Is ConstitutionDAO Quantum Safe?
Is ConstitutionDAO quantum safe? It's a question that sounds futuristic until you understand how close quantum computing is to breaking the cryptographic assumptions every Ethereum-based token, including PEOPLE, relies on. ConstitutionDAO raised over $47 million in ETH in 2021, and although it failed to acquire the US Constitution at auction, its PEOPLE token lives on as a widely held cultural artifact in crypto. This article examines the specific cryptographic stack underpinning PEOPLE, what "Q-day" means for holders, whether any migration path exists, and how lattice-based post-quantum wallets change the threat picture.
What Is ConstitutionDAO and Why Does Its Cryptography Matter?
ConstitutionDAO launched in November 2021 as a decentralised autonomous organisation with a single mission: collectively purchase one of the thirteen surviving original copies of the United States Constitution. The project raised approximately 11,600 ETH, made history as the largest crowdfunded bid for a physical artefact, and lost the Sotheby's auction to Citadel CEO Ken Griffin by a narrow margin.
After the failed bid, contributors were offered refunds in ETH. Many chose not to claim them, and the PEOPLE token, originally issued as a governance receipt, evolved into a freely traded speculative asset. It gained renewed attention during the 2021 bull market and again during various governance and memecoin cycles. Today it sits on decentralised exchanges and centralised platforms alike, with a dispersed global holder base.
None of that narrative changes the technical reality: PEOPLE is an ERC-20 token issued on Ethereum. Every wallet that holds PEOPLE, and every transaction that moves it, is secured by the same elliptic-curve cryptography that secures all standard Ethereum activity. That cryptographic layer is the source of the quantum threat.
---
How Ethereum's Cryptography Actually Works
ECDSA and the secp256k1 Curve
Ethereum uses the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve to generate key pairs and sign transactions. A private key is a 256-bit integer. The corresponding public key is derived by multiplying a generator point on the curve by that integer, an operation that is computationally trivial to perform in one direction and, on classical hardware, practically impossible to reverse.
When you sign a transaction, you prove ownership of the private key without revealing it. The network verifies the signature against your public key. No one learns your private key from watching your transactions.
This security assumption rests entirely on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Classical computers cannot solve ECDLP at the scale Ethereum uses in any practical timeframe. Breaking a 256-bit elliptic curve key on classical hardware would require computational resources orders of magnitude beyond anything available today.
Why Quantum Computers Change the Equation
Quantum computers operate on fundamentally different principles. Rather than processing bits that are either 0 or 1, they use qubits that can exist in superpositions. Shor's algorithm, published in 1994, demonstrated that a sufficiently powerful quantum computer could solve ECDLP in polynomial time, collapsing the security of ECDSA entirely.
The critical word is "sufficiently." Current quantum computers, including IBM's Condor chip at 1,121 qubits and Google's Willow processor, are not yet capable of running Shor's algorithm at the scale needed to crack 256-bit elliptic curve keys. Estimates from academic researchers suggest that breaking a 256-bit ECDSA key would require a fault-tolerant quantum computer with somewhere between 1,500 and 4,000 logical (error-corrected) qubits, which translates to millions of physical qubits given current error rates.
That threshold is not here today. But the trajectory of quantum hardware development, and the strategic investments being made by governments and private labs, makes Q-day, the point at which quantum computers can break ECDSA at scale, a plausible scenario within a 10-to-20 year window by many analyst estimates.
---
ConstitutionDAO's Specific Quantum Exposure
PEOPLE Is an ERC-20 Token: Inherited Risk
ConstitutionDAO did not build its own blockchain. PEOPLE is a standard ERC-20 token on Ethereum mainnet, which means it inherits Ethereum's cryptographic assumptions wholesale. The DAO never issued a whitepaper addressing quantum security, nor did it implement any non-standard cryptographic scheme. It is, from a cryptographic standpoint, entirely conventional.
This matters for three reasons:
- Public key exposure. Once a wallet address sends a transaction, its public key becomes visible on-chain. An attacker with a capable quantum computer could run Shor's algorithm against that exposed public key to derive the private key, drain the wallet, and move the funds before the legitimate owner could react.
- Dormant address risk. Many PEOPLE holders who did not claim refunds have addresses that received tokens but have never sent a transaction. Technically, their public keys may not be exposed (Ethereum addresses are a hash of the public key, providing one layer of indirection). However, any address that has ever signed an outgoing transaction has a fully exposed public key on-chain.
- No quantum-resistant upgrade path from the DAO. ConstitutionDAO is, for practical purposes, a legacy project. There is no active core development team publishing roadmaps, and no governance mechanism that has credibly addressed quantum migration.
The "Exposed Address" Problem in Detail
It is worth being precise here because the nuance matters. A fresh Ethereum address, one that has only received funds and never sent a transaction, is protected by one additional layer: the address itself is the Keccak-256 hash of the public key. A quantum attacker cannot easily reverse a hash; they would need to brute-force address space rather than run Shor's algorithm directly. This provides limited additional protection.
However, once that address sends a transaction, the full uncompressed public key is broadcast to the network and permanently recorded on-chain. From that point forward, a sufficiently powerful quantum computer running Shor's algorithm could, in theory, derive the corresponding private key and take control of all assets at that address.
For PEOPLE holders, this means the relevant question is not "is my token quantum-safe?" but "has my wallet address ever sent a transaction?" If yes, the public key is already public in the truest sense.
---
Is There Any Quantum Migration Plan for ConstitutionDAO?
The short answer is no, there is no active quantum migration plan specific to ConstitutionDAO or the PEOPLE token.
The longer answer requires separating PEOPLE's fate from Ethereum's fate, because the two are linked.
Ethereum's Own Quantum Roadmap
Ethereum's long-term roadmap does include quantum resistance as a goal, primarily through a transition away from ECDSA. Ethereum co-founder Vitalik Buterin has written publicly about the threat, and Ethereum Improvement Proposals have touched on the topic at various stages. The most concrete proposal circulating among Ethereum researchers is a migration toward STARK-based account abstraction, which could allow wallets to use quantum-resistant signature schemes.
The Ethereum Foundation's "Splurge" phase of the roadmap, which follows the Merge, Surge, Scourge, Verge, and Purge phases, includes provisions for account abstraction improvements (EIP-7702 and ERC-4337 are stepping stones). A full quantum-resistant signature scheme for all Ethereum accounts would require a hard fork and broad ecosystem adoption.
Realistic timelines, according to statements from Ethereum researchers, place this kind of migration in the latter half of the 2020s at the earliest, and that assumes smooth technical execution and governance consensus.
What PEOPLE Holders Can Do Now
While the protocol-level solution remains a work in progress, individual holders have limited but meaningful options:
- Move holdings to a new address before any public-key-exposing transaction. If your existing PEOPLE wallet has already sent transactions, this does not fully help because the old address's public key is already exposed. But it establishes hygiene for future holdings.
- Use hardware wallets with strong key generation. This does not solve the quantum threat to ECDSA, but it eliminates far more common threats like software key compromise.
- Monitor Ethereum's EIP pipeline. When a quantum-resistant signature scheme is formally introduced and activated on mainnet, migrating early is materially safer than waiting.
- Evaluate post-quantum wallet infrastructure. Projects building lattice-based or hash-based signature schemes into their wallet architecture represent the most direct hedge against Q-day for crypto holders. BMIC.ai, for example, is building a quantum-resistant wallet using NIST PQC-aligned lattice-based cryptography specifically designed to protect digital asset holdings against the threat Shor's algorithm poses to ECDSA.
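One way to audit a set of addresses for the exposure the first bullet depends on, as an added example that is not from the original article: it builds a JSON-RPC batch using the standard `eth_getTransactionCount` and `eth_getCode` methods and classifies the replies. The function names, labels, placeholder addresses and node replies are constructed for illustration; send the batch only to a node you operate or trust.

```python
import json

def build_batch(addresses, block="latest"):
    """One JSON-RPC batch: nonce (id 2i) and code (id 2i+1) for each address."""
    batch = []
    for i, addr in enumerate(addresses):
        for offset, method in enumerate(("eth_getTransactionCount", "eth_getCode")):
            batch.append({"jsonrpc": "2.0", "id": 2 * i + offset,
                          "method": method, "params": [addr, block]})
    return batch

def classify(addresses, replies):
    """Label each address: exposed, hash-shielded, contract, or unknown."""
    by_id = {r.get("id"): r for r in replies}
    report = {}
    for i, addr in enumerate(addresses):
        nonce_r, code_r = by_id.get(2 * i, {}), by_id.get(2 * i + 1, {})
        if "result" not in nonce_r or "result" not in code_r:
            report[addr] = "unknown"        # RPC error or missing reply: never guess
            continue
        nonce, code = int(nonce_r["result"], 16), code_r["result"].lower()
        delegated = code.startswith("0xef0100")  # EIP-7702 designator: still a keyed account
        if code != "0x" and not delegated:
            report[addr] = "contract"       # no ECDSA key of its own; nonce starts at 1
        elif nonce > 0:
            report[addr] = "exposed"        # has signed at least one transaction
        else:
            report[addr] = "hash-shielded"  # only the Keccak-256 address is public
    return report

# Constructed sample: placeholder addresses and the replies a node might return.
ADDRS = ["0x" + byte * 20 for byte in ("11", "22", "33", "44")]
REPLIES = [
    {"id": 0, "result": "0x0"}, {"id": 1, "result": "0x"},
    {"id": 2, "result": "0x2a"}, {"id": 3, "result": "0x"},
    {"id": 4, "result": "0x1"}, {"id": 5, "result": "0x6080604052"},
    {"id": 6, "error": {"code": -32000, "message": "constructed error"}},
    {"id": 7, "result": "0x"},
]
REQUEST_BODY = json.dumps(build_batch(ADDRS))  # what would be POSTed to the node
REPORT = classify(ADDRS, REPLIES)
```

Checking the code first matters because a contract account reports a nonce of 1 without ever having signed anything. A nonce of zero also says nothing about keys revealed through signed off-chain messages that were later published.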
---
Lattice-Based Cryptography vs ECDSA: What the Difference Means in Practice
| Property | ECDSA (secp256k1) | Lattice-Based (e.g. CRYSTALS-Dilithium) |
|---|---|---|
| Security basis | Elliptic Curve Discrete Log Problem | Hardness of Learning With Errors (LWE) |
| Quantum vulnerability | Broken by Shor's algorithm | No known quantum algorithm breaks LWE efficiently |
| NIST PQC status | Not included | CRYSTALS-Dilithium standardised (FIPS 204) |
| Signature size | ~71 bytes | ~2,420 bytes (Dilithium2) |
| Key generation speed | Very fast | Fast, marginal overhead |
| Current blockchain adoption | Near-universal | Emerging, not yet on Ethereum mainnet |
| Practical deployment | Production, decades old | Production in TLS, early-stage in crypto wallets |
The core insight from this table is that lattice-based schemes do not rely on problems that Shor's algorithm can solve. The Learning With Errors (LWE) problem and its variants remain hard for both classical and quantum computers under current mathematical understanding. NIST completed its first round of PQC standardisation in 2024, formally publishing CRYSTALS-Dilithium as FIPS 204, CRYSTALS-Kyber as FIPS 203, and SPHINCS+ as FIPS 205.
The trade-off is signature size. A Dilithium signature is roughly 34 times larger than an ECDSA signature. For a blockchain like Ethereum where every byte of calldata costs gas, this is a non-trivial engineering challenge. It is one reason why Ethereum's quantum migration is a multi-year undertaking rather than a simple parameter swap.
---
Assessing the Risk: Scenarios for PEOPLE Holders
Analyst consensus on Q-day ranges from "never" (if quantum error correction proves intractable) to "within 15 years" (if hardware follows an optimistic scaling path). Below are three scenarios worth thinking through:
Scenario A: Q-day does not arrive within 20 years. Ethereum completes its quantum-resistant upgrade at its own pace. PEOPLE holders who maintain standard operational security face no quantum-specific loss. The token's value continues to be driven by speculative and cultural demand rather than any utility consideration.
Scenario B: Q-day arrives with warning, Ethereum migrates in time. Research labs publish credible demonstrations of ECDSA vulnerability, governments and standards bodies accelerate timelines, and Ethereum executes a coordinated migration. Holders who actively move funds to new post-quantum addresses during the migration window are protected. Those who hold dormant, already-exposed addresses face a race condition.
Scenario C: Q-day arrives faster than expected or without adequate warning. This is the adversarial scenario. State-level actors may develop quantum capability and keep it classified. The first public indication of Q-day may come in the form of unexplained large-scale wallet drains rather than a press release. In this scenario, holders of any ECDSA-secured asset, including PEOPLE, ETH, and BTC, face retroactive exposure of every previously broadcast public key.
The asymmetric nature of Scenario C is precisely why quantum-resistant infrastructure is attracting serious investment even while mainstream commentary dismisses Q-day as remote.
---
Summary: What the Analysis Tells Us
ConstitutionDAO, as a project, is not quantum-safe. The PEOPLE token is an ERC-20 asset on Ethereum and inherits the full ECDSA exposure that entails. There is no DAO-level quantum migration plan, and the broader Ethereum protocol migration is a multi-year effort at best.
This does not make PEOPLE uniquely vulnerable compared to other ERC-20 tokens. Every non-quantum-resistant token faces the same structural exposure. What makes it worth examining specifically is that PEOPLE has a large, dispersed holder base, many of whom have not interacted with their wallets since 2021, meaning their public keys are already on-chain.
For holders with significant exposure, the practical steps are clear: understand your public key exposure status, follow Ethereum's EIP roadmap for quantum-resistant signature schemes, and consider how post-quantum wallet infrastructure fits into your broader custody strategy as that technology matures.
Frequently Asked Questions
Is ConstitutionDAO quantum safe?
No. ConstitutionDAO's PEOPLE token is a standard ERC-20 token on Ethereum, which uses ECDSA over the secp256k1 curve. ECDSA is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. There is no DAO-level quantum migration plan in place.
What is Q-day and how does it affect PEOPLE token holders?
Q-day refers to the future point at which a quantum computer becomes powerful enough to run Shor's algorithm and break ECDSA signatures at scale. For PEOPLE holders, this means any wallet address that has previously sent a transaction, and therefore broadcast its public key on-chain, could have its private key derived by a quantum attacker, giving them full control over the funds at that address.
Does Ethereum have a plan to become quantum-resistant?
Yes, but it is a long-term roadmap item. Ethereum researchers, including Vitalik Buterin, have acknowledged the quantum threat. Proposals such as STARK-based account abstraction and quantum-resistant signature schemes are under discussion. A full migration would require a hard fork and broad ecosystem adoption, with realistic timelines placing it in the latter half of the 2020s at the earliest.
Are fresh, never-used Ethereum addresses safer against quantum attacks?
Somewhat. An address that has only received funds and never sent a transaction exposes only the Keccak-256 hash of the public key, not the public key itself. Reversing a hash is harder than running Shor's algorithm against an exposed public key. However, this provides limited protection, and any outgoing transaction immediately exposes the full public key on-chain.
What is lattice-based cryptography and why is it quantum-resistant?
Lattice-based cryptography relies on the mathematical hardness of problems like Learning With Errors (LWE), for which no efficient quantum algorithm is known. This is fundamentally different from ECDSA, which relies on the Elliptic Curve Discrete Logarithm Problem, a problem Shor's algorithm can solve efficiently. NIST standardised CRYSTALS-Dilithium, a lattice-based signature scheme, in 2024 (FIPS 204).
What can PEOPLE token holders do to protect themselves against the quantum threat?
Practical steps include: auditing whether your wallet address has ever sent a transaction (which exposes your public key); migrating holdings to a new address before making any further transactions from an exposed address; using hardware wallets for key security against current threats; monitoring Ethereum's EIP pipeline for a quantum-resistant signature migration; and evaluating post-quantum wallet infrastructure that implements NIST PQC-aligned schemes for long-term custody.