Great thread by @ConorDeegan4 reviewing approaches for post-quantum migrations without a change of address (also the subject of a recent paper on EdDSA by @kostascrypto et al).
TL;DR: canonical seed-to-key derivation should be treated as a first-class primitive vs. an afterthought.
I've been looking into more post-quantum upgrade mechanisms, especially ones which do not require a change of address.
EdDSA chains that follow RFC 8032 (Ed25519 style) have a built-in advantage. Your signing key isn't a raw random scalar, it's deterministically derived from a short seed by hashing. That means you can prove you know the seed (in a post-quantum-sound ZK proof) and bind a new post-quantum key to the same address. No fund moves and no new curve data on-chain. Even dormant accounts can be upgraded if the seed exists. This covers chains like Sui, Solana, NEAR, Stellar, Aptos.
Bitcoin/Ethereum don't have that invariant by default because many ECDSA keys came from "just pick a random scalar". But there is a possible path for big cohorts that use BIP-39 → BIP-32 with well-defined paths. You can prove that exact derivation and bind a post-quantum key without moving funds. But it's wallet-specific and may be complex:
- BIP-39’s PBKDF2-HMAC-SHA512 (2048 rounds) is costly in ZK
- BIP-32 adds HMAC-SHA512 and secp256k1 math inside the circuit
Still, for common paths (e.g., Ethereum m/44’/60’/0’/0/x), it may be feasible.
Generally there are two deployment patterns:
1. One-time proof + mapping: publish a proof once and record address → post-quantum key. From then on, you sign post-quantum for that address.
2. Per-transaction proof: each transaction carries a single proof that ties the seed to the address and authorizes the message. Stateless, but every verifier must check the proof. This may rule out a lot of chains given the performance overhead of verifying the proof per tx.
Why this works: Shor's algorithm breaks discrete logs (so public-key systems like ECDSA/EdDSA fail once the public key is exposed). Grover's algorithm only gives a quadratic speedup for hash preimages. So if your private key is derived from a seed via a strong hash (e.g., SHA-512), the seed remains hidden even if a future machine recovers today's key. That's why the "seed-first" design in EdDSA helps.
Also, you don’t need a hard fork to start. Before Q-Day you can also bind identities without ZK by cross-signing the legacy address and the post-quantum key in both directions and anchoring it to time. That’s what we built with yellowpages.
In the post I break down the mechanics, what you can save today on EdDSA chains, what you can realistically save on ECDSA, the trade-offs of one-time vs per-tx proofs, and the limits you should care about (seed handling, replay protection, proof cost). Full write-up below.
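The RFC 8032 seed-to-key step the thread relies on, as an added Python example (not part of the original thread or of any project named in it): it derives the clamped scalar and public key from a 32-byte seed and checks that a seed binds to an address, which is the statement a post-quantum-sound ZK proof would attest in the "one-time proof + mapping" pattern. The curve arithmetic is a plain textbook implementation for illustration and is not constant time.

```python
import hashlib
# Ed25519 parameters (RFC 8032, 5.1); B is the base point in extended coords (X, Y, Z, T)
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
B_x = 15112221349535400772501151409588531511454012693041857206046113283949847762202
B_y = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (B_x, B_y, 1, B_x * B_y % p)

def point_add(P, Q):
    """Twisted Edwards addition in extended coordinates (RFC 8032, 5.1.4)."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    Bv = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * T1 * T2 * d % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def point_mul(s, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    Q = (0, 1, 1, 0)  # neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def encode_point(P):
    """Compress to 32 bytes: little-endian y with the parity of x in the top bit."""
    X, Y, Z, _ = P
    zinv = pow(Z, p - 2, p)
    x, y = X * zinv % p, Y * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def seed_to_scalar(seed: bytes) -> int:
    """RFC 8032 5.1.5: the secret scalar is the clamped low half of SHA-512(seed)."""
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248   # clear the low 3 bits (cofactor clearing)
    h[31] &= 127  # clear the top bit
    h[31] |= 64   # set bit 254
    return int.from_bytes(h, "little")

def seed_to_public_key(seed: bytes) -> bytes:
    return encode_point(point_mul(seed_to_scalar(seed), B))

def seed_binds_address(seed: bytes, address: bytes) -> bool:
    """The statement a post-quantum-sound ZK proof would attest: this seed derives this address."""
    return seed_to_public_key(seed) == address
```

With the RFC 8032 test vector seed `9d61b19d...cae7f60`, `seed_to_public_key` returns the public key `d75a9801...f707511a`, and `seed_binds_address` is true for that pair and false for any other seed.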