Chains

MAIN CHAINS

BNB Smart Chain

Fast. Affordable. EVM-Compatible

opBNB

Built with the OP Stack

BNB Greenfield

Decentralized data storage & economy

BNB Beacon Chain

Sunset Complete

BNB ecosystem’s staking & governance layer

SHAPE THE CHAIN

Staking

Earn rewards by securing the network

Governance

Submit proposals & participate in on-chain governance

Documentation Faucet BscScan BSCTrace Documentation Faucet Bridge opBNBScan Documentation Faucet Bridge GreenfieldScan DCellar Learn more about Fusion Token Recovery Tool Beacon Chain Explorer Native Staking Liquid Staking

Build

GET STARTED

Wallets

Your gateway to BNB Chain

Examples & Tutorials

Start with example and tutorials

Networks and RPC

A list of BNB Chain related networks

Faucet

Pilot tokens on BNB Smart Chain

ADVANCED

Documentation

Full technical documentation

Tools

Essential tools for builders

EXPLORERS

BscScan

opBNBScan

GreenfieldScan

SOLUTIONS

Institutional Finance

Privacy

AI Agent

Real World Assets Tokenization

Stablecoin

Memecoin

Payment

MEV Protection

BNB Chain Layer 2

Submit dApps

Explore

Release Note

Strategic updates for your advantage

Blog

Follow our blog for the latest updates

Wallets

Securely connect to funds & dApps

Explore dApps

Explore dApps on BNB Chain

Bridge

Cross-chain transfer between networks

Get BNB

Get BNB & explore use cases

Accelerate

Ideation

BNB Hack

Explore online & offline hackathons on BNB Chain

BNB Incubation Alliance (BIA)

Building together to fast-track your Web3 journey

Most Valuable Builder Accelerator Program (MVB)

Incubation for top Web3 projects

Deployment

BNB Chain Grants

Grants for ecosystem builders

Kickstart

Explore essential tools & support

Space

Builder Bunker

A Workspace to Meet & Build

See All Programs

Connect

Community

Community Hub

Connect with the community

Build N’ Build Forum

A public, community-driven dev forum

in Real Life

Events

Global and local meetups, conferences, and hackathons

Join us

Careers🔥

Explore Opportunities on BNB Chain

Connect with BD

BNB Chain Careers Ecosystem Jobs

BSC Post-Quantum Cryptography Migration Report

2026.5.14 • 4 min read

TL;DR

Post-quantum readiness is achievable on BSC today, with data size growth and network constraints as the main trade-offs.
Transaction signatures and consensus votes are migrated to ML-DSA-44 (NIST FIPS 204) and pqSTARK aggregation.
Transaction size increases from 110 B to ~2.5 KB, and block size grows to ~2 MB, reducing throughput by ~40–50% in tests.
Consensus-layer aggregation remains efficient, with ~43:1 compression keeping validator overhead manageable.

Background

Post-quantum cryptography is an area of ongoing research and preparation across the industry. While quantum computing is advancing, it is not yet at a stage where it can break current production cryptography in real-world systems. This work reflects a forward-looking approach to ensure BSC remains resilient over the long term, rather than a response to an immediate risk.

In that context, quantum computing poses a long-term threat to elliptic-curve cryptography. Shor's algorithm can break discrete-logarithm-based systems, including ECDSA and BLS12-381, in polynomial time. In August 2024, NIST formally published FIPS 204, standardizing ML-DSA (Dilithium) as the post-quantum digital signature algorithm.

This marks the point where a production-ready defence is available, and provides the foundation for the migration approach evaluated in this report, including design choices, implementation details, and observed performance trade-offs.

BSC's full cryptographic attack surface spans four layers:

Layer	Current Algorithm	Quantum Threat	This PR
Transaction signature	ECDSA (secp256k1)	Shor breaks private key	✅ Replaced → ML-DSA-44
Consensus vote aggregation	BLS12-381	Shor breaks private key	✅ Replaced → pqSTARK
P2P handshake	ECDH (secp256k1)	Shor breaks session key	⬜ Pending → ML-KEM
KZG commitment (EIP-4844)	BLS12-381 pairing	Shor forges blob proofs	⬜ Pending → lattice-based commitment

P2P and KZG are out of scope for this PR. P2P session keys are ephemeral. This means the attack window is far narrower than for persistent keys, so they are lower priority. KZG replacement requires coordination across the broader Ethereum ecosystem.

Algorithm Selection

Why ML-DSA (Dilithium)

ML-DSA is a lattice-based signature scheme built on the Module Learning With Errors (MLWE) problem. It is the only signature algorithm standardized in NIST FIPS 204 and the most widely deployed PQC scheme in production today. Compared to the other NIST standard SLH-DSA (SPHINCS+), ML-DSA produces smaller signatures and verifies faster. This makes it better suited to high-throughput onchain environments.

Why ML-DSA-44

ML-DSA has three parameter sets:

Variant	Security Level	Public Key	Signature
ML-DSA-44 (Dilithium2)	NIST Level 2 (≈ AES-128)	1,312 bytes	2,420 bytes
ML-DSA-65 (Dilithium3)	NIST Level 3 (≈ AES-192)	1,952 bytes	3,293 bytes
ML-DSA-87 (Dilithium5)	NIST Level 5 (≈ AES-256)	2,592 bytes	4,595 bytes

Rationale for ML-DSA-44:

Sufficient security margin. A cryptographically relevant quantum computer (CRQC) is generally estimated to be 10–20 years away. Level 2 (AES-128 equivalent) provides adequate headroom over that window. The additional protection from Level 3/5 offers limited practical benefit given the current threat timeline.
Signature size is the dominant onchain cost. PQ blocks are already ~18× larger than non-PQ blocks at equivalent TPS. Upgrading to ML-DSA-65 would increase signature size by a further 36%, reducing the TPS ceiling without a proportionate security return.
Verification sits on the hot path. Every transaction requires signature verification. ML-DSA-44 is the fastest of the three variants, which directly impacts block processing throughput.

Implementation

Overview of Changes

Component	Before	After	Note
Transaction signature	ECDSA (secp256k1)	ML-DSA-44	NIST FIPS 204
Public key size	64 bytes	1,312 bytes	+20×
Signature size	65 bytes	2,420 bytes	+37×
Transaction type	Legacy / EIP-1559	Type 0x05	Embeds From; no sig recovery needed
PQ public key storage	—	0x70 precompile, 41 storage slots/key	Process-level LRU cache accelerates hot path
Transaction verification	secp256k1 recovery	Registry lookup + ML-DSA verify	Cache miss falls back to stateDB read
Consensus vote aggregation	BLS aggregate sig	pqSTARK	Single proof covers all validator signatures
Aggregated proof size	96 bytes	~340 bytes	+3.5×, written to block header Extra
Block size at 2,000 TPS native transfer	~130 KB	~2 MB	+18×, driven by per-tx signature size

Address Compatibility

The address format is unchanged. It is still 20 bytes and derived from the ML-DSA-44 public key via keccak-256. No changes are required to RPCs, SDKs, or wallets.

pqSTARK Aggregation Efficiency

Six validators' raw signatures total 6 × 2,420 = 14.5 KB. The resulting aggregate proof is ~340 bytes, which gives a compression ratio of roughly 43:1. Despite the increase in per-transaction signature size, the consensus-layer onchain footprint remains manageable.

Test Results

Table 1 - Single Region vs Cross Region (PQ, Native Transfer)

	TPS ceiling	mgasps	Chain Insert	Finalized P50/P90/P99
Single Region	4,720	219	330 ms	2 / 2 / 2
Cross Region	2,997	196	248 ms	2 / 5 / 11

Cross-region TPS is 63% of single-region at equivalent load. Finality P99 degrades from 2 to 11 slots, driven by larger block propagation latency across regions rather than any consensus protocol regression.

Table 2 — Cross Region: Non-PQ Baseline vs PQ

Workload		TPS ceiling	mgasps	Chain Insert	Finalized P50/P90/P99
Native Transfer	Non-PQ	4,973	392	189 ms	2 / 2 / 2
	PQ	2,997	196	248 ms	2 / 5 / 11
Mix + Opt	Non-PQ	3,695	513	397 ms	2 / 4 / 7
	PQ	2,406	403	709 ms	2 / 4 / 8

Native transfer: TPS −40%, mgasps −50%. Root cause is PQ transaction size ×35. The block byte budget becomes the binding constraint before the gas limit is reached.
Mixed workload: TPS −35%, mgasps −22%. The impact is smaller because contract transactions carry higher gas-per-byte, which reduces the relative overhead of the larger signature.
Finality P50 = 2 slots in all cases. Median latency is unaffected. The P99 gap (11 vs 2) is a network propagation effect of larger blocks over cross-region links, not a consensus protocol issue.

Conclusion

This migration demonstrates that post-quantum signature schemes can be integrated into BSC’s transaction and consensus layers today, using standardized primitives such as ML-DSA-44 and pqSTARK aggregation.

The results highlight a clear trade-off. Quantum-resistant signatures significantly increase transaction and block sizes, which reduces throughput under current network constraints. At the same time, consensus-layer aggregation remains efficient, keeping validator overhead manageable.

Overall, this work shows that post-quantum readiness is achievable with existing approaches, but scaling constraints at the network and data layer remain the primary challenge for production deployment.

References

post quantum migration https://github.com/bnb-chain/bsc/pull/3660
https://x.com/yq_acc/status/2042491006449496424
https://x.com/eth_daily/status/2040952675626627531