What it is. Oasis keeps its private transactions secret by locking them inside sealed secure-hardware chips rather than by scrambling them with privacy math, and it has done no work to get ready for quantum computers.
What we found. A future quantum computer would not crack the hardware lock itself, but it could fake the trust-proof that vouches for those chips, letting an attacker pose as a genuine chip and pull out private data stored long ago.
Why it matters. Holders and builders relying on Oasis for confidentiality should assume secrets recorded today can be exposed later, since nothing on the project's published plans points toward fixing this.
Privacy-focused L1 with three runtime ParaTimes (Sapphire, Cipher, Emerald) on a CometBFT Ed25519 consensus core. Confidentiality on Sapphire and Cipher rests on Intel SGX TEE hardware isolation + Deoxys-II AEAD encryption + X25519 ECDH for client-runtime sessions, NOT on cryptographic privacy primitives. The ECDSA-based DCAP attestation chain and X25519 client-runtime key agreement are Shor-vulnerable.
Summary
Oasis Protocol scores raw QRI 25, after-cap QRI 25, Band 3 (Planning, borderline Band 2 Acknowledged), Migration Stage 0 (Unaware).

The unusual scoring case is that confidentiality on Sapphire and Cipher rests on Intel SGX TEE hardware isolation (Deoxys-II AEAD under SGX-derived seal keys, X25519 ECDH for in-flight envelopes) rather than on cryptographic privacy primitives. A CRQC does not directly break the AES-class seal keys, but it does break the ECDSA-based DCAP attestation chain that anchors the trust model and the X25519 key agreement protecting in-flight calldata. HNDL on captured client-runtime traffic is therefore real, and attestation-chain forgery opens a path to historical sealed-state recovery.

Dim 4 (51/100) earns architectural credit for ParaTime modularity, AA-equivalent encrypted key-management contracts, default stateless-hash credit, and an N/A on 4f (CometBFT Ed25519 individual signing). Dim 5 (15/100) is essentially zero PQ deployment plus full credit for the absence of an announcement-to-shipped gap. Gate 1a-Sig FAIL, Gate 1a-KEM FAIL, the mainnet-traffic cap, the Cryptographic-Diversity cap, the Architecture-Execution Gap (36 points), the Milestone-Discipline cap and the Supply-Chain cap all apply. The Confidentiality subtotal of 6/40 rests on a relaxed reading that credits SGX seal-key encryption as not directly quantum-broken; a strict reading pushes QRI to ~22 (still Band 3, borderline Band 2). CI ±5.
What the gates say
- Gate 1a, Hybrid signature: FAIL. No documented hybrid signature composition (AND or OR) at the consensus or runtime layer; pure Ed25519 / Secp256k1 ECDSA throughout.
- Gate 1a, Hybrid KEM: FAIL. The client→runtime channel uses pure X25519 ECDH; validator gossip and RPC TLS use pure classical KEM/DH; no hybrid PQ KEM anywhere.
- Gate 1b, Commit-to-hash: COND. No OR-composition exists.
- Gate 2, Evidence reconstruction: PASS. Each sub-score has ≥3 primary URLs across the dimension.
- Gate 3, Primitive naming: PASS. All sub-scores name specific primitives: Ed25519, Secp256k1 ECDSA, X25519 ECDH, Deoxys-II, SHA-512/256, Keccak-256, Intel SGX DCAP ECDSA attestation.
Burn-vs-rescue policy on file
Declared option: f, Undeclared. No public Foundation policy on freeze, rescue, hybrid client-layer migration, rate-limit canary, or optional migration. Nothing equivalent to Bitcoin's BIP-360 / Hourglass proposals exists in Oasis governance documentation.
Seven dimensions
Each dimension scores 0–100 internally; the weighted roll-up produces the QRI. Check against the seven scores below: 0.12×26 + 0.10×22 + 0.25×25 + 0.12×51 + 0.18×15 + 0.18×14 + 0.05×40 = 24.9, which rounds to the headline 25.
1 Cryptographic Exposure weight 12% 26 / 100
Inventory verifiable from the Sapphire.sol library docs and the Oasis Core ADR set. Not all attestation-layer primitives are documented directly in Oasis Foundation sources; the SGX DCAP ECDSA attestation chain is documented by Intel.
Ed25519 (consensus signing per CometBFT validator key spec) · Secp256k1 ECDSA (Sapphire EVM external txs and precompiles) · Secp256r1 (Sapphire Secp256r1PrehashedSha256 precompile) · Secp384r1 (Secp384r1PrehashedSha384) · Sr25519 (Sapphire precompile) · X25519 ECDH (client-to-runtime key agreement) · Deoxys-II AEAD (envelope encryption for transactions and confidential storage) · SHA-512/256, SHA-512, SHA-384, Keccak-256 · KMAC / cSHAKE / TupleHash (internal random-byte generation) · Curve25519 keypair generation · Intel SGX DCAP ECDSA attestation primitives (inherited from hardware platform)
Quantum impact per primitive:
- Ed25519 → Shor-break-via-DL-without-pairings
- Secp256k1 ECDSA → Shor-break-via-DL-without-pairings
- Secp256r1 ECDSA → Shor-break-via-DL-without-pairings
- Secp384r1 ECDSA → Shor-break-via-DL-without-pairings
- Sr25519 → Shor-break-via-DL-without-pairings
- X25519 ECDH → Shor-break-via-DL-without-pairings
- Curve25519 keypair → Shor-break-via-DL-without-pairings
- SGX DCAP ECDSA attestation → Shor-break-via-DL-without-pairings
- Deoxys-II AEAD → Grover-weaken (security halves; a 256-bit AES-class key still leaves a 128-bit margin)
- SHA-512/256, SHA-512, SHA-384, Keccak-256 → Grover-weaken
- KMAC / cSHAKE / TupleHash → Grover-weaken
0 PQ-safe families (lattice 0, hash-based 0, code-based 0, isogeny 0). All PK primitives are classical elliptic-curve / discrete-log.
No PQC primitive deployed → no NIST category mappable.
ADR-0009 documents Oasis Core's Ed25519 verification semantics; that is a behavioural specification, not machine-checked formal verification. Standard implementations from upstream Curve25519/secp256k1 libraries. Library provenance: oasis-core (Go, in-house), CometBFT v0.37.x (upstream), Intel SGX SDK. No statefulness considerations. Tier 1 (classical ECC, SHA-2/3 family).
2 Quantum Recovery Exposure weight 10% 22 / 100
Sapphire and Emerald accounts use Secp256k1 ECDSA; in the EVM model the signature reveals the public key as soon as a transaction is signed. Cipher and consensus-layer ROSE accounts use Ed25519, a Schnorr derivative whose signatures expose the public key on first spend. ROSE TVL and Sapphire DeFi TVL therefore sit at quantum-vulnerable addresses whose public keys have been revealed.
ROSE consensus-layer accounts use Ed25519 hashed addresses; Sapphire/Emerald addresses are Ethereum-style 20-byte hashes of secp256k1 pubkeys. Cold (never-spent) addresses retain pubkey-hash protection. No documented PQ-rescue policy for any unspent balance class.
All historical consensus and runtime transactions are Ed25519 / Secp256k1 ECDSA signed. Post-Shor, every historical signature is forgeable. Block-by-block hashing chain preserves order/integrity post-Shor but every Ed25519/ECDSA signature is independently forgeable.
RPC TLS, validator gossip (CometBFT P2P), client→runtime calldata channel: all rely on classical X25519/ECDH/TLS handshake primitives. No hybrid PQ KEM deployed at any documented endpoint. Captured ciphertext-on-wire is HNDL-vulnerable.
Sapphire's confidentiality model is TEE-resident state encrypted with Deoxys-II under SGX-derived seal keys, not zk-style notes encrypted under public keys. HNDL surface split: (i) in-flight client→runtime calldata encrypted under X25519 ECDH session keys, every recorded encrypted Sapphire/Cipher transaction is HNDL-decryptable post-CRQC; (ii) at-rest sealed state inside enclave is encrypted under SGX seal keys (AES-class), Shor does NOT break this directly; residual HNDL surface for at-rest state goes through compromise of ECDSA-based DCAP attestation chain.
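The split in (i) above is easiest to see in code. What follows is an added example, not Oasis code: it models the client→runtime envelope as an ephemeral X25519 ECDH against the runtime's published key plus an AEAD over the calldata, archives the envelopes, and then replays the harvest-now-decrypt-later attack. Assumptions not taken from Oasis: AES-256-GCM stands in for Deoxys-II, SHA-256 of the shared secret stands in for the real key derivation, and, since no CRQC exists, the attacker is simply handed the runtime private key at the point where Shor's algorithm would derive it from the archived 32-byte public key. The Envelope, Seal, Open and HNDLDemo names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything an eavesdropper can record; no private material travels.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// aeadFor derives the session key from the X25519 shared secret. SHA-256 and
// AES-256-GCM are assumed stand-ins for the real KDF and Deoxys-II.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: fresh ephemeral X25519 key, ECDH against the runtime's
// published key, AEAD over the calldata. The ephemeral private key is dropped on return.
func Seal(runtimePub *ecdh.PublicKey, calldata []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(runtimePub)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	return Envelope{ephPub, nonce, aead.Seal(nil, nonce, calldata, ephPub)}, nil
}

// Open is the runtime side; it needs only the runtime private key and the recorded ephemeral public key.
func Open(runtimePriv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := runtimePriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// HNDLDemo: clients send envelopes, an observer archives them, and later a CRQC
// attacker derives the runtime private key from its public key and opens the lot.
func HNDLDemo(calldata [][]byte) (int, error) {
	runtimeKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	var archive []Envelope
	for _, cd := range calldata {
		env, err := Seal(runtimeKey.PublicKey(), cd)
		if err != nil {
			return 0, err
		}
		archive = append(archive, env) // harvest now
	}
	// Decrypt later: Shor on the archived runtimeKey.PublicKey() would yield this key; no CRQC exists, so reuse it.
	attackerKey := runtimeKey
	recovered := 0
	for i, env := range archive {
		if pt, err := Open(attackerKey, env); err == nil && bytes.Equal(pt, calldata[i]) {
			recovered++
		}
	}
	return recovered, nil
}

func main() {
	n, err := HNDLDemo([][]byte{[]byte("transfer(0xabc,100)"), []byte("vote(3)")})
	fmt.Println("archived envelopes recovered post-CRQC:", n, "err:", err)
}
```

Two things the run makes concrete: the attacker needs nothing from any client, because every ephemeral public key is in the archive alongside the ciphertext; and destroying the runtime's private key after use (classical forward secrecy) would not change the outcome, because Shor derives that key from the public key rather than stealing it from the runtime.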
3 Metadata, Anonymity & Confidentiality weight 25% 25 / 100
Sapphire conceals transaction inputs, return values and contract state inside the SGX enclave; the transaction graph at the consensus layer (sender, recipient address, amount of ROSE gas paid) remains visible. Cipher provides the same model. Emerald is a non-confidential EVM. Closer to a shielded-payload, pseudonymous-graph model than to a fully shielded chain.
RPC concentration: Oasis Foundation operates first-party RPC endpoints; third-party providers (Chainstack, Ankr, Figment) also active. No public top-3 RPC % share figure. Mempool gossip standard CometBFT P2P. Validator metadata retention not declared.
Sapphire integrated with Celer cBridge (lock-and-mint plus cross-chain messaging) and Wormhole. Bridges are dominant deanonymization surface for users moving value into Sapphire from a transparent chain.
Privacy on Sapphire/Cipher rests on Intel SGX TEE seal keys (AES-class, Grover-weakened but not Shor-broken) plus the ECDSA-based DCAP attestation chain. A CRQC breaks ECDSA, so it can forge DCAP attestations; an attacker can then impersonate a legitimately attested enclave and obtain key-manager-derived decryption keys for historical sealed state. Because the seal keys themselves are not directly Shor-vulnerable, this differs from a zk-privacy chain, where every encryption primitive sits on Shor-broken curves.
No on-chain mixnet, no commit-reveal shuffle, no cMix-class structural mix-network. Sapphire's privacy model is encrypt-state-inside-enclave, not metadata-mixing.
Client→runtime payloads are encrypted with an X25519-Deoxys-II envelope; X25519 is Shor-broken. No hybrid PQ KEM announced, no testnet, no mainnet, no historical re-encryption plan. 0 is the floor for Shor-vulnerable public-key encryption with no migration plan.
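How attestation-chain forgery (sub-score 3d above) turns into key release, as an added example that is neither Intel's nor Oasis's code. It builds a toy DCAP-shaped chain: a pinned root public key, one PCK-style intermediate, an attestation key, and a quote over a claimed MRENCLAVE, with every link an ECDSA P-256 signature as in DCAP. The key manager's policy is an allow-list of measurements, and an HMAC derivation stands in for the real key-manager KDF. Real DCAP quotes, PCK certificate chains and the Oasis key-manager policy are considerably richer; the Cert, IssueCert, SignQuote, VerifyQuote, KeyManagerRelease and ForgeDemo names, the "sapphire-runtime-v1" measurement and the master secret are all constructed for the example, and Shor's algorithm is modelled by handing the attacker the root private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Cert binds a subject name to a P-256 public key under the issuer's signature.
type Cert struct {
	Subject string
	Pub     *ecdsa.PublicKey
	Sig     []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey                  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func sign(k *ecdsa.PrivateKey, d []byte) []byte { return must(ecdsa.SignASN1(rand.Reader, k, d)) }
func pubBytes(pub *ecdsa.PublicKey) []byte      { return must(pub.ECDH()).Bytes() }

func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// IssueCert: the issuer vouches for (subject, pub).
func IssueCert(issuer *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) Cert {
	return Cert{subject, pub, sign(issuer, digest([]byte("cert"), []byte(subject), pubBytes(pub)))}
}

// SignQuote: the attestation key signs the measurement the enclave claims.
func SignQuote(ak *ecdsa.PrivateKey, mrenclave string) []byte {
	return sign(ak, digest([]byte("quote"), []byte(mrenclave)))
}

// VerifyQuote walks root → chain[0] → … → chain[n-1] (the attestation key), then checks the
// quote under that last key. Only rootPub is pinned; every other link is trusted via ECDSA.
func VerifyQuote(rootPub *ecdsa.PublicKey, chain []Cert, mrenclave string, quoteSig []byte) error {
	issuer := rootPub
	for _, c := range chain {
		if !ecdsa.VerifyASN1(issuer, digest([]byte("cert"), []byte(c.Subject), pubBytes(c.Pub)), c.Sig) {
			return errors.New("bad signature on " + c.Subject)
		}
		issuer = c.Pub
	}
	if !ecdsa.VerifyASN1(issuer, digest([]byte("quote"), []byte(mrenclave)), quoteSig) {
		return errors.New("bad quote signature")
	}
	return nil
}

// KeyManagerRelease hands out a state-decryption key only to a quote that verifies and whose
// measurement is allow-listed. The HMAC derivation (assumed stand-in) has no Shor-vulnerable part.
func KeyManagerRelease(master []byte, rootPub *ecdsa.PublicKey, chain []Cert, mrenclave string, quoteSig []byte, allowed map[string]bool) ([]byte, error) {
	if err := VerifyQuote(rootPub, chain, mrenclave, quoteSig); err != nil {
		return nil, err
	}
	if !allowed[mrenclave] {
		return nil, errors.New("measurement not in policy")
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(mrenclave))
	return mac.Sum(nil), nil
}

// ForgeDemo returns (classicalForgeryAccepted, shorForgeryAccepted). The classical attacker
// signs under his own root and is refused; the CRQC attacker recovers the root private key
// from pinned rootPub (modelled by reusing intelRoot) and gets the key for a measurement he never ran.
func ForgeDemo() (bool, bool) {
	intelRoot := newKey() // only its public half is ever published
	rootPub := &intelRoot.PublicKey
	allowed := map[string]bool{"sapphire-runtime-v1": true} // constructed policy
	master := []byte("constructed key-manager master secret")
	fakeRoot, fakeAK := newKey(), newKey()
	fakeChain := []Cert{IssueCert(fakeRoot, "PCK", &fakeAK.PublicKey)}
	_, err := KeyManagerRelease(master, rootPub, fakeChain, "sapphire-runtime-v1", SignQuote(fakeAK, "sapphire-runtime-v1"), allowed)
	classical := err == nil
	shorRoot := intelRoot // stand-in for Shor's algorithm applied to rootPub
	ak := newKey()
	chain := []Cert{IssueCert(shorRoot, "PCK", &ak.PublicKey)}
	_, err = KeyManagerRelease(master, rootPub, chain, "sapphire-runtime-v1", SignQuote(ak, "sapphire-runtime-v1"), allowed)
	return classical, err == nil
}

func main() {
	c, s := ForgeDemo()
	println("classical forgery accepted:", c, "post-Shor forgery accepted:", s)
}
```

The released key is symmetric and untouched by Shor, which is the relaxed reading in the source-disagreement note below; what Shor removes is the only check standing between a commodity machine and that key, which is the strict reading. Nothing in the gate distinguishes an SGX CPU from an attacker's laptop except signatures on a curve a CRQC can forge.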
4 Migration Architecture weight 12% 51 / 100
The ParaTime architecture is in principle a hosting surface for a future PQC runtime. Consensus-layer Ed25519 is fixed by CometBFT v0.37.x and is not algorithm-pluggable without a fork. ADR-0009 acknowledges Ed25519 verification-semantics issues and recommends that future code consider FIPS 186-5 Algorithm 2 or ZIP-215; neither is post-quantum.
Sapphire offers a distinctive encrypted key-management contract model: confidential storage holds long-lived keypairs that are authenticated via WebAuthn, hardware wallets, passkeys or multi-credential registrations. Functionally a ParaTime-native account-abstraction alternative to ERC-4337/EIP-7702. No PQ-safe credential type has been announced.
Mainnet upgrade log shows multiple coordinated upgrades since launch (Nov 2020): Cobalt, Damask, Eden, ParaTime additions (Sapphire mainnet 2022, Cipher, Emerald), Tendermint→CometBFT migration in oasis-core 23.0.x. No publicly visible contested-fork history.
ParaTime architecture could in theory host PQC-runtime alongside Ed25519 consensus, but no such ParaTime announced, in spec, or in testnet. Consensus layer itself has no documented hybrid-signature path.
N/A → full credit. No stateful hash schemes (XMSS, LMS, leanXMSS) anywhere in active stack.
N/A, Oasis consensus uses CometBFT (Tendermint-derivative) Ed25519 individual validator signing, NOT BLS aggregation. v3.1.0 explicitly lists CometBFT/Tendermint Ed25519 chains as N/A for 4f.
5 Deployment Execution weight 18% 15 / 100
Mainnet PQC signing traffic: 0%. No PQC primitive deployed at any consensus or runtime signing surface.
oasis-core CHANGELOG (master branch through 2026-05) shows no merged PR adding ML-DSA, SLH-DSA, Falcon, ML-KEM, or any other NIST PQC primitive. CometBFT upstream at v0.37.x has no PQC consensus signing.
0% of consensus validators have PQC keys actively used. Consensus key spec is Ed25519 per CometBFT validator-key format.
VOIDED to 0 by v3.1.0 rule because 5a = 0. 2025 Oasis Roadmap (Jan 2025) does not mention PQC, ML-DSA, ML-KEM, lattice, hybrid signatures, or quantum. Roadmap focus areas are Sapphire, ROFL adoption, TDX support, decentralized-AI deployments.
Announced PQC items (trailing 12mo): 0. Shipped PQC: 0. No claim, no shipped delta. Full credit because no inflated narrative exists.
No PQ signature in mainnet → no observed bytes-per-block multiplier → undisclosed → 0.
6 Supply Chain Vendor Readiness weight 18% 14 / 100
Top-3: Oasis ROSE Wallet (first-party); MetaMask (Sapphire EVM via custom RPC); Keplr (consensus-layer ROSE). 0 top-3 vendors with PQC roadmap → minimum-floor 4 for foundation-operated infrastructure presence.
Top-3: Celer cBridge (primary asset bridge); Wormhole; first-party Oasis Bridge. 0 top-3 with PQC roadmap.
ROSE is supported on the Coinbase exchange. Oasis-specific institutional custody partnerships are not enumerated. None of the custodians in scope has published an MPC-PQ roadmap.
RPC: Oasis Foundation endpoints + Chainstack + Ankr/Figment. HSM: standard validator HSM tooling, no Oasis-specific PQC HSM integration. TEE: Intel SGX (production runtime); Intel TDX (planned per ROFL roadmap). Intel SGX/TDX attestation chain is ECDSA-based; no PQ-attestation roadmap published by Intel.
7 Governance & Coordination weight 5% 40 / 100
~120 active validators on consensus committee. Per third-party analyst summaries, top-7 validators control ~33% of stake (Nakamoto coefficient ≈ 7). Mid-pack decentralization. Single-client risk: Oasis Core only consensus client.
Mainnet upgrade log: Cobalt, Damask, Eden, multiple ParaTime additions, Tendermint→CometBFT migration. Coordinated upgrades on cadence; no documented under-attacker upgrade history.
Oasis Protocol Foundation is named coordination lead, with public engineering updates (monthly cadence) and roadmap publications. No PQC-specific working group or named PQ-migration lead announced.
The 2025 TEE Break Challenge (a 1 BTC bounty held in a Sapphire smart contract for anyone who could extract an in-enclave key, Oct 2025 to end-2025) is a precedent for security-incentive coordination, but not a PQC-coordination precedent.
No published canary/honeypot/rate-limit/cryptographic-tripwire mechanism for quantum-attacker detection. TEE Break Challenge is one-off bounty, not embedded consensus-level tripwire.
X + Y vs Z, when does the math turn against you?
v3.1 demotes the X+Y vs Z timing test to a secondary signal, the headline output is Migration Stage. The timing test still answers the question: can this chain finish migrating before the threat lands?
Verdict
X+Y > 2035 across reasonable bounds, Outside risk window (vs Z25 2035); Crisis Zone (vs Z10 2030)
Z-compliance
Outside compliance window, NIST IR 8547 deprecation 2030 / disallowance 2035
Source-disagreement disclosure
v3.1 requires every chain card to publish material divergences among authoritative sources, plus the delta-QRI under alternative weighting.
Where the Confidentiality sub-score lands depends on how SGX seal-key non-quantum-hardness is credited. A strict reading (TEE confidentiality is conditional on attestation chain, attestation chain is ECDSA, ECDSA is Shor-broken, therefore retroactive deanon is fully realizable) pushes 3d to 0-2/20 and 2e to 0-2/30. A relaxed reading (sealed state at-rest AES is not directly Shor-vulnerable) supports 3d at 6/20 and 2e at 3/30 as scored.
Coinlaw.io references advancements toward post-quantum cryptography that do not match any published Oasis Foundation document. We treat primary sources as authoritative.
Delta-QRI under alternative weighting
Strict-TEE-as-Shor-broken weighting: -3 → strict-weighting QRI ≈ 22, still Band 3 (borderline Band 2). Conclusion robust to interpretation.
Announcement-to-shipped ratio
Announced: 0. Shipped: 0. Ratio: 0.
Tag: none, no inflated narrative present. Third-party analyst summary at coinlaw.io references advancements toward post-quantum cryptography but is extrapolation, not Foundation claim.
Peers in the privacy-focused chain profile
9 chains closest to Oasis Network by Stage then QRI.