Quantum-Resistant Crypto: The Blockchain Challenges Ahead

Post-quantum crypto is coming, and the real challenge is the politics, hardware, and scaling pain. Here’s what breaks, and who’s not ready.


Date: Jun 17, 2025

Author: Quantum Canary Staff

In August 2024, NIST ended the standards debate by publishing FIPS 203, 204 and 205: the first production-grade post-quantum KEM and signature specifications, standardizing Kyber as ML-KEM, Dilithium as ML-DSA and SPHINCS+ as SLH-DSA. That publication settled the algorithm question and opened a harder one:

How can developers retrofit blockchains designed around compact 64-byte ECDSA signatures with post-quantum schemes whose signatures are roughly ten to several hundred times larger, depending on the scheme?

Investors are bound to feel the shift too. A quantum-capable attacker does not need to break SHA-256 to drain wallets; recovering private keys from exposed public keys with Shor's algorithm would be enough, if a machine large enough to run it is ever built. Public keys that are already on-chain cannot be un-exposed, and encrypted traffic is already being harvested for future decryption.

The key question now isn't whether quantum risk is real; it's how hard the retrofit will hit throughput, fees and tokenomics. Let's walk through the engineering choke points, the social bottlenecks, and the hardware that will decide which chains arrive in the quantum era intact and which fork themselves into irrelevance while playing catch-up.

The efficiency paradox

Running lattice or hash-based signatures on a chain designed around 64-byte ECDSA is more complicated than it may seem. Because the change is deep surgery that touches consensus, storage and networking at once, performance metrics can turn unfavorable quickly and create new scaling problems. That is one of the main reasons developers hesitate to invest heavily in quantum-resistant cryptography.

Two test-bed studies replayed three years of Bitcoin-sized blocks with PQ signatures and saw effective transactions per second (TPS) fall by 2x to 6x, depending on the algorithm and security level. Independent DLT simulations reported similar degradation. Storage, mempool bandwidth and light-client sync times degrade in lockstep.

Below is a quick look at the payload bloat you're signing up for: size in bytes (B) and the multiplier versus a 64 B ECDSA signature.

Signature schemes by byte size & multiplier (figure not reproduced here)

Moving big signatures isn't the only burden. Verification of lattice schemes is dominated by polynomial arithmetic (NTT, or FFT in Falcon's case), which in portable code costs several times the cycles of an optimized ECDSA verify; hash-based SLH-DSA verification is slower by one to two orders of magnitude. AVX2 or custom RTL recovers much of that gap for lattice schemes, but nodes without it pay the full price.

In an Ethereum EVM prototype, a single Dilithium verification costs approximately 200,000 gas. At 30 gwei and current ETH prices that is more than $10 just to prove you own the coins, a serious barrier on a chain already notorious for insufficient scaling capacity. Layer 2s can lower the cost per transaction, but they still inherit the same relative slowdown from PQ verification: they help on cost, not on the fundamental friction of heavier cryptography.
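The sizing argument above can be checked with a small byte-budget model. The following Python is an added example, not code from the article or from any chain. The signature and public-key sizes are the published FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) and Falcon parameter-set values; the 1,000,000-byte block, 600-second interval and per-transaction overheads are assumptions that approximate a Bitcoin-style chain without its witness discount, and the gas-cost helper takes an assumed ETH price. Because a spend reveals the public key as well as the signature, both are counted per input.

```python
"""Byte-budget model: what post-quantum signatures do to a fixed-size block.

Added example; not code from the article or from any blockchain project.
Key/signature sizes are the FIPS 204, FIPS 205 and Falcon (round 3) values.
Block size, block interval and per-transaction byte overheads are assumptions
that resemble a Bitcoin-style chain with a flat 1,000,000-byte limit; the
witness discount is deliberately ignored to keep the model transparent.
"""

# scheme -> (public key bytes, signature bytes). A spend reveals both.
SCHEMES = {
    "ECDSA-secp256k1": (33, 64),        # compressed pubkey, raw r||s
    "Falcon-512": (897, 666),
    "Falcon-1024": (1793, 1280),
    "ML-DSA-44": (1312, 2420),          # Dilithium2
    "ML-DSA-65": (1952, 3309),          # Dilithium3
    "ML-DSA-87": (2592, 4627),          # Dilithium5
    "SLH-DSA-SHA2-128s": (32, 7856),    # SPHINCS+ small
    "SLH-DSA-SHA2-128f": (32, 17088),   # SPHINCS+ fast
}

BLOCK_BYTES = 1_000_000       # assumed flat block size limit
BLOCK_INTERVAL_S = 600        # assumed block interval
TX_OVERHEAD_BYTES = 60        # assumed version, counts, locktime, etc.
INPUT_OVERHEAD_BYTES = 41     # assumed outpoint + sequence, excluding witness
OUTPUT_BYTES = 34             # assumed value + short script per output
BASELINE = "ECDSA-secp256k1"


def witness_bytes(scheme: str) -> int:
    """Bytes a single input must carry: public key plus signature."""
    pk, sig = SCHEMES[scheme]
    return pk + sig


def tx_bytes(scheme: str, inputs: int = 1, outputs: int = 2) -> int:
    """Serialized size of one transaction under the assumed layout."""
    return (TX_OVERHEAD_BYTES
            + inputs * (INPUT_OVERHEAD_BYTES + witness_bytes(scheme))
            + outputs * OUTPUT_BYTES)


def txs_per_block(scheme: str, inputs: int = 1, outputs: int = 2,
                  block_bytes: int = BLOCK_BYTES) -> int:
    return block_bytes // tx_bytes(scheme, inputs, outputs)


def tps(scheme: str, inputs: int = 1, outputs: int = 2) -> float:
    return txs_per_block(scheme, inputs, outputs) / BLOCK_INTERVAL_S


def slowdown_vs_ecdsa(scheme: str, inputs: int = 1, outputs: int = 2) -> float:
    """How many times fewer transactions fit compared with the ECDSA baseline."""
    return txs_per_block(BASELINE, inputs, outputs) / txs_per_block(scheme, inputs, outputs)


def block_bytes_for_parity(scheme: str, inputs: int = 1, outputs: int = 2) -> int:
    """Block size that would restore the ECDSA-era transaction count."""
    return txs_per_block(BASELINE, inputs, outputs) * tx_bytes(scheme, inputs, outputs)


def verify_cost_usd(gas: int, gas_price_gwei: float, eth_usd: float) -> float:
    """Fee for one on-chain verification: gas * price (1 gwei = 1e-9 ETH)."""
    return gas * gas_price_gwei * 1e-9 * eth_usd


def report(inputs: int = 1, outputs: int = 2) -> dict:
    """Per-scheme summary used by the stand-alone run below."""
    return {s: {"witness_B": witness_bytes(s),
                "txs_per_block": txs_per_block(s, inputs, outputs),
                "tps": round(tps(s, inputs, outputs), 2),
                "slowdown": round(slowdown_vs_ecdsa(s, inputs, outputs), 1),
                "parity_block_MB": round(block_bytes_for_parity(s, inputs, outputs) / 1e6, 1)}
            for s in SCHEMES}


if __name__ == "__main__":
    for scheme, row in report().items():
        print(f"{scheme:20s} {row}")
    print("Dilithium verify at 200k gas, 30 gwei, $2,500/ETH: "
          f"${verify_cost_usd(200_000, 30, 2_500):.2f}")
```

With single-input transactions and no witness discount, Falcon-512 lands near the top of the 2x to 6x range quoted above and ML-DSA-44 well beyond it; that gap is what block-cap increases, witness discounts and signature aggregation have to close. Multi-input transactions make it worse, since every input repeats the key-plus-signature payload.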

Hybrid signatures are unlikely to help much with cost. Concatenating ECDSA with Dilithium or Falcon adds the two payloads together and introduces dual-verification code paths. Their value is insurance against an immature PQ scheme being broken during the transition, not efficiency, and NIST's own migration memo calls hybrids "temporary measures", which should tell engineers everything they need to know about relying on them for the long term.

The upgrade dilemma is rooted in governance, not math

Implementing quantum-resistant crypto is in large part a people problem. The algorithms exist and the standards are published, but deploying post-quantum security means:

  • Updating consensus rules

  • Migrating dormant keys

  • Asking stakeholders to agree on a fork when they may not be technical enough to understand what is at stake, or engaged enough to support the chain's health.

Bitcoin developer Agustin Cruz's QRAMP draft BIP proposes a flag-day hard fork that forces every unspent output into a PQ address; coins not migrated by the deadline would be burned. The idea sparked a clamor on the mailing lists and a few headlines. Yet there is little room to disagree on the mechanics: a lattice or hash-based scheme cannot be added to Taproot without a consensus change, so some fork is unavoidable.

Bitcoin's real hurdle is social: miners, exchanges and holders of long-dormant UTXOs would all have to agree to break long-standing assumptions. That could even trigger a crisis of confidence that other parts of the protocol, such as the supply limit, are more malleable than many had trusted.

Ethereum, similarly, can adopt new signature schemes at the contract layer, but only if wallets and clients keep up. According to users on ethresear.ch, Falcon verification via an EVM pre-compile still hits upwards of 1.9 million gas unless a dedicated NTT opcode lands in a future hard fork. Meanwhile, every EOA that has ever sent a transaction has exposed its public key (it is recoverable from the ECDSA signature), so it remains harvestable. Until every actor rotates keys, the chain inherits the weakest link.

Furthermore, protocols that advertise quantum-safe properties often patch a single hop, such as the validator handshake, while leaving user wallets, bridges, oracles and backups on ECDSA. Attackers go for the unpatched hop because it is, by definition, the weakest point in the chain. Marketing claims confer no actual protection, though they may convince investors otherwise.

What’s already moving

The industry is already adapting, but progress is unevenly distributed. A cluster of green-field chains and hardware vendors are building directly for lattice and hash-based signatures. None is mature enough to carry Ethereum-scale value today, but together they sketch the road map.

Project/tech                 | Approach                                         | Status
QRL                          | XMSS hash-based signatures native since genesis  | Mainnet 2018; low TPS but proven.
Algorand                     | Falcon for state proofs + upgrades underway      | Post-quantum roadmap published 2024.
SEALSQ QS7001                | Wallet chip with Dilithium/Kyber in silicon      | Sampling, launch by YE 2025.
PHOENIX / FPGA NTT-FFT core  | Shared accelerator for ML-KEM & ML-DSA           | Prototype SoC shows 5-10x speed-up.
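QRL's XMSS entry above rests on one-time hash-based signatures, and the payload discussion earlier rests on how large they are. The following Python is an added example, not QRL's code or XMSS itself: a Lamport one-time signature over SHA-256, which is the primitive XMSS organizes into a Merkle tree. It shows two things the article only states: the byte cost (an 8,192-byte signature, 128 times a raw ECDSA signature, plus a 16 KB public key) and the reason such keys are strictly one-time, since after a key has signed enough messages an attacker can assemble a valid signature on a message of their own choosing without ever seeing the key. The messages and the `forge_after_reuse` search are constructed for the demo.

```python
"""Lamport one-time signature over SHA-256, the simplest hash-based scheme.

Added example, not code from the article, QRL or any XMSS implementation.
It demonstrates hash-based signature size and the key-reuse hazard that
makes XMSS-style schemes stateful. Sample messages are constructed here.
"""
import hashlib
import os

N = 32               # SHA-256 digest length in bytes
BITS = 8 * N         # one secret pair per digest bit
ECDSA_SIG_BYTES = 64


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes) -> list:
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = h(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def keygen(rng=os.urandom):
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes) -> bytes:
    """Reveal sk[i][bit_i] for every digest bit; concatenation is the signature."""
    return b"".join(sk[i][bit] for i, bit in enumerate(digest_bits(message)))


def verify(pk, message: bytes, sig: bytes) -> bool:
    """Hash each revealed secret and compare with the matching public-key half."""
    if len(sig) != BITS * N:
        return False
    return all(h(sig[i * N:(i + 1) * N]) == pk[i][bit]
               for i, bit in enumerate(digest_bits(message)))


def sizes() -> dict:
    """Byte sizes and the multiplier versus a raw 64-byte ECDSA signature."""
    sig = BITS * N
    return {"sk": 2 * BITS * N, "pk": 2 * BITS * N, "sig": sig,
            "sig_multiplier_vs_ecdsa": sig // ECDSA_SIG_BYTES}


def exposed_secrets(signed: list) -> list:
    """What an observer learns from (message, signature) pairs under one key:
    per position, a dict {bit: revealed preimage}."""
    learned = [dict() for _ in range(BITS)]
    for message, sig in signed:
        for i, bit in enumerate(digest_bits(message)):
            learned[i][bit] = sig[i * N:(i + 1) * N]
    return learned


def forge(learned: list, target: bytes):
    """Assemble a signature on `target` from revealed secrets alone, or return
    None if some digest bit of `target` needs a secret never revealed."""
    parts = []
    for i, bit in enumerate(digest_bits(target)):
        if bit not in learned[i]:
            return None
        parts.append(learned[i][bit])
    return b"".join(parts)


def forge_after_reuse(sk, pk, reuse_count: int, attempts: int = 20000, rng=os.urandom):
    """Sign `reuse_count` random messages with one key, then search for a fresh
    message the attacker can sign with no key. Returns (message, signature) or None."""
    signed = [(m, sign(sk, m)) for m in (rng(16) for _ in range(reuse_count))]
    learned = exposed_secrets(signed)
    for attempt in range(attempts):
        target = b"attacker-chosen-" + attempt.to_bytes(4, "big")
        sig = forge(learned, target)
        if sig is not None and verify(pk, target, sig):
            return target, sig
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    print(sizes())
    m = b"tx: send 1 coin"
    s = sign(sk, m)
    print("valid:", verify(pk, m, s), "tampered:", verify(pk, b"tx: send 2 coins", s))
    print("forgery possible after 1 signature:", forge_after_reuse(sk, pk, 1) is not None)
    print("forgery possible after 12 signatures:", forge_after_reuse(sk, pk, 12) is not None)
```

With one signature, every candidate forgery still needs at least one unrevealed secret, so the search fails; after about a dozen signatures under the same key, roughly 94% of random candidates are fully covered and a forgery appears on the first few tries. XMSS avoids this by assigning each leaf key to exactly one signature, which is why a wallet that restores from an old backup and reuses a leaf index is the classic failure mode for stateful hash-based schemes.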

While signature generation matters for usability, especially on constrained devices, verification throughput dominates blockchain performance. Every node verifies the signatures on every transaction, so accelerating verification, especially on-chain, is the real bottleneck.

Unlike SHA-256, where ASICs reinforced an algorithm the network had already chosen, post-quantum adoption won't be driven by hardware availability alone. But once efficient verification fits into existing fee models and block limits, the ecosystem will converge quickly.

At least five metrics are worth tracking on the hardware front:

  • Signature verification latency per core under peak load

  • Effective TPS loss relative to 2024 baseline

  • Hardware-wallet firmware support for Dilithium/Falcon

  • Alignment with the milestones in NIST's draft migration guide (NIST IR 8547)

  • Total node RAM consumed by signature verification

Clean-sheet L1s can buy freedom from legacy baggage, but liquidity is sticky, and it erodes if holders must take burdensome steps to secure their assets. Expect wrapped tokens and bridges rather than cold starts, which imports classical risk unless bridge validators also rotate to PQ signatures.

Remember that migrating to quantum-secure systems is self-defeating if it increases classical risk, which is a likely outcome of rushed or fragmented implementations. Some early cross-chain coordination exists in interoperability protocols such as LayerZero and Wormhole, but these focus on bridging assets rather than on standardized, post-quantum-safe message formats. A cohesive, ecosystem-wide framework for secure quantum-era messaging is nascent at best, and critical decisions remain unresolved.

Takeaways for builders and backers

Amid these challenges, there are a handful of practical steps engineers can take to prepare for the post-quantum future.

  • Budget for bulk first. Even Falcon-512's roughly 666-byte signature (plus its 897-byte public key, revealed on every spend) multiplies chain storage, mempool traffic and RPC bandwidth. Expect pressure to raise block caps or to move to roll-ups that can aggregate proofs.

  • Governance is central, and it beats cryptography; for most projects it is an afterthought. Hard forks succeed when miners and exchanges sign on, not when Reddit or Crypto Twitter applauds. Start the politics early so they are finished before they become a vulnerability, and don't under-invest in comprehensive solutions: governance loopholes get exploited on a long enough timescale.

  • Hardware is a gating factor, and it cannot be front-run. If online signing hardware can't handle PQC operations efficiently, high-frequency traders and other speed-sensitive users will resist adoption. Cold storage, being manual and infrequent, is less affected. SEALSQ and similar efforts are worth watching for timing signals.

  • Hybrids may be useful for phased cut-overs, but they don't remove the need to migrate everything before Q-day, so acting before that deadline is as imperative as ever. Once a practical quantum machine exists, attackers will replay years of archived traffic and on-chain data looking for the lowest-hanging fruit.

Chains that treat quantum resistance as a problem for tomorrow's CTO may find that tomorrow arrives without notice and demands changes they can't implement overnight. It is far better to be prepared today than to beg for trust after news of the first big problem breaks on social media.

Editor-in-Chief
Christopher Smith

Serial Entrepreneur, Hacker, Engineer, Musician.
With a rich career in AI leadership, blockchain innovation, and quantum technology, Chris brings a unique blend of technical mastery and philosophical insight. He continues to push the boundaries of what's possible, driven by a belief that technology, wielded thoughtfully, can redefine humanity's future for the better.

Sponsored by: Quantus Network