Is Keep Network Quantum Safe?
Is Keep Network quantum safe? That question is no longer theoretical. Keep Network relies on threshold ECDSA signatures and elliptic-curve cryptography to secure its tBTC bridge and private-data containers. Both primitives are mathematically vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. This article dissects exactly how Keep Network's cryptographic stack is constructed, where the attack surface sits, what a Q-day scenario would mean for KEEP holders and tBTC depositors, whether the protocol has any migration roadmap, and how lattice-based post-quantum alternatives compare.
How Keep Network's Cryptography Actually Works
Keep Network was designed to solve a specific problem: allow private data and off-chain secrets to be managed trustlessly on a public blockchain. Its two flagship products — the Keep protocol itself and the tBTC Bitcoin bridge — both depend on threshold cryptography to eliminate single points of failure.
Threshold ECDSA: The Core Primitive
The backbone of Keep Network is a multi-party computation (MPC) protocol that implements threshold ECDSA (Elliptic Curve Digital Signature Algorithm). In simple terms, a group of signers collectively holds a private key without any single participant ever seeing the whole key. A signing quorum (for example, 3-of-5 nodes) must cooperate to produce a valid signature.
This design is architecturally elegant. It removes custodial trust and enables the tBTC bridge to mint 1:1 Bitcoin-backed tokens on Ethereum without a centralised custodian holding the BTC. The ECDSA operations run over the secp256k1 curve, the same curve used by Bitcoin and Ethereum.
The Random Beacon and BLS Signatures
Keep's random beacon, which provides verifiable randomness for signer selection, uses BLS (Boneh-Lynn-Shacham) signatures over the BN256 pairing-friendly elliptic curve. BLS is valued for its signature aggregation properties and its ability to produce compact threshold signatures. However, BN256 is still an elliptic-curve construction, meaning it shares the same class of quantum vulnerability as secp256k1.
t-ECDSA Wallets and Ethereum Keys
Every Keep node operator runs an Ethereum node and signs on-chain transactions with a standard secp256k1 ECDSA key pair. Operator bonds, rewards, and slashing all flow through these standard Ethereum addresses. This creates a third layer of elliptic-curve dependency layered on top of the protocol-level threshold keys.
---
What Is Q-Day and Why It Matters for KEEP
Q-Day refers to the point in time when quantum computers can run Shor's algorithm at sufficient scale to factor large integers and solve the elliptic-curve discrete logarithm problem (ECDLP) efficiently. Current classical computers cannot break ECDSA in practical time. A cryptographically relevant quantum computer (CRQC) could derive a private key from a public key in polynomial time.
The Elliptic-Curve Discrete Logarithm Exposure
ECDSA security rests entirely on the hardness of the ECDLP. Shor's algorithm reduces this to a tractable computation given enough stable qubits. Estimates for the qubit count required to break secp256k1 range from roughly 2,000 to 4,000 logical qubits (accounting for error correction overhead). IBM, Google, and various national programmes are scaling toward this range, though timelines remain debated. NIST's own post-quantum standardisation documentation acknowledges a credible threat window within 10 to 15 years.
For Keep Network, the exposure is multi-layered:
- tBTC signers' threshold keys: derived via MPC but ultimately rooted in secp256k1.
- Random beacon BLS keys: based on BN256 elliptic curves, vulnerable to quantum ECDLP attacks.
- Node operator Ethereum addresses: standard secp256k1 keys.
- Smart contract interactions: signed with Ethereum's standard ECDSA scheme.
A CRQC capable of attacking secp256k1 would not need to break the MPC protocol directly. It could instead harvest public keys from on-chain data (all public keys are visible on a public blockchain) and derive the corresponding private keys offline, then act as a rogue signer or steal bonded ETH.
The Public-Key Exposure Window
A crucial aggravating factor is that any address that has ever broadcast a transaction has its public key permanently exposed on-chain. This is true for every node operator address on Keep Network. An attacker with a CRQC could retroactively compromise those keys. Addresses that have never signed a transaction expose only the hash of the public key, offering marginally more time, but once a signing event occurs, the window closes and the address is permanently on the quantum attack surface.
---
Does Keep Network Have a Post-Quantum Migration Plan?
As of the latest publicly available information, Keep Network (now operating primarily through the tBTC v2 system and the broader Threshold Network merger with NuCypher) has not published a formal post-quantum cryptography migration roadmap.
Threshold Network's Current Stance
The Threshold Network focuses on MPC-based security models, which are robust against classical adversaries but do not inherently confer quantum resistance. The protocol's security assumptions reference computational hardness of ECDLP. Neither the tBTC technical documentation nor the Threshold DAO governance forum contains a formal proposal for transitioning to NIST-standardised post-quantum algorithms such as CRYSTALS-Kyber (key encapsulation) or CRYSTALS-Dilithium (digital signatures).
This is not unusual. Most DeFi protocols are in a similar position. The Ethereum Foundation itself has a long-term roadmap element called Ethereum's quantum resistance transition, but it is earmarked for a future hard fork, likely after the adoption of EIP-7693 or equivalent proposals. Until Ethereum itself transitions, most protocols built on it inherit the base layer's ECDSA dependency regardless of their own upgrade efforts.
What a Migration Would Require
A post-quantum migration for Keep/Threshold would be technically complex:
- Replace threshold ECDSA with a threshold post-quantum signature scheme. Lattice-based threshold signatures exist in academic literature but have not been deployed at production DeFi scale.
- Replace BLS over BN256 with a quantum-safe equivalent. Hash-based signature schemes (SPHINCS+) or lattice-based schemes could substitute, but signature aggregation properties would need re-engineering.
- Coordinate node operator key rotation. Every operator would need to migrate to new key material without interrupting the liveness of the signing groups.
- Upgrade smart contracts. Solidity contracts verifying ECDSA signatures would need new verification logic, requiring audits, DAO votes, and a coordinated upgrade cycle.
This is a multi-year programme for any major protocol.
---
Comparing Keep Network's Cryptographic Exposure to Post-Quantum Alternatives
The table below provides a side-by-side comparison of the cryptographic primitives in use across Keep/Threshold versus NIST-standardised post-quantum alternatives.
| Primitive | Keep / Threshold Network | NIST PQC Standard Alternative | Quantum Safe? |
|---|---|---|---|
| Signing (base layer) | ECDSA (secp256k1) | CRYSTALS-Dilithium (lattice) | No / Yes |
| Threshold signing | t-ECDSA (MPC) | Threshold Dilithium (research) | No / Partial |
| Randomness / aggregation | BLS over BN256 | SPHINCS+ or Hash-based | No / Yes |
| Key encapsulation | ECDH (implicit) | CRYSTALS-Kyber | No / Yes |
| Node operator keys | secp256k1 ECDSA | Lattice or hash-based | No / Yes |
The picture is clear: the current Keep/Threshold stack is entirely built on elliptic-curve primitives. None of them are quantum safe by the definitions adopted in NIST's 2024 finalised PQC standards.
---
Lattice-Based Post-Quantum Cryptography: How It Differs
Lattice-based cryptography derives its security from the hardness of problems like Learning With Errors (LWE) and Short Integer Solution (SIS). These problems are believed to be resistant to both classical and quantum attacks. Shor's algorithm does not apply, and no quantum algorithm is known to solve LWE efficiently.
Why Lattice Beats Elliptic Curves at Q-Day
- Security foundation: hardness of high-dimensional lattice problems, not discrete logarithms.
- Quantum attack resistance: Grover's algorithm provides only a quadratic speedup against symmetric primitives; lattice problems remain hard even under quantum adversaries.
- NIST endorsement: CRYSTALS-Dilithium (now ML-DSA) and CRYSTALS-Kyber (now ML-KEM) were finalised as standards in August 2024.
- Key and signature sizes: larger than ECDSA keys, but within practical bounds for wallet and transaction use.
Threshold Lattice Signatures: The Frontier
Combining lattice-based signatures with MPC-style threshold constructions is an active research area. Schemes like EAGLE and Raccoon propose threshold variants of lattice signatures. These are not yet production-ready for DeFi, but they represent the credible migration path for protocols like Keep/Threshold that depend on threshold signing as a core architectural feature.
Quantum-Resistant Wallets in Practice
While protocol-layer migration is years away for most DeFi ecosystems, individual holders can act now at the wallet layer. Projects implementing NIST PQC-aligned, lattice-based cryptography, such as BMIC.ai, demonstrate that quantum-resistant key management is achievable today. Protecting the wallet that interacts with protocols like Keep Network is a concrete, available hedge against Q-day risk, even while the underlying protocol remains classically secured.
---
Practical Risk Assessment for KEEP Holders and tBTC Users
Short-Term (0 to 5 Years)
Quantum computers capable of breaking secp256k1 do not exist today. The risk is low in absolute terms. However, harvest now, decrypt later attacks are already plausible: adversaries can record all on-chain public keys and signed transactions today, intending to decrypt them when CRQCs become available. For long-term KEEP node operators with static addresses, this is a non-trivial consideration.
Medium-Term (5 to 15 Years)
This is the credible threat window identified by NIST, ETSI, and various national cybersecurity agencies. If Threshold Network has not migrated its cryptographic stack within this window, tBTC deposits and operator bonds could be at systemic risk. The bridge's MPC model provides no inherent quantum defence.
Mitigation Steps Available Today
- Rotate operator keys regularly to limit the exposure window of any single public key.
- Use fresh addresses for each signing round where protocol architecture permits.
- Monitor NIST and Ethereum Foundation PQC roadmaps and participate in Threshold DAO governance to push for migration planning.
- Diversify custody using quantum-resistant wallet infrastructure for holdings not actively staked.
---
Summary: Key Findings
- Keep Network and the Threshold Network use threshold ECDSA, BLS over BN256, and standard secp256k1 ECDSA. All are quantum-vulnerable.
- There is no published post-quantum migration roadmap for Keep/Threshold as of current documentation.
- A CRQC running Shor's algorithm could derive private keys from harvested on-chain public keys, compromising signer groups and node operator bonds.
- NIST-finalised lattice-based standards (ML-DSA, ML-KEM) offer a credible migration target, but threshold variants remain in early research stages.
- Individual holders can adopt quantum-resistant wallet solutions today while the protocol ecosystem catches up.
Frequently Asked Questions
Is Keep Network quantum safe?
No. Keep Network and its successor Threshold Network rely on threshold ECDSA over secp256k1 and BLS signatures over BN256, both of which are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. Neither primitive meets NIST post-quantum cryptography standards.
What cryptography does Keep Network use?
Keep Network uses threshold ECDSA (multi-party computation over the secp256k1 curve) for its tBTC signing groups and BLS signatures over the BN256 pairing curve for its random beacon. Node operators also use standard Ethereum secp256k1 ECDSA key pairs.
What is Q-day and when could it affect Keep Network?
Q-day is the point when quantum computers running Shor's algorithm can break elliptic-curve cryptography. NIST and ETSI identify a credible threat window of 10 to 15 years. At that point, any on-chain public key associated with Keep/Threshold node operators or signing groups could be used to derive private keys, enabling theft or rogue signing.
Does Keep Network have a plan to become post-quantum secure?
As of the latest publicly available documentation, Threshold Network has not published a formal post-quantum migration roadmap. A migration would require replacing threshold ECDSA with a lattice-based threshold scheme, upgrading smart contracts, and coordinating a network-wide key rotation, which is a multi-year effort.
What are the NIST post-quantum alternatives to ECDSA?
NIST finalised ML-DSA (based on CRYSTALS-Dilithium) for digital signatures and ML-KEM (based on CRYSTALS-Kyber) for key encapsulation in August 2024. Both are lattice-based and considered resistant to quantum attacks. SPHINCS+, a hash-based signature scheme, was also standardised as a stateless alternative.
Can tBTC deposits be stolen by a quantum computer?
In principle, yes, if a cryptographically relevant quantum computer becomes available before Threshold Network migrates its signing infrastructure. A quantum attacker could derive private keys for signing group members from their on-chain public keys, then forge signatures to redirect or steal Bitcoin held in the bridge. This is a long-term systemic risk, not an immediate threat.