Tezos Post-Quantum Migration: Roadmap, Risks, and Options for Holders
Tezos post-quantum migration is one of the more technically nuanced questions in the layer-1 blockchain space right now. As quantum computing advances and NIST finalises its post-quantum cryptography (PQC) standards, every proof-of-stake network using classical elliptic-curve signatures faces the same existential question: when quantum computers can break ECDSA or Ed25519, what happens to user funds? This article examines where Tezos stands today, what a credible migration path would actually require, and what holders can do in the interim to manage quantum-era risk.
Where Tezos Stands on Post-Quantum Security Today
Tezos currently uses Ed25519 as its default signature scheme, with optional support for secp256k1 and P-256 (secp256r1). All three are elliptic-curve cryptography (ECC) schemes. All three are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer, sometimes called a cryptographically relevant quantum computer (CRQC).
As of mid-2025, there is no public, formal post-quantum migration plan on the Tezos roadmap. The Tezos Foundation and core development entities (Nomadic Labs, TriliTech, Marigold, Functori) have not published a PQC-specific upgrade proposal in any active Tezos Improvement Proposal (TZIP) or governance amendment. Researchers and community members have raised the topic in forums and Discord channels, but it has not progressed to a scheduled protocol upgrade.
That is not unique to Tezos. Ethereum, Solana, Cardano, and most other major layer-1 networks are in a broadly similar position: aware of the quantum threat, but without a deployed or formally scheduled migration. The difference that matters is timeline and governance agility.
Why Ed25519 Is Not Quantum-Safe
Ed25519 is based on the Curve25519 elliptic curve. Its security assumption is that the discrete logarithm problem on that curve is computationally hard. Shor's algorithm solves the discrete logarithm problem in polynomial time on a quantum computer. A CRQC with roughly 2,000–4,000 stable logical qubits could, in theory, derive a private key from a public key exposed on-chain. Every address that has ever signed a transaction has an exposed public key, making it a priority target.
The current most optimistic academic timelines for a CRQC capable of breaking 256-bit ECC range from 2030 to 2040, though most mainstream assessments place the realistic window further out. The uncertainty itself is the risk: if the event arrives ahead of schedule and a network has no migration in place, there is no orderly fallback.
What NIST PQC Standardisation Means for Blockchains
In August 2024, NIST finalised its first three post-quantum cryptographic standards:
- ML-KEM (CRYSTALS-Kyber) for key encapsulation
- ML-DSA (CRYSTALS-Dilithium) for digital signatures
- SLH-DSA (SPHINCS+) for hash-based signatures
For blockchains, the relevant primitives are signature schemes, specifically ML-DSA and SLH-DSA. These are the algorithms that would need to replace Ed25519 in a protocol like Tezos. NIST's finalisation gives protocol developers a stable, audited target to build toward. The absence of an excuse not to plan has arguably grown.
---
What a Tezos Post-Quantum Migration Would Actually Involve
A genuine post-quantum migration for Tezos is not a simple parameter change. It is a multi-layer cryptographic and governance operation. Understanding the components clarifies why it is both urgent and slow.
1. Signature Scheme Replacement at the Protocol Layer
Tezos would need to add one or more PQC signature algorithms to the protocol's supported signature types. The protocol already supports multiple schemes (Ed25519, secp256k1, P-256), so the *architecture* for multi-scheme support exists. Adding ML-DSA or SLH-DSA is theoretically possible via a standard Tezos governance amendment.
Key considerations:
- Key and signature sizes. ML-DSA-65 produces public keys of 1,952 bytes and signatures of 3,309 bytes, compared to 32 bytes and 64 bytes for Ed25519. This increases transaction size and therefore gas costs and storage requirements significantly.
- Verification speed. PQC signature verification is generally slower than ECC, which affects block production and validation throughput.
- Smart contract compatibility. Any contract that checks signatures (multisigs, DAOs, bridges) would need updating.
2. Address Migration for Existing Holders
This is the hardest part. Tezos addresses are derived from public keys, which are derived from private keys. A user's current tz1 (Ed25519), tz2 (secp256k1), or tz3 (P-256) address cannot simply be "upgraded." The private key controlling that address cannot produce a PQC signature.
Migration requires each holder to:
- Generate a new PQC key pair using the approved algorithm.
- Create a new PQC-derived address.
- Sign and broadcast a self-transfer moving all funds and delegations to the new address, before a CRQC exists that could front-run that transaction.
The last point is critical. The window between a network enabling PQC addresses and a CRQC becoming operational is the window in which migration must happen. Anyone who does not migrate in time, or whose private key is compromised during the migration transaction broadcast, loses funds.
3. Baker and Consensus Layer Changes
Tezos uses Tenderbake (BFT-based) consensus with bakers signing blocks using their registered consensus keys. Bakers would need to:
- Register new PQC consensus keys
- Update their infrastructure to support larger key and signature payloads
- Coordinate the transition to avoid missed blocks or forks
Baker coordination adds operational complexity beyond what individual holders face.
4. Governance Process
Tezos's on-chain governance requires a five-period amendment process (proposal, exploration, cooldown, promotion, adoption) spanning roughly 40 days per cycle, or around five months end-to-end for a major protocol change. This is an advantage: changes are deliberate and community-ratified. It is also a constraint: a rushed emergency migration is structurally difficult. The governance timeline reinforces the case for planning well ahead of any perceived quantum threat.
---
Comparing Post-Quantum Readiness: Tezos vs. Peers
The table below summarises the publicly known PQC status of major layer-1 networks as of mid-2025. Absence of a public plan is noted factually and is not intended as criticism of any project.
| Network | Default Signature | PQC Plan Status | Notable Activity |
|---|---|---|---|
| **Tezos** | Ed25519 | No public plan | Community discussion only |
| **Ethereum** | secp256k1 (ECDSA) | EIP-7212 / account abstraction research | Vitalik Buterin recovery-focused blog post (2024) |
| **Bitcoin** | secp256k1 (ECDSA/Schnorr) | No formal BIP | Academic proposals (e.g., quantum-resistant address types) |
| **Cardano** | Ed25519 | Informal research phase | IOHK published PQC research papers |
| **Algorand** | Ed25519 | No formal plan | State proofs use Falcon (NIST alternate) for bridges |
| **QRL** | XMSS (hash-based) | Already PQC-native | Purpose-built for quantum resistance from genesis |
| **BMIC** | Lattice-based (NIST PQC-aligned) | Live, presale-stage | Purpose-built post-quantum wallet + token |
The table illustrates that Tezos is in the middle of the pack: not lagging uniquely, but not leading either. Networks that built PQC in from genesis (QRL, BMIC) avoid the migration problem entirely. Legacy networks must retrofit, which is harder.
---
Interim Options for Tezos Holders Concerned About Quantum Risk
Given that a formal migration is not imminent, holders who want to manage quantum risk today have several practical strategies.
Use Unexposed Addresses Where Possible
An elliptic-curve public key is only exposed on-chain when you *sign a transaction*. A Tezos address that has only ever *received* funds, with no outgoing transactions, has not exposed its public key. These are sometimes called zero-spend addresses. Keeping long-term holdings in a freshly generated address that has never signed anything reduces the window of vulnerability.
This is not a long-term solution, because you must eventually sign to move funds, but it reduces surface area.
Monitor TZIP and Governance Forums Actively
The Tezos governance process provides early signals. Watch:
- TZIP repository (GitHub: tezos/tzip) for new cryptography-related proposals
- Tezos Agora governance forum for amendment discussions
- Official communications from Nomadic Labs, TriliTech, and the Tezos Foundation
When a credible PQC proposal enters the governance pipeline, you will need lead time to migrate before any activation deadline.
Diversify Into Purpose-Built PQC Solutions
Some holders treat quantum risk as a portfolio-level issue rather than a single-protocol issue. Allocating a portion of crypto holdings to networks or wallets built with post-quantum cryptography from the ground up eliminates the migration dependency entirely for that portion of the portfolio.
Hardware Wallet Readiness
Hardware wallet manufacturers (Ledger, Trezor) will need to ship firmware supporting PQC key generation and signing before holders can use PQC Tezos addresses, even if the protocol enables them. Confirm your hardware wallet vendor's PQC roadmap before assuming a migration will be seamless.
---
What a Best-Case Tezos PQC Timeline Might Look Like
While no formal timeline exists, a realistic best-case scenario, assuming community will and developer resources align, might run roughly as follows:
- 2025-2026: Community-driven TZIP proposal drafted, academic and security review phase begins.
- 2026-2027: Testnet deployment of PQC signature support, wallet and baker tooling development.
- 2027-2028: Governance amendment cycle, mainnet activation, PQC addresses available.
- 2028-2030: Migration window, old-scheme addresses deprecated with final sunset.
This is analyst scenario modelling, not a confirmed roadmap. It assumes no CRQC threat materialises before 2030, which most expert consensus currently supports, but does not guarantee.
---
Key Takeaways
- Tezos uses Ed25519, which is vulnerable to a sufficiently powerful quantum computer.
- As of mid-2025, there is no public Tezos post-quantum migration plan.
- A real migration would require protocol-level signature scheme additions, address migration by every holder, baker infrastructure updates, and a full governance cycle.
- The architecture Tezos already has (multi-scheme support, on-chain governance) is an asset; the absence of urgency is the gap.
- Holders can partially mitigate risk today through unexposed address hygiene, active governance monitoring, and diversification into natively PQC-secured solutions.
- The broader blockchain industry faces the same challenge. Tezos is neither uniquely exposed nor uniquely prepared.
Frequently Asked Questions
Is Tezos quantum-safe right now?
No. Tezos relies on Ed25519 and other elliptic-curve signature schemes, all of which are vulnerable to Shor's algorithm running on a cryptographically relevant quantum computer. There is no post-quantum upgrade currently deployed or formally scheduled.
Has the Tezos Foundation announced a post-quantum roadmap?
As of mid-2025, no public, formal post-quantum migration plan has been announced by the Tezos Foundation, Nomadic Labs, or any other core development team. The topic has appeared in community discussion but has not advanced to a formal TZIP or governance amendment.
What signature algorithm would Tezos likely adopt for post-quantum security?
The most likely candidates are NIST-standardised schemes: ML-DSA (CRYSTALS-Dilithium) or SLH-DSA (SPHINCS+). Both are finalised NIST standards. ML-DSA offers smaller keys and signatures than SLH-DSA, making it more practical for high-frequency on-chain use, though both are significantly larger than Ed25519.
Do I need to move my XTZ to a new address if Tezos adds post-quantum support?
Yes. Existing addresses are derived from classical key pairs and cannot be upgraded in place. You would need to generate a new PQC key pair, create a new PQC-derived address, and sign a transfer from your old address to the new one. This must be done before a quantum computer capable of breaking your current key exists.
What can I do now to reduce quantum risk as a Tezos holder?
Three practical steps: (1) Keep long-term holdings in addresses that have never signed a transaction, to avoid exposing the public key on-chain. (2) Monitor the TZIP repository and Tezos Agora governance forum for any PQC proposals entering the pipeline. (3) Consider allocating part of your crypto portfolio to networks or wallets purpose-built with post-quantum cryptography, which eliminates migration dependency for that portion.
How long would a Tezos post-quantum migration take once initiated?
The Tezos governance process alone takes roughly five months for a major protocol change (five amendment periods). Add testnet development, wallet tooling, baker infrastructure updates, and a user migration window, and a realistic end-to-end timeline from proposal to full migration is likely two to four years. This underscores why early planning matters.