As quantum computing advances toward real-world impact, the Aptos post quantum strategy is emerging as a key test case for conservative blockchain security design.
AIP-137 brings SLH-DSA-SHA2-128s to the Aptos blockchain
Aptos has unveiled AIP-137, a proposal that introduces SLH-DSA-SHA2-128s as its first post-quantum signature scheme to defend the network against future quantum computing attacks. The initiative aims to harden the blockchain before quantum machines become a direct cryptographic threat.
Moreover, the proposal lands as quantum computing shifts from theory to implementation. IBM is discussing scaling paths for large-scale quantum systems, while NIST has published finalized post-quantum standards. Experts still disagree on timing, debating whether serious threats will appear in five or fifty years, yet Aptos is opting for early, conservative preparation.
Why Aptos chose a conservative hash-based scheme
AIP-137 prioritizes security assumptions over raw performance by selecting SLH-DSA-SHA2-128s, a stateless hash-based signature scheme standardized by NIST as FIPS 205. It relies exclusively on SHA-256, a hash function already integrated across Aptos infrastructure, which avoids introducing any new cryptographic assumptions.
However, this conservative stance is informed by past failures in post-quantum cryptography. The Rainbow scheme, once a NIST finalist built on multivariate cryptography, was completely broken on commodity laptops in 2022. By basing security on well-understood hash functions rather than more exotic mathematics, Aptos seeks to reduce the risk that classical attacks will defeat supposedly quantum-safe designs.
In this context, the aptos post quantum approach is framed as a baseline that favors robustness over speed, creating room for more aggressive optimizations only once the conservative layer has proven itself in production.
Performance trade-offs: size and speed versus security
The main trade-off with SLH-DSA-SHA2-128s concerns signature size and verification speed. Signatures will measure 7,856 bytes, which is 82 times larger than Ed25519, while verification takes approximately 294 microseconds, about 4.8 times slower. These overheads are deliberate, accepting efficiency costs in exchange for security guarantees that avoid untested assumptions.
Moreover, Aptos is explicitly contrasting this design with alternative schemes. Options such as ML-DSA offer smaller signatures and faster verification but rely on the hardness of structured lattice problems, which introduces new mathematical risks. Falcon delivers even better performance with compressed signatures around 1.5 KB, yet it depends on floating-point arithmetic, making implementations more error-prone and harder to audit.
Optional activation and phased rollout strategy
The proposal carefully avoids any forced migration. Ed25519 remains the default signature scheme, while SLH-DSA-SHA2-128s is introduced as an optional layer that on-chain governance can activate once quantum threats justify deployment. That said, users who require post-quantum assurances can selectively adopt the new scheme without disturbing the wider network.
For Aptos, implementation relies on feature flags to coordinate a controlled rollout across validators, indexers, wallets, and developer tools. This phased strategy gives ecosystem participants time to adjust infrastructure well before quantum computers can realistically break existing public-key cryptography.
Quantum risk across crypto and timelines to disruption
The initiative reflects wider anxiety in the digital asset sector about quantum timelines. Industry researchers estimate that about 30% of Bitcoin‘s supply, roughly 6–7 million BTC, remains exposed in legacy address formats that directly reveal public keys. This pool is considered vulnerable once scalable quantum computers emerge.
Meanwhile, large technology players are racing toward quantum milestones. IBM plans to build 100,000-qubit chipsets by the end of the decade, while PsiQuantum targets one million photonic qubits in the same timeframe. Microsoft has argued that quantum progress has moved from being “decades” away to “years” away, and Google has already reported quantum chips solving problems that are infeasible for classical systems.
Estimates for breaking 256-bit elliptic curve signatures continue to tighten. Some researchers now suggest around one million qubits could be sufficient, and they see a plausible window for cracking 256-bit digital signatures by the mid-2030s. Asset managers therefore increasingly treat quantum computing as a long-term cryptographic risk, expecting that most major blockchains will ultimately require post-quantum upgrades as the technology matures.
In summary, AIP-137 positions Aptos on a defensive footing against quantum-era attacks by adopting a NIST-standardized, hash-based scheme and an optional, phased rollout, trading efficiency for durability while the broader crypto ecosystem races to prepare for the mid-2030s threat horizon.
Source: https://en.cryptonomist.ch/2025/12/19/aptos-post-quantum-slh-dsa/
