Blockchains, like other systems making use of public key cryptography, face a growing risk from advances in quantum computing.
Sufficiently powerful quantum computers can break many of the cryptographic algorithms used in these systems. In particular, an attacker could recover a user’s private key solely from knowing their public key. This does not affect all public key cryptography algorithms (some are said to be “quantum-resistant”), but it does affect the most popular ones, which are also the ones most widely deployed in blockchains.
While this doesn’t pose an acute threat against Tezos and other public blockchains today, it is prudent to put the functionality and processes in place to mitigate this risk by enabling the migration of accounts to a quantum-resistant signature scheme. Preparing early allows for necessary upgrades to signing infrastructure, custody systems, and operational tooling to be deployed within realistic timelines.
It is a case where being early has few downsides, while being late can have severe consequences, as users who fail to migrate ahead of a cryptographic break may ultimately risk losing access to their funds.
With the upcoming protocol proposal, Tezos protocol developers from Nomadic Labs, Trilitech, and Functori take a first concrete step towards quantum readiness, while continuing to fully support existing cryptographic schemes, which remain secure today.
The road to quantum resistance
Quantum readiness is not a one-off upgrade, but a progressive adaptation. Preparing the Tezos network consists of two main tracks:
- Migrating user keys to a quantum-resistant signature scheme. The technical integration is fairly straightforward, but users and tool providers must eventually adopt the new scheme, which can take time. It is technologically easy, but socially difficult.
- Migrating cryptography used in the protocol itself. This can be implemented through protocol upgrades – with no action by users – but is more challenging in terms of R&D to maintain performance. It is socially easy, but technologically more difficult.
Because of the time and coordination required, we intend to take the very first steps towards user key migration now. It gives the ecosystem time to study and adapt to the new signature scheme, while the more technically demanding protocol work is carried out.
Wallets and tool providers can begin integrating the new signature scheme, custodians and infrastructure providers can upgrade their systems with realistic timelines, and users can gain early experience with new account options before any urgency arises.
Adopting post-quantum user keys with minimal friction
The proposed approach for Tezos is to let users and wallets assign a backup post-quantum key to their accounts. This process can take place gradually, over a couple of years, and comes with minimal friction for users.
Elliptic curve signatures aren’t under threat today and, as long as that remains the case, there is no reason to introduce unnecessary friction. When advances in quantum computing create a clear and present danger, the protocol can be amended to deprecate those signatures.
The simplest approach is to let users attach multiple keys to their existing account. This would render the implicit account stateful and open the door to more advanced account abstraction. In particular, it would also allow key rotation while preserving the transaction history associated with the account, an important feature for creators and collectors on Tezos.
In summary, the proposed migration to post-quantum cryptography for user keys consists of these steps:
- Introduce a post-quantum signature scheme for Tezos (protocol U proposal)
- Introduce stateful addresses enabling new signature schemes to be attached to existing public addresses (in a future protocol proposal)
- Encourage users to add post-quantum public keys to their address at their convenience
- Deprecate elliptic curve signatures if and when there is a clear and present danger from quantum computing
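The four steps above describe a state machine: an account whose address never changes, keys of more than one scheme attached to it, and a protocol-level switch that can later refuse one scheme. The following Go program is an added illustration of that model and is not Tezos protocol code. It uses Go's standard-library Ed25519 for the scheme behind today's tz1 accounts, and a hash-based Lamport one-time signature as a stand-in for the post-quantum key, because Go's standard library has no ML-DSA-44; the names Scheme, Account, Authorize and Scenario, the constructed address string and the operation bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Scheme names a signature scheme attached to an account: "ed25519" is today's tz1 scheme,
// "lamport" stands in for ML-DSA-44 (assumption: Go's standard library has no ML-DSA).
type Scheme string
const SchemeEd25519, SchemeLamport Scheme = "ed25519", "lamport"

// Verifier is any attached public key that can check a signature over operation bytes.
type Verifier interface{ Verify(op, sig []byte) bool }
type edKey ed25519.PublicKey

func (k edKey) Verify(op, sig []byte) bool { return ed25519.Verify(ed25519.PublicKey(k), op, sig) }

// lamportKey holds 256 pairs of 32-byte values: random secrets in the signing key, their SHA-256
// hashes in the public key. Unlike ML-DSA-44 it is one-time: never sign two messages with one key.
type lamportKey [256][2][32]byte

func lamportKeygen() (sk, pk lamportKey) {
	for i := range sk {
		for b := range sk[i] {
			rand.Read(sk[i][b][:]) // crypto/rand.Read never returns an error on Go 1.24+
			pk[i][b] = sha256.Sum256(sk[i][b][:])
		}
	}
	return sk, pk
}

// lamportSign reveals, for bit i of SHA-256(msg) (most significant bit first), secret sk[i][bit].
func lamportSign(sk lamportKey, msg []byte) []byte {
	h, sig := sha256.Sum256(msg), make([]byte, 0, 256*32)
	for i := 0; i < 256; i++ {
		sig = append(sig, sk[i][h[i/8]>>(7-i%8)&1][:]...)
	}
	return sig
}

// Verify hashes every revealed secret and compares it with the public key entry for that bit.
func (pk lamportKey) Verify(msg, sig []byte) bool {
	if len(sig) != 256*32 {
		return false
	}
	h := sha256.Sum256(msg)
	for i := 0; i < 256; i++ {
		if sha256.Sum256(sig[i*32:(i+1)*32]) != pk[i][h[i/8]>>(7-i%8)&1] {
			return false
		}
	}
	return true
}

// Account is a stateful implicit account: the address stays fixed while keys of several schemes are attached.
type Account struct {
	Address string
	Keys    map[Scheme][]Verifier
}

// Authorize accepts op if an attached key of scheme verifies sig, unless the protocol has deprecated
// that scheme (the switch the text reserves for a clear and present danger from quantum computing).
func (a *Account) Authorize(deprecated map[Scheme]bool, scheme Scheme, op, sig []byte) error {
	if deprecated[scheme] {
		return fmt.Errorf("scheme %s is deprecated", scheme)
	}
	for _, k := range a.Keys[scheme] {
		if k.Verify(op, sig) {
			return nil
		}
	}
	return errors.New("no attached key of that scheme verifies the signature")
}

// Scenario replays the migration steps on a constructed account; nil means every step behaved as described.
func Scenario() error {
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	acct := &Account{Address: "tz1-constructed-example", Keys: map[Scheme][]Verifier{SchemeEd25519: {edKey(edPub)}}}
	today, later := map[Scheme]bool{}, map[Scheme]bool{SchemeEd25519: true}
	op := []byte("constructed operation bytes: transfer 1 tez")
	if err := acct.Authorize(today, SchemeEd25519, op, ed25519.Sign(edPriv, op)); err != nil {
		return fmt.Errorf("step 0, existing ed25519 key: %w", err)
	}
	lamSK, lamPK := lamportKeygen() // step 1: attach a post-quantum backup key; the address is unchanged
	acct.Keys[SchemeLamport] = []Verifier{lamPK}
	pqSig := lamportSign(lamSK, op)
	if err := acct.Authorize(today, SchemeLamport, op, pqSig); err != nil {
		return fmt.Errorf("step 1, attached pq key: %w", err)
	}
	if acct.Authorize(later, SchemeEd25519, op, ed25519.Sign(edPriv, op)) == nil { // step 2: ECC deprecated
		return errors.New("step 2, deprecated ed25519 signature still accepted")
	}
	if err := acct.Authorize(later, SchemeLamport, op, pqSig); err != nil {
		return fmt.Errorf("step 2, pq key after deprecation: %w", err)
	}
	return nil
}

func main() { fmt.Println("scenario error:", Scenario()) }
```

Scenario prints a nil error when the account behaves as the four steps describe: the existing key works before migration, the attached backup key works alongside it, and after the deprecation switch only the backup key authorizes operations. Two points the toy makes visible: authorization is keyed by scheme, so a deprecated scheme is refused before any key is consulted, and key material gets much larger (this Lamport stand-in has a 16 KiB public key and an 8 KiB signature; FIPS 204 specifies 1312-byte public keys and 2420-byte signatures for ML-DSA-44, against 32 and 64 bytes for Ed25519), which is the operation-size cost wallets and tooling have to plan for.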
What is included in the U protocol proposal?
In the upcoming protocol U proposal, we intend to lay the foundation for Tezos’ quantum readiness by implementing ML-DSA-44, a quantum-resistant signature scheme standardized by the U.S. National Institute of Standards and Technology (NIST) under FIPS 204.
To ensure both safety and practicality, the integration on Tezos relies on the libcrux-ml-dsa implementation of ML-DSA-44. This library is written in Rust, formally verified, and provides both portable and optimized implementations (using Intel AVX2 and ARM Neon vector instructions).
Notably, the performance of the portable implementation is close to that of today’s tz1 accounts, thus preserving usability while enhancing long-term security.
In the protocol, but not available yet
Given the early stage of the process, and to remove any doubts about whether users should begin to migrate now (not recommended), ML-DSA-44 support will be kept behind a feature flag – deployed in production, but not available to users yet.
The implementation covered by the feature flag is:
- tz5 accounts: Accounts using the ML-DSA-44 signature scheme will be identified by the tz5 account type. We expect account types to be merged in the future, with the numeric identifiers (1, 2, 3, 4, 5) eventually becoming meaningless.
- User operations are fully supported: transfers, smart contract originations and calls, delegation, and staking can all be authorized by tz5 accounts.
- Baking is not supported (yet): baking still requires a tz1-tz4 account
- Native multisig signing is not supported (yet): it still requires tz4 accounts
This gives the ecosystem a preview of what is being built. The feature flag will be removed once stateful addresses are live, at which point the tz5 prefix will no longer be relevant.
A foundation for the future
The upcoming U proposal will not deprecate existing signature schemes, nor does it require immediate or near-term action from users.
These changes enable the ecosystem to prepare well in advance for any future migration, all while maintaining usability, governance continuity, and compatibility with existing accounts and tools.
Tezos’ on-chain governance enables these changes to be introduced incrementally, transparently, and under community oversight, ensuring that long-term cryptographic security evolves in lockstep with ecosystem readiness.