Is Across Protocol Quantum Safe?
Is Across Protocol quantum safe? It is a question that most ACX holders have not yet asked, but cryptographers are already treating it as urgent. Across Protocol is a cross-chain bridge built on optimistic verification and UMA's oracle system, secured, like virtually every other EVM-compatible protocol, by elliptic-curve cryptography. That single fact places it squarely in the crosshairs of the quantum computing threat. This article breaks down exactly what cryptography Across uses, where the exposure points are, what a credible migration would require, and how today's post-quantum wallets approach the problem differently.
What Is Across Protocol and How Does It Work?
Across Protocol (ACX) is a cross-chain bridge that allows users to move assets between Ethereum mainnet and layer-2 networks such as Arbitrum, Optimism, Base, Polygon, and zkSync. It uses a system of liquidity providers, relayers, and UMA's optimistic oracle to settle cross-chain transfers quickly and cheaply.
Three roles underpin the system:
- Depositors lock funds on the origin chain and specify destination chain details.
- Relayers front the capital on the destination chain, earning a fee.
- Liquidity providers deposit into a Hub Pool on mainnet, bearing the settlement risk in exchange for yield.
UMA's optimistic oracle finalises disputed claims after a challenge window. If no dispute is raised, the claim is accepted and relayers are reimbursed from the Hub Pool.
The Cryptographic Foundations of Across
Every transaction in this system is secured by the same primitive that secures almost every other EVM-compatible protocol: the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. When a user signs a deposit transaction, when a relayer signs a fill, when a governance vote is cast, all of these operations produce ECDSA signatures that Ethereum's validator network and the Across smart contracts treat as proof of authorisation.
EdDSA (Edwards-curve Digital Signature Algorithm), used on certain other chains, relies on a structurally similar mathematical problem. Both ECDSA and EdDSA derive their security from the elliptic curve discrete logarithm problem (ECDLP), which classical computers cannot solve at scale. Quantum computers can.
---
The Quantum Threat: Why ECDLP Breaks on Q-Day
A sufficiently large, fault-tolerant quantum computer running Shor's algorithm can solve the ECDLP in polynomial time. For a 256-bit elliptic curve key, the attack requires roughly 2,330 logical qubits with full error correction, according to estimates published by researchers at Google and Microsoft. Today's machines have hundreds of noisy physical qubits. The gap is narrowing faster than most protocol roadmaps acknowledge.
Q-day is the threshold at which a quantum adversary can:
- Observe a public key broadcast in a pending transaction.
- Derive the corresponding private key using Shor's algorithm before the block is confirmed.
- Broadcast a competing transaction with a higher gas fee, stealing the funds.
In the context of encrypted data, the related threat is sometimes called the "harvest now, decrypt later" attack. For blockchain signatures, the real-time variant is more immediate: an attacker does not need to wait years. They need only act within the mempool window.
Which Across Users Are Most Exposed?
The exposure is not uniform. It depends on how a wallet is used:
| Wallet behaviour | Quantum exposure level | Reason |
|---|---|---|
| Address reused for multiple txns | **High** | Public key exposed after first transaction |
| Address used once, funds moved | **Moderate** | Public key visible in blockchain history |
| Funds sitting in an unused address | **Lower (for now)** | Public key not yet revealed on-chain |
| Smart contract address (e.g. Hub Pool) | **High** | Code and logic publicly visible; admin keys are ECDSA |
The Hub Pool and SpokePool contracts are governed by multisig or DAO mechanisms, all of which ultimately resolve to ECDSA key pairs. A quantum adversary capable of breaking ECDSA could impersonate governance signers or drain liquidity without triggering the challenge mechanism.
Does Across Protocol Use Any Post-Quantum Cryptography?
As of the time of writing, Across Protocol has published no post-quantum cryptography (PQC) migration roadmap. This is not a criticism unique to Across. The overwhelming majority of EVM-compatible protocols have no PQC plan. Ethereum's core developers have discussed quantum resistance in the context of account abstraction (EIP-7560 and related proposals), but a protocol-wide migration is a multi-year project that has not formally begun.
---
What a Post-Quantum Migration Would Actually Require
A genuine PQC migration for a protocol like Across is not a simple contract upgrade. It involves every layer of the stack.
Layer 1: Ethereum's Signature Scheme Must Change First
Across inherits its security assumptions from Ethereum. For ACX to be quantum safe, Ethereum itself would need to support PQC signatures natively. The NIST PQC standardisation process, finalised in 2024, produced three primary standards:
- ML-KEM (Module Lattice Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) for key exchange.
- ML-DSA (Module Lattice Digital Signature Algorithm, formerly CRYSTALS-Dilithium) for signatures.
- SLH-DSA (Stateless Hash-based Digital Signature Algorithm, formerly SPHINCS+) for hash-based signatures.
Lattice-based schemes like ML-DSA produce significantly larger signatures than ECDSA. A typical ECDSA signature is 64 bytes. An ML-DSA-65 signature is approximately 3,293 bytes. At current Ethereum gas prices, this size increase has material cost implications for every on-chain operation, from routine transfers to complex bridge interactions.
Layer 2: Smart Contracts Must Be Redeployed
All SpokePool and HubPool contracts would need to be redeployed to verify PQC signatures rather than ECDSA signatures. Solidity has no native support for lattice-based verification today. Implementations would require either precompiles (protocol-level changes) or expensive on-chain verification libraries, which could be prohibitively costly in gas until precompiles are introduced.
Layer 3: Relayers and Off-Chain Infrastructure
Across relies on a network of off-chain relayers to observe deposits and fill orders. Each relayer runs its own key management infrastructure. A PQC migration would require every relayer to rotate keys, update signing software, and maintain compatibility with a bridge protocol that may be operating in a hybrid mode (accepting both ECDSA and PQC signatures) during the transition period.
Layer 4: User Wallets
Finally, every end user would need a wallet capable of generating and storing PQC key pairs. This is perhaps the highest friction point. Hardware wallets, browser extensions, and mobile apps would all require firmware and software updates before users could safely participate in a post-quantum version of Across.
---
Timeline Scenarios: When Does This Actually Matter?
Analyst views on Q-day range widely, but several credible institutions have moved from "decades away" to "within 10 to 15 years" as a central scenario.
- NIST began the PQC standardisation process in 2016 and completed it in 2024, signalling institutional urgency.
- The NSA issued guidance in 2022 stating that agencies should migrate to PQC standards before 2030 for the most sensitive systems.
- Google's 2023 research demonstrated Willow chip progress that accelerated timelines in public discourse.
- IBM's roadmap targets fault-tolerant quantum systems within the same decade.
For a DeFi protocol like Across, the critical window is not the moment a quantum computer can break ECDSA in a lab. It is the moment a well-capitalised adversary can do so quietly, repeatedly, and profitably. That window could open before full public awareness, which is precisely why the "harvest now, decrypt later" framing matters for data, and why "attack now on a live mempool" matters for blockchain funds.
---
How Lattice-Based Post-Quantum Wallets Approach This Differently
While protocol-level migration remains speculative, wallet-level protection is available today for users who seek it. The architectural difference is significant.
A standard Ethereum wallet generates an ECDSA key pair. The private key is typically a 256-bit scalar; the public key is a point on secp256k1. The security assumption is that deriving the private key from the public key is computationally infeasible for any classical adversary.
A lattice-based PQC wallet instead derives key security from the hardness of lattice problems, specifically the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. These problems are believed to be resistant to both classical and quantum attacks, a belief that underpins the NIST PQC standards.
Projects building at this layer, such as BMIC.ai, align their cryptographic architecture with NIST PQC standards, offering lattice-based key generation and storage that does not share ECDSA's vulnerability to Shor's algorithm. For users actively concerned about the quantum timeline, holding assets in a quantum-resistant wallet is a meaningful hedge independent of whether the underlying protocol has migrated.
It is worth being precise about what this does and does not protect. A PQC wallet protects the custody of your keys. It does not retroactively make the Across Protocol smart contracts quantum resistant. Users interacting with Across from a PQC wallet are still submitting transactions to an ECDSA-secured contract environment. The protection is asymmetric but still valuable: your private key cannot be derived even if a quantum adversary captures your public key.
---
What ACX Holders Should Monitor
If you hold ACX or use Across as a bridge, the following signals are worth tracking:
- Ethereum core developer posts and EIPs related to account abstraction and PQC signature support (EIP-7560, EIP-7685, and the broader EOF initiative).
- Across governance forum for any posts discussing cryptographic infrastructure upgrades.
- UMA Protocol's oracle security assumptions, since Across's dispute resolution layer inherits UMA's key management.
- NIST PQC implementation guides for blockchain, which are being developed with input from the crypto community.
- Hardware wallet announcements from Ledger and Trezor regarding PQC firmware support, as these often set de facto standards for the broader ecosystem.
There is no need for panicked or immediate action. The threat is real but the timeline is not weeks. The appropriate response is informed monitoring and, for high-value holdings, proactive migration to quantum-resistant custody as that infrastructure matures.
---
Summary: The Honest Verdict on Across Protocol's Quantum Safety
Across Protocol is not quantum safe. Neither is Ethereum. Neither is Bitcoin, Solana, or any production blockchain that relies on elliptic-curve signatures. This is not a unique vulnerability of Across, nor does it reflect poor engineering. It reflects the fact that every major public blockchain was designed before post-quantum cryptography reached standardisation maturity.
The difference between protocols will emerge in the coming years based on:
- How quickly they integrate PQC signing support at the contract and validator layer.
- Whether governance key management is migrated to lattice-based or hash-based alternatives.
- Whether their ecosystems (wallets, relayers, front-ends) can coordinate a migration without fragmenting liquidity.
Across Protocol has meaningful strengths as a bridge design. Its optimistic oracle model is capital-efficient, and its relayer network has proven resilient. But quantum safety is not one of its current attributes, and it is prudent for technically engaged users to understand that distinction clearly.
Frequently Asked Questions
Is Across Protocol quantum safe right now?
No. Across Protocol relies on ECDSA signatures, which are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. The protocol has no published post-quantum cryptography migration roadmap as of writing, which is consistent with the broader EVM ecosystem.
What cryptography does Across Protocol use?
Across uses ECDSA over the secp256k1 elliptic curve, the same signature scheme used by Ethereum and most EVM-compatible protocols. This covers user transaction signing, relayer operations, and governance key pairs controlling the Hub Pool and SpokePool contracts.
When could a quantum computer break Across Protocol's security?
Credible analyst scenarios place Q-day, the threshold at which a fault-tolerant quantum computer can break ECDSA, somewhere between 10 and 20 years from now, with some researchers citing closer timelines. Institutions such as NIST and the NSA recommend beginning migration to post-quantum standards before 2030 for sensitive systems.
Would using a post-quantum wallet fully protect me when using Across?
Partially. A lattice-based post-quantum wallet protects your private key from being derived by a quantum adversary. However, the Across smart contracts themselves remain ECDSA-secured. Your custody is stronger, but the protocol environment you are interacting with is not independently quantum resistant.
What would a full post-quantum migration for Across require?
It would require changes at four layers: Ethereum's core signature verification (likely via new precompiles), redeployment of all Across smart contracts to verify PQC signatures, updated signing software for every relayer in the network, and PQC-capable wallets for all end users. This is a multi-year, ecosystem-wide effort.
Which post-quantum signature standards should I watch for in blockchain?
The three NIST PQC standards finalised in 2024 are the most relevant: ML-DSA (lattice-based signatures, formerly CRYSTALS-Dilithium), SLH-DSA (hash-based signatures, formerly SPHINCS+), and ML-KEM for key encapsulation. ML-DSA is the most likely candidate for blockchain signature replacement due to its performance profile.