Circle Internet Financial

Jan 06, 2026
Preparing Blockchains for Q-Day

What you’ll learn

We explain how blockchains are preparing for the shift to quantum computing. Read our research to see which blockchain layers are vulnerable and more.

Some experts estimate that quantum computers may be powerful enough to threaten blockchain security by 2030. Any cryptographic protocol that relies on elliptic curves or RSA is vulnerable to Shor’s algorithm. Hash functions (SHA256, SHA3) and symmetric encryption (AES) are expected to remain secure. US and EU regulators require critical infrastructure and national security systems to switch to post-quantum algorithms by 2030. Blockchain designers and Web3 developers must upgrade every layer of their technology stack.

Secure Connections

TLS 1.3 already supports post-quantum algorithms, and major providers like Google and AWS are quietly migrating their services. The hybrid classic/post-quantum algorithm X25519MLKEM768 appears to be the industry winner (the ML-KEM portion of the protocol is approved by NIST). Developers can secure their connections by upgrading their TLS certificates and storing larger 1,216-byte public keys.

Consensus

Proof-of-Stake blockchains will need to upgrade how validators sign proposals and votes during consensus. The Ethereum Foundation roadmap plans to use XMSS multi-signatures with the Poseidon2 hash function; there is now a reference implementation in Rust. Blockchains that rely on multi-party computation or zero-knowledge proofs will need to switch to post-quantum alternatives.

Note: It is unlikely blockchains will choose XMSS for transaction signatures because XMSS requires signers to maintain state. While validator nodes can maintain state and use complex algorithms to achieve shorter signatures, this is not true for externally owned accounts, especially those held in Hardware Security Modules (HSMs) and cold storage.
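To make the statefulness point concrete, here is an added example (not Circle's code and not the Ethereum Foundation's reference implementation): a toy XMSS-like scheme in Python with Lamport one-time keys under a 4-leaf Merkle tree. The signer's only secret state beyond the seed is the next unused leaf index; restoring a cold-storage backup taken before a signature replays that index, which `leaf_reused` detects. Seeds and messages are constructed placeholders, and the 256-pair Lamport keys make the signatures far larger than real XMSS/WOTS+.

```python
import hashlib
from copy import deepcopy

H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()

def msg_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def ots_keygen(seed: bytes, leaf: int):  # Lamport one-time key for one leaf, derived from the seed
    sk = [[H(seed, bytes([leaf, v]), i.to_bytes(2, "big")) for v in (0, 1)] for i in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

ots_pk_hash = lambda pk: H(*[h for pair in pk for h in pair])

class StatefulSigner:  # toy XMSS-like signer: 4 one-time keys under one root; `next` is the state
    LEAVES = 4
    def __init__(self, seed: bytes):
        self.seed, self.next = seed, 0
        leaves = [ots_pk_hash(ots_keygen(seed, i)[1]) for i in range(self.LEAVES)]
        self.tree = [leaves, [H(leaves[0], leaves[1]), H(leaves[2], leaves[3])]]
        self.root = H(*self.tree[1])

    def sign(self, msg: bytes):
        if self.next >= self.LEAVES:
            raise RuntimeError("all one-time keys consumed")
        i, self.next = self.next, self.next + 1  # advance state before releasing the signature
        sk, pk = ots_keygen(self.seed, i)
        sig = [sk[k][b] for k, b in enumerate(msg_bits(msg))]
        auth = [self.tree[0][i ^ 1], self.tree[1][(i >> 1) ^ 1]]  # Merkle authentication path
        return i, sig, pk, auth

def verify(root: bytes, msg: bytes, signature) -> bool:
    i, sig, pk, auth = signature
    if not all(H(sig[k]) == pk[k][b] for k, b in enumerate(msg_bits(msg))):
        return False
    node = ots_pk_hash(pk)
    node = H(node, auth[0]) if i & 1 == 0 else H(auth[0], node)
    node = H(node, auth[1]) if (i >> 1) & 1 == 0 else H(auth[1], node)
    return node == root

def leaf_reused(signatures) -> bool:  # defender's check: a shared leaf index means state was lost
    idx = [s[0] for s in signatures]
    return len(idx) != len(set(idx))

def lost_state_demo():
    signer = StatefulSigner(b"constructed demo seed, not a real key")
    backup = deepcopy(signer)  # constructed scenario: cold-storage snapshot taken before signing
    s1, s2 = signer.sign(b"transfer 1"), backup.sign(b"transfer 2")  # restored copy reuses leaf 0
    return signer.root, s1, s2
```

Both signatures returned by `lost_state_demo` verify against the same root, which is exactly the problem: a verifier cannot tell that the one-time key was spent twice unless someone tracks indices across signatures.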

Transaction Signatures

Blockchains will need to migrate from short transaction signatures like 65-byte ECDSA (Bitcoin, Ethereum) or 64-byte Ed25519 (Solana, Stellar) to larger post-quantum signatures. There is no industry consensus yet, and there are many post-quantum options. Developers who want HSM support right away may consider the 2,420-byte NIST ML-DSA. Ethereum is looking at 666-byte Falcon, while Aptos recently proposed 7,856-byte SLH-DSA-SHA2-128s for transaction signatures. Cryptographers are experimenting with optimizations like using NIST ML-DSA with the BLAKE3 hash function. Blockchain designers will need to take into account HSM wallets and multi-signatures.

HSM Wallets

Post-quantum HSMs are beginning to appear on the market. Cloud providers like AWS and Google have created post-quantum software KMS services, and cloud HSMs will eventually follow. Blockchain-specific HSMs won’t appear until there is sufficient demand. Blockchain designers should publish their specs soon and consider the trade-off between choosing a less optimal algorithm and leaving crypto-holders without an HSM option on Q-Day.

MPC Wallets, Threshold Signatures, and Multi-Signature

Most institutional-grade crypto-holders prefer to secure their keys using threshold signatures and general MPC protocols. All of these currently rely on elliptic curves and will need to be replaced. Transaction signature algorithms should be chosen with threshold signatures in mind. XMSS is technically a multi-signature but would require significant on-chain support for flexible policies.

Smart Contracts

Smart contract wallets may provide a mechanism for token holders to choose their own post-quantum signature by programming verification into custom smart contracts. They face the same trust issues as on-chain multi-signature smart contracts.

Address Migration

Crypto-holders will need to migrate to post-quantum addresses. Active addresses that have previously signed transactions must migrate before Q-Day because their public key has been exposed. Passive Ed25519 addresses can be recovered after Q-Day by proving knowledge of the seed used to generate the public key. ECDSA addresses derived from BIP-32 or BIP-39 may be able to use a similar technique. Blockchain developers and token providers will need to publish migration roadmaps and develop recovery plans for orphaned tokens whose owners miss the deadline. Recent estimates show it would take 76 days of non-stop processing to migrate all Bitcoin UTXOs to post-quantum wallets.

From SNARKs to STARKs and SNARGs

Quantum computers can break popular zero-knowledge systems like Groth16, Halo2, and PlonK because they use elliptic curves. Blockchains will need to use the newer STARK and SNARG zero-knowledge systems, which are quantum-resistant at the price of larger proofs and longer verification times. Starknet is transitioning to FRI. Ethereum is looking at FRI, STIR, and WHIR.

Conclusions

Blockchain designers have the tools they need to transition to post-quantum cryptography. It is now a question of will. Regulators are pushing financial institutions to be quantum-ready as soon as possible. On the other hand, it is reasonable to delay to see which algorithms the industry will support, and which will become final NIST and IETF standards.

Everybody in the crypto industry needs a quantum transition roadmap. Circle is already considering how to mitigate the cost of address migration, and how to prepare Arc for the transition. The Circle post-quantum roadmap focuses on privacy first to protect our users from harvest-now-decrypt-later attacks. Arc Privacy will be post-quantum secure on day 1.
