An Explanation of Post-Quantum Signature Schemes | Bitcoin 2026

BTC · Bitcoin Magazine · May 3, 2026 at 09:20 PM · 38:14

TL;DR

Faced with the threat of quantum computers, the Bitcoin ecosystem is exploring “post-quantum” signatures capable of replacing current mechanisms without compromising performance or security.

KEY POINTS

A real risk to current cryptography

Bitcoin relies on cryptographic signatures to authorize transactions. A sufficiently powerful quantum computer could break these signatures and enable transaction forgery. This prospect makes it necessary to anticipate a transition to quantum-resistant schemes.

No off-the-shelf solution

Standards defined by NIST, such as ML-DSA and SLH-DSA, do not directly meet Bitcoin’s needs. Designed for the web or software signing, they prioritize different use cases. Adopting them as-is would reduce network capacity from about 6.5 transactions per second to 0.5, because their signatures are much larger.

A wide technological spectrum

Several families of post-quantum signatures coexist:

Hash-based: very secure, fast to verify, but costly in size or management.

Lattice-based: fast but with large signatures.

Isogeny-based: compact signatures but very slow verification.

Other approaches exist, such as multivariate or code-based systems, illustrating a broad space of trade-offs.

The performance dilemma

The central issue is the balance between signature size and verification speed. A compact signature that is slow to verify can slow the entire network. Conversely, larger but faster signatures might be acceptable if protocol adjustments are made.

The appeal of hash-based signatures

These rely on simple cryptographic assumptions already used in Bitcoin via SHA-256. Their robustness is seen as a major advantage: if SHA-256 failed, Bitcoin as a whole would already be compromised, so hash-based signatures add no new assumption. Recent optimizations suggest signatures of 300 to 600 bytes, down from several kilobytes previously.

The challenge of “statefulness”

Hash-based signatures often require tracking how many times a key has been used, a limit known as a “signature budget.” Exceeding it compromises security. This requires maintaining reliable state over time, which is problematic when backups are restored or data is lost, especially on mobile devices.
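To make the “signature budget” and the SHA-256 dependency from the two points above concrete, here is an added example (not code from the talk or from any Bitcoin project): a minimal stateful signer built from Lamport one-time keys over SHA-256, which refuses to sign once its budget is spent. The key count, the `StatefulSigner` class and the simple list-of-keys public key (no Merkle tree) are assumptions made for illustration.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def msg_bits(msg):
    # Hash the message and expand the digest into 256 individual bits
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    # 256 positions x 2 secret preimages; the public key is their SHA-256 hashes
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    # Reveal one preimage per message bit. Signing a second message with the
    # same key reveals the other halves too, which is why the budget exists.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))

class StatefulSigner:
    # Holds `budget` one-time keys plus the index of the next unused one.
    # `next_index` is the state that must survive backups and restores:
    # rolling it back (e.g. restoring an old wallet backup) reuses a key.
    def __init__(self, budget):
        self.keys = [lamport_keygen() for _ in range(budget)]
        self.next_index = 0

    def public_key(self):
        return [pk for _, pk in self.keys]

    def remaining(self):
        return len(self.keys) - self.next_index

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("signature budget exhausted; keys must not be reused")
        idx = self.next_index
        self.next_index += 1  # advance (and persist) before releasing the signature
        return idx, lamport_sign(self.keys[idx][0], msg)

def verify(public_key, msg, signed):
    idx, sig = signed
    return 0 <= idx < len(public_key) and lamport_verify(public_key[idx], msg, sig)
```

Real schemes use Merkle trees and WOTS-style chains to shrink keys and signatures, but the state-management burden shown by `next_index` is the same.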

Systemic risk vs local risk

Standardized schemes introduce systemic risks, such as a global drop in network performance. Stateful signatures shift this risk to individual users, who must avoid management errors. This trade-off appeals to some researchers.

Advanced features hard to preserve

Innovations like MuSig, aggregated signatures, or certain privacy features would be difficult to reproduce with hash-based signatures without heavy techniques like multiparty computation.

The promise of isogenies

Isogeny-based signatures offer compact keys and natural compatibility with structures like BIP32. Despite renewed interest after recent mathematical advances, their maturity and security remain to be confirmed.

Gradual and uneven migration

Active actors, such as exchanges or wallet developers, are likely to migrate quickly. The main risk concerns inactive users or those reusing addresses. However, mechanisms could allow secure migration even after a threat emerges.

An uncertain timeline

The arrival of a quantum computer capable of attacking Bitcoin remains unpredictable. Some advocate rapid implementation to begin migration, while others prefer to wait for more optimized solutions, believing the network still has time.

CONCLUSION

Balancing technical constraints, security, and performance, the choice of a post-quantum scheme for Bitcoin remains open and will require major trade-offs before large-scale adoption.
