Is Eitherway Quantum Safe?
Is Eitherway quantum safe? That question matters more with every incremental advance in quantum computing hardware. EITHER, the native token of the Eitherway protocol, relies on the same elliptic-curve signature schemes underpinning most of the broader crypto ecosystem — schemes that a sufficiently powerful quantum computer could break. This article examines exactly which cryptographic primitives Eitherway uses, how quantum attacks would realistically unfold, what migration paths exist for the protocol, and how lattice-based post-quantum alternatives are already being deployed by a small number of projects.
What Cryptography Does Eitherway Currently Use?
Like the vast majority of EVM-compatible or Ethereum-adjacent protocols, Eitherway relies on ECDSA (Elliptic Curve Digital Signature Algorithm) for transaction signing, specifically over the secp256k1 curve — the same curve used by Bitcoin and Ethereum mainnet. Some newer protocol components may also incorporate EdDSA (Edwards-curve Digital Signature Algorithm) variants such as Ed25519, chosen for faster verification and cleaner implementation.
Both schemes share a common mathematical foundation: their security rests on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Given a public key, it is computationally infeasible for a classical computer to derive the corresponding private key, because the best known classical algorithms for ECDLP run in exponential time. With a 256-bit curve, the classical attack complexity is roughly 2¹²⁸ operations — beyond any realistic classical adversary.
How Key Derivation and Signing Work
When a user generates a wallet, a random 256-bit private key `k` is chosen. The corresponding public key `K` is computed as `K = k × G`, where `G` is the generator point on the curve. This multiplication is one-way classically. The address visible on-chain is a hash of `K`. Every time a transaction is signed, a signature `(r, s)` is produced using `k` and the transaction hash. Validators confirm the signature is consistent with `K` without ever seeing `k`.
Where Hashing Fits In
Beyond signatures, Eitherway (like Ethereum) uses Keccak-256 for address derivation and block commitments. Keccak is a SHA-3 family function. Quantum attacks against hash functions are less catastrophic — Grover's algorithm provides only a quadratic speedup, reducing 256-bit security to an effective 128-bit security level. That remains adequate for the foreseeable quantum timeframe, which is why hashing is considered the lesser concern.
---
The Quantum Threat: How ECDSA Gets Broken
The mechanism is Shor's algorithm, published in 1994 and proven to solve both integer factorisation and discrete logarithm problems in polynomial time on a sufficiently large quantum computer. Applied to secp256k1, Shor's algorithm could derive a private key from a known public key in hours or minutes, given enough stable qubits.
Harvest Now, Decrypt Later
The most immediate practical threat is "harvest now, decrypt later" (HNDL). Nation-state adversaries with the resources to invest in quantum hardware may already be archiving encrypted blockchain data and signed transactions. Once a cryptographically relevant quantum computer (CRQC) reaches operational capability, they can retroactively extract private keys from any public key that has been broadcast on-chain.
On most UTXO and account-based chains, your public key is revealed the moment you sign a transaction. For EITHER holders who have ever sent a transaction, their public key is permanently recorded on the ledger.
Exposed vs. Unexposed Addresses
| Address State | Public Key Exposed? | Quantum Risk Level |
|---|---|---|
| Funded, never spent (fresh address) | No — only address hash visible | Lower (Grover only, 128-bit effective) |
| Has sent at least one transaction | Yes — public key on-chain | High — Shor's can derive private key |
| Reused address, multiple transactions | Yes — multiple signatures visible | High + timing correlation risk |
| Multi-sig with legacy scheme | Yes — all co-signer keys exposed | High |
This table illustrates a critical nuance: address reuse dramatically increases exposure. Best practice today — use fresh addresses — is useful but not a long-term solution, since any transaction permanently exposes the sender's public key.
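An added example (not part of the original article or of any Eitherway tooling) that applies the table's states to a ledger: it tallies outbound transactions per address, labels each address, and orders the exposed balances for migration. The ledger, addresses and state labels are constructed for illustration, and the multi-sig row is not modelled.

```python
from collections import defaultdict

# Constructed ledger: (sender, receiver, amount). sender None = mint/faucet.
LEDGER = [
    (None, "0xA", 100), (None, "0xB", 50), (None, "0xC", 70),
    ("0xB", "0xD", 20),                  # 0xB signs once: key now on-chain
    ("0xC", "0xD", 10), ("0xC", "0xA", 5), ("0xC", "0xE", 55),  # 0xC reused
    ("0xD", "0xF", 5),                   # 0xD signs once
]

def exposure_report(ledger):
    """Classify every address by the table's states and track its balance."""
    balance, signed = defaultdict(int), defaultdict(int)
    for sender, receiver, amount in ledger:
        if sender is not None:
            balance[sender] -= amount
            signed[sender] += 1          # each outbound tx carries a signature
        balance[receiver] += amount
    report = {}
    for addr, bal in balance.items():
        if signed[addr] == 0:
            state = "unexposed"          # only the address hash is visible
        elif signed[addr] == 1:
            state = "exposed"            # public key on-chain via one signature
        else:
            state = "exposed-reused"     # several signatures under one key
        report[addr] = (state, bal)
    return report

def value_at_risk(report):
    """Total balance held by addresses whose public key is already on-chain."""
    return sum(bal for state, bal in report.values() if state != "unexposed")

def migration_queue(report):
    """Exposed addresses that still hold funds, largest balance first."""
    exposed = [(addr, bal) for addr, (state, bal) in report.items()
               if state != "unexposed" and bal > 0]
    return sorted(exposed, key=lambda item: item[1], reverse=True)
```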
Q-Day Timeline: Analyst Scenarios
No credible consensus exists on when a CRQC capable of breaking 256-bit ECDSA will arrive. Analyst scenarios generally cluster around three positions:
- Optimistic (status quo camp): 15-25 years away; engineering obstacles around qubit coherence and error correction remain severe.
- Mid-range (mainstream estimate): 10-15 years; progress on topological qubits and error-correction codes is accelerating faster than expected.
- Pessimistic (security-first camp): 5-10 years; classified government investment and recent IBM/Google milestones suggest the public timeline is lagging reality.
For a long-lived protocol, even the optimistic scenario means migration planning should begin immediately. Cryptographic infrastructure takes years to design, audit, and deploy at network scale.
---
Does Eitherway Have a Post-Quantum Migration Plan?
As of the time of writing, Eitherway has not published a formal post-quantum cryptography (PQC) roadmap. This is consistent with the majority of layer-1 and layer-2 protocols, most of which have also not addressed PQC in their public documentation. The absence of a roadmap is not unusual, but it does mean EITHER holders carry unmitigated quantum risk.
What a Migration Would Require
Transitioning a live blockchain to post-quantum signatures is a non-trivial engineering and governance challenge. The key steps any protocol would need to work through include:
- Algorithm selection: Choose a NIST-standardised PQC algorithm. The 2024 NIST PQC finalisation process standardised ML-DSA (CRYSTALS-Dilithium) for digital signatures and ML-KEM (CRYSTALS-Kyber) for key encapsulation.
- Signature size trade-offs: Lattice-based signatures are significantly larger than ECDSA. A Dilithium-3 signature is approximately 3.3 KB versus 64 bytes for an ECDSA signature. This affects block space, gas costs, and node storage requirements.
- Key migration mechanism: Existing wallets must migrate funds to PQC-secured addresses before Q-day. This requires broad user coordination and likely a hard fork or upgrade mechanism.
- Wallet and tooling updates: Every wallet, hardware device, exchange integration, and dApp interface must be updated to generate and verify PQC signatures.
- Governance approval: A contentious hard fork could split the community if not carefully managed.
- Transition period: A dual-signature period (accepting both ECDSA and PQC signatures) may be necessary to allow gradual migration without freezing funds.
Any protocol that begins this process today has a meaningful head start. Protocols that wait until quantum threats are imminent face a compressed, chaotic migration under adversarial conditions.
---
Post-Quantum Cryptographic Approaches: How They Differ
To understand what a quantum-safe Eitherway would look like, it helps to understand the main PQC signature families now standardised or in late-stage evaluation.
Lattice-Based Schemes (ML-DSA / Dilithium)
Lattice problems — specifically the Learning With Errors (LWE) and Module LWE problems — are believed to be hard for both classical and quantum computers. CRYSTALS-Dilithium, standardised by NIST as ML-DSA, is the leading candidate for blockchain signature replacement. Its security does not rely on ECDLP or integer factorisation, so Shor's algorithm provides no advantage.
Trade-offs:
- Signature size: ~2.4 KB (Dilithium-2) to ~4.6 KB (Dilithium-5)
- Public key size: ~1.3 KB to ~2.6 KB
- Verification speed: Fast, comparable to or faster than ECDSA on modern hardware
- Security assumption: Well-studied, widely reviewed
Hash-Based Schemes (SPHINCS+)
SPHINCS+ is a stateless hash-based signature scheme also standardised by NIST (as SLH-DSA). Its security relies entirely on hash function properties, which makes it extremely conservative and trustworthy. However, signatures are very large (8-50 KB depending on parameter set), making it impractical for high-throughput blockchains.
Code-Based Schemes
Code-based cryptography (e.g., Classic McEliece) has large public keys in the megabyte range, which effectively rules it out for on-chain use cases where every byte has a cost.
Comparison: ECDSA vs. Leading PQC Signature Schemes
| Scheme | Quantum Safe | Sig Size | Public Key Size | Standardised |
|---|---|---|---|---|
| ECDSA (secp256k1) | No | 64 bytes | 33 bytes | De facto standard |
| EdDSA (Ed25519) | No | 64 bytes | 32 bytes | RFC 8032 |
| ML-DSA / Dilithium-3 | Yes | ~3.3 KB | ~1.9 KB | NIST FIPS 204 |
| SPHINCS+-SHA2-128s | Yes | ~7.8 KB | 32 bytes | NIST FIPS 205 |
| Falcon-512 | Yes | ~666 bytes | ~897 bytes | NIST (Round 4) |
Falcon-512 is notable for producing much smaller signatures than Dilithium, making it a realistic option for space-constrained blockchain environments, though its implementation complexity (requiring careful floating-point handling) introduces additional audit burden.
---
What EITHER Holders Can Do Right Now
While the Eitherway protocol itself has not shipped a PQC solution, individual token holders can take steps to reduce their personal exposure profile.
- Minimise address reuse. Use a fresh receiving address for every transaction. Wallets that support HD (hierarchical deterministic) derivation paths make this straightforward.
- Limit on-chain public key exposure. The fewer signed transactions from a given address, the lower the exposure window. Large long-term holdings ideally sit in addresses that have never signed an outbound transaction.
- Monitor the Eitherway governance forums. PQC migration discussions will surface there first. Early governance participants can shape the design of any migration mechanism.
- Diversify across custody models. Consider allocating a portion of holdings to wallets that have already implemented post-quantum key generation at the software layer.
- Watch NIST PQC adoption signals. As ML-DSA and ML-KEM achieve broad library support (already happening in OpenSSL, BoringSSL, and others), expect protocol-level integrations to accelerate across the industry.
Projects building quantum resistance into their architecture from the ground up — rather than retrofitting it — have a structural advantage. BMIC.ai, for instance, is designed around lattice-based, NIST PQC-aligned cryptography, offering a reference point for what native post-quantum wallet infrastructure looks like in practice.
---
The Broader Industry Context
Eitherway is far from alone in its current posture. As of 2024, no major layer-1 blockchain has completed a full PQC migration. Ethereum's research community has discussed PQC in the context of account abstraction (EIP-7702 and related proposals), and the Ethereum Foundation has acknowledged that PQC transitions will eventually be necessary. The Bitcoin community has had similar conversations, with proposals like P2QRH (Pay to Quantum Resistant Hash) circulating in the BIP process.
The industry consensus is that urgency is real but not yet acute. That window, however, is narrowing. The protocols and wallets that begin credible PQC engineering work in 2024-2025 will be positioned to execute clean migrations. Those that defer face the prospect of emergency forks under adversarial conditions if Q-day arrives ahead of the optimistic timeline.
For EITHER specifically, the question is whether the protocol's development team and governance community treat quantum resistance as a roadmap priority or a distant theoretical concern. The cryptographic evidence suggests it deserves to be in the former category.
Frequently Asked Questions
Is Eitherway (EITHER) quantum safe right now?
No. Eitherway currently uses ECDSA over the secp256k1 elliptic curve, the same signature scheme used by Bitcoin and Ethereum. ECDSA is broken in polynomial time by Shor's algorithm on a sufficiently powerful quantum computer. Until the protocol migrates to a NIST-standardised post-quantum algorithm such as ML-DSA (Dilithium), EITHER wallets carry quantum exposure.
When would a quantum computer actually be able to break EITHER wallets?
Analyst estimates range from roughly 5 to 25 years for a cryptographically relevant quantum computer (CRQC) capable of breaking 256-bit ECDSA. The wide range reflects genuine uncertainty about engineering timelines. The harvest-now, decrypt-later threat is considered active regardless of that timeline, since adversaries may archive signed transaction data today for later decryption.
Which EITHER addresses are most at risk from quantum attack?
Addresses that have already signed and broadcast at least one outbound transaction are most at risk, because the public key is permanently recorded on-chain. Fresh addresses that have only received funds — with the public key never revealed — face a lower (though not zero) risk, since Grover's algorithm still reduces hash security from 256-bit to an effective 128-bit level.
What post-quantum algorithms would Eitherway need to adopt?
The most practical options are ML-DSA (CRYSTALS-Dilithium, standardised as NIST FIPS 204) and Falcon-512. ML-DSA is the more conservatively reviewed option; Falcon produces smaller signatures but is more complex to implement correctly. Both are lattice-based and resist attacks from Shor's algorithm. Hash-based SPHINCS+ is theoretically robust but produces very large signatures impractical for high-throughput blockchains.
Has Eitherway published a post-quantum migration roadmap?
No public post-quantum cryptography roadmap has been released by the Eitherway team as of the time of writing. This is consistent with most crypto protocols at this stage, but it does mean holders cannot yet rely on a protocol-level solution. Monitoring official governance channels is the best way to track any future announcements.
What can EITHER holders do to reduce quantum risk today?
Practical steps include avoiding address reuse, using HD wallets to generate fresh receiving addresses, keeping large long-term holdings in addresses that have never signed an outbound transaction, and monitoring Eitherway governance for any PQC migration proposals. At the custody level, considering wallets that natively implement post-quantum key generation provides an additional layer of protection.