Explicit per-curve documentation; tz5/ML-DSA-44 named in the Ushuaia announcement and the Nomadic Labs forum heads-up.

4 of 5 deployed signature families are Shor-broken; BLS12-381 (tz4) is now consensus-relevant after Seoul/Tallinn aggregation work.

Families: lattice (1: ML-DSA via Ushuaia), classical-EC (4 deployed). Only declared PQ family is lattice. No hash-based, code-based, or isogeny path on the protocol roadmap or in the Ushuaia announcement. Lattice-monoculture Cryptographic-Diversity Cap fires (QRI ≤ 60 per v3.1).

ML-DSA-44: NIST cat 2; ECDSA secp256k1/Ed25519/P-256: 128-bit classical; BLS12-381: 128-bit classical for the discrete-log security level. ML-DSA-44 chosen at the lower NIST category (cat 2) rather than ML-DSA-65 (cat 3) or ML-DSA-87 (cat 5).

formal_verif: HACL* + EverCrypt for classical primitives in Octez (functional correctness, memory safety, secret independence i.e. constant-time); ML-DSA-44 implementation per the heads-up uses libcrux-ml-dsa (Cryspen, Rust, hax-toolchain verified components mixed with unverified components). constant_time: claimed for HACL*-backed primitives; secp256k1 imported directly from Bitcoin reference. cryptanalytic_tier: tier 1 (Ed25519/ECDSA classical), tier 3 (ML-DSA, NIST-standardized). Caveat: an independent 2026 audit (eprint.iacr.org/2026/192) of the libcrux ecosystem found 13 vulnerabilities including specification-level issues in ML-DSA proofs. Documented externally, not a Tezos-side claim.

Tezos uses the 'reveal' operation: pubkey is broadcast on first outgoing tx, after which it is permanently public. Vast majority of active addresses have revealed pubkeys. ML-DSA tz5 is feature-flagged off on mainnet, no active funds protected by PQ today.

Pre-reveal cold accounts (never-spent) keep pubkeys hidden behind the tz1/2/3 hash. Once Shor is feasible, an attacker would need to either find unrevealed-but-public pubkeys or wait for a spend that reveals. Lower exposure than Bitcoin P2PK / Ethereum (where pubkeys are always visible after first send). 2017 ICO-era dormant holders with revealed keys remain at risk.

Every historical signature on Tezos mainnet is under one of Ed25519/ECDSA-secp256k1/ECDSA-P-256/BLS12-381, all Shor-broken. No retroactive re-signing or commit-to-hash mechanism declared in Ushuaia.

Validator gossip and RPC use standard TLS (X25519/ECDH classical); no documented hybrid KEM (Kyber/ML-KEM) deployment in Octez transport. Ushuaia addresses signatures only.

Transparent ledger by default. A Sapling-on-Tezos integration was added at the protocol layer in earlier amendments, but adoption is limited; the dominant mode is fully transparent.

Multiple RPC providers (Nomadic Labs public RPC, TzKT, TzStats, Marigold, Blockdaemon). No documented validator-metadata retention policy. Mempool gossip is observable.

Etherlink (enshrined optimistic rollup) provides Tezos↔EVM bridging at protocol level; secondary bridges (Wrap, Allbridge) connect to other chains. Linkability across these bridges is straightforward for a passive observer.

Sapling's encryption uses Jubjub (a Curve25519-derivative edwards curve); Shor-feasible attackers could de-anonymize historical Sapling notes. Limited practical impact because Sapling adoption is small.

No on-chain or protocol-layer mixnet.

Self-amending governance has activated 20 protocol amendments autonomously since Athens 2019 (Athens through Tallinn). Ushuaia (proposal in voting phase as of April 2026, would be the 21st) introduces a new signature scheme (ML-DSA-44) and a new account prefix (tz5) without a hard fork, exactly the production instance the rubric requires. Tallinn (Jan 2026, amendment 20) similarly added a new BLS-aggregation feature.

No native AA (no ERC-4337 equivalent). Multi-curve account selection (tz1/2/3/4/5) gives per-account scheme choice at creation. The Ushuaia announcement explicitly flags that 'stateful addresses which allow for key rotation while preserving an account's address and history' are deferred to a later amendment, i.e., key-rotation is not yet shipped. Seoul (Sep 2025) introduced protocol-native multisig; this is account-flexibility but not full AA.

20 amendments autonomously activated (Athens through Tallinn), zero contested hard forks. Two proposals rejected during voting (Brest A, Carthage), orderly governance, not contested forks.

Ushuaia ships pure ML-DSA-44 in a parallel account type (tz5), not a hybrid composition with Ed25519 or another scheme. The forum heads-up explicitly states: 'No deprecation of existing elliptic curve signatures at this stage.' Architecturally Tezos can run any composition (multi-curve already in production), but no hybrid-composition spec has been declared.

ML-DSA-44 is stateless; full credit by default. Tezos does not use stateful hash schemes (XMSS/LMS) anywhere.

Tenderbake is BFT-style with deterministic finality. After Seoul (Sep 2025) and Tallinn (Jan 2026), consensus attestations are aggregated under BLS12-381 (tz4), a Shor-vulnerable scheme. The Ushuaia post-quantum proposal explicitly excludes baking ('baking support will follow later'), so the current PQ deployment path leaves consensus aggregation classical. No published spec for a PQ aggregation path.

Mainnet PQC traffic: 0%. tz5 / ML-DSA-44 is feature-flagged off on mainnet per Ushuaia. Activation is testnet-only.

Ushuaia proposal merges ML-DSA-44 support into Octez (the dominant client) via libcrux-ml-dsa. Code is in production, gated by feature flag. Substantive code presence but not active.

ML-DSA-44 explicitly does not support baking in Ushuaia. Zero validator PQ key adoption.

VOIDED to 0 per v3.1 rule (5a = 0). Ushuaia announcement names ML-DSA-44 / tz5 / future stateful-addresses / future baking, credible roadmap without a dated public sunset.

Announcements limited to two primary artifacts (Ushuaia announcement + agora forum heads-up); shipped status (testnet feature flag on mainnet) consistent with the announcement. Ratio close to 1:1. No press inflation.

ML-DSA-44 reference signature size ~2420 bytes vs Ed25519 64 bytes, i.e. ~38× raw. Ushuaia does not publish per-block bandwidth budget under post-tz5-adoption assumptions. Falls in the 10-38× band (5pts).

Top-3: Temple, Kukai, Ledger Live (Tezos app). PQC roadmap count: 0 published. Note: current Ledger HW signers cannot process tz4/BLS at consensus speed; tz5/ML-DSA support across wallets is not announced.

Top-3: Etherlink (enshrined L2), Wrap, Allbridge. PQC roadmap count: 0.

Top-3 commonly named for Tezos staking: Coinbase Custody, Kiln, Ledger Enterprise. PQC roadmap count: 0 published for Tezos asset support specifically.

Top-3 RPC: Nomadic Labs public RPC, TzKT, Blockdaemon. HSM: Tezos uses cloud-HSM-friendly P-256 (tz3) by design; Signatory (ecadlabs) supports YubiHSM, AWS CloudHSM, AWS Nitro Enclaves, Confidential Space, none with PQC roadmap published.

300+ active bakers; staking is proof-of-stake with delegation. Some concentration at top stakers (Coinbase Cloud historically prominent), but distribution is reasonable for an L1. Octez is the dominant client; tezedge is a secondary Rust implementation, providing partial client diversity.

20 activated amendments since Athens 2019, with Quebec/Rio/Seoul/Tallinn all activating on schedule in 2025–2026. Cadence has been consistent across the chain's history.

Nomadic Labs publishes Ushuaia and the post-quantum heads-up under its R&D channel; Trilitech, Marigold, Functori, ecadlabs (Signatory) are named contributors; Tezos Foundation provides funding. PQ-specific WG not formally named, but Nomadic Labs R&D is the de-facto coordinator.

Founder governance dispute resolved 2018 via Tezos Foundation; subsequent governance has been on-chain and orderly. No adversarial coordinated cryptographic change under attack.

No canary, no rate-limited spending rule, no embedded cryptographic tripwire declared.