After XRP is launched, prepare for post-quantum security; complete the XRPL quantum protection roadmap by 2028

Ripple’s Senior Director of Engineering, Ayo Akinyele, released its latest “Insights” report on April 20, outlining a multi-stage roadmap aimed at making XRP ledgers (XRPL) fully capable of post-quantum security defenses by 2028. Ripple is working with Project Eleven to accelerate development, including validated node testing and an early custody prototype.

Why XRPL Needs to Prepare for Post-Quantum Security

XRPL faces quantum-security risks that are structurally unique. On XRPL, every signed transaction exposes the public key on-chain—harmless in a traditional cryptographic environment, but with sufficiently advanced quantum computers, this could allow attackers to derive private keys from public keys, threatening the long-term security of wallets.

Akinyele noted that the “collect now, decrypt later” characteristic means that responding only when quantum threats break out is already too late. While today’s protective measures won’t immediately fail, it underscores the urgency of building systems that safeguard long-term asset security as early as possible.

Four-Stage Roadmap: From Emergency Response to Full Protection

Ripple’s roadmap includes four sequential stages:

First stage (emergency response plan): Develop contingency plans in case existing cryptographic standards become ineffective, including the “Quantum-Day” framework, to ensure that once a vulnerability is exploited, user accounts can be safely migrated to post-quantum addresses.

Second stage (algorithm evaluation): Assess the performance of post-quantum cryptographic algorithms recommended by the U.S. National Institute of Standards and Technology (NIST) in real XRPL network environments.

Third stage (performance testing): Measure the real-world impact of post-quantum algorithms on network throughput, storage requirements, and verification efficiency.

Fourth stage (parallel testing on the development network): Conduct parallel tests on the XRPL development network so developers can evaluate performance trade-offs before full implementation, ensuring stability for official deployment.

XRPL’s Native Advantages: Support for Gradual Migration

XRPL’s key rotation and deterministic key generation features provide important technical advantages, allowing a gradual transition to post-quantum standards without forcing users to give up existing accounts. Akinyele emphasized, “We should not treat the response to quantum threats on XRPL as a single standalone upgrade, but as a multi-stage strategy—carefully migrating existing global financial infrastructure without impairing the value of the digital assets that XRPL protects.”

Frequently Asked Questions

What is a “collect now, decrypt later” attack, and what impact does it have on XRP?

An attacker collects encrypted data (such as publicly available public keys on-chain) before quantum computers are powerful enough, and then decrypts it once future quantum technology matures. For XRPL, every confirmed transaction leaves a public key on-chain, which means historical records may face the risk of being reverse-engineered and analyzed when future quantum threats become mature.

What are the four key stages of XRPL’s quantum-security roadmap?

The first stage formulates the “Quantum-Day” emergency migration plan; the second stage evaluates the post-quantum cryptographic algorithms recommended by NIST; the third stage tests the performance impact of these algorithms; the fourth stage performs parallel testing on the XRPL development network to ensure the stability of official deployment.

Why does Ripple frame this as a “multi-stage strategy” rather than a single upgrade?

XRPL protects global financial infrastructure, and any rapid, non-structured replacement of cryptographic standards could cause irreversible damage to the assets of hundreds of millions of users. A phased strategy allows developers to evaluate performance impacts in test environments, giving users ample time to proactively migrate instead of being forcibly disconnected from existing accounts.