Is Movement Quantum Safe?

Is Movement quantum safe? That question matters more than most MOVE holders realise. Movement Network is built on the Move virtual machine and inherits signing schemes that, like virtually every major L1 and L2 launched before 2024, rely on elliptic-curve cryptography — a family of algorithms that sufficiently powerful quantum computers could break. This article dissects the exact cryptographic primitives Movement uses, explains what quantum exposure means in practice, reviews any migration roadmap the project has published, and compares how lattice-based post-quantum wallets address the threat that standard Move wallets cannot.

What Cryptography Does Movement Network Use?

Movement Network is a Layer 2 ecosystem built around the Move programming language, originally developed at Meta for the Diem project and subsequently adopted by Aptos and Sui. The network settles on Ethereum but executes transactions in a Move-native environment.

Signing Schemes in the Move Ecosystem

The core signing infrastructure across Move-based chains relies on two elliptic-curve schemes:

Movement Network, bridging Move execution with Ethereum settlement, exposes users to both schemes depending on which wallet and which interaction layer they use. A user signing a native Move transaction uses Ed25519. A user interacting through an Ethereum-compatible interface, or moving assets across the canonical bridge, is almost certainly signing with secp256k1 ECDSA.

Why This Matters for Quantum Security

Both Ed25519 and ECDSA derive their security from the discrete logarithm problem on elliptic curves. A classical computer cannot solve this in any reasonable timeframe for the key sizes in use. A cryptographically relevant quantum computer (CRQC) running Shor's algorithm can solve it in polynomial time.

The practical implication: once a CRQC of sufficient qubit scale exists, an attacker can derive a private key from any exposed public key. On blockchains, your public key is exposed the moment you sign a transaction, meaning every wallet that has ever signed on-chain is retroactively vulnerable.

---

Understanding Q-Day and the ECDSA / EdDSA Threat Model

"Q-day" is the colloquial term for the point at which a quantum computer becomes capable of breaking ECDSA or EdDSA at Bitcoin / Ethereum key sizes (256-bit elliptic curves) within a threat-relevant timeframe, typically hours to days.

Current State of Quantum Hardware

| Metric | Classical Threat Threshold | Current Best (2024) | Gap |
|---|---|---|---|
| Logical qubits needed to break secp256k1 | ~2,000–4,000 (error-corrected) | ~1,000–2,000 (noisy physical) | Large but closing |
| Error correction overhead (surface codes) | ~1,000 physical per logical | Active research | 100x–1,000x physical qubits needed |
| Time to break 256-bit EC key (post-CRQC) | Hours–days | Not yet achievable | Unknown timeline |

Sources: NIST IR 8413, IBM Quantum roadmaps, academic estimates (Webber et al. 2022).

The consensus among cryptographers is that a CRQC capable of breaking 256-bit elliptic curves requires millions of physical qubits with low error rates. Current hardware sits in the hundreds to low thousands of noisy qubits. The timeline is genuinely uncertain, with credible analyst estimates ranging from 2030 to beyond 2040. What is not uncertain is the harvest now, decrypt later threat model: adversaries can record encrypted or signed data today and decrypt it once CRQC capability exists.

How Harvest-Now-Decrypt-Later Applies to Blockchains

Blockchain data is permanently public. Every transaction Movement Network has ever processed is on-chain and accessible to anyone. An attacker with future CRQC access does not need to intercept anything in real time. They simply:

  1. Record all on-chain public keys and signatures (trivially easy — the data is public).
  2. Wait until CRQC hardware is available.
  3. Run Shor's algorithm against the recorded public keys.
  4. Derive private keys and drain the corresponding wallets.

Wallets that have never signed a transaction have some protection because the public key is not yet exposed. But the moment a user sends any transaction, their public key is permanently on-chain.
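The exposure distinction above can be checked for a set of addresses you hold. The following is an added example, not code from Movement or from the original article. It assumes Aptos-style address derivation (SHA3-256 over the Ed25519 public key plus a scheme byte of 0x00); the transaction field names `sender` and `public_key` are hypothetical and the keys are constructed sample values.

```python
import hashlib

ED25519_SCHEME = 0x00  # assumed Aptos-style scheme byte for single-key Ed25519

def address_from_pubkey(pubkey: bytes, scheme: int = ED25519_SCHEME) -> str:
    """Assumed derivation: SHA3-256(pubkey || scheme byte), hex-encoded."""
    return "0x" + hashlib.sha3_256(pubkey + bytes([scheme])).hexdigest()

def classify_exposure(watched, transactions):
    """Map each watched address to 'hash-only', 'exposed' or 'exposed-rotated'.

    transactions: iterable of dicts with 'sender' and 'public_key' (hex),
    i.e. the fields a signed transaction reveals to every observer.
    """
    status = {addr: "hash-only" for addr in watched}
    for tx in transactions:
        sender = tx["sender"]
        if sender not in status:
            continue
        pubkey = bytes.fromhex(tx["public_key"])
        if address_from_pubkey(pubkey) == sender:
            status[sender] = "exposed"
        else:
            # The key does not hash to the address: the account rotated keys,
            # but the key that signed this transaction is still public.
            status[sender] = "exposed-rotated"
    return status

# Constructed sample data: 32-byte values that are not real account keys.
KEY_A, KEY_B, KEY_C = (bytes([n]) * 32 for n in (1, 2, 3))
ADDR_A = address_from_pubkey(KEY_A)   # has signed with its original key
ADDR_B = address_from_pubkey(KEY_B)   # funded, never signed
ADDR_C = address_from_pubkey(KEY_C)   # signed after rotating to another key
SAMPLE_TXS = [
    {"sender": ADDR_A, "public_key": KEY_A.hex()},
    {"sender": ADDR_C, "public_key": (bytes([9]) * 32).hex()},
]

def run_sample():
    return classify_exposure([ADDR_A, ADDR_B, ADDR_C], SAMPLE_TXS)

if __name__ == "__main__":
    for addr, state in run_sample().items():
        print(addr[:14] + "...", state)
```

An address in the `hash-only` state has published only a hash of its key, which is the partial protection the paragraph describes; either `exposed` state means a public key for that account is permanently recorded.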

---

Does Movement Network Have a Post-Quantum Migration Plan?

As of mid-2025, Movement Network has not published a formal post-quantum cryptography (PQC) migration roadmap in its public documentation or research blogs. This is not unique to Movement — the overwhelming majority of L1 and L2 projects are in the same position.

What a PQC Migration Would Require for a Move-Based Chain

Migrating a production blockchain to post-quantum cryptography is non-trivial. The required steps would include:

- CRYSTALS-Dilithium (ML-DSA) — lattice-based digital signatures, NIST FIPS 204.

- FALCON — compact lattice-based signatures, NIST FIPS 206.

- SPHINCS+ (SLH-DSA) — hash-based signatures, NIST FIPS 205.

The Move account model's native support for key rotation is genuinely more PQC-friendly than Bitcoin or Ethereum's current architecture. But "friendly to eventual migration" is not the same as "quantum safe now."

Ethereum's Own PQC Timeline

Because Movement settles on Ethereum, its security is partially bounded by Ethereum's own quantum posture. The Ethereum Foundation has acknowledged PQC migration as a long-term roadmap item. Vitalik Buterin has written about a hard fork path that would involve adopting STARKs (which are already quantum-resistant for zero-knowledge proofs) and replacing ECDSA account signing with lattice-based alternatives. However, no firm EIP has been finalized for production deployment.

---

Post-Quantum Cryptography: How Lattice-Based Schemes Work

Understanding why lattice-based cryptography resists quantum attack requires a brief comparison with what it replaces.

Elliptic-Curve Security vs. Lattice Security

ECDSA / EdDSA security rests on the assumed hardness of the elliptic-curve discrete logarithm problem (ECDLP). Shor's algorithm solves ECDLP efficiently on a CRQC.

Lattice-based cryptography (e.g., CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for signatures) derives security from the Learning With Errors (LWE) problem and related variants like Module-LWE (MLWE). The best known quantum algorithms, including Shor's, provide no meaningful speedup against LWE-hard problems at current parameter sizes. This is why NIST selected lattice-based algorithms as primary PQC standards in 2024.

Key Properties of NIST PQC Standards Relevant to Blockchain

| Algorithm | Type | Signature Size | Key Size | Quantum Resistant |
|---|---|---|---|---|
| Ed25519 (current) | EdDSA / EC | 64 bytes | 32 bytes | No |
| secp256k1 ECDSA (current) | EC | ~71 bytes | 32 bytes | No |
| ML-DSA / Dilithium3 | Lattice | 3,293 bytes | 1,952 bytes | Yes |
| FALCON-512 | Lattice | 666 bytes | 897 bytes | Yes |
| SLH-DSA / SPHINCS+-128 | Hash-based | 7,856 bytes | 32 bytes | Yes |

The primary practical challenge is signature and key size inflation. Lattice-based signatures are 10–100x larger than ECDSA signatures. For a high-throughput chain like Movement, which targets fast finality and low fees, larger signatures create real engineering trade-offs around block size, gas costs, and network bandwidth.

FALCON offers the best balance of signature compactness and quantum resistance among the NIST finalists, which is why it is considered the most blockchain-compatible lattice scheme. Even so, it is roughly 10x the size of an Ed25519 signature.

---

What This Means for MOVE Token Holders Today

Practical risk assessment for current MOVE holders breaks down by time horizon and threat model:

Short-term (0–5 years): Q-day is highly unlikely within this window based on current hardware trajectories. The primary risk is reputational and speculative, not operational. If credible CRQC timelines compress, market pricing of ECDSA-dependent assets could shift.

Medium-term (5–15 years): The harvest-now-decrypt-later risk becomes operationally significant. Wallets that have ever signed a Movement transaction have permanently exposed public keys on a public ledger. If CRQC hardware exists within this window, those keys are vulnerable.

Long-term (15+ years): Any chain that has not completed a PQC migration faces existential security risk to user funds. Migration complexity increases the longer it is deferred, because more accounts, more smart contracts, and more bridge infrastructure must be upgraded simultaneously.

Practical Steps for Risk-Aware MOVE Holders

  1. Monitor Movement's official channels for any PQC working group announcements or EIP-equivalent proposals.
  2. Minimise on-chain exposure of high-value signing keys where possible. Wallets that have never signed transactions keep their public keys off-chain.
  3. Evaluate purpose-built PQC wallets. Projects like BMIC.ai are building quantum-resistant wallet infrastructure using NIST PQC-aligned lattice-based cryptography specifically to address the gap that standard Move, Ethereum, and Bitcoin wallets leave open.
  4. Diversify signing infrastructure. Do not assume a single wallet or chain will solve PQC migration on a convenient timeline.

---

Comparing Movement's Quantum Posture to Other Major Chains

| Chain | Primary Signing Scheme | PQC Standard | Active Migration Plan |
|---|---|---|---|
| Bitcoin | secp256k1 ECDSA | None | No formal roadmap |
| Ethereum | secp256k1 ECDSA | None (STARK research ongoing) | Conceptual only |
| Aptos (Move) | Ed25519 | None | No formal roadmap |
| Sui (Move) | Ed25519 + secp256k1 | None | No formal roadmap |
| Movement Network | Ed25519 + secp256k1 | None | No formal roadmap |
| Algorand | Ed25519 | State proofs (partial) | Partial — state proofs are PQC |
| QRL | XMSS (hash-based) | NIST-aligned | Built-in from genesis |

Movement sits in the same position as the vast majority of the industry: modern, performant, and entirely reliant on elliptic-curve cryptography with no active PQC migration path. Algorand is a partial exception through its state proof system. QRL was purpose-built for quantum resistance from launch, accepting the performance trade-offs that entails.

---

The Broader Takeaway: Ecosystem Readiness Is the Real Risk

The honest assessment is that no major general-purpose smart contract platform is quantum safe today, and Movement is no exception. The question is not whether Movement is uniquely vulnerable; it is whether the ecosystem as a whole, including wallets, bridges, validators, and settlement layers, will complete PQC migrations before CRQC hardware becomes operationally threatening.

Given the 5–15 year threat window most credible researchers cite, the window for orderly migration exists. The risk is that blockchain governance moves slowly, that coordinating hard forks across validators, wallets, DeFi protocols, and bridge operators is genuinely difficult, and that the economic incentives to act early are weaker than the incentives to defer.

Holders and developers who understand this now have the advantage of time to position themselves accordingly.

Frequently Asked Questions

Is Movement Network (MOVE) quantum safe?

No. Movement Network relies on Ed25519 and secp256k1 ECDSA for transaction signing, both of which are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. Movement has not published a post-quantum cryptography migration roadmap as of mid-2025.

What is Q-day and why does it matter for MOVE holders?

Q-day refers to the point at which a cryptographically relevant quantum computer can break elliptic-curve cryptography, such as ECDSA or EdDSA, within a practically useful timeframe. For MOVE holders, this means any wallet that has signed a transaction has its public key permanently on-chain, and that key could be used to derive the private key once CRQC hardware exists.

Could Movement migrate to post-quantum cryptography in the future?

In principle yes. The Move account model natively supports key rotation, which is an architectural advantage over Bitcoin's UTXO model. A migration would require the Move VM to support NIST PQC algorithms such as ML-DSA (Dilithium) or FALCON, plus coordinated upgrades to wallets, validators, and bridge contracts. No formal plan exists yet.

Which NIST post-quantum algorithms are most relevant for blockchain signing?

FALCON-512 is generally considered the most blockchain-compatible NIST PQC signature standard because it offers the smallest signature size among lattice-based options at 666 bytes, compared to over 3,000 bytes for ML-DSA (Dilithium3). SPHINCS+ is hash-based and quantum-resistant but produces very large signatures. All three are now NIST-standardised.

Is the harvest-now-decrypt-later attack relevant to Movement Network?

Yes. Because Movement's transaction history is permanently public, an adversary can record all on-chain public keys today and attempt to derive private keys once CRQC hardware is available. This makes wallets that have already signed transactions retroactively vulnerable, even if the actual CRQC capability is years away.

Are any blockchain platforms already quantum safe?

Very few. QRL was purpose-built with XMSS hash-based signatures from genesis. Algorand's state proof system provides partial post-quantum properties. No major general-purpose smart contract platform including Ethereum, Solana, Aptos, Sui, or Movement has completed a full PQC migration as of mid-2025.