News
Research

from the migration desk

Migration options for quantum-ready multisigs

The long-form version of Quorum's migration path: start post-quantum now, or move in stages without changing the vault address.

Migration options for quantum-ready multisigs research title card

The safest migration is not the most dramatic one. Most teams do not need to rebuild their treasury process overnight. They need a way to introduce post-quantum approval while keeping the address, workflow, and accountability model their organization already understands.

Quorum is built around that premise.

Option 1: Start post-quantum from day one

New vaults can begin with Falcon or Winternitz members immediately. This is the cleanest path for high-value cold storage, new protocol authorities, and teams that can train operators before assets arrive.

Example policies:

  • 1-of-1 Falcon for a personal devnet vault.
  • 2-of-3 with two Falcon members and one Ed25519 operator.
  • 3-of-5, including at least two post-quantum approvals.

The benefit is clarity. The team never has to unwind a purely classical quorum. The cost is operational readiness: Falcon and Winternitz signing are less familiar than ordinary wallet signing.

Option 2: Hybrid migration

Existing teams can create or operate a Quorum multisig with Ed25519 and secp256k1 continuity, then add Falcon or Winternitz members as people become ready. This is the path for treasuries, protocols, and enterprises that need training, policy review, or staged hardware support.

The key is pq_threshold. The normal threshold answers how many approvals are required. The PQ threshold answers how many of those approvals must come from Falcon or Winternitz members.

Total threshold
3 of 5
PQ threshold
1
Address
Stable through rotation

That second rule is what changes the risk model. A classical-only 3-of-5 quorum can fail if a quantum attacker recovers enough classical private keys. A 3-of-5 quorum with pq_threshold = 1 still needs post-quantum evidence.

Option 3: Role rotation

Not every classical signer has to disappear. As quantum readiness improves, Ed25519 or secp256k1 members can move into lower-trust roles: proposer, executor, fee payer, reviewer, or emergency coordinator. High-value final approval can move to Falcon or Winternitz.

That is often healthier than a hard cutover. It preserves human accountability and continuity while reducing the number of classical keys that can authorize final execution.

What does not have to change

The governed vault address does not need to change just because member identities change. Proposal history remains in one place. Integrations can continue pointing at the same multisig authority. Teams can migrate signer policy without turning every asset movement into a separate migration event.

Operational checklist

  1. Inventory long-lived Solana authorities and exposed public keys.
  2. Identify which authorities need post-quantum approval first.
  3. Add Falcon members for compact recurring approval.
  4. Add Winternitz members where a hash-based assumption is valuable.
  5. Set pq_threshold to 1 for the first high-value policies.
  6. Raise the PQ requirement as operator readiness improves.
  7. Keep classical signers where compatibility and fee payment still matter.

Post-quantum migration should feel like governed rotation, not a vault migration.

Quorum

Bottom line

Quantum readiness is a policy journey. Quorum gives teams two practical starting points: go post-quantum immediately, or introduce post-quantum approval in stages while preserving operational continuity.

References