<p>Many thanks to <a href="https://x.com/DiscoKobi"><span style="text-decoration: underline">Kobi</span></a>, <a href="https://x.com/__lostin__"><span style="text-decoration: underline">Lostin</span></a>, <a href="https://x.com/qkniep"><span style="text-decoration: underline">Quentin</span></a>, <a href="https://x.com/0xIchigo"><span style="text-decoration: underline">Ichigo</span></a>, <a href="https://x.com/Princeadxisrael"><span style="text-decoration: underline">Aseneca</span></a>, and <a href="https://x.com/deanmlittle"><span style="text-decoration: underline">Dean</span></a> for reviewing earlier versions of this work.<br></p><p>In recent months, <a href="https://x.com/dotkrueger/status/1869783595319263665?s=20"><span style="text-decoration: underline">various alarmist claims</span></a> have circulated suggesting that we have only a few years to migrate to post-quantum cryptography, and that Solana would be among the first victims of such a scenario. Regardless of the perceived urgency or whether one accepts such claims, it is helpful to map out what the protocol would need to change if, under today’s conditions, Solana were to transition to post-quantum cryptography.</p><h2>Brief Introduction to Quantum Computing</h2><p>Quantum computing is a computational paradigm that departs from the classical model built on binary logic. Instead of processing information strictly as zeros and ones, quantum computers operate on <strong>qubits</strong>, physical systems that follow the rules of quantum mechanics. A qubit can occupy multiple states simultaneously (a property known as <strong>superposition</strong>), allowing quantum processors to explore many possible solutions in parallel.</p><p></p><p>The significance of quantum computing does not lie in speeding up all computations, but in accelerating very specific problems. Despite their theoretical power, today’s quantum devices are far from capable of running these algorithms at meaningful scales. 
</p><p></p><p>No one knows <strong>when</strong>, or even <strong>if</strong>, quantum computers will ever reach the scale required to threaten modern public-key cryptography. To break schemes like Ed25519, a quantum computer would need hundreds of thousands to millions of stable qubits, extremely high-quality error correction, and sufficiently long coherence times to run deep quantum circuits such as Shor’s algorithm. Today, such machines are purely theoretical. Existing quantum processors operate on noisy, short-lived physical qubits with error rates far too high for any meaningful attempt at breaking this cryptography. State-of-the-art devices offer only on the order of hundreds to low thousands of physical qubits—not logical ones—and their gate fidelities and coherence properties remain several orders of magnitude below what would be required for a practical attack.</p><p></p><p>Even so, the potential long-term impact of quantum computing is significant enough that security-critical systems (including blockchains) must consider what a transition to post-quantum primitives would entail.</p><h2>Quantum Attacks</h2><p>Modern cryptography relies on hardness assumptions that classical computers cannot efficiently break. Quantum computers introduce two major algorithms that threaten different cryptographic primitives: <strong>Shor’s algorithm</strong> and <strong>Grover’s algorithm</strong>.</p><p></p><p>Shor’s algorithm efficiently breaks RSA, Diffie–Hellman and, critically for Solana, elliptic-curve cryptography, including <strong>Ed25519</strong>, the core signature scheme used across the Solana protocol: it allows an attacker to derive the private key from the public key. This makes Shor a meaningful long-term quantum threat.</p><p>Grover’s algorithm provides only a quadratic speedup for brute-force search. It reduces the effective security of SHA-256 to 128 bits, which is still far beyond any realistic threat horizon. 
For symmetric cryptography, Merkle trees and hashing, it is still more cost-effective to scale classical hardware than to build a large-scale Grover-capable quantum machine. Therefore, Grover is not a realistic concern for Solana’s long-term security model.</p><p></p><p>Because large-scale quantum computers would fundamentally break today’s public-key cryptography, an entire field known as post-quantum cryptography (PQC) has emerged to develop schemes that remain secure even in the presence of quantum attacks. </p><p></p><p>NIST (National Institute of Standards and Technology) has so far standardized two post-quantum digital signature schemes:</p><ol class="list-number"><li value=1><strong>ML-DSA</strong>, lattice-based, derived from CRYSTALS-Dilithium</li><li value=2><strong>SLH-DSA</strong>, hash-based, derived from SPHINCS+</li></ol><p></p><p>Both use public keys and signatures that are much larger than the elliptic-curve primitives used today. This makes early migration impractical for high-throughput systems like Solana unless quantum computers become an imminent threat. </p><p></p><p>There is also FN-DSA (based on FALCON, designed as a smaller alternative to ML-DSA), which currently exists only as a draft proposal and is not yet an approved NIST standard.</p><p></p><p>Post-quantum cryptography is still in a very active stage of development. It is likely that long before any quantum computer capable of running Shor’s algorithm against Ed25519 exists, more efficient schemes will be discovered. 
Early nonstandard approaches, such as <strong>HAWK signatures</strong>, look promising, but are still at the research stage.</p><p></p><p>With internet bandwidth following Nielsen’s law and <a href="https://github.com/solana-foundation/solana-improvement-documents/pull/296"><span style="text-decoration: underline">Solana’s transaction-size limit already increasing to 4096 bytes in 2026</span></a>, it is reasonable to delay full PQ migration until more efficient schemes are available while preparing the protocol for eventual transition. In the meantime, it is also possible to rely on vault constructions based on well-established hash-based one-time signature schemes, such as Winternitz, which offer long-term security even against quantum attacks. <a href="https://github.com/deanmlittle/solana-winternitz-vault"><span style="text-decoration: underline">These solutions exist on Solana today.</span></a></p><p></p><p>This article focuses only on the consensus-critical parts of Solana that rely on Ed25519. A full post-quantum migration would also involve other components, such as validator communication, encrypted networking channels, and symmetric cryptography—areas that would likewise need PQ-safe or hybrid replacements, but which are outside the scope of this overview.</p><p></p><h2>Addresses and transaction signatures</h2><p>Solana’s externally owned accounts (EOAs) use their <strong>public key</strong> as the <strong>address</strong>, with Ed25519’s 32-byte public key acting both as the identifier and the verification key. A post-quantum scheme changes this model, and such changes would naturally be introduced under a <strong>new address format and transaction version</strong>, rather than modifying the existing TX format.</p><p></p><ul class="list-bullet"><li value=1>PQ public keys are much larger, so <strong>32-byte addresses can no longer encode public keys directly</strong>. 
Addresses would instead become <strong>hashes of the PQ public key</strong> and of the signature scheme identifier.</li><li value=2>If PQ addresses coexist with existing Ed25519 addresses during migration, the address space must be constructed so that PQ-derived hashes <strong>cannot collide with points on the Ed25519 curve</strong>, ensuring that no Ed25519 private key exists for those addresses. This mirrors how PDAs avoid being valid Ed25519 points by using a bump seed.</li><li value=3><strong>PDA security remains unaffected</strong>, because PDAs rely on SHA-256 second preimage resi
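<p>The address construction sketched in the list above (a hash of the scheme identifier and the PQ public key, forced off the Ed25519 curve the way PDAs are) can be made concrete with a short script. The following is an added example written for this article, not code from the article or from the Solana codebase: the <code>derive_pq_address</code> function, the <code>b"pq-address-v1"</code> domain tag, the one-byte scheme identifier and the bump loop are hypothetical illustrations of the idea, not a proposed standard, and <code>SAMPLE_PQ_PUBKEY</code> is constructed placeholder bytes rather than a real ML-DSA or SLH-DSA key. The point-decoding routine follows RFC 8032 and is the same success-or-failure test Solana applies when it rejects PDA candidates that happen to be valid Ed25519 points.</p>

```python
import hashlib

# Ed25519 field prime and twisted-Edwards constant d (RFC 8032, section 5.1)
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # a square root of -1 in GF(P)

# Compressed encoding of the Ed25519 base point B (a well-known constant),
# used only as a sanity check that the decoder accepts real curve points.
ED25519_BASEPOINT = bytes([0x58]) + bytes([0x66]) * 31


def ed25519_decompress(pk: bytes):
    """Decode 32 bytes as a compressed Ed25519 point (RFC 8032, section 5.1.3).

    Returns (x, y) on success, or None when the bytes are not a valid point.
    Success or failure of this decoding is the test Solana applies to PDA
    candidates: an address for which it returns None has no Ed25519 private
    key behind it, so no Ed25519 signature can ever authorize it.
    """
    if len(pk) != 32:
        return None
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    sign = pk[31] >> 7
    if y >= P:
        return None                       # y must be a canonical field element
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    x2 = (u * pow(v, P - 2, P)) % P      # x^2 = (y^2 - 1) / (d*y^2 + 1)
    x = pow(x2, (P + 3) // 8, P)          # candidate square root
    if (x * x - x2) % P != 0:
        if (x * x + x2) % P != 0:
            return None                   # x2 is a non-residue: not on the curve
        x = (x * SQRT_M1) % P
    if x == 0 and sign == 1:
        return None
    if (x & 1) != sign:
        x = P - x
    return x, y


def is_on_curve(addr: bytes) -> bool:
    """True if these 32 bytes could be an Ed25519 public key."""
    return ed25519_decompress(addr) is not None


def derive_pq_address(scheme_id: bytes, pq_pubkey: bytes):
    """Hypothetical PQ address derivation (an illustration, not a Solana spec).

    The address is SHA-256 over a domain tag, a 1-byte signature-scheme id,
    the (large) PQ public key and a bump byte. As with PDAs, the bump is
    decremented from 255 until the digest is not a valid Ed25519 point, which
    guarantees the address can never collide with an Ed25519-controlled one.
    Returns (address, bump).
    """
    if len(scheme_id) != 1:
        raise ValueError("scheme_id must be exactly one byte")
    for bump in range(255, -1, -1):
        digest = hashlib.sha256(
            b"pq-address-v1" + scheme_id + pq_pubkey + bytes([bump])
        ).digest()
        if not is_on_curve(digest):
            return digest, bump
    # Roughly half of all 32-byte strings decode as points, so reaching
    # this line would require 256 consecutive on-curve digests.
    raise ValueError("no off-curve bump found")


# Constructed placeholder standing in for a PQ public key; it is NOT a real
# ML-DSA or SLH-DSA key, only bytes of a plausible (large) length.
SAMPLE_PQ_PUBKEY = bytes(range(256)) * 5
SCHEME_ML_DSA = b"\x01"   # hypothetical scheme identifier, not a standard value


if __name__ == "__main__":
    address, bump = derive_pq_address(SCHEME_ML_DSA, SAMPLE_PQ_PUBKEY)
    print("address:", address.hex())
    print("bump:", bump, "on curve:", is_on_curve(address))
```

<p>Two design choices are worth noting. Binding the scheme identifier into the hash means the same PQ public key yields different addresses under different schemes, so a verifier cannot be tricked into checking a signature under the wrong algorithm. And because the decoding check is only "does this decompress", it matches Solana's PDA rule rather than a stricter small-order or cofactor check; that is sufficient here, since the goal is only that no Ed25519 private key corresponds to the address.</p>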