Why upgrade if PQ signatures are not yet proven?
The dirty secret of efforts to upgrade blockchains to post-quantum cryptography is that no one is sure if any of them work.
None of the signatures being considered by major blockchains as quantum-resistant upgrades has been proven secure. Until a cryptographically relevant quantum computer exists, we won’t know for certain whether they hold up against one, and some may fall to attacks using existing classical computers well before Q Day.
The National Institute of Standards and Technology evaluated 69 post-quantum candidate algorithms in the first round of its standardization process, and two that reached the later rounds, Rainbow and SIKE, were broken with classical computers before the process finished.
The three digital signature schemes it selected are its best judgment of which ones are most likely to survive a quantum attack. It chose the lattice-based CRYSTALS-Dilithium (standardized as ML-DSA) as the primary scheme, another lattice-based scheme, Falcon (FN-DSA), for use cases that demand smaller signatures, and the hash-based SPHINCS+ (SLH-DSA) as a conservative backup whose security rests only on the underlying hash function.
“If something looks good, they’re going to say: ‘OK, try it. We’ll let you know when something fails.’ And then we expect you to change,” explains Yoon Auh from post-quantum tech provider BOLTS.
He adds that existing cryptography, like RSA, ECC and AES, have only been proven to be secure by the passage of time. Other algorithms did not survive.
“Cryptographers and applied cryptographers don’t like to point this out,” he chuckles. “In the entire history of modern cryptography, there’s only ever been one provably secure cipher mathematically. One. And that’s called a one-time pad. And it is virtually useless for digital commerce.”
“Everything we’ve been using: AES, RSA, ECC. Everything that’s coming out in the PQC [post-quantum cryptography] universe with all its variants are unprovably secure. You can’t prove it. That is the reason why there’s so many PQC variants coming out of standards agencies like NIST. They can’t tell you which one’s going to be secure definitively and mathematically.”
“Over time, we’re going to do a systematic weeding out. But, the only way you’re going to do that is you’re going to have people actually trying to research and attack this thing, and whatever variants are being used.”
Why upgrade if PQ signatures are not yet 100% proven?
For some Bitcoiners, that’s reason enough to hold off on upgrading Bitcoin to post-quantum cryptography for now. In a recent report, Coinshares analyst Christopher Bendiksen argued that even upgrades like BIP-360, which defines a new type of quantum-resistant output (and hence address), are pointless for now.
“Introducing new address formats before the cryptography underpinning them is fully understood and proven is extremely risky and not advisable,” he wrote.
“Before practical quantum computers exist, we cannot know whether quantum resistant cryptography provably works…. We risk spending scarce development resources on implementing solutions that turn out to be inefficient at best, and rapidly obsolete or outright faulty at worst.”
Unfortunately, blockchains don’t have the luxury to wait around for proven quantum resistance before upgrading. Quantum computing experts believe there’s a live possibility a cryptographically relevant quantum computer could emerge in the next five to ten years. Construction of PsiQuantum’s 1 million qubit array has already begun in Chicago.
One idea that Bitcoin and Ethereum devs are considering is to upgrade in a way that allows for multiple signature types — so that if one breaks, another can be used in its place.
BOLTS is working on a pilot program for the Canton Network that lets banks and institutions use different signatures complying with the standards of different jurisdictions. Its QFlex technology allows dynamic switching between classical and post-quantum algorithms, so users can hot-swap signature schemes as often as they like. QFlex received an SBIR Phase 1 Award from NIST, but it is a commercial technology that must be licensed, which makes it unlikely to be embraced by the open-source blockchain community.
Ethereum has three main areas to upgrade to post-quantum
Ethereum has three main areas it needs to upgrade: the secp256k1 elliptic-curve (ECDSA) signatures on the execution layer, the BLS validator signatures on the consensus layer and the KZG polynomial commitments used for blob data on the data availability layer.
The plan at this stage, which is subject to change, is to use account abstraction (smart accounts) to offer a menu of post-quantum signatures on the execution layer. These may be both lattice- and hash-based, allowing users to employ the smaller but newer lattice variants, with the older and more proven hash-based signatures as the bomb-proof fallback.
“For execution we do not really need to choose a single one thanks to account abstraction,” explains Antonio Sanso from Ethereum’s post quantum team. “We can ship multiple and let the user choose the signature.”
High-profile researcher Justin Drake explained recently that upgrading to native account abstraction is the key to signature switching.
“You can switch your signature scheme very easily because smart contracts are very flexible. And so inside the smart contract, for example, we can say that today we want signature scheme A. And if we find some very interesting research topic in five years, you can switch to a signature scheme B so that it will not impact you at all as a user. And you can still have your funds in the same address without any change for you.”
Bitcoiner helped develop ETH’s consensus layer signature scheme
The consensus layer overhaul will likely use a hash-based, ZK-friendly version of the eXtended Merkle Signature Scheme (XMSS). Called LeanSig, it was developed in conjunction with Blockstream cryptographer Mikhail Kudinov.
Sanso explains that hash-based cryptography is the most battle-tested cryptography. Hashing rests on a more conservative assumption than the newer lattice constructions: Shor’s algorithm, which breaks RSA and elliptic-curve signatures, does not apply to hash functions, and the best known quantum attack on them, Grover’s algorithm, gives only a quadratic speed-up on preimage search, which a larger output size offsets.
“We took the most conservative assumption there—hash functions. We are not taking fancy assumptions in Lean Ethereum. It uses only hashing technology,” says Sanso, adding that if quantum computers can crack hashing, then all cryptography is dead.
“Cryptography cannot exist without hashing. All cryptography uses hash functions…. if it exists [a way to break hashing] we are doomed as human beings. That’s over for cryptography.”
The NIST-approved post-quantum signatures are at least ten times larger than the existing signatures, and with one million validators, the consensus layer needs to process thousands of signatures per second. That’s why Ethereum plans to aggregate and compress signatures into ZK proofs, and why it hopes to use the ZK-friendly Poseidon2 hash function.
“By the time we launch Poseidon, it should be pretty safe in the sense that it will have been analyzed for a whole ten years,” Drake told Bankless this week. “It will have been securing many billions of dollars through the L2’s, and it will have gone through cryptanalysis by all of the top experts in the field. And also recently, we just announced a $1 million prize to try and break Poseidon.”
Drake says they plan to pull the trigger on integrating Poseidon next year. That will be eight years after the hash function was first introduced in a preprint paper in 2019.
“You can’t just prove that they’re secure. The best that you can do is the lack of an attack that proves that they are insecure. And so there’s basically this baking time and the order of magnitude that I have in mind is eight years. Why eight years? Because when Satoshi picked SHA-256, it was eight years old. When Vitalik picked Keccak, it was eight years old, coincidentally. And so, you know, I would want Poseidon to be at least eight years old, which it will be when we do deploy it on Ethereum.”
(Technically, Keccak was six years old when Vitalik picked it in 2014, but it was based on work that was eight years old, so we’ll give that a pass.)
The data availability layer also seems likely to migrate to ZK-based constructions.
Bitcoin’s BIP-360 does not pick a PQ signature
BIP-360 coauthor Ethan Heilman explains that the latest version of the proposal allows post-quantum signature algorithms to be added to Bitcoin at a later date by adding new opcodes to Tapscript.
“There is a lot of work happening on post quantum signature schemes, we might want to adopt one signature scheme and then later design another scheme that is more desirable. Maybe it is more secure, has smaller signatures, or supports some new scaling approach. The approach taken in BIP 360 provides us a nice way to add signature algorithms if the Bitcoin community decides they want a new algorithm. If we think about Bitcoin in twenty years, 2046-era Bitcoin, we are likely to have absurdly better post quantum signature schemes.
“Another benefit of having this flexibility, is hedging the risk of choosing a post quantum signature scheme and then discovering it is broken with a classic attack. Most post quantum signatures schemes are fairly new and not yet mature.”
He says the script tree BIP-360 uses would allow two different signature algorithms to sit behind one output: perhaps a more conservative hash-based scheme with large signatures like SLH-DSA (SPHINCS+) alongside a lighter but less battle-tested algorithm like ML-DSA (Dilithium).
“This means if ML-DSA was broken, you could just switch over to SLH-DSA and be safe from attacks on ML-DSA.”
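The fallback described above for Bitcoin’s script tree, and earlier for Ethereum’s account abstraction, as an added example that is not code from BIP-360, Ethereum, Blockstream or any project on the page: two signature schemes are leaves of a Merkle script tree whose root is the address, a spend reveals one leaf with its scheme id, public key, signature and Merkle path, and validators can switch a leaf off once its scheme is judged broken while the other leaf still spends the same coins. The scheme names SCHEME_A and SCHEME_B, the tag strings, and the use of a Lamport one-time signature over SHA-256 and over SHA3-256 as stand-ins for SLH-DSA and ML-DSA are assumptions of this example; a real deployment would use the actual schemes and a many-time signature.

```python
"""Signature agility with a fallback leaf (added example; stand-in schemes)."""
import hashlib
import secrets
from typing import Callable, Dict, List, Set, Tuple

N = 32                      # digest and secret size in bytes
Hash = Callable[[bytes], bytes]
# Assumed scheme ids. Lamport-over-SHA-256 stands in for the conservative
# hash-based leaf (SLH-DSA); Lamport-over-SHA3-256 for the lighter leaf (ML-DSA).
SCHEMES: Dict[str, Hash] = {
    "SCHEME_A": lambda b: hashlib.sha256(b).digest(),
    "SCHEME_B": lambda b: hashlib.sha3_256(b).digest(),
}

# --- Lamport one-time signature: security reduces to preimage resistance of h ---
def lamport_keygen(h: Hash):
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(h(a), h(b)) for a, b in sk]          # publish the hash of every secret
    return sk, pk

def _bits(h: Hash, msg: bytes) -> List[int]:
    d = h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(8 * N)]

def lamport_sign(h: Hash, sk, msg: bytes) -> List[bytes]:
    # One-time: reveal, per message bit, the secret matching that bit. Never reuse sk.
    return [sk[i][b] for i, b in enumerate(_bits(h, msg))]

def lamport_verify(h: Hash, pk, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 8 * N:
        return False
    return all(h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(h, msg)))

# --- Script tree: one leaf per (scheme id, public key), Taproot-style tagged hashes ---
def tagged_hash(tag: str, data: bytes) -> bytes:
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def leaf_hash(scheme_id: str, pk) -> bytes:
    pk_bytes = b"".join(a + b for a, b in pk)
    return tagged_hash("PQLeaf", scheme_id.encode() + hashlib.sha256(pk_bytes).digest())

def _branch(a: bytes, b: bytes) -> bytes:
    # Lexicographic ordering: a Merkle path needs no left/right direction bits.
    return tagged_hash("PQBranch", b"".join(sorted((a, b))))

def merkle_root_and_proofs(leaves: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    proofs: List[List[bytes]] = [[] for _ in leaves]
    level = [(h, [i]) for i, h in enumerate(leaves)]   # (node hash, leaf indices below it)
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (lh, li), (rh, ri) = level[j], level[j + 1]
            for i in li:
                proofs[i].append(rh)
            for i in ri:
                proofs[i].append(lh)
            nxt.append((_branch(lh, rh), li + ri))
        if len(level) % 2:
            nxt.append(level[-1])                      # odd node is promoted unchanged
        level = nxt
    return level[0][0], proofs

def merkle_verify(root: bytes, leaf: bytes, proof: List[bytes]) -> bool:
    node = leaf
    for sib in proof:
        node = _branch(node, sib)
    return node == root

# --- Output creation and spend validation ---
def make_output(keys: List[Tuple[str, list]]):
    """keys = [(scheme_id, pk), ...]; returns (root, which acts as the address, proofs)."""
    return merkle_root_and_proofs([leaf_hash(s, pk) for s, pk in keys])

def validate_spend(root: bytes, tx: bytes, witness: dict, disabled: Set[str]) -> bool:
    """witness = {scheme, pk, sig, proof}; `disabled` models leaves switched off by
    consensus after the scheme is broken (the page's 'switch over to SLH-DSA')."""
    scheme = witness["scheme"]
    if scheme in disabled or scheme not in SCHEMES:
        return False
    if not merkle_verify(root, leaf_hash(scheme, witness["pk"]), witness["proof"]):
        return False
    return lamport_verify(SCHEMES[scheme], witness["pk"], tx, witness["sig"])

def demo() -> Dict[str, bool]:
    keys = {s: lamport_keygen(h) for s, h in SCHEMES.items()}
    order = list(SCHEMES)
    root, proofs = make_output([(s, keys[s][1]) for s in order])
    tx = b"constructed tx: 1 input, 1 output, 100000 sat"   # constructed sample message
    def wit(s, msg):
        sk, pk = keys[s]
        return {"scheme": s, "pk": pk, "sig": lamport_sign(SCHEMES[s], sk, msg),
                "proof": proofs[order.index(s)]}
    w_b = wit("SCHEME_B", tx)
    return {
        "b_ok_today": validate_spend(root, tx, w_b, set()),
        "b_rejected_after_break": validate_spend(root, tx, w_b, {"SCHEME_B"}),
        "a_fallback_ok": validate_spend(root, tx, wit("SCHEME_A", tx), {"SCHEME_B"}),
        "tampered_tx_rejected": validate_spend(root, tx + b"!", w_b, set()),
        "wrong_leaf_rejected": validate_spend(root, tx, dict(w_b, scheme="SCHEME_A"), set()),
    }
```

Two design points carry over to the real thing: the address commits to every leaf up front, so the fallback leaf exists before anyone knows which scheme will break, and disabling a scheme is a validation-rule change rather than a key migration, which is why funds stay at the same address. Because Lamport keys are one-time, `demo()` signs each key exactly once; a deployable leaf would use a many-time scheme such as the ones named on the page.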
Another option Heilman has suggested would be to keep using the existing Schnorr signatures, but build in the ability to switch over to SLH-DSA when Q Day approaches. As better post-quantum signatures were developed, they could be considered for inclusion instead.
Yet another possibility is SHRINCS signatures, which are a tenth the size of SLH-DSA signatures. They were proposed by Blockstream Research’s Kudinov and Jonas Nick in late 2025 and optimize the more conservative hash-based signature technology for Bitcoin.
Andrew Fenton
Andrew Fenton is a writer and editor at Cointelegraph with more than 25 years of experience in journalism and has been covering cryptocurrency since 2018. He spent a decade working for News Corp Australia, first as a film journalist with The Advertiser in Adelaide, then as deputy editor and entertainment writer in Melbourne for the nationally syndicated entertainment lift-outs Hit and Switched On, published in the Herald Sun, Daily Telegraph and Courier Mail. He interviewed stars including Leonardo DiCaprio, Cameron Diaz, Jackie Chan, Robin Williams, Gerard Butler, Metallica and Pearl Jam. Prior to that, he worked as a journalist with Melbourne Weekly Magazine and The Melbourne Times, where he won FCN Best Feature Story twice. His freelance work has been published by CNN International, Independent Reserve, Escape and Adventure.com, and he has worked for 3AW and Triple J. He holds a degree in Journalism from RMIT University and a Bachelor of Letters from the University of Melbourne. Andrew holds ETH, BTC, VET, SNX, LINK, AAVE, UNI, AUCTION, SKY, TRAC, RUNE, ATOM, OP, NEAR and FET above Cointelegraph’s disclosure threshold of $1,000.
Disclaimer
Cointelegraph Magazine publishes long-form journalism, analysis and narrative reporting produced by Cointelegraph’s in-house editorial team with subject-matter expertise.
All articles are edited and reviewed by Cointelegraph editors in line with our editorial standards.
Content published in Magazine does not constitute financial, legal or investment advice. Readers should conduct their own research and consult qualified professionals where appropriate. Cointelegraph maintains full editorial independence.