Quantum Blockchain Technology

Hash-based signatures are attractive because they rely on conservative assumptions: the security of hash functions. The hard part for Bitcoin is not only cryptography. It is migrating a live monetary network without breaking incentives, fees, wallets, lost coins and social consensus. That is why QBTC is being designed PQ-native from genesis. #QBTC #PostQuantum #QuantumSafe

This is a list I compiled several years ago outlining the obstacles to Bitcoin’s migration to quantum-resistant, for your reference. I may add a few more critical—perhaps even fatal—barriers in the future. The barriers to migration are as follows. 1. No suitable quantum-resistant algorithm 2. Hash-based and lattice-based algorithms have excessively large public keys and signatures 3. Migrating to quantum-resistant algorithms could cause severe on-chain congestion and even paralysis 4. Quantum-resistant algorithms result in a significant reduction in transaction efficiency 5. Increased node and transaction fees 6. Who has the authority to freeze or burn Satoshi’s addresses and other lost addresses 7. The aggregation threshold in quantum-resistant algorithms is challenging 8. Taproot makes the transition to quantum-resistant even more difficult 9. High hardware upgrade costs 10. 1MB block size is not suitable for quantum-resistant algorithms 11.Achieving global consensus is extremely difficult and more...

There are largely two families of post-quantum signatures available today: hash-based and lattice-based. Hash-based schemes (SLH-DSA, XMSS, LMS): Reply only on the security of hash functions, the most conservative assumption available and one with decades of cryptanalysis behind it. The cost is size and operational overhead (signatures can run to several kilobytes, with slower operations than ECDSA/EdDSA). Hash-based schemes also lack the algebraic structure needed for threshold signing, aggregation, and re-randomisation natively, so those primitives have to be reconstructed externally with things like PQ-SNARKs, which can be expensive. Within the family there is a further choice between stateless and stateful. SLH-DSA is stateless and safe to use without tracking signing state, at the cost of larger signatures. XMSS and LMS are smaller and faster but a single state reuse breaks the scheme, and getting state right across distributed signers can be hard (although not impossible). Lattice-based schemes (ML-DSA, Falcon): Reply on newer assumptions, but ones that have still been subject to substantial cryptanalysis. Signatures are smaller and operations are typically faster than in stateless hash-based schemes. The algebraic structure can support threshold, aggregation, and re-randomisation, though production-ready versions of these are still a work in progress. ML-DSA is what the wider internet is converging on across all PQ signatures (TLS, browsers, cloud KMS, messaging), which means more implementations, more audits, and more eyes on the cryptography over time. It's also my default recommendation. Falcon (to be standardised as FN-DSA) has the smallest combined public key + signature, but with some tricky internals (solvable, just requires care). Some great schemes are coming through the NIST on-ramp but they have a long way to go (a few years at a minimum). I suggest we pick from what's standardised/available now and plan a future change should something better come along later.

Most chains face a post-quantum migration problem. QBTC is taking a different route: not retrofitting quantum resistance later, but designing a Bitcoin-like PoW/UTXO network with post-quantum assumptions from genesis. The challenge is not only cryptography. It is migration, coordination and time. #QBTC #PostQuantum #PoW #QuantumSafe

The quantum threat is no longer a distant theoretical debate. Most chains will need a painful migration. QBTC is being designed differently: post-quantum from genesis, PoW-based, UTXO-oriented, fair-launch, and built without depending on legacy ECDSA assumptions. Quantum safety should not be an afterthought. #QBTC #QuantumSafe #PostQuantum #Crypto

⚠️ALERT: FT reports that the crypto industry is now bracing for quantum computing threat. Here's the brutal truth nobody in CT wants to hear: Only ~15 crypto projects on Earth are seriously building for quantum. If your favorite coin isn't one of them, you're holding a wallet with a death clock. The list 👇 PROTOCOL-NATIVE QUANTUM RESISTANT (mainnet, today): 🔷 QRL (XMSS, mainnet since 2018) 🔶 Abelian (lattice-based, mainnet 2022) 🔷 Cellframe (Dilithium + Picnic) 🔶 Mochimo (WOTS+, audited by Dr. Hülsing) 🔷 xx Network (David Chaum, PQ BFT consensus) 🔶 Nexus (FALCON + Signature Chains) PQC LIVE IN PRODUCTION (partial): 🔷 Algorand — Falcon state proofs since 2022, first Falcon mainnet tx Nov 2025 (consensus still Ed25519) 🔶 Hedera — SEALSQ QS7001 chip, shipped Nov 2025 ACTIVELY IMPLEMENTING (testnet): 🔷 QANplatform — Dilithium, EVM-compatible testnet 🔶 Tron — QuantumShield hybrid signatures on testnet 🔷 Circle's Arc — USDC-native L1, opt-in Dilithium + Falcon at mainnet (2026) ROADMAP ONLY (still vulnerable today): 🔷 Bitcoin — BIP-360 + BIP-361 (7-year migration) 🔶 Ethereum — $2M PQ team, pq.ethereum .org, 2029 target 🔷 Cardano — IO Research "Vision 2026: Post Quantum Secure" proposal 🔶 Solana — Falcon roadmap (April 2026), Winternitz Vault live 2+ yrs 🔷 Ripple/XRP — 4-phase roadmap, ML-DSA on AlphaNet, 2028 target Not listed = not building = your funds, eventually someone else's. Harvest now, decrypt later.

DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE DON'T SIGN IN WITH GOOGLE

Starting early matters. Once post-quantum readiness becomes urgent, the hardest part is no longer just choosing stronger cryptography — it is avoiding the migration, coordination, and legacy exposure problems that come with changing a live network under pressure. Architectures built for it from genesis are in a much cleaner position.

While others are just starting to plan for the quantum threat, Mochimo has been ready since day one. - WOTS+ Hash-Based Signatures: Built for maximum security. - No Migration Needed: Because already Quantum-resistant from the very first block. - Proven Track Record: Securing the future since 2018. Security that stands today, resilient for tomorrow. $MCM #Mochimo #PostQuantum #Blockchain #Cryptography

@mochimocrypto Starting early matters. Once post-quantum readiness becomes urgent, the real challenge is no longer just cryptography — it is migration, coordination, and legacy exposure across a live network. Architectures built for it from genesis are simply in a cleaner position.

Mochimo has been post-quantum resistant since 2018. the world’s first quantum-safe Layer-1 blockchain! No retrofits. No ECDSA risks. Built from day one with WOTS+ (Winternitz One-Time Signature Plus) signatures that laugh at quantum attacks. Fully #QDay ready while others scramble. The future-proof crypto is already here. #Mochimo #PostQuantum #WOTSPlus #Crypto mochimo.org

@chillerid76 Important nuance: this does not mean token endorsement. But the diagram explicitly referencing a QRL Blockchain layer and XMSS-signed transactions is a strong signal that post-quantum ledger infrastructure is being taken seriously in applied security design.

$LMT Lockheed Martin's patent uses $QRL tech. Since QRL is an open-source project released under the MIT License, the code can generally be used freely within the terms of that license. @QRLedger #quantumsafe #blockchain #undertheradar reddit.com/r/CryptoCurren…

@TheCyyber @HTX_Global Projects built quantum-safe from genesis deserve more attention. The hard part is not only adding PQ signatures later — it is designing the whole network, wallet model, mining/consensus assumptions and migration story around long-term quantum resilience.

QRL ( $QRL ) A live Layer 1 focused on post-quantum security since genesis using hash-based cryptography. Referenced by Google Quantum AI researchers: quantumai.google/static/site-as… Referenced in a Lockheed Martin patent: patents.google.com/patent/US20240… Feels massively overlooked right now. 👀

project you bullieve in? 👀

Post-quantum readiness is not just a wallet problem. It is also a migration, coordination, consensus, and long-term auditability problem. Starknet’s direction is important. At QBTC, we are exploring a complementary path: an independent PoW-based, fair-launch network designed post-quantum-native from genesis, without legacy signature migration.

Post-quantum secure wallets are already live on Mainnet too. Just pivot to Starknet.

How STARKs work? Call it moon math or ZK-magic, STARKs are too beautiful to require a PhD to understand them. So here is my best attempt yet to explain how they work for non-mathematicians, in a simplified and clear way. I focused on explaining how a STARK proof is generated, but this is a long explanation, packed with concepts, so I broke it down to 6 parts. I'm posting today the first and second parts. I hope you read it, enjoy it, learn from it, ask me questions about it, and eagerly wait for the next parts which I'll post in the coming days. Here is Part 1: The Problem

@QtonicQuantum Exactly. For blockchains, the real issue is not only when CRQCs arrive. It is how long migration takes. Consensus rules, wallets, exposed public keys, inactive users, audits, and coordination are multi-year problems. Waiting for visible attacks means starting too late.

For 20 years, Scott Aaronson has been the person who tells you to calm down about quantum computing. His blog tagline: “quantum computers won’t solve hard problems instantly by just trying all solutions in parallel.” He has corrected more quantum hype than anyone alive. Yesterday he was elected to the US National Academy of Sciences. Today he titled his blog post: “Will you heed my warnings NOW?” His words: “If quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning.” He says the most reputable people in quantum hardware are now telling him a fault-tolerant quantum computer able to break deployed cryptosystems ought to be possible by around 2029. He co-authored the Coinbase advisory board paper with Dan Boneh. The same Dan Boneh who co-authored the Google paper showing Bitcoin’s signature breaks in nine minutes with under 500,000 physical qubits. This is not a vendor. Not a startup. Not a stock promoter. This is the most trusted voice in quantum computing, a newly elected member of the National Academy of Sciences, telling the world on the record: act now. If Scott Aaronson is warning you, who exactly are you still waiting to hear it from? scottaaronson.blog/?p=9718 @QtonicQuantum | qtonicquantum.com

The exact CRQC timeline remains uncertain. But the migration timeline is not. For blockchains, post-quantum readiness is not just swapping signatures. It means consensus rules, wallets, exposed keys, inactive users, audits, and coordination. That work has to begin before the emergency.

Scott Aaronson weighs in with an urgent warning about cryptographically relevant quantum computers, likely within this decade: "So, here it is: if quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning. Please start switching to quantum-resistant encryption, and urge your company or organization or blockchain or standards body to do the same." More excerpts: "See, some of the most reputable people in quantum hardware and quantum error-correction—people whose judgment I trust more than my own on those topics—are now telling me that a fault-tolerant quantum computer able to break deployed cryptosystems ought to be possible by around 2029." "The companies racing to scale up fault-tolerant QC, have no plans to slow down in order to “give cybersecurity time to adapt” or whatever. The way they see it, cryptographically relevant QCs will plausibly be built sometime soon..." Read the full blog post: scottaaronson.blog/?p=9718 $INFQ $RGTI $QBTS $IONQ $XNDU $QUBT $BBCQ $RAAQ $HQ $BTQ $LAES $OONEF $QNC $ARQQ

@conordeegan For blockchains, PQC is not only about cryptographic strength. It is also about deterministic, portable, auditable implementation behavior. Falcon/FN-DSA has attractive sizes, but ML-DSA and SLH-DSA are safer defaults for new consensus-critical deployments.

Falcon (FN-DSA, FIPS 206) is one of the post-quantum signature schemes NIST is standardising. It uses floating point arithmetic during signing. ML-DSA and SLH-DSA do not. A few things you can run right now in any JavaScript console: 0.1 + 0.2 returns 0.30000000000000004. Not 0.3. The numbers being added are not the numbers you wrote down. They are the closest 64-bit approximations, because most decimal fractions cannot be stored exactly in binary. Math.tan(1e16) returns -1.2451734357184066 in Node and -1.245173435718406 in Safari. Same input, different output. IEEE 754 does not require bit-exact results for functions like tan, sin, log, or exp. Each library and chip approximates them differently. (0.1 * 0.2) * 0.3 returns 0.006000000000000001 whereas 0.1 * (0.2 * 0.3) returns 0.006. The associative law from school does not hold. The compiler is free to pick either order. Falcon's signing process calls functions like these on values that depend on the secret key. The same key signing the same message in two browsers can produce two different signatures. Both verify correctly, because the verifier does not redo the sampling, but the signatures are not reproducible across platforms. A Falcon library that is correct and safe on a Linux server is not automatically correct or safe in Safari on an iPhone. ML-DSA uses integer arithmetic throughout. For new deployments it is the safer default. Falcon may be appropriate when signature size matters enough to justify validating floating point behaviour on every target platform. Full post below.

This is one of the most serious ways to frame the post-quantum problem. The challenge is not just “which new signature scheme replaces ECC?” The challenge is how a live monetary network migrates under real constraints: exposed public keys, inactive users, coordination across wallets and infrastructure, consensus sensitivity, and the tradeoff between conservative cryptography and practical usability. That is why starting early with conservative post-quantum foundations matters so much. Once the pressure becomes urgent, migration is no longer only a cryptography question — it becomes a systems, coordination, and legitimacy problem.

1/4 Today, Localhost Research is announcing a new Post Quantum Cryptography Group in partnership with two world-class cryptographers: @benediktbuenz and @danboneh.

Chapter 4: The real problem is migration Changing a signature scheme on a live blockchain is not like swapping one library for another. It touches wallets, transaction formats, validation rules, user behavior, exchanges, and social coordination. That is why post-quantum readiness is not just a cryptography problem. It is an architecture problem.

Chapter 3: Why small quantum demos still matter No, a tiny key demo is not the same as breaking real 256-bit production cryptography. But small demonstrations still matter because they show direction: practical experimentation is happening barriers are dropping engineering progress is real The point is not panic. The point is that migration windows do not stay open forever.

Chapter 2: Why ECC matters Most major blockchains were built around elliptic curve cryptography. That worked well for the era they were designed in. The long-term concern is that Shor’s algorithm targets exactly the kind of math ECC depends on. So the issue is not “crypto in general,” but a very specific dependency built deeply into many live systems.

Chapter 1: The quantum problem is not just “When is Q-Day?” That question sounds precise, but it can be misleading. The better questions are: What breaks first? Which systems are hardest to migrate? How much legacy exposure already exists? How fast can a network actually change cryptography? That is where the real risk lives.

Quantum risk in crypto is often discussed badly. Some people reduce it to panic. Others reduce it to “not in our lifetime.” Both are weak ways to think about it. The real issue is simpler: if a system depends on cryptography that may become breakable, the hardest problem is not just the math — it is whether the system can adapt before the pressure becomes urgent. We’ll be writing a short series on this. @amarchenkova