Is Hedera Quantum Safe?
Is Hedera quantum safe? It is a question that matters more with every incremental advance in quantum computing hardware. Hedera (HBAR) is one of the most enterprise-adopted distributed ledgers in the world, yet the cryptographic foundations underpinning its accounts rely on the same family of algorithms that quantum computers are specifically designed to break. This article dissects exactly which signature schemes Hedera uses, models what exposure looks like when a cryptographically relevant quantum computer (CRQC) arrives, surveys any migration roadmap Hedera has disclosed, and explains how lattice-based post-quantum cryptography offers a structurally different security model.
What Cryptography Does Hedera Actually Use?
Hedera's hashgraph consensus and account model support several signature algorithms. Understanding each is essential before assessing quantum risk.
ECDSA (secp256k1)
The most widely recognised option, borrowed from Bitcoin and Ethereum. ECDSA on the secp256k1 curve is the default for EVM-compatible accounts on Hedera — particularly relevant now that Hedera supports the Ethereum Virtual Machine via the Hedera Token Service and smart contracts. Private keys are 256-bit scalars; public keys are elliptic curve points. Security relies entirely on the computational hardness of the elliptic curve discrete logarithm problem (ECDLP).
EdDSA (Ed25519)
Hedera's native account type defaults to Ed25519, a variant of the Edwards-curve Digital Signature Algorithm. Ed25519 uses the twisted Edwards curve over a 255-bit prime field. It offers faster signing, smaller signatures, and better resistance to certain classical side-channel attacks compared to secp256k1 ECDSA. However, its security still rests on the discrete logarithm problem — just on a different curve.
Key Derivation and Address Format
Hedera account IDs (e.g., `0.0.12345`) are not derived by hashing public keys the way Bitcoin addresses are. An account is created on-ledger, and the public key is stored directly in the account record. This has a specific implication for quantum risk, discussed below.
---
The Quantum Threat: How Shor's Algorithm Breaks ECDSA and EdDSA
Both ECDSA and EdDSA derive their security from the difficulty of computing discrete logarithms on elliptic curves. Peter Shor's algorithm, published in 1994 and running on a sufficiently powerful quantum computer, solves the ECDLP in polynomial time rather than the sub-exponential time required classically. The practical consequence: given a public key, Shor's algorithm can recover the corresponding private key.
The "Harvest Now, Decrypt Later" Attack Vector
Adversaries do not need to wait for a CRQC to begin attacking Hedera holders. The harvest-now-decrypt-later (HNDL) strategy involves recording encrypted traffic and signed transactions today and decrypting them once quantum capability matures. For blockchains, this means:
- An attacker archives the full transaction history of the chain.
- Every public key ever exposed on-chain is stored.
- When a CRQC is available, private keys are derived from those public keys.
- The attacker can then forge signatures or drain accounts — unless keys have been rotated to quantum-resistant alternatives by that point.
Hedera's Specific Exposure Profile
Because Hedera stores public keys explicitly in account records rather than using hash-obscured address formats, every Hedera account has its public key permanently visible on the ledger. On Bitcoin, a UTXO that has never been spent does not expose its public key directly (only the hash of it), providing a marginal additional layer of obscurity. Hedera does not have this obscurity layer. Once a CRQC exists, any account whose public key is recorded on Hedera is, in principle, immediately attackable with no additional steps.
This is not a flaw unique to Hedera — it is a consequence of an explicit account model. But it does mean the quantum exposure is direct and unambiguous.
---
Q-Day: When Does This Become a Real Risk?
Timeline estimates for a cryptographically relevant quantum computer (one capable of running Shor's algorithm against 256-bit elliptic curves at scale) vary significantly across institutions and analysts.
| Institution / Report | Estimated CRQC Timeline |
|---|---|
| NIST (PQC project documentation) | 10–20 years, but preparation urged now |
| IBM Quantum Roadmap (public) | Fault-tolerant systems targeted late 2020s–2030s |
| NCSC (UK, 2023 guidance) | Migration recommended by 2035 at latest |
| Mosca's Theorem (academic framework) | Risk = security shelf-life + migration time vs. Q-day arrival |
| CISA / NSA CNSA 2.0 (2022) | Transition to PQC by 2030–2035 for critical infrastructure |
The consensus among government cybersecurity agencies is not that the threat is imminent in the next two years, but that migration timelines for large-scale infrastructure are long enough that preparation must begin now. A distributed ledger with tens of millions of accounts cannot rotate cryptographic schemes overnight.
---
Does Hedera Have a Post-Quantum Migration Plan?
As of the time of writing, Hedera's public documentation does not include a finalised, time-bound roadmap for integrating NIST-standardised post-quantum signature schemes (such as CRYSTALS-Dilithium / ML-DSA or SPHINCS+) into the core protocol. Several observations are relevant here:
What Hedera Has Acknowledged
- Hedera's governance council includes major enterprises (Google, IBM, Boeing, LG, Deutsche Telekom and others). IBM's membership is notable given that IBM is one of the leading quantum computing hardware vendors. Internal awareness of the threat is therefore high.
- The Hedera Improvement Proposal (HIP) process is the formal mechanism through which protocol-level cryptographic changes would be introduced. No HIP targeting post-quantum signature algorithms has reached a final status as of mid-2025.
- Hedera's SDK is key-algorithm-agnostic by design — it accepts arbitrary key types in account records. This is a potential migration advantage, since adding support for a new signature scheme does not necessarily require a hard fork of the consensus protocol, just a new key type registration and SDK update.
What Remains Unresolved
- Key rotation UX at scale: Migrating millions of existing accounts from Ed25519 to a PQC key type requires users to initiate key rotation transactions. This is a significant coordination problem, especially for enterprise integrations where key custody is complex.
- Signature size bloat: CRYSTALS-Dilithium (ML-DSA) signatures are roughly 2,420 bytes at the Level 2 security parameter, compared to 64 bytes for Ed25519. This has direct implications for Hedera's transaction throughput claims and storage costs.
- Multi-signature and threshold key complexity: Hedera supports complex key structures (KeyList, ThresholdKey). Migrating these to PQC equivalents is non-trivial.
- No public Q-day contingency plan: Unlike some blockchain projects that have begun PQC research tracks, Hedera has not published a specific post-quantum security whitepaper or migration schedule.
---
How Lattice-Based Post-Quantum Cryptography Differs
The NIST post-quantum cryptography standardisation process, completed in 2024, selected several algorithms for standardisation. The primary signature scheme is ML-DSA (previously CRYSTALS-Dilithium), which is based on the hardness of the Module Learning With Errors (MLWE) problem — a lattice problem for which no efficient quantum algorithm is known.
Key Structural Differences vs. ECDSA / EdDSA
| Property | ECDSA (secp256k1) | Ed25519 | ML-DSA (Dilithium L2) |
|---|---|---|---|
| Security assumption | ECDLP | ECDLP (Ed curve) | Module Learning With Errors |
| Broken by Shor's algorithm | Yes | Yes | No (no known quantum attack) |
| Public key size | 33 bytes (compressed) | 32 bytes | 1,312 bytes |
| Signature size | ~71 bytes | 64 bytes | 2,420 bytes |
| Signing speed (relative) | Fast | Very fast | Moderate |
| NIST standardised | No (legacy) | No (legacy) | Yes (FIPS 204, 2024) |
The lattice-based security assumption does not rely on any algebraic structure that Shor's algorithm exploits. Even a large-scale CRQC running Shor's algorithm gains no advantage over a classical computer when attacking MLWE-based schemes. The security reduction is to worst-case lattice problems, which are believed to be classically and quantumly hard.
Hash-Based Signatures as an Alternative
NIST also standardised SLH-DSA (SPHINCS+), a stateless hash-based signature scheme. Its security relies only on the collision resistance of hash functions, making it highly conservative from a quantum-security standpoint. The trade-off is very large signatures (up to ~49,856 bytes at Level 1), making it unsuitable for high-throughput ledger contexts without significant protocol redesign.
---
Practical Implications for HBAR Holders and Developers
If you hold HBAR or build on Hedera, the quantum timeline gives you a window to act, but that window has a hard edge.
For individual holders:
- Monitor Hedera's HIP tracker for any PQC key type proposal.
- Understand that your public key is permanently on-chain and will remain accessible to any future quantum adversary unless you migrate to a quantum-resistant key before Q-day.
- Hardware wallet vendors (Ledger, Trezor) are also yet to ship PQC firmware for Hedera accounts; this is an ecosystem-wide gap, not just a Hedera protocol issue.
For enterprise developers building on Hedera:
- Conduct a cryptographic inventory of all Hedera accounts used in production systems.
- Design key rotation procedures now, so they can be executed quickly once a PQC key type is available on Hedera.
- For long-lived smart contracts, assess whether contract addresses and associated keys could be at risk post-Q-day before the contract lifecycle ends.
- Review CISA's guidance on CNSA 2.0 compliance if your application touches US federal or critical infrastructure contexts.
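The inventory step above, as an added example (not Hedera or SDK code): it walks nested key structures like the KeyList and ThresholdKey types mentioned earlier, reports whether an account can be controlled using only Shor-vulnerable keys, and estimates the signature payload after migration using the sizes from this article's comparison table. The record layout, the account IDs and the `ML_DSA` key-type label are assumptions made for the example; Hedera has no such key type today.

```python
# Added example. Record layout is constructed for illustration; "ML_DSA" is a
# hypothetical key-type label (no PQC key type exists on Hedera today).
SIG_BYTES = {"ED25519": 64, "ECDSA_SECP256K1": 71, "ML_DSA": 2420}  # article's table
SHOR_VULNERABLE = {"ED25519", "ECDSA_SECP256K1"}


def required(key):
    """Child signatures needed: the threshold, or all children for a KeyList."""
    return key.get("threshold", len(key["keys"]))


def forgeable(key):
    """True if Shor-vulnerable keys alone are enough to satisfy this structure."""
    if "keys" not in key:
        return key["type"] in SHOR_VULNERABLE
    return sum(forgeable(k) for k in key["keys"]) >= required(key)


def sig_bytes(key, migrated=False):
    """Smallest signature payload (bytes) that satisfies the structure."""
    if "keys" not in key:
        return SIG_BYTES["ML_DSA" if migrated else key["type"]]
    costs = sorted(sig_bytes(k, migrated) for k in key["keys"])
    return sum(costs[:required(key)])


def assess(account):
    """Summarise quantum exposure and signature cost for one inventory record."""
    key = account["key"]
    return {
        "id": account["id"],
        "exposed": forgeable(key),
        "sig_bytes_now": sig_bytes(key),
        "sig_bytes_migrated": sig_bytes(key, migrated=True),
    }


# Constructed sample inventory (account IDs are placeholders).
INVENTORY = [
    {"id": "0.0.1001", "key": {"type": "ED25519"}},
    {"id": "0.0.1002", "key": {"threshold": 2, "keys": [
        {"type": "ED25519"}, {"type": "ECDSA_SECP256K1"}, {"type": "ML_DSA"}]}},
    {"id": "0.0.1003", "key": {"keys": [  # KeyList: every key must sign
        {"type": "ED25519"}, {"type": "ML_DSA"}]}},
]

if __name__ == "__main__":
    for acct in INVENTORY:
        print(assess(acct))
```

The 2-of-3 threshold account is still reported as exposed even though one member key is post-quantum, because the two legacy keys alone meet the threshold; the KeyList account is not, because every key must sign.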
For those evaluating wallets and custody solutions:
Projects building with post-quantum security from the ground up, such as wallets using NIST-aligned lattice-based cryptography, represent a structurally different risk profile than existing ECDSA/EdDSA wallets. BMIC.ai, for example, is one project in the space that has architected its wallet and token infrastructure around lattice-based, NIST PQC-aligned schemes specifically to address the Q-day exposure that legacy signature algorithms carry.
---
Comparing Hedera's Quantum Posture to Other Major Networks
| Network | Default Signature Scheme | Public Key Exposed On-Chain | Known PQC Migration Plan |
|---|---|---|---|
| Hedera (HBAR) | Ed25519 / ECDSA | Yes (explicit account record) | No finalised HIP |
| Ethereum | ECDSA (secp256k1) | Only when address transacts | EIP research stage (EIP-7639 discussion) |
| Bitcoin | ECDSA / Schnorr | Only when UTXO spent | No formal plan; BIP discussions only |
| Algorand | Ed25519 | Yes (account model) | State proofs use Falcon (PQC) for bridges |
| Cardano | Ed25519 | Yes | Research phase; no protocol-level PQC yet |
Algorand is a partial exception: its state proof system uses Falcon, a NIST-standardised lattice-based signature scheme, for cross-chain bridge attestations. However, user account keys on Algorand remain Ed25519. It represents partial PQC adoption rather than end-to-end quantum resistance.
---
Summary: Is Hedera Quantum Safe?
The direct answer is no, not currently. Hedera uses Ed25519 and ECDSA, both of which are vulnerable to Shor's algorithm running on a CRQC. The explicit account model means public keys are permanently exposed on-chain, removing even the limited hash-obscurity protection that unspent Bitcoin UTXOs provide. Hedera's governance structure and SDK architecture create plausible pathways for a future PQC migration, but no concrete, time-bound plan has been published. Given that cybersecurity agencies place the migration deadline at 2030–2035, and given Hedera's enterprise scale, the absence of a published roadmap is a material gap rather than a minor oversight.
This does not make HBAR worthless or immediately threatened. Q-day is not tomorrow. But the structural exposure is real, the harvest-now-decrypt-later threat is active today, and the time to begin protocol-level migration planning is well before a CRQC is publicly demonstrated.
Frequently Asked Questions
Is Hedera (HBAR) quantum safe?
No. Hedera currently uses Ed25519 and ECDSA signatures, both of which are broken by Shor's algorithm on a cryptographically relevant quantum computer. Hedera has not published a finalised post-quantum migration plan as of mid-2025.
Why is Hedera's explicit account model a greater quantum risk than Bitcoin's UTXO model?
Hedera stores public keys directly in on-chain account records, making them permanently visible. Bitcoin UTXOs that have never been spent expose only a hash of the public key, providing one additional layer of obscurity. Once a quantum computer is available, every Hedera account's public key is immediately accessible for attack with no extra steps required.
What would a post-quantum upgrade to Hedera involve?
It would require a Hedera Improvement Proposal (HIP) to register a new PQC-compatible key type, SDK updates to generate and verify lattice-based signatures (such as ML-DSA / CRYSTALS-Dilithium), and a user-initiated key rotation process for all existing accounts. Signature size increases would also affect throughput and storage costs.
What is the 'harvest now, decrypt later' attack and does it affect HBAR holders today?
Harvest-now-decrypt-later (HNDL) means adversaries record blockchain data today, including public keys, and decrypt or forge signatures once a quantum computer is available. Because Hedera's public keys are already on-chain, HBAR holders are theoretically exposed to this attack now, even though a CRQC does not yet exist.
Which post-quantum signature algorithm would best suit Hedera?
ML-DSA (CRYSTALS-Dilithium, standardised as FIPS 204 by NIST in 2024) is the most likely candidate because it offers the best balance of signature size and security among NIST-standardised schemes. SLH-DSA (SPHINCS+) is more conservative but produces much larger signatures that would strain Hedera's throughput.
When should HBAR holders and developers start worrying about quantum risk?
Government agencies including CISA, the NSA, and the NCSC recommend completing migration to post-quantum cryptography by 2030–2035. For large-scale infrastructure like Hedera, migration planning should begin years before Q-day arrives. The harvest-now-decrypt-later threat also means some risk exists today, not only at the point a quantum computer becomes operational.