Is Adshares Quantum Safe?
Whether Adshares is quantum safe is a question every serious ADS holder should be asking as quantum computing hardware accelerates toward cryptographic relevance. This analysis breaks down the exact signature schemes Adshares relies on, models what happens to those schemes at Q-day, evaluates any public migration roadmap from the Adshares team, and compares the broader landscape of post-quantum alternatives. By the end you will have a clear, mechanism-level picture of the risk and the options available to mitigate it.
What Cryptography Does Adshares Actually Use?
Adshares (ADS) is a decentralised programmatic advertising protocol built on its own blockchain, the Adshares Network. Unlike Ethereum-based tokens that inherit Ethereum's cryptographic stack wholesale, Adshares operates a bespoke layer-1 with its own node software and transaction signing mechanism.
The Signature Scheme Under the Hood
Adshares uses Ed25519, a specific instantiation of EdDSA (Edwards-curve Digital Signature Algorithm) built on Curve25519. Ed25519 is a modern, well-audited scheme, faster than legacy ECDSA on the secp256k1 curve used by Bitcoin and Ethereum, and resistant to several classical attack classes such as timing side-channels.
Key properties of Ed25519 in Adshares:
- Private key length: 32 bytes (256 bits)
- Public key length: 32 bytes
- Signature length: 64 bytes
- Security assumption: Hardness of the discrete logarithm problem on Curve25519
That last point is the crux of the quantum safety question. The discrete logarithm problem on elliptic curves is not hard for a sufficiently powerful quantum computer. Shor's algorithm, published in 1994, solves it in polynomial time. Every wallet address, every signed transaction, every proof of fund ownership in Adshares is ultimately protected by a mathematical problem that a sufficiently powerful quantum computer running Shor's algorithm can solve.
How Ed25519 Compares to ECDSA for Quantum Exposure
A common misconception is that Ed25519 is quantum-resistant because it is newer or because it uses a twisted Edwards curve rather than a Weierstrass curve. The curve shape is irrelevant to the quantum threat. What matters is the underlying hard problem.
| Scheme | Curve / Group | Hard Problem | Broken by Shor's? |
|---|---|---|---|
| ECDSA (secp256k1) | Weierstrass | ECDLP | Yes |
| EdDSA / Ed25519 | Twisted Edwards (Curve25519) | ECDLP | Yes |
| RSA-2048 | Integer factoring | IFP | Yes |
| CRYSTALS-Dilithium | Lattice (Module-LWE) | MLWE | No |
| FALCON | Lattice (NTRU) | NTRU hardness | No |
| SPHINCS+ | Hash-based | Pre-image resistance | Effectively No |
The takeaway is unambiguous: Ed25519 and ECDSA share the same quantum vulnerability class. Adshares is not meaningfully safer than Bitcoin or Ethereum from a post-quantum perspective.
---
Understanding Q-Day: When Does the Risk Become Real?
Q-day refers to the point at which a cryptographically relevant quantum computer (CRQC) can run Shor's algorithm against real-world key lengths fast enough to be practically exploitable. Current estimates from the quantum computing research community vary, but mainstream projections cluster the highest-risk window between 2030 and 2040, with a non-trivial tail risk of an earlier breakthrough.
The Two Attack Surfaces for ADS Holders
1. Exposed public keys (immediate-risk addresses)
When an ADS address has ever broadcast a transaction, the public key is on-chain and permanently visible. A CRQC can derive the private key from this public key using Shor's algorithm. Any funds sitting at such an address become attackable the moment a CRQC is operational. Estimates suggest a large fraction of all crypto addresses in existence have exposed public keys due to prior transaction history.
2. In-flight transaction interception (harvest-now-decrypt-later)
Even for addresses whose public keys have not yet been broadcast, adversaries are already harvesting encrypted and signed data. Once a CRQC is available, signed transactions broadcast in the window between submission and inclusion in a block could theoretically be intercepted, the private key derived, and a double-spend substituted. The time window is narrow but non-zero, particularly in periods of network congestion.
The "Harvest Now, Decrypt Later" Threat to ADS Specifically
The Adshares network processes advertising settlement transactions, meaning there is a continuous flow of on-chain signed messages. Any entity logging Adshares network traffic today is building a dataset that becomes actionable at Q-day. This is not theoretical: nation-state actors have documented HNDL programs targeting financial data.
---
Does Adshares Have a Post-Quantum Migration Roadmap?
As of the most recent public documentation and governance proposals, Adshares has not published a post-quantum cryptography migration roadmap. The project's development focus has been on protocol features, including ADS Ecosystem expansion, operator tooling, and cross-chain bridges, rather than on cryptographic primitives.
Why Migration Is Non-Trivial
Migrating a live blockchain's signature scheme is among the most technically complex upgrades any network can undertake. It requires:
- Consensus rule change - all nodes must agree to accept a new signature format simultaneously or via a flag-day hard fork.
- Wallet software update - every user's wallet must generate new key pairs under the new scheme.
- Key migration window - funds must be moved from old (vulnerable) addresses to new (quantum-safe) addresses before Q-day.
- Address format versioning - the address derivation and encoding must be versioned so nodes can distinguish classical from quantum-safe signatures.
- Performance trade-offs - NIST PQC finalist schemes such as CRYSTALS-Dilithium produce signatures 20 to 50 times larger than Ed25519. This has block-size and throughput implications.
Bitcoin and Ethereum, with their vast developer communities and billions in ecosystem value, are still only in early research phases for post-quantum migration (BIP-360 for Bitcoin's P2QRH addresses, Ethereum's Verkle tree work touching adjacent areas). A smaller-cap protocol like Adshares faces the same technical mountain with a proportionally smaller engineering team.
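The versioning and flag-day requirements in the list above can be made concrete with a small sketch. This is an added example, not Adshares code: the one-byte scheme id, the envelope layout and both block heights are assumptions, the key and signature sizes are the ones quoted in this article's tables, and the checks are structural only (cryptographic verification would follow them).

```python
from dataclasses import dataclass

# scheme id -> (name, public key bytes, signature bytes); sizes from this page's tables.
SCHEMES = {
    0x01: ("ed25519", 32, 64),             # classical, Shor-vulnerable
    0x02: ("ml-dsa-level3", 1952, 3293),   # post-quantum migration target
}
FLAG_DAY_HEIGHT = 500_000   # assumed height at which the hard fork activates
SUNSET_HEIGHT = 600_000     # assumed end of the key migration window


class EnvelopeError(ValueError):
    """Raised when an envelope is structurally invalid."""


@dataclass(frozen=True)
class Envelope:
    scheme: str
    public_key: bytes
    signature: bytes


def parse_envelope(blob: bytes) -> Envelope:
    """Parse the assumed layout: 1-byte scheme id | public key | signature."""
    if not blob or blob[0] not in SCHEMES:
        raise EnvelopeError("missing or unknown scheme id")
    name, pk_len, sig_len = SCHEMES[blob[0]]
    expected = 1 + pk_len + sig_len
    # Exact-length check: no truncated keys, no trailing bytes that one node
    # might ignore and another might hash.
    if len(blob) != expected:
        raise EnvelopeError(f"{name}: expected {expected} bytes, got {len(blob)}")
    return Envelope(name, blob[1:1 + pk_len], blob[1 + pk_len:])


def accepted_at(env: Envelope, height: int) -> bool:
    """Consensus policy: is this scheme valid for a block at `height`?"""
    if env.scheme == "ed25519":
        return height < SUNSET_HEIGHT    # classical signatures expire after the window
    return height >= FLAG_DAY_HEIGHT     # PQ signatures are invalid before the fork


if __name__ == "__main__":
    # Constructed envelopes (all-zero key and signature bytes), structure only.
    legacy = parse_envelope(bytes([0x01]) + bytes(32 + 64))
    pq = parse_envelope(bytes([0x02]) + bytes(1952 + 3293))
    for h in (499_999, 550_000, 600_000):
        print(h, "ed25519:", accepted_at(legacy, h), "ml-dsa:", accepted_at(pq, h))
```

Between the two assumed heights both schemes validate, which is the key migration window; after the sunset height a classical signature is rejected even if it is cryptographically valid.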
What ADS Holders Can Do Now
While waiting for network-level migration, individual holders have a few partial mitigations:
- Use fresh addresses for every receive. If a public key has never appeared on-chain, the only attack vector is in-flight interception, which requires a much more capable adversary.
- Move funds immediately post-receipt. Minimise the window in which funds sit at an address with an exposed public key.
- Monitor NIST PQC standardisation. NIST finalised CRYSTALS-Dilithium (ML-DSA), FALCON (FN-DSA), and SPHINCS+ (SLH-DSA) in August 2024. Any credible migration plan should reference these standards.
- Diversify custody into wallets that already implement post-quantum schemes for holdings you intend to hold long-term.
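To check your own addresses against the first two mitigations, the audit below replays a transaction list and reports which addresses still hold funds after having signed a transaction. It is an added example, not part of any Adshares tool: the ledger rows and address labels are constructed, and it follows this article's model in which a public key becomes visible once an address has broadcast a transaction.

```python
from collections import defaultdict

# Constructed sample ledger: (height, sender, receiver, amount). Not real chain data.
LEDGER = [
    (1, "genesis", "addr-A", 100),
    (2, "addr-A", "addr-B", 40),    # addr-A signs: its public key is now on-chain
    (3, "addr-A", "addr-C", 60),
    (4, "addr-B", "addr-D", 40),    # addr-B signs, but leaves nothing behind
    (5, "genesis", "addr-A", 25),   # hygiene failure: receive on an exposed address
]


def audit(ledger, ignore=("genesis",)):
    """Return {address: {balance, exposed, exposed_since}} for funded addresses."""
    balance = defaultdict(int)
    exposed_since = {}
    for height, sender, receiver, amount in sorted(ledger):
        balance[sender] -= amount
        balance[receiver] += amount
        # The first outgoing transaction is when the public key is revealed.
        exposed_since.setdefault(sender, height)
    report = {}
    for addr, bal in balance.items():
        if addr in ignore or bal <= 0:
            continue  # an emptied address has nothing left to protect
        report[addr] = {
            "balance": bal,
            "exposed": addr in exposed_since,
            "exposed_since": exposed_since.get(addr),
        }
    return report


def at_risk(ledger):
    """Addresses that hold funds AND have an exposed public key."""
    return sorted(a for a, r in audit(ledger).items() if r["exposed"])


if __name__ == "__main__":
    for addr, row in sorted(audit(LEDGER).items()):
        print(addr, row)
    print("move funds off:", at_risk(LEDGER))
```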
---
How Lattice-Based Post-Quantum Wallets Differ
The NIST-standardised post-quantum signature schemes rely primarily on lattice mathematics rather than elliptic curve discrete logarithm problems. Understanding the difference matters for evaluating any migration claim.
Lattice Cryptography Primer
A lattice is a regular grid of points in high-dimensional space. The hard problems underpinning lattice cryptography, specifically Learning With Errors (LWE) and its module variant (MLWE), involve finding a short vector in a high-dimensional lattice given only noisy linear combinations of it. No known quantum algorithm, including Shor's or Grover's, reduces this problem to polynomial time. The best quantum attacks offer only modest speedups over classical attacks, which is why NIST selected lattice-based schemes as primary standards.
CRYSTALS-Dilithium vs Ed25519: A Practical Comparison
| Property | Ed25519 (Adshares) | CRYSTALS-Dilithium (ML-DSA Level 3) |
|---|---|---|
| Signature size | 64 bytes | ~3,293 bytes |
| Public key size | 32 bytes | ~1,952 bytes |
| Key generation speed | Very fast | Fast |
| Signing speed | Very fast | Moderate |
| Quantum resistant | No | Yes |
| NIST standardised | No (IETF RFC 8032) | Yes (FIPS 204, 2024) |
| Blockchain adoption | Widespread | Emerging |
The signature size increase is the primary engineering challenge for blockchain adoption. A block that currently holds 2,000 Ed25519-signed transactions would hold roughly 60 to 80 Dilithium-signed transactions at the same block size, a reduction that demands either larger blocks, reduced throughput, or layer-2 aggregation techniques.
Projects that have been designed from the ground up with post-quantum assumptions, such as BMIC.ai, implement lattice-based cryptography natively, avoiding the painful retrofit problem that networks like Adshares would face. That architectural head-start is a meaningful differentiator for long-duration holders concerned about Q-day exposure.
---
Risk Scenarios for ADS Holders
Framing this as scenario analysis rather than prediction is the honest approach.
Scenario A: Q-Day Arrives Before Migration (High-Impact)
A CRQC becomes operationally available, potentially without public announcement, as state actors would have strong incentives to use the capability silently. ADS addresses with exposed public keys become drainable. The Adshares network would face an emergency hard fork with a compressed timeline. Historical precedent in crypto suggests such emergency responses introduce their own risks, including chain splits, replay attacks, and exchange halts.
Scenario B: Adshares Implements PQC Before Q-Day (Positive)
The development team prioritises a post-quantum signature upgrade, perhaps inspired by Bitcoin and Ethereum's migration timelines. A well-executed flag-day hard fork migrates the network to Dilithium or FALCON. Holders who migrate their keys promptly are protected. This is technically feasible and would require sustained developer commitment and community coordination.
Scenario C: Q-Day Is Later Than 2040 (Extended Runway)
Quantum hardware progress stalls due to error-correction challenges, decoherence issues, or engineering bottlenecks. The urgent timeline relaxes and the industry has more time for measured, well-tested migrations. Even in this scenario, holding assets in classically-vulnerable addresses for decades is poor security hygiene.
---
Key Takeaways for ADS Investors and Holders
- Adshares uses Ed25519 (EdDSA on Curve25519), which is not quantum safe. The underlying discrete logarithm problem is broken by Shor's algorithm.
- Ed25519 is not meaningfully more quantum-resistant than ECDSA. The curve variant is irrelevant; the problem class is identical.
- No public post-quantum migration roadmap currently exists for the Adshares protocol.
- The practical risk window is most credibly 2030 to 2040, but tail-risk scenarios and harvest-now-decrypt-later threats are active today.
- Individual holders can reduce exposure through address hygiene but cannot eliminate the protocol-level risk without network-level migration.
- NIST-standardised lattice-based schemes (ML-DSA, FN-DSA, SLH-DSA) are the credible migration targets any serious blockchain should be evaluating now.
Frequently Asked Questions
Is Adshares quantum safe?
No. Adshares uses Ed25519 (EdDSA on Curve25519), whose security relies on the elliptic curve discrete logarithm problem. Shor's algorithm, running on a sufficiently powerful quantum computer, can solve this problem and derive private keys from public keys. Adshares is therefore not quantum safe under current cryptographic standards.
Does Ed25519 offer any quantum resistance compared to ECDSA?
No meaningful quantum resistance. Both Ed25519 and ECDSA rely on the elliptic curve discrete logarithm problem. While Ed25519 has advantages over ECDSA in classical security (speed, resistance to timing attacks, no nonce reuse vulnerability), they are identically vulnerable to Shor's algorithm. The curve shape does not affect quantum exposure.
Has Adshares published a post-quantum upgrade roadmap?
As of the most recent public documentation, Adshares has not published a formal post-quantum cryptography migration roadmap. Development focus has been on protocol features and ecosystem tools rather than cryptographic primitives. Holders should monitor official Adshares governance channels for any future announcements.
What is Q-day and when might it happen?
Q-day is the point at which a cryptographically relevant quantum computer can run Shor's algorithm against real-world key lengths fast enough to break live blockchain signatures. Mainstream research projections place the highest-risk window between 2030 and 2040, though significant uncertainty exists in both directions. Harvest-now-decrypt-later threats are active regardless of when Q-day arrives.
Which signature schemes are considered quantum safe?
The leading quantum-safe signature schemes are the NIST-standardised lattice-based algorithms: CRYSTALS-Dilithium (ML-DSA, FIPS 204), FALCON (FN-DSA), and the hash-based scheme SPHINCS+ (SLH-DSA). All were finalised by NIST in August 2024. These rely on mathematical problems such as Module Learning With Errors (MLWE) that are not efficiently solvable by known quantum algorithms.
What can ADS holders do to reduce quantum risk right now?
Practical mitigations include: always using fresh receive addresses (so public keys are never exposed on-chain until a spend is needed), moving funds quickly after receipt to minimise time at exposed-key addresses, and diversifying long-term holdings into wallets and protocols that implement post-quantum cryptography natively. These are partial mitigations; full protection requires a network-level protocol upgrade.