Skip to content
Encryptorium

PQC

Solana's quantum-readiness post: what the engineering shows, what the framing softens

Andreas Renz · · 14 min read
PQC Solana Falcon Blockchain Opinion

Solana published a "Quantum Readiness" announcement this week. Two validator client teams behind the work, Anza and Jump Crypto's Firedancer, landed on Falcon independently. That is a credible engineering signal, and the post deserves credit for it. The framing around the engineering is the part worth reading carefully.

The thesis

Solana's engineering is real. The framing around it understates implementation maturity, side-channel risk, and migration mechanics, and overstates Solana's position relative to peers. Both failure modes (vendor fear-selling and L1 reassurance) skip the same step: discovery of the actual threat model. A reader who takes the post at face value will conclude that PQC migration is largely an engineering matter handled, when it is at least as much a coordination, instrumentation, and disclosure matter that has not yet been done in public. A week ago Encryptorium published a piece on PQC fear-selling. This is the inverse failure mode from the same root cause.

What the post got right

Three things in the announcement deserve credit before the rest of the read.

Two independent client teams converging on the same post-quantum signature scheme is a credible engineering signal. Anza and Firedancer both landed on Falcon (selected for NIST standardization as FN-DSA, to be published as FIPS 206, still in development) without coordinating their selection. Convergence under independent constraints is the kind of outcome you want to see when an L1 commits to a primitive. The public artifacts also show this is still early implementation work: Firedancer's open pull request is verification-focused, while Anza's work is still marked draft.

Falcon's signature compactness genuinely matters for a high-throughput chain. Common Falcon-512 / Falcon-padded encodings sit in the roughly 666–752 byte range; ML-DSA-44 signatures are 2,420 bytes. The two are not the same NIST security category (Falcon-512 is Category 1; ML-DSA-44 is Category 2 in FIPS 204), so this is not a like-for-like comparison, but it captures the engineering pressure: Falcon offers substantially smaller signatures than the more conservative ML-DSA family, which matters per-transaction at Solana's target throughput.

Hash-based primitives are genuinely post-quantum. Blueshift's Winternitz Vault is a real construct, and the security argument for hash-based one-time signatures is one of the cleanest in cryptography: it reduces to preimage resistance of the underlying hash function, against which Grover's algorithm gives only quadratic speedup. Treating that as a serious foundation, rather than as marketing, is the right starting point.

Where the framing softens the picture

Six places where the post says less than the situation calls for.

"Ahead in its preparation" overstates relative position

The post says Solana has been "early to quantum readiness" and "remains ahead in its preparation." Against Bitcoin, this is defensible only in a narrow sense: BIP-360 (Pay-to-Merkle-Root) remains a draft, with no mainnet activation, and the recent BTQ Bitcoin Quantum testnet v0.3.0 deployment in March 2026 is a third-party testnet step rather than a Bitcoin Core activation path.

Against Ethereum the claim is harder to support. The Ethereum Foundation formed a dedicated post-quantum team in January 2026, initiated by Justin Drake (a co-author of the Google Quantum AI cryptocurrency whitepaper) and led by Thomas Coratger. The team publishes a roadmap at pq.ethereum.org covering execution-layer PQ signature precompiles, consensus-layer replacement of BLS with leanXMSS aggregated via a minimal zkVM (leanVM), and account-abstraction-based migration as the off-ramp from elliptic-curve transaction authentication. ERC-4337 is the application-layer smart-account path usable today; EIP-8141 ("Frame Transaction"), drafted January 2026 by Buterin and others, is the cleaner protocol-level off-ramp under discussion. Solana is engaged. So is Ethereum, with a deeper public surface area on the migration mechanism specifically. Cardano's Key Evolving Signature scheme is forward-secure key rotation over Ed25519, not a post-quantum primitive, and is intentionally absent from this comparison.

"Ahead in preparation" is a stronger claim than "engaged in preparation." The post does not show the work that would justify it.

Public-key exposure applies here too

The post argues that "no change is required today or likely anytime soon." For confidentiality this is approximately right: Solana account balances are public, so there is no encrypted long-lived data on chain to harvest now and decrypt later in the conventional sense.

The signature-side analogue is a different issue. For normal Solana keypair accounts, the account address is the Ed25519 public key; it is not hidden behind a hash the way Bitcoin's P2PKH addresses are. Once that address appears on-chain or in transaction history, a future cryptographically relevant quantum computer could use it as offline input for key recovery against any account that has not migrated. (Program-derived addresses are a separate class: they are off-curve and have no associated private key, so they are not part of this exposure.) Solana's fast confirmation and finality window also makes the live "on-spend" attack window from the Google Quantum AI paper (where a quantum attacker derives the private key from a broadcast public key faster than the transaction settles) much less relevant: current Solana payment guidance describes confirmation in roughly 1–2 seconds and full finalization around 13 seconds, far below the paper's Bitcoin-scale attack window. The structural exposure is what remains: dormant accounts whose owners may not return to migrate. Bitcoin faces the same shape of exposure with reused-pubkey inputs and pre-Taproot outputs; we covered it in an earlier walk-through of the Google paper.

"No change is required today" applies to confidentiality and to live transaction front-running. It does not apply to long-lived account keys whose owners may not return to migrate them. That is a different planning horizon, and the post does not separate the two.

"Quick" hides the real migration problem

The post promises "manageable" migration and a transition that "can happen quickly when the time is right." The cryptography is the easy part. The mechanics are the hard part.

A migration from Ed25519 to Falcon on a chain with millions of active signing keys (plus a much larger account surface of PDAs, associated token accounts, program-owned state, and other state containers) has a small set of available mechanisms: an opt-in window where both signature schemes remain valid for old accounts; a new account scheme that coexists with the legacy one (the pattern Bitcoin used for SegWit and Taproot); or a hard fork that invalidates Ed25519 signing past a deadline. This is illustrative, not exhaustive, but any credible roadmap has to choose some combination of these mechanics. The opt-in window leaves residual exposure for users who do not act, and historically most users do not. A coexisting new-account scheme leaves the same residual exposure and adds a continuous administrative cost as long as both schemes are live. The hard fork forces coordination across exchanges, custodians, wallets, validator clients, and dApp integrations on a chain whose advertised strength is throughput.

The phased roadmap names the order: continue research, adopt PQ schemes for new wallets, migrate existing wallets. It does not name the mechanism for any of those steps. "Quick" is a property of the cryptography. The migration mechanism is what determines whether the transition is quick or not, and the post is silent on it.

The Winternitz Vault is scope-limited

The post describes Blueshift's Winternitz Vault as "one of the few quantum-resistant primitives shipped and in use on any major blockchain today," in place for "over two years." Both halves are technically true. The framing invites the reader to infer something the design does not provide.

The Vault is a Winternitz one-time signature (WOTS) construct deployed as a separate vault contract, not as a replacement for normal Solana account signing. Each WOTS signature reveals intermediate hash-chain values; reusing the same key leaks additional material, so the safe pattern is one-time use, and the construct enforces a fresh-vault-per-spend flow: the user closes one vault and opens a new one with each transaction. This is sound for cold-storage with very low signing frequency. It is not, and does not claim to be, a general-purpose account signing primitive.

Calling the Vault "one of the few quantum-resistant primitives shipped on any major blockchain" is correct in the same sense that calling a quantum-safe escrow address quantum-safe is correct: it covers the scope it covers. It does not extend to the much larger surface of Ed25519 accounts the announcement is also discussing.

Falcon's implementation hazards are absent from the post

Falcon is a strong scheme on paper. It is also one of the more demanding NIST-selected signature schemes to implement safely. The signing path requires Gaussian sampling over a discrete distribution, typically implemented in floating-point arithmetic for performance. NIST's Round-3 selection report flagged the difficulty of secure floating-point implementations, and FIPS 206 is not yet finalized; NIST's 2025 status material described the Initial Public Draft as essentially written and awaiting approval, while emphasizing that FN-DSA's signing and key-generation paths create validation and side-channel challenges.

The academic literature has been pointing at this for years. Karabulut and Aysu's "Falcon Down" (IACR ePrint 2021/772) recovered Falcon secret keys via electromagnetic side-channel measurements on FFT multiplications. Guerreau, Martinelli, Ricosset, and Rossi's "The Hidden Parallelepiped Is Back Again" (IACR ePrint 2022/057) demonstrated power-analysis recovery of base-sampler output. More recent work, including ePrint 2025/146 ("SHIFT SNARE") and 2025/351 on Gaussian-sampler power analysis with countermeasures, extends the attack surface around Falcon implementation paths. None of these results demolish Falcon as a scheme. They do demolish the idea that Falcon signing can be treated as routine plumbing: production use needs hardened constant-time behavior, side-channel and fault countermeasures for signing devices, and careful handling of native or emulated floating-point paths.

The validator side and the wallet side have asymmetric exposure here. Validators verify signatures and do not hold user keys; verification uses no floating-point arithmetic in FN-DSA, and side-channel attacks on the verification path do not lead to key recovery. Signing is what the side-channel literature targets, and signing happens in user wallets, including hardware wallets and secure-element devices, where hardware vendors have publicly noted the difficulty of integrating Falcon into constrained signing environments. The Solana announcement does not specify the wallet-side signing implementation, whether signing will use native or emulated floating point, what side-channel or fault countermeasures will be required, or what external review will cover that path. Firedancer's open pull request is verification-focused; the side-channel hazards above target signing and key-generation paths, so that public artifact cannot answer them. "Initial implementations on GitHub" is the appropriate stage for this work to be at. It is not the stage at which a public "ready" framing is yet defensible, particularly when the unsolved hardening lives in client software the announcement does not discuss.

Performance reassurance needs migration-level benchmarks

"Network performance is not expected to see a meaningful impact" is the kind of claim a reader should expect numbers underneath. The announcement does not publish the benchmark a validator operator actually needs.

Ed25519 verification is fast and well-characterized, with sigverify parallelization built into Solana's runtime. Falcon-512 verification is more expensive, and the cost depends on the lattice arithmetic implementation, the verifier's CPU, and how aggressively signatures are batched. Firedancer's open pull request includes useful microbenchmarks and backtest-style numbers for verification timing. Microbenchmarks are not the same artifact as a migration-level performance disclosure across validator hardware, client implementations, batching assumptions, and sustained target throughput.

The wire format makes the size pressure concrete. Solana's documented transaction size limit is 1,232 bytes (a single MTU minus headers), and a current Ed25519 signature is 64 bytes. A 666-byte Falcon signature consumes more than half of the transaction envelope by itself; multi-signer transactions (multisig, fee payer plus authority, etc.) start to hit the limit fast. The figure a Solana validator operator would want is a per-block verification budget at target throughput, how many Falcon signatures per second a node can verify, where the bottleneck moves under sustained load, how block propagation via Turbine behaves with 666-byte signatures, and how that compares to current Ed25519 numbers on the same hardware.

Without those numbers, "not expected to see a meaningful impact" is an assurance, not a measurement. The two are different artifacts.

The counterargument

The strongest objection to this read is that surfacing side-channel risk and missing benchmarks before a chain has migrated is itself premature: the engineering is in the right phase, and demanding production-ready disclosures from initial implementations is a category error.

That is partly fair. Early-stage prototypes are precisely where these hazards should be surfaced internally. The disconnect is between the engineering stage and the public framing. "Initial implementations on GitHub" is honest. "Ahead in its preparation" sitting next to it is not. The fix is not to rush the engineering. It is to match the public framing to the engineering stage. Engaged, prototyping, surfacing implementation hazards in the open. That description is more useful to readers than ahead, manageable, quick, and not expected to have impact.

The takeaway

Three concrete reads.

For Solana watchers. The engineering is credible. The post's confidence is ahead of the engineering. Track Anza's and Firedancer's commit history, their disclosure of side-channel posture, and the published verification benchmarks at target throughput. The announcement is not the artifact to track.

For other L1 communications teams. Reassurance and fear-selling are the same anti-pattern from opposite ends. Both substitute confidence for discovery. The defensible posture is to publish what has been measured (signature size, verification cost at target throughput, side-channel posture, migration mechanism) and to acknowledge what has not.

For practitioners reading any "quantum-ready" announcement. Ask the same questions you would ask of an "AES-256" marketing line: which mode, which library, which side-channel posture, which key lifecycle, which migration mechanism. Marketing is downstream of those answers. If marketing arrives first, the answers are not yet there.

Sources:

  1. Solana, "Quantum Readiness", Solana News, April 2026.
  2. Anza, anza-xyz/solana-sdk PR #537: "implement falcon from liboqs", draft Falcon implementation, GitHub.
  3. Firedancer, firedancer-io/firedancer PR #9446: "ballet: implement falcon signature verification", open Falcon verification pull request, GitHub.
  4. NIST, "Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process", NIST IR 8413 (rev), July 2022.
  5. NIST, Post-Quantum Cryptography Standardization (FIPS 206 / FN-DSA, in development), CSRC project page, accessed April 2026.
  6. Ray Perlner (NIST), "FIPS 206 Status Update", 6th PQC Standardization Conference, September 2025.
  7. NIST, FIPS 204: Module-Lattice-Based Digital Signature Standard, August 2024.
  8. Open Quantum Safe, Falcon parameter table, liboqs documentation.
  9. Karabulut and Aysu, "FALCON Down: Breaking FALCON Post-Quantum Signature Scheme through Side-Channel Attacks", IACR ePrint 2021/772.
  10. Guerreau, Martinelli, Ricosset, and Rossi, "The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon", IACR ePrint 2022/057, TCHES 2022.
  11. "SHIFT SNARE: Uncovering Secret Keys in FALCON via Single-Trace Analysis", IACR ePrint 2025/146.
  12. "Thorough Power Analysis on Falcon Gaussian Samplers and Practical Countermeasure", IACR ePrint 2025/351.
  13. Yannick Seurin and Alain Magazin (Ledger Donjon), "Quantum Computing's Threat to Blockchain: The Enduring Need for Secure Keys", Ledger blog, 26 February 2026.
  14. Dean Little, "Quantum-Proofing Solana", Blueshift research, 27 April 2026.
  15. Blueshift, solana-winternitz-vault repository, GitHub.
  16. Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, BIP-360 "Pay-to-Merkle-Root", Bitcoin Improvement Proposal, draft.
  17. BTQ Technologies, "BTQ Technologies Announces First Deployment of BIP-360 on Bitcoin Quantum Testnet v0.3.0", PR Newswire, March 2026.
  18. Ethereum Foundation, Post-Quantum Ethereum roadmap, accessed April 2026.
  19. Buterin et al., EIP-8141: Frame Transaction, Ethereum Improvement Proposal, draft, January 2026.
  20. Babbush et al. (Google Quantum AI, with Stanford, UC Berkeley, and Ethereum Foundation), "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities", 31 March 2026.
  21. Solana, Transactions documentation, accessed April 2026 (1,232-byte transaction limit, 64-byte Ed25519 signatures).
  22. Solana, Verification Tools, accept-payments documentation, accessed April 2026 (1–2 second confirmed commitment, ~13 second finalized commitment for high-value transactions).
  23. Solana, Confirmation and expiration guide, accessed April 2026 (32-slot ≈ 13-second gap between confirmed and finalized).
  24. Solana, Account structure documentation, accessed April 2026 (account address is either an Ed25519 public key or a PDA).
  25. Solana, Program Derived Addresses documentation, accessed April 2026 (PDAs are off-curve and have no associated private key).
  26. Coindesk, "Solana Developers Outline Plan to Protect Network from Quantum Threats", 27 April 2026.
  27. Cointelegraph, "Solana Clients Introduce Post-Quantum Solution Falcon", 27 April 2026.
  28. Coindesk, "Ethereum Foundation Makes Post-Quantum Security a Top Priority as New Team Forms", 24 January 2026.