Which Post-Quantum Signature Scheme Is the Safest for Institutional Use?

Over $2.5 billion in tokenized US Treasuries sits on BlackRock's BUIDL fund, issued through Securitize. Broadridge's DLR platform settles more than one trillion dollars per month in digital repo. Canton Network connects Goldman Sachs, BNY Mellon, Cboe, and Microsoft in multi-institution tokenized asset workflows. JPMorgan's Kinexys (formerly Onyx) processes cross-border payments and intraday repo settlement. Franklin Templeton's BENJI runs a $400M+ tokenized money market fund on public blockchains. MAS Project Guardian and BIS Project Agora are piloting tokenized bonds and cross-border FX settlement at sovereign scale. Every one of these platforms depends on digital signatures that must remain unforgeable for the lifetime of the assets they protect — years, decades, or indefinitely.

The post-quantum cryptography transition forces a choice. NIST has standardized three post-quantum signature schemes (ML-DSA, FN-DSA, SLH-DSA) and is evaluating nine additional candidates in a third round announced May 14, 2026. Which one should an institutional risk officer select?

The answer, on the dimension that matters most to risk officers — assumption minimality and long-term survivability — is unambiguous. SPHINCS+ (SLH-DSA, FIPS 205) is the only scheme whose security reduces entirely to hash function properties. Every alternative adds at least one algebraic hardness assumption on top of hash security. Those additional assumptions are exactly the components that fail.

This analysis ranks every NIST-standardized and candidate post-quantum signature scheme by security assumption depth, reviews the pattern of cryptographic scheme failures since 2022, constructs the institutional decision framework for CROs and risk committees, and identifies the only infrastructure capable of deploying SPHINCS+ at institutional throughput. It is written for institutional risk officers, compliance teams, blockchain architects, and investors evaluating post-quantum cryptographic infrastructure.

Why Do Post-Quantum Signature Schemes Keep Getting Broken?

Four post-quantum signature schemes or their underlying primitives have been publicly broken or degraded below claimed security since 2022. Each was designed by expert cryptographers, subjected to multi-year public review, and in two cases advanced deep into national standardization processes. Each failed because its security depended on a computational assumption that turned out to be weaker than believed.

Rainbow (February 2022). Multivariate signature scheme based on structured polynomial systems. NIST Round 3 finalist — one step from federal standardization. Broken by Ward Beullens via a rectangular MinRank attack that exploited the algebraic structure of Rainbow's layered Oil-and-Vinegar construction. A scheme that had been under public scrutiny for approximately ten years was completely broken in a matter of weeks once the right algebraic technique was found.

SIKE/SIDH (July 2022). Isogeny-based key encapsulation mechanism. NIST Round 4 candidate. Broken by Wouter Castryck and Thomas Decru via a torsion point attack that reduced the supersingular isogeny walk problem to polynomial time. The entire SIDH assumption class — believed to be one of the most promising post-quantum foundations — was invalidated overnight after approximately eleven years of study.

AIM v1 (2023). Symmetric-primitive-based signature scheme using the MPC-in-the-Head paradigm. NIST Round 1 candidate for additional digital signatures. Broken below claimed security by multiple independent teams using algebraic equivalent representations. Eliminated from the NIST process after less than one year of public evaluation.

AIM2 v2.1 / Magic Pot (2026). Redesigned specifically to resist the attacks that broke AIM v1. Won the Korean Post-Quantum Cryptography (KpqC) national competition. Broken again by Alex Biryukov, Pablo Garcia Fernandez, and Aleksei Udovenko in a paper accepted at Eurocrypt 2026 — cryptography's top venue. AIM2-I, targeting 128-bit security, was broken to approximately 103.66 bits in the standard single-key setting. Practical key recovery was demonstrated on a laptop in 33 hours using only 11 reused initialization vectors. A nationally standardized scheme, redesigned to resist known attacks, broken again within two years of its redesign.

The common thread across all four failures is structural: every broken scheme relied on security assumptions tied to algebraic structure — structured multivariate polynomials (Rainbow), supersingular isogeny graphs (SIKE), monomial S-box systems in a parallel architecture (AIM/AIM2). Schemes that rely only on hash function properties — the simplest, most studied primitive class in cryptography — have never been broken in over 45 years of sustained cryptanalysis, tracing back to Ralph Merkle's original hash-based signature construction in 1979. SPHINCS+ belongs to this category. None of the broken schemes do.

Table 1: Post-Quantum Cryptographic Scheme Failures Since 2022

| Year | Scheme | Stage When Broken | Assumption | Attack | Studied |
|---|---|---|---|---|---|
| 2022 | Rainbow | NIST Round 3 Finalist | Multivariate (structured) | Beullens rectangular MinRank | ~10 y |
| 2022 | SIKE/SIDH | NIST Round 4 Candidate | Isogeny | Castryck-Decru torsion point | ~11 y |
| 2023 | AIM v1 | NIST Round 1 Candidate | Symmetric (MPCitH) | Liu-Mahzoun-Oygarden-Meier | <1 y |
| 2026 | AIM2 v2.1 | KpqC National Winner | Symmetric (MPCitH) | Biryukov et al. (Magic Pot, Eurocrypt 2026) | ~2 y |

[Chart: Scheme Survival, years from proposal/standardization to break. SIKE/SIDH ~11 years; Rainbow ~10 years; AIM2 v2.1 ~2 years; AIM v1 <1 year; SPHINCS+ 45+ years, no break.]

Hash-based signature foundations (Merkle 1979, SPHINCS 2015, SPHINCS+ / FIPS 205): 45+ years of cryptanalysis, zero successful attacks.

How Do All NIST Post-Quantum Signature Schemes Compare on Security in 2026?

NIST's post-quantum signature portfolio now spans three standardized schemes and nine Round 3 candidates announced on May 14, 2026 (per NIST IR 8610). The critical distinction among them is not performance, signature size, or implementation maturity. It is assumption depth: how many independent computational conjectures must hold for the scheme to remain secure over the asset's lifetime.

NIST-Standardized Schemes

ML-DSA (FIPS 204, Dilithium). Lattice-based. Security reduces to hash function security AND Module-LWE/Module-SIS hardness. Module-LWE has approximately 25 years of cryptanalytic study, tracing to Ajtai (1996) and Regev (2005). No polynomial-time quantum attack is known. But lattice cryptanalysis is an active field with incremental improvements, and the structured algebraic ring underlying ML-DSA's efficiency is the same category of structural assumption that has failed in other families. NTRU, a related lattice construction dating to 1996, has had its original security parameters weakened multiple times. ML-DSA is a defensible general-purpose choice, but it carries algebraic-structure risk that SPHINCS+ does not. Notably, Ethereum's PQ team has chosen to go hash-based rather than lattice-based for its consensus layer. Solana, by contrast, selected Falcon (lattice-based). Assumption depth: 2.

"Hash-based cryptography is believed to stand the test of time and is by far the most conservative and minimal assumption. If you're going to go with the hash-based SNARKs, you might as well also go with the hash-based leaf signatures." — Justin Drake, Ethereum Foundation, on Ethereum's post-quantum direction

FN-DSA (Falcon, standardization underway). Also lattice-based, using NTRU structure. Carries the same Module-LWE/NTRU hardness assumptions as ML-DSA plus additional implementation complexity from its use of floating-point arithmetic during signing, which creates side-channel attack surface. Compact signatures (approximately 690 bytes at Level I), but the assumption stack is no shallower than ML-DSA. Assumption depth: 2.

SLH-DSA (SPHINCS+, FIPS 205). Hash-based. Security reduces to hash function security only: second-preimage resistance, pseudorandom function behavior, and target subset resilience of SHA-256 or SHAKE256. No algebraic structure. No lattice. No polynomial system. No isogeny. The construction — Merkle trees of WOTS+ chains with FORS few-time signatures — traces to Merkle's 1979 work and has been studied in various forms for over 45 years. Proven secure in the quantum random oracle model (QROM) with tight reductions. Assumption depth: 1.
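To make the construction just described concrete, here is an added Python example, written for this page rather than taken from SPHINCS+ or FIPS 205: Winternitz one-time signatures whose chains are nothing but iterated SHA-256, placed under a Merkle tree whose root is the public key. Every step of key generation, signing and verification is a hash call, which is what "assumption depth 1" means in practice. The example keeps the stateful Merkle form (each leaf signs once); SPHINCS+ replaces that state with a hypertree and FORS few-time signatures, which this code does not implement. The parameters N, W, L1, L2 and all helper names are this example's own choices.

```python
import hashlib
import os

# Added teaching example: a stateful hash-based signature built from Winternitz
# one-time signatures (WOTS) under a Merkle tree. Constructed for this page;
# it is not SPHINCS+ / FIPS 205 code, which adds a hypertree and FORS to
# remove the per-leaf state kept here.
N = 32       # SHA-256 output length in bytes
W = 16       # Winternitz parameter: each chain absorbs one 4-bit digit
L1 = 64      # a 256-bit digest is 64 base-16 digits
L2 = 3       # checksum digits: the checksum is at most 64 * 15 = 960 < 16**3
L = L1 + L2  # chains per one-time key


def H(*parts: bytes) -> bytes:
    """The only primitive the scheme rests on: a hash function."""
    return hashlib.sha256(b"".join(parts)).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Iterate the hash `steps` times (one Winternitz chain segment)."""
    for _ in range(steps):
        x = H(x)
    return x


def digits(msg: bytes) -> list:
    """Base-16 digits of H(msg) plus a checksum. Without the checksum a holder
    of one signature could hash chain elements further and forge any message
    whose digits are all >= the signed ones; the checksum shrinks as digits grow."""
    d = [int(c, 16) for c in H(msg).hex()]
    checksum = sum(W - 1 - di for di in d)
    d += [(checksum >> (4 * (L2 - 1 - i))) & 0xF for i in range(L2)]
    return d


def wots_keygen():
    sk = [os.urandom(N) for _ in range(L)]
    pk = H(*[chain(s, W - 1) for s in sk])  # chain ends, compressed to one hash
    return sk, pk


def wots_sign(sk, msg: bytes):
    return [chain(s, d) for s, d in zip(sk, digits(msg))]


def wots_pk_from_sig(sig, msg: bytes) -> bytes:
    """Complete every chain from the signature element; the result equals
    the public key exactly when the signature is genuine."""
    return H(*[chain(s, W - 1 - d) for s, d in zip(sig, digits(msg))])


class MerkleSigner:
    """2**height one-time keys under a single Merkle root (the public key).
    Stateful: each leaf signs at most once, so the signer tracks next_leaf."""

    def __init__(self, height: int):
        self.keys = [wots_keygen() for _ in range(2 ** height)]
        self.next_leaf = 0
        level = [H(b"leaf", pk) for _, pk in self.keys]
        self.levels = [level]
        while len(level) > 1:
            level = [H(b"node", level[i], level[i + 1])
                     for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; reuse would leak the key")
        idx = self.next_leaf
        self.next_leaf += 1
        sk, _ = self.keys[idx]
        auth, node = [], idx
        for level in self.levels[:-1]:
            auth.append(level[node ^ 1])  # sibling needed to rebuild the path
            node //= 2
        return idx, wots_sign(sk, msg), auth


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    """Rebuild the leaf from the one-time signature, then hash up the
    authentication path and compare with the root."""
    idx, ots_sig, auth = signature
    node = H(b"leaf", wots_pk_from_sig(ots_sig, msg))
    for sibling in auth:
        node = H(b"node", sibling, node) if idx & 1 else H(b"node", node, sibling)
        idx //= 2
    return node == root


def demo():
    signer = MerkleSigner(height=2)
    msg = b"repo trade 42 settled 2026-05-20"  # constructed sample message
    sig = signer.sign(msg)
    return merkle_verify(signer.root, msg, sig), merkle_verify(signer.root, msg + b"!", sig)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running the block signs a constructed message and reports (True, False): the genuine signature verifies against the root and the tampered message does not. Note what a verifier needs: the root, the leaf index, 67 chain elements and two sibling hashes, all of which are hash outputs. There is no trapdoor, no ring, no polynomial system anywhere in the key or the signature, and the signer's only operational obligation is never to use a leaf twice, which is the state that SPHINCS+ is designed to remove.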

"If in the future someone discovers some brilliant new attack, we want to have other algorithms that don't depend on lattices. That is why we selected SPHINCS+." — Dustin Moody, NIST Post-Quantum Cryptography Project Lead

Round 3 Candidates (announced May 14, 2026)

FAEST (AES-based, symmetric). The closest challenger to SPHINCS+ on the assumption axis. Security reduces to AES one-wayness — a symmetric primitive with 25+ years of intensive cryptanalysis — plus the soundness of its VOLEitH (Vector Oblivious Linear Evaluation in the Head) proof system, which has approximately three years of public study. AES itself is as battle-tested as SHA-256. But the proof framework wrapping it is substantially newer and less mature than SPHINCS+'s Merkle-tree construction. The AIM/AIM2 breaks are cautionary: AIM2 used the same MPC-in-the-Head proof paradigm (with a different underlying primitive) and failed. Additionally, FAEST is a Round 3 candidate with no FIPS number and is 2-4 years from potential standardization. For institutions facing CISA's 2027 migration deadline, FAEST is not yet available. Assumption depth: 3.

HAWK (Module-LIP lattice). Based on the Lattice Isomorphism Problem (LIP), a novel hardness assumption with approximately five years of cryptanalytic history. Excellent performance: HAWK-512 signs four times faster than Falcon with 15% smaller signatures and no floating-point arithmetic. But Module-LIP is the youngest security assumption in the entire NIST portfolio. A risk officer who exercises caution about 25-year-old lattice assumptions cannot rationally accept a 5-year-old assumption for assets with multi-decade lifetimes. Assumption depth: 2.

MAYO, UOV, QR-UOV, SNOVA (multivariate family). All derive from the Oil-and-Vinegar framework for solving structured multivariate quadratic (MQ) systems. UOV itself has approximately 27 years of cryptanalytic history and has not been directly broken. But Rainbow, a structured derivative of Oil-and-Vinegar, was catastrophically broken in 2022. MAYO's key compression introduces novel algebraic structure with only three years of study. QR-UOV adds quotient-ring structure with even less scrutiny. SNOVA has already faced published fault-attack vulnerabilities. NIST retained all four multivariate candidates despite recent cryptanalytic attacks affecting several parameter sets, noting that unbroken parameter sets remain available — but this is precisely the pattern that precedes a Rainbow-type event. Assumption depth: 2-3.

MQOM, SDitH (MPC-in-the-Head family). Security composites two layers: an underlying hardness assumption (multivariate quadratic for MQOM, syndrome decoding for SDitH) plus the soundness of the MPCitH proof compilation. Syndrome decoding has approximately 45 years of study and well-characterized quantum resistance. But the composite construction adds proof-system risk. The AIM/AIM2 breaks — which used the same MPC-in-the-Head paradigm with a different primitive — demonstrate that the composite assumption surface is wider than the individual components suggest. Assumption depth: 3.

SQIsign (isogeny-based). The smallest combined signature and public key size of any candidate (approximately 177 + 64 bytes). But security reduces to the hardness of computing endomorphism rings on supersingular elliptic curves — the same broad mathematical family that produced the SIKE/SIDH catastrophe of 2022. SQIsign's specific construction differs from SIDH, but the Castryck-Decru break demonstrated that isogeny-class assumptions can fail suddenly and completely after years of sustained study. Verification is computationally expensive, and timing side-channel resistance remains an open problem. Assumption depth: 3+.

Five additional schemes were eliminated between Round 2 and Round 3: CROSS and LESS (code-based), Mirath (MinRank-based, a merger of MIRA and MiRitH), PERK, and RYDE. Their elimination further narrows the non-lattice signature pipeline and reinforces the attrition pattern: 50 submissions entered in 2023, 40 were accepted, 14 survived Round 1, and only 9 survived Round 2. The survival rate for computational assumptions under sustained public review is 22.5%.

Can a Future NIST Round Change This Conclusion?

No. SPHINCS+ already occupies the theoretical minimum for assumption depth in digital signature design. Hash function security is the irreducible foundation of all digital signature schemes, including classical ones. Any new scheme either matches SPHINCS+ on assumptions (producing a redundant hash-based standard) or introduces additional assumptions (making it strictly weaker on the risk officer's decision axis). FAEST is the only pipeline candidate that approaches SPHINCS+ on assumption conservatism, trading hash-based security for AES-based security. If FAEST achieves FIPS standardization in 2028-2030, it would become a credible complement to SPHINCS+, but not a replacement, because its proof framework is less mature than SPHINCS+'s 45-year Merkle-tree foundation. The security ranking cannot change. Hash-only will always be the minimal assumption surface.

Table 2: Post-Quantum Signature Scheme Security Comparison (2026)

| Scheme | NIST Status | Assumption Class | Security Reduces To | Depth | Cryptanalytic History | Broken Precedent in Family |
|---|---|---|---|---|---|---|
| SLH-DSA (SPHINCS+) | FIPS 205 (Final) | Hash-based | Hash function security only | 1 | 45 years (Merkle 1979) | None |
| ML-DSA (Dilithium) | FIPS 204 (Final) | Structured lattice | Hash + Module-LWE/SIS | 2 | 25 years (lattice) | NTRU params weakened |
| FN-DSA (Falcon) | Standardization in progress | Structured lattice (NTRU) | Hash + NTRU + short vector | 2 | 25 years (NTRU 1996) | NTRU params weakened |
| FAEST | Round 3 Candidate | Symmetric (AES) | Hash + AES OWF + VOLEitH | 3 | AES: 25 yr, VOLEitH: 3 yr | AIM/AIM2 (same paradigm) |
| HAWK | Round 3 Candidate | Novel lattice (LIP) | Hash + Module-LIP | 2 | 5 years | None (too new) |
| MAYO | Round 3 Candidate | Multivariate (MQ) | Hash + structured MQ | 2 | UOV: 27 yr, MAYO: 3 yr | Rainbow (2022) |
| UOV | Round 3 Candidate | Multivariate (MQ) | Hash + MQ + Oil subspace | 2 | 27 years | Rainbow (2022) |
| MQOM | Round 3 Candidate | MPCitH (MQ) | Hash + MQ + MPCitH | 3 | MQ: 25 yr, MPCitH: 18 yr | AIM/AIM2 (same paradigm) |
| SDitH | Round 3 Candidate | MPCitH (code) | Hash + Syndrome Decoding + MPCitH | 3 | SD: 45 yr, MPCitH: 18 yr | AIM/AIM2 (same paradigm) |
| SNOVA | Round 3 Candidate | Multivariate (structured) | Hash + structured MQ + ring | 3 | 3 years | Rainbow; fault attacks (2025) |
| QR-UOV | Round 3 Candidate | Multivariate (structured) | Hash + MQ + quotient ring | 3 | 3 years | Rainbow (2022) |
| SQIsign | Round 3 Candidate | Isogeny | Hash + endomorphism ring | 3+ | 10 years | SIKE/SIDH (2022) |

[Figure: Assumption Stack, each layer is a point of failure. SILMARILS: no computational assumption (information-theoretic). SPHINCS+: hash function. ML-DSA: hash + lattice (M-LWE). FN-DSA: hash + lattice (NTRU). HAWK: hash + lattice (LIP, 5 yr). MAYO: hash + multivariate (MQ). FAEST: hash + AES OWF + VOLEitH proof. SDitH: hash + syndrome decoding + MPCitH proof. SQIsign: hash + isogeny + endomorphism ring + heuristic estimate. Legend: information-theoretic; hash/symmetric; lattice/code; multivariate; isogeny; proof system.]

Why Should Institutions Choose SPHINCS+ Over Dilithium or Falcon?

Asset lifetime versus assumption lifetime

The assets on institutional tokenization platforms are not ephemeral. BlackRock's BUIDL holds US Treasuries with maturities extending decades. Broadridge's DLR settles over a trillion dollars per month in repo with counterparty obligations spanning years. Canton Network's multi-institution workflows produce settlement records that must remain verifiable for the life of the underlying asset. Franklin Templeton's BENJI operates a tokenized fund with indefinite duration. JPMorgan Kinexys processes cross-border payments where settlement finality is permanent and irrevocable.

The signature scheme protecting these assets must outlive the longest-dated instrument on the platform. If the scheme's underlying assumption is broken in year 15 of a 30-year bond, every signature issued under that scheme is retroactively invalidated. There is no post-hoc remediation for on-chain provenance. The original signature is the provenance record, and it cannot be re-signed after the fact.

This means the risk officer is not selecting for today's security margin. The risk officer is selecting for the probability of assumption survival over 20, 30, or 50 years. On that dimension, the ranking is clear: hash functions (45+ years, no break) versus structured lattices (25 years, parameter erosions) versus multivariate systems (27 years for UOV, but Rainbow broken) versus isogenies (11 years, then catastrophic failure). SPHINCS+ inherits the entire track record of hash-based cryptography. No other post-quantum scheme comes close.

Correlated risk versus idiosyncratic risk

If an institution deploys ML-DSA and a lattice breakthrough occurs in 2035, that institution is uniquely exposed. Its tokenized assets have invalid provenance. Its counterparties and competitors who chose SPHINCS+ are unaffected. The institution faces counterparty litigation, regulatory scrutiny, and the question every plaintiff's attorney will ask: why did you choose a scheme with additional algebraic assumptions when a hash-only alternative was available as a published FIPS standard?

If the same institution deploys SPHINCS+ and SPHINCS+ is broken, it means SHA-256 or SHAKE256 is broken. That simultaneously invalidates TLS, Bitcoin, every certificate authority, every digital signature in the global financial system. The institution's choice was not the proximate cause. This is correlated risk versus idiosyncratic risk — a distinction every risk officer understands intuitively. Correlated failures are systemic events. Idiosyncratic failures are attributable decisions. SPHINCS+ is the only post-quantum signature scheme where scheme failure implies universal infrastructure failure, making the institution's selection non-attributable.

Regulatory readiness

FIPS 205 (SLH-DSA / SPHINCS+) is published and in force. CISA's federal post-quantum migration deadline targets 2027. NSA's CNSA 2.0 mandates post-quantum migration for national security systems by 2033. The EU Cyber Resilience Act requires demonstrable quantum resistance for critical infrastructure. Financial regulators including the SEC, FINRA, OCC, MAS, and ADGM are incorporating post-quantum readiness into supervisory expectations.

"We encourage system administrators to start integrating them into their systems immediately, because full integration will take time." — Dustin Moody, NIST, on the release of FIPS 203, 204, and 205 (August 2024)

SPHINCS+ satisfies every current and anticipated regulatory requirement today. No Round 3 candidate will receive a FIPS number before 2028-2029 at the earliest. An institution that deploys a non-standardized scheme must justify to auditors and regulators why it selected an unstandardized algorithm when a published FIPS standard was available. For regulated financial institutions — including FINRA member firms such as Securitize, Fidelity, JPMorgan Securities, and DTCC — the signature scheme underlying tokenized securities settlement will be subject to supervisory examination. FIPS 205 is the examination-proof answer.

Portfolio risk for investors

For venture capital firms and institutional investors in blockchain infrastructure, the post-quantum signature choice of a portfolio company is a material risk factor. A Layer 1 chain built on ML-DSA or Falcon carries lattice-assumption risk that could render its entire signature history invalid in a single cryptanalytic event. Investor due diligence should include three questions: which post-quantum scheme does the chain use, what is its assumption depth, and can the chain deploy SPHINCS+ without catastrophic throughput loss? If the answer to the third question is no — and for most incumbent chains it is, given 84-90% TPS loss under SPHINCS+ integration — the chain carries both cryptographic risk and migration risk simultaneously.

SPHINCS+ is the only post-quantum signature scheme that meets institutional security requirements for multi-decade assets: minimal assumptions, 45+ years of cryptanalytic foundation, published FIPS standard, and regulatory readiness across all major jurisdictions. The security question is settled. But security without deployability is academic. Existing chains lose 84–90% throughput under SPHINCS+ integration. The question every institution should now be asking: which infrastructure can deliver SPHINCS+ security at market speed?

Can Any Infrastructure Actually Deploy SPHINCS+ at Institutional Speed?

SPHINCS+ signatures range from 7,856 bytes (SPHINCS+-128s) to 49,856 bytes (SPHINCS+-256f). For on-chain applications — stablecoin settlement, RWA tokenization, derivatives clearing, cross-border payments — every transaction carries at least one signature. When existing Layer 1 chains integrate SPHINCS+-grade post-quantum signatures, throughput collapses. Live testnet data and modelled projections confirm the losses: Solana loses approximately 90% of its TPS (confirmed on a live testnet by Project Eleven and the Solana Foundation, April 2026). Ethereum models at approximately 84% throughput loss. Canton Network drops to sub-1 TPS (approximately 88% loss). Stellar loses approximately 90%. These are not acceptable performance envelopes for institutional settlement infrastructure operating at market speed.

This throughput penalty explains why no major institutional chain has deployed SPHINCS+ in production despite it being the clearly correct security choice since FIPS 205 was published. Ethereum has identified hash-based signatures as the right direction but cannot deliver until 2029 and adds SNARK aggregation assumptions. Solana chose Falcon (lattice-based), prioritizing compact signatures over security conservatism. Canton, Stellar, Bitcoin, and Hyperliquid have no PQ roadmap at all. Institutions are trapped: the scheme they should use (SPHINCS+) is not deployable on any chain they currently operate on. "Migrate later" is itself a risk position: every day of delay extends the harvest-now-decrypt-later exposure window for on-chain assets. As Alex Pruden, CEO of Project Eleven, stated in April 2026: "This is a tomorrow problem — until it is today's problem. And then it takes four years to fix."

EternaX is post-quantum market infrastructure purpose-built to eliminate this tradeoff. The performance targets: 50,000-200,000 TPS for post-quantum market infrastructure workloads. 20-50ms soft finality for fast institutional execution. 400-520ms hard-finality settlement for final execution assurance. The TPS loss under full post-quantum signature integration is approximately 2% — compared to 84-90% for every incumbent chain. This is not incremental improvement. It is a categorical difference. EternaX is the only infrastructure where SPHINCS+-grade security does not come at the cost of market-speed execution.

[Chart: TPS loss under PQ signature integration. Solana -90%; Ethereum -84%; Canton -88%; EternaX -2%.]

The architectural innovation that makes this possible is a proprietary signature design built on SPHINCS+ (NIST FIPS 205) for full post-quantum security, combined with SILMARILS (arXiv:2605.03230, Khodaiemehr, Bagheri, Feng, Porechna) for compact on-chain settlement records at 160 bytes. SILMARILS is EternaX's novel post-quantum authentication scheme, providing information-theoretic security with a forgery probability of approximately 1/2^255 — a mathematical guarantee that holds unconditionally, with no computational assumptions whatsoever. No hash function dependency. No algebraic structure to attack. The security guarantee is a theorem, not a conjecture. The net result: SPHINCS+-grade security with an on-chain footprint 49 times smaller than standalone SPHINCS+, preserving market-speed throughput.

The result: SPHINCS+ security at the speed operations teams need — 50,000-200,000 TPS target, 20-50ms soft finality, 400-520ms hard-finality settlement — with settlement state that survives any future computational breakthrough, including breakthroughs against hash functions themselves. No pairings, no BLS, no Groth16, no PLONK-KZG. Hash-only cryptography plus information-theoretic authentication. The minimal assumption surface, deployed at market speed.
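The page does not describe how SILMARILS is constructed, so the following is not EternaX code. It is an added, textbook illustration of the kind of guarantee the paragraphs above invoke: a Carter-Wegman one-time polynomial MAC over the prime field Z_p with p = 2^255 - 19, whose forgery probability is bounded by (number of blocks)/p against every adversary, with no computational assumption at all. The block size, the length-block encoding and all function names are this example's own assumptions. It also shows the one operational condition such a bound depends on: the key is strictly single-use.

```python
import secrets

# Added teaching example: a Carter-Wegman one-time polynomial MAC over the
# prime field Z_p, p = 2**255 - 19. Constructed for this page to show what an
# information-theoretic forgery bound means; it is NOT SILMARILS or EternaX code.
P = 2**255 - 19
BLOCK = 31  # 31-byte blocks are < 2**248 < p, so every block is a field element


def to_blocks(msg: bytes) -> list:
    """Split msg into field elements and append the byte length, so messages
    that differ only in trailing zero bytes encode to different block lists."""
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]
    blocks.append(len(msg))
    return blocks


def keygen() -> tuple:
    """Uniform (a, b) in Z_p. The key authenticates exactly one message."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(key: tuple, msg: bytes) -> int:
    """t = b + sum_i m_i * a**(i+1) mod p, evaluated by Horner's rule.
    For any adversary, however much computation it has, the probability that
    a chosen tag on a different message verifies is at most (#blocks)/p.
    That is a theorem about polynomials over a field, not a hardness conjecture."""
    a, b = key
    t = 0
    for m in reversed(to_blocks(msg)):
        t = (t + m) * a % P
    return (t + b) % P


def verify(key: tuple, msg: bytes, t: int) -> bool:
    return tag(key, msg) == t


def forgery_bound(msg: bytes) -> float:
    """Upper bound on the adversary's forgery probability for a message of this length."""
    return len(to_blocks(msg)) / P


def recover_key_from_reuse(msg1: bytes, t1: int, msg2: bytes, t2: int) -> tuple:
    """Why 'one-time' is not optional: two distinct single-block messages of
    equal length tagged under the same key reveal (a, b) by elementary algebra
    (t1 - t2 = (m1 - m2) * a). Kept here so the failure mode is concrete; the
    defence is a fresh key per message, which is what the bound assumes."""
    (m1, n), (m2, n2) = to_blocks(msg1), to_blocks(msg2)
    assert n == n2 and m1 != m2 and len(msg1) <= BLOCK
    a = (t1 - t2) * pow(m1 - m2, -1, P) % P
    b = (t1 - m1 * a - n * a * a) % P
    return a, b


def demo():
    key = keygen()
    msg = b"settlement record #1"  # constructed sample
    t = tag(key, msg)
    genuine = verify(key, msg, t)
    forged = verify(key, b"settlement record #2", t)   # same tag, other message
    t2 = tag(key, b"settlement record #2")             # the mistake: key reuse
    leaked = recover_key_from_reuse(msg, t, b"settlement record #2", t2) == key
    return genuine, forged, leaked


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

demo() returns (True, False, True): the genuine tag verifies, the same tag does not verify on another message, and tagging a second message under the same key lets recover_key_from_reuse() solve for (a, b). The unconditional bound therefore buys exactly one authenticated message per key; in any deployed information-theoretic scheme the engineering question a reviewer should ask is how key freshness is guaranteed, because that is where the risk moves once the mathematics is settled.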

Post-quantum security alone is necessary but not sufficient for institutional settlement. Canton Network proved Goldman Sachs, BNY Mellon, and Broadridge will not settle institutional value on transparent rails. MiFID II, MAR, and GDPR make public-by-default chains structurally non-compliant for regulated finance. DTCC called collateral mobility the institutional "killer app." Aave Horizon proved that idle tokenized RWAs without programmable collateral reuse are a capital efficiency failure. Institutions need three capabilities simultaneously: privacy that is quantum-durable (not privacy that expires when classical keys break), DeFi composability for programmable collateral substitution and atomic DvP, and post-quantum security from genesis. No existing chain delivers all three. EternaX is EVM-compatible — existing Solidity DeFi protocols deploy with minimal modifications and automatically inherit PQ security and institutional-grade auditable privacy with tiered selective disclosure, per-transaction unlinkability, and zero ZK overhead. It is the only infrastructure where institutional privacy, DeFi composability, and post-quantum security are native from block zero.

Where Every Major Chain Stands Today

Institutions do not choose signature schemes in a vacuum. They inherit the PQ posture of the chain they deploy on. The following table maps the current or announced PQ signature selection of every major institutional chain, the assumption risk that selection carries, and the throughput cost of migration. For any institution running tokenized assets on these rails, this is the risk they are carrying today.

Table 3: Institutional Chain PQ Scheme Selection and Risk Exposure (May 2026)

| Chain | Current | PQ Selected | Depth | TPS With PQ | Programmes at Risk | Institutional Consequence |
|---|---|---|---|---|---|---|
| Ethereum | ECDSA + BLS + KZG | Hash-based sigs + SNARK aggregation (Drake et al., ePrint 2025/055); leanVM; targets 2029 | 1 + SNARK | ~4.1 TPS (-84%) | BlackRock BUIDL ($2.85B), JPMorgan MONY, Fidelity FIDD/FYOXX, DTCC | Right security direction (hash-based), but 3+ years away. SNARK aggregation layer adds Poseidon + proof-system assumptions on top of leaf sigs. Three PQ-vulnerable primitives today (ECDSA, BLS, KZG) need independent migration. L2s, contracts, admin keys not covered. 84% TPS loss unsolved. Every asset issued now through 2029 accumulates irremediable migration debt. |
| Solana | Ed25519 | Falcon (FN-DSA); phased roadmap | 2 | ~85 TPS (-90%) | Visa ($3.5B stablecoin), PayPal PYUSD | Wrong security choice. Falcon = NTRU-lattice assumptions (depth 2). Selected for compact signatures, not for security. Lattice break invalidates every Visa settlement and PYUSD tx retroactively. 100% of addresses quantum-vulnerable today. 90% TPS loss confirmed live (Project Eleven, Apr 2026): commercially non-viable under PQ. Ethereum chose hash-based. Solana chose lattice. Attributable scheme-selection risk. |
| Canton | Ed25519 / ECDSA / P-256 | None. No PQ roadmap. | N/A | ~0.84 TPS (-88%) | Goldman Sachs, BNY Mellon, Broadridge ($1T+/mo repo) | Zero PQ plan. Canton's entire value proposition is privacy. That privacy expires on Q-day: Ed25519 breaks, retroactively exposing every historical repo settlement and counterparty relationship to HNDL adversaries. Sub-1 TPS under any PQ migration makes settlement operationally impossible. Goldman, BNY, Broadridge face simultaneous privacy breach + signature invalidation. |
| Stellar | Ed25519 | None. No PQ roadmap. | N/A | ~13.9 TPS (-90%) | Franklin Templeton BENJI ($400M+), WisdomTree | Zero PQ plan. Zero migration timeline. Ed25519 fully quantum-vulnerable. BENJI's entire tokenized money market fund faces complete signature invalidation with no fallback. 90% TPS loss makes chain non-viable under any PQ migration. |
| Bitcoin | secp256k1 | None. No formal roadmap. | N/A | Not modelled | BlackRock IBIT, Fidelity FBTC, all BTC ETFs | Zero PQ plan. ~30% of supply in quantum-vulnerable addresses. Decentralized governance makes protocol change a 10-15 year coordination event. secp256k1 break = custodial wallets directly attackable. ETF custodians carry custody-level quantum exposure with no disclosed mitigation. |
| Hyperliquid | secp256k1 | None. No PQ roadmap. | N/A | Not survivable | S&P Global partnership, institutional perps | Zero PQ plan. Zero migration path. S&P Global perpetuals partnership places institutional index products on rails with zero quantum resistance. Validator signatures forgeable under quantum attack. Total infrastructure risk, no mitigation timeline. |
| Algorand | Ed25519 + Falcon (State Proofs) | Falcon for State Proofs only (Sep 2022) | 2 (partial) | Not tested | Lofty (RWA), Folks Finance | Partial PQ: cross-chain State Proofs use Falcon (lattice risk), but user accounts, consensus, and on-chain tx remain Ed25519 (fully quantum-vulnerable). Split exposure. Lattice assumption on the protected layer. |
| EternaX | SPHINCS+ + SILMARILS | SPHINCS+ (FIPS 205) from genesis; SILMARILS 160 B info-theoretic | 1 / 0 | 50K-200K TPS (-2%) | PQ-native issuance; zero migration debt | Hash-only + information-theoretic. No lattice. No SNARK aggregation layer. EVM-compatible: Solidity DeFi deploys with PQ + auditable privacy inherited automatically. Quantum-durable privacy with tiered selective disclosure. DeFi composability for programmable collateral and atomic DvP. Available now, not 2029. The only chain delivering all three (privacy, composability, PQ security) from genesis. |

The pattern is unambiguous. Ethereum has identified the right security direction (hash-based) but cannot deliver it until 2029, adds SNARK aggregation assumptions, and faces 84% TPS loss. Solana chose lattice (Falcon) over hash-based, prioritizing performance over security conservatism. Canton has institutional privacy but it is not quantum-durable and has no PQ roadmap. Every other major chain has no PQ plan at all. No incumbent chain delivers institutional privacy, DeFi composability, and SPHINCS+-grade post-quantum security simultaneously. EternaX is the only infrastructure where all three are native from genesis, at market speed, without SNARK-layer assumptions, and without throughput collapse.

For stablecoin issuance, RWA tokenization, intraday repo settlement, derivatives clearing, and cross-border payments, EternaX provides the infrastructure layer where the SPHINCS+ security conclusion can actually be operationalized — with the privacy and composability that institutional finance requires. The question is no longer which signature scheme. The question is no longer which infrastructure. The question is: why would any institution issue another dollar of long-duration value onto rails that do not deliver all three?

Frequently Asked Questions About Post-Quantum Signature Selection

What is the safest post-quantum signature scheme?
SPHINCS+ (SLH-DSA, FIPS 205) is the only NIST-standardized post-quantum signature scheme whose security reduces entirely to hash function properties. It carries no algebraic hardness assumptions. Every alternative — ML-DSA (lattice), FN-DSA (lattice), and all nine NIST Round 3 candidates — adds at least one computational conjecture beyond hash security.
Should I use Dilithium or SPHINCS+ for blockchain?
For any application where signature provenance must survive decades — tokenized securities, RWA, settlement records — SPHINCS+ is the defensible choice. ML-DSA (Dilithium) adds a lattice hardness assumption with 25 years of cryptanalytic history. SPHINCS+'s hash foundation has 45+ years with no break. The throughput penalty of SPHINCS+ on existing chains (84-90% TPS loss) is eliminated by EternaX's proprietary architecture, which delivers SPHINCS+ security at 50,000-200,000 TPS with approximately 2% performance loss.
What did NIST select for post-quantum signatures in 2026?
NIST announced nine Round 3 candidates on May 14, 2026 (NIST IR 8610): FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign, and UOV. These are under evaluation for potential future standardization. The already-published standards remain ML-DSA (FIPS 204), FN-DSA (in progress), and SLH-DSA / SPHINCS+ (FIPS 205).
Can quantum computers break SPHINCS+?
SPHINCS+ is designed to be quantum-resistant. Breaking it would require breaking the underlying hash function (SHA-256 or SHAKE256). The best known quantum attack against these hash functions is Grover's algorithm, which provides only a quadratic speedup against preimage search and does not threaten SPHINCS+'s security parameters. No meaningful quantum attack vector against SPHINCS+ exists.
Is Falcon quantum-safe for institutional use?
Falcon (FN-DSA) is quantum-resistant under the assumption that NTRU-lattice problems remain hard for quantum computers. This is a reasonable assumption, but it is an additional assumption beyond hash security. For institutions prioritizing long-term assumption minimality, SPHINCS+ is the more conservative selection.
Why not use ML-DSA as primary and SPHINCS+ as backup?
Because "backup" implies switching after the primary breaks. If ML-DSA breaks, every signature already issued under it is retroactively invalidated. On-chain provenance cannot be re-signed after the fact. The conservative scheme must be deployed from day one, not held in reserve.
Can blockchain infrastructure handle SPHINCS+ signature sizes?
Existing chains cannot without severe throughput loss: Solana loses approximately 90% TPS (confirmed on live testnet, April 2026), Ethereum models at approximately 84% loss, and Canton drops to sub-1 TPS under post-quantum signature integration. EternaX solves this through a proprietary architecture combining SPHINCS+ (FIPS 205) with SILMARILS for 160-byte information-theoretically secure on-chain settlement records. The result is 50,000-200,000 TPS with approximately 2% performance loss.
Which institutions are migrating to post-quantum cryptography?
JPMorgan (Kinexys), BlackRock (BUIDL via Securitize), Franklin Templeton (BENJI), Canton Network (Goldman Sachs, BNY Mellon, Cboe), and Broadridge (DLR) all operate tokenized asset platforms that will require post-quantum signature migration. CISA's 2027 federal deadline and CNSA 2.0's 2033 mandate are the forcing functions. SPHINCS+ (FIPS 205) is the examination-proof answer for regulated financial institutions.
Is there a post-quantum blockchain that supports SPHINCS+ without losing throughput?
EternaX is currently the only Layer 1 infrastructure that integrates SPHINCS+ (FIPS 205) at market speed. While existing chains lose 84-90% throughput under post-quantum signature integration, EternaX achieves 50,000-200,000 TPS with approximately 2% performance loss through a proprietary architecture combining SPHINCS+ with SILMARILS for 160-byte on-chain settlement records.