The National Institute of Standards and Technology’s draft SP 800-230 marks a turning point in how we should think about post-quantum security. It outlines how the future of cryptography is not about selecting a single “quantum-safe” algorithm, but about deploying multiple levels of security based on risk, context, and time horizon.
This draft NIST document confirms something I have argued for years. The blockchain industry is solving the wrong problem. Most blockchain networks are racing to implement static post-quantum cryptography.
But post quantum security is not a one-time upgrade. It is a logistics problem, one that requires flexibility at the transaction level, not rigidity at the protocol level.
Static Upgrades in a Dynamic Threat Environment
SP 800-230 proposes 6 new SPHINCS+ algo variants in addition to the 12 variants already standardized by FIPS-205 (SLH-DSA). If accepted and standardized, the total number of variants of PQC algos will stand at 24 for only 3 standards.
Additionally, NIST will not be the only PQC standards-making organization, there are country specific PQC algo variants being standardized for their jurisdictions.
An adaptable framework is needed: hybrid cryptographic models, layered defenses, and the ability to evolve as threats change.
That reflects how risk actually works in financial systems. Not all transactions are equal, and not all exposures should be treated the same.
Blockchains, however, are built on uniformity. Every transaction is governed by the same cryptographic rules, regardless of whether it is a $10 transfer or a $10 billion settlement. From a market structure perspective, that is a mispricing of risk. In traditional finance, we never applied a single risk model across all trades. We adjusted margin, collateral, and controls dynamically.
Yet in blockchain, we are attempting to secure a highly heterogeneous system with a single cryptographic assumption. We are still thinking with a legacy mindset, ignoring the realities that are happening now.
This is why simply swapping in a post-quantum algorithm does not solve the problem. It replaces one static system with another. It does not give asset holders the ability to adapt as threats evolve, or as the value and exposure of their assets change over time.