2025-02-23T09:43:30
Status: #moc #investmentthesis
Tags: #crypto #security #quantum #physics #society #technology #blockchain #bitcoin #investment
Links: [[Technology]] | [[Cryptography]] | [[Quantum Computing]]

# Quantum-Resistant Cryptography in Blockchain Wallets

## Why Quantum Resistance Matters for Blockchains

**Quantum Threat:** Current cryptocurrencies (Bitcoin, Ethereum, etc.) rely on [[Cryptography|cryptographic]] algorithms (such as elliptic-curve signatures) that could be broken by sufficiently powerful [[Quantum Computing|quantum computers]] running [Shor’s algorithm](https://en.wikipedia.org/wiki/Shor%27s_algorithm). This would allow an attacker to derive private keys from public keys, endangering wallet security ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Ethereum%20uses%20common%20cryptographic%20methods,them%20control%20over%20associated%20funds)) ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)). While today’s quantum machines are nowhere near that scale, the industry is **preparing now** to avoid future risk.

**Quantum-Resistant (Post-Quantum) Cryptography:** Algorithms believed to be secure against attacks by quantum computers. They typically rely on mathematical problems (hash preimage resistance, lattice problems, etc.) for which no efficient quantum algorithm is known. Integrating such algorithms into blockchain wallets means using **private/public key pairs** and signature schemes that remain secure even if large-scale quantum computers emerge ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=Quantum,the%20nodes%20in%20the%20network)) ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=1.%20Hash,the%20difficulty%20of%20decoding%20a)).

![[QuantumResistantCryptoKB.png]]

Below, we examine major blockchains – **Bitcoin, Ethereum, Polygon, Solana, and XRP** – to see whether they support quantum-resistant wallets today, which algorithms are in use or proposed, and what their plans are for the future.

## Bitcoin

- **Current Cryptography:** Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) on the secp256k1 curve (and Schnorr signatures for Taproot) to generate wallet key pairs and sign transactions ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=%E2%97%8F%20ECDSA%20public%20keys%20used,delay%20upgrading%20until%20it%E2%80%99s%20necessary)). These elliptic-curve schemes are **not quantum-safe** – a sufficiently advanced quantum computer could solve the discrete logarithm problem and derive the private key from a public key (in particular once a public key has been revealed on-chain).
- **No Native Quantum-Resistant Keys (Yet):** At present, Bitcoin **does not support quantum-resistant public/private key pairs** for normal wallets. All standard Bitcoin addresses ultimately rely on ECDSA/Schnorr signatures, which are vulnerable to quantum attack ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=%E2%97%8F%20ECDSA%20public%20keys%20used,delay%20upgrading%20until%20it%E2%80%99s%20necessary)). (Hash algorithms like SHA-256 are also used in Bitcoin addresses and mining; those would see reduced security from Grover’s algorithm but not a total break ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=%E2%97%8F%20%20SHA256%2C%20SHA256d%2C%20and,going%20from%20SHA256%20to%20SHA512)) – doubling the hash size can offset that risk.)
- **Mitigations & Key-Reuse Caution:** A Bitcoin address (specifically P2PKH or Bech32) doesn’t expose the public key until you spend from it – only a hash of the pubkey is visible on-chain initially. This offers *some* protection: a quantum attacker can’t target your public key until you make a transaction. However, once you spend (revealing the pubkey in the transaction), an attacker with a quantum computer could theoretically crack it **very quickly**, so key reuse is dangerous in a post-quantum scenario ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=Schwartz%20urges%20readers%20to%20hold,not%20exactly%20practical%20at%20scale)). This is why quantum-resistant schemes are being explored for the future.
- **Research and Proposals:** Bitcoin developers are actively researching upgrade paths:
  - A **draft Bitcoin Improvement Proposal (BIP)** was introduced in 2024 to define a new SegWit address version (v3) for a **quantum-resistant signature algorithm** ([Bitcoin Optech Newsletter #307 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/06/14/#draft-bip-for-quantum-safe-address-format#:~:text=,full%20quantum%20resistance%20to%20Bitcoin)). This was later refined into [BIP 360: Pay to Quantum Resistant Hash](https://bip360.org/), which proposes a new output type whose spends are authorised by signatures based on Post-Quantum Cryptography (PQC). Adding a post-quantum secure output type this way does not require a hard fork or a block size increase.
  - Developers have proposed ways to add quantum-safe signatures **without a hard fork**. For example, one idea uses Bitcoin’s scripting (P2SH or P2WSH) to *layer* a Lamport one-time signature on top of the regular ECDSA signature ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)). In this scheme, a transaction is valid only if it includes a valid **Lamport signature** in addition to the normal signature. Lamport signatures are a hash-based one-time scheme (explained more below) that is **quantum-resistant**, so this would make those particular UTXOs secure against quantum attackers ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)). Notably, a recent Bitcoin developer mailing list post described how to enforce Lamport signatures for spends from a certain script, effectively making those coins quantum-safe **at the cost of much larger signatures** ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)) ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=and%20P2WSH%20outputs%20quantum%20resistant,anything%20based%20on%20this%20summary)). This approach doesn’t require changing consensus rules (it uses existing script abilities), but it is not used in practice yet – it is a theoretical stop-gap in case quantum computers arrive before an official upgrade.
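The Lamport scheme referred to above, worked through in Python as an added example (this is not code from the Bitcoin mailing-list proposal, Optech, or any wallet project). Key generation produces 256 pairs of random secrets and publishes their hashes; signing reveals one secret per bit of the message digest; verification re-hashes the revealed secrets. The `pubkey_commitment` function, the `sizes` helper and the spend message are assumptions constructed for this example; the commitment mirrors the way a script or contract wallet keeps only a hash of the key on-chain until spend time, and `sizes` makes the bandwidth cost of such signatures concrete.

```python
"""Lamport one-time signature: keygen, sign, verify, plus an on-chain style
check against a hash commitment to the public key (added example)."""
import hashlib
import secrets

DIGEST = hashlib.sha256
BITS = 256        # one secret pair per bit of the SHA-256 message digest
SECRET_LEN = 32   # bytes per secret


def keygen():
    """Private key: 256 pairs of random secrets. Public key: the hash of each secret."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(BITS)]
    pk = [(DIGEST(a).digest(), DIGEST(b).digest()) for a, b in sk]
    return sk, pk


def pubkey_commitment(pk):
    """One hash over the whole public key. A script or contract wallet would
    store only this 32-byte value on-chain (assumed layout for this example)."""
    return DIGEST(b"".join(a + b for a, b in pk)).digest()


def _message_bits(msg):
    """Bits of SHA-256(msg), most significant bit first."""
    d = DIGEST(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]


def sign(sk, msg):
    """For each digest bit, reveal the secret from the matching half of the pair.
    Every signature discloses half of the private key, so a key signs exactly once."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def verify(pk, msg, sig):
    """Re-hash each revealed secret and compare it with the published half."""
    if len(sig) != BITS:
        return False
    return all(DIGEST(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _message_bits(msg))))


def verify_against_commitment(commitment, pk, msg, sig):
    """What a verifier holding only the commitment does: the spender supplies the
    full public key together with the signature, and both are checked."""
    return pubkey_commitment(pk) == commitment and verify(pk, msg, sig)


def sizes():
    """Byte sizes behind the 'much larger signatures' trade-off
    (for comparison, a compressed secp256k1 key is 33 bytes, an ECDSA sig ~72)."""
    return {"public_key_bytes": BITS * 2 * 32, "signature_bytes": BITS * SECRET_LEN}


if __name__ == "__main__":
    sk, pk = keygen()
    commitment = pubkey_commitment(pk)   # the only value published up front
    msg = b"constructed spend: 0.5 BTC to EXAMPLE_ADDRESS"   # constructed message
    sig = sign(sk, msg)
    print("valid:", verify_against_commitment(commitment, pk, msg, sig))
    print("tampered message accepted:", verify(pk, msg + b"!", sig))
    print(sizes())
```

Because each signature discloses half of the secrets, a second signature under the same key would disclose more of them; that is the reason the contract-wallet and vault designs discussed on this page rotate to a fresh key on every spend rather than reusing one.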
  - Overall, Bitcoin’s strategy is *wait until necessary, but be prepared*. Quantum-resistant signature algorithms do exist, but they tend to have **much larger key and signature sizes**, which affects transaction bandwidth and storage ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=used%20for%20proposed%20schnorr%20signatures,delay%20upgrading%20until%20it%E2%80%99s%20necessary)). Developers prefer to **delay a wholesale switch** until quantum computers are closer to reality and a clear best candidate algorithm emerges ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=used%20for%20proposed%20schnorr%20signatures,delay%20upgrading%20until%20it%E2%80%99s%20necessary)) ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=capacity%20and%20reliability%20to%20perform,like%20it%E2%80%99ll%20soon%20become%20necessary)). Bitcoin’s open-source nature means it can evolve through hard forks if needed – e.g. to swap in a lattice-based or hash-based signature scheme – but given the high stakes, such a change will be introduced only once proven and required.

## Ethereum

- **Current Cryptography:** Ethereum’s externally owned accounts use the same ECDSA (secp256k1) keys as Bitcoin, so they share the **quantum vulnerability**. Additionally, Ethereum 2.0 (Proof-of-Stake) uses BLS12-381 *pairing-based* signatures (for validator authentication and the random beacon) – BLS is different math but equally **not quantum-safe**, since it is also built on elliptic curves ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Ethereum%20uses%20common%20cryptographic%20methods,them%20control%20over%20associated%20funds)). In short, **no part of Ethereum’s current key system is quantum-resistant**.
- **No PQ Wallets Yet:** There is **no native support** for quantum-resistant key pairs in Ethereum at this time. All standard wallets (MetaMask, hardware wallets, etc.) use ECDSA keys. If a quantum computer cracked secp256k1, Ethereum accounts would be at risk just like Bitcoin’s.
- **Future Roadmap – “The Splurge”:** Ethereum’s core developers are actively planning for post-quantum security in the protocol’s long-term roadmap. Vitalik Buterin (Ethereum’s co-founder) has outlined an upgrade phase called **“The Splurge”** which explicitly targets **quantum-resistant cryptography** and other advanced improvements ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=,network%20rollout%2C%20allowing%20a%20cautious)) ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=To%20achieve%20quantum%20resilience%2C%20The,assets%20remain%20secure%20as%20quantum)). Key points in Ethereum’s quantum-resistance plan:
  - **Lattice-Based Cryptography:** Buterin mentions exploring **lattice-based** signature schemes as a replacement for ECDSA ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=To%20achieve%20quantum%20resilience%2C%20The,assets%20remain%20secure%20as%20quantum)). Lattice-based algorithms (like CRYSTALS-Dilithium or Falcon) are leading post-quantum contenders that rely on hard problems in lattice math (more details in the algorithm section). Ethereum’s dev teams anticipate integrating such algorithms to secure transactions against quantum attacks in the future ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=To%20achieve%20quantum%20resilience%2C%20The,assets%20remain%20secure%20as%20quantum)).
  - **Account Abstraction:** A major upgrade in progress is **Account Abstraction (EIP-4337 and related proposals)**, which will allow smart contract wallets and flexible verification logic for transactions. In a recent update (the *Pectra* upgrade, part of The Splurge), an Ethereum Improvement Proposal (EIP-7701) is planned to make account abstraction available to all users ([Vitalik Buterin’s ‘The Splurge’ Targets Quantum-Resistant Cryptography for Ethereum’s Future](https://cryptonews.com/news/vitalik-buterins-the-splurge-targets-quantum-resistant-cryptography-for-ethereums-future/#:~:text=Buterin%20explained%20how%20this%20upgrade,resistant%20algorithms%20in%20user%20interactions)). This means that instead of the protocol *forcing* ECDSA, users and contract wallets could choose **custom signature algorithms** for validating transactions. Vitalik specifically noted this would enable using **“diverse methods beyond elliptic curve signatures, allowing for integrating quantum-resistant algorithms”** in the validation of transactions ([Vitalik Buterin’s ‘The Splurge’ Targets Quantum-Resistant Cryptography for Ethereum’s Future](https://cryptonews.com/news/vitalik-buterins-the-splurge-targets-quantum-resistant-cryptography-for-ethereums-future/#:~:text=Buterin%20explained%20how%20this%20upgrade,resistant%20algorithms%20in%20user%20interactions)). In other words, Ethereum is redesigning its transaction layer so that adding a post-quantum signature scheme becomes possible and relatively easy once one is standardized.
  - **Ethereum 3.0 and One-Time Signatures:** Looking further out, Ethereum community members speculate about **Ethereum 3.0 (circa 2027)** including quantum-proof measures by default. For example, one source suggests Ethereum 3.0 will introduce protocols like **Winternitz one-time signatures and zk-STARKs** to enhance quantum security ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Looking%20ahead%2C%20Ethereum%203,the%20exposure%20of%20private%20keys)). A Winternitz one-time signature (WOTS) is a hash-based scheme (similar to Lamport) that ensures that even if a transaction’s public key is seen, it can’t be used to derive the private key. (Because a WOTS key is used exactly once, a wallet uses a fresh key for every signature, so a given pubkey is never reused – eliminating the key-reuse risk in a quantum context.) This is in line with Ethereum’s goal to “prevent exposure of private keys” and protect transactions from quantum attacks ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Looking%20ahead%2C%20Ethereum%203,the%20exposure%20of%20private%20keys)). Ethereum researchers are already testing such post-quantum schemes on Layer-2 networks to observe performance before any mainnet deployment ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=%2A%20New%20upgrades%2C%20like%20lattice,to%20implementing%20advanced%20cryptographic%20safeguards)) ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=built%20on%20top%20of%20the,while%20introducing%20advanced%20security%20measures)).
- **Current Options for Users:** While Ethereum’s base layer isn’t PQ-ready yet, there are **third-party solutions** emerging:
  - **Anchor Wallet (Smart Contract Wallet):** Projects like *Anchor Wallet* have built Ethereum-compatible smart contract wallets that use **Lamport hash-based signatures** internally instead of ECDSA ([Anchor Wallet - Long Term, Quantum Secure Crypto Storage](https://anchorwallet.ca/#:~:text=But%20quantum%20computing%20won%E2%80%99t%20have,and%20manage%20tokens%20and%20currency)). In an Anchor wallet, your “wallet” is actually a smart contract on Ethereum; to move funds, you must provide a valid Lamport signature (which a quantum computer cannot forge) rather than an ECDSA signature. The contract verifies the Lamport signature using on-chain code, so the security of your funds no longer depends on secp256k1. Anchor advertises itself as “the first quantum resistant smart contract wallet” available on Ethereum (and Polygon) ([Anchor Wallet - Long Term, Quantum Secure Crypto Storage](https://anchorwallet.ca/#:~:text=Available%20for%20Ethereum%2C%20Polygon%20and,more)) ([Anchor Wallet - Long Term, Quantum Secure Crypto Storage](https://anchorwallet.ca/#:~:text=But%20quantum%20computing%20won%E2%80%99t%20have,and%20manage%20tokens%20and%20currency)). This is a **user-level opt-in solution** – it doesn’t change Ethereum’s consensus, but it leverages Ethereum’s flexibility (smart contracts) to achieve quantum-resistant custody of assets. The downside is higher gas costs and more complex key management (Lamport signatures are one-time use, so the contract must handle key rotation).
  - **Layer 2 Trials:** Ethereum is also funding and testing tech like **zk-STARKs** for scaling (e.g., StarkNet, Polygon’s zkEVM efforts). Notably, STARKs use only hash-based cryptography (no classical public-key math) and are considered **quantum-proof** for proof verification ([Polygon’s Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)). While STARKs are used for validity proofs (not for user signing), this shows Ethereum’s inclination toward quantum-safe primitives. These trials on L2 give practical data on how quantum-safe cryptography performs in terms of speed and cost ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=built%20on%20top%20of%20the,while%20introducing%20advanced%20security%20measures)). Insights from L2 can guide which post-quantum signature to adopt on L1 in the future.

**Bottom line:** Today, an Ethereum wallet is **not quantum-resistant** by default. But Ethereum’s roadmap is actively working toward that goal – likely by introducing new signature schemes (hash-based or lattice-based) in a future hard fork. In the meantime, specialized contract wallets (like Anchor) or L2 solutions can provide quantum-resistant options for those who need them now.

## Polygon

- **Current Cryptography:** Polygon is a sidechain / Layer-2 network that is **EVM-compatible**, meaning it uses the **same account model and key cryptography as Ethereum** (secp256k1 ECDSA for transactions). Thus, **Polygon’s wallets are not quantum-resistant** today – they have the same vulnerability to quantum attacks as Ethereum’s, by virtue of relying on identical cryptographic assumptions.
- **No Native PQ Support Yet:** Polygon does **not currently offer quantum-resistant wallet keys** or address types. Users manage Polygon funds with standard crypto wallets (MetaMask, etc.), which use non-PQ ECDSA keys.
- **Alignment with Ethereum:** As Polygon’s technology closely follows Ethereum’s, it is likely that any quantum-resistant upgrade in Ethereum would be adopted in Polygon as well. Polygon’s team and community are aware of the quantum issue as an industry-wide concern, but no separate Polygon-specific quantum key initiative has been announced. Instead, they benefit from and contribute to Ethereum’s research. For example, if Ethereum enables account abstraction and post-quantum signature options, Polygon (especially as a zkEVM rollup or sidechain) could support those same options with minimal friction.
- **Zero-Knowledge Initiatives:** One area where Polygon is distinguishing itself is **Zero-Knowledge (ZK) proofs for scalability**, some of which use quantum-resistant cryptography:
  - Polygon has invested heavily in **zk-STARKs** (via the Polygon Miden and Polygon Zero projects). STARKs (Scalable Transparent ARguments of Knowledge) use collision-resistant hash functions and do not require any trusted setup. They are considered *future-proof* because **“STARKs use lean cryptography, which makes them not susceptible to attacks by quantum computers.”** ([Polygon’s Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)). Polygon’s own blog highlights that STARKs are transparent, scalable, and **quantum-secure**, which is a selling point for their ZK strategy ([Polygon’s Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)).
  - However, keep in mind that this concerns the **proof system** (used, for example, to validate batches of transactions in a rollup), not the user’s wallet keys. So **Polygon’s rollups might be quantum-resistant in their proof/verification layer**, but **the wallets signing the transactions still use ECDSA**. In other words, an adversary with a quantum computer could break a Polygon user’s key and forge transactions even if the zk-STARK proving system itself remains sound.
- **User Solutions:** As on Ethereum, any EVM-based quantum-resistant wallet contract (e.g. the Anchor Wallet mentioned above) also works on Polygon. In fact, Anchor explicitly supports “Ethereum, Polygon and more” networks for its post-quantum contract wallet ([Anchor Wallet - Long Term, Quantum Secure Crypto Storage](https://anchorwallet.ca/#:~:text=Available%20for%20Ethereum%2C%20Polygon%20and,more)). So a Polygon user worried about quantum threats could use such a contract to hold MATIC and tokens, rather than a normal EOA (Externally Owned Account).
- **Future Plans:** We expect Polygon to follow Ethereum’s lead on quantum safety. The team behind Polygon has not announced independent PQ cryptography changes for the core chain. Instead, their focus is on scaling and ZK tech (which incidentally yields some quantum resilience in those specific contexts). Once Ethereum finalizes a quantum-resistant signature scheme or address format, Polygon’s equivalent upgrade (or transition for its users) would likely coincide.

## Solana

- **Current Cryptography:** Solana uses Ed25519 (an EdDSA signature scheme over Curve25519) for its native account keys. This is an elliptic-curve method, and like secp256k1 **it is not secure against quantum attacks**. A large quantum computer could, in theory, derive an Ed25519 private key from its public key using Shor’s algorithm. So by default, **Solana’s wallets are *not* quantum-resistant** under standard key pair usage.
- **“Winternitz Vault” – Quantum-Resistant Option:** Uniquely, Solana has taken an early step to offer an **optional quantum-safe wallet solution**. In January 2025, Solana developers (notably Dean Little from the Solana community) introduced the **Solana Winternitz One-Time Signature Vault**, described as a *quantum-resistant vault* program on the blockchain ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=Solana%20developers%20have%20created%20a,threats%20posed%20by%20quantum%20computers)). This is not a mandatory network change but an added feature that security-conscious users can choose to use. Key details:
  - **Hash-Based One-Time Signatures:** The vault uses **Winternitz One-Time Signatures (WOTS)** – a hash-based signature scheme – instead of Ed25519 for securing the funds ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=The%20%E2%80%9CSolana%20Winternitz%20Vault%E2%80%9D%20solution,3%20GitHub%20post)). Hash-based signatures are believed to be safe against quantum algorithms because their security relies on hash preimage resistance, for which no quantum attack better than brute force with Grover’s algorithm is known.
  - **New Key for Every Transaction:** Each time you spend from a Winternitz vault, a brand new one-time keypair is generated and used. As Solana developer Dean Little explained, the system *“generates new keys every time a transaction is made”* ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=The%20%E2%80%9CSolana%20Winternitz%20Vault%E2%80%9D%20solution,3%20GitHub%20post)). This means the public key is different on every spend and no key is ever reused. Even if a quantum adversary saw one public key and managed to crack it (still extremely hard if the hash is strong), it would only compromise that one transaction, because a different key is used next time. This greatly limits an attacker’s window of opportunity.
  - **Merkle Root & Program Design:** When you open a vault, the program generates a WOTS keypair for you and computes a **Merkle root** of the public key (or a set of public keys) using Keccak-256 hashing ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=Initialize%20a%20new%20vault%20by%3A)). This Merkle root is stored as the identifier of the vault (in fact, it is used to derive the Program Derived Address that represents the vault account on-chain) ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=Initialize%20a%20new%20vault%20by%3A)). The Merkle root lets the program later verify a provided one-time signature by checking it against the root, without storing the full public key. Essentially, it is an on-chain verification mechanism for the hash-based signature.
  - **224-bit Hash for Preimage Resistance:** The implementation uses a *truncated Keccak-256 hash (224-bit)* for efficiency on Solana ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=The%20Solana%20Winternitz%20Vault%20is,quantum%20threats%2C%20including%20Grover%27s%20algorithm)). Even truncated to 224 bits, this offers very strong security: a 224-bit hash retains **112-bit security against quantum attacks**, since Grover’s algorithm reduces a 2^224 preimage search to roughly 2^112 operations, which is still considered safe. The design choice balances security with Solana’s runtime constraints: hashing on chain is compute-intensive, so the developers chose a size that fits within compute budgets ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=quantum%20computing%20attacks.%20,conform%20to%20Solana%27s%20compute%2Finstruction%20limits)).
  - **Workflow:** Using the vault involves three main instructions: **Open Vault**, **Split Vault**, and **Close Vault** ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=The%20program%20provides%20three%20main,instructions)) ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=2)). To spend funds, the user typically uses the *“Split Vault”* operation: you create a WOTS signature on a message specifying how much to send and to which account, and any remainder goes to a new “refund” vault ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=)) ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=1,is%20closed)). The one-time signature is verified against the stored Merkle root to prove you are the owner. After the split, any leftover funds end up in a **new vault** (with a new one-time pubkey root) so that the chain of quantum-resistant protection continues unbroken ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=This%20enables%20you%20to%20split,resistant%20cryptography)) ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=malleability%20in%20the%20case%20of,is%20closed)). If you want to empty the vault entirely, you use *Close Vault*, signing a message that releases all funds to a target address ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=3)).
  - **Status and Trade-offs:** The Winternitz Vault is **live as an *optional* feature** on Solana’s network (as of early 2025) ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=The%20Solana%20quantum,assets%20are%20protected%20against%20potential)). Users must **opt in** by moving their SOL into a vault; regular wallets remain unchanged. This opt-in model is similar to using a smart contract wallet – it requires extra user effort and understanding. There are trade-offs: WOTS signatures are much larger than Ed25519 signatures, so transactions from the vault have higher bandwidth and compute costs. They are also one-time use, so key management is more complex (the vault handles generating new keys, but users must be careful not to reuse a key by accident). Despite these drawbacks, the vault provides a working **quantum-resistant wallet solution** for those wanting maximum long-term security on Solana.
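The Merkle-root design and the Open/Split workflow described above, reconstructed in Python as an added example (this is a model of the design, not code from the solana-winternitz-vault repository). Several details are assumptions made for the example: SHA3-256 truncated to 224 bits stands in for the repository’s truncated Keccak-256 (Python’s `hashlib` ships no raw Keccak), the Winternitz parameter is w = 16, the byte layout of the split message is invented, and the names `open_vault`, `wallet_split` and `program_split` are not the program’s instruction names. The example goes slightly beyond the text by including the Winternitz checksum chunks, which any WOTS implementation needs so that a signature on one message cannot be advanced into a signature on another.

```python
"""Winternitz one-time signature (WOTS) vault modelled on the design described
above (added example; not code from the solana-winternitz-vault repository)."""
import hashlib
import math

N = 28          # 224-bit truncated digest, as in the vault
W = 16          # Winternitz parameter: each chain encodes a 4-bit chunk (assumed)
LEN1 = (8 * N) // 4                                   # 56 message chunks
LEN2 = math.ceil(math.log2(LEN1 * (W - 1) + 1) / 4)   # 3 checksum chunks
LEN = LEN1 + LEN2                                     # 59 hash chains in total


def h(data: bytes) -> bytes:
    """Stand-in for the vault's truncated Keccak-256: SHA3-256 cut to 224 bits
    (assumption of this example; hashlib has no raw Keccak)."""
    return hashlib.sha3_256(data).digest()[:N]


def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = h(x)
    return x


def keygen(seed: bytes):
    """Derive LEN chain starts from a seed; the public key is each chain's end."""
    sk = [h(seed + i.to_bytes(2, "big")) for i in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def merkle_root(leaves):
    """Binary Merkle tree over the chain ends; only this root is kept on-chain."""
    nodes = list(leaves)
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        nodes = [h(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0]


def _chunks(msg: bytes):
    """224-bit digest as 56 base-16 chunks plus a 3-chunk checksum; the checksum
    decreases whenever a message chunk increases, so chains cannot be advanced."""
    b = []
    for byte in h(msg):
        b.extend(((byte >> 4) & 0xF, byte & 0xF))
    csum = sum(W - 1 - x for x in b)
    for i in range(LEN2):
        b.append((csum >> (4 * (LEN2 - 1 - i))) & 0xF)
    return b


def sign(sk, msg: bytes):
    return [chain(s, c) for s, c in zip(sk, _chunks(msg))]


def verify(root: bytes, msg: bytes, sig) -> bool:
    """Finish every chain from the signature and compare the Merkle root."""
    if len(sig) != LEN:
        return False
    ends = [chain(s, W - 1 - c) for s, c in zip(sig, _chunks(msg))]
    return merkle_root(ends) == root


class Vault:
    """On-chain state: Merkle root of the one-time pubkey, balance, spent flag."""
    def __init__(self, root: bytes, lamports: int):
        self.root, self.lamports, self.closed = root, lamports, False


def split_message(amount: int, dest: bytes, refund_root: bytes) -> bytes:
    # Assumed message layout for the split instruction
    return b"split" + amount.to_bytes(8, "big") + dest + refund_root


def open_vault(seed: bytes, lamports: int):
    sk, pk = keygen(seed)
    return Vault(merkle_root(pk), lamports), sk


def program_split(vault, amount, dest, refund_root, sig):
    """Program side: verify the one-time signature against the stored root, pay
    `amount` to `dest`, and move the remainder into a fresh vault under a new root."""
    if vault.closed or amount > vault.lamports:
        raise ValueError("vault already spent or insufficient balance")
    if not verify(vault.root, split_message(amount, dest, refund_root), sig):
        raise ValueError("invalid Winternitz signature")
    vault.closed = True   # this key has been used; the old vault never signs again
    return {"to": dest, "amount": amount}, Vault(refund_root, vault.lamports - amount)


def wallet_split(vault, sk, amount, dest, refund_seed):
    """Wallet side: create the next one-time key first, then sign a message that
    commits to the refund root so the remainder cannot be redirected."""
    refund_sk, refund_pk = keygen(refund_seed)
    refund_root = merkle_root(refund_pk)
    sig = sign(sk, split_message(amount, dest, refund_root))
    payment, refund_vault = program_split(vault, amount, dest, refund_root, sig)
    return payment, refund_vault, refund_sk


def signature_size_bytes() -> int:
    return LEN * N   # 1652 bytes, against 64 bytes for an Ed25519 signature


if __name__ == "__main__":
    vault, sk = open_vault(b"constructed-seed-1", 1_000)        # constructed values
    payment, refund, refund_sk = wallet_split(vault, sk, 300, b"DEST_ACCOUNT", b"constructed-seed-2")
    print(payment, "remainder:", refund.lamports, "old vault closed:", vault.closed)
```

Two properties worth noting in the model: the signed message includes the refund vault’s root, so a valid signature authorises exactly one destination, amount and successor vault; and the spent flag makes the program reject any second use of a key, which is the on-chain counterpart of the one-time rule the page’s trade-offs bullet describes.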
  - **Future Outlook:** Solana’s step shows that blockchains *can* add quantum-safe options at the application level relatively quickly. If quantum threats grow, Solana might integrate such solutions more deeply or even consider changing its default signature scheme via a network upgrade (which would be a major move). For now, the network’s core remains on Ed25519, but the community has a tested blueprint (the WOTS vault) for quantum-safe key management. This also sets a precedent: other chains could implement similar one-time signature vaults or contract wallets to offer quantum resistance without waiting for a full protocol upgrade.

## XRP (Ripple)

- **Current Cryptography:** The XRP Ledger (XRPL) supports two types of account keys: secp256k1 (the same curve as Bitcoin) and Ed25519 (the same as Solana’s default). Both are **classical elliptic-curve algorithms not resistant to quantum attacks** ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)). If a quantum computer could run Shor’s algorithm against secp256k1 or Curve25519, it could derive the private key from an XRP public key, compromising the account. In practice, most XRP users today have either a secp256k1-based wallet or an Ed25519-based wallet, neither of which is quantum-safe.
- **No Quantum-Resistant Wallets Yet:** XRPL does **not currently offer any quantum-proof key option** or setting for accounts. All transactions on the ledger are authorized by ECDSA or EdDSA signatures that a sufficiently powerful quantum computer could forge. Unlike Ethereum’s smart contracts or Solana’s programs, XRPL has limited scripting, so one cannot easily create a custom quantum-safe signature verification program on the XRP Ledger. (XRPL has some multi-sign and time-lock features, but no general-purpose scripting for custom cryptographic algorithms.)
- **Ripple’s Stance and Plans:** Ripple’s CTO David Schwartz has discussed the quantum computing threat. His view is that while eventually **“Bitcoin, Ethereum and the XRP Ledger will need to address quantum resistance,”** the threat is not imminent and current post-quantum solutions aren’t ready for prime time ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)). He compared quantum computing progress to “cold fusion” – always seeming 8-10 years away but repeatedly delayed ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=He%20compared%20quantum%20computing%20to,here%20we%20are%2C%20still%20waiting)). Key points from Ripple leadership and the community:
  - **Waiting for Better Algorithms:** Schwartz suggests that the crypto community should hold off until **truly efficient, well-vetted quantum-resistant algorithms** emerge, rather than rushing into an inferior solution now ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)) ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=algorithms%20emerge,not%20exactly%20practical%20at%20scale)). The algorithms available today (hash-based one-time signatures, large lattice signatures, etc.) come with significant downsides such as big signatures or statefulness. Switching XRPL’s account system to those prematurely could hurt performance and isn’t “worth the tradeoffs right now” ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)). The strategy is to monitor NIST’s standardization process and academic advances, and adopt a solution when it is both safe *and* practical.
  - **Potential Approaches:** If someone *really* wanted to secure an XRP account against quantum attack today, Schwartz noted it is possible but tedious: for instance, one could lock XRP behind a **hash preimage** condition (sending XRP to a condition where a secret that hashes to a given value must be revealed to claim it) ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=Schwartz%20urges%20readers%20to%20hold,not%20exactly%20practical%20at%20scale)). This way, no ECDSA public key is put on the ledger at all – only a secret that hashes to a known value is ever revealed, which is a bit like a Lamport one-time key (the hash acts as the “public key” and the secret as the “private key”). Such tricks can provide quantum safety (breaking a hash preimage is hard even for a quantum computer, as long as the hash is large), but they are **not standard or convenient** for normal users.
  - **Timeline:** Ripple hasn’t given a specific timeline for introducing PQ resistance. However, they acknowledge it *will* need to happen. XRPL would likely undergo a transition similar to the other chains: define a new account type or a new signature mechanism (perhaps via a protocol amendment) once an algorithm is chosen. This could be something like a lattice-based signature scheme or a hash-based scheme with manageable size. For now, **“not happening yet”** is the official line – they are keeping an eye on it and engaging in industry discussions rather than implementing anything on ledger in 2023/2024.
  - **Related Developments:** Ripple has funded cryptographers and even published research on broader cryptographic improvements. For example, Ripple’s blog has discussed quantum computing’s impact and the need for future quantum-safe cryptography in blockchain ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=Is%20XRP%20at%20Risk%3F%20Ripple,quantum%20resistance%2C%20says%20the%20developer)) ([Quantum Threat to Crypto Overstated Says Ripp... - CoinStats](https://coinstats.app/news/64b8db8245b5a089c93ab101515f02af22d6e5d639b5c7df14b07c76b7d9cacc_Quantum-Threat-to-Crypto-Overstated-Says-Ripple-CTO-David-Schwartz/#:~:text=While%20Schwartz%20downplays%20the%20immediate,strategies%20must%20be%20in%20place)). The XRPL community also occasionally discusses proposals, but as of today there is no concrete proposal in the XRPL spec for quantum-resistant addresses. Expect this to change in the coming years as standards mature.

In summary, **the XRP Ledger currently has no quantum-resistant wallet option**, and the approach is to stay vigilant but wait until a clear, efficient solution can be deployed via the network’s amendment process.

## Post-Quantum Cryptographic Algorithms (and Their Status)

Several **quantum-resistant cryptographic algorithms** are being researched or deployed experimentally on blockchains. Here we outline the main types encountered, along with their security principles and where they are used:

- **Hash-Based Signatures (Lamport, Winternitz, XMSS, SPHINCS+):** These are digital signature schemes that rely only on cryptographic hash functions (like SHA-2, SHA-3) for security.
They have **very strong security assumptions**: if the hash function is preimage-resistant (i.e., hard to invert), then the signature is unforgeable. Even with quantum computers, there’s no known efficient attack except [Grover’s algorithm](https://en.wikipedia.org/wiki/Grover%27s_algorithm), which at most gives a quadratic speed-up of $2^{n/2}$ (meaning a 256-bit hash drops to ~128-bit security, which is still huge). - *Lamport One-Time Signatures:* One of the earliest hash-based schemes, [[Cryptography#4.4.3. Lamport Signatures|Lamport Signatures]] use a pair of large sets of random numbers as a private key. For each bit of the message digest, you reveal one number from one of the sets (if the bit is 0, reveal from the “zero” list; if 1, reveal from the “ones” list) ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=Lamport%20public%20keys%20consist%20of,two%20lists%20of%20random%20numbers)). The unrevealed numbers serve as the secret for the other bit value. The collection of revealed numbers **is the signature**, and the verifier checks each revealed number against the hash of the corresponding public key element. This scheme is **quantum-resistant** because an attacker would need to invert a hash to find a non-revealed number that would make a valid signature, which is considered infeasible ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)) ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=Lamport%20public%20keys%20consist%20of,two%20lists%20of%20random%20numbers)). 
Lamport sigs are simple and *fast*, but the signature is large (hundreds of hash outputs) and each key can only sign **one message** (one-time). - *Winternitz One-Time Signatures (WOTS):* An improvement over Lamport that reduces signature size by not signing each bit individually. Instead, it uses a larger base (like base-$2^w$ symbols) and chains of hashes. Essentially, you hash a random value a certain number of times to represent a number (the message digest), rather than revealing a separate value for each bit. WOTS can significantly shrink the signature and public key size compared to Lamport, at the cost of a bit more computation. It’s still one-time use. In practice, WOTS is often used with a Merkle tree of many one-time keys to allow signing multiple messages – this leads to schemes like XMSS. Solana’s quantum vault uses a variant of WOTS with a Merkle root for the public key ([GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=Initialize%20a%20new%20vault%20by%3A)), indicating it can regenerate a new WOTS key for each transaction under a top-level root. - *XMSS (eXtended [[Cryptography#4.4.4. Merkle Signatures|Merkle Signature Scheme]]):* XMSS is a stateful hash-based signature scheme that’s been standardized (RFC 8391) and approved by NIST for certain applications. XMSS uses a tree of one-time WOTS keys: you generate, say, $2^n$ one-time keypairs, put all their public keys in a Merkle tree, and the root of that tree is your *master public key*. To sign a message, you pick the next unused one-time key, sign with it, and provide the authentication path (a set of sibling hashes) from that leaf up to the root as part of the signature. The verifier uses the one-time public key and that path to recompute the root and compare to the known master public key. 
XMSS is **quantum-safe** (like other hash systems) and allows many signatures (e.g., $2^{20}$ signatures per tree, if that many one-time keys are pre-generated). The catch is that the signer must *keep track of state* (which one-time keys have been used) to avoid reuse. Also, signatures are fairly large (tens of kilobytes is common, depending on parameters). The **Quantum Resistant Ledger (QRL)**, a niche blockchain project, was built entirely around XMSS – every address in QRL is an XMSS tree root, and every transaction uses a one-time key from that tree. This makes QRL intrinsically quantum-resistant at the signature level ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=1,not%20vulnerable%20to%20quantum%20attacks)). IOTA (in its earlier version) likewise used a hash-based one-time signature (WOTS) for signing transactions, making it quantum-resistant in principle ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=CoinMarketCap%20www)), though it has since moved to ed25519 for efficiency in its new version. - *SPHINCS+:* This is a stateless hash-based signature scheme (recently selected by NIST as a post-quantum standard). “Stateless” means it doesn’t require the signer to keep track of which one-time keys are used; instead it cleverly uses randomization and a hypertree of many layers of trees so that even if you reuse the key, it’s not catastrophic. SPHINCS+ allows an *unlimited* number of signatures with one public key. The trade-off is that its signatures are huge (around 8–15 KB for even the optimized variants) and signing is slower compared to lattice schemes. SPHINCS+ is attractive for its simplicity and robustness (security relies only on hash), but the size is a concern for blockchains (imagine every signature being 8KB – blockchain throughput and storage would suffer). 
- *Current Use:* Hash-based signatures **are already used in some contexts** – e.g., Solana’s Winternitz Vault (WOTS) ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=The%20%E2%80%9CSolana%20Winternitz%20Vault%E2%80%9D%20solution,3%20GitHub%20post)), QRL’s XMSS ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=1,not%20vulnerable%20to%20quantum%20attacks)), and previously IOTA’s WOTS ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=CoinMarketCap%20www)). They are also being tested or proposed for Bitcoin and Ethereum (Lamport/WOTS in BIP proposals ([Bitcoin Optech Newsletter #307 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/06/14/#draft-bip-for-quantum-safe-address-format#:~:text=,full%20quantum%20resistance%20to%20Bitcoin)) and Ethereum 3.0 plans ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Looking%20ahead%2C%20Ethereum%203,the%20exposure%20of%20private%20keys))). The main obstacle for wider use is the **signature size and one-time nature**. For instance, a Lamport or even WOTS signature can be a few kilobytes, versus 64 bytes for a current ECDSA signature. This impacts block size and network bandwidth. There are active research efforts to compress or make these more efficient, as well as combining them with ZK proofs to reduce on-chain footprint. But as of now, no major L1 blockchain has *fully switched* to hash-based signatures due to these practical issues. They are likely to appear first in niche uses or as part of hybrid schemes (e.g., a post-quantum scheme that uses hash-based sig just for key rotation, etc., or as an emergency fall-back). 
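The WOTS and XMSS mechanics described above (hash chains with a checksum as one-time keys, their public keys as leaves of a Merkle tree, the next unused leaf plus its authentication path forming the signature), as an added toy example that is not code from the page, from QRL, from RFC 8391 or from the Solana vault. Parameters (SHA-256, w = 16, a tiny tree, the domain-separation tags) are simplified choices made here; the block also shows why the signer’s state must only ever move forward.

```python
"""Toy XMSS-style signer: WOTS one-time keys under a Merkle root (SHA-256 only).

Added example; not code from the page, from QRL, or from the Solana vault.
Tiny tree and simplified chaining for illustration, not a production scheme.
"""
import hashlib

N = 32                      # SHA-256 output size in bytes
W = 16                      # Winternitz parameter: one hash chain per base-16 digit
L1 = (8 * N) // 4           # 64 digits cover the 256-bit message digest
L2 = 3                      # checksum digits: max checksum 64*15 = 960 < 16**3
L = L1 + L2                 # 67 chains per one-time key


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def chain(x: bytes, start: int, steps: int) -> bytes:
    """Hash x forward `steps` times; the position is mixed in so chains differ."""
    for pos in range(start, start + steps):
        x = H(b"chain", bytes([pos]), x)
    return x


def wots_digits(msg: bytes) -> list[int]:
    """Base-16 digits of H(msg) plus a checksum of (W-1 - digit) over them.

    The checksum is what stops someone from hashing a released chain value
    further and thereby 'signing' a different message with larger digits."""
    d = [nib for b in H(b"msg", msg) for nib in (b >> 4, b & 0xF)]
    csum = sum((W - 1) - x for x in d)
    return d + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]


def wots_keygen(seed: bytes) -> tuple[list[bytes], bytes]:
    """One-time key: L secret chain starts; the leaf is the hash of all chain ends."""
    sk = [H(b"sk", seed, i.to_bytes(2, "big")) for i in range(L)]
    return sk, H(b"leaf", *[chain(s, 0, W - 1) for s in sk])


def wots_sign(sk: list[bytes], msg: bytes) -> list[bytes]:
    return [chain(s, 0, d) for s, d in zip(sk, wots_digits(msg))]


def wots_leaf_from_sig(sig: list[bytes], msg: bytes) -> bytes:
    """Finish each chain from the signed position; a valid signature yields the leaf."""
    return H(b"leaf", *[chain(s, d, (W - 1) - d) for s, d in zip(sig, wots_digits(msg))])


def merkle_levels(leaves: list[bytes]) -> list[list[bytes]]:
    """levels[0] are the leaves, levels[-1] is [root]; len(leaves) must be 2**h."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(b"node", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def auth_path(levels: list[list[bytes]], idx: int) -> list[bytes]:
    """Sibling hashes from leaf idx up to the root (the XMSS authentication path)."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: list[bytes]) -> bytes:
    node = leaf
    for sib in path:
        node = H(b"node", node, sib) if idx % 2 == 0 else H(b"node", sib, node)
        idx >>= 1
    return node


class XmssSigner:
    """Holds 2**height one-time keys and the state (next unused leaf index)."""

    def __init__(self, seed: bytes, height: int):
        self.keys = [wots_keygen(H(b"ots", seed, i.to_bytes(4, "big")))
                     for i in range(1 << height)]
        self.levels = merkle_levels([leaf for _, leaf in self.keys])
        self.next_index = 0     # the state a stateful scheme must never lose or roll back

    @property
    def public_key(self) -> bytes:
        return self.levels[-1][0]     # the Merkle root is the master public key

    def sign(self, msg: bytes) -> tuple[int, list[bytes], list[bytes]]:
        if self.next_index >= len(self.keys):
            raise RuntimeError("tree exhausted: every one-time key has been used")
        idx = self.next_index
        self.next_index += 1          # advance state before releasing the signature
        return idx, wots_sign(self.keys[idx][0], msg), auth_path(self.levels, idx)


def xmss_verify(root: bytes, msg: bytes, sig: tuple) -> bool:
    """Recompute the leaf from the one-time signature, then the root from the path."""
    idx, ots_sig, path = sig
    return root_from_path(wots_leaf_from_sig(ots_sig, msg), idx, path) == root
```

With these parameters one signature is 67 + h hash outputs (2,240 bytes for a height-3 tree), which is the size cost the text contrasts with a 64-byte ECDSA signature.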
- **Lattice-Based Signatures (e.g., Dilithium, Falcon):** Lattice-based cryptography is viewed as one of the most promising post-quantum approaches. The security comes from problems like **Learning With Errors (LWE)** or the **Shortest Vector Problem (SVP)** in high-dimensional lattices – problems for which no efficient quantum algorithm is known. In essence, one can create a public key that is a random-looking matrix or vector derived from a secret lattice structure; signing involves proving knowledge of a close “short” vector to a certain lattice point without revealing it. The math is complex, but a few key schemes have emerged:
    - *CRYSTALS-Dilithium:* A lattice (module-LWE) based signature that was selected by NIST for standardization. It has relatively small public keys (~1.5 KB) and signatures (~2.7 KB) at a high security level, which is a big improvement over hash-based signature sizes. Verification and signing are quite fast (milliseconds). Dilithium’s security is well studied and believed to withstand quantum attacks (relies on hardness of lattice problems that have survived extensive cryptanalysis). Ethereum researchers have specifically mentioned lattice-based cryptography as something they want to integrate ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=To%20achieve%20quantum%20resilience%2C%20The,assets%20remain%20secure%20as%20quantum)), and Dilithium would be a top contender. If Ethereum or another chain were to switch to a PQ signature, a scheme like Dilithium could be deployed at the protocol level (perhaps via a new transaction type or account type). No major blockchain has done this yet, mainly because the standards were just finalized and implementing it would require deep changes – but it’s very plausible in the next few years.
    - *Falcon:* Another NIST-selected lattice signature (based on NTRU lattices). It has even smaller signatures (~600 bytes) and public keys (~900 bytes) for similar security, which is excellent, but it uses more complex math (FFT sampling) and is harder to implement correctly. Falcon might be suitable for blockchains if size is paramount, but its computational requirements (floating point operations, etc.) are a bit unusual for typical blockchain environments. It’s an option down the road.
    - *Other lattice schemes:* There are others like Rainbow (multivariate, not lattice, and broken recently) and GPS, etc., but Dilithium and Falcon are the primary standardized ones. Another lattice approach is using lattice-based **one-way functions** for one-time signatures or encryption (less relevant for signing). Also, **Kyber** (lattice-based KEM for encryption) was standardized, but that affects things like encrypted messaging, not transaction signatures.
    - *Security Principle:* The best quantum algorithm known for lattice problems is basically a brute-force (there’s no equivalent of Shor’s algorithm). While Grover’s algorithm could brute-force search keys, we can make keys larger to compensate. The community is confident that lattice cryptography, if properly parameterized, can thwart even quantum attackers for the foreseeable future. Importantly, these schemes have **much smaller signatures than hash-based ones** and don’t require one-time key management, making them very attractive for blockchain use once fully proven.
    - *Implementation Status:* As of now, no mainstream blockchain node software has lattice-based signatures built in. But we see movement: the Ethereum Foundation has been funding research into post-quantum cryptography; some projects like **Algorand** have planned to introduce post-quantum secure key options (Algorand announced testing of Falcon signatures for its cryptographic sortition in the future). Also, new blockchains and sidechains (like certain Hyperledger projects or CBDC trials) are experimenting with lattice-based signatures for internal use. It’s likely that within a couple of years, we’ll see at least testnets or optional modes where blockchains accept Dilithium or Falcon signatures for transactions. For now, the focus is on **testing and optimizing** these schemes (for example, ensuring a blockchain can handle the verification throughput if every signature is 2-3 KB). Ethereum’s plan, again, is to possibly allow such algorithms via account abstraction – e.g., a smart contract could verify a Dilithium signature on Ethereum today (in fact, one could write a verification function in EVM and use it for a contract wallet, though it might be slow without a precompile). Eventually, a precompile or built-in support could be added to make it efficient.
- **Multivariate and Code-Based Signatures:** These are other classes of post-quantum algorithms:
    - *Multivariate Quadratic (MQ) Signatures:* Based on the difficulty of solving systems of multivariate quadratic equations over finite fields. Examples include the now-broken Rainbow, and older schemes like MQDSS. Historically, MQ signatures have either been broken or had very large public keys. Rainbow was a second-round NIST candidate that got defeated by cryptanalysis in 2022. At the moment, there isn’t a widely trusted MQ signature scheme ready for use. So blockchains are not focusing here, given lattice and hash-based options are ahead.
    - *Code-Based Signatures:* Based on error-correcting code problems (like the difficulty of decoding random linear codes, which underlies McEliece encryption). For signatures, code-based approaches haven’t been as successful; one scheme called Picnic uses symmetric (hash) techniques with MPC in a way that also relies on some code-based assumptions. Generally, code-based methods have **huge public keys** (hundreds of kilobytes), which makes them impractical for blockchain identities. Thus, we don’t see much enthusiasm to use code-based signatures for crypto wallets, even though code-based *encryption* (like McEliece) is a strong post-quantum contender in other domains.
    - *Supersingular Isogeny (SIKE):* This was an isogeny-based public key encryption scheme (not a signature) that was once considered promising for post-quantum cryptography due to very small key sizes. However, SIKE was **broken in 2022** by a classical cryptanalysis, so isogeny-based crypto has fallen out of favor for now. There were no major signature schemes from isogenies that survived, so this is more a cautionary tale that some novel approaches can still get cracked. It underscores the need for caution: blockchains will likely adopt algorithms that have been vetted for many years.
- **Zero-Knowledge Proof Systems (STARKs):** While not a signature scheme for wallets, it’s worth noting zero-knowledge proofs as a related cryptographic tool:
    - *zk-STARKs* (as mentioned earlier) use hashes and Merkle trees to prove knowledge of some computation without revealing inputs. They are **post-quantum secure** because their security reduces to hash assumptions. Blockchains like Ethereum and Polygon plan to use STARKs for scalability (validity rollups) ([Polygon Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)), and projects like Mina and Celo are exploring recursive zk proofs. STARKs could indirectly help in a quantum world by providing proof-of-consistency or linking old keys to new keys securely, etc. They won’t, however, replace the need for PQ signatures, because STARKs prove statements but don’t *authorize transactions* by themselves – you still need a signature to show user intent. Nonetheless, their presence in the ecosystem means more of the crypto infrastructure will be quantum-robust.
- **Summary of Implementation Status:** No major L1 blockchain has yet *fully integrated* a quantum-resistant signature scheme for all users. However, the landscape is active:
    - **Bitcoin:** Discussions of which PQ algorithm and how to deploy (with ideas like hybrid ECDSA+Lamport scripts) are ongoing ([Bitcoin Optech Newsletter #307 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/06/14/#draft-bip-for-quantum-safe-address-format#:~:text=,full%20quantum%20resistance%20to%20Bitcoin)) ([Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)). A likely path is a soft fork in the future introducing a new address type that uses a chosen PQ signature (possibly after NIST standards are widely implemented in libraries). This would be optional at first, then could become the norm if the quantum threat materializes.
    - **Ethereum:** Actively preparing the ground by overhauling its transaction mechanism (account abstraction) to be agile in adopting new cryptography ([Vitalik Buterin’s ‘The Splurge’ Targets Quantum-Resistant Cryptography for Ethereum’s Future](https://cryptonews.com/news/vitalik-buterins-the-splurge-targets-quantum-resistant-cryptography-for-ethereums-future/#:~:text=Buterin%20explained%20how%20this%20upgrade,resistant%20algorithms%20in%20user%20interactions)). We might see Ethereum testnets that allow PQ signatures within a couple of years. Ethereum 3.0’s speculative 2027 target for quantum resistance ([Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Looking%20ahead%2C%20Ethereum%203,the%20exposure%20of%20private%20keys)) might align with the expected timeframe quantum computers could start being dangerous (late 2020s to 2030s).
    - **Polygon:** Will benefit from Ethereum’s upgrades; meanwhile, its work on STARKs already bakes in quantum resistance at the proof level ([Polygon Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)).
    - **Solana:** Ahead of the pack in offering an **actual quantum-resistant wallet option** (the Winternitz vault) on its mainnet for those who want it ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=Solana%20developers%20have%20created%20a,threats%20posed%20by%20quantum%20computers)) ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=The%20Solana%20quantum,assets%20are%20protected%20against%20potential)). This is currently unique among big platforms. It’s a voluntary solution, but it sets the stage for broader adoption or even a core protocol change down the line.
    - **XRP:** Conservatively waiting – likely to adopt a solution after it’s proven elsewhere. They acknowledge the need, but are prioritizing current efficiency until quantum computing advancements are more certain ([Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)).
    - **Others:** Some projects not covered above, like **Cardano**, have also looked into PQ crypto. Cardano’s developers have mentioned researching post-quantum algorithms and even experimenting with a hybrid key system (but nothing live yet) ([Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=CoinSwitch%20www)). Many newer or smaller chains are branding themselves as “quantum-resistant” to attract interest – often using known techniques like hash-based signatures (e.g., QRL as mentioned, or Nexus, HyperCash, etc.). While these aren’t (yet) household names, they provide valuable experimentation and lessons for larger chains.

## Conclusion

**No major blockchain has switched over to quantum-proof keys as of early 2025**, but all have either a plan or at least active research in progress:

- Bitcoin and Ethereum are *expected* to evolve with soft forks or upgrades to introduce quantum-safe cryptography when needed ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=capacity%20and%20reliability%20to%20perform,like%20it%E2%80%99ll%20soon%20become%20necessary)) ([Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=,network%20rollout%2C%20allowing%20a%20cautious)). Their developer communities are already drafting proposals and doing trial implementations of candidate algorithms. For Bitcoin the most promising proposal currently being discussed is [BIP 360: Pay to Quantum Resistant Hash](https://bip360.org/).
- Platforms like Solana are demonstrating that quantum-resistant wallets can be achieved *today* at the application level using hash-based signatures ([Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=Solana%20developers%20have%20created%20a,threats%20posed%20by%20quantum%20computers)), albeit with some practicality trade-offs.
- As the field of post-quantum cryptography matures (with NIST standardization of lattice and hash-based signatures completed in 2022-2023), we will see increasing momentum to integrate those into blockchain systems. It’s widely believed that we will transition to quantum-safe wallets **well before** quantum computers become a practical threat, ensuring the longevity and security of blockchain assets ([Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=capacity%20and%20reliability%20to%20perform,like%20it%E2%80%99ll%20soon%20become%20necessary)). For now, the groundwork is being laid, and users and developers interested in quantum-resistant solutions do have early options to experiment with, even if mainstream adoption is a few years away.

---

# References

- Bitcoin Optech (Bitcoin dev updates):
    - [Quantum resistance | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=%E2%97%8F%20ECDSA%20public%20keys%20used,delay%20upgrading%20until%20it%E2%80%99s%20necessary)
    - [Quantum resistance Schnorr signatures | Bitcoin Optech](https://bitcoinops.org/en/topics/quantum-resistance/#:~:text=used%20for%20proposed%20schnorr%20signatures,delay%20upgrading%20until%20it%E2%80%99s%20necessary)
    - [Bitcoin Optech Newsletter #307 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/06/14/#draft-bip-for-quantum-safe-address-format#:~:text=,full%20quantum%20resistance%20to%20Bitcoin)
    - [Bitcoin Optech Newsletter #301 | Bitcoin Optech](https://bitcoinops.org/en/newsletters/2024/05/08/#consensus-enforced-lamport-signatures-on-top-of-ecdsa-signatures#:~:text=%E2%97%8F%20Consensus,implement%20anything%20based%20on%20this)
- Vitalik Buterin & Ethereum roadmap updates:
    - [Ethereum Prepares for Quantum-Resistant Future Amid Security Push](https://thequantuminsider.com/2024/10/30/ethereum-prepares-for-quantum-resistant-future-amid-security-push/#:~:text=To%20achieve%20quantum%20resilience%2C%20The,assets%20remain%20secure%20as%20quantum)
    - [Vitalik Buterin’s ‘The Splurge’ Targets Quantum-Resistant Cryptography for Ethereum’s Future](https://cryptonews.com/news/vitalik-buterins-the-splurge-targets-quantum-resistant-cryptography-for-ethereums-future/#:~:text=Buterin%20explained%20how%20this%20upgrade,resistant%20algorithms%20in%20user%20interactions)
    - [Ethereum’s Roadmap for Post-Quantum Cryptography](https://www.btq.com/blog/ethereums-roadmap-post-quantum-cryptography#:~:text=Looking%20ahead%2C%20Ethereum%203,the%20exposure%20of%20private%20keys)
- Polygon technology blog:
    - [Polygon Zero Knowledge Strategy Explained](https://polygon.technology/blog/polygons-zero-knowledge-strategy-explained#:~:text=properties,very%20performant%2C%20and%20in%20the)
- Cointelegraph (Solana Winternitz vault news):
    - [Solana is now quantum-resistant, Solana dev claims](https://cointelegraph.com/news/solana-is-now-quantum-resistant-solana-dev-claims#:~:text=Solana%20developers%20have%20created%20a,threats%20posed%20by%20quantum%20computers)
- Solana Winternitz Vault docs:
    - [GitHub - deanmlittle/solana-winternitz-vault: Solana Winternitz quantum-resistant lamports vault](https://github.com/deanmlittle/solana-winternitz-vault#:~:text=The%20Solana%20Winternitz%20Vault%20is,quantum%20threats%2C%20including%20Grover%27s%20algorithm)
- U.Today (Ripple CTO on quantum resistance):
    - [Is XRP at Risk? Ripple CTO Ends Speculation About Quantum Threat](https://u.today/is-xrp-at-risk-ripple-cto-ends-speculation-about-quantum-threat#:~:text=At%20some%20point%2C%20cryptocurrencies%20like%C2%A0Bitcoin%2C,worth%20the%20tradeoffs%20right%20now)
- Uniblock Dev (quantum-resistant crypto overview):
    - [Which crypto coins are quantum resistant](https://www.uniblock.dev/blog/which-crypto-coins-are-quantum-resistant#:~:text=1,not%20vulnerable%20to%20quantum%20attacks)