Cryptography · January 17, 2026 · 12 min read

Post-Quantum Encryption On-Chain: Replacing ElGamal with PQC Algorithms

Exploring the transition from ElGamal to post-quantum cryptography (Kyber, Dilithium) for future-proof on-chain privacy. A deep dive into lattice-based schemes and their blockchain applications.


Research Team

NixProtocol


The quantum elephant in the room

Here's an uncomfortable truth: most of the cryptography protecting your crypto will break when quantum computers get powerful enough.

Your Ethereum wallet's private key? Derivable from your public key with Shor's algorithm. The Diffie-Hellman key exchanges in stealth addresses? Broken. The ElGamal encryption we use for private balances? Gone.

This isn't science fiction. It's math that's been understood since 1994. The only question is when the hardware catches up.

When should we actually worry?

Nobody knows exactly. Estimates range from 2030 to 2050 for "cryptographically relevant" quantum computers. IBM, Google, and a dozen startups are racing to get there.

But here's the thing: even if it's 20 years away, there's an attack called "harvest now, decrypt later." Someone captures your encrypted transactions today, stores them, and decrypts them in 2040 when they have a quantum computer.

For financial privacy, that matters. Your encrypted balance from 2025 being revealed in 2045 might not be a disaster. But it might be. We'd rather not find out.

What we use today (and why it's vulnerable)

NixProtocol currently uses ElGamal encryption. It's elegant: you can do math on encrypted values without decrypting them (homomorphic properties), which is essential for updating balances privately.

The problem is ElGamal's security rests on the "discrete logarithm problem" being hard. Quantum computers make it easy.

We need a replacement that:

  1. Survives quantum computers
  2. Still has the homomorphic properties we need
  3. Doesn't make transactions impossibly expensive

Enter lattice cryptography

The solution comes from a weird branch of math involving high-dimensional grids called lattices. Finding short vectors in these lattices is hard. Really hard. Even for quantum computers.

NIST spent years evaluating post-quantum candidates and picked:

  • Kyber for encryption/key exchange
  • Dilithium for signatures

These are now standards. They work. They're fast enough for real use.

The size problem

Here's the catch: post-quantum crypto is bigger. Way bigger.

What          Current (secp256k1)    Post-Quantum (Kyber / Dilithium)
Public key    33 bytes               1,184 bytes
Signature     64 bytes               3,293 bytes

That's roughly 35-50x larger. On a blockchain where every byte costs gas, that's painful.

But it's not as bad as it sounds. The actual computation is fast (microseconds). The main cost is data size, and we can optimize around that in various ways.

The homomorphism problem

The bigger challenge: Kyber doesn't have the nice algebraic properties ElGamal has. With ElGamal, you can add encrypted values without decrypting:

Enc(a) * Enc(b) = Enc(a + b)

That's how we update encrypted balances privately. Kyber can't do this directly.
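The identity above holds for the exponent-encoded ("lifted") form of ElGamal, where a balance m is encrypted as G^m rather than as m itself; textbook ElGamal multiplies plaintexts instead. The following is an added example written for this article, not NixProtocol code: it implements that additive variant over a toy 64-bit safe-prime group (found by a deterministic search, so every run uses the same parameters), adds two ciphertexts without touching a private key, and recovers the sum with a baby-step giant-step discrete log. The group size and the MaxBalance bound are this example's choices; a deployment would use a standardized group or the elliptic-curve form at a 128-bit security level. Kyber has no counterpart to Add: it is a KEM whose decryption rounds noise away and hashes the result, so no operation on its ciphertexts maps to arithmetic on plaintexts.

```go
// Exponential ("lifted") ElGamal: the additive homomorphism the post relies on.
// Added example, not NixProtocol code. The group is a toy 64-bit safe-prime group
// found deterministically; deployments use standardized groups at 128-bit security.
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

const MaxBalance = 1 << 32 // largest plaintext Decrypt will recover
const bsgsM = 1 << 16      // baby-step table size, sqrt(MaxBalance)

var (
	one = big.NewInt(1)
	// P = 2Q+1, Q prime. G = 4 is a square mod P, so it generates the order-Q subgroup.
	P, Q = findSafePrime(new(big.Int).Lsh(one, 63))
	G    = big.NewInt(4)
)

// findSafePrime returns the first q >= start such that q and p = 2q+1 are both prime.
func findSafePrime(start *big.Int) (p, q *big.Int) {
	q = new(big.Int).Or(start, one) // begin at an odd candidate
	p = new(big.Int)
	for {
		p.Lsh(q, 1).Add(p, one)
		if q.ProbablyPrime(20) && p.ProbablyPrime(20) {
			return p, q
		}
		q.Add(q, big.NewInt(2))
	}
}

// Ciphertext is (G^r, pk^r * G^m): m sits in the exponent. Textbook ElGamal puts
// m itself in the second component, which gives Enc(a)*Enc(b) = Enc(a*b) instead.
type Ciphertext struct{ C1, C2 *big.Int }

// randExponent draws a uniform exponent in [1, Q-1].
func randExponent() *big.Int {
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(Q, one))
	if err != nil {
		panic(err)
	}
	return r.Add(r, one)
}

func KeyGen() (sk, pk *big.Int) {
	sk = randExponent()
	return sk, new(big.Int).Exp(G, sk, P)
}

func Encrypt(pk *big.Int, m uint64) Ciphertext {
	r := randExponent()
	c1 := new(big.Int).Exp(G, r, P)
	c2 := new(big.Int).Exp(pk, r, P)
	c2.Mul(c2, new(big.Int).Exp(G, new(big.Int).SetUint64(m), P)).Mod(c2, P)
	return Ciphertext{c1, c2}
}

// Add multiplies component-wise; whoever does it never sees a plaintext.
func Add(a, b Ciphertext) Ciphertext {
	c1, c2 := new(big.Int).Mul(a.C1, b.C1), new(big.Int).Mul(a.C2, b.C2)
	return Ciphertext{c1.Mod(c1, P), c2.Mod(c2, P)}
}

// Decrypt recovers G^m = C2 * C1^(-sk), then solves the small discrete log. That
// last step is the price of the additive variant: plaintexts must stay below MaxBalance.
func Decrypt(sk *big.Int, c Ciphertext) (uint64, error) {
	gm := new(big.Int).Exp(c.C1, sk, P)
	gm.ModInverse(gm, P)
	gm.Mul(gm, c.C2).Mod(gm, P)
	return dlogSmall(gm)
}

var babySteps map[string]uint64 // G^j -> j for j < bsgsM, built on first use
// dlogSmall is baby-step giant-step for G^m = h with 0 <= m < MaxBalance.
func dlogSmall(h *big.Int) (uint64, error) {
	if babySteps == nil {
		babySteps = make(map[string]uint64, bsgsM)
		cur := big.NewInt(1)
		for j := uint64(0); j < bsgsM; j++ {
			babySteps[cur.String()] = j
			cur.Mul(cur, G).Mod(cur, P)
		}
	}
	giant := new(big.Int).ModInverse(new(big.Int).Exp(G, big.NewInt(bsgsM), P), P) // G^(-bsgsM)
	gamma := new(big.Int).Set(h)
	for i := uint64(0); i < bsgsM; i++ { // gamma = h * G^(-i*bsgsM)
		if j, ok := babySteps[gamma.String()]; ok {
			return i*bsgsM + j, nil
		}
		gamma.Mul(gamma, giant).Mod(gamma, P)
	}
	return 0, fmt.Errorf("plaintext is not below %d", uint64(MaxBalance))
}

func main() {
	sk, pk := KeyGen()
	m, err := Decrypt(sk, Add(Encrypt(pk, 1000), Encrypt(pk, 250))) // summed without sk
	fmt.Println(m, err) // 1250 <nil>
}
```

The bounded discrete log in Decrypt is the operational catch of this variant: the holder of the key can only recover balances inside a known range, and the range sets the size of the scan table. A wrong key, or a sum that overflows the range, surfaces as an error rather than as a wrong balance.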

Options:

  1. Use lattice-based homomorphic encryption schemes (slower, but they exist)
  2. Hybrid approaches: Kyber for keys, something else for computation
  3. Replace homomorphic updates with ZK proofs

We're exploring all three.

Our migration plan

We're not waiting for quantum computers to arrive before we start.

Phase 1 (now): Hybrid encryption. Every balance gets encrypted with both ElGamal AND Kyber. If quantum computers never arrive, no harm. If they do, the Kyber layer protects you.

Phase 2 (future): Once the ecosystem matures, migrate fully to lattice-based systems. Kyber for stealth addresses, Dilithium for signatures, STARK proofs instead of SNARKs.

Phase 3: Optimize. Post-quantum crypto is improving fast. Parameters will shrink. Hardware acceleration will arrive. What's expensive today will be cheap in a few years.

What changes for stealth addresses

Current stealth addresses use Diffie-Hellman, which quantum breaks.

Post-quantum version uses Kyber. Instead of a 32-byte ephemeral point, there's a 1KB ciphertext. Transactions get bigger. Scanning for incoming payments takes more work.

Not ideal, but manageable. And it survives the quantum apocalypse.
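The Phase 1 hybrid layering and the Kyber-based stealth address above can be shown together. The following is an added example, not NixProtocol code, and needs Go 1.24 or later for the standard-library crypto/mlkem package: a recipient publishes a classical key and a 1,184-byte ML-KEM-768 encapsulation key (ML-KEM is the standardized form of Kyber, FIPS 203), a sender derives a one-time key from both a Diffie-Hellman shared secret and a Kyber encapsulation, and the recipient recovers it by scanning announcements. X25519 stands in here for the classical layer (the post's ElGamal/Diffie-Hellman on secp256k1), and the HMAC-based combiner, the "nix-hybrid-v1" label and the one-byte view tag are this example's assumptions, modelled on common stealth-address designs rather than taken from the post.

```go
// Hybrid (X25519 + ML-KEM-768) stealth-address flow; an added example, not
// NixProtocol code. X25519 stands in for the classical DH layer (the post's
// ElGamal on secp256k1); ML-KEM-768 is the standardized form of Kyber (FIPS 203).
// The HMAC combiner and the "nix-hybrid-v1" label are assumptions. Needs Go 1.24+.
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MetaAddress is what a recipient publishes: 32-byte X25519 key + 1,184-byte ML-KEM key.
type MetaAddress struct {
	Classical []byte
	PQ        []byte
}

// Recipient keeps both secret halves; a break of X25519 alone leaves one-time keys secret.
type Recipient struct {
	classical *ecdh.PrivateKey
	pq        *mlkem.DecapsulationKey768
}

// Announcement is the on-chain payload: 32 + 1,088 + 1 bytes, versus one 32-byte point today.
type Announcement struct {
	EphemeralX25519 []byte
	MLKEMCiphertext []byte
	ViewTag         byte // first byte of the derived key; lets scanners skip most payments cheaply
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func NewRecipient() (*Recipient, MetaAddress) {
	ck, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	dk, err := mlkem.GenerateKey768()
	check(err)
	return &Recipient{ck, dk}, MetaAddress{ck.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()}
}

// combine derives the one-time key from both shared secrets and binds both ciphertexts.
func combine(ssClassical, ssPQ, ctClassical, ctPQ []byte) []byte {
	mac := hmac.New(sha256.New, append(append([]byte{}, ssClassical...), ssPQ...))
	mac.Write([]byte("nix-hybrid-v1"))
	mac.Write(ctClassical)
	mac.Write(ctPQ)
	return mac.Sum(nil)
}

// Send returns the one-time key the sender pays to and the announcement that reveals it only to the recipient.
func Send(to MetaAddress) ([]byte, Announcement) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	theirPub, err := ecdh.X25519().NewPublicKey(to.Classical)
	check(err)
	ssClassical, err := eph.ECDH(theirPub)
	check(err)
	ek, err := mlkem.NewEncapsulationKey768(to.PQ)
	check(err)
	ssPQ, ctPQ := ek.Encapsulate()
	ctClassical := eph.PublicKey().Bytes()
	key := combine(ssClassical, ssPQ, ctClassical, ctPQ)
	return key, Announcement{ctClassical, ctPQ, key[0]}
}

// Scan costs one X25519 and one ML-KEM decapsulation per announcement: the extra work the
// post mentions. ML-KEM rejects implicitly (a random-looking key, not an error), so the tag filters.
func (r *Recipient) Scan(ann Announcement) ([]byte, bool) {
	ephPub, err := ecdh.X25519().NewPublicKey(ann.EphemeralX25519)
	if err != nil {
		return nil, false // malformed announcement
	}
	ssClassical, err := r.classical.ECDH(ephPub)
	if err != nil {
		return nil, false
	}
	ssPQ, err := r.pq.Decapsulate(ann.MLKEMCiphertext)
	if err != nil {
		return nil, false
	}
	key := combine(ssClassical, ssPQ, ann.EphemeralX25519, ann.MLKEMCiphertext)
	return key, key[0] == ann.ViewTag
}

func main() {
	alice, meta := NewRecipient()
	key, ann := Send(meta)
	got, ok := alice.Scan(ann)
	fmt.Println(len(meta.PQ), len(ann.MLKEMCiphertext), ok && hmac.Equal(got, key)) // 1184 1088 true
}
```

Two design points matter for a defender reading this. The combiner keys the HMAC with both shared secrets and mixes in both ciphertexts, so an attacker who later recovers the X25519 secret (the "harvest now, decrypt later" case) still lacks the ML-KEM half and cannot derive the one-time key. And because ML-KEM decapsulation never signals "not for you", a scanner must derive the key for every announcement and filter on the tag; a one-byte tag still passes about 1 in 256 foreign payments to the full address check, which is why the tag is only a speed-up and not the authorization decision.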

Practical advice

If you're building privacy tech:

Now: Abstract your cryptography. Don't hardcode secp256k1 everywhere. Make it easy to swap algorithms.

Soon: Add hybrid encryption for long-term secrets. Anything that needs to stay private for 10+ years should have a post-quantum layer.

Watch: NIST standardization is mostly done, but IETF integration and Ethereum research are ongoing. EIP proposals for PQC precompiles would make this much cheaper on-chain.

The bottom line

We don't know when quantum computers will break current crypto. Could be 2030. Could be 2050. Could be never (but probably not).

What we do know: the transition isn't optional. Financial privacy that breaks in 15 years isn't really privacy. And the "harvest now, decrypt later" threat means the clock is already ticking on today's encrypted data.

We're building NixProtocol to survive the transition. Start with what works today, add quantum resistance as a layer, then migrate fully when the tech matures.

Privacy that lasts.
