Why Code-Based Cryptography Is Fading for Blockchain Use

Code-based schemes like Classic McEliece require megabyte-sized public keys, making on-chain storage and transaction overheads economically impossible. This clashes with the need for light clients and efficient state management.

• Public Key Size: ~1 MB vs. ECDSA's 33 bytes
• State Bloat: Incompatible with EVM gas economics and zk-rollup proof sizes

Encryption/decryption in code-based cryptography is orders of magnitude slower than lattice-based alternatives like Kyber (ML-KEM). For consensus and high-frequency DeFi settlements, latency is a non-negotiable constraint.

• Signing Latency: ~10s of ms for Dilithium vs. ~100s of ms for Classic McEliece
• Throughput: Cripples TPS targets for L1s like Solana and Avalanche

Blockchains require cryptographic agility to respond to breaks. Code-based schemes lack the small, composable primitives that lattice-based cryptography provides, which are essential for zk-SNARKs and FHE. NIST's standardization of CRYSTALS-Dilithium and Falcon sealed its fate.

• Agility: Lattice schemes enable STARKs and Bulletproofs
• Momentum: Ethereum, Algorand, and Polkadot are all evaluating lattice-based PQCs

Classic McEliece keys are ~1MB, making them impossible for on-chain verification or consensus messaging. This breaks the core assumption that all nodes can cheaply verify all signatures, a requirement for networks like Ethereum or Solana.

• State Bloat: Storing public keys would dominate chain storage.
• Network Overhead: Propagating signatures would cripple block propagation times.

Projects like QANplatform and SandboxAQ are standardizing on lattice-based schemes (e.g., CRYSTALS-Dilithium). These offer ~2KB keys/signatures, making them viable for blockchains. The NIST standardization process has cemented this as the industry's path forward.

• Performance: Verification is fast enough for high-TPS chains.
• Agility: Supports signature aggregation, crucial for rollups like Arbitrum and Optimism.

Protocols aren't waiting for a full transition. Chainlink's CCIP and cross-chain bridges like LayerZero are deploying hybrid signatures, combining classical ECDSA with post-quantum algorithms. This provides quantum resistance today without breaking existing infrastructure.

• Backwards Compatible: Works with current wallets and tools.
• Risk Mitigation: Protects against 'harvest now, decrypt later' attacks on sensitive data.

Post-quantum signatures kill a key scaling primitive. BLS signatures, used by Ethereum for consensus and rollups like zkSync for cheap batch verification, rely on pairing-friendly curves with no known PQ equivalent. This forces a trade-off between quantum security and scalability.

• Scalability Hit: Rollup proof aggregation becomes more expensive.
• Research Gap: New math is needed to reconcile PQ security with efficient aggregation.

Code-based schemes like Classic McEliece produce signatures in the megabyte range and public keys in hundreds of kilobytes. This is untenable for blockchains where every node must store and verify every signature, bloating state and crippling throughput.\n- State Bloat: A single signature can be larger than an entire block.\n- Network Overhead: Propagating transactions becomes a bandwidth DoS attack.

Schemes like CRYSTALS-Dilithium (NIST-standardized) and FALCON offer compact signatures (~2-4KB) and fast verification, aligning with blockchain's resource constraints. Projects like QANplatform and SandboxAQ are pioneering integrations.\n- Compact Footprint: Keys and signatures are orders of magnitude smaller.\n- Performance: Verification is fast enough for high-TPS environments.

Blockchain scaling relies on signature aggregation (BLS in Ethereum, EdDSA in Solana) and smart contract composability. Code-based schemes are mathematically opaque and cannot be efficiently aggregated or easily used in ZK-SNARK circuits.\n- No BLS-Like Magic: Kills layer-2 and rollup efficiency gains.\n- ZK-Unfriendly: Hinders privacy-preserving applications.

The industry consensus is to use hybrid signatures (e.g., ECDSA + Dilithium) during transition, as seen in proposals from the PQShield and Cloudflare research. This preserves current security while adding quantum resistance.\n- Backwards Compatibility: No breaking changes to existing wallets/transactions.\n- Risk Mitigation: Defends against both classical and quantum adversaries.

The final arbiter is gas. Early benchmarks show lattice-based verification at ~500k gas vs. ECDSA's ~3k gas. Code-based would be prohibitively expensive (>10M gas), making simple transfers economically impossible.\n- Economic Viability: Lattice is expensive but feasible; code-based is not.\n- Optimization Frontier: Dedicated precompiles (like EIP-7212) are essential.

While theoretical papers still explore code-based crypto, real-world blockchain builders have unanimously pivoted. QANplatform launched the first quantum-resistant L1 with lattice-based sigs. Ethereum, Algorand, and Polkadot ecosystems are all researching lattice/ZKP hybrids, not code-based.\n- Market Signal: Builders vote with their code.\n- Future-Proofing: Lattice schemes are agile and can be upgraded as math advances.