Is Hermez Network Quantum Safe?
Is Hermez Network quantum safe? That question matters more than most HEZ holders realise. Hermez Network, now integrated into the Polygon ecosystem as Polygon Hermez, is a zk-rollup scaling solution built on Ethereum. It inherits Ethereum's cryptographic assumptions, which means it relies on elliptic-curve cryptography that a sufficiently powerful quantum computer could break. This article examines exactly which cryptographic primitives HEZ uses, what Q-day exposure looks like in practice, what migration paths exist, and how lattice-based post-quantum wallets offer a structurally different security model.
What Cryptography Does Hermez Network Actually Use?
Hermez Network is a Layer 2 zk-rollup that settles on Ethereum mainnet. Understanding its quantum exposure requires separating two distinct cryptographic layers: the account and signature layer and the proof system layer.
Account and Signature Layer: ECDSA on secp256k1
Like every Ethereum-compatible network, Hermez uses ECDSA (Elliptic Curve Digital Signature Algorithm) on the secp256k1 curve for the Ethereum-side key pairs and for transaction authorisation on mainnet: depositing into the rollup, withdrawing from it, and moving HEZ as an ERC-20 token are all authorised by a secp256k1 signature whose private key is a 256-bit scalar. Inside the rollup, Hermez 1.0 additionally identifies each L2 account by a Baby Jubjub public key and authorises L2 transfers with EdDSA over that curve, chosen because it is cheap to verify inside a zk-SNARK circuit.
The security of ECDSA on secp256k1 rests on the elliptic-curve discrete logarithm problem (ECDLP); EdDSA on Baby Jubjub rests on the same problem over a different curve. The best classical algorithms need on the order of 2^128 curve operations to solve a 256-bit instance, which is infeasible. A quantum computer running Shor's algorithm, however, solves ECDLP in polynomial time and recovers the private key from the public key. That is the core quantum threat, and it applies to both curves.
The zk-SNARK Proof System: Groth16 and BN254
Hermez's rollup proofs are generated with circom and snarkjs using Groth16, a zk-SNARK construction. Groth16 relies on bilinear pairings over a pairing-friendly curve; for Hermez that curve is BN254 (alt_bn128), because it is the only pairing curve Ethereum's precompiles could verify on-chain when the rollup was built. (BLS12-381, often mentioned in this context, is used by Ethereum's consensus-layer BLS signatures and by other proof systems, not by Hermez's verifier contract.) The security assumptions are:
- Discrete logarithm hardness in the BN254 groups (broken by Shor's algorithm on a quantum computer)
- Knowledge-of-exponent and related q-type assumptions, which are only plausible while discrete logarithms are hard
This means the proof system itself, not just the wallet layer, is vulnerable to a cryptographically relevant quantum computer (CRQC). Concretely, the Groth16 proving and verification keys are published as group elements of the form g^(tau^i); an attacker who can take discrete logarithms in BN254 can recover the trusted-setup secret tau from those public parameters and then forge a valid-looking proof for a false state transition, which is exactly what the bridge contract relies on proofs to prevent. Proofs already accepted on-chain are not retroactively invalidated; the risk is to future state updates and withdrawals.
Hash Functions: Poseidon and Keccak-256
Hermez uses Poseidon, a ZK-friendly hash function defined over the roughly 254-bit scalar field of BN254, inside circuits, and Keccak-256 (Ethereum's native hash) at the smart-contract layer. Grover's algorithm gives a quadratic speedup on preimage search, so a hash keeps only half of its output length as quantum preimage security: Keccak-256 offers roughly 128-bit post-quantum preimage resistance, and its collision resistance degrades less (the best known quantum collision attacks need impractical amounts of quantum memory). Most security frameworks consider 128 bits adequate for the near term, so output sizes need doubling only where 256-bit post-quantum security is required. Hash functions are therefore the least urgent quantum concern for Hermez.
---
Understanding Q-Day: Why It Matters for HEZ Holders
Q-day refers to the point at which a quantum computer becomes powerful enough to break ECDSA or RSA at cryptographically relevant scale (a CRQC). Nobody has a reliable date. What does exist is a policy timeline: NIST's transition guidance (draft NIST IR 8547, 2024) proposes deprecating quantum-vulnerable algorithms such as ECDSA and RSA by 2030 and disallowing them after 2035, and the NSA's CNSA 2.0 schedule requires national security systems to complete their move to post-quantum algorithms on a similar timeline. Those dates are migration deadlines chosen to stay ahead of the threat, not estimates of when a CRQC will exist; academic resource estimates for breaking 256-bit curves keep falling as error-correction improves, which is why the timeline is genuinely uncertain.
The "Harvest Now, Decrypt Later" Risk
The more immediate threat is not a quantum computer breaking your wallet today. It is the harvest now, decrypt later (HNDL) strategy, which for signature keys really means "harvest now, derive the private key later". Nation-state or well-resourced adversaries can:
- Rely on the fact that every blockchain transaction, including Hermez state roots and on-chain calldata, is already a permanent public archive; nothing needs to be intercepted.
- Index the public keys exposed in those transactions (for Ethereum, the key is recoverable from any signature the address has produced).
- Wait until a CRQC is available.
- Retroactively derive the private key from each exposed public key and drain any wallet that still holds a balance under the same address, signing valid transactions exactly as the real owner would.
Because an Ethereum account is reused by design (one externally owned account, one key pair, every outgoing transaction signed by that key), the public key of every HEZ holder who has ever sent a transaction is already on-chain and waiting for a quantum computer to process it.
Exposed vs. Unexposed Public Keys
Not all Ethereum addresses carry equal quantum risk right now:
| Address State | Quantum Risk Level | Reason |
|---|---|---|
| Funded, never transacted | Lower (near term) | Address is only a hash of the public key; the key itself is not yet on-chain |
| Has sent at least one tx | High | Public key is recoverable from that transaction's signature |
| Contract wallet (multisig) | High | Each signer's public key is exposed once that signer has approved a transaction; the contract itself holds no key |
| Reused across multiple txs | High | Public key permanently on-chain, confirmed by multiple signatures |
This distinction matters for HEZ: users who have interacted with the Hermez bridge, staked HEZ, or voted in governance have exposed their public keys on Ethereum mainnet.
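The exposure described in the table above, as an added example that is not part of the original article or of any Hermez/Polygon code: a pure-Python secp256k1 implementation that signs a message hash and then recovers the signer's public key from nothing but the signature and the hash, which is what any chain indexer (and any future quantum attacker) can do for every address that has ever sent a transaction. Assumptions: SHA-256 stands in for Keccak-256 in the address derivation (hashlib ships no Keccak, so the address printed is illustrative, not a real Ethereum address), the demo key and message are constructed, and the nonce derivation is a simplification rather than RFC 6979.

```python
# Added example (not Hermez/Polygon code): sign with secp256k1 ECDSA, then
# recover the public key from the signature alone. Pure Python, not constant
# time, demo only. SHA-256 stands in for Keccak-256 (assumption: hashlib has no
# Keccak), so the "address" below is illustrative, not a real Ethereum address.
import hashlib

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add; scalar_mult(N, G) is the point at infinity (None)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey_to_address(pub):
    """Ethereum addresses are the last 20 bytes of a hash of the public key, so an
    address that has never signed reveals only a hash, not the key itself."""
    x, y = pub
    digest = hashlib.sha256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()
    return "0x" + digest[-20:].hex()


def sign(priv, z):
    """ECDSA over the message hash z, returning (r, s, v); v is the recovery id
    that Ethereum stores alongside r and s in every transaction. The nonce k is
    hashed from (priv, z) as a stand-in for RFC 6979; the rx >= N case, which has
    probability about 2^-128, is ignored. No low-s normalisation."""
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big")
                                      + z.to_bytes(32, "big")).digest(), "big") % N
    rx, ry = scalar_mult(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s, ry & 1


def recover(sig, z):
    """Recover the signer's public key Q from (r, s, v) and z with no secret input:
    R is the curve point with x = r and y-parity v, and Q = r^-1 * (s*R - z*G)."""
    r, s, v = sig
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)   # sqrt works because P = 3 mod 4
    if y & 1 != v:
        y = P - y
    R = (r, y)
    minus_zg = scalar_mult((-z) % N, G)
    return scalar_mult(pow(r, -1, N), point_add(scalar_mult(s, R), minus_zg))


def demo():
    """Constructed scenario: one outgoing transaction is enough to publish the key."""
    priv = 0x4C0883A69102937D6231471B5DBB6204FE5129617082792AE468D01A3F362318  # throwaway demo key
    pub = scalar_mult(priv, G)
    z = int.from_bytes(hashlib.sha256(b"constructed tx: move 100 HEZ").digest(), "big")
    sig = sign(priv, z)
    recovered = recover(sig, z)             # needs only what the chain already shows
    return {"address": pubkey_to_address(pub),
            "recovered_matches": recovered == pub}


if __name__ == "__main__":
    print(demo())
```

The point to take from running it: `pubkey_to_address` is a one-way hash, so an address that has only ever received funds gives an attacker a preimage problem, while `recover` needs no secret at all and turns the first outgoing signature into the full public key that Shor's algorithm would operate on.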
---
Does Hermez Network Have a Quantum Migration Plan?
As of the time of writing, neither the original Hermez roadmap nor Polygon's successor documentation (Polygon zkEVM, which supersedes Polygon Hermez) includes a concrete, scheduled migration to post-quantum cryptography.
What Polygon's Roadmap Does Address
Polygon's broader research agenda includes:
- Continued optimisation of zk-SNARK and zk-STARK proving systems.
- Exploration of recursive proofs and proof aggregation for scalability.
- General cryptographic agility within the zkEVM architecture.
zk-STARKs are worth noting here. Unlike Groth16 zk-SNARKs, zk-STARKs rely only on hash-function collision resistance (through Merkle commitments and FRI) and use neither elliptic-curve pairings nor a trusted setup, so a purely STARK-based proof system would eliminate the pairing-based quantum exposure at the proof layer. Polygon zkEVM already uses STARKs internally: its prover generates STARK proofs and aggregates them recursively. However, the final proof posted to Ethereum is wrapped in a pairing-based SNARK over BN254 so that the on-chain verifier stays cheap, which means the soundness of what L1 actually checks still rests on pairing assumptions. No public timeline for verifying STARKs directly on L1 has been announced.
NIST PQC Standards: The Baseline for Any Migration
In August 2024, NIST finalised its first set of post-quantum cryptography (PQC) standards:
- FIPS 203, ML-KEM (formerly CRYSTALS-Kyber), for key encapsulation
- FIPS 204, ML-DSA (formerly CRYSTALS-Dilithium), for lattice-based digital signatures
- FIPS 205, SLH-DSA (formerly SPHINCS+), for hash-based signatures
A fourth scheme, FN-DSA (formerly FALCON, FIPS 206), offers more compact lattice-based signatures but was still a draft at the time of writing, and NIST has since selected HQC as a backup, code-based key-encapsulation mechanism for future standardisation.
Any credible quantum migration for a network like Hermez would need to replace ECDSA with one of these standardised algorithms at the wallet and transaction-signing layer. Replacing the proof system's pairing-based assumptions would require a separate, more complex engineering effort.
---
How Lattice-Based Post-Quantum Wallets Differ
The structural difference between a standard Ethereum-compatible wallet and a post-quantum wallet comes down to the mathematical hardness problem underlying the key pair.
ECDSA vs. Lattice-Based Signatures
| Property | ECDSA (secp256k1) | Lattice-Based (e.g., ML-DSA) |
|---|---|---|
| Hardness assumption | Elliptic-curve DLOG | Module-LWE and Module-SIS (lattice problems) |
| Broken by Shor's algorithm | Yes | No known quantum attack beyond generic speedups |
| Public key size | 33 to 65 bytes | ~1.3 KB (ML-DSA-44) to ~2.6 KB (ML-DSA-87) |
| Signature size | 65 bytes (r, s, v) | ~2.4 KB (ML-DSA-44) to ~4.6 KB (ML-DSA-87) |
| Key generation speed | Very fast | Fast |
| NIST post-quantum standard | No (ECDSA is in FIPS 186, but secp256k1 is not a NIST curve and the scheme is quantum-vulnerable either way) | Yes (FIPS 204, 2024) |
| Deployed at scale | Yes (Ethereum, Bitcoin) | Emerging |
Lattice-based schemes derive their security from the Learning With Errors (LWE) problem and its module variants, which ask an adversary to recover a secret vector s from noisy linear equations b = A·s + e (mod q), or merely to distinguish such equations from uniformly random ones. Without the small error term e this would be ordinary linear algebra over Z_q; the noise turns it into a lattice problem for which the best known classical and quantum algorithms are both lattice reduction, and quantum computers offer only modest (polynomial, Grover-type) speedups rather than the exponential one Shor's algorithm gives against DLOG. This is why NIST selected lattice-based constructions (ML-DSA and, once finalised, FN-DSA) as its primary PQC signature standards.
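To make the role of the error term concrete, here is an added toy example that is not from the original article or from any PQC library: a tiny LWE instance attacked with the obvious tool, Gauss-Jordan elimination over Z_q. Without noise the solver returns the secret immediately; with noise it returns s + A^-1·e, which is useless. The parameters (n = 8, q = 97, errors in {-1, 0, 1}) and the seed are constructed for illustration and are nowhere near real ML-DSA sizes.

```python
# Added example (not from the page or any PQC library): a toy Learning With
# Errors instance showing why the error term matters. Without noise,
# b = A*s mod q is plain linear algebra and Gauss-Jordan elimination over Z_q
# recovers s at once; with small noise, b = A*s + e mod q, the same elimination
# returns s + A^-1 e, which is useless. Parameters (n = 8, q = 97) are constructed
# for illustration; ML-DSA works with 256-coefficient polynomials and q = 8380417.
import random


def solve_mod_q(A, b, q):
    """Solve A x = b over Z_q (q prime) by Gauss-Jordan elimination.
    Returns the unique solution, or None if A is singular mod q."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % q), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [row[n] for row in M]


def make_instance(n, q, rng):
    """Constructed LWE instance: uniform invertible A, uniform secret s, small
    error e drawn from {-1, 0, 1}; returns both the clean and the noisy b."""
    while True:
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        if solve_mod_q(A, [0] * n, q) is not None:   # keep only invertible A
            break
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(n)]
    b_clean = [sum(a * x for a, x in zip(row, s)) % q for row in A]
    b_noisy = [(bc + ei) % q for bc, ei in zip(b_clean, e)]
    return A, s, e, b_clean, b_noisy


def demo(seed=1, n=8, q=97):
    """Attack the noiseless and the noisy system with the same linear solver."""
    rng = random.Random(seed)
    A, s, e, b_clean, b_noisy = make_instance(n, q, rng)
    return {
        "secret": s,
        "error": e,
        "from_clean": solve_mod_q(A, b_clean, q),   # equals s
        "from_noisy": solve_mod_q(A, b_noisy, q),   # equals s only if e is all zero
    }


if __name__ == "__main__":
    r = demo()
    print("noiseless system recovers s:", r["from_clean"] == r["secret"])
    print("noisy system recovers s:    ", r["from_noisy"] == r["secret"], "error =", r["error"])
```

Two caveats on reading the output. Because A is invertible, the noisy solve returns exactly s + A^-1·e, so it matches s only in the measure-zero case where every error coordinate is 0; and at n = 8 a lattice-reduction algorithm such as LLL would still recover s easily. The example shows why the problem changes category from linear algebra to a lattice problem; it is the real parameter sizes that make lattice reduction infeasible.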
The Signature Size Trade-off
The main practical cost of lattice-based signatures is size. An ML-DSA signature is roughly 37 to 70 times larger than a 65-byte ECDSA signature depending on the parameter set, and the public key also has to be transmitted or stored somewhere, whereas an Ethereum externally owned account never stores its public key at all because verifiers recover it from the signature. For a rollup like Hermez, where calldata compression is central to the cost model, adopting lattice-based signatures at the transaction layer would multiply per-transaction data costs unless the rollup's data availability and compression layers are redesigned alongside the cryptographic upgrade.
This is not an insurmountable engineering problem, but it illustrates why post-quantum migration for a zk-rollup is more complex than simply swapping signature algorithms.
Hash-Based Alternatives
SLH-DSA (SPHINCS+) offers an alternative: it relies only on hash-function security, making it the most conservative and best-understood choice. The trade-off is larger signatures still (roughly 8 to 50 KB depending on parameter set) and slow signing, although verification is reasonably fast. For blockchain applications where transaction throughput and data costs matter, lattice-based schemes are generally preferred over hash-based ones.
---
What Should HEZ Holders Do Now?
While waiting for protocol-level quantum migration, individual holders can take practical steps to reduce their personal exposure.
Practical Steps for HEZ / Polygon Holders
- Avoid address reuse, within the limits of the account model. Ethereum has no change addresses: the first transaction you send from an address publishes its public key, and every later transaction from it is signed by the same key. Receiving into a fresh address keeps that key unexposed only until the address first spends, so park long-term holdings on addresses that have never sent anything.
- Migrate balances away from addresses that have already signed. If you hold HEZ on an address that has sent transactions, its public key is already on-chain; consider moving the funds to a fresh address whose public key has not yet been exposed. The move itself signs once more with the already-exposed old key and reveals nothing about the new one.
- Monitor NIST PQC adoption in Ethereum tooling. The Ethereum Foundation has published research on account abstraction (EIP-4337) as a potential pathway for integrating alternative signature schemes without a hard fork.
- Consider quantum-resistant custody for high-value holdings. Projects building on NIST-standardised lattice cryptography offer key material that a CRQC cannot derive from anything published. BMIC.ai, for example, is a post-quantum wallet designed specifically around lattice-based cryptography and NIST PQC alignment, built for holders who want forward-looking protection before Q-day arrives. Understand the limit of any such wallet today, though: a HEZ transfer on Ethereum is still authorised by a secp256k1 signature, so a post-quantum wallet can protect its own key storage, backups and custody flows, but it can only enforce post-quantum signing on-chain through a contract account whose verifier accepts the post-quantum scheme.
- Watch Ethereum's quantum roadmap. Ethereum co-founder Vitalik Buterin has publicly discussed post-quantum account abstraction as a hard-fork path. Any such upgrade would benefit Hermez/Polygon users indirectly.
---
The Broader Ecosystem Risk: Not Just Hermez
Hermez does not exist in isolation. Its quantum risk profile is shared by virtually every EVM-compatible chain:
- Ethereum mainnet uses ECDSA on secp256k1.
- Polygon PoS uses the same.
- Arbitrum, Optimism, Base all use the same wallet-layer cryptography.
- Bitcoin uses ECDSA and Schnorr signatures, both vulnerable to Shor's algorithm.
What distinguishes chains from one another in a post-quantum threat model is primarily governance agility (can the network coordinate a migration?) and proof system design (STARK-based systems have less pairing-based exposure). Hermez, now absorbed into the Polygon ecosystem, benefits from Polygon's research resources, but the absence of a public PQC roadmap is a gap that serious holders should track.
---
Summary: Is Hermez Network Quantum Safe?
The direct answer is no, not currently. Hermez Network uses ECDSA at the wallet layer and pairing-based zk-SNARKs at the proof layer. Both are vulnerable to a cryptographically relevant quantum computer. Hash functions used within the stack are relatively more resilient. There is no publicly announced, scheduled migration to post-quantum cryptography for the Hermez or Polygon zkEVM stack.
The timeline to Q-day remains uncertain, and the near-term risk to most retail holders is low. However, the harvest-now-decrypt-later threat is real and already in play for anyone who has exposed their public key on-chain. The prudent approach is to treat quantum migration as a known, scheduled engineering problem, not a speculative concern, and to monitor both Ethereum's account abstraction roadmap and NIST's evolving PQC standards for the signals that will define the migration window.
Frequently Asked Questions
Is Hermez Network quantum safe right now?
No. Hermez Network uses ECDSA on secp256k1 for Ethereum-side transaction signing (and EdDSA on Baby Jubjub for L2 accounts) and pairing-based zk-SNARKs (Groth16 over BN254) for its proof system. Both are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. There is no currently announced post-quantum migration plan for the Hermez or Polygon zkEVM stack.
What is the biggest quantum threat to HEZ holders specifically?
The biggest near-term threat is 'harvest now, decrypt later.' Any HEZ holder who has sent transactions from an address has already exposed their public key on Ethereum mainnet. A future quantum computer could use that public key to derive the private key and drain the wallet. Holders who reuse addresses are most exposed.
Are zk-SNARKs quantum resistant?
Standard zk-SNARKs like Groth16 rely on bilinear pairings over elliptic curves. The discrete logarithm assumptions underlying those pairings are broken by Shor's algorithm. zk-STARKs, which rely only on hash function security, are considered more quantum-resistant, but Hermez/Polygon zkEVM currently uses a pairing-based proving stack.
What cryptographic algorithms are considered post-quantum safe?
NIST finalised its first post-quantum cryptography standards in 2024: ML-KEM (Kyber, FIPS 203) for key encapsulation, ML-DSA (Dilithium, FIPS 204) for lattice-based digital signatures, and SLH-DSA (SPHINCS+, FIPS 205) for hash-based signatures. FN-DSA (FALCON, FIPS 206), a more compact lattice-based signature scheme, is still in draft. All are designed to resist known quantum attacks, including Shor's algorithm, and their parameter sets are chosen with Grover-type speedups already accounted for.
Could Ethereum's account abstraction roadmap help Hermez users?
Potentially yes. EIP-4337 and related account abstraction proposals allow wallets to use custom signature verification logic, which could include post-quantum signature schemes without requiring an Ethereum hard fork at the base layer. If adopted broadly, this would benefit all EVM-compatible chains including Polygon Hermez indirectly.
How does a lattice-based wallet differ from a standard Ethereum wallet?
A standard Ethereum wallet uses ECDSA, whose security rests on the elliptic-curve discrete logarithm problem, broken by Shor's algorithm. A lattice-based wallet uses algorithms like ML-DSA, whose security rests on the Module Learning With Errors and Module-SIS problems, which have no known efficient quantum solution. The trade-off is larger signatures (roughly 2.4 to 4.6 KB depending on the ML-DSA parameter set, vs. 65 bytes) and a public key that must be stored explicitly, but the quantum security guarantee is structurally different.