Starknet publicly names every active primitive.

Proof layer is structurally PQ-safe (FRI-based STARK, hash bound). User-signature layer and Pedersen-based commitments are Shor-vulnerable.

Hash-based count = 1 deployed. No lattice / code / isogeny family at signature layer in mainnet production. S2morrow (lattice-Falcon) demo and BTQ Falcon-on-Starknet verification exist but neither is the default account scheme. Diversity Cap (lowered to 60 in v3.1) does not fire here because there is no second family deployed at 5b/5c, credit for hash-based proof layer caps at 10 (hash-only).

STARK-curve ECDSA ≈ 125-bit classical / 0-bit PQ for signatures; Pedersen ≈ ~125-bit classical (DL-bound on STARK curve); Poseidon ≈ 128-bit classical hash, research-tier; S-two FRI ≈ 128-bit hash-bound conjectured PQ. No NIST-standardized PQ primitive is mainnet-active in user-signature path. Proof layer aligns with hash-based PQ assumptions but is not a NIST-certified primitive.

Cairo verification toolchain exists (Lean-based and Cairo-native auditing tools, third-party audits of Stone and S-two referenced); constant_time: standard for Stark-curve ECDSA implementations; library_provenance: scure-starknet (paulmillr, audited); statefulness: stateless schemes throughout; cryptanalytic_tier: tier-1 ECDSA, tier-2 Keccak/Blake2, tier-4 Poseidon (research-grade ZK hash), Pedersen tier-1 by hardness (DL) but binding broken by Shor.

Every account is a contract; signing key is held by the account-contract owner. Native AA permits per-account key rotation, social recovery, and signer-scheme upgrade, so active-key Forge exposure is structurally lower than EOA chains. But the default scheme is STARK-curve ECDSA, public key recoverable from any signed transaction. ~$573M TVL (Apr 2026, includes ~$214M BTC) sits at addresses whose owners' signing pubkeys are revealed on first spend.

Chain age ~3.5 years (testnet 2021, mainnet alpha 2021-11; STRK token 2024-02). Smaller dormant-coin surface than L1s. AA gives dormant accounts a re-key path ONCE owners act, but unmoved accounts whose keys are now lost remain Shor-vulnerable.

Historical STARK-curve ECDSA signatures are post-Shor forgeable. Inclusion-validity is, however, settled by FRI-based STARK proofs (PQ-safe), so historical state-transition integrity is independent of Shor-breaking the signature curve. Re-org via signature forgery is moot once a block is L1-final (Ethereum settlement).

RPC and validator/sequencer transports use standard TLS 1.3 (X25519, ECDHE-secp256r1, RSA cert chains). No hybrid PQ KEM in deployed RPC stack. StarkGate L1↔L2 messaging is plaintext on-chain; bridge does not introduce PQ-relevant encryption surface. Sequencer gossip is centralized today (Starkware-operated).

Pseudonymous, transparent ledger; full tx graph visible via L2 explorers (Voyager, Starkscan) and by inspection of L1 blob/calldata.

Top-3 RPC providers (Alchemy, Infura, Blast API) concentrate >70% of inbound traffic. Mempool gossip observability, sequencer mempool visible to Starkware-operated nodes. Validator metadata retention policy not publicly declared.

StarkGate canonical bridge correlates L1↔L2 addresses by message-passing contract. Third-party bridges (Orbiter, LayerSwap) compound source-dest correlation across chains.

No mainnet shielded pool. Retroactive de-anon under Shor is limited to: (i) recovery of STARK-curve / secp256k1 private keys from public keys, allowing historical address-to-owner attribution if any off-chain identity link existed; (ii) Pedersen commitment binding broken (relevant for application-layer commitments, not transaction privacy). Tx graph itself is already public.

No structural mix layer. No on-chain commit-reveal scheme as a default. Privacy efforts on Starknet are application-layer prototypes; no mainnet privacy-default.

Native AA from genesis means signature-scheme migration is per-account contract logic, not protocol fork. New signature verifier (e.g., Falcon-512, ML-DSA) ships as a library/contract; account contracts opt in. S2morrow (Falcon-512) demonstrates this end-to-end without protocol change. Protocol-level hash agility (Pedersen→Poseidon) is more constrained because Pedersen commitments are baked into state-trie binding.

Strongest AA in the evaluated set. Every account is a smart contract since day one; per-account signature scheme, per-account rotation, multisig, social recovery deployed on mainnet by Argent X and Braavos for years. S2morrow demonstrates Falcon-512 PQ-signed account-contract working in browser across Devnet/Sepolia/Mainnet target environments. No client-layer PQC integrated path declared at sequencer/prover level.

Multiple coordinated upgrades: Cairo v1 migration (Regenesis, 2023-2024), v0.13 series, v0.14.0 Grinta (2025-09-01) introducing distributed sequencer and consensus, S-two prover swap (2025-11-03). No contested forks.

Architecturally trivial via AA, an account contract can require AND-composed STARK-curve + Falcon signatures, or OR-composed with commit-to-hash. No mainnet hybrid signature scheme is the default account class today. Foundation roadmap mentions 'quantum-resistant cryptography' in Phase 4 without dates or composition spec.

No stateful-hash scheme (XMSS/LMS) in scope. Stateless schemes (Stark-curve ECDSA, Falcon, Poseidon) throughout.

Starknet's v0.14.0 introduced a 3f+1 distributed-sequencer consensus (CometBFT-derived). Validator signatures in this consensus path are documented as ECDSA / Ed25519 family (not BLS aggregation). No PQ aggregation path spec'd. Spec exists for the consensus layer; PQ migration of consensus signatures is not declared.

Mainnet PQC %: estimated <1% of user signatures; ~100% of proof-layer artifacts are FRI-based (PQ-safe by family). v3.1.0 5a is defined on user-signature traffic; Starknet's structural FRI proof-layer is PQ-safe but is not a 'signature.' Conservative score reflects no mainnet PQ signature default.

S-two (Circle STARK, FRI-based, PQ-safe-by-family) is the production prover since 2025-11-03, that is shipped PQ-safe code in the proof path. No ML-DSA / Falcon / SLH-DSA verifier in any default account class. S2morrow Cairo verifier is publicly available (97.8% Cairo) but is research code by labelling.

Sequencer is operated by Starkware (3 sequencers in rotation as of v0.14.0, all Starkware-run). Decentralized sequencer-validator set targeted for 2026 (Staking v3/v4). No PQ keys in current sequencer signing path.

VOIDED to 0 per v3.1 (5a effectively zero in user-signature path). Count of enforcement-mechanism-backed milestones with PQ dates: 0 (roadmap mentions 'quantum-resistant cryptography' in Phase 4 with no dates).

Announced PQ-related claims trailing 12mo: ~10-15 (S-two-is-PQ-safe blog posts, 'Starknet has the answer,' BTCFi quantum framing, S2morrow demo coverage). Shipped PQ on user-signature path: 0. Shipped PQ on proof path: 1 (S-two production). Estimated ratio ≈1.5×; below the >1.5 deduction threshold borderline.

VOIDED (undisclosed at production-signature level, no PQ scheme is the default; S2morrow Falcon-512 measured at 9.5M L2 gas, 62 felts calldata, 65% savings vs secp256r1 in the demo, but this is not the production signing footprint).

Argent X (Ready), Braavos, Ledger (via wallet integrations). PQC roadmap published by named top-3 vendor: 0. Braavos and Argent describe themselves as 'smart contract wallets' with future-proof signature swap; neither has shipped a PQ default or published a dated PQ roadmap.

StarkGate (canonical), Orbiter, LayerSwap. PQC roadmap: 0.

Coinbase Custody, BitGo, Anchorage. None has published Starknet-asset-specific PQ roadmap.

Alchemy, Infura, Blast API top-3 RPC. None ships PQC-enabled RPC TLS. HSM/TEE provenance for sequencer keys not publicly disclosed.

Sequencer set = 3 nodes, all Starkware-operated. Nakamoto coefficient at sequencer layer = 1. STRK-staking validator set exists for attestation but does not yet sign blocks at consensus quorum (Staking v3 targeted Q1 2026).

Cairo v1 migration, Regenesis, v0.14.0 Grinta, S-two swap all coordinated without contested fork. Demonstrated upgrade capacity is high.

Starknet Foundation (executive director public, board public); Starkware (Eli Ben-Sasson founder). No named PQ-migration working group with published mandate. Roadmap names Phase 4 quantum but no lead.

STRK launch 2024 had governance turbulence (airdrop disputes); no demonstrated coordinated cryptographic change under live attacker pressure.

No canary, honeypot, or rate-limit tripwire embedded in consensus declared.