Is Irys Quantum Safe?
Is Irys quantum safe? It is a question every serious IRYS holder should be asking, because the answer determines whether holdings could be exposed when fault-tolerant quantum computers arrive. This article breaks down the cryptographic primitives Irys currently relies on, explains exactly how ECDSA and EdDSA signatures fail under quantum attack, maps out what a realistic Q-day scenario looks like for on-chain assets, and compares the migration paths that layer-1 and layer-2 networks are exploring. By the end, you will have a clear analyst-level view of the risk.
What Cryptography Does Irys Actually Use?
Irys (formerly Bundlr Network) is a programmable datachain built on top of Arweave's permanent storage layer, with its own execution environment and a native IRYS token. Understanding its quantum exposure starts with identifying the signature schemes in its stack.
Secp256k1 and EdDSA in the Irys Stack
Irys inherits a dual-signature architecture because it is designed for multi-chain interoperability. At the protocol level it accepts transactions signed with:
- Secp256k1 / ECDSA — the same elliptic curve used by Bitcoin and Ethereum. Wallets from those ecosystems can sign Irys transactions natively.
- Ed25519 / EdDSA — the Edwards-curve variant favoured by Solana and Arweave itself. Arweave actually uses 4096-bit RSA by default, but Irys bundles also accept Ed25519-signed items.
- RSA-4096 — used for Arweave-native signing paths that Irys inherits when interacting directly with the Arweave base layer.
This multi-signature support is a feature, not a flaw, but it means IRYS holders and node operators are exposed to *every* quantum vulnerability present across those three schemes.
Why Elliptic Curve Signatures Are Vulnerable
Both ECDSA (secp256k1) and EdDSA (Ed25519) derive their security from the elliptic curve discrete logarithm problem (ECDLP). A classical computer cannot solve ECDLP in polynomial time. Shor's algorithm, running on a sufficiently large fault-tolerant quantum computer, can. The practical consequence:
- A quantum adversary observes a public key (which is visible on-chain the moment a wallet has ever signed a transaction).
- Shor's algorithm derives the corresponding private key from that public key.
- The adversary signs and broadcasts a malicious transaction before the legitimate owner can respond.
The critical nuance is that public keys are exposed at first spend. Any address that has already sent a transaction — meaning the vast majority of active IRYS wallets — has a visible public key. Unused addresses whose public keys have never been broadcast retain some protection, but the moment you interact with the Irys network, that protection is gone.
RSA-4096, used in Arweave-native paths, also falls to Shor's algorithm, though the quantum resources required are larger than for 256-bit elliptic curves. It buys time, not immunity.
---
What Is Q-Day and How Close Is It?
Q-day refers to the threshold at which a quantum computer can run Shor's algorithm against 256-bit elliptic curve keys in a timeframe short enough to be operationally useful for an attacker. Researchers disagree on the timeline, but several estimates are worth mapping:
| Estimate Source | Projected Q-Day Range | Methodology |
|---|---|---|
| NIST PQC programme (2022 standardisation driver) | "Decades away to under 10 years" | Policy-conservative framing |
| Google Quantum AI (2023 roadmap) | Fault-tolerant milestone: late 2020s | Hardware error-correction milestones |
| ODNI / NSA CNSA 2.0 (2022) | Mandates PQC migration by 2030–2035 | Threat-informed policy |
| IBM Quantum roadmap | 100,000-qubit system targeted by 2033 | Physical qubit scaling |
| Academic consensus (e.g., Mosca's theorem) | ~30% probability of Q-day before 2030 | Probabilistic risk modelling |
The honest answer is that no one knows the exact date. What is known is that harvest-now, decrypt-later (HNDL) attacks are already theoretically viable: adversaries can record signed transactions today and break them once quantum hardware matures. Long-lived data stored permanently on Arweave, and the IRYS tokens associated with those wallets, could be at risk from data harvested right now.
---
Is Irys Doing Anything About Quantum Security?
As of the most recent public documentation and roadmap disclosures, Irys has not published a formal post-quantum cryptography migration plan. That is not unique to Irys. The overwhelming majority of blockchain protocols built on secp256k1 or Ed25519 have not yet committed to a concrete PQC timeline.
What Would a Migration Require?
A credible quantum-migration path for a network like Irys would involve at minimum:
- Algorithm selection — choosing from NIST-standardised post-quantum schemes. The 2024 NIST PQC standards include ML-KEM (CRYSTALS-Kyber, for key encapsulation) and ML-DSA (CRYSTALS-Dilithium, for digital signatures). FALCON and SPHINCS+ are also standardised signature options.
- Signature size trade-offs — lattice-based signatures (Dilithium, FALCON) are significantly larger than ECDSA signatures. Dilithium level-3 produces ~3,293-byte signatures versus ~71 bytes for a compact ECDSA signature. For a permanent-storage network like Arweave/Irys, this is a non-trivial cost issue.
- Address migration mechanism — existing wallets would need a migration window in which users move funds to newly generated PQC addresses before the old addresses become vulnerable.
- Arweave base-layer coordination — because Irys settles on Arweave, any deep cryptographic change would require upstream coordination with the Arweave core team.
- Multi-chain signer compatibility — Irys's multi-signature architecture means EVM wallets, Solana wallets, and Arweave wallets would each need separate migration paths.
None of these steps are trivial, and the coordination burden grows with the network's maturity and the amount of value already locked in legacy addresses.
The Arweave RSA Situation
Arweave's choice of RSA-4096 for its native address scheme has sometimes been positioned as "more quantum resistant" than 256-bit elliptic curves because breaking RSA-4096 with Shor's algorithm requires roughly 6,000–8,000 logical qubits (estimates vary), while cracking secp256k1 may require as few as 2,330 logical qubits in optimistic analyses. In practice, both are vulnerable to the same algorithm. RSA-4096 offers a larger safety margin in terms of required quantum hardware, but it is not post-quantum safe. Larger margin is not immunity.
---
ECDSA vs. Post-Quantum Signature Schemes: A Technical Comparison
Understanding what a genuine post-quantum upgrade entails requires comparing the underlying mathematical problems.
| Property | ECDSA (secp256k1) | EdDSA (Ed25519) | ML-DSA / Dilithium | FALCON |
|---|---|---|---|---|
| Security assumption | ECDLP | ECDLP (Edwards curve) | Module Learning With Errors (MLWE) | NTRU lattice (SIS) |
| Broken by Shor's algorithm? | Yes | Yes | No | No |
| Signature size | ~71 bytes | ~64 bytes | ~2,420–3,293 bytes | ~666–1,280 bytes |
| Public key size | 33 bytes (compressed) | 32 bytes | ~1,312–1,952 bytes | ~897–1,793 bytes |
| NIST PQC standardised? | No | No | Yes (FIPS 204, 2024) | Yes (FIPS 206, 2024) |
| Key generation speed | Fast | Fast | Fast | Slower (Gaussian sampling) |
| Suitable for blockchain use? | Current standard | Current standard | Emerging — size overhead challenge | Emerging — smaller than Dilithium |
The Learning With Errors (LWE) problem and its variants are believed to be hard even for quantum computers running Grover's algorithm. Grover's algorithm provides only a quadratic speedup against symmetric and hash-based schemes, meaning a doubling of key/parameter sizes restores classical security levels. Shor's algorithm, by contrast, provides an *exponential* speedup against number-theoretic problems like ECDLP and integer factorisation, which is why the gap between "quantum-resistant" and "not quantum-resistant" is so stark.
---
How Lattice-Based Post-Quantum Wallets Differ From Standard Crypto Wallets
Most hardware and software wallets in use today (Ledger, MetaMask, Phantom, ArConnect) generate key pairs using secp256k1 or Ed25519. The private key secures ECDLP-based operations. A post-quantum wallet built on lattice cryptography works differently at every layer:
Key Generation
Instead of selecting a random integer on an elliptic curve, a lattice-based wallet generates keys from structured lattice problems. For ML-DSA, the private key is a pair of short polynomial vectors; the public key is a matrix-vector product. The relationship is easy to compute forward but, under MLWE hardness assumptions, computationally infeasible to invert even with quantum hardware.
Signing
Lattice signatures use a rejection-sampling procedure to ensure signatures do not leak information about the private key. This is why they are slightly slower to generate than ECDSA but remain practical for on-chain use.
Wallet UX Impact
The larger key and signature sizes mean:
- Seed phrases and derivation paths must be redesigned (BIP-32/BIP-39 was built for elliptic curves).
- Transaction payloads are heavier, increasing fees on networks that charge per byte (directly relevant for Arweave/Irys, which prices storage).
- Hardware wallet secure elements must be updated to support new algorithms.
Projects building natively with post-quantum cryptography from the ground up, rather than retrofitting it, avoid much of this technical debt. BMIC.ai is one example of a project building a quantum-resistant wallet using NIST PQC-aligned, lattice-based cryptography from inception, rather than waiting for legacy infrastructure to migrate.
---
Practical Risk Assessment for IRYS Holders
Framing this as a risk matrix helps prioritise action:
| Scenario | Probability (analyst view) | IRYS Impact |
|---|---|---|
| Q-day arrives before Irys migrates | Low-to-medium (10-year horizon) | High: exposed public keys at risk |
| HNDL attack on archived Arweave/Irys data | Medium (data already harvestable) | Medium: historical transactions compromised |
| Irys announces PQC roadmap pre-Q-day | Medium | Mitigates long-term risk significantly |
| No migration; Irys forks to new PQC addresses | Low (disruptive) | Moderate: holders must act in migration window |
| Q-day delayed beyond 2040 | Medium-high (based on current hardware curves) | Low near-term risk, allows gradual migration |
The asymmetry here is important. The cost of preparing for Q-day is moderate and mostly logistical. The cost of *not* preparing, if quantum timelines accelerate, is potentially total loss of cryptographic security for any address that has signed a transaction.
---
What Should IRYS Holders Do Now?
Concrete steps an IRYS holder can take within the constraints of current infrastructure:
- Minimise reuse of signed addresses. Every transaction you sign exposes your public key. Using fresh addresses for receiving reduces your attack surface, though this is imperfect given current wallet tooling.
- Monitor Arweave and Irys governance channels for any PQC roadmap announcements. The Arweave core team's position will be the upstream determinant.
- Diversify custody models. Cold storage in a hardware wallet reduces online attack exposure, even if it does not address the quantum threat directly.
- Track NIST PQC implementation progress in blockchain infrastructure. Ethereum's Ethereum Improvement Proposals (EIPs) around account abstraction and alternative signature schemes are the bellwether for the broader EVM ecosystem that Irys interacts with.
- Consider the total quantum exposure of your portfolio. IRYS is not uniquely exposed. Every asset in a secp256k1 or Ed25519 wallet carries the same cryptographic risk profile.
The quantum threat to Irys is real, unmitigated by any current roadmap, and time-sensitive in a "harvest-now" context even if Q-day itself is years away. That is not a reason to panic, but it is a reason to stay informed and diversified.
Frequently Asked Questions
Is Irys (IRYS) quantum safe right now?
No. Irys relies on ECDSA (secp256k1) and EdDSA (Ed25519) signature schemes, both of which are vulnerable to Shor's algorithm running on a sufficiently powerful fault-tolerant quantum computer. As of mid-2025, Irys has not published a formal post-quantum cryptography migration plan.
What cryptographic algorithm does Irys use to secure transactions?
Irys uses secp256k1/ECDSA for Ethereum-compatible signers, Ed25519/EdDSA for Solana and Arweave-compatible signers, and RSA-4096 for native Arweave signing paths. All three are vulnerable to quantum attack via Shor's algorithm, though the quantum hardware resources required differ between schemes.
What is a 'harvest-now, decrypt-later' attack and does it affect IRYS?
A harvest-now, decrypt-later (HNDL) attack means an adversary records signed transactions or public keys today and stores them, planning to break the encryption once quantum hardware matures. Because Arweave permanently stores data and Irys transactions are on-chain, the signed data is already archived and theoretically harvestable. This means the risk is not purely future-dated — it begins the moment a transaction is broadcast.
How does a post-quantum lattice-based signature differ from ECDSA?
ECDSA security rests on the elliptic curve discrete logarithm problem, which Shor's algorithm can solve exponentially faster than classical computers. Lattice-based schemes like CRYSTALS-Dilithium (ML-DSA) rely on the Module Learning With Errors problem, which has no known quantum speedup beyond Grover's quadratic improvement. The trade-off is larger signature and key sizes — Dilithium signatures are roughly 40x larger than compact ECDSA signatures.
What would Irys need to do to become quantum resistant?
A credible migration would require: selecting a NIST-standardised post-quantum signature algorithm (ML-DSA, FALCON, or SPHINCS+); coordinating with the Arweave base layer on protocol-level changes; designing an address migration mechanism so holders can move funds to PQC-secured addresses; updating wallet integrations across EVM, Solana, and Arweave signers; and managing the storage-cost implications of larger lattice-based signatures on a permanent-storage network.
Should I sell IRYS because of the quantum threat?
The quantum threat is a structural long-term risk for all ECDSA/EdDSA-based networks, not a unique IRYS problem. Most major blockchains, including Bitcoin and Ethereum, share the same exposure. The relevant question is whether the protocol migrates before Q-day arrives. Analyst views suggest Q-day is likely at least several years away, but the harvest-now attack vector is live today. Position sizing, custody hygiene, and monitoring protocol governance are more proportionate responses than wholesale divestment.