blockchain network
Hedera HBAR
Hedera has published one of the most detailed post-quantum migration roadmaps in the blockchain industry (April 2026), with explicit algorithm selection (FN-DSA/ML-DSA for signatures, ML-KEM for TLS), phased sequencing, and dependency analysis. The hashgraph consensus already uses SHA-384 hashing, providing genuine quantum-resistant state integrity. The account model supports in-place key rotation. However, as of June 2026, all production spend authorization, consensus event signing, and the TSS proof system rely entirely on quantum-vulnerable classical signatures (ECDSA secp256k1, Ed25519, Schnorr, BLS). No PQC code, prototype, or testnet exists. The effective QRI score is capped at 25 by the Readiness & Risk Cap for 'Roadmap/proposal only; no public code, prototype, or testnet,' and the Factor Score of 15.28 reflects the gap between excellent planning and zero production protection. The final QRI Score of 15 places Hedera firmly in Stage 2 (Mitigation / Development).
Roadmap OnlyPartial ProtectionPQ-Recoverable
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
2.25 / 20
Migration Mechanism, Governance & Ecosystem Coordination
4.25 / 15
Migration Status & Value-at-Risk
0.5 / 25
Production Cryptographic Protection
3.28 / 35
Security Assessment & Evidence Preparedness
5 / 5
Critical Quantum Blockers
- Active production spend authorization remains entirely ECC (ECDSA secp256k1, Ed25519). All user accounts, transaction signing, and smart-contract authorization use quantum-vulnerable classical signatures with exposed public keys.
- No PQC signature code, prototype, or testnet exists. The published roadmap is a detailed plan only; no production or testnet PQC implementation is available.
- Consensus event signing and the TSS (Threshold Signature Scheme) rely on classical signatures (Ed25519, Schnorr, BLS). A quantum computer could forge consensus events.
- Material long-exposure value-at-risk exists across all accounts that have submitted transactions, with no migration, freeze, deprecation, burn, or enforced policy path.
- Two-way bridges (Axelar, Chainlink CCIP) allow HBAR value to flow into non-PQ-secure systems without quantum-related restrictions.
Key Risks
- All HBAR accounts that have ever submitted a transaction have exposed ECDSA or Ed25519 public keys on-chain, creating a permanent long-exposure attack surface. A future CRQC could derive private keys from these public keys and steal all accessible funds.
- Consensus event forging: nodes sign hashgraph events with classical signatures. A quantum adversary could forge events and potentially disrupt consensus ordering or finality.
- The TSS (Threshold Signature Scheme) being rolled out in 2026 uses Schnorr and BLS signatures for its chain-of-trust proofs (wraps). These are quantum-vulnerable, meaning bridge verifiers and light clients relying on TSS proofs could be compromised by a quantum adversary.
- Axelar and Chainlink CCIP bridges allow unrestricted two-way flow between Hedera and non-PQ-secure chains (Ethereum, etc.), creating cross-chain quantum contagion risk.
- FN-DSA (Falcon), Hedera's preferred PQC signature algorithm, is not yet a finalized NIST standard (FIPS 206). The fallback to ML-DSA carries a approximately 3.6x signature size penalty.
- No deprecation, freeze, or burn policy exists for dormant or unmigrated accounts with exposed classical public keys. Users can indefinitely maintain quantum-vulnerable accounts even after PQC key types become available.
- Signature size increases (20x-72x) may stress Hedera's throughput model, fixed-fee economics, and maximum transaction size limits in ways not yet publicly modeled.
Assurance Notes
- FP Complete audit (2021) covered classical code quality and Hedera Token Service; no PQC scope. Relevant for general engineering rigor but provides zero assurance for quantum-critical signature security.
- CMU Coq formal verification (2018) proved asynchronous Byzantine fault tolerance for the hashgraph consensus algorithm; classical scope only. Does not cover PQC signature security.
- NCC Group audit (2024) covered only the Hedera Transaction Tool demo application, not the consensus node or core cryptographic stack.
- No independent audit of any PQC implementation exists because no PQC implementation exists in production or testnet.
- No formal quantum-specific incident-response playbook has been identified.
- No formal performance benchmarks for PQC signature verification at Hedera-scale transaction volumes have been published.
- The Hiero consensus node is open-source (Apache 2.0) under LF Decentralized Trust, enabling community review of classical cryptographic code.
- Hedera's account model supports in-place key rotation without changing account ID, which is a structural advantage for future migration.
- SHA-384 usage in hashgraph consensus provides quantum-resistant state-integrity hashing (192-bit effective security against Grover's algorithm), a genuine production security property today.
Non-Scoring Caveats
- No on-chain analytics or attestations measuring the percentage of HBAR supply in long-exposure (transacted) accounts were located. Nominal circulating supply is treated as fully vulnerable; actual dormant/unmigratable breakdown is unknown.
- Hedera's roadmap targets FN-DSA (Falcon/FIPS 206) which is not yet a finalized NIST standard as of the evaluation date. The fallback to ML-DSA is documented but increases signature size approximately 3.6x.
- Post-quantum signature sizes (FN-DSA: 1,280 bytes, ML-DSA-87: 4,627 bytes vs Ed25519: 64 bytes) pose unresolved questions for Hedera's high-throughput design, fixed fee model, and maximum transaction size limits.
- The roadmap states existing Ed25519/ECDSA keys will continue working throughout migration with users rotating on their own schedule. No deprecation deadline or enforcement mechanism for unmigrated vulnerable accounts has been published.
- The Hashport bridge is being sunset (replaced by Axelar Interchain Tokens), but Axelar and Chainlink CCIP bridges continue to provide unrestricted two-way flow to non-PQ-secure chains.
- The CLPR bridgeless cross-ledger protocol announced at HederaCon (May 2026) is not yet in production and does not affect the current evaluation scope.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: Hedera's April 2026 blog post identifies ECDSA secp256k1 and Ed25519 as quantum-vulnerable, confirms SHA-384 and AES-256 as PQ-resistant, and provides a detailed threat model covering attack assumptions, affected layers, and affected assets.
Coverage basis: Official documentation and blog post identifying cryptographic primitives and quantum vulnerability
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Primary official source; inventory is explicit and comprehensive.
Security Assessment & Evidence Preparedness
Public evidence record supporting assessment
Claim: Evidence record includes official documentation, source code repository (Hiero consensus node), mainnet explorer (HashScan), blog posts with algorithm comparison tables, and DevDay 2026 technical presentations.
Coverage basis: Multiple primary sources across docs, code, and presentations
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Source code and mainnet explorer provide verifiable evidence for classical cryptographic claims.
Production Cryptographic Protection
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: All Hedera accounts use ECDSA secp256k1 (recommended) or Ed25519 for transaction signing. No PQC or hybrid-PQC signature support exists in production.
Coverage basis: Official documentation and source code confirm ECC-only production spend authorization
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Active production spend authorization remains entirely ECC (ECDSA secp256k1, Ed25519). All user transaction signing uses quantum-vulnerable classical signatures.
Assurance: Verified from official docs, blog, and open-source consensus node code.
Both supported algorithms are broken by Shor's algorithm. All accounts that have submitted transactions have exposed public keys on-chain.
Production Cryptographic Protection
Account/address/public-key exposure and key-derivation design prevents long-exposure quantum-vulnerable ownership paths
Claim: Hedera accounts expose ECDSA or Ed25519 public keys on-chain when transactions are submitted. Account model supports key rotation without changing account ID, but no PQ key types exist.
Coverage basis: Official documentation confirms classical key types, exposed public keys, and key rotation capability
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All transacted accounts have permanently exposed classical public keys on-chain. Long-exposure attack surface is universal.
Assurance: Account model's key-rotation capability is a positive structural feature for future migration but provides zero protection today.
Key rotation without account ID change is a genuine architectural advantage for future migration UX.
Production Cryptographic Protection
Consensus-critical authentication is PQC or hybrid-PQC where applicable
Claim: Hashgraph consensus events are signed with classical Ed25519. The TSS system uses Schnorr signatures for chain-of-trust proofs and BLS for threshold signatures. No PQC in consensus authentication.
Coverage basis: Official documentation, DevDay 2026 presentations, and TSS design doc confirm classical signature use
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Consensus event signing and TSS proofs rely on quantum-vulnerable classical signatures (Ed25519, Schnorr, BLS).
Assurance: TSS documentation is comprehensive and available in the open-source repository. DevDay 2026 confirms post-quantum transition for TSS is planned but not implemented.
The TSS wraps recursive SNARK proof verifies a chain of classical Schnorr signatures. A quantum adversary could forge these, compromising light-client and bridge verification of consensus state.
Production Cryptographic Protection
State-integrity and data-availability mechanisms are quantum-safe where applicable
Claim: Hashgraph consensus uses SHA-384 for event hashing, providing 192-bit effective security against Grover's algorithm. This is PQ-resistant. However, TSS chain-of-trust proofs depend on classical Schnorr/BLS signatures for light-client-verifiable state integrity.
Coverage basis: Official documentation confirms SHA-384 usage; TSS design doc confirms classical signature dependency for proofs
Implementation score: 0.5 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: SHA-384 hashing for event chains and Merkle trees is verifiable from documentation and provides genuine quantum-resistant state integrity for the ledger history. The TSS signature dependency affects light-client and bridge verifiability, not internal consensus state integrity.
Partial credit: core hashing layer is PQ-resistant. TSS proof system for external verifiers (bridges, light clients) remains classically dependent.
Production Cryptographic Protection
Privacy and proof layers are quantum-safe where applicable
Claim: Hedera is a transparent public ledger with no native shielded transactions, stealth addresses, zk-proof-based privacy, or confidential asset protocols.
Coverage basis: Protocol architecture: Hedera is a transparent DLT without privacy-specific cryptographic layers
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Production Cryptographic Protection
P2P transport, node identity, and peer authentication are PQC, hybrid-PQC, or satisfied by design
Claim: Node-to-node and client-to-node communication uses TLS with classical key exchange. Node identity in the hashgraph is tied to Ed25519 event signing keys. Hedera states consensus security does not depend on TLS, but node identity authentication uses classical signatures.
Coverage basis: Official documentation confirms TLS usage and classical event signing for node identity
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: Hedera states consensus security does not depend on TLS, but node identity authentication (event signing) uses classical signatures. P2P transport security is secondary to consensus authentication, which is scored separately.
P2P TLS upgrade to PQ is planned as a configuration change when TLS libraries support ML-KEM; no implementation exists yet.
Production Cryptographic Protection
Critical wallet, custody, HSM, signer, and hardware-wallet workflows support the production PQ/hybrid path
Claim: All wallet, custody, and HSM integrations for Hedera use ECDSA secp256k1 or Ed25519. No PQ-compatible wallet or custody workflows exist.
Coverage basis: Key type documentation confirms only classical key types are supported; no PQ wallet tooling exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: AWS KMS tutorial confirms only ECDSA key support for Hedera HSM signing workflows.
Wallet/custody migration is dependent on protocol-level PQC key type support (targeted 2027).
Migration Status & Value-at-Risk
Percentage of economically relevant value-at-risk protected from quantum key-recovery attacks
Claim: 0% of HBAR value-at-risk is PQ-protected. All circulating HBAR is held in accounts secured by ECDSA or Ed25519 keys. All accounts that have submitted transactions have exposed public keys on-chain.
Coverage basis: All accounts use classical signatures; no PQC key type exists; no migration has occurred
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, burn, recovery, or policy path. 0% of value-at-risk is protected.
Assurance: No on-chain analytics measuring exact breakdown of dormant vs. active exposed accounts were located. Nominal circulating supply is treated as fully vulnerable.
Coverage is 0% (less than 25% threshold). Score of 1 applies at the experimental tier per QRI spec section 9.3.1.
Migration Status & Value-at-Risk
Critical wallets migrated, protected, or inherently PQ-native
Claim: No evidence that any treasury, exchange, custodian, bridge, foundation, or protocol-controlled wallet has migrated to PQC. All critical wallets use classical signatures.
Coverage basis: No PQC key type exists; migration is not possible
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Assurance: No exchange or custodian migration attestations exist because protocol-level PQC support does not exist.
Migration Status & Value-at-Risk
Legacy vulnerable pools identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: Hedera has publicly acknowledged that all ECDSA and Ed25519 accounts are quantum-vulnerable. However, no measurement, deprecation mechanism, freeze policy, or burn path for vulnerable accounts exists.
Coverage basis: Public acknowledgement exists; measurement and deprecation mechanisms do not
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: Public acknowledgement (roadmap/proposal level) earns partial credit. No measurement or deprecation mechanism exists.
Vulnerability is identified in official blog and docs. No on-chain measurement, deprecation deadline, freeze mechanism, or burn policy published.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: Hedera published a detailed PQC migration roadmap in April 2026 with four sequenced phases: (1) PQ TLS for nodes, (2) PQ TLS for clients, (3) hybrid event signing (Ed25519 + FN-DSA), (4) PQ user key type via HAPI targeted for 2027. Dependencies, activation criteria, and fallback options are documented.
Coverage basis: Official blog post and DevDay 2026 presentation provide explicit sequencing, algorithm selection, and timeline
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Roadmap is detailed, publicly available, and independently verifiable from multiple primary sources. This is one of the most comprehensive PQC roadmaps published by any major DLT project.
The roadmap is explicit about sequencing, algorithm choices, fallback options (ML-DSA if FN-DSA delayed), and dependencies on NIST standardization timelines.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults
Claim: Hedera's account model supports in-place key rotation without changing account ID. However, no PQ account creation, wallet tooling, custody paths, migration prompts, or user-facing warnings exist today. PQ key type is targeted for 2027.
Coverage basis: Key rotation capability is documented; PQ tooling does not exist
Implementation score: 0.25 · Evidence confidence: High
Issue classification: operational/product caveat · Score treatment: score-reducing
Assurance: Key rotation capability is a structural advantage. The roadmap design exists but no PQ tooling is available.
Partial credit for documented design feature (key rotation) that will facilitate migration. No PQ wallet, custody, or migration prompt infrastructure exists.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination
Claim: No enforcement mechanisms exist. No deprecation, freeze, disabled legacy signing, restricted withdrawals, or mandatory migration deadlines have been published. Existing Ed25519/ECDSA keys will continue working throughout migration per the roadmap.
Coverage basis: Roadmap explicitly states legacy keys continue working; no enforcement mechanism documented
Implementation score: 0 · Evidence confidence: High
Issue classification: operational/product caveat · Score treatment: score-reducing
Assurance: The permissive migration model (voluntary rotation, no deadline) means vulnerable accounts can persist indefinitely. Exchange, custody, and bridge coordination for migration has not been evidenced.
No enforcement mechanism means quantum-vulnerable accounts could remain active even after PQC key types become available.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure, incident-response, or governance process for quantum vulnerabilities
Claim: No evidence of a quantum-specific incident-response playbook, disclosure process, or governance mechanism for quantum-related vulnerabilities was identified.
Coverage basis: No public documentation of quantum-specific IR processes found
Implementation score: 0 · Evidence confidence: Low
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: Absence of a public quantum-specific IR process is an assurance gap. Hedera may have internal processes not publicly documented. General security contact and council governance exist but are not quantum-specific.
The Hedera Council governance model provides a structured decision-making framework, but no quantum-specific emergency procedures have been published.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: Roadmap selects NIST-track algorithms: FN-DSA (FIPS 206, pending finalization) as primary, ML-DSA (FIPS 204, finalized) as fallback, and ML-KEM (FIPS 203, finalized) for TLS. SHA-384 and AES-256 are already in production and are PQ-resistant per NIST and CNSA guidance.
Coverage basis: Roadmap documents algorithm selection aligned with NIST PQC standardization
Implementation score: 0.25 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Algorithm selection is well-aligned with NIST standards. SHA-384 and AES-256 are already in production. However, no PQC signature algorithms are implemented—roadmap/proposal level only.
FN-DSA (Falcon) is not yet a finalized NIST standard. The fallback to ML-DSA (finalized FIPS 204) is documented. SHA-384 usage is genuinely PQ-resistant and in production.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit for quantum-critical scope
Claim: No PQC audit exists. Historical audits (FP Complete 2021, CMU Coq proof 2018, NCC Group 2024) are classical-scope only and do not cover PQC implementations or migration design.
Coverage basis: All existing audits are classical-scope; no PQC implementation to audit
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: score-reducing
Assurance: FP Complete (2021) covered code quality and HTS; CMU (2018) formally verified ABFT consensus; NCC Group (2024) audited only the Transaction Tool demo app. None are PQC-scoped. The absence of PQC audits is expected given no PQC implementation exists.
Score reflects current state: no PQC implementation exists to audit.
- https://hedera.com/blog/fp-complete-publishes-results-of-independent-3rd-party-audits-of-hedera-platform-and-new-hedera-token-service/
- https://hedera.com/blog/coq-proof-completed-by-carnegie-mellon-professor-confirms-hashgraph-consensus-algorithm-is-asynchronous-byzantine-fault-tolerant/
- https://hedera.com/wp-content/uploads/2025/12/NCC_Group_HederaHashgraph_E017270_Report_2024-11-20_v1.0.pdf
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: The Hiero consensus node is open-source (Apache 2.0) under LF Decentralized Trust. However, no PQC implementation exists in the codebase to be open-source or reproducible.
Coverage basis: Classical codebase is open-source; no PQC code exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Current (non-PQC) implementation is open-source and buildable. The subfactor scores the quantum-critical implementation, which does not exist.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: Roadmap documents fallback from FN-DSA to ML-DSA if FIPS 206 is delayed, and from hybrid to pure PQC signing after standardization. TLS upgrade path via library support is documented as a configuration change.
Coverage basis: Roadmap documents algorithm agility and fallback options
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: none · Score treatment: not applicable
Assurance: Parameter agility and fallback strategy are documented in the roadmap but not yet implemented or tested.
Algorithm & Implementation Assurance
Stateful-signature safety, side-channel, fault-injection, and custody implementation risks considered
Claim: No PQC signature implementation exists to evaluate for stateful-signature safety or side-channel risks. The roadmap acknowledges FN-DSA's floating-point implementation complexity and side-channel risk.
Coverage basis: Roadmap acknowledges implementation risks; no PQC implementation to evaluate
Implementation score: 0 · Evidence confidence: Medium
Issue classification: none · Score treatment: not applicable
Assurance: FN-DSA's floating-point dependency is a known implementation risk acknowledged in the roadmap. Not applicable to current production since no PQC signatures are deployed. Neither FN-DSA nor ML-DSA are stateful schemes (unlike XMSS/LMS), so stateful-signature safety is less critical for Hedera's planned algorithm choices.
FN-DSA and ML-DSA are stateless schemes; stateful-signature risks are minimal for Hedera's planned algorithms. Side-channel risk for FN-DSA floating-point operations is a genuine concern noted in the roadmap.
Algorithm & Implementation Assurance
Performance and resource-impact analysis exists where PQ signature/verification costs could affect safe deployment
Claim: Roadmap includes signature size comparison table (FN-DSA: 1,280 bytes, 20x Ed25519; ML-DSA-87: 4,627 bytes, 72x Ed25519) and acknowledges impacts on transaction size, cost, bandwidth, storage, and maximum transaction size limits.
Coverage basis: Blog post provides quantitative size comparison and qualitative impact assessment
Implementation score: 0.25 · Evidence confidence: Medium
Issue classification: operational/product caveat · Score treatment: not applicable
Assurance: Qualitative analysis exists but no formal benchmarks with Hedera-scale transaction volumes, block validation timing, or fee-model impact have been published.
Partial credit for documented awareness and sizing analysis. Formal performance benchmarks at production scale are not yet available.
Report metadata