A multi-signature (multisig) wallet requires multiple private keys to authorize a transaction, a standard for securing high-value assets and DAO treasuries. However, the underlying digital signatures, like ECDSA or EdDSA, rely on mathematical problems that a sufficiently powerful quantum computer could solve using Shor's algorithm. This creates a long-term security risk for any wallet where public keys are exposed on-chain. Post-Quantum Cryptography (PQC) offers cryptographic algorithms designed to be secure against both classical and quantum attacks, making it essential for future-proofing wallet designs.
LABS
Guides
How to Design a Multi-Signature Wallet with PQC
This guide provides the architectural patterns and code examples for building a quantum-resistant multi-signature wallet using post-quantum cryptography (PQC).
Chainscore © 2026
introduction
POST-QUANTUM CRYPTOGRAPHY
Introduction to Quantum-Resistant Multisig Wallets
A guide to designing multi-signature wallets that are secure against future quantum computer attacks using Post-Quantum Cryptography (PQC).
Designing a quantum-resistant multisig involves replacing the classical signature scheme with a PQC alternative. The National Institute of Standards and Technology (NIST) has standardized several PQC algorithms. For digital signatures, CRYSTALS-Dilithium is the primary recommended algorithm, with Falcon and SPHINCS+ as alternatives. A quantum-resistant multisig smart contract would verify signatures from these algorithms instead of, or in addition to, traditional ones. This requires implementing new signature verification logic in your wallet's smart contract code.
A critical design challenge is state management. Many efficient PQC schemes like Dilithium are stateful, meaning the signer must track which signature index they are on to avoid nonce reuse. For a multisig where multiple parties sign independently, coordinating this state securely is complex. Stateless schemes like SPHINCS+ avoid this issue but produce much larger signatures (~41KB). Your design must choose between the efficiency of stateful schemes with coordinated key management or the simplicity of stateless schemes with higher on-chain gas costs.
Implementation requires updated libraries and tools. For development and testing, you can use the Open Quantum Safe (OQS) project's liboqs library, which provides open-source implementations of NIST PQC candidates. In a Solidity smart contract, you would implement a verifyQuantumSignature function. Due to the computational complexity, verification is often performed off-chain via a zero-knowledge proof (e.g., a zk-SNARK) to minimize gas fees, with the contract only verifying a small proof of correct PQC signature verification.
Migration is a key consideration. A practical approach is a hybrid signature scheme, where a transaction requires both a classical ECDSA signature and a PQC signature from each signer. This provides security during the transition period. Wallets should also implement a key rotation protocol to allow signers to update their long-term PQC public keys on-chain without locking funds. The design must be forward-compatible to integrate newer PQC algorithms as standards evolve after NIST's ongoing standardization process.
prerequisites
FOUNDATIONAL CONCEPTS
Prerequisites and Required Knowledge
Before building a quantum-resistant multi-signature wallet, you must understand the core cryptographic principles and development frameworks involved.
A multi-signature (multisig) wallet requires M-of-N signatures to authorize a transaction, where M is the approval threshold and N is the total number of key holders. This is a fundamental security upgrade over single-key wallets, mitigating single points of failure. To design one, you need a solid grasp of digital signature schemes, public-key cryptography (PKI), and how they are implemented on your target blockchain, such as Ethereum (using EIP-712 for structured signing) or Solana (with the @solana/web3.js library). Familiarity with smart contract languages like Solidity or Rust is essential for on-chain logic.
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks from both classical and quantum computers. The imminent threat is Shor's algorithm, which can break widely used schemes like ECDSA and RSA. For a PQC multisig, you must understand lattice-based cryptography (e.g., CRYSTALS-Dilithium, Falcon), hash-based signatures (e.g., SPHINCS+), or code-based cryptography. These are the algorithms being standardized by NIST. Your design will involve replacing the classical signing/verification module with a PQC alternative, which impacts signature size, gas costs, and key management.
Development requires specific tools. For Ethereum, you'll use the Foundry framework (with forge and cast) or Hardhat for writing, testing, and deploying smart contracts. You will need a PQC library; options include the Open Quantum Safe (OQS) project's liboqs for C/C++ bindings or a JavaScript/TypeScript wrapper like pqc-js. For testing, you'll simulate transactions on a local Anvil node or a testnet like Sepolia. Understanding how to manage private keys securely in a development environment and how to interact with a wallet's Application Binary Interface (ABI) is non-negotiable.
You must architect your system to handle the unique constraints of PQC algorithms. Signature and public key sizes are significantly larger than their classical counterparts—a Dilithium2 signature is ~2.5 KB, compared to 64-65 bytes for an ECDSA signature. This has major implications for blockchain gas costs and transaction calldata. Your smart contract must efficiently verify these large signatures, potentially using verification optimizations or signature aggregation. Furthermore, you need a strategy for key generation and distribution that maintains security without relying on quantum-vulnerable key exchange protocols.
Finally, consider the user experience and integration layer. How will users generate and store their PQC keys? You may need to modify a wallet provider like MetaMask through its Snaps system or build a custom frontend using WalletConnect and Ethers.js v6 or Viem. The frontend must handle the larger cryptographic payloads and potentially longer computation times for signing. Thorough auditing of both the smart contract and the cryptographic implementation is critical, as PQC is still a nascent field in blockchain. Start by reviewing existing research and implementations, such as the Ethereum Foundation's PQC efforts or the PQ-TLS standard for inspiration.
key-concepts
POST-QUANTUM CRYPTOGRAPHY
Core PQC Concepts for Multisig Design
Building a quantum-resistant multi-signature wallet requires understanding the new cryptographic primitives that will replace ECDSA and Schnorr signatures. This guide covers the essential concepts and trade-offs.
03
Key & Signature Sizes
PQC algorithms have larger keys and signatures than classical cryptography, directly impacting blockchain design.
- Dilithium2: ~2.5 KB public key, ~2.4 KB signature.
- SPHINCS+-SHA256-128s: ~1 KB public key, ~17 KB signature.
Implications for Multisig:
- On-chain storage: Storing public keys for a 5-of-10 multisig requires ~25 KB for Dilithium vs. ~1.6 KB for ECDSA.
- Transaction calldata: Larger signatures increase gas costs on EVM chains and transaction sizes on all chains, affecting fees and throughput.
04
Aggregation Techniques
Signature aggregation compresses multiple signatures into one, crucial for scaling multi-signature operations.
- Non-Interactive Aggregation: Schemes like BLS allow aggregating signatures from different signers into a single constant-sized signature.
- PQC Challenges: Most PQC DSAs (like Dilithium) do not natively support aggregation. Research focuses on:
- Falcon: Supports some aggregation properties.
- Custom Protocols: Building aggregation layers on top of non-aggregatable DSAs using zero-knowledge proofs or state channels, though this adds complexity.
Without aggregation, an m-of-n transaction must publish m individual large signatures.
06
Migration & Hybrid Schemes
Transitioning from classical to PQC cryptography requires a strategy to maintain security during the migration period.
- Hybrid Signatures: Sign transactions with both a classical (ECDSA) and a PQC algorithm. This provides defense-in-depth until PQC algorithms are fully vetted and adopted.
- Smart Contract Upgradability: Design wallet contracts with upgradeable signature verification logic to switch algorithms without moving assets.
- Key Rotation Policies: Establish procedures for rotating to new PQC algorithms if vulnerabilities are discovered, which is more likely during early adoption.
Planning for migration is a core part of quantum-resistant design.
SIGNATURE SCHEMES
Comparison of PQC Signature Schemes for Multisig
Evaluating post-quantum cryptographic signature algorithms for multi-signature wallet implementation based on security, performance, and practicality.
| Feature / Metric | Dilithium | SPHINCS+ | Falcon |
|---|---|---|---|
Security Category | Lattice-based | Hash-based | Lattice-based |
NIST Standardization Level | Primary (ML-DSA) | Primary (SLH-DSA) | Primary (FL-DSA) |
Signature Size (approx.) | 2.4 KB | 8-49 KB | 0.7-1.3 KB |
Public Key Size (approx.) | 1.3 KB | 1 KB | 0.9 KB |
Signing Speed | ~1.5 ms | ~10-100 ms | ~1 ms |
Verification Speed | < 0.5 ms | < 1 ms | < 0.5 ms |
Aggregation Support | |||
On-chain Gas Cost (Est.) | High | Very High | Medium |
Implementation Maturity | High | High | Medium |
architecture-design
POST-QUANTUM CRYPTOGRAPHY
Architecture: Smart Contract and Key Management
This guide details the architectural design and implementation of a multi-signature wallet secured by post-quantum cryptography (PQC), focusing on smart contract logic and key management for a quantum-resistant future.
A multi-signature (multisig) wallet requires multiple private keys to authorize a transaction, significantly enhancing security over single-key wallets. In a post-quantum cryptography (PQC) context, the traditional elliptic curve signatures (like ECDSA) used by wallets such as Safe (formerly Gnosis Safe) become vulnerable. The core architectural shift involves replacing these classical digital signatures with quantum-resistant algorithms, such as those selected by NIST (e.g., CRYSTALS-Dilithium for signing). This protects the wallet's transaction authorization process from future attacks by quantum computers capable of breaking current public-key cryptography.
The smart contract architecture for a PQC multisig wallet must be algorithm-agnostic. Instead of hardcoding signature verification logic for ECDSA, the contract should use a generic verification function that can validate signatures from different PQC algorithms. This is often implemented via a verify function that accepts the signature, message, and public key as bytes, delegating the complex cryptographic verification to a pre-compiled contract or a library. The contract stores a list of approved quantum-resistant public keys for the wallet's owners and defines a threshold (e.g., 2-of-3) for transaction execution. This design ensures upgradability as PQC standards evolve.
Key management presents a major challenge. PQC public keys and signatures are significantly larger than their classical counterparts—a Dilithium2 public key is about 1,312 bytes, compared to 33 bytes for a secp256k1 key. Storing these on-chain is expensive. Optimization strategies include:
- Hashing and On-Chain Registry: Store only a hash (e.g., SHA256) of the public key on-chain, submitting the full key with each signature for in-memory verification.
- Key Aggregation: Use advanced schemes like MuSig2 adapted with PQC, allowing multiple signatures to be combined into one, reducing on-chain data.
- Layer-2 Solutions: Perform signature verification off-chain on a rollup, submitting only a validity proof to the mainnet contract.
A basic Solidity function for generic PQC signature verification might look like this. The contract calls a pre-deployed verifier for a specific algorithm ID.
solidityinterface IPQCVerifier { function verify( bytes calldata publicKey, bytes calldata message, bytes calldata signature, uint256 algorithmId // e.g., 1 for Dilithium2 ) external view returns (bool); } contract PQCMultisigWallet { IPQCVerifier public verifier; mapping(address => bytes32) public ownerPublicKeyHash; function executeTransaction( bytes calldata pqcSignature, bytes calldata fullPublicKey, uint256 algorithmId, Transaction calldata txData ) external { bytes32 keyHash = keccak256(fullPublicKey); require(ownerPublicKeyHash[msg.sender] == keyHash, "Invalid owner"); bytes memory message = abi.encodePacked(txData.to, txData.value, txData.data); require(verifier.verify(fullPublicKey, message, pqcSignature, algorithmId), "Invalid PQC sig"); // Proceed with transaction execution } }
Integrating this architecture requires careful consideration of gas costs and user experience. Each transaction will have higher calldata costs due to large signatures. Wallets and dApps must adapt to handle key generation, storage, and signing with PQC libraries like liboqs. The transition path is gradual: a hybrid wallet could accept both classical ECDSA and PQC signatures, eventually phasing out the former. The ultimate goal is a cryptographically agile system where the smart contract can securely update its accepted signature schemes without requiring asset migration to a new wallet address.
PQC WALLET DEVELOPMENT
Implementation Code Examples
Main Wallet Contract Skeleton
Below is a simplified skeleton for the main multi-signature wallet contract. It delegates signature verification to a separate PQCSignatureVerifier library.
solidity// SPDX-License-Identifier: MIT pragma solidity ^0.8.19; import "./IPQCSignatureVerifier.sol"; contract PQCMultiSigWallet { IPQCSignatureVerifier public verifier; address[] public owners; uint256 public threshold; uint256 public nonce; // Maps transaction hash to confirmation count mapping(bytes32 => uint256) public confirmations; event Deposit(address indexed sender, uint256 amount); event ExecutionSuccess(bytes32 indexed txHash); constructor( address[] memory _owners, uint256 _threshold, address _verifier ) { require(_threshold > 0 && _threshold <= _owners.length, "Invalid threshold"); threshold = _threshold; owners = _owners; verifier = IPQCSignatureVerifier(_verifier); } function submitTransaction( address to, uint256 value, bytes calldata data, bytes[] calldata pqcSignatures // Array of PQC signatures ) external onlyOwner returns (bytes32) { bytes32 txHash = getTransactionHash(to, value, data, nonce); require(confirmations[txHash] == 0, "Tx already submitted"); // Verify signatures meet threshold using PQC verifier require( verifier.verifySignatures(txHash, pqcSignatures, owners) >= threshold, "Insufficient valid signatures" ); confirmations[txHash] = pqcSignatures.length; nonce++; executeTransaction(to, value, data, txHash); return txHash; } // Internal execute function and hash logic would follow here... }
This contract assumes an external verifier for the computationally intensive PQC checks, a common pattern to manage gas costs.
migration-strategy
POST-QUANTUM CRYPTOGRAPHY
Migrating Existing Gnosis Safe Deployments
This guide outlines the architectural considerations and practical steps for integrating post-quantum cryptography (PQC) into an existing Gnosis Safe multi-signature wallet deployment to enhance long-term security.
Migrating a Gnosis Safe to use post-quantum cryptography (PQC) is a proactive security upgrade, not a simple signature algorithm swap. The standard Safe uses the ECDSA (Elliptic Curve Digital Signature Algorithm) with the secp256k1 curve, which is vulnerable to attacks from sufficiently powerful quantum computers. A PQC migration involves replacing this core cryptographic primitive with a quantum-resistant alternative, such as a lattice-based scheme like CRYSTALS-Dilithium or a hash-based signature like SPHINCS+. This requires significant changes to the wallet's smart contract logic, signature verification flow, and off-chain tooling.
The primary technical challenge is the signature format and size. A Dilithium2 signature is approximately 2,420 bytes, compared to a 65-byte ECDSA signature. This exceeds Ethereum's calldata limits for simple bytes memory parameters in standard functions. Your migration strategy must therefore redesign the signature handling. Options include: using signature aggregation off-chain before submission, implementing a new isValidSignature function that accepts a structured data type, or utilizing a signature abstraction layer where a relay contract verifies the PQC signature and forwards a validated, condensed proof to the Safe.
A practical migration path involves deploying a new, upgraded Safe singleton contract with PQC-enabled GnosisSafe.sol and GnosisSafeProxyFactory.sol versions. You cannot upgrade the logic of existing proxy contracts directly to such a fundamentally different interface. Instead, you must create a migration module or use the createProxyWithNonce method from a new factory to deploy new PQC-safe proxies. Funds from the old Safe are moved via a execTransaction calling a delegatecall to a migration helper, which must be approved by the old Safe's signers using their legacy ECDSA keys, ensuring a secure transition.
Off-chain components like the Safe Transaction Service, Safe{Wallet} UI, and Safe SDK must be updated to generate, serialize, and submit the new PQC signatures. The @safe-global/safe-core-sdk would need a new signTransaction method using a PQC library such as liboqs. The transaction service's signature validation logic must also be extended. It's crucial to maintain backward compatibility during a transition period, allowing signers to use either ECDSA or PQC signatures until the migration is complete for all signers in a specific Safe.
Thorough testing is essential before mainnet deployment. Use Goerli or Sepolia testnets to deploy your modified Safe contracts and updated front-end. Test all critical flows: Safe creation, adding/removing owners, changing threshold, and executing transactions with PQC signatures. Conduct gas cost analysis, as PQC signature verification on-chain is computationally intensive and will significantly increase transaction costs. Monitor the ongoing NIST PQC standardization process and be prepared to adopt the finalized algorithms, which may require another future migration to the most secure, vetted standard.
ON-CHAIN VERIFICATION
Gas Cost Analysis: ECDSA vs. PQC (FALCON)
Comparison of estimated gas costs for signature verification on the Ethereum Virtual Machine (EVM), using average gas prices and USD equivalents.
| Operation | ECDSA (secp256k1) | FALCON-512 (PQC) | FALCON-1024 (PQC) |
|---|---|---|---|
Signature Verification Gas Cost | ~45,000 gas | ~1,200,000 gas | ~2,400,000 gas |
Typical Transaction Cost (50 Gwei) | $8.10 | $216.00 | $432.00 |
Precompile / Native Support | |||
Requires Custom Verifier Contract | |||
Algorithm Maturity for Blockchains | Production (10+ years) | Experimental (NIST Standard) | Experimental (NIST Standard) |
Key Size (bytes) | 33 (compressed) | ~1,300 | ~2,300 |
Signature Size (bytes) | 64-65 | ~690 | ~1,330 |
tools-and-libraries
POST-QUANTUM CRYPTOGRAPHY
Tools, Libraries, and Testing Frameworks
Essential software and resources for developers building quantum-resistant multi-signature wallets.
05
Smart Contract Integration (EVM)
On Ethereum and EVM chains, you need precompiles or libraries to verify PQC signatures in smart contracts.
- Solidity libraries for BN254/Groth16 can be adapted for certain PQC verification, but general lattice-based verification is currently too expensive.
- A practical approach is off-chain PQC signing with on-chain verification of a classical signature of the PQC signature.
- Monitor EIPs for native precompiled contracts supporting PQC operations, which would change the design calculus.
06
Cryptographic Agility & Migration Planning
Design your wallet architecture for cryptographic agility to seamlessly transition from ECDSA to PQC.
- Implement a versioned signing scheme where the payload specifies the algorithm (e.g.,
\"alg\": \"Dilithium3\"). - Use hybrid signatures (ECDSA + Dilithium) during the transition period to maintain compatibility.
- Plan for key rotation mechanisms to migrate existing multi-signature setups to new PQC key pairs without disrupting governance.
POST-QUANTUM CRYPTOGRAPHY
Frequently Asked Questions (FAQ)
Common developer questions and troubleshooting guidance for implementing multi-signature wallets with post-quantum cryptography (PQC).
Quantum computers capable of breaking ECDSA and EdDSA signatures, which secure wallets like Ethereum and Solana today, are not yet a reality. However, implementing PQC now addresses two critical risks:
Future-Proofing: Cryptographic assets have extremely long lifespans. A transaction signed today with a vulnerable algorithm could be forged decades later if the private key is exposed from public blockchain data. Harvest-Now, Decrypt-Later Attacks: Adversaries can record encrypted or signed data today to decrypt or forge it once a quantum computer is available.
Integrating PQC algorithms like CRYSTALS-Dilithium or Falcon provides crypto-agility, allowing your wallet to transition before quantum threats materialize. The 2022 NIST standardization provides a stable foundation for this migration.
conclusion
POST-QUANTUM SECURITY
Conclusion and Next Steps
This guide has outlined the architectural principles for designing a multi-signature wallet resilient to quantum computing threats.
Designing a post-quantum cryptography (PQC) multi-signature wallet is a proactive security measure, not a speculative exercise. The transition from classical algorithms like ECDSA to quantum-resistant ones such as CRYSTALS-Dilithium or Falcon involves fundamental changes to key generation, signature schemes, and on-chain verification logic. The core takeaway is that security must be designed in layers: the PQC algorithm forms the cryptographic base, while the multi-signature logic (e.g., M-of-N thresholds, policy engines) and secure key management (HSMs, MPC) provide the operational framework. Always prioritize using NIST-standardized algorithms and well-audited libraries from reputable sources like Open Quantum Safe.
For developers, the next practical steps are clear. First, prototype the signing flow using a PQC library in a test environment, focusing on signature size and gas cost implications for on-chain verification. A Dilithium2 signature is ~2.5KB, significantly larger than a 65-byte ECDSA signature, which impacts transaction costs. Second, design the smart contract verifier. This contract must contain the PQC verification logic, which may require custom precompiles or optimistic verification schemes to manage gas efficiently. Third, integrate with existing wallet standards; consider extending ERC-4337 account abstraction or Safe{Wallet} contracts to house PQC signing logic, ensuring compatibility with the broader Ethereum ecosystem.
Looking ahead, the ecosystem needs continued research and development. Key areas include standardization efforts for PQC signatures in Ethereum (EIPs), the creation of efficient verification precompiles to reduce gas overhead, and the development of hybrid signature schemes that use both ECDSA and PQC for a transitional security model. For ongoing learning, monitor the NIST PQC Standardization Process, follow Ethereum Foundation research on quantum resistance, and experiment with emerging SDKs. Building a quantum-resistant wallet today prepares your project for the long-term future of blockchain security, making it a critical investment for any protocol managing high-value assets or requiring long-term guarantees.