up:: The New Standards MOC

Post-Quantum Blockchains

A blockchain becomes quantum-resistant by swapping the vulnerable primitive that authorizes spending. Every mainstream chain authorizes transactions with an elliptic-curve signature, and Shor’s algorithm recovers the private key from an exposed public key, so the migration target is the signature scheme, while the SHA-256 hashing that secures proof-of-work faces only Grover’s algorithm and carries forward with a wider margin. Two paths exist. A chain can be built quantum-resistant from day one, which is what the Quantum Resistant Ledger did with XMSS, or an existing chain can retrofit through a signature soft-fork, which is what the current Bitcoin and Ethereum proposals aim at. Both rest on the same finalized post-quantum standards, and none of them needs a quantum computer to arrive before the work can start.

Source: NIST, “Post-Quantum Cryptography FIPS approvals,” August 2024 (FIPS 203, 204, 205 finalized), csrc.nist.gov/news/2024/postquantum-cryptography-fips-approved.

The short version:

  • The quantum exposure in a blockchain sits in the signature scheme that authorizes spends, because Shor’s algorithm breaks the elliptic-curve math behind ECDSA and Ed25519, and the fix is a post-quantum signature.
  • The Quantum Resistant Ledger is the purpose-built case: it authorizes every transaction with XMSS, a hash-based signature whose security rests only on a hash function, so it was quantum-resistant from launch.
  • Bitcoin’s leading retrofit is BIP-360, a soft-fork proposal for a quantum-resistant output type that would let holders move coins behind a NIST post-quantum signature such as SLH-DSA or ML-DSA.
  • Ethereum’s approach routes through account abstraction, letting wallets swap their signature algorithm to a post-quantum one without a protocol-level hard fork.
  • State proofs are a related technique: a chain periodically commits its ledger state with a post-quantum signature, so the compressed proof of history stays verifiable even against a quantum adversary.
  • The hashing that secures mining survives, so a quantum-resistant blockchain is a signature-migration and coordination project rather than a rebuild from scratch.

What actually needs to change to make a blockchain quantum-resistant?

The signature scheme, and almost nothing else in the cryptographic core. A blockchain does two cryptographic jobs that matter for the quantum question, and quantum computers treat them very differently. Transaction authorization proves you are allowed to move coins, and it is done with a public-key signature: ECDSA over secp256k1 on Bitcoin, ECDSA and increasingly other curves on Ethereum, Ed25519 on several newer chains. All of those rest on the elliptic-curve discrete logarithm problem, which Shor’s algorithm solves efficiently, so a cryptographically relevant quantum computer can recover a private key from an exposed public key and forge a spend.

The other job is ordering and securing the ledger, which on proof-of-work chains is a SHA-256 search. The only quantum attack on a hash function is Grover’s algorithm, which gives a square-root speedup rather than the exponential collapse Shor’s brings to signatures, and purpose-built ASIC miners outrun a near-term quantum machine. So the honest scope of a quantum-resistant blockchain is a signature migration: replace the elliptic-curve signature that authorizes spending with a post-quantum signature that has no known efficient quantum attack. The full treatment of why signatures fall and mining holds lives in Bitcoin and Blockchain Quantum Risk.

Source: Divesh Aggarwal, Gavin K. Brennen, Troy Lee, Miklos Santha, Marco Tomamichel, “Quantum attacks on Bitcoin, and how to protect against them,” 2018, arXiv:1710.10377.

How does the Quantum Resistant Ledger build quantum resistance in?

The Quantum Resistant Ledger (QRL) took the from-scratch path: it authorizes every transaction with XMSS, the eXtended Merkle Signature Scheme, so its spend authorization never touched vulnerable elliptic-curve math in the first place. QRL describes itself as the first industrial blockchain to use the IETF-specified XMSS, a hash-based, forward-secure signature scheme. The design choice is the whole point: XMSS derives its security only from the strength of an underlying hash function, which is the property that carries through the quantum transition, so QRL inherits the same durability that keeps SHA-256 standing.

XMSS is built from two pieces. The bottom layer is a set of Winternitz one-time signatures (WOTS+), each of which can safely sign a single message, and the top layer is a Merkle tree that binds many of those one-time keys under a single public root, so one address can sign many messages. The trade-off is that XMSS is stateful: each one-time key must be used exactly once, and the signer has to track which leaves are spent, because reusing a one-time key is where hash-based signatures leak. QRL manages that state at the wallet and protocol level, which is exactly the engineering cost of choosing the most conservative post-quantum signature family. The mechanics of stateful hash-based signing, and why the state requirement is the price of the strongest security assumption, are covered in Stateful Hash-Based Signatures (XMSS - LMS).

Sources: The QRL, “The Quantum Resistant Ledger,” theqrl.org. A. Huelsing, D. Butin, S. Gazdag, J. Rijneveld, A. Mohaisen, “XMSS: eXtended Merkle Signature Scheme,” RFC 8391, May 2018, datatracker.ietf.org/doc/html/rfc8391.

How would Bitcoin retrofit a quantum-safe signature?

Through a soft-fork that adds a new quantum-resistant output type, so holders can move coins behind a post-quantum signature without rewriting the chain. The leading concrete proposal is BIP-360, authored by Hunter Beast with co-authors, which defines a new output type similar to Pay-to-Taproot but with the quantum-vulnerable key-path spend removed, spendable only through a script backed by a quantum-resistant signature algorithm such as ML-DSA or SLH-DSA. It is proposed as a consensus soft-fork adding a new SegWit output version, which means older nodes keep working while upgraded nodes enforce the new rules.

The design targets the long-exposure risk head-on: once a quantum-safe address type exists, holders can move coins out of exposed pay-to-public-key and reused addresses into outputs a CRQC cannot forge. A companion line of work proposes a pre-announced sunset of legacy ECDSA and Schnorr spending after the quantum-resistant type ships, so the exposed supply shrinks on a schedule rather than lingering forever. The proposal is a draft under discussion, so it is the direction to track rather than a shipped feature, and its real difficulty is coordination across wallets, miners, exchanges, and users rather than the cryptography, which already exists as finalized standards.

Source: Hunter Beast et al., “BIP-360: Pay to Quantum Resistant Hash,” Bitcoin Improvement Proposals, github.com/bitcoin/bips/blob/master/bip-0360.mediawiki. [OPERATOR VERIFY: BIP-360 is a draft under active revision; confirm the current status, output-type name, and referenced signature schemes before citing as current.]

How is Ethereum planning to go quantum-resistant?

Ethereum’s plan leans on account abstraction, which lets an account choose its own signature algorithm so a quantum-safe scheme can be adopted without a protocol-level hard fork. In February 2026, Vitalik Buterin published a roadmap identifying four parts of Ethereum’s cryptography that need post-quantum upgrades: consensus-layer signatures, data-availability sampling, externally owned account signatures, and certain zero-knowledge proofs. The account-signature piece is where account abstraction does the heavy lifting, because moving users from bare externally owned accounts to programmable smart-contract wallets means a wallet can swap its verification logic to a post-quantum signature when the standards and tooling are ready.

On the consensus layer, Ethereum Foundation researchers have proposed a hash-based multi-signature construction to replace the current BLS-based aggregation, chosen because a hash-based scheme rests on the same quantum-durable foundation as XMSS and SLH-DSA. The general shape mirrors Bitcoin’s: keep the surviving hash-and-consensus machinery, replace the signature layer, and stage the migration so it does not require an emergency fork. Both timelines and design details are moving, so treat the specifics as a live research program rather than a finished migration.

Source: Ethereum, “Post-quantum cryptography,” ethereum.org/roadmap/future-proofing/quantum-resistance. [OPERATOR VERIFY: Ethereum's post-quantum roadmap, EIP numbers, and fork timelines are evolving; re-confirm current proposal names and status before publishing.]

What are state proofs, and how do they help?

A state proof is a periodic, compact certificate that attests to a blockchain’s ledger state, signed with a post-quantum signature so the proof of history stays verifiable even against a quantum adversary. Algorand is the deployed worked example: it introduced state proofs in 2022 as a post-quantum compact certificate produced every 256 rounds, signed with FALCON, the NIST signature being standardized as FN-DSA. Because each participating validator signs with a post-quantum key, a verifier can trust that a valid state proof was produced by the real network, which protects the entire signed history of the chain rather than only future transactions.

The technique matters for two reasons. It gives a chain a quantum-durable anchor for its own past, so an attacker with a future quantum computer cannot rewrite what a state proof already committed, and because these proofs are compact and verifiable by outside systems, they let other chains confirm a network’s state with quantum resistance, which is the foundation for quantum-safe cross-chain bridging. State proofs address a different exposure from the spend-authorization signatures above: they harden the record of what already happened rather than the authorization of what happens next.

Source: Algorand, “State Proofs Overview,” Algorand Developer Portal, developer.algorand.org/docs/get-details/stateproofs.

Which post-quantum signatures do quantum-safe blockchains use?

They draw from the finalized NIST signature standards plus the older stateful hash-based schemes, and the choice trades size against conservatism. The candidates a chain actually reaches for:

Signature schemeFamilyWhere it appearsWhy chosen
XMSSHash-based (stateful)Quantum Resistant LedgerSecurity rests only on a hash function; most conservative assumption
SLH-DSA (SPHINCS+)Hash-based (stateless)Bitcoin BIP-360 optionHash-only security with no state to manage; large signatures
ML-DSA (Dilithium)LatticeBitcoin BIP-360 option, Ethereum candidateGeneral-purpose default; moderate size and speed
FN-DSA (FALCON)Lattice (NTRU)Algorand state proofsCompact signatures where transaction size is the binding constraint

The pattern across all of them is that the security foundation is a problem with no known efficient quantum attack, either a hash function or a lattice problem, which is what makes each one a durable replacement for ECDSA. The practical tension is size and cost, because post-quantum signatures are larger than the elliptic-curve signatures they replace, and on a blockchain every byte of every transaction is stored forever and paid for in fees. That is why a chain that can tolerate managing state may prefer compact hash-based signing, while a chain that wants a stateless drop-in reaches for a lattice signature and accepts the size.

Source: NIST, “Post-Quantum Cryptography FIPS approvals,” August 2024, csrc.nist.gov/news/2024/postquantum-cryptography-fips-approved.

Common misconceptions

  1. “A blockchain has to be rebuilt from scratch to go quantum-safe.” Most of the machinery survives. The migration replaces the signature scheme that authorizes spending, and the proof-of-work hashing and ledger structure carry forward, which is why soft-fork retrofits are on the table for Bitcoin and Ethereum.
  2. “Quantum computers break blockchains by out-mining the network.” Mining rests on SHA-256 and faces only Grover’s quadratic speedup, which ASIC miners outrun. The break is on the ECDSA signatures that authorize spends.
  3. “The Quantum Resistant Ledger just uses a bigger key.” It uses a different family. QRL authorizes transactions with XMSS, a hash-based signature whose security rests only on a hash function, which is a structurally different foundation from elliptic-curve signing.
  4. “Nothing can be done until a quantum computer exists.” The finalized NIST signatures already exist, so the proposals for Bitcoin and Ethereum can be built and coordinated now, ahead of the CRQC. The scarce resource is coordination time across the ecosystem, since the cryptography is already standardized.
  5. “Post-quantum signatures are a free drop-in.” They are larger and often slower than ECDSA, and on a chain that stores and charges for every byte, that size drives real decisions about which scheme fits, which is why chains split between compact hash-based and stateless lattice options.

Questions people ask

How does a blockchain become quantum-resistant? By replacing the elliptic-curve signature that authorizes transactions with a post-quantum signature that has no known efficient quantum attack, either by building the chain that way from the start like the Quantum Resistant Ledger or by retrofitting an existing chain through a signature soft-fork. The SHA-256 hashing that secures mining survives, so the work concentrates on the signature layer.

What signature does the Quantum Resistant Ledger use? XMSS, the eXtended Merkle Signature Scheme specified in IETF RFC 8391, a hash-based signature whose security rests only on the strength of a hash function. It is stateful, so each one-time key must be used exactly once, which QRL manages at the wallet and protocol level.

Can Bitcoin be made quantum-safe? Yes, through a soft-fork that adds a quantum-resistant output type. The leading proposal, BIP-360, would let holders move coins behind a NIST post-quantum signature such as SLH-DSA or ML-DSA. It is a draft under discussion, so the main open work is ecosystem coordination.

What is Ethereum doing about quantum computing? Ethereum’s plan uses account abstraction so wallets can swap their signature algorithm to a post-quantum scheme without a protocol-level hard fork, alongside a hash-based multi-signature proposal to replace consensus-layer BLS aggregation. The roadmap covers account signatures, consensus signatures, data availability, and some zero-knowledge proofs.

What are blockchain state proofs? A state proof is a periodic compact certificate that attests to the ledger’s state, signed with a post-quantum signature so the proof of history stays verifiable against a quantum adversary. Algorand produces them signed with FALCON, which protects the chain’s entire signed history and enables quantum-safe cross-chain verification.

Which post-quantum signature is best for a blockchain? It depends on the constraint. Chains that can manage signing state may prefer compact hash-based signatures, chains that want a stateless drop-in use a lattice signature like ML-DSA, and chains where transaction size dominates reach for the compact FN-DSA. All rest on problems with no known efficient quantum attack.


Everything here is the map, given freely. When your team needs blockchain or ledger cryptography sorted into what a quantum computer can actually reach and which post-quantum signature fits your constraints, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.