Crypto’s Quantum Threat Is Looming, But Near is Ready with Ed25519 & ML-DSA

Near One targets a Q2 2026 testnet rollout for NIST-standardized ML-DSA signatures, paving a low-friction path to post-quantum resistance.
NEAR Protocol introduces post-quantum cryptography to protect users from future quantum attacks, allowing account holders to swap signing keys in a single transaction
The move is driven by tightened estimates of quantum computing’s potential to break current cryptography, with experts predicting a 10% chance by 2030 and a 50% chance by 2032
NEAR’s flexible account design enables a low-friction transition to quantum-resistant schemes like ML-DSA, unlike other blockchains that may require contentious hard forks or mass user migrations

Quantum computing has stopped reading as a distant hypothetical on blockchain security roadmaps, and NEAR Protocol has moved earlier than most of its peers. Near One is adding post-quantum cryptography to the network, giving users a practical way to protect their accounts against a future quantum attack, and, distinctively, a way to do it in a single transaction rather than a disruptive overhaul.

The change is narrow in mechanics but wide in implication. It does not promise that quantum computers are coming next year, and it does not rip out the cryptography NEAR runs today. What it does is give every account holder an option to swap their signing key for one designed to survive an attack that does not yet exist — and, in doing so, it spotlights how differently the major blockchains are positioned for a threat they all share.

The clock that suddenly started speeding up

For years, “quantum will break crypto” was the kind of warning that could be safely deferred. That changed over the past several months as the estimates tightened. A Google Quantum AI paper published in March concluded that breaking the elliptic-curve cryptography securing Bitcoin and Ethereum could require roughly 20 times fewer resources than previously believed—fewer than 500,000 physical qubits and in a theoretical attack window measured in minutes rather than years.

The reaction has been a scramble. Ethereum Foundation researcher Justin Drake, a co-author on that paper, now puts the odds of a quantum computer breaking live production cryptography at around 10% by 2030, rising toward a coin flip by 2032. Governments are codifying the same urgency: a recent executive order by President Donald Trump set a 2031 federal post-quantum deadline; the NSA’s CNSA 2.0 suite targets 2030 for national-security systems, and NIST’s transition guidance moves to disallow vulnerable algorithms such as ECDSA entirely by 2035. The industry now has a shorthand for the moment it all points to: “Q-Day,” the day a cryptographically relevant quantum computer can derive a private key from a public one.

The reason preparation can’t wait for that day is a problem called “harvest now, decrypt later.” Blockchains are public ledgers; a determined adversary can record exposed public keys today and simply store them until the hardware to crack them exists. Anything secured by a vulnerable signature now is, in effect, already on a countdown the owner can’t see.

How a quantum computer actually breaks a blockchain

To understand why NEAR is replacing signatures specifically, it helps to separate the two cryptographic jobs a blockchain depends on.

The first is the digital signature, which proves a transaction came from an account’s owner. NEAR and several other chains default to Ed25519, while Bitcoin and Ethereum use ECDSA on the secp256k1 curve. Both rely on the difficulty of certain math problems, and both fall to Shor’s algorithm, which a sufficiently powerful quantum computer could run to reverse-engineer a private key from its public counterpart. This is the catastrophic, account-draining failure mode, and it is the one with no classical defense.

The second job is hashing, used in mining, transaction IDs, and Merkle trees. Hashes face a different quantum tool, Grover’s algorithm, which offers only a quadratic speedup rather than Shor’s exponential one. In practice that merely halves a hash function’s effective security, a gap that can be closed by using larger parameters or, in Bitcoin’s case, absorbed by the mining difficulty adjustment within weeks. That asymmetry is the whole reason the urgent work across the industry centers on signatures, not hashes.

There is one further wrinkle that shapes every chain’s strategy: a public key is only exposed once it appears on-chain, which typically happens the moment funds are spent from an address, or whenever an address is reused. That is why dormant, reused, and legacy address types carry the most acute “harvest now” risk.

NEAR’s built-in advantage

Most blockchains bolt an account directly to a single cryptographic key pair, and that is precisely what makes their eventual migration so daunting. When the underlying math breaks, every address is exposed at once, and remediation requires either a contentious hard fork or a mass user exodus to new address formats—coordination problems that even minor protocol changes have historically struggled to overcome.

NEAR was built differently from inception. Its accounts use human-readable names like alice.near, are not permanently locked to one kind of cryptography, allow users to add or remove multiple access keys, and already support more than one signing method. Key rotation, in other words, is a normal, low-friction operation rather than an emergency procedure.

That design is the crux of this upgrade. NEAR can introduce a quantum-resistant scheme as simply another signing option, and a user adopts it by sending one transaction to rotate their keys—no fund transfers, no new account, no fork imposed on the network, and no change to how smart contracts fundamentally work. The architectural decision that enables this was made years before the threat felt pressing, which is why NEAR can treat the migration as a feature rollout rather than a network-wide rescue.

What ML-DSA is, and why NEAR chose it

NEAR is starting with ML-DSA, the Module-Lattice-Based Digital Signature Algorithm. It is one of three post-quantum standards NIST finalized on August 13, 2024, after an eight-year public competition. The other two are ML-KEM (FIPS-203) for key exchange and SLH-DSA (FIPS-205), a conservative hash-based signature scheme. ML-DSA, standardized as FIPS-204 and formerly known as CRYSTALS-Dilithium, is the designated replacement for ECDSA-style signatures.

Its security rests on lattice cryptography—problems involving high-dimensional grids of points that are believed to be hard for both classical and quantum computers, a fundamentally different mathematical foundation than the elliptic curves quantum machines threaten. ML-DSA comes in three strengths: ML-DSA-44, 65, and 87, corresponding to rising security levels. NEAR is beginning with ML-DSA-44, the smallest and most practical variant, which still clears the bar for quantum resistance while minimizing the scheme’s overhead.

The choice of lattice-based ML-DSA over alternatives reflects a series of engineering trade-offs the whole industry is weighing. Hash-based schemes like SLH-DSA (SPHINCS+) make the most conservative security assumptions but produce very large signatures. Falcon offers smaller signatures but is notoriously tricky to implement safely. More exotic options such as SQIsign yield tiny signatures yet verify thousands of times slower—fast enough to raise denial-of-service concerns at block scale. ML-DSA sits in the pragmatic middle: well-understood, NIST-blessed, and balanced between size and speed.

The size trade-off, in detail

The cost of all this protection is bytes. Post-quantum signatures are dramatically larger than what NEAR uses today:

Signing method            | Public key    | Signature     | Quantum-safe
Ed25519 (current default) | 32 bytes      | 64 bytes      | No
ECDSA (supported)         | ~33–65 bytes  | ~70–72 bytes  | No
ML-DSA-44 (new)           | 1,312 bytes   | 2,420 bytes   | Yes

An ML-DSA-44 signature is roughly 38 times larger than an Ed25519 one, with a public key about 41 times bigger. In a blockchain context, that extra heft is not cosmetic: bigger signatures mean larger transactions, more state for nodes to store, higher fees, and slower verification, all of which compound at network scale. This is exactly the constraint that makes Bitcoin’s path so hard, where every byte competes for scarce block space.

NEAR’s argument is that its sharded, parallelized architecture, which splits the network’s workload across multiple shards to sustain high throughput, is built to absorb that overhead in a way a single-threaded chain cannot. It is a credible claim given the design, but it remains a real trade-off rather than a free lunch, and the live testing is precisely what will show how manageable the impact is in practice.

How the rollout works

The deployment is staged and, crucially, opt-in. ML-DSA is being added at the protocol level as a new signing option alongside the existing ones. Once live, any account holder can switch by sending a single transaction to rotate their access keys to the quantum-safe type, with the first phase covering ordinary user accounts and implicit accounts.

On timing, Near One’s Chief Technology Officer, Anton Astafiev, has confirmed a testnet target of end of Q2 2026 (late June or early July), with mainnet to follow only after security audits and community coordination. No mainnet date has been set, a sequencing that reflects standard caution for cryptography that will guard real funds.

The practical dependencies live at the edges of the system. Wallet providers will need to add support for the new signatures, and the team says it is already engaging hardware-wallet makers such as Ledger. Most decentralized applications will be unaffected, though any code that touches raw signatures or key management should be reviewed when the feature ships. For everyday users, going quantum-safe is meant to be close to a one-click action in a supported wallet — no new account, no moving funds.
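The single-transaction rotation described above (add the quantum-safe key, retire the old one, authorized by the outgoing key) and the byte overhead from the size table can be made concrete with a small model. The following Go program is an added example, not code from NEAR or Near One: it uses the standard library’s real Ed25519 to sign and verify the rotation, but Go has no ML-DSA implementation, so the new ML-DSA-44 key is placeholder random bytes of the correct 1,312-byte length. The account, transaction and encoding layouts are simplified assumptions rather than NEAR’s wire format; only the byte sizes come from the article. The QuantumSafe check also illustrates the point made later on the page that an account whose owner never rotates stays exposed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyType enumerates the two signing schemes this model cares about.
type KeyType int

const (
	Ed25519 KeyType = iota // 32-byte key, 64-byte signature, not quantum-safe
	MLDSA44                // 1,312-byte key, 2,420-byte signature, quantum-safe
)

// Sizes are the figures from the article's table (ML-DSA-44 per FIPS 204).
var pubKeyLen = map[KeyType]int{Ed25519: 32, MLDSA44: 1312}
var sigLen = map[KeyType]int{Ed25519: 64, MLDSA44: 2420}
var quantumSafe = map[KeyType]bool{Ed25519: false, MLDSA44: true}

// AccessKey is a simplified model of a NEAR full-access key (assumption: real
// access keys also carry permissions and a nonce, omitted here).
type AccessKey struct {
	Type KeyType
	Pub  []byte
}

// Account holds a named account's access keys, indexed by public key bytes.
type Account struct {
	ID   string
	Keys map[string]AccessKey
}

// RotationTx models "one transaction": add the new key and delete the old one,
// authorized by an Ed25519 signature from the key being retired. Assumed layout.
type RotationTx struct {
	AccountID string
	AddKey    AccessKey
	DeleteKey []byte // public key bytes of the key being retired
	SignedBy  []byte // Ed25519 public key that authorizes this transaction
	Signature []byte
}

// payload is a constructed canonical encoding binding account, new key and old key.
func (tx *RotationTx) payload() []byte {
	b := []byte(tx.AccountID)
	b = append(b, byte(tx.AddKey.Type))
	b = append(b, tx.AddKey.Pub...)
	return append(b, tx.DeleteKey...)
}

// SizeBytes counts the key and signature bytes the rotation carries on-chain.
func (tx *RotationTx) SizeBytes() int {
	return pubKeyLen[tx.AddKey.Type] + len(tx.SignedBy) + len(tx.Signature)
}

// QuantumSafe reports whether the account holds at least one quantum-safe key;
// an account that never rotates stays exposed to "harvest now, decrypt later".
func (a *Account) QuantumSafe() bool {
	for _, k := range a.Keys {
		if quantumSafe[k.Type] {
			return true
		}
	}
	return false
}

// ApplyRotation verifies that a registered Ed25519 key signed the transaction,
// validates the new key's length, then adds and deletes atomically (all or nothing).
func (a *Account) ApplyRotation(tx *RotationTx) error {
	if tx.AccountID != a.ID {
		return errors.New("account id mismatch")
	}
	signer, ok := a.Keys[string(tx.SignedBy)]
	if !ok || signer.Type != Ed25519 {
		return errors.New("transaction not signed by a registered Ed25519 key")
	}
	if !ed25519.Verify(ed25519.PublicKey(signer.Pub), tx.payload(), tx.Signature) {
		return errors.New("bad signature")
	}
	if len(tx.AddKey.Pub) != pubKeyLen[tx.AddKey.Type] {
		return errors.New("new key has wrong length for its type")
	}
	if _, ok := a.Keys[string(tx.DeleteKey)]; !ok {
		return errors.New("key to delete not found")
	}
	a.Keys[string(tx.AddKey.Pub)] = tx.AddKey
	delete(a.Keys, string(tx.DeleteKey))
	return nil
}

// Rotate runs the constructed scenario: alice.near holds one Ed25519 key and
// swaps it for an ML-DSA-44 key (placeholder random bytes of the right length).
func Rotate() (*Account, *RotationTx, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	acct := &Account{ID: "alice.near", Keys: map[string]AccessKey{string(pub): {Type: Ed25519, Pub: pub}}}
	newPub := make([]byte, pubKeyLen[MLDSA44])
	rand.Read(newPub) // placeholder ML-DSA-44 public key; not a real lattice key
	tx := &RotationTx{AccountID: acct.ID, AddKey: AccessKey{Type: MLDSA44, Pub: newPub}, DeleteKey: pub, SignedBy: pub}
	tx.Signature = ed25519.Sign(priv, tx.payload())
	if err := acct.ApplyRotation(tx); err != nil {
		return nil, nil, err
	}
	return acct, tx, nil
}

func main() {
	acct, tx, err := Rotate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s quantum-safe: %v, keys: %d, rotation bytes (new key + old key + sig): %d\n",
		acct.ID, acct.QuantumSafe(), len(acct.Keys), tx.SizeBytes())
}
```

The rotation transaction itself is still authorized by the old Ed25519 key, which is why the page stresses acting before Q-Day: once that key can be derived from its exposed public key, an attacker could submit the rotation instead of the owner. A later signature by the new key would cost sigLen[MLDSA44] bytes (2,420) rather than 64, the overhead the size section describes.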

Beyond signatures: The harder problems left

Near One has been explicit that ML-DSA is “the first of many” steps, and the roadmap beyond it is where the more interesting work sits.

One frontier is cross-chain. NEAR is researching how to make its Chain Signatures—the mechanism behind its intents system, which it is extending to more than 35 external networks—quantum-safe as well. If that succeeds while rival ecosystems lag, NEAR could position itself as a quantum-safe signing layer for users across other chains, turning a defensive upgrade into a competitive surface.

A second frontier is structural: making consensus and validator operations quantum-resistant over time, not just user signing. And the thorniest problem of all is recovery—proving rightful ownership of an account when its older key may already be compromised, a question that bigger signatures alone cannot answer and every chain confronting “harvest now, decrypt later” will eventually have to solve.

How NEAR compares to the rest of the field

NEAR’s smoother path stands out only against the backdrop of how varied, and in places unresolved, the broader response is.

Ethereum has the most developed strategy among the large networks, leaning on account abstraction and EIP-7702 so accounts can upgrade without a network-wide fork. Co-founder Vitalik Buterin has sketched a multi-stage plan that pairs post-quantum signatures with a public-key registry to limit harvest-now exposure, and researchers recently demonstrated a way to verify a post-quantum signature on-chain for roughly 7 cents. Even so, no version of Ethereum’s migration has reached a testnet rollout, and it carries no public deadline.

Ripple has committed to a four-phase quantum-safe XRP Ledger by 2028, one of the few firm timelines in the industry, and TRON’s Justin Sun has pledged a roadmap of his own. Bitcoin faces the hardest road of all: its BIP-360 proposal, which introduces a quantum-resistant address type using NIST algorithms, was merged into the repository in February, and a companion BIP-361 has floated migrating—and potentially freezing—the roughly 6.5 to 6.9 million BTC sitting in vulnerable addresses, including an estimated 1.7 million coins believed to belong to Satoshi Nakamoto. Both remain drafts with no activation path, and the idea of freezing unmigrated funds is deeply contentious.

Notably, two chains often cited as quantum-ready are less protected than they appear. Solana introduced a Winternitz Vault in late 2025, but it is an optional add-on for cautious users rather than a protocol-level retrofit; the network still relies on Ed25519 and SHA-256 by default. Algorand integrated the FALCON scheme into its state proofs years ago, but that secures blockchain history and cross-chain attestations — not user account signing. Against that field, NEAR’s offer of a one-transaction, network-wide user migration is genuinely early, even if it is not unique in spirit.

The skeptics, and the open debate

Not everyone shares the alarm. Binance co-founder Changpeng Zhao has argued that quantum computing is not an existential threat to crypto, reasoning that cryptography evolves alongside computing power—while cautioning that the upgrades themselves carry real risk of forks, bugs, and stranded funds for users who never migrate. The timeline estimates remain genuinely uncertain, and some of the loudest warnings come from researchers with ecosystem allegiances, which has drawn accusations of motivated framing in the Bitcoin community.

Those critiques land on a real limitation of NEAR’s design too. An opt-in scheme only protects the users who choose to use it; dormant accounts whose owners never rotate their keys remain exposed regardless of how elegant the mechanism is. The convenience of one-transaction migration solves the technical friction, not the human one of getting people to act before there is visible danger.

The bottom line

For most people using NEAR today, none of this will feel like an event. It will land as a quiet background improvement — an extra signing option most never think about, behind a wallet button most never press.

But the move reframes a question the entire industry is now being forced to answer on a compressing schedule. The quantum era may still be years away, and reasonable people dispute how many. The migration problem, however, is a present-tense one—easiest and cheapest to solve while it is still theoretical. 

NEAR’s wager is that the networks treating it that way now will look far better prepared than the ones still debating governance when Q-Day stops being a hypothetical.
