Dean Little

Apr 27, 2026

Quantum-Proofing Solana

Ensuring Solana's quantum security, both today and tomorrow.

As authors of the only Solana-specific Post-Quantum Cryptography (PQC) solution cited in Google’s recent whitepaper, Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations, it should come as no surprise that we believe Solana is one of the best-positioned blockchains to tackle the quantum threat. In this article, we lay out the problem space, present the arguments for and against urgency, demonstrate practical quantum-resistant solutions available today, and outline how we see Solana evolving towards full PQC migration.

Introduction

In December 2024, Google released its Willow processor: a state-of-the-art 105-qubit quantum chip that significantly advances quantum error correction — one of the largest barriers to scaling up the number of logical qubits to a level sufficient to threaten elliptic curve cryptography (ECC). In practical terms, we are still many orders of magnitude away from a viable threat. As is often the case when such breakthroughs are announced, however, it prompted a great deal of speculation about what this could mean for blockchains and the ECC underpinning their public-key security.

Willow’s headline achievement was below-threshold error correction: the demonstration that adding more qubits to the system actually reduces the error rate, rather than compounding it. This is a prerequisite for fault-tolerant quantum computing, and while 105 physical qubits is a far cry from the hundreds of thousands estimated to be necessary for cracking elliptic curves, the trajectory matters more than the snapshot. Google’s own 2026 paper estimates that breaking a 256-bit elliptic curve discrete logarithm would require fewer than 1,200 logical qubits — achievable with under 500,000 physical qubits on superconducting hardware, executing in minutes. The gap between 105 and 500,000 is large, but it is finite, and it is slowly shrinking.

After the Willow announcement, the discourse predictably bifurcated into those declaring the death of cryptocurrency and those dismissing the threat entirely. Neither camp was particularly well served by the evidence. At Blueshift, we decided the most productive response was code, not commentary. In January 2025, we released the Solana Winternitz Vault: the first quantum-resistant cryptographic primitive on Solana, made possible without any protocol changes. To date, it remains the only Solana-specific solution cited by Google in their post-quantum cryptography whitepaper, and it has since evolved into Winterwallet — an end-to-end wallet solution that enables users to secure their funds behind quantum-resistant signatures on devnet and mainnet today.

What is the quantum threat?

The quantum threat to blockchain security primarily reduces to two quantum algorithms that could give sufficiently capable quantum computers a significant advantage against the hard problems underpinning modern cryptography: Grover’s Algorithm and Shor’s Algorithm. Broadly speaking, Grover’s algorithm threatens hash-based security assumptions, while Shor’s algorithm threatens elliptic-curve cryptography.

Grover’s Algorithm

Grover’s algorithm provides a theoretical quadratic advantage for unstructured search: a class of problems that includes brute-force-style attacks on symmetric keys and certain hash-function preimages. It turns a brute-force search over an n-bit space, which costs about 2^n classical evaluations, into roughly 2^(n/2) quantum queries, which is often summarised as “cutting hash preimage security in half.”

As any economist worth their salt could tell you, however, a theoretical quadratic advantage does not automatically translate into a practical threat if the machine used to carry out the attack is vastly more expensive to manufacture, operate, cool, error-correct, and scale than the classical hardware it is supposedly outpacing. This is especially true when the algorithm in question is notoriously resistant to parallelization. Furthermore, the payoff from such an attack pales in comparison to that of the far more consequential task of breaking ECC outright. As such, Grover’s algorithm is a much more distant concern for blockchain security — a threat further up the Kardashev scale.

Shor’s Algorithm

By contrast, Shor’s algorithm provides a feasible, exponential advantage in solving the mathematical problems underlying much of today’s public-key cryptography, including integer factorization and elliptic-curve discrete logarithms. In plain terms, if a viable quantum computer with sufficient logical qubits and error correction were to be built, deriving the private key corresponding to an exposed ECC public key would become computationally trivial — not merely difficult, but effectively instantaneous.

This is the primary reason why the Q-day clock is ticking. While that day may not be tomorrow, it is plausibly within the planning horizon of systems that are expected to secure hundreds of billions of dollars in value for at least the next few decades. Cryptographic migrations are not the sort of thing one undertakes on short notice, and the history of infrastructure security is not kind to those who assumed they had more time than they did. As such, it is our duty to prepare ahead of time, protect users, and provide adequate runway to migrate to PQC.

How quantum-resistant is Solana today?

There are levels to what it means to be quantum-resistant. In this article, we primarily concern ourselves with the most immediate questions: the runtime and users’ funds. If the basic assumption is, “It doesn’t matter what happens to the broader ecosystem. What matters is that in whatever version of the ledger we roll back to in a Q-day event, my assets are safe,” then Solana already does a remarkably good job of protecting asset holders.

The Good

Several aspects of Solana make it better positioned than other blockchains to withstand a Q-day event.

Winternitz Signatures

There is already a viable PQC scheme available on Solana today in the form of Winternitz One-Time Signatures (WOTS). They protect users against Shor’s algorithm via single-use, hash-based signatures whose security rests entirely on the one-wayness of the hash function — with no elliptic curves involved. This is what we used to build Winterwallet, and it works on mainnet today.

Program Derived Addresses

Program Derived Addresses (PDAs) are quantum-resistant by default. PDAs are derived from hash-based seeds that are provably off-curve, meaning they are not associated with any elliptic curve keypair, and thus there is no associated private key to extract. Much of the on-chain program logic, along with upgrade authorities, mint authorities, token accounts, and other protocol-level accounts for widely adopted applications, already operates through PDAs, giving Solana a substantial quantum-resistant surface area without any additional effort.
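An added illustration, not Blueshift's or Solana's own code, of why a PDA has no private key: the address is a SHA-256 output, and the derivation keeps decrementing the bump seed until that output fails Ed25519 point decompression, so there is no scalar for Shor's algorithm to recover. The seeds are constructed; the System Program id and the derivation marker string are the real ones.

```python
import hashlib
from typing import Optional

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P   # Ed25519 curve constant d = -121665/121666
PDA_MARKER = b"ProgramDerivedAddress"
SYSTEM_PROGRAM = bytes(32)                  # real id: 32 zero bytes ("1111...1")

def is_on_curve(point: bytes) -> bool:
    """True if the 32 bytes decompress to an Ed25519 point, i.e. a keypair could exist.
    Mirrors the decompression test the runtime uses to reject on-curve PDAs."""
    y = (int.from_bytes(point, "little") & ((1 << 255) - 1)) % P
    u = (y * y - 1) % P                     # x^2 = (y^2 - 1) / (d*y^2 + 1)
    v = (D * y * y + 1) % P
    x2 = u * pow(v, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)            # candidate square root (p = 5 mod 8)
    return (x * x - x2) % P == 0 or (x * x + x2) % P == 0

def create_program_address(seeds: list, program_id: bytes) -> Optional[bytes]:
    """sha256(seed_1 || ... || seed_n || program_id || marker); None if the hash
    happens to land on the curve, in which case a different bump must be used."""
    if len(seeds) > 16 or any(len(s) > 32 for s in seeds):
        raise ValueError("at most 16 seeds of at most 32 bytes each")
    h = hashlib.sha256(b"".join(seeds) + program_id + PDA_MARKER).digest()
    return None if is_on_curve(h) else h

def find_program_address(seeds: list, program_id: bytes):
    """Try bump seeds 255, 254, ... until the address is provably off the curve."""
    for bump in range(255, -1, -1):
        addr = create_program_address(seeds + [bytes([bump])], program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no viable bump seed")
```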

Speed and Scalability

In the event that a mass migration to PQC becomes necessary, Solana’s throughput means it could migrate its entire user base in a matter of minutes. Many other blockchains would require months or even years to accomplish the same feat. This is not merely a theoretical claim, but a consequence of Solana’s parallel transaction processing, and it represents one of the network’s most underappreciated security properties.

Frequent Release Schedule

Solana ships roughly quarterly protocol upgrades, and has demonstrated the commitment of its validator community to rapidly and widely adopt emergency security patches in a decentralized fashion. The infrastructure for coordinated action already exists, it has been exercised, and it works.

EdDSA Key Derivation

On Solana, canonical EdDSA keypairs are derived from the clamped scalar of the first 32 bytes of a SHA-512 hash of the seed. This is significant because the original seed material is protected behind a hash function — which, as we established in the discussion of Grover’s algorithm, remains quantum-resistant for all practical purposes. This property makes EdDSA keypairs well-suited to emergency migration via hash-based commit-and-reveal schemes.

The Bad

Large Attack Surface

Solana is extremely scalable and widely adopted, which means there are millions of accounts representing a large attack surface. Fortunately, the same property that creates this surface area — Solana’s extraordinary throughput — is also what makes rapid migration feasible. The problem contains its own remedy.

Supply Chain Attacks

Although most programs and tokens with significant adoption are controlled by quantum-resistant PDA multisigs, the signatories of those multisigs are overwhelmingly quantum-vulnerable EdDSA keypairs. This enables a class of downstream supply chain attacks: a quantum-capable adversary need not attack the programs directly, but could instead derive the private keys of upgrade authorities and signers, enabling unauthorized program upgrades, token mints, or treasury drains.

This is arguably the most consequential near-term quantum vulnerability on Solana, and it is entirely addressable today. Migrating signing authorities to Winternitz signatures via Winterwallet eliminates this attack vector entirely. The technology exists and is ready to use today. The only remaining barrier is adoption.

Winternitz One-Time Signatures (WOTS)

At the core of both the Solana Winternitz Vault and Winterwallet lies a deceptively simple cryptographic primitive: Winternitz One-Time Signatures. Understanding how they work is worthwhile because the elegance of the construction is precisely what makes it so robust.

The Construction

WOTS is a hash-based signature scheme. Unlike ECDSA or Ed25519, its security derives entirely from the one-wayness of a hash function — no number theory, no structured mathematical problems, no assumptions beyond the basic difficulty of inverting a hash. If the hash function is secure, the signatures are secure. The scheme works as follows:

Key generation. A set of random secret values is generated. Each secret is iteratively hashed 2^w − 1 times, where w is the Winternitz parameter: the number of bits consumed per message digit, a tunable value that controls the trade-off between signature size and computational cost. The final hash values constitute the public key.

Signing. The message to be signed is hashed and split into base-2^w digit chunks. For each chunk, the corresponding secret value is hashed a number of times determined by the chunk’s digit value, producing an intermediate hash chain value. The collection of these intermediate values forms the signature.

Verification. The verifier takes each signature component and continues hashing it the remaining number of steps to reconstruct the expected public key. If the reconstructed public key matches the one on record, the signature is valid.

The critical constraint — and the reason it is called a one-time signature — is that each keypair must only ever be used once. Signing with a keypair reveals intermediate hash chain values; signing again with the same keypair reveals additional intermediate values, progressively leaking private key material. This is less a limitation than a fundamental property of the construction, and Winterwallet handles it transparently by generating a fresh vault for every transaction.
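To make the three steps concrete, here is an added Python sketch of WOTS (example code, not the Winterwallet implementation). It uses full SHA-256 with w = 4 rather than the vault's truncated hash and tuned parameter, derives the secrets from a seed for reproducibility, and includes the checksum digits that stop a forger from simply walking the revealed chains forward; the last function quantifies the leakage behind the one-time rule.

```python
import hashlib

N = 32                     # hash output bytes; full SHA-256 here (the vault truncates it)
W = 4                      # Winternitz parameter: base-2^W digits, chains of 2^W - 1 steps
BASE = 1 << W
MSG_DIGITS = N * 8 // W    # 64 digits for a 256-bit digest
CHECK_DIGITS = 3           # holds the checksum, at most 64 * 15 = 960 < 16^3

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(value: bytes, steps: int) -> bytes:
    """Walk `steps` links along a hash chain."""
    for _ in range(steps):
        value = H(value)
    return value

def digits(message: bytes) -> list:
    """Hash the message, split into base-2^W digits, append checksum digits."""
    digest = H(message)
    msg = [(b >> s) & (BASE - 1) for b in digest for s in range(8 - W, -1, -W)]
    # Checksum: raising any message digit lowers some checksum digit, so a forger who
    # only holds one signature cannot move every chain forward to a new message.
    csum = sum((BASE - 1) - d for d in msg)
    chk = [(csum >> (W * i)) & (BASE - 1) for i in reversed(range(CHECK_DIGITS))]
    return msg + chk

def keygen(seed: bytes):
    """Secrets derived from a seed (for determinism); public key = end of every chain."""
    sk = [H(seed + i.to_bytes(2, "little")) for i in range(MSG_DIGITS + CHECK_DIGITS)]
    pk = [chain(s, BASE - 1) for s in sk]
    return sk, pk

def sign(sk: list, message: bytes) -> list:
    """Signature component i = secret i hashed d_i times."""
    return [chain(s, d) for s, d in zip(sk, digits(message))]

def verify(pk: list, message: bytes, sig: list) -> bool:
    """Finish each chain (2^W - 1 - d_i more steps) and compare with the public key."""
    if len(sig) != len(pk):
        return False
    return all(chain(s, BASE - 1 - d) == p for s, p, d in zip(sig, pk, digits(message)))

def chains_exposed_by_reuse(first: bytes, second: bytes) -> int:
    """Number of chains where a second signature reveals an earlier (more secret) link
    than the first did: this is the leakage behind the one-time rule."""
    return sum(1 for a, b in zip(digits(first), digits(second)) if b < a)

def signature_bytes(sig: list) -> int:
    return sum(len(s) for s in sig)
```

With these parameters a signature is 67 chains × 32 bytes = 2,144 bytes, well over the 1,232-byte transaction limit, which is exactly why the deployed vault truncates the hash output and tunes w.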

Why WOTS for Solana?

Several properties make WOTS particularly well-suited to Solana’s current constraints:

  • No protocol changes required. The vault operates as a standard Solana program. No SIMDs, no validator upgrades, no governance votes. It works today, on mainnet, with the runtime as it currently exists.
  • Fits within current transaction limits. Our implementation uses truncated SHA-256 with a carefully tuned Winternitz parameter to produce signatures that fit within Solana’s current 1,232-byte transaction size limit, providing 176 bits of post-quantum security. For reference, this is still greater than the effective security level of a standard Ethereum address.
  • Conservative security assumptions. WOTS does not rely on any structured mathematical problem that might itself prove vulnerable to future algorithmic advances. Its sole assumption — that the hash function is irreversible — is as conservative as cryptographic assumptions get.

WOTS is also a foundational building block in larger post-quantum signature schemes such as XMSS and SPHINCS+. While they are not the most computationally efficient signature schemes for long-term use, they are entirely adequate as a life raft in the event of an unforeseen Q-day scenario, as well as a medium-term solution for users concerned about quantum risk.

Winterwallet

The Solana Winternitz Vault was our proof of concept: a simple demonstration that post-quantum cryptography on Solana is not only theoretically possible but practically deployable. Winterwallet is its production evolution — an end-to-end wallet solution consisting of an open-source Rust and TypeScript SDK, CLI, and on-chain program that work together to make quantum resistance accessible to all.

Each deposit creates a new vault secured by a fresh Winternitz keypair. The public key is hashed to derive a PDA — itself quantum-resistant — and funds are held behind a cryptographic barrier that Shor’s algorithm cannot breach. When you spend, the vault is signed and closed, and a new vault is created for the change output. The one-time constraint of WOTS is handled entirely by the wallet; users need not think about it.

Under current transaction size constraints, Winterwallet provides 176 bits of post-quantum security. With the arrival of SIMD-0296 — which increases the maximum transaction size from 1,232 bytes to 4,096 bytes and is expected to land later this year — we will be able to offer a full 256 bits of post-quantum security across all standard use cases.

If you hold significant value on Solana, whether as an individual, a protocol treasury, a token mint authority, or a multisig signer, Winterwallet represents the simplest path to quantum resistance available today. This is particularly true for upgrade authorities and signing keys that control high-value programs and mints, as these constitute the most consequential attack surface in a Q-day scenario.

The vault code is open source, the cryptography is well understood and peer reviewed, and Google’s own quantum security researchers saw fit to cite it. We are not asking anyone to take our word for it; we are inviting them to inspect the code.

PQC Migration

Winterwallet addresses the immediate need: protecting individual users and signing authorities today. The longer-term objective is network-wide PQC migration. There are broadly two scenarios to plan for.

Proactive Migration

The preferred path is migrating the network to PQC well in advance of a cryptographically relevant quantum computer becoming available. This involves several coordinated changes:

Larger transactions. SIMD-0296 proposes increasing the maximum Solana transaction size from 1,232 bytes to 4,096 bytes. This is a prerequisite for native post-quantum signatures, as even the most compact PQC schemes produce signatures and public keys that exceed the current limit. The proposal has been accepted by core engineers, is under active development, and is due to go live on mainnet this year.

New signature schemes. The most promising candidate for Solana’s post-quantum signature scheme is Falcon-512, soon to be standardized as NIST FIPS 206 (FN-DSA). Based on the GPV framework instantiated over NTRU lattices, Falcon-512 offers relatively compact public keys (~897 bytes) and signatures (~666 bytes) — substantially smaller than alternatives such as Dilithium at comparable security levels, making it the most practical fit for a bandwidth-conscious blockchain environment. It is also IBRL, as it is roughly 3x faster to verify than EdDSA signatures.

Account address migration. The 32-byte account address space can be preserved by deriving addresses from the hash of a Falcon-512 public key, maintaining compatibility with existing on-chain infrastructure while upgrading the underlying cryptographic scheme. This approach allows for an incremental rollout: new accounts can adopt PQC keypairs while a deprecation timeline is established for legacy Ed25519 signatures.

Given Solana’s throughput and upgrade cadence, this migration could be executed incrementally over one or two release cycles with minimal disruption.

Reactive Migration

If Q-day arrives sooner than anticipated — or if a sufficiently capable quantum computer is believed to be imminent — a more aggressive migration path is available. This leverages the previously discussed property of canonically derived EdDSA keypairs: the original seed is protected behind a SHA-512 hash, which remains quantum-resistant.

Migration can therefore be handled by any hash-based commit-and-reveal scheme that allows users to prove knowledge of their seed without exposing it to quantum attack. Three viable approaches:

  1. Proof-of-work commitments. Users prove knowledge of their seed by publishing a hash commitment backed by proof of work, then revealing the preimage. The computational cost makes it infeasible for an attacker to indiscriminately DoS the migration process. One-time use; reveals the preimage for re-derivation under a PQC scheme.

  2. Timelocked state bonds. Users post a bond alongside a timelocked commitment to an account. If the preimage is not revealed within the challenge window, the bond is forfeited. This makes it economically prohibitive to flood the migration process with fraudulent claims. One-time use; reveals the preimage.

  3. Post-quantum zero-knowledge proofs. Schemes such as STARKs or PQC-compatible MPC-in-the-Head (MPCitH) constructions can verify knowledge of the seed without revealing it. These carry a substantially larger proof size but offer stronger privacy guarantees.

In the most severe scenario, the network would halt, disable Ed25519 as a signature verification scheme, introduce a new transaction type supporting Falcon-512 signatures, run a migration period using one of the above schemes, and resume operations under post-quantum cryptography. Given Solana’s throughput, the entire process — from halt to fully-migrated network — could plausibly be completed in hours or days rather than the months or years many other major blockchains would require.
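An added example, not the project's code, of the commit-and-reveal idea shared by the three schemes above, tied to the EdDSA key-derivation property discussed earlier: the account address is the point clamp(SHA-512(seed)[:32]) · G, so Shor's algorithm could recover the scalar but not the seed, and a hash commitment that binds the seed to a post-quantum key, posted before the reveal, lets the owner prove knowledge of the seed without a front-runner substituting their own key. The domain-separation string and the placeholder PQ key are assumptions; the proof-of-work and bond mechanics are omitted.

```python
import hashlib

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
# Ed25519 base point in extended coordinates (X, Y, Z, T)
GX = 0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A
GY = 0x6666666666666666666666666666666666666666666666666666666666666658
G = (GX, GY, 1, GX * GY % P)

def point_add(a, b):
    """Extended twisted Edwards addition (RFC 8032 formulas)."""
    x1, y1, z1, t1 = a
    x2, y2, z2, t2 = b
    A = (y1 - x1) * (y2 - x2) % P
    B = (y1 + x1) * (y2 + x2) % P
    C = 2 * t1 * t2 * D % P
    E = 2 * z1 * z2 % P
    return ((B - A) * (E - C) % P, (E + C) * (B + A) % P,
            (E - C) * (E + C) % P, (B - A) * (B + A) % P)

def point_mul(s, p):
    q = (0, 1, 1, 0)                            # neutral element
    while s:
        if s & 1:
            q = point_add(q, p)
        p = point_add(p, p)
        s >>= 1
    return q

def ed25519_pubkey(seed: bytes) -> bytes:
    """Solana account address: compressed point of clamp(SHA-512(seed)[:32]) * G."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)     # clamping
    x, y, z, _ = point_mul(a, G)
    zinv = pow(z, P - 2, P)
    x, y = x * zinv % P, y * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def commit(seed: bytes, pq_pubkey: bytes) -> bytes:
    """Posted first: binds the secret seed to the PQ key that will own the account.
    The domain string is an assumption for this example."""
    return hashlib.sha256(b"solana-pqc-migration" + seed + pq_pubkey).digest()

def verify_reveal(account: bytes, commitment: bytes, seed: bytes, pq_pubkey: bytes) -> bool:
    """Reveal step: the seed must open the commitment and must derive the claimed account."""
    return commit(seed, pq_pubkey) == commitment and ed25519_pubkey(seed) == account
```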

What can you do today?

You do not need to wait for any of the above. If the quantum threat is within your risk horizon:

  1. Secure high-value funds with Winterwallet. Your assets sit behind Winternitz signatures that no quantum computer, present or foreseeable, can crack.
  2. Migrate signing authorities. If you control program upgrade keys, token mint authorities, or multisig signers, moving them to Winterwallet today closes the most critical supply chain attack vector on the network.
  3. Stay informed. Follow @blueshift for ongoing updates on Solana PQC tooling.

Conclusion

The quantum threat to blockchain security is real, quantifiable, and approaching, but it is likely not imminent and, for Solana, definitely not insurmountable. The network’s throughput, culture, architecture, and key-derivation properties give it many unique advantages in a PQC migration over comparable blockchains. Combined with the practical tooling Blueshift and other contributors have already built today, and a clear roadmap for future PQC migration, Solana users can be assured that core contributors are on top of the quantum threat and will keep their funds and applications safe.

© 2026 Blueshift Labs Limited