Post-quantum blockchains (survey)
Post-quantum blockchains use signature schemes designed to resist quantum attack in place of the elliptic curve signatures that secure most networks today. A small number run post-quantum signatures in production, several major ecosystems are researching retrofits, and every design pays the same cost: post-quantum signatures and keys are roughly 10 to 100 times larger than the elliptic curve values they replace.
Why blockchains are a hard migration case
The threat is uniform: nearly every chain signs transactions over a discrete-logarithm-based curve, so quantum threat to ECDSA applies to Bitcoin, Ethereum, and most of their successors alike. The migration is not uniform. In post-quantum TLS, operators upgrade servers and clients centrally; on a blockchain, new consensus rules must be agreed, and then every individual key holder must move funds, so coins whose owners are absent stay exposed indefinitely (the governance consequences are examined in is Bitcoin quantum safe?). Ledger history is also permanent, so any key ever revealed remains attackable forever. This is why some projects chose post-quantum signatures from genesis while others plan cryptographic agility into account models so schemes can be swapped later.
Chains with post-quantum signatures in production
The Quantum Resistant Ledger (QRL) has run XMSS signatures since its mainnet launch in June 2018, one of the longest-running production deployments of post-quantum signatures on a public chain. XMSS is a stateful hash-based scheme built from Merkle trees of one-time keys: its security assumptions are conservative and well studied, but each one-time key may sign exactly once, so wallets must track signature indexes, and signatures run to several kilobytes. As of early 2026 the project is developing an EVM-compatible successor network that replaces XMSS with ML-DSA.
BTX is a proof-of-work chain derived from the Bitcoin codebase that replaces ECDSA with the two primary NIST signature standards, ML-DSA and SLH-DSA, at the protocol level (project site). The network is live as of early 2026 with a small mining base and an early ecosystem; like other from-genesis designs, it accepts larger transaction sizes up front so that no later signature migration is needed.
Post-quantum components inside classical chains
Algorand illustrates a partial approach. Everyday account transactions use Ed25519, which is quantum-vulnerable like ECDSA, but since 2022 the chain's State Proofs have been signed with Falcon, the compact lattice scheme standardized as FN-DSA / Falcon. State Proofs let light clients and bridges verify Algorand's history without trusting validators, so the chain's exported history is post-quantum protected even though individual account keys are not.
IOTA moved in the opposite direction, and the history is instructive. Its original protocol used Winternitz one-time signatures, a hash-based scheme that resists quantum attack but makes address reuse dangerous because each key is single-use. With the Chrysalis upgrade in 2021, IOTA adopted Ed25519, giving up quantum resistance in exchange for reusable addresses, standard tooling, and better performance. Post-quantum migration is not a one-way ratchet; usability pressures can and do push projects back to classical schemes.
Retrofit research on Bitcoin and Ethereum
Bitcoin's main concrete proposal is BIP 360, a draft pay-to-quantum-resistant-hash output type that would let coins commit to post-quantum verification data and be deployed as a soft fork; is Bitcoin quantum safe? covers it alongside the migration and governance questions.
Ethereum research runs along three lines as of early 2026: account abstraction, which lets individual accounts choose their own signature verification and therefore adopt post-quantum schemes without a global fork; validity proofs built only from hash functions (STARKs), which are conjectured quantum-resistant and could carry both scaling and signature aggregation; and contingency planning, including a hard-fork sketch by Vitalik Buterin for recovering most user funds after a surprise quantum break. None of these is deployed for ordinary transactions on mainnet.
Comparison
| Network | Signature scheme | Status as of early 2026 |
|---|---|---|
| QRL | XMSS (hash-based, stateful) | Live since 2018 |
| BTX | ML-DSA and SLH-DSA | Live proof-of-work network, small ecosystem |
| Algorand | FN-DSA (Falcon) for State Proofs; Ed25519 for accounts | State Proofs live since 2022 |
| IOTA | W-OTS historically; Ed25519 since 2021 | Moved away from hash-based signatures |
| Ethereum | ECDSA; post-quantum directions in research | Research stage |
| Bitcoin | ECDSA and Schnorr; BIP 360 drafted | Proposal stage |
The cost every design pays
Size is the unavoidable tradeoff. An ECDSA signature is 64 to 72 bytes with a 33-byte key; the standardized replacements are far larger, per FIPS 204 and FIPS 205.
| Scheme | Public key | Signature |
|---|---|---|
| ECDSA (secp256k1) | 33 bytes | about 71 bytes |
| Schnorr (BIP 340) | 32 bytes | 64 bytes |
| [[ml-dsa | ML-DSA-44]] | 1312 bytes |
| [[slh-dsa | SLH-DSA-128s]] | 32 bytes |
| [[fn-dsa | FN-DSA-512 (Falcon)]] | 897 bytes |
Every transaction carries at least one signature, so scheme size multiplies directly into block size, bandwidth, and archival storage, and verification cost shapes node requirements. Falcon's compactness makes it attractive for chains, but its signing algorithm needs careful floating-point implementation, which is why some projects avoid generating Falcon signatures in consumer wallets. Stateful hash-based schemes like XMSS shift risk into wallet engineering. The honest summary of the field as of early 2026: production experience exists and the standards are settled, but no design escapes the size penalty, and the largest ecosystems remain at the research or proposal stage.
Sources
- QRL documentation (The Quantum Resistant Ledger, 2018)
- Falcon signature implementation (Algorand (GitHub), 2022)
- IOTA Tangle Improvement Proposals (IOTA Foundation (GitHub), 2021)
- How to hard-fork to save most users' funds in a quantum emergency (Ethereum Research, 2024)
- BIP 360: Pay to Quantum Resistant Hash (Bitcoin BIPs repository, 2024)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
- FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
- BTX project site (btx.best, 2026)
Cite this entry
"Post-quantum blockchains (survey)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/post-quantum-blockchains@misc{pqwiki-post-quantum-blockchains,
title = {Post-quantum blockchains (survey)},
howpublished = {\url{https://postquantum.wiki/post-quantum-blockchains}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}