How Quantum Resistant Wallets Work

Understanding how quantum resistant wallets work is essential for anyone serious about long-term crypto security. Standard wallets rely on elliptic curve signatures (ECDSA over secp256k1, Schnorr, Ed25519) whose security rests on the discrete logarithm problem; a sufficiently powerful quantum computer could break them with Shor's algorithm, recovering a private key from its public key (RSA, used in the wider PKI rather than in wallets, falls the same way). Quantum resistant wallets replace those algorithms with post-quantum cryptographic (PQC) signature schemes whose underlying problems have no known efficient quantum algorithm. This article explains the mechanisms in precise terms: which signature schemes are used, how keys are derived, how addresses are generated, and how to tell a genuinely quantum-safe wallet from one that merely uses the label for marketing.

Why Classical Wallet Cryptography Is Vulnerable

Every standard Bitcoin or Ethereum wallet generates a private key, derives a public key from it by scalar multiplication on an elliptic curve, and then produces an address from that public key. The security assumption is that solving the elliptic curve discrete logarithm problem (ECDLP), recovering the private scalar from the public point, is computationally infeasible.

That assumption holds against classical computers. Against quantum computers it does not.

Shor's Algorithm and the ECDLP Problem

Peter Shor's 1994 algorithm solves integer factorisation and the discrete logarithm problem (including its elliptic curve form) in polynomial time on a quantum computer. Applied to ECDSA, a quantum computer with enough error-corrected qubits could derive a wallet's private key from its public key. When the public key becomes visible depends on the address type: for hash-based addresses (Bitcoin P2PKH and P2WPKH, or an Ethereum account that has never sent a transaction) it is revealed when the first spending transaction is broadcast, while a Taproot (P2TR) output carries the key in the output itself. From that moment an attacker has a window to recover the private key and sign fraudulent transactions, and for an address that has already spent, that window never closes.

Estimates for when this becomes a practical threat vary widely. Commonly cited horizons fall between 2030 and 2040, and advances in error correction could move the window earlier. The industry term is Q-day: the point at which a cryptographically relevant quantum computer (CRQC) can run Shor's algorithm against real-world key sizes.

What Grover's Algorithm Adds

Grover's algorithm provides a quadratic speedup for unstructured search, which roughly halves the effective bit strength of symmetric keys and of hash pre-image resistance: a 256-bit key or hash offers about 128 bits of security against quantum brute-force search (collision resistance degrades less). This is significant but manageable: the 256-bit keys and hashes already standard in wallets remain adequate. The severe threat is to asymmetric cryptography, where Shor's algorithm turns an exponential-time problem into a polynomial-time one, so no increase in key size can compensate.

---

The NIST PQC Standardisation Process

The U.S. National Institute of Standards and Technology (NIST) ran a multi-year competition to identify quantum-safe algorithms suitable for standardisation. In 2024, NIST finalised its first set of post-quantum standards:

| Standard | Algorithm | Type | Primary use |
|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Lattice-based | Key encapsulation |
| FIPS 204 | ML-DSA (Dilithium) | Lattice-based | Digital signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based | Digital signatures |
| FIPS 206 (draft) | FN-DSA (FALCON) | Lattice-based | Digital signatures (compact) |

For wallet applications the signature standards matter most: ML-DSA and SLH-DSA are final, and FALCON (being standardised as FN-DSA) is the compact third option. Each has different trade-offs in signature size, key size, signing speed, implementation difficulty and security assumptions.

---

PQC Signature Schemes Used in Quantum Resistant Wallets

Lattice-Based Signatures: ML-DSA and FALCON

Lattice-based schemes derive their security from the hardness of problems in high-dimensional lattices: ML-DSA from Module-LWE (Learning With Errors) and Module-SIS (Short Integer Solution), FALCON from the NTRU lattice problem and SIS. No known classical or quantum algorithm solves these efficiently at the standardised parameters.

ML-DSA (Dilithium) is the NIST primary recommendation for general use:

  - Standardised as FIPS 204 (August 2024) in three parameter sets: ML-DSA-44, ML-DSA-65 and ML-DSA-87 (NIST security categories 2, 3 and 5).
  - Public keys of 1,312 / 1,952 / 2,592 bytes and signatures of 2,420 / 3,309 / 4,627 bytes respectively.
  - Signing uses rejection sampling over bounded-uniform coefficients with integer arithmetic only, which makes constant-time implementation comparatively straightforward. FIPS 204 signs in "hedged" mode by default, mixing fresh randomness into every signature, with a deterministic mode available.
  - Key generation, signing and verification are all fast, competitive with ECDSA on general-purpose CPUs.

FALCON uses NTRU lattices and the Fast Fourier Sampling technique:

  - Selected by NIST in 2022 and being standardised as FN-DSA (FIPS 206, still in draft at the time of writing).
  - FALCON-512: public key 897 bytes, signature about 666 bytes. FALCON-1024: public key 1,793 bytes, signature about 1,280 bytes. It is the most compact lattice option and verification is very fast.
  - Signing samples discrete Gaussians in floating-point arithmetic, which is hard to implement in constant time and fragile on devices without an FPU, and key generation is comparatively expensive. This is why many implementers prefer ML-DSA despite its larger signatures.

For a wallet, the practical implication is that transactions carry signatures and public keys an order of magnitude or more larger than ECDSA's (about 71 bytes DER-encoded, or 64 bytes for a BIP340 Schnorr signature, plus a 33-byte compressed key). Blockchain networks adopting PQC must account for the increased transaction size and the fee and throughput consequences that follow.

Hash-Based Signatures: SLH-DSA (SPHINCS+)

Hash-based schemes rely only on the security of the underlying hash function, making them the most conservatively secure option. They carry no algebraic structure that could be attacked by a novel algorithm.

SLH-DSA (SPHINCS+):

  - Standardised as FIPS 205 (August 2024) with twelve parameter sets: SHA2 or SHAKE as the hash, security levels 128/192/256, and an "s" (small signature, slow signing) or "f" (fast signing, larger signature) variant of each.
  - Tiny keys: public keys of 32, 48 or 64 bytes and private keys of twice that. Signatures range from 7,856 bytes (SHA2-128s) to 49,856 bytes (256f).
  - Stateless: each signature selects a leaf of a hypertree pseudorandomly from the message and secret key, so no counter has to be persisted. The cost is signing that needs orders of magnitude more hash computations than ML-DSA, with the "s" variants slowest.
  - Security assumptions: only the pre-image, second pre-image and related properties of the underlying hash function.

Stateless hash-based signatures are attractive for wallet signing precisely because they eliminate the state-management problem of stateful schemes (XMSS, LMS). Those schemes are built from one-time keys: signing twice with the same leaf key leaks enough of the private key to forge, so the signer must reliably persist a counter across backups, restores and cloned devices, which is operationally risky for end users.
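As an added example (not code from the original article or from any wallet project), here is a minimal Lamport one-time signature over SHA-256, the primitive that XMSS and LMS organise into a tree, followed by the attack that the state requirement exists to prevent. The seed and messages are constructed for the demo; the attacker's `forge` grinds a nonce into the message the way a real attacker would vary an adjustable transaction field.

```python
"""Lamport one-time signatures (hash-based) and why signing twice with one
key, the 'state' failure of stateful schemes, lets an attacker forge."""
import hashlib

N = 256  # bits in the message digest; each bit selects one of two preimages


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def keygen(seed: bytes):
    """Expand a seed with SHAKE-256 into 2*N 32-byte preimages (the private
    key). The public key is their hashes. Deterministic, as a wallet deriving
    from a master secret would do it."""
    stream = hashlib.shake_256(seed).digest(2 * N * 32)
    sk = [(stream[64 * i:64 * i + 32], stream[64 * i + 32:64 * i + 64]) for i in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the preimage that bit selects."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


class ReuseAttacker:
    """Passive observer collecting the preimages leaked by every signature
    made with the same one-time key."""

    def __init__(self):
        self.known = [[None, None] for _ in range(N)]

    def observe(self, msg: bytes, sig) -> None:
        for i, b in enumerate(digest_bits(msg)):
            self.known[i][b] = sig[i]

    def fully_exposed_positions(self) -> int:
        """Bit positions where both preimages are known: the attacker can set
        that digest bit freely. After two signatures this is about N/2."""
        return sum(1 for a, b in self.known if a is not None and b is not None)

    def forge(self, template: bytes, max_tries: int = 10000):
        """Grind a nonce (think: an adjustable transaction field) until every
        digest bit of the forged message selects a preimage already leaked."""
        for nonce in range(max_tries):
            msg = template + nonce.to_bytes(4, "big")
            bits = digest_bits(msg)
            if all(self.known[i][b] is not None for i, b in enumerate(bits)):
                return msg, [self.known[i][b] for i, b in enumerate(bits)]
        return None


def reuse_demo(reuses: int = 10):
    """Sign `reuses` distinct messages with one key, then forge a fresh one.
    Returns (positions exposed after two signatures, forged (msg, sig) or None, pk)."""
    sk, pk = keygen(b"constructed demo seed, not a real wallet secret")
    attacker = ReuseAttacker()
    exposed_after_two = 0
    for n in range(reuses):
        msg = b"pay 1 coin to merchant #%d" % n  # constructed sample messages
        attacker.observe(msg, sign(sk, msg))
        if n == 1:
            exposed_after_two = attacker.fully_exposed_positions()
    forged = attacker.forge(b"pay all coins to attacker ")
    if forged is not None and not verify(pk, forged[0], forged[1]):
        raise AssertionError("forged signature should verify")
    return exposed_after_two, forged, pk
```

With one signature observed, `forge` fails (each try succeeds with probability 2^-256); after ten reuses each try succeeds with probability about (1 - 2^-10)^256, roughly 0.78, so the first few nonces already yield a valid forgery. XMSS and LMS avoid this only by never reusing a leaf, which is exactly the state a wallet must never lose.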

Code-Based and Other Candidates

Classic McEliece is a code-based scheme with very large public keys (from about 260 KB to over 1 MB depending on parameter set) but a track record going back to 1978. It is a key encapsulation mechanism still under evaluation in NIST's fourth round, not a signature scheme, so it is not directly relevant to wallet signing, though it is relevant to encrypted communication layers such as wallet-to-node transport.

---

Key Generation and Derivation in a Quantum Resistant Wallet

Classical HD wallets (BIP32/BIP44) derive a tree of secp256k1 key pairs from one seed. A quantum resistant wallet replaces the key generation step but can preserve the hierarchical derivation concept with a quantum-safe PRF or hash-based construction, with one limitation: BIP32's non-hardened (public) derivation, which computes child public keys from a parent public key, depends on the additive homomorphism of elliptic curve keys and has no counterpart for lattice or hash-based keys. Only hardened derivation carries over, so a watch-only wallet needs the individual public keys exported rather than an xpub.

Seed and Entropy

The process begins identically to a classical wallet: a high-entropy seed (typically 256 bits) is generated from a CSPRNG and used to derive a master secret. PQC schemes, like classical ones, rest entirely on the secrecy of that seed, so the entropy requirement is unchanged: a full 256 bits, and a BIP39-style mnemonic backup works exactly as before.

PQC Key Pair Generation

From the master secret, the wallet derives one or more PQC key pairs using the target algorithm's key generation procedure:

  1. Expand the master seed with a hash function (e.g., SHAKE-256) into the fixed-size seed the target algorithm's key generation consumes (a 32-byte seed ξ for ML-DSA; SK.seed, SK.prf and PK.seed for SLH-DSA).
  2. Run the PQC `KeyGen()` function on that seed to produce a public key `pk` and private key `sk`.
  3. Store `sk` securely (encrypted at rest, ideally inside a hardware security element). Because `KeyGen()` is deterministic for a given seed, the seed alone is sufficient for recovery.
  4. Derive the wallet address from `pk`.

For ML-DSA and FALCON, key generation involves sampling polynomial coefficients from specific distributions: bounded-uniform for ML-DSA, discrete Gaussian over an NTRU lattice for FALCON. The randomness quality is critical: weak entropy during key generation undermines all downstream security guarantees, exactly as a weak ECDSA seed does.
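The derivation steps above, as an added example that is not the article's code or any wallet project's. It uses HMAC-SHA512 in the BIP32 shape with the key string "PQC wallet seed" and the path layout m/<account>'/<index>' as assumptions, enforces hardened-only derivation, and implements only the seed-expansion step of FIPS 204 ML-DSA.KeyGen_internal; the lattice arithmetic that follows (matrix expansion, secret sampling, NTT) must come from a real ML-DSA library.

```python
"""Hardened-only hierarchical seed derivation for PQC key pairs, plus the seed
expansion that opens FIPS 204 ML-DSA.KeyGen_internal. Feed `xi` to a real
ML-DSA implementation; the lattice arithmetic is not reproduced here."""
import hashlib
import hmac

HARDENED = 1 << 31


def master_from_seed(seed: bytes):
    """Split a 256-bit CSPRNG seed into master secret + chain code. Same shape
    as BIP32; the key string is an assumption of this example."""
    if len(seed) < 32:
        raise ValueError("seed must carry at least 256 bits of entropy")
    i = hmac.new(b"PQC wallet seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def child(secret: bytes, chain: bytes, index: int):
    """Hardened child only. BIP32's non-hardened mode derives a child public
    key from the parent public key (pk_child = pk_parent + t*G); lattice and
    hash-based keys have no such homomorphism, so that mode does not exist."""
    if not HARDENED <= index < (1 << 32):
        raise ValueError("PQC derivation must be hardened (index >= 2^31)")
    data = b"\x00" + secret + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return i[:32], i[32:]


def derive_seed(seed: bytes, path: str) -> bytes:
    """Walk a path such as m/0'/3' and return the 32-byte seed at that leaf."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    secret, chain = master_from_seed(seed)
    for part in parts[1:]:
        if not part or part[-1] not in "'h":
            raise ValueError("non-hardened path element %r not supported" % part)
        secret, chain = child(secret, chain, int(part[:-1]) + HARDENED)
    return secret


def mldsa_expand_seed(xi: bytes, k: int = 4, l: int = 4):
    """FIPS 204 ML-DSA.KeyGen_internal, first step:
        (rho, rho', K) = SHAKE-256(xi || k || l, 128 bytes)
    rho seeds the public matrix A, rho' the secret vectors s1/s2, K the signing
    key. (k, l) = (4, 4) is ML-DSA-44, (6, 5) ML-DSA-65, (8, 7) ML-DSA-87."""
    if len(xi) != 32:
        raise ValueError("xi must be exactly 32 bytes")
    h = hashlib.shake_256(xi + bytes([k, l])).digest(128)
    return h[:32], h[32:96], h[96:128]


def account_keygen_inputs(seed: bytes, account: int, key_index: int):
    """Per-key seed for the wallet layout m/<account>'/<index>' (an assumption),
    together with the (rho, rho', K) triple ML-DSA-44 KeyGen would continue from."""
    xi = derive_seed(seed, "m/%d'/%d'" % (account, key_index))
    return xi, mldsa_expand_seed(xi)
```

Two properties worth checking in any real implementation: the same path always yields the same seed (so backups restore every key), and sibling seeds are unrelated, so revealing one key's `pk` on-chain says nothing about the next address.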

Address Derivation

In a quantum resistant wallet, the address is derived from the PQC public key rather than an EC public key. The derivation typically follows:

```
address = Encode( Hash( pk ) )
```

Where `Hash` is a collision-resistant function (e.g., SHA3-256 or BLAKE3) and `Encode` applies the network's address encoding scheme (e.g., Bech32 or a custom format). The hash step is important: it means even if the public key is large, the address remains compact. It also provides one additional layer of security via pre-image resistance.

A subtlety: once a PQC address is used and the public key is revealed on-chain, the on-chain security relies entirely on the PQC signature scheme. The hash pre-image security no longer applies. This mirrors the classical wallet situation, reinforcing the general best practice of not reusing addresses.
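The hash-then-encode address rule above, as an added example that is not the article's code or any network's: SHA3-256 of the public key, Bech32m-encoded per BIP 350, with the human-readable part "pq" as an assumption. The public-key byte strings in the usage are constructed filler at the real ML-DSA-44 (1,312 bytes) and SLH-DSA (32 bytes) public-key sizes, and `pk_matches_address` is the check a node would run once a spend reveals `pk`.

```python
"""Address = Bech32m(HRP, SHA3-256(pk)) for a PQC public key of any size, and
the verifier-side check once the key is revealed. Bech32m per BIP 350."""
import hashlib
import hmac

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup bits (8->5 to encode, 5->8 to decode). Returns None when
    decoding leaves non-zero padding, which BIP 173/350 forbid."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def bech32m_encode(hrp, data5):
    polymod = _polymod(_hrp_expand(hrp) + data5 + [0] * 6) ^ BECH32M_CONST
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data5 + checksum)


def bech32m_decode(addr):
    """Return (hrp, data5) or None on bad case, charset or checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return None
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr):
        return None
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        return None
    data5 = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data5) != BECH32M_CONST:
        return None
    return hrp, data5[:-6]


def address_from_pk(pk: bytes, hrp: str = "pq") -> str:
    """Hash first, so the payload is 32 bytes whether pk is 32 or 2,592 bytes."""
    digest = hashlib.sha3_256(pk).digest()
    return bech32m_encode(hrp, _convertbits(digest, 8, 5))


def pk_matches_address(pk: bytes, addr: str, hrp: str = "pq") -> bool:
    """What a verifier does when a spend reveals pk: recompute the hash and
    compare in constant time. From here on, security rests on the signature
    scheme, not on pre-image resistance of the address."""
    decoded = bech32m_decode(addr)
    if decoded is None or decoded[0] != hrp:
        return False
    payload = _convertbits(decoded[1], 5, 8, pad=False)
    if payload is None or len(payload) != 32:
        return False
    return hmac.compare_digest(bytes(payload), hashlib.sha3_256(pk).digest())
```

Because the hash fixes the payload at 32 bytes, an ML-DSA-44 address and an SLH-DSA address come out the same length (61 characters here); the size difference only appears on the wire, when the spend reveals `pk` and its signature.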

---

What Makes a Wallet Genuinely Quantum Safe vs. Marketing

The phrase "quantum resistant" has appeared in marketing copy for products that do not implement any recognised PQC algorithms. Here is how to evaluate claims rigorously.

Genuine Quantum Resistance: The Checklist

  1. A specific, named PQC algorithm and parameter set (for example ML-DSA-65, SLH-DSA-SHAKE-128s or FALCON-512), not generic "quantum-grade" language.
  2. Publicly available source code for the signing path that can be independently reviewed, preferably built on a widely used PQC implementation rather than a bespoke one.
  3. A cryptographic audit by a recognised third-party security firm that covers the PQC implementation, including its side-channel behaviour.
  4. Confirmation that a PQC signature is actually required to authorise a spend: ECDSA or RSA is not the sole scheme in the core signing path, and if a classical scheme is present in a hybrid design, the documentation says so explicitly.

Red Flags to Watch For

  - A "quantum resistant" claim with no algorithm or parameter set named, or a home-grown scheme that has not been through public analysis.
  - Closed-source signing code, or an audit that cannot be read.
  - Quantum safety claimed for an ordinary hash-based address type (P2PKH, P2WPKH): pre-image resistance protects an unspent address only until the first spend reveals the public key.
  - A wallet on Bitcoin or Ethereum that claims on-chain quantum resistance today, when those networks still validate only classical signatures.
  - Transaction sizes and fees identical to a classical wallet's: a PQC signature is at least several hundred bytes, so an unchanged footprint means no PQC signature is on the wire.

Hybrid Schemes: Transitional but Not Fully Quantum Safe

Several projects implement hybrid signatures, combining an ECDSA signature with a PQC signature so that an attacker must break both to forge a transaction. This is a reasonable transitional approach endorsed by bodies including ETSI and NIST for the migration period, and it has a second benefit: if the new PQC implementation turns out to have a bug or an unexpected cryptanalytic weakness, the classical component still holds against classical attackers. However, a hybrid scheme is only as quantum resistant as its PQC component. The ECDSA component adds no security against a quantum adversary; it adds only classical security for the present.

One project building directly on this challenge is BMIC.ai, which implements lattice-based, NIST PQC-aligned cryptography in its wallet architecture, aiming to protect holdings against Q-day without relying on classical ECDSA as a fallback.

---

Hardware Wallets and Quantum Resistance

Current hardware wallets (Ledger, Trezor, Coldcard) sign with elliptic curve schemes (secp256k1 ECDSA and Schnorr, Ed25519 for some chains). Their secure elements and microcontrollers store and use classical keys. They are not quantum resistant.

Migrating hardware wallets to PQC involves challenges beyond software:

  - Memory and compute: ML-DSA signing needs tens of kilobytes of RAM and far more code space than ECDSA, and SLH-DSA signing performs orders of magnitude more hash computations; secure elements sized for 32-byte keys and 64-byte signatures have little of either.
  - Side channels: the new primitives need fresh constant-time, fault-resistant implementations. FALCON's floating-point Gaussian sampler is notoriously hard to protect, and ML-DSA implementations have been the subject of published side-channel attacks.
  - Secure element firmware: the cryptographic core is often certified and not field-updatable, so PQC support may require a new chip rather than a firmware update.
  - Transport and display: multi-kilobyte keys and signatures must fit the USB, Bluetooth or QR transport and the on-device verification flow.
  - Hybrid operation: during migration a device must hold and use both classical and PQC keys for the same account.

Hardware wallet manufacturers are aware of the roadmap. NIST's finalisation of PQC standards in 2024 has accelerated planning, but no major hardware wallet has shipped a PQC-enabled device at scale as of the time of writing.

---

On-Chain Compatibility: Quantum Resistant Wallets and Existing Blockchains

A quantum resistant wallet operating on Bitcoin or Ethereum today faces an immediate practical challenge: those networks do not yet validate PQC signatures. The wallet can use PQC internally for key management, but transactions submitted to these networks must still conform to their signature verification rules.

Genuine quantum resistance at the network level requires protocol-level changes:

  - A signature type the network will validate: on Bitcoin, a soft fork adding a new output type or script opcode for PQC verification; on Ethereum, a precompile for efficient verification (smart-contract accounts can already run custom verification logic in the EVM, but at high gas cost).
  - Transaction and block format rules that accommodate signatures roughly 10 to 800 times larger than a 64-byte Schnorr signature, with fee and block-weight accounting adjusted to match.
  - A migration path: a way for funds controlled by ECDSA keys to move into PQC-protected outputs before Q-day, and a policy for coins whose owners never migrate.
  - Consensus on parameter sets and encodings, so that every validating node verifies identically.

Until L1 protocols adopt PQC signature verification, users face a layered risk model: their wallet key management may be quantum safe, but the network's transaction validation is not. This makes the distinction between wallet-level and network-level quantum resistance critical to understand.

---

Key Takeaways

  - Shor's algorithm breaks ECDSA, Schnorr and Ed25519 once a CRQC exists; Grover only halves symmetric and hash strength, which 256-bit primitives absorb.
  - NIST's 2024 standards give wallets three signature options: ML-DSA (FIPS 204), SLH-DSA (FIPS 205) and FALCON (FN-DSA, FIPS 206 draft), with signatures from about 666 bytes to 50 KB versus 64 to 71 bytes today.
  - Key derivation keeps the seed-and-hierarchy model but hardened-only; address derivation stays hash-then-encode, and the hash protects an address only until its public key is revealed.
  - A credible claim names the algorithm and parameter set, publishes the code, is audited, and does not hide ECDSA as the real signer; hybrids are a sound bridge, not the destination.
  - No mainstream hardware wallet is quantum resistant today, and no wallet is quantum resistant on Bitcoin or Ethereum until those networks validate PQC signatures.

Frequently Asked Questions

What algorithm does a quantum resistant wallet use instead of ECDSA?

Quantum resistant wallets use post-quantum cryptographic (PQC) signature algorithms standardised by NIST. The primary options are ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), fully standardised as FIPS 204 and FIPS 205 respectively, and FALCON, selected by NIST in 2022 and being standardised as FN-DSA in FIPS 206 (still a draft at the time of writing). These are lattice-based or hash-based schemes whose security does not depend on the discrete logarithm problem and therefore cannot be broken by Shor's algorithm.

Can a quantum resistant wallet still be used on Bitcoin or Ethereum?

A wallet can use PQC algorithms for internal key management on any network, but actually submitting transactions that are validated using PQC signatures requires the underlying blockchain to support those signature schemes. Bitcoin and Ethereum currently validate ECDSA signatures. Full on-chain quantum resistance therefore requires protocol-level changes to those networks, which are still in research and proposal stages. Some purpose-built blockchains support PQC validation natively from genesis.

How much larger are PQC signatures compared to ECDSA?

ECDSA produces signatures of roughly 71 bytes (64 bytes for Schnorr). PQC signature sizes are substantially larger: FALCON-512 produces signatures of about 666 bytes, ML-DSA-44 (Dilithium2) 2,420 bytes, rising to 4,627 bytes for ML-DSA-87, and SLH-DSA variants range from 7,856 bytes (SHA2-128s) to 49,856 bytes (256f) depending on the parameter set. Public keys grow too, from 33 bytes to between 897 and 2,592 bytes for the lattice schemes. This size increase has implications for transaction fees and blockchain throughput, and network protocols must be designed to accommodate it.

Is a hybrid ECDSA plus PQC wallet fully quantum safe?

Not fully. A hybrid scheme requires an attacker to break both the ECDSA and PQC components simultaneously, which provides stronger security than ECDSA alone. However, against a quantum adversary, ECDSA provides no additional resistance. The scheme is only as quantum safe as its PQC component. Hybrid approaches are considered a sound transitional strategy by NIST and ETSI, but they are not a permanent replacement for a purely PQC architecture.

How can I verify that a wallet's quantum resistance claim is genuine?

Check for four things: first, identification of a specific NIST-standardised or NIST-finalist PQC algorithm and parameter set (not just vague 'quantum-grade' language); second, publicly available source code that can be independently reviewed; third, a cryptographic audit by a recognised third-party security firm covering the PQC implementation; and fourth, confirmation that ECDSA or RSA is not used in the core signing path. The absence of any of these should be treated as a significant red flag.

Are existing hardware wallets quantum resistant?

No. Current mainstream hardware wallets such as Ledger, Trezor, and Coldcard sign with elliptic curve schemes and their secure elements hold classical keys; they are not quantum resistant. Migrating to PQC requires both firmware changes and, in many cases, hardware replacement, because existing secure elements are not designed for the memory and computational requirements of PQC algorithms. Hardware wallet manufacturers are tracking NIST's standards, but no major vendor has shipped a production PQC-enabled device at scale as of 2024.