Tezos Post-Quantum Migration: Roadmap, Risks, and Options for Holders

Tezos post-quantum migration is one of the more technically nuanced questions in the layer-1 blockchain space right now. As quantum computing advances and NIST finalises its post-quantum cryptography (PQC) standards, every proof-of-stake network using classical elliptic-curve signatures faces the same existential question: when quantum computers can break ECDSA or Ed25519, what happens to user funds? This article examines where Tezos stands today, what a credible migration path would actually require, and what holders can do in the interim to manage quantum-era risk.

Where Tezos Stands on Post-Quantum Security Today

Tezos currently uses Ed25519 as its default signature scheme, with optional support for secp256k1 and P-256 (secp256r1). All three are elliptic-curve cryptography (ECC) schemes. All three are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer, sometimes called a cryptographically relevant quantum computer (CRQC).

As of mid-2025, there is no public, formal post-quantum migration plan on the Tezos roadmap. The Tezos Foundation and core development entities (Nomadic Labs, TriliTech, Marigold, Functori) have not published a PQC-specific upgrade proposal in any active Tezos Improvement Proposal (TZIP) or governance amendment. Researchers and community members have raised the topic in forums and Discord channels, but it has not progressed to a scheduled protocol upgrade.

That is not unique to Tezos. Ethereum, Solana, Cardano, and most other major layer-1 networks are in a broadly similar position: aware of the quantum threat, but without a deployed or formally scheduled migration. The difference that matters is timeline and governance agility.

Why Ed25519 Is Not Quantum-Safe

Ed25519 is based on the Curve25519 elliptic curve. Its security assumption is that the discrete logarithm problem on that curve is computationally hard. Shor's algorithm solves the discrete logarithm problem in polynomial time on a quantum computer. A CRQC with roughly 2,000–4,000 stable logical qubits could, in theory, derive a private key from a public key exposed on-chain. Every address that has ever signed a transaction has an exposed public key, making it a priority target.

The current most optimistic academic timelines for a CRQC capable of breaking 256-bit ECC range from 2030 to 2040, though most mainstream assessments place the realistic window further out. The uncertainty itself is the risk: if the event arrives ahead of schedule and a network has no migration in place, there is no orderly fallback.

What NIST PQC Standardisation Means for Blockchains

In August 2024, NIST finalised its first three post-quantum cryptographic standards:

For blockchains, the relevant primitives are signature schemes, specifically ML-DSA and SLH-DSA. These are the algorithms that would need to replace Ed25519 in a protocol like Tezos. NIST's finalisation gives protocol developers a stable, audited target to build toward. The absence of an excuse not to plan has arguably grown.

---

What a Tezos Post-Quantum Migration Would Actually Involve

A genuine post-quantum migration for Tezos is not a simple parameter change. It is a multi-layer cryptographic and governance operation. Understanding the components clarifies why it is both urgent and slow.

1. Signature Scheme Replacement at the Protocol Layer

Tezos would need to add one or more PQC signature algorithms to the protocol's supported signature types. The protocol already supports multiple schemes (Ed25519, secp256k1, P-256), so the *architecture* for multi-scheme support exists. Adding ML-DSA or SLH-DSA is theoretically possible via a standard Tezos governance amendment.

Key considerations:

2. Address Migration for Existing Holders

This is the hardest part. Tezos addresses are derived from public keys, which are derived from private keys. A user's current tz1 (Ed25519), tz2 (secp256k1), or tz3 (P-256) address cannot simply be "upgraded." The private key controlling that address cannot produce a PQC signature.

Migration requires each holder to:

  1. Generate a new PQC key pair using the approved algorithm.
  2. Create a new PQC-derived address.
  3. Sign and broadcast a self-transfer moving all funds and delegations to the new address, before a CRQC exists that could front-run that transaction.

The last point is critical. The window between a network enabling PQC addresses and a CRQC becoming operational is the window in which migration must happen. Anyone who does not migrate in time, or whose private key is compromised during the migration transaction broadcast, loses funds.

3. Baker and Consensus Layer Changes

Tezos uses Tenderbake (BFT-based) consensus with bakers signing blocks using their registered consensus keys. Bakers would need to:

Baker coordination adds operational complexity beyond what individual holders face.

4. Governance Process

Tezos's on-chain governance requires a five-period amendment process (proposal, exploration, cooldown, promotion, adoption) spanning roughly 40 days per cycle, or around five months end-to-end for a major protocol change. This is an advantage: changes are deliberate and community-ratified. It is also a constraint: a rushed emergency migration is structurally difficult. The governance timeline reinforces the case for planning well ahead of any perceived quantum threat.

---

Comparing Post-Quantum Readiness: Tezos vs. Peers

The table below summarises the publicly known PQC status of major layer-1 networks as of mid-2025. Absence of a public plan is noted factually and is not intended as criticism of any project.

NetworkDefault SignaturePQC Plan StatusNotable Activity
**Tezos**Ed25519No public planCommunity discussion only
**Ethereum**secp256k1 (ECDSA)EIP-7212 / account abstraction researchVitalik Buterin recovery-focused blog post (2024)
**Bitcoin**secp256k1 (ECDSA/Schnorr)No formal BIPAcademic proposals (e.g., quantum-resistant address types)
**Cardano**Ed25519Informal research phaseIOHK published PQC research papers
**Algorand**Ed25519No formal planState proofs use Falcon (NIST alternate) for bridges
**QRL**XMSS (hash-based)Already PQC-nativePurpose-built for quantum resistance from genesis
**BMIC**Lattice-based (NIST PQC-aligned)Live, presale-stagePurpose-built post-quantum wallet + token

The table illustrates that Tezos is in the middle of the pack: not lagging uniquely, but not leading either. Networks that built PQC in from genesis (QRL, BMIC) avoid the migration problem entirely. Legacy networks must retrofit, which is harder.

---

Interim Options for Tezos Holders Concerned About Quantum Risk

Given that a formal migration is not imminent, holders who want to manage quantum risk today have several practical strategies.

Use Unexposed Addresses Where Possible

An elliptic-curve public key is only exposed on-chain when you *sign a transaction*. A Tezos address that has only ever *received* funds, with no outgoing transactions, has not exposed its public key. These are sometimes called zero-spend addresses. Keeping long-term holdings in a freshly generated address that has never signed anything reduces the window of vulnerability.

This is not a long-term solution, because you must eventually sign to move funds, but it reduces surface area.

Monitor TZIP and Governance Forums Actively

The Tezos governance process provides early signals. Watch:

When a credible PQC proposal enters the governance pipeline, you will need lead time to migrate before any activation deadline.

Diversify Into Purpose-Built PQC Solutions

Some holders treat quantum risk as a portfolio-level issue rather than a single-protocol issue. Allocating a portion of crypto holdings to networks or wallets built with post-quantum cryptography from the ground up eliminates the migration dependency entirely for that portion of the portfolio.

Hardware Wallet Readiness

Hardware wallet manufacturers (Ledger, Trezor) will need to ship firmware supporting PQC key generation and signing before holders can use PQC Tezos addresses, even if the protocol enables them. Confirm your hardware wallet vendor's PQC roadmap before assuming a migration will be seamless.

---

What a Best-Case Tezos PQC Timeline Might Look Like

While no formal timeline exists, a realistic best-case scenario, assuming community will and developer resources align, might run roughly as follows:

  1. 2025-2026: Community-driven TZIP proposal drafted, academic and security review phase begins.
  2. 2026-2027: Testnet deployment of PQC signature support, wallet and baker tooling development.
  3. 2027-2028: Governance amendment cycle, mainnet activation, PQC addresses available.
  4. 2028-2030: Migration window, old-scheme addresses deprecated with final sunset.

This is analyst scenario modelling, not a confirmed roadmap. It assumes no CRQC threat materialises before 2030, which most expert consensus currently supports, but does not guarantee.

---

Key Takeaways

Frequently Asked Questions

Is Tezos quantum-safe right now?

No. Tezos relies on Ed25519 and other elliptic-curve signature schemes, all of which are vulnerable to Shor's algorithm running on a cryptographically relevant quantum computer. There is no post-quantum upgrade currently deployed or formally scheduled.

Has the Tezos Foundation announced a post-quantum roadmap?

As of mid-2025, no public, formal post-quantum migration plan has been announced by the Tezos Foundation, Nomadic Labs, or any other core development team. The topic has appeared in community discussion but has not advanced to a formal TZIP or governance amendment.

What signature algorithm would Tezos likely adopt for post-quantum security?

The most likely candidates are NIST-standardised schemes: ML-DSA (CRYSTALS-Dilithium) or SLH-DSA (SPHINCS+). Both are finalised NIST standards. ML-DSA offers smaller keys and signatures than SLH-DSA, making it more practical for high-frequency on-chain use, though both are significantly larger than Ed25519.

Do I need to move my XTZ to a new address if Tezos adds post-quantum support?

Yes. Existing addresses are derived from classical key pairs and cannot be upgraded in place. You would need to generate a new PQC key pair, create a new PQC-derived address, and sign a transfer from your old address to the new one. This must be done before a quantum computer capable of breaking your current key exists.

What can I do now to reduce quantum risk as a Tezos holder?

Three practical steps: (1) Keep long-term holdings in addresses that have never signed a transaction, to avoid exposing the public key on-chain. (2) Monitor the TZIP repository and Tezos Agora governance forum for any PQC proposals entering the pipeline. (3) Consider allocating part of your crypto portfolio to networks or wallets purpose-built with post-quantum cryptography, which eliminates migration dependency for that portion.

How long would a Tezos post-quantum migration take once initiated?

The Tezos governance process alone takes roughly five months for a major protocol change (five amendment periods). Add testnet development, wallet tooling, baker infrastructure updates, and a user migration window, and a realistic end-to-end timeline from proposal to full migration is likely two to four years. This underscores why early planning matters.