Is Monero Quantum Safe?

Is Monero quantum safe? It is one of the most important security questions facing XMR holders as quantum computing hardware accelerates toward cryptographically relevant thresholds. Monero is widely regarded as the gold standard of on-chain privacy, but privacy and quantum resistance are separate properties. This article breaks down the exact cryptographic primitives Monero relies on, maps each one to a specific quantum attack vector, examines what a "Q-day" scenario would mean for XMR balances and transaction unlinkability, reviews the state of any migration planning, and explains how lattice-based post-quantum cryptography approaches the problem differently.

What Cryptography Does Monero Actually Use?

Before assessing quantum risk, it is necessary to understand what Monero's protocol is built on. XMR is not a simple ECDSA chain. Its privacy architecture layers several distinct cryptographic constructions, each with a different quantum exposure profile.

Ed25519 for Spend and View Keys

Monero uses Ed25519, an Edwards-curve digital signature scheme built on Curve25519. Every Monero wallet generates a spend key pair and a view key pair, both Ed25519. Ed25519 is an instantiation of EdDSA (Edwards-curve Digital Signature Algorithm) and is considered highly efficient and secure against classical computers. Against a sufficiently powerful quantum computer, however, it shares the same fundamental vulnerability as ECDSA: Shor's algorithm can recover a private key from a public key in polynomial time.

The security of Ed25519 rests on the elliptic-curve discrete logarithm problem (ECDLP). A cryptographically relevant quantum computer (CRQC) running Shor's algorithm would reduce that problem from exponential to polynomial difficulty, making private key recovery from a public key computationally feasible.

Ring Confidential Transactions (RingCT)

Monero signs transactions with ring signatures: originally MLSAG (Multilayered Linkable Spontaneous Anonymous Group) signatures, replaced by CLSAG (Compact Linkable Spontaneous Anonymous Group) in 2020. Both constructions rely on elliptic-curve mathematics over the same Curve25519 / Ed25519 group.

Ring signatures obscure the true signer among a set of decoys, providing sender anonymity. The linkability property, which prevents double-spends, is enforced by a key image derived from the private spend key using an elliptic-curve hash-to-point function. A quantum adversary able to solve ECDLP could, in principle, derive the private key and thus forge key images or identify the real signer.

Pedersen Commitments and Bulletproofs

Amounts in Monero are hidden using Pedersen commitments, a homomorphic commitment scheme. Range proofs use Bulletproofs+ (upgraded from Bulletproofs in 2022), which are based on the discrete logarithm assumption over elliptic curves rather than on any lattice or hash-based assumption.

Pedersen commitments and Bulletproofs do not directly expose private keys, but their security guarantee also collapses if ECDLP becomes tractable. An attacker who can solve ECDLP could potentially open commitments to arbitrary values, breaking amount confidentiality.

Stealth Addresses

Monero uses a dual-key stealth address protocol. The sender derives a one-time public key for each transaction using the recipient's public view key and a random scalar, combined with elliptic-curve Diffie-Hellman (ECDH). The security of ECDH over Curve25519 is again reducible to ECDLP, which Shor's algorithm attacks.

---

What Would Q-Day Mean for XMR Holders?

Q-day refers to the point at which a quantum computer reaches the scale and error-correction fidelity needed to run Shor's algorithm against real-world elliptic-curve key sizes (currently 256-bit). Current expert timelines vary widely, from 10 to 30 years in mainstream assessments, though some research groups point to earlier windows if error correction advances faster than expected.

For Monero holders, the threat model breaks down into two categories:

Threat to Funds at Rest

Unlike Bitcoin's UTXO model, Monero does not publish raw public keys on-chain for most transactions. The one-time stealth addresses mean each output has a unique public key that is not derived in a way immediately linkable to the master spend key from chain data alone. This provides a marginal additional layer of obfuscation compared to Bitcoin.

However, the view key is shared in some contexts (with auditors, exchanges, or compliance tools), and the spend key's public component is embedded in the key image derivation. A sufficiently advanced quantum adversary with full chain data and a CRQC could work backward through the ECDH derivation to identify output ownership and attempt key recovery.

Threat to Transaction Unlinkability

The ring signature construction is where Monero's quantum exposure is arguably most significant for its core value proposition. If an attacker can recover private keys from public keys, they can:

  1. Identify the true signer within any ring by verifying which ring member's private key produces the observed key image.
  2. De-anonymise the sender retroactively across all historical transactions stored on the blockchain.
  3. Link sender to receiver chains across the entire ledger.

This is a "harvest now, decrypt later" threat. Nation-state adversaries or well-resourced actors may already be archiving Monero's public blockchain data, waiting for quantum hardware to mature. Once a CRQC exists, stored transactions become fully traceable, even if they were broadcast years earlier.

Threat to Bulletproofs and Amount Privacy

If elliptic-curve discrete logarithm assumptions break, Bulletproofs+ range proofs become forgeable in principle. An attacker could construct transactions that commit to amounts not matching the actual values, potentially enabling inflation of XMR supply without detection. This is a severe systemic risk that goes beyond individual wallet compromise.
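The two attack steps above (checking which ring member's key reproduces a published key image, and opening a Pedersen commitment to a different value so that the balance check still passes) depend on nothing but the hardness of the discrete logarithm. The following is an added example, not Monero's code and not from the original article: it uses a toy prime-order group in place of Ed25519 and a brute-force search in place of Shor's algorithm, and the group parameters, the hash-to-point map and every key and amount value are constructed for illustration.

```python
# Toy model constructed for this article, not Monero's code: a prime-order
# subgroup of Z_p^* stands in for the Ed25519 group, and a brute-force search
# stands in for Shor's algorithm. Only the cost of dlog() differs between the
# two worlds; what an attacker can do once it is cheap is identical.
import math

P, Q, G = 1019, 509, 4      # safe prime, prime subgroup order, subgroup generator
H = pow(G, 327, P)          # Pedersen second generator; its log (327) is meant to be unknown


def dlog(target: int, base: int = G) -> int:
    """Discrete-log oracle: exponential here, polynomial for a CRQC running Shor."""
    acc = 1
    for x in range(Q):
        if acc == target:
            return x
        acc = acc * base % P
    raise ValueError("element not in the subgroup")


# --- Ring signature linkability: key image I = Hp(P)^x -----------------------
def hash_to_point(pub: int) -> int:
    """Toy Hp(): deterministic map from a public key to a subgroup element."""
    return pow(G, pub * pub % Q or 1, P)


def key_image(priv: int, pub: int) -> int:
    """Published with every spend; classically it reveals nothing about which P produced it."""
    return pow(hash_to_point(pub), priv, P)


def identify_signer(ring, image: int) -> int:
    """With dlog(), test which ring member's recovered key reproduces the key image."""
    for idx, pub in enumerate(ring):
        if key_image(dlog(pub), pub) == image:
            return idx
    return -1


# --- Pedersen commitments: C = G^v * H^r --------------------------------------
def commit(value: int, blind: int) -> int:
    return pow(G, value, P) * pow(H, blind, P) % P


def forge_opening(value: int, blind: int, new_value: int) -> int:
    """Binding rests on log_G(H) being unknown. With dlog() it is not: return a blind r'
    such that commit(new_value, r') == commit(value, blind)."""
    s = dlog(H)
    return (blind + (value - new_value) * pow(s, -1, Q)) % Q


def balances(inputs, outputs) -> bool:
    """RingCT-style check: input and output commitments must multiply to the same element."""
    return math.prod(inputs) % P == math.prod(outputs) % P
```

With the forged opening, a transaction whose outputs sum to far more than its inputs still passes balances(), which is the supply-inflation risk described above.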

---

How Does Monero's Exposure Compare to Bitcoin and Ethereum?

| Property | Bitcoin (ECDSA/secp256k1) | Ethereum (ECDSA/secp256k1) | Monero (Ed25519/RingCT) |
|---|---|---|---|
| Key algorithm | ECDSA | ECDSA | EdDSA (Ed25519) |
| Quantum attack vector | Shor's on ECDLP | Shor's on ECDLP | Shor's on ECDLP |
| Public keys exposed on-chain | Yes (in P2PK/reuse cases) | Yes (from tx signatures) | Partially obscured via stealth addresses |
| Privacy layer quantum-safe? | N/A | N/A | No (RingCT uses ECC) |
| Amount hiding quantum-safe? | N/A | N/A | No (Pedersen/Bulletproofs use ECC) |
| NIST PQC migration plan | None official | None official | None official |
| Harvest-now-decrypt-later risk | High | High | High + privacy collapse risk |

The key distinction is that Monero carries an additional dimension of risk: its entire privacy model, not just fund security, is threatened by Q-day. Bitcoin holders primarily face the risk of funds being stolen; Monero holders face the additional risk of complete transaction history de-anonymisation.

---

Does Monero Have a Post-Quantum Migration Plan?

As of mid-2025, the Monero Research Lab (MRL) has no finalised post-quantum migration roadmap. Several relevant research threads exist:

The fundamental difficulty is that post-quantum signature schemes tend to have significantly larger key and signature sizes. For a chain like Monero, which already generates comparatively large transactions due to ring signatures and range proofs, integrating constructions like CRYSTALS-Dilithium (NIST PQC standard, lattice-based) or SPHINCS+ (hash-based) would materially increase blockchain size and transaction fees. These are engineering trade-offs the community has not yet resolved.

---

What Are Lattice-Based Post-Quantum Alternatives?

NIST completed its Post-Quantum Cryptography standardisation process in 2024, selecting the following primary algorithms:

These algorithms derive their security from mathematical problems believed to be resistant to both classical and quantum attacks. The hardness assumptions, specifically the Learning With Errors (LWE) problem and Short Integer Solution (SIS) problem for lattice schemes, are not known to be efficiently solvable by Shor's algorithm or any other known quantum algorithm.

A wallet architecture built on these NIST-standardised primitives would remain secure even after a CRQC becomes operational. This is the approach taken by purpose-built post-quantum crypto projects. BMIC.ai, for example, has built its wallet and token infrastructure from the ground up using lattice-based, NIST PQC-aligned cryptography, specifically to address the Q-day threat that projects like Monero have not yet resolved. Its presale is currently live at bmic.ai/presale for those seeking quantum-resistant exposure.

---

Practical Steps for XMR Holders Concerned About Quantum Risk

Given the current state of affairs, XMR holders who take quantum risk seriously have limited but meaningful options:

  1. Monitor Monero Research Lab output. The MRL GitHub and the Monero community forums are the authoritative sources for any protocol-level post-quantum research. Subscribe to release announcements and research papers.
  2. Avoid key reuse. While not a quantum countermeasure per se, using a fresh wallet address for each deposit reduces the surface area of publicly linked keys.
  3. Understand the harvest-now threat. Treat any Monero transaction broadcast today as potentially readable in a post-quantum world. If transaction-level privacy over a 20-30 year horizon is critical to your threat model, factor that in.
  4. Diversify cryptographic exposure. Holding assets across wallet architectures with different cryptographic assumptions reduces single-point-of-failure risk at the protocol level.
  5. Watch NIST PQC adoption across wallets. As hardware wallets and software wallets begin integrating ML-DSA and ML-KEM, that infrastructure will provide a more concrete migration path for users.
  6. Track quantum hardware milestones. IBM, Google, and IonQ publish regular roadmaps. When fault-tolerant logical qubit counts approach the thousands required for Shor's algorithm at 256-bit key sizes, timelines will compress rapidly.

---

Summary: The Honest Assessment

Monero is not quantum safe in its current form. Every cryptographic primitive it relies upon (Ed25519 signatures, ECDH-based stealth addresses, elliptic-curve ring signatures, and Bulletproofs+ range proofs) is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. The Q-day threat is not imminent in 2025, but it is not theoretical either. Hardware is advancing, and the irreversibility of blockchain data means that the harvest-now-decrypt-later attack is already possible for any adversary with the motivation to archive chain data.

What makes Monero's exposure distinct from Bitcoin or Ethereum is that Q-day would not only threaten funds but would retroactively unwind the privacy guarantees that are Monero's entire value proposition. That is a materially different risk profile and one that the project has not yet produced a concrete plan to address.

Quantum risk should be part of every serious holder's evaluation of any cryptocurrency. For XMR specifically, the honest answer is: quantum safe, no. Quantum threat imminent, not yet. Migration plan, undetermined.

Frequently Asked Questions

Is Monero quantum safe right now?

No. Monero's core cryptographic primitives, including Ed25519 signatures, ECDH stealth addresses, CLSAG ring signatures, and Bulletproofs+ range proofs, all rely on elliptic-curve discrete logarithm hardness. Shor's algorithm, running on a cryptographically relevant quantum computer, would break this assumption. Monero is not quantum safe in its current protocol design.

Does Monero's privacy protect it from quantum attacks better than Bitcoin?

Partially and temporarily. Monero's stealth address system means raw public keys are less directly exposed on-chain compared to some Bitcoin address types. However, this provides obfuscation rather than quantum resistance. The underlying elliptic-curve cryptography is equally vulnerable to Shor's algorithm. Worse, a quantum attack on Monero would also collapse its privacy model, de-anonymising transaction history, which is a risk Bitcoin does not face in the same way.

What is the harvest-now-decrypt-later threat for Monero?

Harvest-now-decrypt-later refers to the practice of recording encrypted or obfuscated data today and decrypting it once sufficient quantum computing capability is available. For Monero, this means adversaries could archive the public blockchain now and, when a cryptographically relevant quantum computer exists, use Shor's algorithm to de-anonymise historical transactions and identify true senders within ring signature sets.

Is Monero planning to upgrade to post-quantum cryptography?

As of mid-2025, there is no finalised post-quantum migration plan from the Monero Research Lab. Projects like Seraphis improve the transaction protocol's efficiency and flexibility but do not incorporate NIST PQC-standardised primitives such as CRYSTALS-Dilithium or FALCON. Quantum resistance remains an unresolved long-term research question for the Monero project.

Which NIST post-quantum algorithms would be relevant for a Monero-like system?

For digital signatures, CRYSTALS-Dilithium (ML-DSA) and FALCON (FN-DSA) are the primary NIST-standardised lattice-based candidates that could replace Ed25519 and CLSAG ring signatures. For key exchange used in stealth address derivation, ML-KEM (Kyber) could replace ECDH. The practical challenge for Monero is that these algorithms produce significantly larger keys and signatures, which would substantially increase transaction sizes on an already data-heavy chain.

When could quantum computers realistically break Monero's cryptography?

Expert estimates vary widely. Conservative mainstream assessments place a cryptographically relevant quantum computer, capable of running Shor's algorithm against 256-bit elliptic curves, at 10 to 30 years away. Some researchers argue progress in error correction could compress that timeline. The uncertainty itself is a risk factor: hardware milestones have historically surprised both optimists and pessimists, and the irreversibility of blockchain transaction history means that preparation is advisable well before any confirmed threshold is reached.