Chain upgrades will not automatically protect institutional tokenization, stablecoins, custody, DeFi liquidity, or private settlement. Ethereum, Solana, and Canton carry non-upgradeable cryptographic dependencies across immutable contracts, frozen standards, exposed public keys, identity systems, and historical encrypted data. EO 14412 now makes post-quantum cryptographic inventory and migration a federal compliance priority. For new issuance, the strategic answer is not retrofit. It is PQ-native rails.
Ethereum, Solana, and Canton cannot be made fully post-quantum safe through chain upgrades alone. Institutional exposure sits in immutable contracts, frozen token standards, exposed public keys, identity systems, custody workflows, and historical encrypted settlement data.
The institutional decision is therefore not only whether a chain may upgrade later. It is whether the product, compliance gate, custody stack, liquidity path, and settlement record can survive the parts that do not migrate. New issuance should evaluate PQ-native rails before avoidable migration debt becomes permanent.
A forged ONCHAINID claim can bypass compliance gates on regulated tokenized securities. $32 billion in ERC-3643 assets can move to unauthorized wallets while the issuer's legal control layer appears valid onchain. A forged ERC-2612 permit can drain stablecoin balances routed through DeFi approval infrastructure without the owner transacting. A compromised Solana authority key can mint, freeze, or seize tokenized assets. A harvested Canton encrypted view can expose private institutional settlement history once a cryptographically relevant quantum computer arrives. This is not abstract blockchain security. It is tokenization, DeFi liquidity, custody control, stablecoin authorization, and settlement privacy exposure across the rails institutions already use.
"Quantum computers will break currently deployed public-key cryptography, and significantly weaken symmetric key cryptography."
Institutional digital assets totaling $38B+ in Ethereum DeFi TVL, $32B+ in regulated tokenized securities, $80B+ in stablecoin market cap with native permit exposure, $6-8B in Solana DeFi TVL, and $9 trillion per month in Canton settlement volume run on Ethereum, Solana, and Canton Network. All three chains rely on elliptic curve cryptography that Shor's algorithm will break. The market's default assumption is that chains will upgrade and institutions can wait. This report demonstrates why that assumption is dangerous.
The issue is not only transaction signing. Across all three chains, critical cryptographic dependencies are hardcoded into standards, compiled into validator binaries, embedded in immutable contracts, frozen into interfaces, bound into identity systems, or preserved forever in historical encrypted data. Chain upgrades can change future protocol behavior. They do not automatically repair the products, compliance gates, custody workflows, liquidity integrations, or settlement records already built on top.
This report focuses on the institutional markets sitting directly on these rails: tokenized securities, tokenized funds, stablecoins, DeFi liquidity, custody platforms, fund administration, wallet infrastructure, and post-trade settlement.
For executives, the post-quantum question is not whether an algorithm is elegant. It is whether a tokenized product can remain transferable, compliant, private, liquid, and insurable when its cryptographic assumptions expire.
| Exposure | Technical Issue | Business Consequence |
|---|---|---|
| Ethereum tokenized funds | ECDSA accounts, ecrecover, permit flows, immutable DeFi contracts | Admin-key exposure, forged approvals, liquidity migration debt, unresolved custody diligence |
| ERC-3643 securities | ONCHAINID claim verification depends on ECDSA | Forged compliance attestations, transfer-rule failure, regulatory control breakdown |
| Solana stablecoins and RWAs | Ed25519 account authority, SPL Token immutability, hardcoded verification path | Issuer authority exposure, freeze/mint-control risk, ecosystem-wide migration burden |
| Canton settlement | ECIES P-256 encrypted views, namespace key binding, Synchronizer scheme gate | Historical privacy loss, identity migration shock, simultaneous-participant coordination risk |
| Custody and MPC stacks | Final onchain signature remains ECDSA or Ed25519 | MPC reduces operational key risk but does not remove algorithm-level quantum exposure |
EternaX exists because post-quantum migration is not only an algorithm swap. It is a market-infrastructure redesign. Institutional rails need PQ-safe accounts, signatures, verifier logic, identity, custody workflows, compliance modules, and settlement assumptions from genesis.
That is the core architectural difference: EternaX does not ask institutions to wait for legacy chains to repair cryptographic debt after liquidity, custody, and compliance integrations become immovable. It removes the debt before issuance.
"The key is to be on this journey today and not wait until the last minute."
Every major chain now has, or will claim to have, a post-quantum roadmap. That is not enough. The institutional exposure does not end at the protocol layer. It lives inside products, standards, custody flows, compliance gates, immutable contracts, frozen interfaces, and historical settlement data.
A chain upgrade can change the base layer. It cannot rewrite your issued token, your permit interface, your ONCHAINID compliance logic, your SPL Token authority model, your custody integration, or the encrypted settlement history already recorded on quantum-vulnerable keys. This is the blind spot this report is designed to expose.
ERC-3643 ONCHAINID still uses ECDSA ecrecover. Your $32B in regulated securities still has forgeable compliance gates.
ERC-2612 permit still requires (v, r, s). $80B+ in tokens cannot accept PQ signatures through their existing ABI.
Permit2, V2/V3, Compound V2, WETH9 are still immutable. $15B+ TVL in contracts with permanent ECDSA logic.
SPL Token is still immutable via BPFLoader2. The entire $6-8B token ecosystem must migrate to a new program.
Throughput drops ~90%. Confirmed by Solana Foundation / Project Eleven testnet (April 2026). GPU pipeline requires full CUDA rewrite.
Every address is a raw public key. Zero address-level quantum protection. All accounts permanently exposed from creation.
EternaX eliminates all three problems: SPHINCS+ signing from genesis, ~2% TPS loss (not ~90%), and PQ-safe address derivation with no exposed classical keys.
Namespace identity must be destroyed and recreated. Canton's own documentation states root signing keys cannot be rotated without losing the namespace.
$60T+ in historical settlements is still decryptable. Every prior trade between Goldman Sachs, DTCC, JPMorgan, HSBC can be decrypted.
Throughput drops ~88%. $9T/month in settlements faces systemic risk during migration. AWS/GCP KMS do not support PQ signing.
700+ institutions must coordinate simultaneously. Synchronizer enforces minimum scheme set. Partial migration is technically impossible.
EternaX eliminates all four problems: PQ identity from genesis, ~2% TPS loss, no coordination required, and PQ encryption protecting settlement privacy from day one.
| Migration Challenge | Ethereum | Solana | Canton | PQ-Native Chain |
|---|---|---|---|---|
| Address / identity model | Requires new account model; public keys exposed after first tx | Requires new account model; addresses ARE raw public keys (always exposed, zero address-level protection) | Namespace = hash of root key fingerprint. Changing key type destroys identity. Canton docs: "cannot be rotated without losing the namespace" | Solved at genesis |
| Transaction signing | Coordinated hard fork, all clients | Coordinated upgrade, all validators; GPU sigverify pipeline hardcoded for Ed25519 CUDA requires full rewrite | Six-layer signing across topology, confirmations, mediator, transfers, ACS commitments, sequencer auth | Solved at genesis |
| Signature precompiles | ecrecover cannot be patched | Ed25519Verify is native code; programs using precompiles inherit vulnerability after migration | Pluggable API (application-layer advantage); protocol layer still requires full migration | PQ verifier from day one |
| Immutable contracts | Permit2, V2/V3, WETH9: permanent | SPL Token: BPFLoader2, permanent | No immutable contracts (application-layer advantage) | No legacy to inherit |
| Broken standards | ERC-2612: must be replaced; ERC-3643: ONCHAINID must be rebuilt | SPL Token: immutable, all authority keys (mint, freeze, upgrade) are Ed25519-locked. Token-2022 Confidential Transfers derive ElGamal keys from Ed25519. Transaction ID is first Ed25519 signature. | N/A (Daml abstraction, application-layer advantage) | PQ-permit + PQ-ONCHAINID from day one |
| Consensus | PoS: consensus-layer PQ key registry proposed (EIP-8141, Hegotá H2 2026). leanXMSS + SNARK aggregation. | Alpenglow BLS aggregation: no PQ equivalent exists. Research active (LaBRADOR, Raccoon) but not production-ready. | Synchronizer enforces minimum scheme set; partial migration technically impossible | PQ-safe consensus from day one |
| Privacy / HNDL | Public chain: N/A | Public chain: N/A | ECIES P-256: $60T+ historical views exposed. Cannot be un-collected. | PQ encryption from day one |
| Infrastructure dependencies | L2s, wallets, custody, DeFi integrations | Wallets, custody, hardware (no Falcon HSM support); vault fee payers still Ed25519 | AWS/GCP KMS do not support PQ signing; production deployments blocked until cloud providers add support | No legacy dependencies |
| Performance under PQ | ~84% TPS loss (modeled, SPHINCS+ substitution) | ~90% TPS loss (Solana Foundation / Project Eleven testnet, April 2026) | ~88% TPS loss (modeled, SPHINCS+ substitution) | ~2% TPS loss |
| Estimated migration timeline | L1 target ~2029; full execution-layer migration years beyond (pq.ethereum.org). EIP-8141 proposed for Hegotá H2 2026. | Falcon prototypes on GitHub, no mainnet deployment, no timeline set. FIPS 206 (Falcon) not yet finalized. | Unknown. Zero public documentation, zero roadmap published as of June 2026. | Day one |
Historical precedent: SHA-1 to SHA-2 took over a decade. 3DES to AES took 5-20 years. PQ migration is orders of magnitude more complex, touching every layer simultaneously. No blockchain has completed one. Ethereum targets L1 upgrades by ~2029 with full execution-layer migration taking additional years (pq.ethereum.org). Solana has prototypes but no mainnet deployment or timeline. Canton has zero public roadmap. Academic research estimates 5-7 years optimistic, 10-15 years realistic for full blockchain PQ migration (JBBA, 2026). EternaX eliminates this migration timeline entirely: institutions deploy on PQ-native rails from day one rather than waiting for legacy chains to complete multi-year transitions.
The United States has moved from guidance to enforcement. Finalized NIST standards, binding inventory requirements, and Executive Order 14412 create a compliance cascade that reaches every institutional digital-asset product through procurement, custody, and settlement.
"We encourage system administrators to start integrating them into their systems immediately, because full integration will take time."
| Verified source | What it establishes | Institutional implication |
|---|---|---|
| NSM-10 (White House, May 2022) | Quantum-vulnerable cryptography classified as national security risk. Migration planning directed. | PQC is a national-security transition program, not optional research. |
| OMB M-23-02 (November 2022) | Federal agencies directed to inventory and prioritize migration of quantum-vulnerable cryptography. | CBOM-style diligence becomes the institutional baseline. |
| NSA CNSA 2.0 (September 2022) | Quantum-resistant algorithm requirements for National Security Systems. Preference dates 2025-2026, required dates 2030-2033. | Financial market infrastructure will face the same assurance expectations. |
| NIST FIPS 203, 204, 205 (August 2024) | ML-KEM, ML-DSA, and SLH-DSA (SPHINCS+) finalized as federal standards. | Institutions now have recognized standards against which vendors and settlement rails can be evaluated. |
| NIST IR 8547 (November 2024) | ECDSA/RSA deprecated after 2030 (112-bit security). All ECDSA/RSA/EdDSA disallowed after 2035. | Every chain using ECDSA or Ed25519 is on a published deprecation/disallowance schedule. |
| Executive Order 14412 "Securing the Nation Against Advanced Cryptographic Attacks" (White House, June 22, 2026) | First enforceable federal PQC deadlines. 30 days: agency PQC leads. 90 days: OMB binding guidance. 180 days: FAR contractor compliance rule (deadline Dec 31, 2030). 270 days: CISA/NIST CBOM guidance. Dec 31, 2031: PQC for all federal digital signatures. | Converts PQC from research into procurement gates. CBOM will expose ECDSA/EdDSA dependencies across custody, tokenization, and settlement. The order states adversaries "may already be collecting" encrypted data for future quantum decryption. |
EO 14412 (Federal Register Vol. 91, No. 121, June 25, 2026) directly binds federal agencies. Its private-sector impact flows through procurement, federal contractors, critical-infrastructure expectations, regulated-client diligence, vendor risk reviews, and CBOM disclosure. That distinction matters: the order does not instantly regulate every crypto institution, but it creates the compliance standard those institutions will increasingly be measured against.
Channel 1: FAR Procurement (Section 6c). Federal contractors must comply with NIST FIPS PQC by December 31, 2030. Digital-asset vendors with federal contract exposure, federal clients, or federal-adjacent market infrastructure relationships will be pulled into that requirement first.
Channel 2: CBOM Disclosure (Section 5d). By ~March 2027, CISA and NIST publish CBOM guidance: machine-readable inventories of every algorithm, key, and protocol. For a blockchain product, that means declaring ECDSA, Ed25519, ECIES, permit logic, identity-verification logic, and custody signing dependencies as deployed cryptographic components. A roadmap is not a CBOM entry.
Channel 3: Critical Infrastructure Pressure (Section 5a). Financial market infrastructure, clearing, settlement, custody, and post-trade technology providers will face higher assurance expectations even where the order reaches them indirectly through clients, supervisors, procurement, and resilience standards.
Channel 4: Regulated Client Cascade. BlackRock, Goldman Sachs, JPMorgan, State Street, and other regulated financial institutions will increasingly ask their digital-asset vendors the same question: which deployed algorithms secure this product today, and are they aligned with NIST-approved PQC migration plans?
Channel 5: Section 6(d) Vulnerability Disclosure. Contractor vulnerability disclosure expands to cover the use of non-FIPS approved algorithms. For products touching federal procurement or federal-adjacent systems, ECDSA and Ed25519 dependencies become diligence items, not abstract cryptography.
A CBOM audit reports what is deployed, not what is planned:
| Chain | Tx Signing Algorithm | NIST PQ Status | PQ TPS Impact | In-Place Migration Path | CBOM Result |
|---|---|---|---|---|---|
| Ethereum | ECDSA (secp256k1) | Deprecated 2030 / Disallowed 2035 | ~84% loss | Requires hard fork + account migration + immutable contract ecosystem | FAIL |
| Solana | EdDSA (Ed25519) | Disallowed 2035 | ~90% loss | Requires runtime overhaul + GPU pipeline rewrite + SPL Token migration | FAIL |
| Canton | Ed25519 / ECDSA P-256 | Disallowed 2035 | ~88% loss | Namespace identity impossibility + Synchronizer gate + KMS blocker | FAIL |
| Stellar | EdDSA (Ed25519) | Disallowed 2035 | ~90% loss | Requires protocol upgrade across validator network | FAIL |
| Bitcoin | ECDSA (secp256k1) | Deprecated 2030 / Disallowed 2035 | No PQ proposal | No consensus on PQ migration path | FAIL |
| EternaX | SPHINCS+ / SLH-DSA (FIPS 205) | NIST Approved | ~2% loss | Native from day one. No migration required. | PASS |
Ethereum has five layers where ECDSA (secp256k1) is embedded in ways no software upgrade can remove. Each layer is independently non-upgradeable. Together they constitute a permanent architectural commitment to quantum-vulnerable cryptography.
Three of the eight most institutionally relevant ERC standards have ECDSA embedded at levels that prevent clean post-quantum migration. They are ordered here by institutional exposure severity.
| Standard | Institutional Function | ECDSA Location | Severity | What Breaks Under Quantum Attack |
|---|---|---|---|---|
| ERC-3643 | Regulated security tokens. $32B+ tokenized across 180+ jurisdictions. DTCC/SEC endorsed. | Embedded in ONCHAINID claim verification. isClaimValid verifies claim issuer signatures via ECDSA ecrecover. | Critical | Attacker fabricates KYC/AML attestations, bypasses all compliance gates, moves regulated securities to ineligible wallets. |
| ERC-2612 | Gasless approvals. USDC, DAI, PYUSD, institutional DeFi flows. | Hardcoded in spec. permit(... uint8 v, bytes32 r, bytes32 s). Uses ecrecover. v/r/s is ECDSA-specific. | Critical | Attacker drains any token balance by forging gasless approvals. No onchain transaction by victim required. |
| ERC-1400 | Security token suite. Partitioned tokens, transfer agent certificates. | Implementation-level. CertificateController uses ecrecover to verify transfer agent signatures. | High | Attacker authorizes unauthorized transfers of partitioned security tokens without issuer approval. |
ERC-2612 defines permit(address owner, address spender, uint value, uint deadline, uint8 v, bytes32 r, bytes32 s) and requires a valid secp256k1 signature. That is why the standard cannot simply accept large post-quantum signatures without a replacement interface. See ERC-2612 and EIP-712.
"If a user has made even one transaction, then the signature of that transaction reveals the public key."
ERC-3643 is the dominant institutional tokenization standard: $32B+ tokenized, 180+ jurisdictions, DTCC ComposerX integration, SEC endorsement, ISO standardization underway, 92+ association members. Its compliance enforcement depends on ONCHAINID, which verifies claim issuer signatures using ECDSA ecrecover. A quantum adversary forges a claim issuer signature, fabricates a KYC attestation, and any address appears compliant. $32 billion in regulated securities has its compliance gates bypassed. Migration requires a PQ-ONCHAINID variant. The chain upgrading does not fix ONCHAINID.
If you issued a regulated security on ERC-3643, the compliance layer that makes your product legal depends on ECDSA. A quantum adversary bypasses your compliance gates with one forged signature. Your tokenized bond, your fund shares, your structured product moves to an unauthorized wallet. This is not a protocol risk you can defer to Ethereum. This is a product risk on your issued securities. You must rebuild the identity verification layer underneath your product.
ERC-2612 hardcodes ECDSA into the standard specification. The permit function uses (uint8 v, bytes32 r, bytes32 s), which is ECDSA-specific. SPHINCS+ signatures (7,856-49,856 bytes) cannot fit. The standard cannot be adapted. It must be replaced.
Dollar exposure: USDC ($55B+), DAI/USDS (~$5B), stETH ($15B+), PYUSD, GHO, crvUSD, and all tokens deployed via OpenZeppelin ERC20Permit. Total permit token market cap exceeds $80B. Through Permit2, exposure extends to every ERC-20 on every EVM chain. Ethereum DeFi alone holds ~$38B TVL, nearly all routing through permit-dependent infrastructure.
When Fireblocks processes a permit signature for an institutional USDC transfer, that signature is ECDSA. A quantum adversary forges it and drains the balance without the owner transacting. This is a custody risk, a fiduciary risk, and a regulatory risk. The standard cannot be adapted. Even after Ethereum hard forks to PQ transaction signing, your permit interface remains ECDSA-only. Your product remains vulnerable after the chain upgrades.
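The ABI-level dependency described above can be checked mechanically during a cryptographic inventory. The following is an added example, not code from this report or from any project it names: it scans a contract ABI in the standard Solidity JSON layout for functions whose interface fixes an ECDSA (v, r, s) triple. The sample ABI is constructed, `permitBatch` and `permitBytes` are hypothetical functions, and the record fields are an assumed shape rather than a CBOM format.

```python
import json

# r (32 bytes) + s (32 bytes) + v (1 byte): all a (v, r, s) triple can carry.
VRS_CAPACITY_BYTES = 65
# Smallest SPHINCS+ signature size quoted in this report.
PQ_MIN_SIG_BYTES = 7856
VRS_TYPES = ("uint8", "bytes32", "bytes32")

# Constructed sample ABI, not taken from any deployed contract. `permitBatch`
# and `permitBytes` are hypothetical functions invented for this illustration.
SAMPLE_ABI = json.loads("""
[
  {"type": "function", "name": "transfer",
   "inputs": [{"name": "to", "type": "address"},
              {"name": "amount", "type": "uint256"}]},
  {"type": "function", "name": "permit",
   "inputs": [{"name": "owner", "type": "address"},
              {"name": "spender", "type": "address"},
              {"name": "value", "type": "uint256"},
              {"name": "deadline", "type": "uint256"},
              {"name": "v", "type": "uint8"},
              {"name": "r", "type": "bytes32"},
              {"name": "s", "type": "bytes32"}]},
  {"type": "function", "name": "permitBatch",
   "inputs": [{"name": "owner", "type": "address"},
              {"name": "sigs", "type": "tuple[]", "components": [
                  {"name": "v", "type": "uint8"},
                  {"name": "r", "type": "bytes32"},
                  {"name": "s", "type": "bytes32"}]}]},
  {"type": "function", "name": "permitBytes",
   "inputs": [{"name": "owner", "type": "address"},
              {"name": "spender", "type": "address"},
              {"name": "value", "type": "uint256"},
              {"name": "deadline", "type": "uint256"},
              {"name": "signature", "type": "bytes"}]},
  {"type": "event", "name": "Approval", "inputs": []}
]
""")


def canonical_type(param):
    """Return the ABI canonical type, expanding tuples into (t1,t2,...)."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param.get("components", []))
        return "(" + inner + ")" + t[len("tuple"):]
    return t


def leaf_params(params):
    """Flatten nested tuple parameters into an ordered list of (name, type)."""
    leaves = []
    for p in params:
        if p["type"].startswith("tuple"):
            leaves.extend(leaf_params(p.get("components", [])))
        else:
            leaves.append((p.get("name", ""), p["type"]))
    return leaves


def has_vrs_triple(leaves):
    """True if three consecutive leaves are typed uint8, bytes32, bytes32."""
    types = [t for _, t in leaves]
    return any(tuple(types[i:i + 3]) == VRS_TYPES for i in range(len(types) - 2))


def has_opaque_signature(leaves):
    """True if a dynamic `bytes` leaf is named like a signature."""
    return any(t == "bytes" and "sig" in name.lower() for name, t in leaves)


def classify(fn):
    """Build one inventory record for a function entry of the ABI."""
    inputs = fn.get("inputs", [])
    leaves = leaf_params(inputs)
    signature = fn["name"] + "(" + ",".join(canonical_type(p) for p in inputs) + ")"
    if has_vrs_triple(leaves):
        binding = "abi-fixed-ecdsa"
        can_carry = VRS_CAPACITY_BYTES >= PQ_MIN_SIG_BYTES  # 65 < 7856
        note = "interface must be replaced; a chain upgrade does not change it"
    elif has_opaque_signature(leaves):
        binding, can_carry = "opaque-signature", True
        note = "ABI can carry a larger signature; review implementation for ecrecover"
    else:
        binding, can_carry, note = "none", None, ""
    return {"function": signature, "binding": binding,
            "abi_can_carry_pq": can_carry, "note": note}


def inventory(abi):
    """Classify every function in the ABI; events and errors are skipped."""
    return [classify(e) for e in abi if e.get("type") == "function"]


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_ABI), indent=2))
```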
Core DeFi infrastructure was deliberately made immutable so no administrator could alter behavior post-deployment. This design choice, which was correct for trust minimization, now creates permanent quantum vulnerability. These contracts collectively hold or route over $15 billion in TVL and serve as foundational infrastructure for the entire EVM ecosystem. They contain ECDSA logic (via ecrecover calls or hardcoded v/r/s permit signatures) that can never be replaced. They must be abandoned and redeployed as entirely new contracts on any PQ-safe chain.
| Contract | Deployer | ECDSA Dependency | Approx. TVL / Impact |
|---|---|---|---|
| Uniswap Permit2 | Uniswap Labs | ecrecover for signature verification | Universal EVM approval layer |
| Uniswap V2 Pair | Uniswap Labs | ERC-2612 permit, hardcoded v/r/s | $2B+ TVL |
| Uniswap V3 Pool | Uniswap Labs | Immutable core | $3B+ TVL |
| Compound V2 cTokens | Compound Labs | ecrecover in governance | Multi-billion TVL |
| Curve Base Pools | Curve Finance | Immutable core logic | Multi-billion TVL |
| Balancer V2 Vault | Balancer | Immutable core | Multi-billion TVL |
| WETH9 | Community | Immutable, no permit but foundational | $5B+ deposited |
| ENS Registry | ENS | Immutable | Ethereum naming infrastructure |
Institutional products do not exist in isolation from DeFi. BlackRock BUIDL uses ERC-4626 vaults. Those vaults interact with DeFi liquidity routing through Uniswap pools and Permit2. The institutional product and DeFi infrastructure are the same stack. When Permit2's ecrecover becomes forgeable, every token approval routed through it is compromised. These contracts cannot be upgraded. The only path is to deploy new contracts on PQ-safe infrastructure. EternaX offers this: the same institutional APIs (ERC-20, ERC-4626, ERC-4337) running on SPHINCS+ from day one, without inheriting Ethereum's immutable contract debt.
"Using Shor's algorithms, factoring large numbers on a quantum computer would be just as fast as multiplication."
Solana uses Ed25519 (Curve25519 elliptic curve) for every cryptographic operation on the chain. Ed25519 is as vulnerable to Shor's algorithm as Ethereum's secp256k1 ECDSA. The vulnerability extends deeper on Solana because Ed25519 is not just the transaction signing scheme. It is the identity of every account, every authority key, every validator, and every governance surface on the network. Critically, Solana addresses are the raw 32-byte Ed25519 public keys themselves, not hashes of keys. Unlike Ethereum, where public keys are only revealed when an account first transacts, every Solana account's public key is permanently exposed on-chain from the moment of creation. There is no address-level quantum protection for any account on the network. Solana's DeFi ecosystem holds approximately $6-8 billion in TVL, with institutional products including Circle's USDC on Solana, BlackRock's BUIDL (Solana class), Visa stablecoin settlement pilots, and WisdomTree tokenized funds all dependent on Ed25519 at every layer.
Solana's Ed25519 and Secp256k1 verification programs are precompiled into the validator runtime as native code. They cannot be upgraded by any on-chain mechanism. Replacing them requires a coordinated validator software upgrade, equivalent to an Ethereum hard fork. Every on-chain program that uses these precompiles for custom authorization, including multisigs, custody schemes, and DeFi authorization logic, inherits quantum vulnerability and persists after any base protocol migration until individually updated.
Solana's Transaction Processing Unit verifies Ed25519 signatures using GPU-accelerated CUDA kernels, achieving nearly one million verifications per second. The SigVerify stage sits on the critical path: no transaction can execute until its signatures are verified. The GPU pipeline is hardcoded for Ed25519 point arithmetic. Migrating to any PQ scheme requires entirely new GPU kernels with fundamentally different mathematical operations, introducing an engineering cost and performance unknown that no other chain faces at this scale.
SPL Token and Associated Token are loaded by the deprecated BPFLoader2, making them permanently immutable. Every token on Solana, every stablecoin, every DeFi position depends on these programs. PQ migration requires deploying an entirely new token program and migrating all token state across the ecosystem.
Solana's Alpenglow consensus uses BLS signature aggregation for validator voting. There is no post-quantum equivalent to BLS aggregation. Even if user transactions migrate to PQ, the consensus layer has an unsolved cryptographic problem.
Solana's only deployed PQ primitive is the Winternitz Vault: hash-based one-time signatures suitable for cold storage only. Each signature reveals ~50% of the private key. Not default. Users must opt in. Does not protect validator identities, consensus, transaction signing, DeFi programs, or any authority key. Critically, the Solana protocol requires a standard Ed25519 account to pay transaction fees. Vaults are user-defined programs that cannot pay fees directly. Anza's own research confirms: "Vaults alone are not sufficient because the account model is used to pay fees directly. Any fee payer account will be drainable if no action is taken to harden the account model." Even assets inside a vault require a quantum-vulnerable fee payer to access them.
In April 2026, the Solana Foundation and Project Eleven published testnet results from PQ signature trials. Post-quantum signatures tested were 20-40x larger than Ed25519. Project Eleven CEO Alex Pruden confirmed to CoinDesk that throughput declined by approximately 90%. The specific scheme was not publicly confirmed, but the 20-40x size range is consistent with NIST FIPS 204 (ML-DSA/Dilithium). Subsequently, both Anza and Firedancer converged on Falcon (FN-DSA, FIPS 206 track) as the preferred migration scheme, with smaller signatures (~10x Ed25519). But even with Falcon, a single signature plus public key (~1,563 bytes) exceeds Solana's current 1,232-byte transaction limit. The structural migration challenges, including transaction format overhaul, GPU pipeline rewrite, SPL Token immutability, consensus aggregation, fee model redesign, and hardware wallet support, persist regardless of scheme choice. No mainnet deployment exists. No timeline has been set. FIPS 206 (Falcon) is not yet finalized. No hardware wallet, institutional custodian, or threshold-signing provider supports Falcon. A CBOM audit of Solana today reports Ed25519 as the deployed signing scheme.
"A quantum adversary can not only decrypt future traffic but, if they want to, past traffic."
Canton processes over $9 trillion per month in settlements across 700+ institutions including DTCC, Goldman Sachs, Broadridge, JPMorgan, HSBC, BNY Mellon, and Franklin Templeton. By settlement volume, it is the most consequential institutional blockchain in production. Its entire cryptographic stack is elliptic curve based. Zero post-quantum algorithms are deployed.
| Primitive | Supported Schemes | Quantum Status | Institutional Impact |
|---|---|---|---|
| Signing | Ed25519 (default), ECDSA P-256, ECDSA P-384 | All Vulnerable | Six protocol layers: topology transactions, confirmation request Merkle root signing, confirmation response signing to mediator, transfer message signing, ACS commitment signing, and sequencer challenge-response authentication. Multi-view privacy multiplies the signature count per transaction across involved parties. |
| Asymmetric Encryption | ECIES on P-256 with HMAC-SHA256 and AES128-GCM | Key Exchange Vulnerable | View encryption for sub-transaction privacy. Every encrypted view is decryptable once ECDLP is broken. |
| Symmetric Encryption | AES128-GCM | Adequate | View content encryption. Secure if key exchange is PQ-safe. Currently compromised by vulnerable ECIES layer above. |
| MAC | HMAC with SHA-256 | Adequate | Message authentication. Not the primary risk surface. |
Canton's core value proposition is sub-transaction privacy, implemented using ECIES encryption on P-256. Every encrypted view ever sequenced through Canton's Global Synchronizer is stored with quantum-vulnerable keys. An adversary collecting sequencer traffic today decrypts every private transaction view once a CRQC arrives. For a network whose institutional justification is privacy, this is a present-tense data collection opportunity for sophisticated adversaries.
Canton's Daml abstraction layer means application contracts do not hardcode ECDSA in the way Ethereum's ERC-2612 or Uniswap Permit2 do. This is a genuine application-layer advantage. But the protocol layer, where signatures, encryption, identity, and consensus operate, faces structural migration challenges that are arguably harder than Ethereum's. As of June 2026, Digital Asset has published zero blog posts, zero documentation pages, zero GitHub activity, and zero conference presentations addressing post-quantum migration. For comparison: the Solana Foundation published a PQ readiness blog, testnet results, and multiple SIMDs. Ripple published a multi-phase XRPL PQ roadmap. Canton's public PQ posture consists of a CISO confirmation that the cryptographic API is extensible. For a network processing $9 trillion per month in institutional settlements, this silence is itself a material finding.
Canton's identity model permanently binds every namespace to the cryptographic fingerprint of its root signing key. Canton's own documentation states: "A namespace root signing key is a permanent key. It cannot be rotated without losing the namespace, as the namespace is identified by the fingerprint of the signing key. This is an architectural feature." Changing the root key from Ed25519 to a PQ scheme changes the fingerprint, which changes the namespace, which destroys the identity. Every party, every node, every topology delegation, and every contract reference under that namespace breaks. This is not a coordination problem. It is a structural identity impossibility that must be solved before any of the migration challenges below become relevant.
Replacing Ed25519 (64 bytes) with SPHINCS+ (7,856 bytes) inflates every signed message 122x. Canton's multi-view privacy model compounds this: every transaction view requires separate signing and encryption operations across all involved parties, multiplying the PQ penalty per transaction. For $9T/month in settlements, degraded throughput during migration creates systemic settlement risk. Additionally, Canton production deployments use AWS or GCP KMS for key management. Canton's documentation states that "Canton's supported schemes must match those provided by the KMS." Neither AWS KMS nor GCP KMS supports PQ signing (ML-DSA, SLH-DSA, or FN-DSA) as of June 2026. Even if Canton adds PQ support to its codebase, production institutional deployments cannot use PQ keys until cloud KMS providers add support.
Canton's privacy model requires all parties to agree on the cryptographic scheme. Partial migration breaks atomic settlement. Canton's Synchronizer enforces this technically: the documentation states that every Synchronizer imposes a minimum set of cryptographic schemes, and any node that does not support the required set is unable to connect. Partial migration is not merely organizationally difficult. It is architecturally impossible. Goldman Sachs, DTCC, JPMorgan, HSBC, Broadridge, and 690+ others must upgrade to PQ simultaneously, or the classical scheme remains the operating standard and no quantum safety is achieved. No precedent exists for coordinated cryptographic migration across this many regulated institutions.
Even perfect future migration cannot protect $60T+ in cumulative settlement volume already encrypted with quantum-vulnerable ECIES P-256. Every trade, every position, every counterparty relationship settled on Canton is retrospectively exposed. Upgrading protects future transactions. It does not protect the past.
"If quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another."
The evidence in this report points to four immediate actions for any institution issuing, holding, or custodying digital assets on Ethereum, Solana, or Canton.
| Action | Why Now | Who Owns It |
|---|---|---|
| 1. Conduct a cryptographic inventory | Federal PQC guidance requires cryptographic inventory and migration planning for high-assurance systems. Institutional products on public blockchains must enumerate: which signing scheme secures each asset, which standards embed ECDSA in their specification or implementation, which contracts are immutable, and which custody integrations depend on permit flows. | CISO / CTO |
| 2. Assess application-layer PQ exposure | Chain-layer upgrades do not fix application-layer problems. Institutions must separately assess: ERC-3643 ONCHAINID claim verification, ERC-2612 permit interface dependencies, immutable contract dependencies in DeFi routing, and custody platform signature schemes. Each of these persists after any chain upgrade. | CTO / Engineering |
| 3. Evaluate PQ-native settlement rails | For new issuance and long-duration tokenized products (bonds, fund shares, structured credit), the cost of issuing onto quantum-vulnerable rails today is the guaranteed migration debt tomorrow. PQ-native chains eliminate this debt at issuance. The evaluation criteria: native PQ signing (not optional vaults), institutional-grade throughput under PQ (~2% loss, not ~90%), and day-one compatibility with ERC-20/ERC-721/ERC-4626/ERC-4337. | Product / Strategy |
| 4. Engage custodians on CBOM readiness | Custodians subject to federal mandates will be required to justify the cryptographic posture of every asset they custody. If your custodian cannot answer the CBOM question for your product's underlying chain, your product faces restriction or restructuring. Start the conversation now, not when the FAR amendment takes effect. | Operations / Compliance |
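Actions 1 and 2 can start as a machine-readable record per asset, checked against the criteria named in the table. The sketch below is an added example, not EternaX tooling or a CBOM schema: the field names, the `assess` rules and the sample assets are assumptions constructed for illustration, and schemes the script does not recognise are flagged for review instead of being assumed safe.

```python
import json

# Scheme classes as the report groups them; anything else is "unknown".
SHOR_VULNERABLE = {"ecdsa-secp256k1", "ecdsa-p256", "ed25519", "ecies-p256"}
PQ_SCHEMES = {"slh-dsa", "ml-dsa", "fn-dsa"}
ECDSA_BOUND_STANDARDS = {"ERC-2612", "ERC-3643"}  # flagged in the report

def assess(entry: dict) -> dict:
    """Attach a status and the report's non-upgradeable findings to one entry."""
    scheme = entry["scheme"].lower()
    findings = []
    if scheme in PQ_SCHEMES:
        status = "pq"
    elif scheme in SHOR_VULNERABLE:
        status = "quantum-vulnerable"
    else:
        status = "unknown"  # fail closed: unclassified crypto is not assumed safe
        findings.append("scheme not classified, review manually")
    if status != "pq":
        if entry.get("immutable"):
            findings.append("immutable contract, no in-place upgrade")
        if entry.get("standard") in ECDSA_BOUND_STANDARDS:
            findings.append(f"{entry['standard']} is ECDSA-bound per the report")
        if entry.get("permit_flow"):
            findings.append("custody integration depends on permit flow")
        if entry.get("use") == "encryption":
            findings.append("stored ciphertext exposed to harvest-now-decrypt-later")
    return {**entry, "status": status, "findings": findings}

def build_inventory(entries: list) -> list:
    """Assess every entry and order the result with the most findings first."""
    return sorted(map(assess, entries), key=lambda r: (-len(r["findings"]), r["asset"]))

def to_json(entries: list) -> str:
    return json.dumps(build_inventory(entries), indent=2)

# Constructed sample inventory; asset names are illustrative only.
SAMPLE = [
    {"asset": "fund-share-token", "chain": "ethereum", "scheme": "ECDSA-secp256k1",
     "standard": "ERC-3643", "immutable": True, "use": "signing"},
    {"asset": "stablecoin-permit", "chain": "ethereum", "scheme": "ECDSA-secp256k1",
     "standard": "ERC-2612", "immutable": True, "permit_flow": True, "use": "signing"},
    {"asset": "mint-authority", "chain": "solana", "scheme": "Ed25519", "use": "signing"},
    {"asset": "settlement-views", "chain": "canton", "scheme": "ECIES-P256", "use": "encryption"},
    {"asset": "pilot-ledger", "chain": "internal", "scheme": "SLH-DSA", "use": "signing"},
]

if __name__ == "__main__":
    print(to_json(SAMPLE))
```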
For Action Item 3, EternaX offers a practical next step: a chain-aware CBOM exposure review for tokenized funds, stablecoins, custody stacks, settlement workflows, and DeFi integrations, followed by a PQ-native issuance path using the same institutional APIs institutions already use.
For institutions evaluating post-quantum settlement rails, EternaX is PQ-native market infrastructure for stablecoin issuance, RWA tokenization, custody-adjacent workflows, and institutional settlement. The premise is simple: do not inherit cryptographic debt that must be repaired later. Every layer documented in this report as non-upgradeable on existing chains is addressed at genesis: accounts, signatures, verifier logic, identity, permits, compliance modules, and settlement assumptions.
The primary defense is SPHINCS+ (NIST FIPS 205, SLH-DSA), a hash-based signature standard whose security reduces to well-understood hash function properties. SPHINCS+ is not an add-on or optional feature. It is the native signing scheme at the protocol level. Every address, every transaction, every precompile, every consensus attestation uses PQ-safe cryptography from the first block.
The institutional objection to PQ is performance. SPHINCS+ signatures are 122x larger than ECDSA. Every existing chain that attempts PQ migration faces severe throughput penalties. EternaX absorbs this cost at the architecture level.
The ~2% cost results from architectural decisions at the protocol design stage. Consensus is designed from genesis to handle PQ signature sizes efficiently. A compact permanent receipt layer reduces per-transaction storage by 49x (160 bytes vs 7,856 bytes). Existing chains face ~84-90% loss. The difference between ~2% and ~90% is the difference between a chain institutions can use and one they cannot.
Institutions do not need to learn new standards. EternaX provides the same facilities they already use for compliance, permits, security tokens, vaults, and programmable custody, running on PQ-native rails that will never need to be ripped out.
| Tier | Standards | What the Institution Sees | What Changes Underneath |
|---|---|---|---|
| Tier 1: Deploy unchanged | ERC-20, ERC-721, ERC-4626, ERC-4337, ERC-7943 | Identical API. Same functions, same parameters, same integration code. Zero learning curve. | SPHINCS+ operates at the transaction layer. The institution never touches the cryptography. |
| Tier 2: Same API, PQ module | ERC-3643, ERC-1400 | Same ONCHAINID concept, same claim topics, same trusted issuers, same compliance flow. Same CertificateController interface. | isClaimValid verifies with SPHINCS+ instead of ecrecover. Certificate signatures verified with SPHINCS+. Interface identical. |
| Tier 3: PQ-native redesign | ERC-2612 replacement | Same facility: gasless approvals, off-chain authorization. Custody platforms authorize token movements without on-chain transactions. | New PQ-permit interface with bytes signature parameter accepting SPHINCS+. Whoever ships this first defines the standard. |
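The Tier 3 row turns on an ABI detail: ERC-2612's `permit` takes the signature as three fixed-size arguments (`uint8 v, bytes32 r, bytes32 s`), 65 bytes in total. The added example below is not EternaX or EIP code; it encodes both call shapes with a minimal ABI encoder, and the `PQ_PERMIT` argument list, addresses and signature bytes are hypothetical placeholders.

```python
WORD = 32  # EVM ABI word size in bytes

# ERC-2612: permit(owner, spender, value, deadline, v, r, s), all static types.
ERC2612_PERMIT = ["address", "address", "uint256", "uint256", "uint8", "bytes32", "bytes32"]
# Hypothetical PQ permit (not a published standard): signature as dynamic bytes.
PQ_PERMIT = ["address", "address", "uint256", "uint256", "bytes"]

def abi_encode(types, values):
    """Encode arguments in ABI head/tail layout (function selector omitted)."""
    head, tail = [], b""
    head_len = WORD * len(types)
    for typ, val in zip(types, values):
        if typ == "bytes":  # dynamic: head holds an offset, tail holds length + data
            head.append((head_len + len(tail)).to_bytes(WORD, "big"))
            tail += len(val).to_bytes(WORD, "big") + val + b"\x00" * (-len(val) % WORD)
        elif typ == "bytes32":
            if len(val) != 32:
                raise ValueError(f"bytes32 slot cannot hold {len(val)} bytes")
            head.append(val)
        elif typ == "address":
            if len(val) != 20:
                raise ValueError("address must be 20 bytes")
            head.append(val.rjust(WORD, b"\x00"))
        else:  # uintN
            if val >> int(typ[4:]):
                raise ValueError(f"{val} does not fit in {typ}")
            head.append(val.to_bytes(WORD, "big"))
    return b"".join(head) + tail

def classical_permit(owner, spender, value, deadline, signature):
    """Split a 65-byte r || s || v signature into permit's three slots."""
    if len(signature) != 65:
        raise ValueError(f"(v, r, s) carries exactly 65 bytes, got {len(signature)}")
    r, s, v = signature[:32], signature[32:64], signature[64]
    return abi_encode(ERC2612_PERMIT, [owner, spender, value, deadline, v, r, s])

def pq_permit(owner, spender, value, deadline, signature):
    """Encode the hypothetical bytes-signature permit; any length fits."""
    return abi_encode(PQ_PERMIT, [owner, spender, value, deadline, signature])

# Constructed placeholders: not real addresses or signatures.
OWNER, SPENDER = b"\x11" * 20, b"\x22" * 20
ECDSA_SIG = b"\xaa" * 64 + bytes([27])
SPHINCS_SIG = b"\xbb" * 7856  # signature size quoted in the report
```

The classical call is 224 bytes of arguments and rejects the 7,856-byte signature outright; the `bytes` variant accepts it at 8,064 bytes of arguments, which is why existing permit callers cannot be reused unchanged.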
EO 14412: U.S. Executive Order titled "Securing the Nation Against Advanced Cryptographic Attacks." It directly binds federal agencies and creates a private-sector cascade through procurement, contractors, regulated clients, CBOM disclosure, and vendor diligence.
CBOM: Cryptographic Bill of Materials. A machine-readable inventory of cryptographic algorithms, libraries, keys, standards, and dependencies used by a system or product.
ECDSA: Classical elliptic-curve signature scheme used by Ethereum, Bitcoin, and many institutional custody flows. It is vulnerable to Shor's algorithm once public keys are exposed.
Ed25519: Edwards-curve signature scheme used across Solana, Stellar, and Canton defaults. It is not post-quantum secure and appears across account, validator, and authority models.
ECIES: Classical elliptic-curve encryption scheme used in privacy-sensitive systems. Historical encrypted traffic can remain exposed to harvest-now-decrypt-later attacks.
ERC-3643: Regulated token standard for permissioned securities and tokenized assets. Its ONCHAINID claim verification can inherit ECDSA-based compliance exposure.
ERC-2612: Permit approval standard with ECDSA-shaped v, r, s signature parameters. It cannot directly encode large post-quantum signatures without a replacement interface.
SPHINCS+ (SLH-DSA): NIST-standardized stateless hash-based post-quantum signature scheme under FIPS 205. EternaX uses this family as its conservative PQ-native signing anchor.
SPL Token: Core Solana token program used for fungible assets, mint authority, freeze authority, and token account control. Its authority model depends on Ed25519.
Canton namespace: Canton identity construct tied to the fingerprint of a root signing key. This creates a hard migration problem if the root key must move from classical to PQ cryptography.
| Report Claim | Primary Source | Why It Matters |
|---|---|---|
| NIST has standardized SLH-DSA as a stateless hash-based post-quantum signature standard. | NIST FIPS 205 / SLH-DSA | Anchors the EternaX conservative PQ-signature posture to an official NIST standard. |
| EO 14412 makes PQC migration a direct federal priority and creates contractor, procurement, and CBOM pressure. | Federal Register: EO 14412 | Turns PQC from future planning into board-level compliance and vendor-risk diligence. |
| ERC-2612 is structurally ECDSA-shaped through v, r, s permit parameters. | Ethereum EIP-2612 | Explains why existing permit interfaces cannot simply accept large PQ signatures. |
| EIP-712 typed-data signing supports permit, custody, and institutional authorization flows that depend on classical signature verification. | Ethereum EIP-712 | Shows how transaction authorization and offchain approvals inherit the same cryptographic base. |
| Solana exposes signature-verification primitives at the runtime and program layer. | Solana Program Documentation | Supports the claim that Solana's exposure is not limited to wallet signing. |
| Canton documents classical signing and encryption scheme support, including Ed25519, ECDSA, and ECIES. | Canton Security and Key Management | Supports the report's claim that Canton has signing, identity, and privacy-layer PQ migration challenges. |
| Ethereum public keys become exposed after an account transacts, making active accounts materially different from dormant addresses in a PQ world. | Ethereum Research: Quantum Emergency | Explains why active institutional admin, treasury, custody, and signer keys need special treatment. |
| Public agencies recommend preparing cryptographic inventories and migration plans before a cryptographically relevant quantum computer arrives. | CISA, NIST, and NSA PQC Guidance | Supports the report's CBOM-first action framework for institutions. |
| Claim family | Primary source | Why it matters |
|---|---|---|
| NIST PQC standards | NIST finalized PQC standards, FIPS 205 / SLH-DSA | Confirms finalized PQC standards and the hash-based SLH-DSA signature standard. |
| U.S. national-security PQC transition | NSA CNSA 2.0 announcement | Confirms official quantum-resistant algorithm requirements for National Security Systems. |
| Ethereum permit exposure | ERC-2612, EIP-712 | Confirms the v/r/s and secp256k1 structure of permit-based approvals. |
| Solana runtime exposure | Solana Programs documentation | Confirms precompiled signature verification programs and immutability after upgrade authority revocation. |
| Canton signing and encryption exposure | Canton Security and Key Management | Confirms Ed25519, ECDSA P-256/P-384, and ECIES P-256 schemes in Canton documentation. |
| Quantum threat and migration urgency | Michele Mosca, IACR ePrint, CISA, NIST, and NSA guidance, NIST IR 8547 | Confirms that today's public-key cryptography must migrate and that migration should begin before CRQC arrival. |
| Ethereum public-key exposure | Vitalik Buterin, Ethereum Research | Confirms that a single transaction reveals the public key, making transacted EOAs exposed in a post-quantum world. |
| Harvest-now-decrypt-later and crypto governance | Cloudflare post-quantum future, Jameson Lopp on quantum recovery, CERN interview with Peter Shor | Supports the report's claims on stored encrypted-data exposure, elliptic-curve migration tradeoffs, and Shor's algorithm risk. |
For deeper diligence, read the Post-Quantum Signature Security Ranking 2026, the PQC Risk Framework for Institutions, the PQ Exposure Map for Institutional Crypto and Tokenized Assets, and Why EternaX.
The team behind EternaX combines protocol research, cryptography, distributed systems, institutional digital-assets strategy, and post-quantum market-infrastructure execution.