There's a lot of talk about EdDSA chains and post-quantum upgrades.
P11's Co-Founder & VP of Engineering @ConorDeegan4 provides a deep dive on what you need to know.

12 Aug, 22:49
I've been looking into more post-quantum upgrade mechanisms, especially ones which do not require a change of address.
EdDSA chains that follow RFC-8032 (Ed25519 style) have a built-in advantage. Your signing key isn’t a raw random scalar, it’s deterministically derived from a short seed by hashing. That means you can prove you know the seed (in a post-quantum-sound ZK proof) and bind a new post-quantum key to the same address. No fund moves and no new curve data on-chain. Even dormant accounts can be upgraded if the seed exists. This covers chains like Sui, Solana, NEAR, Stellar, Aptos.
Bitcoin/Ethereum don’t have that invariant by default because many ECDSA keys came from "just pick a random scalar". But there is a possible path for big cohorts that use BIP-39 → BIP-32 with well defined paths. You can prove that exact derivation and bind a post-quantum key without moving funds. But, it’s wallet-specific and may be complex:
- BIP-39’s PBKDF2-HMAC-SHA512 (2048 rounds) is costly in ZK
- BIP-32 adds HMAC-SHA512 and secp256k1 math inside the circuit
Still, for common paths (e.g., Ethereum m/44’/60’/0’/0/x), it may be feasible.
Generally there are two deployment patterns:
1. One-time proof + mapping: publish a proof once and record address → post-quantum key. From then on, you sign post-quantum for that address.
2. Per-transaction proof: each transaction carries a single proof that ties the seed to the address and authorizes the message. Stateless, but every verifier must check the proof. This may rule out a lot of chains given the performance overhead of verifying the proof per tx.
Why this works: Shor’s algorithm breaks discrete logs (so public-key systems like ECDSA/EdDSA fail once the public key is exposed). Grover’s algorithm only gives a quadratic speedup for hash preimages. So if your private key is derived from a seed via a strong hash (e.g., SHA-512), the seed remains hidden even if a future machine recovers today’s key. That’s why the "seed-first" design in EdDSA helps.
Also, you don’t need a hard fork to start. Before Q-Day you can also bind identities without ZK by cross-signing the legacy address and the post-quantum key in both directions and anchoring it to time. That’s what we built with yellowpages.
In the post I break down the mechanics, what you can save today on EdDSA chains, what you can realistically save on ECDSA, the trade-offs of one-time vs per-tx proofs, and the limits you should care about (seed handling, replay protection, proof cost). Full write-up below.