Is Diem Quantum Safe?
Is Diem quantum safe? That question is becoming more urgent as quantum computing milestones accelerate and cryptographers model the precise point, widely called Q-day, at which a sufficiently powerful quantum computer could break the elliptic-curve and RSA primitives that underpin virtually every major blockchain. This article dissects the cryptographic stack that Diem (DIEM) was built on, quantifies the exposure those primitives carry under quantum attack, examines what migration paths exist, and contrasts standard blockchain wallets with post-quantum alternatives, so you can form a clear, evidence-based view of where DIEM stands.
What Cryptography Does Diem Actually Use?
Diem, originally launched as Facebook's Libra project before rebranding, was designed as a permissioned blockchain using the Move smart-contract language. Its cryptographic foundations were documented in the Diem whitepaper and associated technical specifications. Understanding those foundations is the starting point for any quantum-threat analysis.
Signature Schemes
Diem's primary transaction-authentication mechanism relies on Ed25519, a specific implementation of EdDSA (Edwards-curve Digital Signature Algorithm) over Curve25519. Ed25519 was chosen deliberately over ECDSA (used by Bitcoin and Ethereum) for several sound reasons in a classical computing environment:
- Faster signature generation and verification
- Smaller signature sizes (64 bytes) relative to comparable security levels
- Resistance to certain implementation side-channel attacks
- Deterministic signing (no random nonce required, eliminating a class of ECDSA vulnerabilities)
However, none of these advantages provide any protection against quantum attacks. Both ECDSA and EdDSA are fundamentally vulnerable to the same underlying mathematical attack.
Key Derivation and Hashing
Diem also uses:
- SHA-3 / BLAKE2 for hashing (Merkle trees, address derivation, transaction IDs)
- BLS12-381 in some validator consensus contexts for aggregate signatures
- X25519 for key exchange in authenticated channels between nodes
Hash functions have a different and relatively more favourable quantum threat profile. Grover's algorithm can theoretically halve the effective security of a hash function, reducing SHA-3-256 from ~128 bits of classical security to ~64 bits of quantum security. That is a meaningful reduction but still not immediately catastrophic for most use cases. The real danger lies in the signature schemes.
---
Why EdDSA and ECDSA Are Vulnerable at Q-Day
EdDSA and ECDSA are both predicated on the elliptic-curve discrete logarithm problem (ECDLP). In a classical computing environment, solving the ECDLP for a 256-bit curve requires on the order of 2^128 operations, a number so large it is computationally infeasible.
Shor's algorithm, developed by Peter Shor in 1994, changes this picture entirely. Running on a sufficiently large fault-tolerant quantum computer, Shor's algorithm can solve the ECDLP in polynomial time. Practically, this means:
- A quantum attacker observes a public key broadcast on-chain (which happens whenever a wallet sends a transaction).
- Shor's algorithm derives the corresponding private key from that public key within minutes to hours, depending on qubit count and error-correction overhead.
- The attacker forges a signature, redirecting funds to an address they control.
This is not a theoretical edge case. Every on-chain transaction that exposes a public key becomes a retroactively attackable record once Q-day arrives.
The "Harvest Now, Decrypt Later" Vector
A subtler threat that is already operational today is the harvest-now-decrypt-later (HNDL) strategy. Nation-state and other sophisticated threat actors are known to be archiving encrypted traffic and blockchain transaction data now, with the intent of decrypting it once quantum hardware matures. For blockchains this matters less than for encrypted communications, but any wallet address that has ever sent a transaction has already exposed its public key permanently to this future attack.
Timeline Estimates
Precise Q-day estimates vary significantly across institutions:
| Source | Estimated Q-Day Range |
|---|---|
| NIST (2022 PQC context) | 2030–2040 (plausible threat horizon) |
| IBM Quantum Roadmap | Fault-tolerant systems by ~2033 |
| Mosca's theorem framework | Recommends migration starting now for 10-year security horizons |
| NSA CNSA 2.0 (2022) | Mandates PQC migration by 2030–2035 for national security systems |
| UK NCSC | Encourages PQC planning for critical infrastructure now |
The range is wide, but the consensus direction is unambiguous: Q-day is a matter of "when," not "if," and organisations securing assets over a decade-long horizon need to act before it arrives, not after.
---
Diem's Quantum Migration Plans: What the Record Shows
The Diem project was effectively shut down in early 2022, when its technology and associated assets were sold and the Diem Association was wound down. As a result, there is no active development roadmap for quantum-resistant upgrades to the original Diem codebase.
This creates a specific kind of risk profile:
- No active maintainers are working on a PQC migration layer for the canonical Diem protocol.
- Forks and derivative projects that built on Diem's Move language, most notably Aptos and Sui, have their own cryptographic roadmaps. Aptos has announced interest in post-quantum signature research, but as of the time of writing, neither Aptos nor Sui has shipped a live PQC signature scheme on mainnet.
- Validator key exposure remains a concern for any network using Ed25519 validator signatures without a rotation or migration mechanism.
What a Genuine PQC Migration Would Require
For any EdDSA-based blockchain to achieve meaningful quantum resistance, a migration would need to address several layers:
- Signature scheme replacement at the transaction layer, swapping Ed25519 for a NIST-approved post-quantum algorithm such as ML-DSA (formerly CRYSTALS-Dilithium) or FALCON.
- Key encapsulation mechanism (KEM) upgrade for any encrypted peer-to-peer channels, replacing X25519 with ML-KEM (formerly CRYSTALS-Kyber).
- Wallet-level key migration, prompting all users to generate new PQC keypairs and move funds to PQC-secured addresses.
- Consensus-layer validator key rotation, ensuring validator signatures cannot be forged by a quantum attacker to mount a consensus attack.
- Backward compatibility handling, since legacy addresses (using ECDLP-based keys) would remain permanently vulnerable unless funds are explicitly migrated.
The third layer, wallet-level key migration, is frequently underestimated. Even if a protocol ships PQC support, users who never migrate their keys remain exposed, and the historical public keys of those addresses remain on-chain as permanent attack targets.
---
NIST PQC Standards: The Benchmark for Quantum-Safe Cryptography
In 2024, NIST finalised its first post-quantum cryptography standards after an eight-year selection process. These are the benchmarks against which any claim of "quantum safety" should be evaluated.
The Finalised NIST PQC Algorithms
| Algorithm | Type | Based On | Primary Use |
|---|---|---|---|
| ML-KEM (CRYSTALS-Kyber) | Key Encapsulation | Module lattices | Key exchange, encryption |
| ML-DSA (CRYSTALS-Dilithium) | Digital Signature | Module lattices | Transaction signing |
| FALCON | Digital Signature | NTRU lattices | Compact signatures |
| SLH-DSA (SPHINCS+) | Digital Signature | Hash functions | Stateless signing |
All four are considered resistant to attacks by both classical and quantum computers under current cryptanalytic knowledge. Lattice-based schemes (ML-KEM, ML-DSA, FALCON) are generally preferred for blockchain applications because their signature and key sizes, while larger than Ed25519, are manageable in on-chain contexts. SLH-DSA offers hash-based security with no algebraic structure to attack, but its signature sizes are substantially larger.
Why Lattice-Based Cryptography Is Particularly Relevant for Wallets
Lattice-based schemes derive their security from the hardness of problems such as Learning With Errors (LWE) and Short Integer Solution (SIS). These problems have no known polynomial-time solution on either classical or quantum computers. This is a qualitatively different security foundation from the ECDLP: rather than relying on a problem that Shor's algorithm directly targets, lattice problems appear to require exponential time even for quantum adversaries.
For wallet applications specifically, this means:
- A user's private key cannot be derived from their public key, even by a quantum attacker running Shor's algorithm.
- Signatures generated by lattice-based schemes remain unforgeable under the same conditions.
- The security does not degrade when the public key is exposed on-chain (as it inevitably is during any transaction).
Projects building quantum-resistant infrastructure, such as BMIC.ai, which combines a post-quantum wallet with NIST PQC-aligned lattice-based cryptography, represent the architectural direction that any serious long-term crypto holding strategy should evaluate when assessing exposure to Q-day risk.
---
Comparing Standard Blockchain Wallets vs. Post-Quantum Wallets
| Feature | Standard Wallet (Ed25519 / ECDSA) | Post-Quantum Wallet (Lattice-Based) |
|---|---|---|
| Private key derivable from public key? | Yes, via Shor's algorithm at Q-day | No, under current quantum cryptanalysis |
| Signature forgeability at Q-day | High risk | Negligible under NIST PQC standards |
| Key/signature size | Small (32–64 bytes) | Larger (1–5 KB depending on algorithm) |
| NIST standardised | No (for quantum resistance) | Yes (ML-DSA, ML-KEM, FALCON, SLH-DSA) |
| Migration urgency | High for long-term holdings | Not applicable — natively resistant |
| Historical address exposure | Permanent once a tx is broadcast | Addressed by design if never using ECDLP keys |
| Current blockchain adoption | Universal | Early-stage but growing |
The size trade-off is real but manageable. ML-DSA signatures are roughly 2.4 KB versus Ed25519's 64 bytes. For on-chain transaction throughput this increases bandwidth and storage requirements, but hardware and protocol optimisations continue to narrow the gap.
---
Practical Implications for DIEM Holders and Move Ecosystem Participants
Given that the original Diem project is defunct and its successor Move-based chains (Aptos, Sui) have not yet shipped production-grade PQC, what should holders and developers take away?
For Long-Term Holders
- Addresses that have already broadcast transactions have exposed public keys. These are permanently vulnerable once Q-day arrives, regardless of which chain they exist on.
- Funds held in addresses whose public keys have never been broadcast (i.e., the address has only received, never sent) have a degree of protection, since the public key is not yet public. However, this is a fragile and passive form of protection, not a genuine cryptographic guarantee.
- Moving funds to a wallet built on NIST PQC-aligned cryptography, before Q-day, is the only durable mitigation.
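The distinction drawn above, between addresses that have already signed (public key on-chain) and receive-only addresses, is something a holder or custodian can inventory directly from ledger history. The following is an added example written for this article, not Diem code: it walks a constructed ledger, classifies every address as exposed, PQC-signed or unexposed, totals the value behind exposed keys, and orders the migration queue. The record format, addresses, amounts and scheme labels are all constructed for the illustration.

```python
"""Inventory which addresses have already exposed an ECDLP-based public key
and how much value sits behind them (added example, constructed ledger)."""
from collections import defaultdict
from dataclasses import dataclass

# Schemes whose public keys a large quantum computer could invert via Shor.
ECDLP_SCHEMES = {"ed25519", "ecdsa-secp256k1"}
# Signature schemes the article lists as NIST PQC standards.
PQC_SCHEMES = {"ml-dsa", "falcon", "slh-dsa"}


@dataclass(frozen=True)
class Tx:
    sender: str      # "" marks a mint / coinbase record with no signer
    recipient: str
    amount: int      # smallest unit; constructed values
    scheme: str      # signature scheme the sender used ("" when unsigned)


# Constructed sample ledger (not real Diem data).
SAMPLE_LEDGER = [
    Tx("", "addr_A", 1000, ""),              # A has only ever received
    Tx("", "addr_B", 500, ""),
    Tx("addr_B", "addr_C", 200, "ed25519"),  # B signs: B's public key is now on-chain
    Tx("addr_C", "addr_D", 50, "ed25519"),   # C signs
    Tx("", "addr_E", 300, ""),
    Tx("addr_E", "addr_F", 100, "ml-dsa"),   # E signs with a PQC scheme: not ECDLP-exposed
]


def balances(ledger):
    bal = defaultdict(int)
    for tx in ledger:
        if tx.sender:
            bal[tx.sender] -= tx.amount
        bal[tx.recipient] += tx.amount
    return dict(bal)


def exposure_report(ledger):
    """Map address -> {"balance", "status"} where status is
    "exposed"   : signed at least once with an ECDLP scheme (permanent exposure),
    "pqc"       : only ever signed with a PQC scheme,
    "unexposed" : never signed (receive-only), so the public key is not yet public.
    """
    ecdlp_signers, pqc_signers = set(), set()
    for tx in ledger:
        if not tx.sender:
            continue
        if tx.scheme in ECDLP_SCHEMES:
            ecdlp_signers.add(tx.sender)
        elif tx.scheme in PQC_SCHEMES:
            pqc_signers.add(tx.sender)
        else:
            raise ValueError(f"unknown signature scheme {tx.scheme!r}")
    report = {}
    for addr, bal in balances(ledger).items():
        if addr in ecdlp_signers:        # an ECDLP signature anywhere in history wins
            status = "exposed"
        elif addr in pqc_signers:
            status = "pqc"
        else:
            status = "unexposed"
        report[addr] = {"balance": bal, "status": status}
    return report


def value_at_risk(ledger):
    """Total balance behind addresses whose ECDLP public key is already on-chain."""
    return sum(r["balance"] for r in exposure_report(ledger).values()
               if r["status"] == "exposed")


def migration_candidates(ledger):
    """Exposed addresses ordered by balance: the order in which funds should be
    moved to fresh PQC-secured keys (the article's wallet-level migration layer)."""
    rep = exposure_report(ledger)
    return sorted(((a, r["balance"]) for a, r in rep.items() if r["status"] == "exposed"),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for addr, row in exposure_report(SAMPLE_LEDGER).items():
        print(f"{addr}: {row['status']:9} balance={row['balance']}")
    print("value at risk:", value_at_risk(SAMPLE_LEDGER))
    print("migrate first:", migration_candidates(SAMPLE_LEDGER))
```

Note that a receive-only address is classified "unexposed" only because nothing in this ledger has published its key; as the article says, that status flips permanently the moment the address signs with an ECDLP scheme, which is why the report treats any ECDLP signature in history as decisive even if the address later signs with a PQC scheme.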
For Developers Building on Move
- Aptos and Sui both support the Move language and have larger active development communities. Both projects have explored PQC research but have not yet standardised on a production algorithm.
- Any smart-contract application that relies on on-chain signature verification will need to be re-architected if and when the underlying chain migrates to PQC, since verification logic must change to accommodate new signature formats.
- Building PQC key management into application architecture now, even if the underlying chain is not yet PQC-native, reduces future migration costs.
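Two points from this article can be shown in one piece of working code: the NIST section's observation that hash-based signatures (SLH-DSA) have no algebraic structure to attack but pay for it in size, and the developer advice above that verification logic should be built to accommodate new signature formats. The example below is added for this article; it is not SLH-DSA, not Diem or Aptos/Sui code, and not a production scheme. It implements Lamport's one-time signature, the simplest hash-based scheme and the ancestor of the primitives inside SLH-DSA, and wraps it in a constructed scheme-tagged envelope whose verifier dispatches on a registry, so registering a new scheme leaves the transaction format untouched. The envelope layout, scheme identifiers and message payload are assumptions made for the illustration; the Ed25519 sizes used for comparison (32-byte key, 64-byte signature) are the figures the article gives.

```python
"""Lamport one-time signatures plus a scheme-tagged signature envelope
(added example; not SLH-DSA, not production code)."""
import hashlib
import secrets

HASH = hashlib.sha256
N = 32           # hash output length in bytes
BITS = 8 * N     # one secret pair per bit of the message digest


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes,
    laid out as h(a_0) h(b_0) h(a_1) h(b_1) ... so slot (2*i + bit) covers bit i."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = b"".join(HASH(a).digest() + HASH(b).digest() for a, b in sk)
    return sk, pk


def _bits(msg: bytes):
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal one preimage per digest bit. A Lamport key must sign only once:
    a second signature leaks enough preimages to forge. SLH-DSA removes that
    restriction; this toy does not."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Security rests only on SHA-256 being one-way; no curve, no group, nothing
    for Shor's algorithm to target."""
    if len(pk) != 2 * BITS * N or len(sig) != BITS * N:
        return False
    for i, bit in enumerate(_bits(msg)):
        chunk = sig[i * N:(i + 1) * N]
        expected = pk[(2 * i + bit) * N:(2 * i + bit + 1) * N]
        if HASH(chunk).digest() != expected:
            return False
    return True


# ---- constructed scheme-tagged envelope: scheme_id (1 byte) || pubkey || sig ----
SCHEME_LAMPORT = 0x01
# scheme_id -> (name, public-key length, signature length, verify(pk, msg, sig))
REGISTRY = {SCHEME_LAMPORT: ("lamport-sha256", 2 * BITS * N, BITS * N, lamport_verify)}


def register_scheme(scheme_id: int, name: str, pk_len: int, sig_len: int, verify):
    """Adding a scheme touches the registry only; the envelope format is unchanged."""
    if scheme_id in REGISTRY:
        raise ValueError("scheme id already registered")
    REGISTRY[scheme_id] = (name, pk_len, sig_len, verify)


def make_envelope(scheme_id: int, pk: bytes, sig: bytes) -> bytes:
    return bytes([scheme_id]) + pk + sig


def verify_envelope(env: bytes, msg: bytes) -> bool:
    """Reject unknown schemes and wrong lengths before any cryptographic work."""
    if not env or env[0] not in REGISTRY:
        return False
    _, pk_len, sig_len, verify = REGISTRY[env[0]]
    if len(env) != 1 + pk_len + sig_len:
        return False
    pk, sig = env[1:1 + pk_len], env[1 + pk_len:]
    return verify(pk, msg, sig)


def size_overhead(scheme_id: int):
    """(key + signature bytes for the scheme, the same total for Ed25519: 32 + 64)."""
    _, pk_len, sig_len, _ = REGISTRY[scheme_id]
    return pk_len + sig_len, 32 + 64


def demo():
    sk, pk = lamport_keygen()
    msg = b"transfer 10 DIEM to addr_B"          # constructed payload
    env = make_envelope(SCHEME_LAMPORT, pk, lamport_sign(sk, msg))
    ok = verify_envelope(env, msg)
    tampered = verify_envelope(env, b"transfer 99 DIEM to addr_B")
    unknown = verify_envelope(bytes([0x7F]) + env[1:], msg)   # unregistered scheme id
    return ok, tampered, unknown


if __name__ == "__main__":
    print(demo(), size_overhead(SCHEME_LAMPORT))
```

The size numbers are the point: a Lamport public key is 16,384 bytes and a signature 8,192 bytes against Ed25519's 32 and 64, which is why SLH-DSA (whose signatures are far smaller than raw Lamport but still kilobytes) is described in the article as the large-signature option and the lattice schemes as the on-chain default. The registry pattern is what lets an application add ML-DSA or FALCON verification later as a new entry rather than a rewrite.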
---
Summary: Where Does Diem Stand on Quantum Safety?
The honest answer is that Diem, as a canonical protocol, is not quantum safe. Its Ed25519 signature scheme is fully vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. The project's closure means there is no active roadmap to address this. The Move-language successor chains are not yet quantum safe either, though they are live, maintained, and theoretically capable of implementing PQC if the development community prioritises it.
For anyone evaluating DIEM or Move-ecosystem assets with a multi-year holding horizon, quantum risk is not a hypothetical addendum. It is a structural vulnerability embedded in the cryptographic stack, one that requires active migration to resolve.
Frequently Asked Questions
Is Diem quantum safe?
No. Diem uses Ed25519 (EdDSA) for transaction signing, which is vulnerable to Shor's algorithm running on a sufficiently powerful fault-tolerant quantum computer. The original Diem project is also defunct, meaning there is no active development roadmap to introduce post-quantum cryptography.
What is Q-day and why does it matter for Diem?
Q-day refers to the future point at which quantum computers become powerful enough to break elliptic-curve and RSA cryptography. At that point, any blockchain using EdDSA or ECDSA, including the Diem architecture, would be vulnerable to private-key derivation from publicly visible keys, enabling fund theft and signature forgery.
Does Shor's algorithm threaten EdDSA the same way it threatens ECDSA?
Yes. Both EdDSA and ECDSA rely on the elliptic-curve discrete logarithm problem (ECDLP), which Shor's algorithm can solve in polynomial time on a quantum computer. The implementation differences between the two schemes provide no protection against this quantum attack.
Are Aptos or Sui, which use the Move language like Diem, quantum safe?
Not as of the current state of their mainnets. Both Aptos and Sui use Ed25519-based signature schemes and have not yet deployed a NIST-standardised post-quantum signature algorithm in production. Both projects have expressed interest in PQC research, but no production-grade quantum-resistant signing is available on either chain yet.
What cryptographic algorithms would make a blockchain genuinely quantum safe?
NIST finalised four post-quantum cryptography standards in 2024: ML-KEM (for key encapsulation), ML-DSA and FALCON (for digital signatures, both lattice-based), and SLH-DSA (a hash-based signature scheme). A blockchain would need to replace its EdDSA or ECDSA signing with one of these to be considered quantum resistant.
If my Diem or Move-ecosystem wallet address has only received funds and never sent, is it safer?
Marginally, but not reliably. An address that has never broadcast a transaction has not exposed its public key on-chain, which means a quantum attacker cannot currently derive the private key. However, this is a passive and fragile form of protection. The moment funds are moved, the public key is revealed, and any historical record of that broadcast becomes a permanent attack surface once quantum hardware matures.