The post-quantum threat is on everyone’s mind. Given the recent analysis by Google Quantum AI that identifies Algorand among the limited set of smart-contract platforms to achieve real-world deployment of post-quantum cryptography (PQC), and Algorand’s execution of its first PQC-secured transaction in 2025, we have been approached by multiple groups, Foundations, and researchers about what we are planning next.
Algorand Foundation’s philosophy is to be research-driven and lead from the front while maintaining caution and care. Other ecosystems and projects have built on Algorand’s published research on implementations (e.g., VRF, Falcon). We want to be clear and transparent about our next steps and explain why we are taking them. We have an expert team of cryptographers, researchers, and engineers at the Foundation who deemed the quantum threat a serious risk to the security of blockchain technology. We also want to keep in mind that the field of post-quantum cryptography is maturing quickly. Post-quantum migration is a balancing act. Moving too slowly leaves systems exposed to future quantum attacks, but moving too quickly can mean relying on algorithms and implementations that have not yet been sufficiently battle-tested.
With that said, we are excited to share our latest updates on Algorand’s post-quantum roadmap and research efforts. This document outlines Algorand’s progress, milestones, and ongoing research in the area of post-quantum cryptography for the Algorand protocol.
Roadmap overview
Native post-quantum accounts
Algorand previously enabled Falcon accounts through LogicSig programs that the Algorand Virtual Machine (AVM) executes on behalf of an account. This required the addition of the FALCON_VERIFY opcode to the AVM. While these LogicSig-based accounts demonstrated the viability of post-quantum signatures on the Algorand protocol, they were not natively supported by the ledger, developer tooling, or consensus rules.
Native support for post-quantum accounts will be introduced in the Q3 2026 protocol release.
Account representation
In the ledger, a post-quantum account address is derived as:
SHA512_256(domain || scheme[2] || explicit_salt[1] || pk)
This construction preserves the existing 32-byte address scheme, which is commonly encoded in Algorand’s 58-character textual format. It also prevents ledger-space expansion that would result from storing large public keys directly.
| Parameter | Description |
| --- | --- |
| domain | A fixed-length, protocol-defined hash domain separator. |
| scheme | A 2-byte ASCII identifier for the post-quantum signature scheme. |
| explicit_salt | A single byte chosen so that the SHA512_256 output cannot be mistaken for an Ed25519 public key, so that a post-quantum address, which shares the 32-byte format, is never interpreted under the Ed25519 scheme. |
| pk | The public key of the scheme. |
Tooling (SDKs, AlgoKit, hardware wallets)
With the Q3 2026 protocol release, the existing software development kits (SDKs) will support derivation of Falcon-1024 accounts from the standard 25-word seed phrase. Pera Wallet and AlgoKit are expected to support Falcon account derivation within the same release window.
Seed derivation
Although not set in stone yet, the derivation of the seed (for key generation) from the 25 words will likely be something close to:
SHA512_256(domain || scheme || 256-bit word entropy)
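As an added example (not code from the Algorand Foundation or from go-algorand), the following Go program implements the two hash constructions on this page: the address derivation from the account representation section and the seed derivation sketched just above. The domain separator strings and the 2-byte scheme identifier are placeholders, since the page does not fix their values, and the rule for choosing `explicit_salt` is not given, so the salt is an input. The program also applies the existing 58-character text encoding (RFC 4648 base32, no padding, over the 32 address bytes plus a 4-byte SHA512_256 checksum) that a derived address must fit, and checks it on the way back. The 1793-byte public key is constructed filler of Falcon-1024 length, not a real key; key generation from the seed is outside the standard library and not shown.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/base32"
	"errors"
	"fmt"
)

// Placeholder values: the page fixes the preimage layout but not the domain
// separator strings or the scheme identifiers, so these are assumptions.
const (
	addrDomain       = "PQAddr" // assumed fixed-length address domain separator
	seedDomain       = "PQSeed" // assumed fixed-length seed domain separator
	SchemeFalcon1024 = "F1"     // assumed 2-byte ASCII scheme identifier
)

// Algorand's textual address form: RFC 4648 base32 without padding over the
// 32 address bytes followed by a 4-byte checksum.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// DeriveAddress computes SHA512_256(domain || scheme[2] || explicit_salt[1] || pk).
// The rule for choosing explicit_salt is not given on the page, so the caller
// supplies it.
func DeriveAddress(scheme string, salt byte, pk []byte) ([32]byte, error) {
	var addr [32]byte
	if len(scheme) != 2 {
		return addr, errors.New("scheme identifier must be exactly 2 ASCII bytes")
	}
	if len(pk) == 0 {
		return addr, errors.New("empty public key")
	}
	h := sha512.New512_256()
	h.Write([]byte(addrDomain))
	h.Write([]byte(scheme))
	h.Write([]byte{salt})
	h.Write(pk)
	copy(addr[:], h.Sum(nil))
	return addr, nil
}

// DeriveSeed computes SHA512_256(domain || scheme || entropy) from the 256-bit
// entropy behind the 25-word mnemonic. The result would feed the scheme's key
// generator, which is not part of this example.
func DeriveSeed(scheme string, entropy [32]byte) ([32]byte, error) {
	var seed [32]byte
	if len(scheme) != 2 {
		return seed, errors.New("scheme identifier must be exactly 2 ASCII bytes")
	}
	h := sha512.New512_256()
	h.Write([]byte(seedDomain))
	h.Write([]byte(scheme))
	h.Write(entropy[:])
	copy(seed[:], h.Sum(nil))
	return seed, nil
}

// EncodeAddress renders the 32 address bytes in the existing 58-character
// form; the checksum is the last 4 bytes of SHA512_256(addr).
func EncodeAddress(addr [32]byte) string {
	sum := sha512.Sum512_256(addr[:])
	raw := append(append(make([]byte, 0, 36), addr[:]...), sum[28:]...)
	return b32.EncodeToString(raw)
}

// DecodeAddress reverses EncodeAddress, rejecting a bad length or checksum.
func DecodeAddress(s string) ([32]byte, error) {
	var addr [32]byte
	raw, err := b32.DecodeString(s)
	if err != nil {
		return addr, err
	}
	if len(raw) != 36 {
		return addr, fmt.Errorf("decoded %d bytes, want 36", len(raw))
	}
	copy(addr[:], raw[:32])
	sum := sha512.Sum512_256(addr[:])
	if !bytes.Equal(raw[32:], sum[28:]) {
		return addr, errors.New("address checksum mismatch")
	}
	return addr, nil
}

func main() {
	// Constructed sample: 1793 bytes of filler, the length of a Falcon-1024
	// public key, not a real key.
	pk := bytes.Repeat([]byte{0x5a}, 1793)
	addr, err := DeriveAddress(SchemeFalcon1024, 0, pk)
	if err != nil {
		panic(err)
	}
	fmt.Println(EncodeAddress(addr))
}
```

Running the file prints one 58-character address that is indistinguishable in form from an Ed25519 address. Because the address commits to the scheme identifier, the salt and the full public key, a verifier that holds only the address needs all three presented alongside a signature to recompute the hash and check it; the salt is the one input here that the protocol, not the user, is expected to fix.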
Hardware wallets & standards
Algorand supports both a 25-word single-key mnemonic scheme and the industry standards for Hierarchical Deterministic (HD) wallets (BIP39 / BIP32(ed25519) / BIP44). Algorand’s 25-word scheme will be updated in the short term to support Falcon native accounts because we do not want to make a unilateral decision on the HD wallet scheme without industry alignment. We are actively engaging with other ecosystems and manufacturers to help standardize a new derivation scheme for lattice-based (and other post-quantum) keys. Updates to hardware wallets, AlgoKit, and SDKs on the HD wallet front will be made once we have a clear direction.
Cryptographic agility
The Q3 2026 protocol release will introduce network-level support for multiple concurrent signature schemes. This represents a foundational step toward cryptographic agility: the protocol will continue to support traditional Ed25519 accounts while incorporating additional signature schemes without requiring further structural overhauls. As the post-quantum research landscape evolves, this architecture enables the integration of future advances with minimal protocol disruption.
This means that Algorand could eventually interoperate directly with systems that support Ed25519, Falcon-1024/Falcon-512 (or the subsequent NIST standard FN-DSA), ML-DSA, and others. Although adoption, implementation, and research around Falcon-1024 remain our main focus, this is not to the exclusion of other schemes, and we plan to be ready to support them if they prove viable and secure.
Hybrid accounts
By supporting multiple signature schemes and increasing the LogicSig budget, we will enable the creation of individual accounts secured by any combination of keys. As previously highlighted, the primary application for this is merging ECC-based accounts with lattice-based ones to provide a robust defense against both classical and post-quantum security risks.
Post-quantum multisig
Building on our long history of native multisig, the arrival of cryptographic agility and native post-quantum accounts enables us to deploy native multisig spanning multiple signature schemes by the end of 2026. We view this as an essential advancement for institutional operations, treasury management, and high-stakes financial applications. These users can benefit from hybrid schemes that combine ECC and post-quantum signatures, ensuring protection against both classical and quantum-era threats.
The next design step explores post-quantum multisignatures as a generic policy layer over independently verifiable signatures, rather than relying on scheme-specific threshold cryptography. This allows the model to support weighted approvals, hybrid combinations of classical and post-quantum signers, and future post-quantum digital signature algorithms as standards evolve.
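The policy-layer idea in the two sections above, hybrid accounts and multisig as a generic policy over independently verifiable signatures, can be shown in working code. The following Go program is an added example, not Algorand's implementation or its transaction format: a per-scheme verifier registry (the cryptographic-agility hook), weighted signers, a threshold, and a hybrid rule requiring at least one valid signature from each listed scheme. The scheme identifiers are assumptions. Because Go's standard library has no Falcon, ECDSA P-256 stands in for the post-quantum slot; the policy code does not depend on which scheme sits there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Scheme tags a signature scheme (the identifiers are assumptions). P-256 holds
// the post-quantum slot only because Go's standard library has no Falcon;
// putting Falcon-1024 there changes nothing below the registry.
type Scheme string

const (
	SchemeEd25519 Scheme = "ed"
	SchemeP256    Scheme = "p2"
)

// verifiers is the per-scheme registry, the only hook the policy layer needs.
var verifiers = map[Scheme]func(pk, msg, sig []byte) bool{
	SchemeEd25519: func(pk, msg, sig []byte) bool {
		return len(pk) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pk), msg, sig)
	},
	SchemeP256: func(pk, msg, sig []byte) bool {
		x, y := elliptic.Unmarshal(elliptic.P256(), pk)
		d := sha256.Sum256(msg)
		return x != nil && ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, d[:], sig)
	},
}

// Signer is one key in the policy with its approval weight.
type Signer struct {
	Scheme Scheme
	PK     []byte
	Weight uint64
}

// Policy is a weighted threshold over Signers. RequireSchemes is the hybrid
// rule: every listed scheme must contribute a valid signature, so breaking one
// scheme alone cannot satisfy the policy.
type Policy struct {
	Signers        []Signer
	Threshold      uint64
	RequireSchemes []Scheme
}

// Evaluate takes signatures keyed by signer index (so no signer counts twice)
// and returns the approved weight and nil when the policy holds. Any invalid or
// out-of-range signature rejects the whole set: malformed input is treated as
// an attack, not as an abstention.
func (p Policy) Evaluate(msg []byte, sigs map[int][]byte) (uint64, error) {
	schemeOK := map[Scheme]bool{}
	var total uint64
	for idx, sig := range sigs {
		if idx < 0 || idx >= len(p.Signers) {
			return 0, fmt.Errorf("signer index %d out of range", idx)
		}
		s := p.Signers[idx]
		if verify := verifiers[s.Scheme]; verify == nil || !verify(s.PK, msg, sig) {
			return 0, fmt.Errorf("signer %d: unsupported scheme or invalid signature", idx)
		}
		total += s.Weight
		schemeOK[s.Scheme] = true
	}
	for _, sch := range p.RequireSchemes {
		if !schemeOK[sch] {
			return total, fmt.Errorf("hybrid rule: no valid %q signature", sch)
		}
	}
	if total < p.Threshold {
		return total, fmt.Errorf("weight %d below threshold %d", total, p.Threshold)
	}
	return total, nil
}

// NewEd25519Signer and NewP256Signer generate a fresh key and return the policy
// entry plus a signing closure; the private key never leaves the closure.
func NewEd25519Signer(weight uint64) (Signer, func([]byte) []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Scheme: SchemeEd25519, PK: pub, Weight: weight}, func(m []byte) []byte { return ed25519.Sign(priv, m) }
}

func NewP256Signer(weight uint64) (Signer, func([]byte) []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pk := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
	return Signer{Scheme: SchemeP256, PK: pk, Weight: weight}, func(m []byte) []byte {
		d := sha256.Sum256(m)
		sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
		if err != nil {
			panic(err)
		}
		return sig
	}
}
```

A hybrid account is a `Policy` with one Ed25519 signer and one post-quantum signer, threshold 2 and both schemes in `RequireSchemes`; an Ed25519-only signature set is then rejected even though the key is valid. A treasury policy uses weights and a threshold without `RequireSchemes`, or with a single required post-quantum scheme if the goal is that no purely classical quorum can move funds. Adding FN-DSA or ML-DSA later is one more registry entry and scheme tag; `Evaluate` is unchanged.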
Falcon-512
The Q3 2026 release will offer Falcon-1024 account support, with native Falcon-512 support planned for the end of 2026. The implementation is based on the Falcon team's work, with contributions from Algorand Chief Scientific Officer Chris Peikert on the deterministic variants. Before Falcon-512 support is released in the protocol, our C and Go implementations will be expanded to expose the Falcon-512 variant.
Public key and signature sizes for both Falcon variants are many times larger than Ed25519's:
| Scheme | Public key size (bytes) | Signature size (bytes) |
| --- | --- | --- |
| Ed25519 | 32 | 64 |
| Falcon-512 | 897 | ~640 |
| Falcon-1024 | 1793 | ~1280 |
Ongoing research
Verifiable Random Function (VRF)
A Verifiable Random Function (VRF) is the cryptographic primitive that underpins Algorand’s committee selection and cryptographic sortition processes. It provides a way to generate random values that can be publicly verified, ensuring the integrity and fairness of the selection process.
The current Algorand VRF implementation relies on elliptic-curve cryptography (ECC) and thus is not fully resistant to quantum adversaries. In a post-quantum world, an ECC-based VRF would no longer guarantee membership anonymity before a member vote is cast (though our published research shows that Algorand’s VRF appears to prevent attackers from falsely claiming committee membership).
Research is underway to identify a replacement VRF construction that fully withstands quantum attacks while maintaining computational efficiency for committee selection and cryptographic sortition.
A specific candidate construction is under active security and efficiency analysis. Should the analysis yield positive results, a corresponding research paper is expected for publication by early 2027.
Post-quantum consensus
Besides ledger accounts and the VRF, the Algorand network relies on consensus messages and voter signatures for the core consensus protocol. These messages are currently signed with Ed25519, which a quantum adversary could forge. Research is ongoing to evaluate signature schemes that would give Algorand quantum resistance for consensus messaging. The biggest issue to solve is the size of post-quantum keys and signatures, since every vote carries one. Following the completed work to compress consensus votes, Falcon, which has the most compact keys and signatures among the lattice-based schemes, is the strongest candidate for Algorand's consensus messages.
However, a scheme being quantum-resistant does not by itself establish that it is classically secure with the same confidence as Ed25519. Most likely, Algorand will operate under a hybrid model for a while, in which both an Ed25519 and a Falcon signature are attached to consensus messages, so that a break of either scheme alone does not compromise consensus. The team will evaluate the security of the new scheme in parallel with its deployment. More information will be shared closer to the end of 2026.
Hardware wallets & PQ-signatures
Implementing lattice-based cryptography on hardware wallets presents challenges we are currently addressing. Algorand’s proof-of-concept implementation on Trezor Safe 5 (Cortex-M33) features on-device Falcon-1024 key generation and signing. Initial results using FALCON-DET1024 are promising: signing takes ~0.7 seconds per transaction, while an integer-only (non-floating-point) key-generation algorithm using the `ntrugen` solver has reduced median times to ~2.2 seconds. Optimization is ongoing.
| Operation (Trezor Safe 5) | Median | P99 | Max |
| --- | --- | --- | --- |
| Keygen (float emulation) | 3.79 s | 10.13 s | 12.01 s |
| Keygen (ntrugen, integer-only) | 2.22 s | 6.61 s | 7.48 s |
| Sign (per transaction) | ~0.69 s | constant (σ < 1 ms) | - |
Deploying this technology requires collaboration with manufacturers and the wider ecosystem. While we cannot ship support independently, our proof-of-concept demonstrates Falcon's practicality on constrained hardware, providing a solid foundation for industry discussions alongside our derivation-path research.
Release schedule

Disclaimer: The content provided in this blog is for informational purposes only. The information is provided by the Algorand Foundation and while we strive to keep the information up-to-date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the blog or the information, products, services, or related graphics contained in the blog for any purpose. This blog contains forward-looking statements regarding Algorand’s planned post-quantum protocol upgrades, product releases, and timelines. These statements reflect Algorand Foundation’s current expectations and are subject to change as development progresses, as research in post-quantum cryptography evolves, and as external standards (including those of NIST and other standards bodies) develop. Actual results, timing, and scope may differ. Algorand Foundation undertakes no obligation to update these statements except as required. The content of this blog is not intended to be legal, financial, or investment advice nor is it an endorsement, guarantee, or investment recommendation. You should not take any action before conducting your own research or consulting with a qualified professional. Any reliance you place on such information is therefore strictly at your own risk. All companies are independent entities solely responsible for their operations, marketing, and compliance with applicable laws and regulations. In no event will Algorand Foundation nor any affiliates be liable for any loss or damage including without limitation, indirect, or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this blog. Through this blog, you may be able to link to other websites which are not under the control of the Algorand Foundation. We have no control over the nature, content, and availability of those sites. 
The inclusion of any links does not imply a recommendation nor endorse the views expressed therein.