Is IOST Quantum Safe?
Is IOST quantum safe? That question is no longer academic. IOST uses the same family of elliptic-curve cryptographic primitives that power most proof-of-stake networks, and those primitives face a well-documented structural threat from sufficiently powerful quantum computers. This article maps exactly which cryptographic schemes IOST relies on, explains how a quantum adversary could exploit them, surveys the migration options that exist at the protocol level, and benchmarks those options against the lattice-based post-quantum standards that NIST finalised in 2024.
What Cryptography Does IOST Actually Use?
IOST (Internet of Services Token) is a high-throughput layer-1 blockchain designed around its Proof-of-Believability (PoB) consensus mechanism. Like virtually every major smart-contract chain launched before 2023, it inherits its key-management layer from established elliptic-curve cryptography.
Signature Schemes in IOST
IOST's core protocol supports two signature algorithms:
- Secp256k1 ECDSA — the same curve used by Bitcoin and Ethereum. Private keys are 256-bit scalars; public keys are points on the Secp256k1 curve.
- Ed25519 (EdDSA) — a Schnorr-variant scheme built on Curve25519, offering faster verification and resistance to certain implementation-level side-channel attacks compared with classic ECDSA.
Both are standard choices for performance-oriented blockchains. Both are, however, vulnerable to Shor's algorithm running on a cryptographically relevant quantum computer (CRQC).
Key Derivation and Hashing
IOST uses SHA-3 (Keccak-256) for address derivation and transaction hashing. Hash functions are comparatively resilient to quantum attack: Grover's algorithm cuts effective security from 256 bits to roughly 128 bits, which most cryptographers consider an acceptable margin for the foreseeable quantum timeline. The critical weak point is not the hash function. It is the public-key cryptography layer.
---
What Is Q-Day and Why Does It Matter for IOST Holders?
Q-Day is the colloquial term for the point in time when a quantum computer becomes capable of running Shor's algorithm at scale against 256-bit elliptic-curve keys within a practically useful timeframe, perhaps hours or days rather than millennia.
How Shor's Algorithm Breaks ECDSA and EdDSA
Shor's algorithm solves the discrete logarithm problem on elliptic curves in polynomial time. In plain terms:
- An attacker observes your public key on-chain (every time you sign a transaction, your public key is broadcast to the network).
- The attacker feeds that public key into a CRQC running Shor's algorithm.
- The CRQC derives your private key from the public key in feasible time.
- The attacker signs fraudulent transactions, draining your wallet before you can react.
This attack vector is sometimes called the "harvest now, decrypt later" threat. Adversaries can record public keys from the blockchain today and decrypt them the moment a CRQC becomes available.
IOST-Specific Exposure
Because IOST supports both Secp256k1 and Ed25519, every address on the network is potentially exposed regardless of which signing method its owner chose. Ed25519 is often marketed as more secure than ECDSA because of its cleaner design, but "more secure" refers to classical adversaries and implementation robustness, not quantum resistance. Curve25519 is still an elliptic curve, and Shor's algorithm breaks it just as efficiently as Secp256k1.
Addresses that have never broadcast a transaction enjoy one layer of practical obscurity: the public key has not been revealed, so an attacker cannot yet run the inversion. Once any outgoing transaction is signed, however, that protection evaporates entirely.
---
IOST's Current Quantum Migration Roadmap
As of mid-2025, IOST has not published a formal post-quantum cryptography (PQC) migration roadmap in its public documentation or governance forums. This is not unusual. The overwhelming majority of major layer-1 networks, including Ethereum, Solana, and Avalanche, also lack finalised PQC upgrade timelines.
What a Credible Migration Would Require
For IOST to become genuinely quantum safe, it would need to address at least the following layers:
| Layer | Current State | PQC Requirement |
|---|---|---|
| Transaction signatures | ECDSA / Ed25519 | Replace with CRYSTALS-Dilithium, FALCON, or SPHINCS+ |
| Address format | Derived from EC public key | Re-derive from PQC public key; requires user migration |
| Consensus (PoB validator signatures) | Ed25519 | Upgrade validator signing keys to PQC scheme |
| Smart-contract key ops (e.g. ecrecover-equivalent) | EC-based | New PQC-compatible precompiles |
| Wallet and SDK layer | Standard EC libraries | New PQC key generation and signing libraries |
A full migration involves a coordinated hard fork, extended transition window during which old and new addresses coexist, and significant SDK changes for every dApp and exchange integration. Ethereum's own researchers estimate such a migration would take multiple years after a decision is made. IOST, with a smaller developer ecosystem, could move faster in theory, but governance coordination remains the binding constraint.
NIST PQC Standards: The Benchmark
In August 2024, NIST finalised three post-quantum standards:
- CRYSTALS-Dilithium (ML-DSA) — lattice-based digital signature, primary recommendation for general use.
- FALCON (FN-DSA) — lattice-based, smaller signatures, suited for bandwidth-constrained environments.
- SPHINCS+ (SLH-DSA) — hash-based, conservative security assumptions, larger signature size.
Any credible blockchain PQC upgrade would be expected to align with one or more of these standards. Lattice-based schemes (Dilithium, FALCON) are the leading candidates for transaction-level signatures because their signature sizes and verification speeds are practical for high-throughput chains.
---
Comparing Quantum Exposure Across Major Layer-1 Networks
IOST is not uniquely vulnerable. The table below places it in context.
| Network | Signature Scheme | Hash Function | Formal PQC Roadmap? | Notes |
|---|---|---|---|---|
| IOST | Secp256k1 / Ed25519 | Keccak-256 | No | Both curves broken by Shor's |
| Ethereum | Secp256k1 | Keccak-256 | Research stage only | EIP-7560 touches AA; no PQC timeline |
| Solana | Ed25519 | SHA-256 | No | Same Ed25519 exposure |
| Cardano | Ed25519 | Blake2b | No | Actively researching, no schedule |
| Bitcoin | Secp256k1 | SHA-256 / RIPEMD-160 | No | P2PKH offers address-level obscurity |
| QRL | XMSS (hash-based) | SHA-256 | Native PQC | Built from scratch for PQC |
The honest conclusion is that IOST's quantum exposure profile is comparable to Ethereum and Solana: meaningful, unmitigated at the protocol level, and dependent on a future hard fork that has not been scheduled.
---
How Lattice-Based Post-Quantum Wallets Differ
The distinction between a standard IOST wallet and a lattice-based post-quantum wallet is not merely cosmetic. It reflects a fundamental difference in the mathematical hardness assumption underlying key security.
Classical EC Wallets
Security rests on the elliptic-curve discrete logarithm problem (ECDLP). For classical computers, this is computationally infeasible at 256 bits. For a CRQC, Shor's algorithm reduces it to polynomial time.
Lattice-Based PQC Wallets
Security rests on the Learning With Errors (LWE) problem or its ring variant (RLWE). No known quantum algorithm, including Shor's or Grover's, solves LWE in polynomial time. The best known quantum attacks offer only modest speedups, leaving security margins intact even against CRQCs.
Concretely, a wallet implementing CRYSTALS-Dilithium for signing:
- Generates a key pair using structured lattice operations rather than elliptic-curve scalar multiplication.
- Produces signatures of roughly 2.4 KB (Dilithium3), compared with 64-72 bytes for an Ed25519 signature. This is the main practical tradeoff.
- Remains secure against both classical and quantum adversaries under current cryptanalysis.
Projects building PQC-native infrastructure today, such as BMIC.ai with its NIST-aligned lattice-based wallet, are establishing the architecture that standard chains will eventually need to retrofit at far greater cost and coordination complexity.
The Signature Size Tradeoff
The larger signature footprint of lattice-based schemes is a real engineering concern for a throughput-focused chain like IOST, which targets thousands of transactions per second. Two mitigations exist:
- FALCON produces signatures of approximately 690 bytes, significantly smaller than Dilithium, at the cost of more complex signing operations.
- Signature aggregation techniques can batch PQC signatures, partially offsetting the per-transaction overhead.
Neither solution is trivial to implement, which partly explains why no high-throughput chain has completed the migration. It is an engineering problem with a known solution, not an unsolvable one.
---
Practical Risk Assessment for IOST Token Holders
Quantum risk for retail IOST holders can be stratified by behaviour:
Lower Near-Term Risk Profiles
- Address reuse avoidance: Users who generate a fresh address for every transaction limit public-key exposure, though this only delays rather than eliminates risk once a CRQC exists.
- Cold storage with no outgoing transactions: If the public key has never been broadcast, the attack surface is limited to hash pre-image attacks, which remain practically infeasible even with Grover's.
Higher Near-Term Risk Profiles
- Active DeFi users: Every on-chain interaction broadcasts a signature and thus the public key. Wallets with long public transaction histories have fully exposed public keys.
- Exchange-held IOST: Custodians typically reuse addresses, meaning large pools of IOST on exchanges have exposed public keys. The exchange rather than the individual bears key-management responsibility, but concentrated pools are high-value targets.
- Smart-contract interactions: Contracts that store or verify EC public keys on-chain compound exposure.
Timeline Considerations
Estimates for when a CRQC capable of breaking 256-bit EC keys will exist range widely: optimistic projections from some research groups suggest the 2030s; mainstream cryptographic consensus places it further out but with significant uncertainty. The prudent frame is not "when will this happen?" but "what is the cost of being wrong?" For large holdings, that cost is total loss.
---
What Should IOST Do Next? Migration Options Ranked
If IOST's core development team were to prioritise quantum safety, the most credible sequence would be:
- Adopt CRYSTALS-Dilithium or FALCON as a supported signature scheme in a soft-fork-compatible layer, allowing new addresses to use PQC keys without immediately deprecating EC keys.
- Define a sunset window for EC-based addresses, giving users 12-24 months to migrate holdings to PQC addresses.
- Upgrade validator signing to PQC in a coordinated hard fork.
- Release updated SDKs for all major languages (JavaScript, Go, Java) with PQC key generation built in.
- Engage NIST-aligned audit firms to certify the implementation against ML-DSA and FN-DSA test vectors.
This is a multi-year programme. Starting later compresses the safety window and increases the probability of a disorderly migration under adversarial conditions.
---
Summary
IOST is not quantum safe. It uses Secp256k1 ECDSA and Ed25519, both of which are broken by Shor's algorithm on a CRQC. Its hashing layer (Keccak-256) offers acceptable quantum resistance, but that does not protect the key infrastructure. No public PQC migration roadmap exists as of mid-2025. The risk is not immediate but is structural and cannot be resolved by user behaviour alone: it requires a protocol-level hard fork aligned with NIST PQC standards. Holders with significant IOST exposure should monitor governance discussions for any PQC upgrade proposals and weigh custodial versus self-custody key exposure accordingly.
Frequently Asked Questions
Is IOST quantum safe right now?
No. IOST relies on Secp256k1 ECDSA and Ed25519, both of which are vulnerable to Shor's algorithm running on a cryptographically relevant quantum computer. There is no finalised protocol-level PQC upgrade as of mid-2025.
Does Ed25519 offer any quantum protection compared with ECDSA?
Not meaningfully. Ed25519 is more robust against classical implementation attacks and certain side-channel exploits, but it is still an elliptic-curve scheme. Shor's algorithm solves the discrete logarithm problem on Curve25519 just as efficiently as on Secp256k1.
What post-quantum signature schemes would IOST need to adopt?
The NIST-finalised options are CRYSTALS-Dilithium (ML-DSA), FALCON (FN-DSA), and SPHINCS+ (SLH-DSA). Dilithium and FALCON are lattice-based and the most practical for high-throughput transaction signing. SPHINCS+ uses a hash-based approach with larger signature sizes.
Can I protect my IOST holdings from quantum attack today?
You can reduce exposure by avoiding address reuse and keeping assets in cold storage with no outgoing transactions, which prevents your public key from being broadcast. However, these are delay tactics. Full protection requires a protocol-level migration to post-quantum cryptography.
How does Q-day timing affect the urgency for IOST?
Mainstream cryptographic consensus places a CRQC capable of breaking 256-bit EC keys in the 2030s or later, though estimates vary. The 'harvest now, decrypt later' threat means public keys recorded from the blockchain today could be decrypted retroactively once such a machine exists, so migration should precede Q-day by a meaningful margin.
Which blockchains are already quantum safe?
Very few. QRL (Quantum Resistant Ledger) was built from the ground up using XMSS, a hash-based post-quantum signature scheme. Most major layer-1 networks, including Ethereum, Solana, Cardano, and IOST, have not completed PQC migrations and remain vulnerable to a sufficiently powerful quantum computer.