Is Everscale Quantum Safe?

Is Everscale quantum safe? It is a question that serious holders of EVER tokens should be asking right now, before quantum computing reaches the threshold that cryptographers call "Q-day." This article breaks down exactly what cryptographic primitives Everscale relies on, where those primitives become vulnerable when sufficiently powerful quantum computers arrive, what the Everscale ecosystem has publicly communicated about migration, and how lattice-based post-quantum alternatives differ in practice. The goal is an honest technical assessment, not reassurance.

What Cryptography Does Everscale Actually Use?

Everscale is the rebranded evolution of the Free TON network, itself forked from the original Telegram Open Network (TON) codebase. Its cryptographic foundations reflect the design choices made in 2017 to 2019, when post-quantum threats were considered a distant academic concern rather than an engineering priority.

Signature Scheme: Ed25519

Everscale wallets and validator nodes rely on Ed25519, an Edwards-curve digital signature algorithm built over Curve25519. Ed25519 is a variant of EdDSA (Edwards-curve Digital Signature Algorithm). It is fast, compact (64-byte signatures), and resistant to several classical attack vectors that weaken older ECDSA implementations over the secp256k1 or NIST P-256 curves.

However, Ed25519's security ultimately rests on the hardness of the discrete logarithm problem on an elliptic curve. That hardness assumption collapses under Shor's algorithm running on a sufficiently large fault-tolerant quantum computer.

Key Derivation and Hashing

Everscale uses SHA-256 and, in certain contract contexts, Keccak-256 for hashing. Hash functions are considered more resilient to quantum attack than asymmetric schemes. Grover's algorithm reduces the effective security of a 256-bit hash from 256 bits to roughly 128 bits of quantum security, which most cryptographers regard as still acceptable. The acute risk lies squarely with the signature scheme, not the hash function.

Smart Contract VM: TVM

The Threaded Virtual Machine (TVM) processes contract logic. TVM itself does not introduce cryptographic primitives beyond what the underlying node software provides. However, because Everscale contracts can call signature-verification opcodes, any contract that verifies user-controlled keys inherits the same Ed25519 exposure.

---

Understanding the Q-Day Threat to Ed25519

"Q-day" refers to the point at which a quantum computer powerful enough to run Shor's algorithm against real-world elliptic curve parameters becomes operational. Current estimates from NIST, IBM, and academic groups place meaningful Q-day risk somewhere between 2030 and 2040, though some scenarios compress this timeline.

How Shor's Algorithm Breaks Ed25519

Shor's algorithm solves the discrete logarithm problem in polynomial time on a quantum computer. For Ed25519 operating over Curve25519 (approximately 128-bit classical security), breaking a single key pair would require a quantum computer with roughly 2,000 to 4,000 logical (error-corrected) qubits. Physical qubit counts run far higher once error correction overhead is applied, which is why current machines with hundreds of noisy physical qubits remain insufficient. But the trajectory is clearly upward.

The attack vector is specific: an adversary who observes a signed transaction on-chain obtains the public key. From that public key, a Shor-capable machine can derive the corresponding private key offline. The attacker then controls the wallet. Funds at addresses that have never signed a transaction are somewhat safer because the public key may not yet be exposed, but the moment any transaction is broadcast the exposure window opens.

Reused Addresses Amplify Risk

Unlike Bitcoin, which encourages single-use addresses, Everscale wallets are persistent smart contract accounts. Users frequently reuse the same address, meaning their Ed25519 public key is permanently on-chain from the first transaction. This is a structural amplifier of quantum exposure: there is no "move to a fresh address" mitigation once a key has signed.
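For an operator who wants to turn this exposure model into a rotation priority list, the following is an added example (not Everscale or wallet-vendor code). The record format, addresses and balances are constructed, and it assumes the article's model that a key becomes public with the first owner-signed message.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records (not real chain data). "signed_by_owner" marks a
# message the account owner signed; an incoming transfer is not owner-signed.
MESSAGES = [
    {"addr": "0:aaaa", "day": date(2024, 1, 15), "signed_by_owner": True},
    {"addr": "0:aaaa", "day": date(2022, 3, 1), "signed_by_owner": True},
    {"addr": "0:bbbb", "day": date(2021, 6, 2), "signed_by_owner": False},
    {"addr": "0:cccc", "day": date(2023, 7, 9), "signed_by_owner": True},
]
BALANCES = {"0:aaaa": 1200, "0:bbbb": 50000, "0:cccc": 300}  # constructed, in EVER

@dataclass
class Exposure:
    address: str
    balance: int
    first_exposed: Optional[date]  # None: no owner-signed message observed

    def days_exposed(self, as_of: date) -> int:
        """Days the public key has been readable on-chain as of `as_of`."""
        if self.first_exposed is None:
            return 0
        return (as_of - self.first_exposed).days

def inventory(balances, messages):
    """Rank accounts for key rotation: exposed keys first, larger balances first."""
    first = {}
    for m in messages:
        if not m["signed_by_owner"]:
            continue  # under the article's model, receiving funds exposes no key
        if m["addr"] not in first or m["day"] < first[m["addr"]]:
            first[m["addr"]] = m["day"]  # keep the earliest exposure date
    rows = [Exposure(a, b, first.get(a)) for a, b in balances.items()]
    rows.sort(key=lambda r: (r.first_exposed is None, -r.balance))
    return rows

def exposed_balance(rows):
    """Total balance held behind public keys that are already on-chain."""
    return sum(r.balance for r in rows if r.first_exposed is not None)
```
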

---

Has Everscale Published Any Post-Quantum Migration Plan?

As of mid-2024, the Everscale Foundation and the broader developer community have not released a formal, ratified post-quantum cryptography (PQC) roadmap. There are community forum discussions referencing the NIST PQC standardisation process, and some validator operators have expressed awareness of the issue. But awareness is not engineering.

What Would a Credible Migration Look Like?

For context, a credible PQC migration on a live blockchain typically requires:

  1. Algorithm selection aligned with NIST-finalised standards (CRYSTALS-Dilithium for signatures and CRYSTALS-Kyber for key encapsulation are the 2024 benchmarks).
  2. Consensus-layer changes to support new signature types in block validation.
  3. Wallet software upgrades so that user-facing clients can generate, store, and broadcast PQC-signed transactions.
  4. Smart contract VM extensions to expose PQC verification opcodes to on-chain logic.
  5. A migration period during which both old Ed25519 keys and new PQC keys are accepted, with sunset dates.

None of these phases appear in Everscale's published technical documentation as of this writing. The absence is not unique to Everscale — the vast majority of proof-of-stake chains are in an identical position — but it is worth stating plainly.
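The parallel-acceptance period in step 5, expressed as a transaction admission check. This is an added example, not Everscale code: `Policy`, `Account`, `admit` and the dates are hypothetical, and signature verification is delegated to caller-supplied functions that would wrap a real cryptographic library. As a design assumption of the example, an account that has registered a post-quantum key can no longer be spent with Ed25519 alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

ED25519, DILITHIUM2 = "ed25519", "dilithium2"
SIG_LEN = {ED25519: 64, DILITHIUM2: 2420}  # signature sizes in bytes

@dataclass
class Policy:  # hypothetical chain parameters
    pqc_activation: datetime  # first moment PQC signatures are accepted
    ed25519_sunset: datetime  # first moment Ed25519 signatures are refused

@dataclass
class Account:
    address: str
    pubkeys: dict = field(default_factory=dict)  # scheme name -> public key bytes

# Constructed dates, for illustration only.
SAMPLE_POLICY = Policy(
    pqc_activation=datetime(2027, 1, 1, tzinfo=timezone.utc),
    ed25519_sunset=datetime(2030, 1, 1, tzinfo=timezone.utc),
)

def admit(policy, account, now, scheme, message, signature, verifiers):
    """Return (accepted, reason). `verifiers` maps scheme -> f(pubkey, msg, sig) -> bool."""
    if scheme not in SIG_LEN:
        return False, "unknown scheme"
    if scheme == DILITHIUM2 and now < policy.pqc_activation:
        return False, "pqc not yet activated"
    if scheme == ED25519:
        if now >= policy.ed25519_sunset:
            return False, "ed25519 past sunset"
        # Downgrade guard: once a PQC key is registered and usable, the old
        # key alone must not be enough to move funds.
        if DILITHIUM2 in account.pubkeys and now >= policy.pqc_activation:
            return False, "account migrated: ed25519 refused"
    pubkey = account.pubkeys.get(scheme)
    if pubkey is None:
        return False, "no key registered for scheme"
    if len(signature) != SIG_LEN[scheme]:
        return False, "bad signature length"  # cheap check before crypto work
    if not verifiers[scheme](pubkey, message, signature):
        return False, "signature invalid"
    return True, "ok"
```
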

---

Comparing Everscale's Quantum Posture to Other Networks

The table below summarises the quantum-cryptography posture of Everscale alongside several comparable networks. "PQC roadmap" means a formally published, developer-ratified migration plan.

| Network | Primary Signature Scheme | Quantum Vulnerable? | Formal PQC Roadmap |
| --- | --- | --- | --- |
| Everscale (EVER) | Ed25519 | Yes (Shor's) | No |
| Ethereum | ECDSA (secp256k1) | Yes (Shor's) | Discussed, not ratified |
| Solana | Ed25519 | Yes (Shor's) | No |
| Algorand | Ed25519 | Yes (Shor's) | No |
| Bitcoin | ECDSA (secp256k1) | Yes (Shor's) | No |
| BMIC | Lattice-based (NIST PQC-aligned) | Designed to resist | Native, by design |

The pattern is consistent: virtually every major network built before 2022 relies on pre-quantum asymmetric cryptography. The distinction that matters is whether a project is engineering a migration path now, while the window is open, or waiting until Q-day pressure becomes acute.

---

How Post-Quantum (Lattice-Based) Cryptography Differs

Lattice-based cryptography, the dominant family behind NIST's 2024 PQC standards, derives its hardness from mathematical problems that are believed to resist both classical and quantum attack. The two most relevant problems are:

Signature Size Trade-offs

Lattice signatures are larger than Ed25519 signatures. CRYSTALS-Dilithium at security level 2 produces signatures of approximately 2,420 bytes compared to Ed25519's 64 bytes. This has real consequences for on-chain storage costs and transaction throughput. Any chain migrating to PQC must budget for this overhead in its block size and fee model.

Key Generation and Verification Speed

Lattice schemes are computationally heavier than curve-based schemes on constrained hardware. However, benchmarks on modern server-grade CPUs show Dilithium signing and verification running in microseconds, well within the latency budgets of most blockchain consensus rounds. The performance gap is manageable; the engineering lift of migration is the larger challenge.

What This Means for Wallet Holders

For an individual holding EVER today, the practical implication is straightforward: your wallet's private key security depends entirely on Ed25519, and no currently available Everscale wallet client offers a post-quantum alternative. If Q-day arrives before Everscale completes a migration, funds in wallets with exposed public keys would be at risk from an adversary with access to a sufficiently capable quantum machine.

A wallet built natively on lattice-based primitives, by contrast, generates key pairs whose security does not rely on discrete logarithm hardness. One example in the market is BMIC.ai, which is built ground-up on NIST PQC-aligned, lattice-based cryptography specifically to address this gap, with its presale currently live.

---

Practical Risk Scenarios for EVER Holders

It is useful to think in scenarios rather than certainties, because Q-day timing is genuinely uncertain.

Scenario 1: Q-Day Arrives Before Migration (Adverse Case)

A large-scale quantum computer becomes operational by, say, 2031. Everscale has not completed its PQC migration. Adversaries begin harvesting private keys from exposed Ed25519 public keys on-chain. Wallets that have ever signed a transaction are immediately at risk. Validator node keys, many of which are long-lived, are particularly exposed.

Scenario 2: Everscale Migrates in Time (Base Case with Caveats)

The Everscale developer community executes a phased migration to Dilithium-based signatures ahead of a credible Q-day estimate. Users who actively rotate to new PQC keys are protected. Users who do not migrate (e.g., lost-access wallets, dormant holders) retain Ed25519 keys and remain exposed even after network-level migration.

Scenario 3: Q-Day Is Delayed Beyond 2040 (Optimistic Case)

Engineering challenges in fault-tolerant quantum computing prove harder than current projections. Major blockchain networks, including Everscale, complete PQC migrations at a measured pace. The risk window closes without incident. This scenario is possible, but building a security posture around optimism about adversary timelines is not sound risk management.

---

What EVER Holders Should Monitor

If you hold EVER and are concerned about quantum risk, the following signals are worth tracking:

The honest answer to whether Everscale is quantum safe is: no, not currently, and no credible migration timeline has been published. That does not make EVER uniquely dangerous relative to most other networks, but it does mean the risk is real and unmitigated at the protocol level today.

Frequently Asked Questions

Is Everscale quantum safe right now?

No. Everscale uses Ed25519 signatures, which are vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. As of mid-2024, no formal post-quantum cryptography migration roadmap has been ratified by the Everscale developer community.

What signature scheme does Everscale use?

Everscale uses Ed25519, an Edwards-curve digital signature algorithm based on Curve25519. Its security relies on the hardness of the elliptic curve discrete logarithm problem, which Shor's algorithm can solve in polynomial time on a large-scale quantum computer.

When is Q-day expected to arrive?

Estimates vary. NIST and leading academic groups currently place credible Q-day risk in the 2030 to 2040 range, though some scenarios compress this timeline. The uncertainty itself is a reason to act on migration planning now rather than waiting for consensus.

Are EVER tokens at risk even if the Everscale network itself is not attacked?

Yes. Individual wallets are at risk independently of the network. Any wallet that has broadcast at least one signed transaction has its Ed25519 public key permanently on-chain. A quantum adversary could derive the private key from that public key and drain the wallet without attacking the network as a whole.

What would a post-quantum upgrade to Everscale require?

A full migration would require: selecting NIST-standardised algorithms (such as CRYSTALS-Dilithium for signatures), updating consensus-layer signature verification, extending TVM opcodes for PQC verification, upgrading wallet clients, and running a parallel-acceptance period before deprecating Ed25519 keys. This is a multi-year engineering effort.

How do lattice-based wallets protect against quantum attacks?

Lattice-based cryptography relies on mathematical problems, specifically Learning With Errors (LWE) and its variants, for which no efficient quantum algorithm is known. Wallets built on NIST PQC-aligned lattice schemes generate key pairs whose security does not depend on discrete logarithm hardness, meaning Shor's algorithm offers no advantage to an attacker.