How to Coordinate Post-Quantum Planning for Blockchain Teams

introduction

INTRODUCTION

How to Coordinate Post-Quantum Planning Across Teams

A practical guide for engineering leads and protocol architects on initiating and synchronizing post-quantum cryptography (PQC) readiness efforts across technical teams.

The transition to post-quantum cryptography (PQC) is a systemic challenge that extends beyond any single developer or protocol. It requires coordinated action across smart contract teams, infrastructure engineers, wallet developers, and governance bodies. Uncoordinated efforts risk creating security gaps, interoperability failures, and wasted resources. This guide outlines a structured approach to align your organization's PQC strategy, from initial risk assessment to implementation roadmaps, ensuring a cohesive defense against future quantum threats.

Begin by establishing a cross-functional PQC working group. This team should include representatives from cryptography research, blockchain protocol development, DevOps, and product security. Their first deliverable is a cryptographic inventory: a comprehensive map of all systems using asymmetric cryptography. For a typical blockchain project, this includes signature schemes (like ECDSA in wallets and validators), key encapsulation mechanisms (KEMs) in network layers, and any use of encryption in off-chain components. Tools like CodeQL or custom scripts can help automate discovery within codebases.

With the inventory complete, the next phase is risk assessment and prioritization. Not all systems are equally vulnerable or urgent. Use a framework to evaluate each component based on: - Asset criticality (e.g., consensus vs. a front-end feature) - Cryptographic exposure (public keys on-chain are immediately vulnerable) - Ecosystem dependencies (modifying a widely-used library has cascading effects). Systems holding long-lived keys or facilitating high-value transactions, such as multisig wallets or cross-chain bridge validators, should be prioritized for migration.

Developing a phased migration roadmap is crucial for managing complexity. The National Institute of Standards and Technology (NIST) has standardized several PQC algorithms, like CRYSTALS-Kyber for encryption and CRYSTALS-Dilithium for signatures. A pragmatic approach is hybrid cryptography, where new PQC algorithms are deployed alongside classical ones during a transition period. For example, a smart contract could require both an ECDSA signature and a Dilithium signature, gracefully degrading security if one is compromised. This allows for incremental testing and deployment without immediate breaking changes.

Finally, coordinate with the broader ecosystem. PQC readiness is a network-level concern. Engage with the libraries and protocols your stack depends on—such as libp2p, Tendermint, or popular SDKs—to understand their PQC timelines. Participate in working groups within alliances like the Post-Quantum Cryptography Alliance (PQCA). Proactively communicating your migration plan to users and integrators builds trust and prepares the community for necessary upgrades, turning a technical challenge into a collaborative advantage for your project's long-term resilience.

prerequisites

PREREQUISITES AND TEAM ALIGNMENT

How to Coordinate Post-Quantum Planning Across Teams

A practical guide for engineering, security, and product teams to synchronize their approach to quantum-resistant cryptography.

Effective post-quantum cryptography (PQC) adoption is a cross-functional challenge. It requires tight coordination between engineering teams implementing new algorithms, security teams assessing risks and compliance, and product teams managing user impact and timelines. The first prerequisite is establishing a shared vocabulary. Ensure all stakeholders understand core concepts like cryptographic agility, the difference between key encapsulation mechanisms (KEMs) and digital signatures, and the threat timeline posed by harvest-now-decrypt-later attacks. A common understanding prevents misalignment on priorities and technical constraints.

Form a dedicated PQC working group with representatives from each function. This group's initial deliverable should be a risk assessment and inventory of all cryptographic assets. This includes identifying systems using elliptic-curve cryptography (ECDSA, EdDSA) for signatures, RSA for key exchange, and symmetric algorithms like AES-256 (which are considered quantum-resistant with sufficient key size). Tools like Google's Tink or internal code scanners can automate discovery. The inventory must classify assets by sensitivity (e.g., root keys vs. session keys) and exposure (on-chain vs. internal), as this dictates migration urgency.

With the inventory complete, the working group must define a phased migration strategy. NIST's selected PQC standards—CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for signatures—are the primary candidates, but hybrid modes (combining classical and PQC algorithms) are recommended during transition. The strategy should outline phases: 1) Prototyping with libraries like liboqs, 2) Internal service migration, 3) Protocol and API updates (e.g., modifying a blockchain's consensus or wallet signing), and 4) External key rotation. Each phase requires clear success metrics and rollback plans.

Technical alignment is critical. Engineering teams must agree on library and implementation standards to avoid fragmentation. For Web3, this means evaluating PQC support in common stacks: can Ethereum's keccak256 and secp256k1 be supplemented or replaced? How do PQC signatures affect transaction size and gas costs on L2s? Security teams must develop new audit and testing procedures for PQC code, focusing on side-channel resistance and implementation correctness, as these algorithms are novel and complex. Product teams use this input to plan user communications and coordinate hard forks or mandatory upgrades.

Finally, establish ongoing governance. The PQC landscape is evolving, with NIST's standards still in finalization and new attacks possible. The working group should schedule regular reviews of NIST updates, community adoption (e.g., from IETF or major blockchains), and cryptographic research. Maintain a decision log for algorithm choices and migration steps. This proactive, coordinated approach transforms post-quantum planning from a theoretical risk into a managed technical roadmap, ensuring your organization remains resilient against future threats.

key-concepts

POST-QUANTUM CRYPTOGRAPHY

Core Planning Concepts

Essential frameworks and methodologies for integrating quantum-resistant cryptography into blockchain development and protocol design.

NIST Standardization Roadmap

The National Institute of Standards and Technology (NIST) is the primary authority for post-quantum cryptography (PQC) standards. Their selected algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, FALCON) form the basis for future-proof systems. Developers should:

Monitor NIST's final standardization (expected 2024).
Understand the trade-offs between lattice-based (Kyber, Dilithium) and hash-based (SPHINCS+) schemes.
Plan for larger key and signature sizes, which impact blockchain state and gas costs.

EXPLORE

Hybrid Cryptographic Schemes

A hybrid approach combines classical (ECDSA, RSA) and post-quantum algorithms to maintain security during the transition period. This provides defense against both current and future quantum attacks. Implementation requires:

Dual signatures: Signing a message with both ECDSA and a PQC algorithm like Dilithium.
Dual key encapsulation: Using both ECDH and Kyber for key agreement.
Careful protocol design to ensure the failure of one scheme doesn't compromise the other.

EXPLORE

Quantum Threat Timeline & Risk Assessment

Effective planning requires a realistic assessment of the cryptographic threat timeline. While large-scale quantum computers capable of breaking ECDSA ("Q-Day") are likely 10-15 years away, harvest-now-decrypt-later attacks are a present danger. Teams must:

Classify data by sensitivity and required longevity of secrecy.
Prioritize migration for systems with long-lived secrets (e.g., root keys, blockchain genesis secrets).
Factor in the development and testing lifecycle of their own systems.

Protocol-Level Migration Strategies

Upgrading blockchain consensus and wallet protocols requires coordinated hard forks or seamless upgrade mechanisms. Key considerations include:

Backwards compatibility: Designing upgrades that don't break existing, non-upgraded nodes or wallets.
State bloat mitigation: PQC keys/signatures are larger; techniques like state rent or signature aggregation may be needed.
Governance activation: Using existing on-chain governance (e.g., Ethereum's EIP process) to trigger the cryptographic transition.

Developer Tooling & Libraries

Adoption depends on accessible, audited libraries. Key projects include:

Open Quantum Safe (OQS): Provides open-source C liboqs and language bindings for NIST PQC algorithms.
PQClean: A clean, portable implementation of PQC algorithms for integration into other projects.
Blockchain-specific integrations: Watch for PQC modules in libraries like ethers.js, web3.js, and libp2p. Start testing with these tools in development environments now.

EXPLORE

Audit & Compliance Planning

Post-quantum systems will require rigorous new security audits and may face regulatory requirements. Planning involves:

Engaging auditors familiar with lattice cryptography and side-channel attacks specific to PQC.
Understanding compliance frameworks like FIPS 140-3 that will eventually certify PQC modules.
Budgeting for multiple audit cycles, as the field and standards are still evolving.

phase-1-assessment

CRYPTOGRAPHIC INVENTORY AND THREAT ASSESSMENT

How to Coordinate Post-Quantum Planning Across Teams

A practical guide for Web3 organizations to identify quantum-vulnerable assets and align engineering, security, and product teams on a mitigation roadmap.

The first step in post-quantum readiness is conducting a cryptographic inventory. This is a systematic audit to catalog every instance where your protocol or application uses cryptography. Focus on identifying systems that rely on public-key cryptography vulnerable to Shor's algorithm, including ECDSA (used for Ethereum and Bitcoin signatures), EdDSA, and RSA. This inventory must extend beyond your core smart contracts to encompass all touchpoints: wallet SDKs, key management services, oracle networks, cross-chain bridges, and any off-chain components that sign or verify transactions. Tools like Slither for Solidity or MythX can help automate parts of this scan, but a manual review of architectural diagrams and codebases is essential for completeness.

With the inventory complete, the next phase is a threat assessment. This analysis translates the raw list of cryptographic uses into a prioritized risk model. For each item, assess its cryptographic context (e.g., is it for transaction signing, on-chain verification, or off-chain authentication?), its asset value (what funds or data does it protect?), and its exposure window (how long are secrets or signatures vulnerable?). A signature algorithm in a wallet's key derivation has a different risk profile than one in a governance voting contract. This assessment creates a shared document—often a spreadsheet or dedicated dashboard—that quantifies risk, enabling objective prioritization for engineering teams and clear communication to leadership.

Effective coordination requires establishing a cross-functional working group with representatives from protocol engineering, security research, devops/SRE, and product management. This group owns the inventory and assessment, meeting regularly to update findings and track progress. Use a framework like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) or a simple Critical/High/Medium/Low matrix to score each threat. The output is a post-quantum migration roadmap that sequences work based on risk, dependencies, and resource availability, ensuring all teams are aligned on what to fix first and why.

For development teams, begin planning the cryptographic agility of your systems. This means designing or refactoring code to make cryptographic primitives swappable without requiring a full contract redeployment or hard fork. In Solidity, this could involve using abstract interfaces for signature verification, like IVerifier, allowing you to upgrade from an ECDSA verifier to a post-quantum cryptography (PQC) verifier like Dilithium (selected by NIST for digital signatures) behind a proxy or via a module registry. Document these abstraction patterns and create proof-of-concept implementations for the prioritized high-risk components identified in your threat assessment.

Finally, integrate post-quantum planning into your existing software development lifecycle (SDLC). Update your threat modeling process to include quantum risk as a standard consideration. Mandate that new features requiring cryptography evaluate PQC options during the design phase. Monitor the standardization progress of algorithms by NIST and working groups like the IETF's TLS 1.3 PQC integration. By making post-quantum readiness a continuous, coordinated effort rather than a one-time project, your organization can systematically reduce risk and be prepared to adopt new standards as they become production-ready.

CRITICAL VECTORS

Post-Quantum Risk Assessment Matrix

Assessment of quantum computing threats to blockchain components and recommended mitigation timelines.

System Component	Classical Risk (Now)	Quantum Risk (2030+)	Mitigation Priority	Key Actions
Digital Signatures (ECDSA/EdDSA)	Low	Critical	Immediate	PQC migration plan, hybrid signatures
Symmetric Encryption (AES-256)	Low	Low	Long-term	Monitor NIST standards, increase key size
Hash Functions (SHA-256, Keccak)	Low	Very Low	Monitor	No immediate action required
ZK-SNARKs / zk-STARKs Setup	Medium	High	High	Audit for quantum-vulnerable assumptions
Wallet Seed Phrases (BIP-39)	Medium	Critical	Immediate	Implement SLIP-39 Shamir Backup, key rotation
Consensus Mechanisms (PoS/PoW)	Operational	Theoretical	Low	Research quantum-resistant VDFs or PoS variants
Cross-Chain Bridge Signatures	High	Critical	Immediate	Multi-PQC signature schemes, governance upgrades
Smart Contract State Encryption	Medium	High	Medium	Evaluate PQC libraries (Open Quantum Safe)

phase-2-strategy

PHASE 2

Defining the Migration Strategy

A successful migration requires a unified, cross-functional plan. This phase focuses on establishing governance, timelines, and technical frameworks for transitioning to post-quantum cryptography.

The first step is to form a Post-Quantum Migration Working Group. This team should include representatives from core development, security, DevOps, product management, and protocol governance. Their mandate is to create and oversee a formal migration roadmap. Key deliverables include a risk assessment matrix for different cryptographic components (e.g., digital signatures vs. key encapsulation) and a dependency map of all systems using classical cryptography, from smart contract libraries to node client software and hardware security modules.

Next, define the technical migration framework. This involves selecting specific post-quantum cryptographic algorithms (PQCs) for adoption. For blockchain, focus is often on digital signatures (like CRYSTALS-Dilithium or Falcon) for transactions and key encapsulation mechanisms (KEMs) like CRYSTALS-Kyber for secure channel establishment. The strategy must address hybrid schemes, where a PQC algorithm is used alongside a traditional one (e.g., ECDSA) during a transition period to maintain backward compatibility and allow for graceful upgrades across a decentralized network.

Establish clear governance and communication protocols. For decentralized projects, this requires a protocol upgrade proposal (e.g., an Ethereum EIP or a Cosmos SDK upgrade proposal). The proposal must detail the technical specification, activation timeline, and required client upgrades. For teams, create internal rollback and contingency plans. Define metrics for success and failure, such as the percentage of network validators upgraded or the performance impact on transaction finality, to guide decision-making during the rollout.

Finally, create a phased implementation timeline. A common model is: 1) Research & Standardization (tracking NIST finalization and community libraries), 2) Prototyping & Testing (integrating PQC into a testnet or dev environment), 3) Hybrid Deployment (enabling both classical and PQC schemes on mainnet), and 4) Classic Deprecation (disabling vulnerable algorithms after sufficient adoption). Each phase should have milestones, ownership assignments, and public documentation to ensure all stakeholders, from developers to end-users, are aligned.

implementation-steps

POST-QUANTUM CRYPTOGRAPHY

Phase 3: Coordinated Implementation Steps

Transitioning to quantum-resistant cryptography requires synchronized action across development, security, and infrastructure teams. These steps provide a concrete roadmap.

Establish a Cryptographic Inventory

The first technical step is to create a complete inventory of all cryptographic assets. This includes:

Public-key cryptography: Digital signatures (ECDSA, EdDSA) and key exchange (ECDH) used in wallets, node identities, and consensus.
Symmetric encryption & hashing: AES-256 and SHA-256 used in state encryption and Merkle trees.
Dependencies: Audit all libraries (e.g., libsecp256k1, OpenSSL) and smart contract precompiles.

Tools like Chainguard's grype or OWASP Dependency-Check can automate discovery. Map each asset to its system component and priority level.

EXPLORE

Define a Hybrid Cryptography Strategy

Adopt a hybrid cryptography approach to maintain compatibility during transition. This involves combining classical algorithms with post-quantum candidates.

Implementation patterns:

Hybrid Signatures: Sign a message with both ECDSA and a PQC algorithm (e.g., Dilithium). The signature is valid only if both verify.
Hybrid KEM: Perform key exchange using both ECDH and a PQC-KEM (e.g., Kyber), then combine the derived keys.

Frameworks like Open Quantum Safe's liboqs provide prototype integrations. Start with non-critical, internal systems to test performance and interoperability.

EXPLORE

Implement a Phased Rollout Plan

Coordinate a staged deployment to minimize risk and operational disruption.

Phase 1: Internal Systems

Target developer tooling, CI/CD pipelines, and internal APIs.
Monitor performance and library stability.

Phase 2: Network Periphery

Upgrade wallet SDKs, light clients, and explorer APIs to support hybrid signatures.
Use feature flags to enable PQC for a subset of users.

Phase 3: Core Protocol

Coordinate with other node operators for a coordinated hard fork to change consensus signatures.
Plan for increased block size/weight due to larger PQC signatures.

18-24 months

Typical Rollout Timeline

Coordinate with External Dependencies

Your system's security depends on external protocols and services. Create an engagement plan:

Oracles & Bridges: Contact providers like Chainlink and LayerZero to understand their PQC roadmap. Your smart contracts may need upgrading when their attestation schemes change.
Wallet Providers: Collaborate with MetaMask, WalletConnect, and hardware wallet vendors on key generation and transaction signing standards.
Infrastructure: Ensure your RPC providers (Alchemy, Infura) and node clients (Geth, Erigon) support the new cryptographic primitives.

Maintain a shared registry of dependency statuses using a tool like Dependabot or a dedicated internal dashboard.

Develop a Rollback & Incident Response Plan

Prepare for the possibility that a new PQC algorithm is broken or a deployment fails.

Key components:

Automated Rollback Scripts: Scripts to revert cryptographic libraries and smart contract upgrades within a defined recovery time objective (RTO).
Dual-Signing Periods: Maintain the ability to accept both old and new signatures for a predefined block period after an upgrade.
Incident Communication: Establish clear channels (e.g., Discord, Twitter) and on-call procedures for security announcements.

Conduct a tabletop exercise simulating a critical vulnerability in a deployed hybrid scheme to test the plan.

Monitor and Enforce New Standards

After deployment, continuous validation is required.

Monitoring Tools:

Use Prometheus/Grafana to track metrics like PQC signature verification time, failure rates, and adoption percentage across network traffic.
Implement Slither or Foundry tests to ensure new smart contracts reject non-compliant, classical-only signatures.

Compliance Enforcement:

Update node client configuration to reject blocks with outdated cryptography after the grace period.
Use governance proposals to sunset support for old algorithms, forcing the network upgrade.

NIST's final standards (expected 2024) will be the ultimate benchmark for compliance.

EXPLORE

POST-QUANTUM CRYPTOGRAPHY

Common Coordination Challenges and Solutions

Transitioning blockchain systems to quantum-resistant cryptography requires coordinated planning across development, security, and operations teams. This guide addresses common technical and organizational hurdles.

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks from both classical computers and quantum computers. The urgency stems from Shor's algorithm, which a sufficiently powerful quantum computer could use to break the elliptic-curve cryptography (ECDSA) and RSA that secure most blockchain signatures and keys today.

This creates a harvest now, decrypt later risk, where encrypted data or blockchain transactions recorded today could be decrypted in the future once quantum computers are available. For blockchains with long-lived assets or state, this is a critical vulnerability. The transition involves migrating from current algorithms (like ECDSA and BLS) to NIST-standardized PQC algorithms such as CRYSTALS-Dilithium for signatures.

testing-rollout

PHASE 4: TESTING AND PHASED ROLLOUT

How to Coordinate Post-Quantum Planning Across Teams

A structured approach to implementing and testing post-quantum cryptography across development, security, and infrastructure teams.

Effective post-quantum migration requires synchronized action across multiple teams. Establish a central Quantum Readiness Working Group with representatives from application development, cryptography/security, DevOps/SRE, and product management. This group defines the migration roadmap, selects initial PQC algorithms (like Kyber for KEM or Dilithium for signatures), and creates a unified risk assessment. Use a shared project management tool (e.g., Jira, Linear) to track all PQC-related tasks, ensuring visibility and accountability. The first deliverable should be a comprehensive inventory of all systems using cryptographic primitives vulnerable to quantum attack, such as RSA-2048 and ECDSA.

Begin with isolated, non-production environments. Development teams should integrate PQC libraries—such as liboqs from the Open Quantum Safe project or PQClean—into a dedicated test branch. Create a suite of integration tests that verify new PQC algorithms work alongside existing classical ones, a strategy known as hybrid cryptography. For example, a TLS connection might use both X25519 and Kyber768 for key exchange. DevOps teams must build and containerize these test environments, ensuring they can benchmark performance impacts on latency and throughput. Document all code changes and dependencies in a central wiki for reference.

After successful sandbox testing, initiate a phased rollout to production. Phase 1 targets low-risk, internal-facing services where a rollback would be trivial. This could be an internal API authentication layer or a data backup service. Monitor these services closely for performance regressions and interoperability issues. Use this phase to refine deployment playbooks and failure rollback procedures. Phase 2 expands to public-facing, non-critical services, such as a website's TLS termination. Finally, Phase 3 addresses core, high-value systems like blockchain validator keys or wallet signing mechanisms. Each phase must have clear success criteria and a rollback plan approved by the working group.

Continuous testing is critical. Security teams should run differential fuzzing between classical and PQC implementations to uncover subtle bugs. Implement canary deployments where a small percentage of user traffic is routed through PQC-enabled services while monitoring error rates and performance dashboards. Establish alerting rules for cryptographic operation failures. Furthermore, participate in interoperability testing events like the IETF's PQC Hackathons to ensure your implementation works with other vendors and libraries, preventing future ecosystem fragmentation.

The final step is documentation and knowledge transfer. Create internal runbooks for operating PQC systems and conduct training sessions for all engineering staff. Update your company's cryptographic policy to mandate PQC for all new systems and define a sunset date for vulnerable algorithms. Publish a public transparency report detailing your migration progress, which builds trust with users. Coordination turns the theoretical risk of quantum computers into a managed, operational project with measurable milestones.

resource-links

POST-QUANTUM READINESS

Essential Tools and Resources

Post-quantum planning is not only a cryptography problem. It requires coordination across security, protocol engineering, infrastructure, compliance, and executive teams. These tools and resources help organizations align on scope, timelines, and concrete migration steps.

NIST Post-Quantum Cryptography Standards

The NIST PQC program is the authoritative reference for which quantum-resistant algorithms should be adopted and when. It provides a shared technical baseline for security teams, protocol engineers, and auditors.

Key coordination uses:

Standardize on selected algorithms like Kyber (KEM) and Dilithium (signatures) for internal discussions
Anchor roadmaps to NIST standardization milestones rather than speculative timelines
Provide auditors and compliance teams with a defensible reference point

Teams should explicitly track:

Which systems depend on RSA or ECC for key exchange, signatures, or authentication
Where hybrid schemes (classical + PQ) may be required during transition
Version alignment with finalized NIST FIPS documents

Using NIST as the canonical source avoids fragmented decisions across teams and reduces debate around algorithm legitimacy.

EXPLORE

Organization-Wide Cryptographic Inventory

A cryptographic inventory maps all cryptographic primitives, libraries, and trust assumptions across teams. Without this, post-quantum planning fails due to blind spots.

Effective inventories include:

Algorithms in use (RSA-2048, ECDSA-secp256k1, Ed25519, TLS ciphersuites)
Locations: smart contracts, client SDKs, HSMs, CI pipelines, backups
Ownership: which team owns each dependency
Upgrade constraints: gas costs, protocol immutability, external integrations

Coordination benefits:

Security teams can flag quantum-vulnerable paths
Engineering can identify hard-to-upgrade components early
Leadership can prioritize funding based on actual exposure

Many teams start with spreadsheets, but mature programs integrate inventories into asset management or GRC tooling. The key is accuracy and cross-team visibility, not tooling sophistication.

Post-Quantum Threat Modeling Workshops

Cross-functional threat modeling sessions translate abstract quantum risks into concrete system impacts. These workshops align security, protocol, and product teams around shared assumptions.

Focus areas:

Store-now-decrypt-later risks for long-lived encrypted data
Compromise of historical signatures affecting governance or legal validity
Smart contract immutability and inability to rotate keys on deployed protocols
Custody and recovery flows that depend on classical cryptography

Recommended format:

Time-boxed sessions (90–120 minutes)
One system or protocol per session
Clear outputs: risk register entries and mitigation owners

Threat modeling creates a common language between teams and prevents post-quantum planning from being reduced to "wait until standards finalize."

Migration Playbooks and Decision Trees

A post-quantum migration playbook defines how teams move from assessment to execution. This avoids ad hoc decision-making and conflicting implementation choices.

Effective playbooks include:

Decision trees for when to use hybrid cryptography vs full replacement
Guidelines for protocol upgrades, contract redeployments, and key rotations
Rollback and failure handling strategies
Testing requirements including performance and message size impact

For coordination:

Security teams define acceptance criteria
Protocol teams scope on-chain and off-chain changes
Infra teams plan key management, HSM, and TLS updates

Playbooks should be versioned and reviewed quarterly as standards and libraries evolve. They turn post-quantum readiness from theory into an executable program.

IETF and Open Cryptography Working Groups

Many post-quantum transitions will occur at the protocol layer through IETF standards and open cryptography discussions. Monitoring these venues keeps teams aligned with upstream changes.

Relevant efforts include:

IETF work on hybrid key exchange in TLS
Consensus and messaging protocol updates adopting PQ-safe primitives
Debates on performance, bandwidth, and implementation tradeoffs

Coordination value:

Engineering teams anticipate breaking changes early
Security teams validate that plans align with emerging norms
Product teams understand timelines outside direct organizational control

Assign explicit ownership for tracking and summarizing updates. Relying on informal awareness leads to late-stage surprises during migration.

EXPLORE

COORDINATION & IMPLEMENTATION

FAQ: Post-Quantum Planning for Teams

Practical answers for development teams integrating post-quantum cryptography into Web3 protocols and applications. This guide addresses common coordination challenges and implementation roadblocks.

The consensus among cryptographers is that a cryptographically relevant quantum computer (CRQC) capable of breaking ECDSA and Schnorr signatures is at least 10-15 years away. However, the planning timeline is much shorter for two key reasons:

Long Development Cycles: Standardizing, implementing, and auditing new cryptographic primitives like CRYSTALS-Dilithium or Falcon takes 5-7 years.
Data Harvesting Threat: Adversaries can collect and store encrypted data or signed transactions today to decrypt or forge them later once a CRQC exists. This makes migration urgency higher for systems handling long-lived secrets.

Teams building infrastructure or protocols with expected lifespans beyond 10 years should begin threat modeling now. Projects handling high-value, immutable on-chain assets should prioritize post-quantum planning in their 2-3 year roadmap.

conclusion

IMPLEMENTATION ROADMAP

Conclusion and Next Steps

Post-quantum cryptography (PQC) is a long-term, cross-functional initiative. This guide outlines concrete steps to transition from planning to execution.

Successfully coordinating PQC migration requires establishing a centralized governance framework. Appoint a dedicated working group with representatives from engineering, security, product, and legal teams. This group should own a risk register to track quantum-vulnerable components—like signature schemes in wallets, consensus mechanisms, and key derivation functions—and prioritize them based on exposure and impact. Use a tool like the NIST PQC Migration Project's playbook as a template for internal processes.

Your technical roadmap should follow a phased approach. Phase 1: Inventory & Assessment involves auditing all cryptographic dependencies, from low-level libraries (e.g., OpenSSL, libsodium) to application-layer protocols. Phase 2: Hybrid Deployment begins integrating PQC algorithms alongside classical ones. For example, implement CRYSTALS-Dilithium for signatures in a hybrid mode with ECDSA, allowing for a gradual transition. Phase 3: Full Migration involves deprecating classical algorithms once PQC standards are stable and widely supported. This multi-year plan must be reviewed and updated quarterly.

For blockchain developers, next steps are highly protocol-specific. If you're building on Ethereum, monitor EIPs related to PQC, such as proposals for new precompiles. For Cosmos SDK chains, investigate integrating the tendermint library's future PQC modules. Solana developers should track the solana-program library for updates. A critical, immediate action is to ensure all new systems are crypto-agile—designed to easily swap cryptographic primitives. This means abstracting cryptographic calls behind well-defined interfaces rather than hardcoding algorithms.

Engage with the broader ecosystem to share knowledge and align on standards. Participate in working groups like the Post-Quantum Cryptography Alliance (PQCA) or the IETF's PQC working groups. For smart contract auditors, begin training on PQC concepts and the unique failure modes of lattice-based or hash-based signatures. The transition will be a marathon, not a sprint. Start planning your inventory today, prototype hybrid signatures, and build the organizational muscle to adapt as the final NIST standards and community tooling mature in the coming years.