Solana tests quantum shield at a cost

Solana’s effort to prepare for a future quantum-computing threat is exposing a basic tension for high-speed blockchains: the safer the signature system becomes, the heavier and slower it is likely to be. That trade-off has moved into sharper focus as Bitcoin developers debate draft quantum-safe address proposals, Ethereum’s post-quantum team lays out a multi-year migration plan, and new research from Google and outside experts brings forward the timetable under discussion for so-called “Q-day”.

At the centre of Solana’s approach is an attempt to get ahead of the risk rather than wait for a crisis. Work around the network has centred on quantum-resistant vault designs using hash-based signatures, including Winternitz one-time signatures, which are meant to avoid the vulnerabilities that a sufficiently capable quantum machine would pose to today’s elliptic-curve systems. Solana research discussions published in February said the chain’s main exposure sits first in the signature layer, not in its hashing layer or consensus as presently modelled.

That distinction matters. Solana, like many major chains, depends on public-key cryptography for transaction approval. In Solana’s case that means Ed25519 signatures, which quantum attackers using Shor’s algorithm would eventually be able to target. By contrast, SHA-256-based components are seen as more resilient, because Grover’s algorithm weakens them rather than rendering them useless outright. Solana-focused technical analysis published late last year said Grover-style threats are not the realistic near-term concern for the network; signature systems are.

The problem is that post-quantum signatures are far bulkier than the compact cryptography that made fast chains efficient in the first place. Solana analysis comparing current and candidate schemes shows a steep jump in size: Ed25519 uses a 32-byte public key and a 64-byte signature, while NIST-backed post-quantum options such as ML-DSA and SLH-DSA are materially larger. That increases transaction size, raises verification costs and strains network performance. Solana researchers say those costs would be especially acute for real-time voting and certificate formation under the chain’s evolving consensus design, where there is still no practically deployable post-quantum equivalent to the compact aggregation properties developers enjoy today.

That is the harshness of the trade-off. A chain built to maximise throughput and low latency has less room to absorb cryptographic bloat than a slower, more conservative network. Solana commentary from developers has suggested that a full protocol migration is not yet necessary, partly because more efficient post-quantum schemes may emerge before a machine powerful enough to crack Ed25519 arrives. For now, optional vault constructions and preparatory research look more feasible than a chain-wide conversion.

Bitcoin is confronting the same broad problem from a different angle. Its ecosystem has been debating quantum resistance for some time, and Bitcoin Optech said this week that a draft BIP for a quantum-safe address format has now been announced. The wider Bitcoin discussion remains bound up with questions of backward compatibility, exposed public keys and how aggressively the community should move before the threat becomes immediate. Optech’s current material also notes that Bitcoin uses several cryptographic components with different levels of vulnerability to fast quantum computers, adding to the complexity of any eventual upgrade path.

Ethereum, meanwhile, is trying to make the transition a systems-design exercise rather than a single emergency patch. The Ethereum Foundation’s post-quantum team says the work will span execution, consensus and data layers over years, using “cryptographic agility” to avoid locking the network too early into one scheme. Its published roadmap points to post-quantum signature precompiles, account-abstraction based migration paths, and replacement of validator signatures with alternatives that can preserve performance and finality. The Foundation has also said post-quantum security now has a clear place in its protocol roadmap for 2026 and beyond.

The urgency has grown because the underlying science is moving. A Google Quantum AI white paper dated March 30 said breaking the secp256k1 elliptic-curve problem could require as few as roughly 1,200 to 1,450 logical qubits, or fewer than half a million physical qubits on certain superconducting architectures, with execution times measured in minutes under those assumptions. NIST, for its part, finalised its first principal post-quantum standards in August 2024 and has urged organisations to begin migrating. No such cryptographically relevant quantum computer exists today, but the policy and engineering message is no longer to wait for certainty.