Polkadot publicly enumerates every primitive in active use across the relay chain via the wiki and W3F research site. Six session-key roles each have a named scheme. Bridge stack (BEEFY) curve is documented.

Every signature primitive in production today is Shor-break. No PQ-safe primitive is deployed on mainnet.

Families currently deployed: 0 PQ families, chain is fully classical. Families in published roadmap: 1 (lattice, both ML-DSA/Dilithium and Falcon are lattice). Hash-based use is restricted to FRI-SNARK substitution for Sassafras, not the signature path itself. Per v3.1.0 Diversity Cap rules, lattice-only commits a structural cap on QRI.

Mappings (planned, not deployed): ML-DSA-44 = NIST cat 2; ML-DSA-65 = cat 3; ML-DSA-87 = cat 5, W3F roadmap does NOT specify which Dilithium parameter set will be used. Falcon-512 = cat 1; Falcon-1024 = cat 5, W3F roadmap does not specify variant. Earlier 2023 forum discussion (burdges) mentions Falcon-512 explicitly. For deployed primitives (Sr25519/Ed25519/ECDSA/BLS12-381) NIST PQ category is not applicable, these are pre-quantum.

Schnorrkel (W3F implementation of sr25519) audited; no machine-checked proof of the Polkadot crypto stack published. constant_time: yes for ed25519-dalek and Schnorrkel implementations. library_provenance: schnorrkel (w3f), ed25519-dalek (dalek-cryptography), arkworks (BLS12-381), pq-crystals/dilithium referenced in the Quantum Guard grant. statefulness: not applicable to deployed schemes; planned ML-DSA and Falcon are stateless. Cryptanalytic tier: deployed primitives are tier 1 (classical ECC) + tier 2 (BLAKE2b). No PQ primitive deployed. For PQ side, no liboqs / Formosa-Crypto / OQS provenance committed in W3F roadmap.

Polkadot accounts use the SS58 address format which encodes the raw public key (multi-scheme). Once any account signs a transaction, the public key is on-chain in plaintext. Validator session keys (sr25519/ed25519/ecdsa) are permanent on-chain registration. Effectively 100% of active accounts have exposed Shor-break public keys.

SS58 encodes the raw public key in the address itself. Unlike Bitcoin P2PKH, there is no hash-based address scheme that hides the public key prior to first spend. Cold (never-moved) DOT therefore has the same exposure as active DOT.

Validator session keys rotate (session-key rotation is a native protocol feature). Account keys do not rotate by default; proxies are available but not widely used for key rotation. Historical signatures attached to past blocks are forgeable post-Shor (the attacker can rewrite history attestations off-chain), though chain finality is anchored in GRANDPA finalization, not signature replay.

libp2p validator-to-validator gossip uses Noise (X25519 ECDH). RPC endpoints use TLS with classical key exchange. No PQ KEM (e.g., ML-KEM hybrid) is announced for transport. The W3F PQ roadmap names ML-KEM (CRYSTALS-Kyber) only as a reference; transport-layer PQ is not on the published RFC track.

Polkadot is pseudonymous. Relay-chain transfers and parachain XCM messages are public. Some parachains (Phala) provide TEE-based privacy; the relay chain itself does not.

Multiple production RPC providers (OnFinality, Dwellir, Ankr, Subscan-hosted endpoints) plus self-hosted nodes; not the same level of duopoly as Ethereum's Infura/Alchemy. Validator metadata retention policy is not formally declared at protocol level. Mempool gossip is observable to any node.

XCM is the native cross-parachain protocol with built-in bookkeeping. Snowbridge (BEEFY-anchored bridge to Ethereum) introduces additional cross-chain trace. Source-to-destination correlation is straightforward for a passive observer.

All on-chain signatures use Shor-break primitives. Post-Shor, every historical sender public key is recoverable; existing pseudonymity becomes linkable to deterministic key-graph analysis. No on-chain ElGamal or DL ring signatures in the relay chain.

VOID, Gate 2 below 3 artifacts. No on-chain mixnet or shuffle is in production on Polkadot relay chain. Historical W3F research mentions Polkadot Mixnet (validator-operated mixnet) but its deployment status is uncertain at evidence cutoff.

Substrate's WASM forkless runtime upgrade mechanism allows new signature schemes to be added via runtime upgrade without a hard fork. Crypto pallets are pluggable; the Quantum Guard MVP grant (application PR #2113 merged 2023-12-04) explicitly leveraged this pattern (Substrate crypto pallet customization for Dilithium). Multi-scheme account encoding (SS58 with version byte) is already a native multi-algorithm address format.

Proxy accounts and multisig are native (no contract layer required). Session-key rotation is native for validators. No EIP-7702-style account delegation; AA is structurally different from Ethereum's model. Client-layer PQ migration path is documented in the W3F roadmap but not deployed.

Hundreds of forkless runtime upgrades since launch. OpenGov (formerly Council + Democracy) coordinates upgrades on-chain. March 2026 runtime upgrade enforced new validator self-stake / commission rules. No contested forks recorded.

SS58 multi-scheme address format and pluggable crypto pallet make hybrid signatures architecturally feasible (e.g., a transaction carrying both Sr25519 and Dilithium signatures). The W3F roadmap describes 'hybrid ECC + post-quantum' only for transport-layer KEMs, not for the signature path. No explicit AND/OR composition specification published.

The W3F roadmap names ML-DSA (Dilithium) and Falcon, both stateless lattice schemes. SLH-DSA / XMSS / LMS state management is not in scope for Polkadot's signature path. Default full credit per v3.1.0 rule.

GRANDPA finality currently uses Ed25519 (no aggregation). BLS for GRANDPA is documented as planned in W3F materials but not deployed. BEEFY (light-client/bridge layer) does use BLS12-381 with aggregation. The W3F PQ roadmap states 'validators will sign BEEFY finality messages using each post-quantum secure scheme supported by networks of interest', naming the aggregation problem but not specifying the path. Spec-only level credit.

0% mainnet PQC traffic. No PQ signature, KEM, or VRF is live on Polkadot mainnet at evidence cutoff.

Zero PQ code in the polkadot-sdk consensus path. The W3F roadmap states 'we are preparing RFCs that will be soon posted'. No merged PQ pallet for consensus signatures. Quantum Guard MVP grant (application PR #2113 merged 2023-12-04 in w3f/Grants-Program) was external/parachain-scoped, Substrate crypto pallet customization with Dilithium drop-in, not relay-chain. Delivery / completion outcome of the funded grant requires direct verification against the Web3 Foundation grants dashboard.

0% of validators sign with PQ keys.

VOIDED per v3.1.0, 5a = 0. W3F roadmap (June 5, 2025) names primitives but provides no specific deployment dates; states only 'RFCs will be soon posted' and proposes Kusama-first.

Announced count (trailing 12mo): ~3 substantive (W3F roadmap Jun 2025; PQ signatures forum thread; JAM testnet Jan 2026 supports broader execution environments but is not specifically PQ). Shipped count: 0 (mainnet); 0 (testnet PQ signature in production). Foundation announcements are technical and specific (algorithms named, problem decomposed), not marketing. No 'quantum-resistant Polkadot' press blitz.

Falcon-512 signatures = 666 bytes vs Ed25519 64 bytes = ~10× raw multiplier; ML-DSA-44 ~38× raw. W3F roadmap acknowledges Falcon's smaller size as the reason it's chosen for accounts. Per v3.1.0 scoring: 10× → 5 pts (5-10× tier midpoint).

Top-3: Polkadot.js extension, Talisman, SubWallet. PQ-roadmap count: 0. None has a published PQC roadmap. Quantum Guard MVP grant included a custom browser extension prototype but the project was terminated.

Top-3: XCM (native), Snowbridge (BEEFY → Ethereum), Hyperbridge. PQ-roadmap count: 0. Snowbridge documents BEEFY anchoring on BLS12-381 (Shor-break-via-pairings); no PQ alternative published.

Top-3: Coinbase Custody, BitGo, Anchorage (DOT-supporting). None has published a Polkadot-specific PQ migration plan. Industry-level MPC-PQ statements exist but not for DOT.

Top-3 RPC: OnFinality, Dwellir, Ankr. PQ roadmap count: 0. HSM support for sr25519 is limited (Ledger Polkadot app supports sr25519 + ed25519); no PQ-firmware support announced. No TEE attestation chain claims PQ-readiness for DOT operations.

Polkadot's Nakamoto coefficient was reported at ~149 in early 2025 (foundation/co-founder statement). Active validator set is on the order of several hundred (target maturity ~1000; March 2026 runtime upgrade enforced 10,000 DOT minimum self-stake). Highly decentralized vs L1 peer set. Multiple consensus client implementations (Polkadot-SDK / Parity, Gossamer / ChainSafe planned).

Forkless runtime upgrades on a regular cadence. OpenGov on-chain referenda. 2023 parachain validation function vulnerability was patched via coordinated runtime upgrade. March 2026 economic-parameter upgrade landed on schedule.

Web3 Foundation publishes the PQ roadmap; Parity Technologies is the primary client maintainer; the JAM working group has named contributors. The June 2025 PQ roadmap is signed '[email protected]', institutional rather than named-individual. No public-facing PQ working-group with a published mandate has been chartered.

2023 parachain validity bug patched via emergency coordinated runtime upgrade, credible precedent of governance executing under pressure. No precedent of cryptographic-scheme switch under active attacker.

Kusama functions as Polkadot's canary network for protocol upgrades, a meaningful structural canary, but not a cryptographic tripwire embedded in consensus. No rate-limited spending rule (Hourglass-style) or honeypot-canary. The W3F roadmap proposes 'post-quantum changes first to Kusama', a network-level canary policy, not a cryptographic one.