hiding.
Kaspa uses no stateful hash-based scheme. All signing is stateless ECC. Default credit.
N/A, Kaspa is Nakamoto-style PoW with no BLS aggregation in consensus and no validator set. Weight redistributes.
5. Deployment Execution (weight 22%): 18 / 100
0% mainnet PQC traffic. No PQC primitive in any active mainnet signing or transport surface.
No PQC code merged into rusty-kaspa main branch (v1.0.0 Crescendo Mainnet release).
N/A, Kaspa is PoW with no validator set. Weight redistributes within Dim 5.
VOIDED per v3.1 Milestone-Discipline rule (5a = 0). No public foundation- or KEF-published dated PQ migration milestones.
0 formal foundation announcements; no PQ migration position. Shipped count: 0. No overstatement; full marks.
Undisclosed. No PQ scheme selected, no benchmark published. The tight 100ms (10 BPS) block budget would constrain PQ-signature footprint choice.
6. Supply Chain Vendor Readiness (weight 22%): 8 / 100
Top-3: Kaspium mobile, KasWare browser extension, Tangem hardware card; Ledger Live also supports Kaspa. 0/3 publish a PQC roadmap.
Top: Chainge Finance (primary custodial bridge, wKAS to ETH/BNB/Polygon), exchange-mediated flows, ChainPort. PQC roadmap: 0/3.
Top-3: Kraken (US/EU spot custody), Bybit, Coinbase/Binance Futures (derivatives only). PQC roadmap: 0/3.
RPC: community-operated Kaspa nodes. HSM: Ledger HSM ecosystem via Ledger Live. TEE: no documented attestation chain in rusty-kaspa node software.
7. Governance & Coordination (weight 8%): 31 / 100
PoW chain with no validator set. Mining-pool concentration moderate but observable: Antpool, F2Pool, Kryptex, ViaBTC, Woolypooly. Client-software diversity is currently low (rusty-kaspa is the canonical client).
Two successful coordinated hard forks (KIP-1 rusty-kaspa rewrite Implemented; KIP-14 Crescendo Active 2025-05-05). No demonstrated upgrade under adversarial pressure.
Kaspa Ecosystem Foundation (KEF) is the named foundation. Yonatan Sompolinsky (founder, GHOSTDAG/PHANTOM author) and Michael Sutton are core contributors. No named PQ migration lead. Most public quantum-credentialed contributor (PhD quantum cryptography) comments via kasmedia rather than as foundation PQ lead.
Fair-launch (2021-11-07) gives community legitimacy. No record of coordinated cryptographic-pivot under active-attacker conditions. Crescendo was a planned scaling upgrade.
No canary, honeypot, rate-limited spending rule, or cryptographic tripwire embedded.
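The weighted roll-up described at the top of this section can be re-derived from the seven weights and scores printed in the dimension headings. The following is an added example, not the card's own scoring code: it assumes a plain weighted mean rounded to the nearest integer and, for N/A entries, proportional redistribution of the dropped weight (the card does not state its rule). It reproduces the raw QRI of 20 and isolates how much a +2 shift in Dimension 1 alone moves the index.

```python
from fractions import Fraction

# (weight %, internal score 0-100) copied from the seven dimension headings.
KASPA = {
    "Cryptographic Exposure": (15, 19),
    "Quantum Recovery Exposure": (10, 16),
    "Metadata, Anonymity & Confidentiality": (13, 24),
    "Migration Architecture": (10, 40),
    "Deployment Execution": (22, 18),
    "Supply Chain Vendor Readiness": (22, 8),
    "Governance & Coordination": (8, 31),
}


def roll_up(dimensions):
    """Weighted mean of the scored dimensions as an exact Fraction.

    A score of None marks an N/A entry: its weight is dropped and the
    remaining weights are renormalised (assumed redistribution rule).
    """
    if sum(w for w, _ in dimensions.values()) != 100:
        raise ValueError("dimension weights must sum to 100%")
    scored = []
    for name, (weight, score) in dimensions.items():
        if score is None:
            continue
        if not 0 <= score <= 100:
            raise ValueError(f"{name}: score {score} outside 0-100")
        scored.append((weight, score))
    if not scored:
        raise ValueError("no scored dimensions")
    return Fraction(sum(w * s for w, s in scored), sum(w for w, _ in scored))


def delta_if_shifted(dimensions, name, points):
    """Change in the roll-up when one dimension's score moves by `points`."""
    weight, score = dimensions[name]
    shifted = {**dimensions, name: (weight, score + points)}
    return roll_up(shifted) - roll_up(dimensions)


if __name__ == "__main__":
    qri = roll_up(KASPA)
    print(f"raw roll-up {float(qri):.2f} -> QRI {round(qri)}")
    delta = delta_if_shifted(KASPA, "Cryptographic Exposure", 2)
    print(f"Dimension 1 +2 points -> delta {float(delta):+.2f}")
```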
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal; the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y reaches 2034-2041, Crisis Zone (vs Z10 2030); Outside risk window at upper bound (vs Z25 2035)
Z-compliance
Outside compliance window flagged at upper bound under NIST IR 8547 disallowance 2035
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Industry-standard chain readiness frameworks score signature-Shor exposure as the primary surface. An alternative framing surfaces the MuHash UTXO commitment (ECDLP-based, non-signature surface) as a comparable retroactive risk that sits outside conventional signature-Shor scoring. Under a signature-only weighting Kaspa's Dim 1 raw rises by ~2 points and Dim 3d by ~1 point.
Whether kasmedia coverage of contributor commentary qualifies as foundation acknowledgement is contested. Stricter interpretation (foundation-channel-only) puts Kaspa at Band 1 Unaware; looser interpretation puts Kaspa at Band 2 Acknowledged.
Delta-QRI under alternative weighting
Signature-only alternative weighting: +0.5 (raw 20 → 20-21). Hard-fork-rewrite-counts-double weighting: +0.3. Contributor-commentary credit: ±2-3, band-boundary effect.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, chain neither announces nor ships PQ; no overstatement
Peers in the L1 profile
9 chains closest to Kaspa by Stage then QRI.