Is Nervos Network Quantum Safe?
Whether Nervos Network is quantum safe is a question that matters more each year as quantum computing hardware edges closer to cryptographically relevant scale. Nervos Network (CKB) is architecturally flexible, running multiple signature schemes under its Cell model — but that flexibility does not automatically translate into quantum resistance. This article dissects the exact cryptographic primitives CKB uses, maps each one to its quantum-attack surface, reviews what migration paths exist, and compares the posture of standard blockchain wallets against lattice-based post-quantum alternatives.
What Cryptography Does Nervos Network Actually Use?
Nervos Network is built around a UTXO-like data model called the Cell model, where every cell contains arbitrary data and a lock script that defines spending conditions. Because lock scripts are programmable, CKB is not permanently bound to a single signature algorithm the way Bitcoin is. In practice, however, most wallets and tooling default to the same schemes that dominate the broader blockchain ecosystem.
Default Signature Schemes on CKB
The primary default lock on Nervos Network is the secp256k1/blake160 sighash-all lock (often written SECP256K1/Blake2b). It uses the same elliptic curve (secp256k1) as Bitcoin and Ethereum, but the cell's lock args do not hold the public key itself: they hold blake160, the first 20 bytes of the Blake2b-256 hash of the compressed public key, and the spending witness carries a 65-byte recoverable ECDSA signature from which the lock script recovers the key. A second widely deployed option is SECP256R1 (NIST P-256), the curve used by passkeys/WebAuthn and by many secure elements. A third option supported natively is Schnorr signatures over secp256k1.
All three rely on the elliptic curve discrete logarithm problem (ECDLP) for their security guarantees. That is the crux of the quantum-safety question.
Where EdDSA Fits In
Nervos also supports EdDSA (specifically Ed25519) through custom lock scripts. EdDSA is based on the Edwards-curve discrete logarithm problem, which is a variant of the same underlying hard problem as ECDSA. It offers better resistance to implementation side-channels and is faster to verify, but it is not quantum resistant. Both ECDSA and EdDSA fall to Shor's algorithm running on a sufficiently powerful quantum computer.
---
The Quantum Threat: Shor's Algorithm Explained
To understand the risk, it helps to be precise about *which* quantum attack applies.
Shor's algorithm, published in 1994, is a quantum algorithm that solves the integer factorisation problem and the discrete logarithm problem in polynomial time. On a classical computer, deriving a private key from a public key on secp256k1 would take longer than the age of the universe using the best-known classical algorithms. On a fault-tolerant quantum computer running Shor's algorithm, the same operation is estimated to take hours to days, depending on qubit count and error-correction overhead.
Harvest Now, Decrypt Later
Even before quantum computers reach that threshold, a passive strategy called "harvest now, decrypt later" (HNDL) is already actionable: adversaries record ciphertext today and decrypt it once quantum hardware matures. For a signature-based system such as a blockchain the analogue is harvest now, recover later. There is nothing to decrypt, but every public key ever revealed in a transaction is permanently on-chain, and at Q-day each one can be turned into its private key. Anyone who has spent from a CKB cell under the default lock has published a recoverable signature, and therefore the public key, and that record is immutable.
Q-Day: What the Timeline Looks Like
Analysts disagree on timing. NIST's post-quantum transition guidance plans to deprecate quantum-vulnerable signature algorithms (ECDSA and EdDSA included) around 2030 and to disallow them after 2035, which amounts to a planning horizon of roughly 10 to 15 years; some IBM and Google roadmap milestones suggest that specific problem types could fall sooner. The term Q-day refers to the moment a CRQC can break 256-bit elliptic curve keys at practical speed. At Q-day, every address whose public key is exposed becomes a potential target.
---
CKB's Quantum Exposure: A Cell-by-Cell Assessment
The programmability of Nervos Network creates a nuanced risk profile. Not all cells carry the same exposure.
| Cell Type | Lock Script | Quantum Exposure |
|---|---|---|
| Default lock cell, spent from at least once | secp256k1/blake160 | **High**: public key recoverable from the on-chain witness |
| Default lock cell, never spent from | secp256k1/blake160 | **Medium**: only the 20-byte key hash is exposed |
| Passkey / secure-element cell | secp256r1 | **High** after first spend |
| Multisig cell (m-of-n ECDSA) | secp256k1 multisig lock | **High**: the public key of every participant who has signed is recoverable |
| Custom PQ lock script | Lattice- or hash-based | **Low**, depending on implementation and audit |
The key insight from this table: cells that have never been spent from carry lower immediate risk because only a hash of the public key is published. Once a cell is spent, the witness carries a 65-byte recoverable signature, and recovering the public key from that signature is exactly how the lock script verifies the spend, so from that moment the key is permanently readable by anyone holding the chain data.
The Hash-Shield Window
Because the default lock stores blake160 of the public key, a cell that has never been spent from benefits from a hash shield: an attacker must first find a public key that hashes to the 20-byte args value, and only then can Shor's algorithm be applied to it. Nothing in Shor's algorithm helps with the first step; the best quantum tool there is Grover's search, which only halves the effective bit security. Note that the shield is 160 bits wide, not 256, so Grover reduces it to roughly 80 bits of work rather than the 128 bits often quoted for a full-length hash: still far out of reach, but thinner than the headline figure. This mirrors Bitcoin's P2PKH dynamic, including its weakness: the shield disappears the moment the spending transaction is broadcast, because the witness is visible in the mempool before the block confirms, so a sufficiently fast attacker has a race window to derive the key and submit a competing spend at a higher fee.
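The following pure-Python sketch is an added illustration, not code from Nervos or from this page. It reproduces the two facts above: before any spend the cell's lock args hold only blake160 of the compressed public key, and the 65-byte recoverable signature in the spending witness lets any observer recover that public key. The private key, the message digest (standing in for the real CKB sighash) and the nonce derivation are constructed for the demo; production signers use RFC 6979 nonces, and the curve arithmetic here is not constant-time.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def blake160(data):
    """CKB's Blake2b-256 with the 'ckb-default-hash' personalization, truncated to 20 bytes."""
    return hashlib.blake2b(data, digest_size=32, person=b"ckb-default-hash").digest()[:20]


def sign_recoverable(priv, digest):
    """Produce the 65-byte [r || s || recid] signature the default CKB lock expects."""
    z = int.from_bytes(digest, "big")
    # Constructed nonce derivation for the demo; production signers must use RFC 6979.
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, "sha256").digest(), "big") % N or 1
    R = ec_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    recid = R[1] & 1  # assumes R.x < N, which fails only with probability ~2^-128
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([recid])


def recover_pubkey(sig65, digest):
    """What the lock script (and any observer) does: rebuild Q from (r, s, recid)."""
    r = int.from_bytes(sig65[:32], "big")
    s = int.from_bytes(sig65[32:64], "big")
    recid = sig65[64]
    z = int.from_bytes(digest, "big")
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt works because P % 4 == 3
    if (y & 1) != recid:
        y = P - y
    R = (r, y)
    # Q = r^-1 * (s*R - z*G)
    Q = ec_mul(pow(r, -1, N), ec_add(ec_mul(s, R), ec_mul((N - z) % N, G)))
    return compress(Q)


def exposure_demo():
    """Walk one cell from 'unspent' (hash only on-chain) to 'spent' (public key recoverable)."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key - never use").digest(), "big") % N
    pub = compress(ec_mul(priv, G))
    lock_args = blake160(pub)                        # all that is on-chain before the first spend
    digest = hashlib.sha256(b"constructed stand-in for the CKB sighash").digest()
    witness = sign_recoverable(priv, digest)         # what the spending transaction publishes
    recovered = recover_pubkey(witness, digest)      # no private knowledge needed for this step
    return {
        "args_len": len(lock_args),
        "witness_len": len(witness),
        "pubkey_in_args": pub in lock_args,
        "recovered_equals_pubkey": recovered == pub,
        "recovered_matches_hash": blake160(recovered) == lock_args,
    }
```

`exposure_demo()` returns the before/after picture: 20 bytes of hash in the args, a 65-byte witness after the spend, and a recovered key that equals the original and hashes to the args. A harvesting adversary needs nothing beyond `recover_pubkey` and the chain data; Shor's algorithm is only the final step applied to its output.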
---
Does Nervos Network Have a Quantum Migration Plan?
As of the time of writing, Nervos Network does not have a formally published, protocol-level quantum migration roadmap comparable to, for example, Ethereum's stated intention to explore post-quantum signature schemes via EIP processes.
What CKB's Architecture Makes Possible
The Cell model's programmability is genuinely useful here. Because lock scripts are arbitrary programs, a developer can deploy a post-quantum lock script without a hard fork. In principle:
- A developer writes a lock script implementing a NIST PQC algorithm (e.g., ML-DSA/Dilithium or FN-DSA/FALCON for lattice-based signatures, or hash-based SLH-DSA/SPHINCS+).
- The compiled RISC-V binary is placed in the data field of a cell, and transactions that use it reference that cell through cell_deps (by data hash, or by type ID if the code is meant to be upgradeable).
- Users migrate funds by spending from their old ECDSA cells into new cells whose lock script points at the PQ code and whose args commit to a PQ public key.
This is meaningfully more migration-friendly than Bitcoin, which would require a consensus-level soft fork to add a new address type.
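To make the migration concrete, here is an added example, not a Nervos system script and not code from this page, of the smallest possible custom PQ lock: a Lamport one-time signature over Blake2b, checked the way a CKB lock script would check it. The new cell's args hold blake160 of the public key, and the witness carries the public key followed by the signature. The seed and the two digests are constructed; a production lock would use SLH-DSA or ML-DSA and a verifier compiled to RISC-V for CKB-VM. The example also measures the size cost that the later section on signature sizes discusses, and the one-time-use hazard: signing two different digests with the same key publishes both preimages at every bit position where the digests differ.

```python
import hashlib


def H(data):
    """Blake2b-256 with CKB's personalization; the only primitive this lock relies on."""
    return hashlib.blake2b(data, digest_size=32, person=b"ckb-default-hash").digest()


def blake160(data):
    return H(data)[:20]


def lamport_keygen(seed):
    """256 bit positions x 2 secret preimages each; the public key is the hashes of those preimages."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)] for i in range(256)]
    pk = b"".join(H(x) for pair in sk for x in pair)  # 256 * 2 * 32 = 16384 bytes
    return sk, pk


def lamport_sign(sk, digest):
    """Reveal, for each bit of the digest, the preimage matching that bit value (8192 bytes)."""
    bits = int.from_bytes(digest, "big")
    return b"".join(sk[i][(bits >> (255 - i)) & 1] for i in range(256))


def lamport_verify(pk, digest, sig):
    if len(pk) != 16384 or len(sig) != 8192:
        return False
    bits = int.from_bytes(digest, "big")
    for i in range(256):
        b = (bits >> (255 - i)) & 1
        expected = pk[(2 * i + b) * 32:(2 * i + b + 1) * 32]
        if H(sig[i * 32:(i + 1) * 32]) != expected:
            return False
    return True


def pq_lock_check(lock_args, witness, digest):
    """Model of the lock script: witness = pubkey || signature, and args must commit to pubkey."""
    pk, sig = witness[:16384], witness[16384:]
    if blake160(pk) != lock_args:  # wrong key for this cell
        return False
    return lamport_verify(pk, digest, sig)


def migrate_and_spend_demo():
    """Old ECDSA cell -> new hash-based cell -> one valid spend, plus the key-reuse hazard."""
    seed = hashlib.sha256(b"constructed seed - never use").digest()
    sk, pk = lamport_keygen(seed)
    new_cell_args = blake160(pk)  # 20-byte args, the same size as the ECDSA default lock
    digest1 = hashlib.sha256(b"constructed sighash for the first spend").digest()
    digest2 = hashlib.sha256(b"constructed sighash for a second, forbidden spend").digest()
    witness1 = pk + lamport_sign(sk, digest1)
    valid = pq_lock_check(new_cell_args, witness1, digest1)
    replayed = pq_lock_check(new_cell_args, witness1, digest2)  # signature does not cover digest2
    # Reuse hazard: if digest2 were also signed, every position where the digests differ
    # would have both preimages public, so count those positions.
    b1, b2 = int.from_bytes(digest1, "big"), int.from_bytes(digest2, "big")
    fully_exposed = sum(((b1 ^ b2) >> i) & 1 for i in range(256))
    return {
        "args_len": len(new_cell_args),
        "pubkey_len": len(pk),
        "witness_len": len(witness1),
        "valid_spend": valid,
        "replayed_to_other_digest": replayed,
        "positions_fully_exposed_after_two_signatures": fully_exposed,
    }
```

The witness here is 24,576 bytes against 65 for the default lock, which is the storage-and-fee constraint in concrete terms, and the exposure count (about half of the 256 positions for two unrelated digests) is why a Lamport cell must be treated as spend once, migrate. Standardised hash-based schemes such as SLH-DSA build many-time signatures on top of one-time primitives precisely to remove that operational footgun.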
What Is Missing
Architectural flexibility does not substitute for:
- Standardised PQ lock scripts that wallets can ship to users.
- Tooling and library support for lattice-based key generation in CKB SDKs.
- Protocol-level guidance or a Foundation-endorsed migration timeline.
- Audited reference implementations of NIST PQC algorithms compiled to RISC-V (the CKB-VM instruction set).
None of these currently exist at a production-ready level in the Nervos ecosystem. The community is aware of the theoretical path, but no concrete migration schedule has been published.
---
How Lattice-Based Post-Quantum Cryptography Differs
The leading post-quantum signature candidates, standardised or under standardisation by NIST, rely on mathematical problems that quantum computers do not solve efficiently.
CRYSTALS-Dilithium (ML-DSA)
Dilithium, now designated ML-DSA in FIPS 204, is based on the Module Learning With Errors (MLWE) problem. Signing and verification are fast. Keys and signatures are much larger than ECDSA's: an ML-DSA-65 (Dilithium level 3) public key is 1,952 bytes and a signature 3,309 bytes, compared to 33 bytes for a compressed secp256k1 public key and 65 bytes for the recoverable signature CKB uses. This matters for on-chain storage costs.
FALCON
FALCON is based on NTRU lattices and produces smaller signatures than Dilithium, but its signer relies on floating-point arithmetic for Gaussian sampling, which makes constant-time implementation and auditing harder. Verification is integer-only and comparatively simple, and verification is all a lock script has to run; the floating-point burden falls on the wallet. NIST is standardising FALCON as FN-DSA in FIPS 206, which was still in draft at the time of writing.
SPHINCS+ (SLH-DSA)
SPHINCS+ relies purely on hash functions rather than lattice problems, making its security assumptions conservative and well-understood. The tradeoff is large signature sizes (8–50 KB depending on parameter set), which would significantly increase the footprint of CKB witnesses.
Size and Cost Comparison
| Algorithm | Public Key Size | Signature Size | Quantum Safe? |
|---|---|---|---|
| secp256k1 (ECDSA) | 33 bytes (compressed) | 65 bytes recoverable (as used by CKB); ~71 bytes DER | No |
| Ed25519 (EdDSA) | 32 bytes | 64 bytes | No |
| ML-DSA-65 (Dilithium level 3) | 1,952 bytes | 3,309 bytes | Yes (NIST FIPS 204) |
| FN-DSA-512 (FALCON-512) | 897 bytes | ~666 bytes | Yes (NIST FIPS 206, draft) |
| SLH-DSA-SHA2-128s (SPHINCS+-128s) | 32 bytes | 7,856 bytes | Yes (NIST FIPS 205) |
For a blockchain like CKB, where witness bytes count toward the serialized transaction size that fees are charged on and signature verification counts toward the transaction's cycle limit, the larger sizes and heavier verification of PQ signatures are a real engineering constraint, not merely a theoretical footnote.
---
Post-Quantum Wallets: What Genuinely Quantum-Resistant Looks Like
The gap between "a blockchain that *could* support PQ signatures" and one that ships PQ signatures to users today is significant. A genuinely quantum-resistant wallet must implement a NIST PQC-approved algorithm at the key generation layer, not merely signal intent at the protocol layer.
Projects that take this seriously are building with lattice-based key generation baked in from the ground up, so that the wallet's signing operations never touch ECDSA or secp256k1 at any point in the key lifecycle. One project currently in presale, BMIC.ai, advertises lattice-based, NIST PQC-aligned cryptography at the wallet layer, aimed at the Q-day exposure that standard ECDSA wallets cannot address; as with any such claim, the key-generation and signing implementation should be independently audited before funds depend on it.
The distinction matters: a network that supports PQ lock scripts in theory is not the same as a wallet that uses them in practice for every transaction signed by every user.
---
Practical Steps for CKB Holders Concerned About Quantum Risk
If you hold CKB and want to reduce your quantum exposure today, the options are limited but real:
- Avoid reusing addresses. Under the default lock, every cell with the same lock args is controlled by the same key, so spending any one of them publishes the public key for all of them. Fund new cells from fresh keys, and treat a key as burned once it has signed.
- Keep large holdings in unspent cells. The hash shield provides partial protection for cells that have never been spent from, right up until the spending transaction is broadcast. Treat high-value cold storage as "spend once, migrate" when PQ options become available, moving the whole balance in a single transaction.
- Watch the Nervos RFC process. Protocol changes on CKB are proposed via the RFC (Request for Comment) system. Any formal PQ lock script standard would appear there first.
- Consider hardware with NIST PQC support. Some hardware security modules now support Dilithium and FALCON. When CKB tooling catches up, these could be used to sign PQ lock scripts.
- Diversify across quantum-readiness tiers. Holding assets across wallets with varying quantum-readiness profiles is one risk-management approach, though it does not eliminate exposure on any individual ECDSA-based chain.
Frequently Asked Questions
Is Nervos Network (CKB) quantum safe right now?
No. Nervos Network's default lock scripts use SECP256K1 (ECDSA) and SECP256R1, both of which are vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. The network's Cell model architecture supports custom lock scripts, meaning a post-quantum lock script could be deployed without a hard fork, but no production-ready PQ implementation is available for end users today.
What is Q-day and why does it matter for CKB holders?
Q-day is the point at which a cryptographically relevant quantum computer (CRQC) can break 256-bit elliptic curve keys at practical speed. At that point, any CKB cell whose public key has been published on-chain, meaning any cell that has ever been spent from, becomes vulnerable to private key extraction. NIST's transition guidance plans for quantum-vulnerable signatures to be deprecated around 2030 and disallowed after 2035, and some vendor roadmaps suggest a CRQC could arrive sooner.
Does Nervos Network have a quantum migration plan?
Not a formal, protocol-endorsed one as of now. Nervos Foundation has not published a quantum migration timeline or RFC. The Cell model's programmability means PQ lock scripts are theoretically deployable, but standardised implementations, audited libraries, and wallet tooling do not yet exist in the ecosystem.
Which NIST post-quantum algorithms would work on CKB?
The three NIST post-quantum signature algorithms, ML-DSA (Dilithium, FIPS 204), SLH-DSA (SPHINCS+, FIPS 205) and FN-DSA (FALCON, FIPS 206, still in draft at the time of writing), are all candidates for CKB lock scripts. The main engineering challenge is compiling their verifiers to RISC-V for the CKB-VM and managing the larger key and signature sizes, which increase on-chain storage costs, fees and transaction cycle counts.
Are unspent CKB cells safer from quantum attacks than spent ones?
Yes, partially. CKB's default lock stores blake160 (the first 20 bytes of the Blake2b-256 hash) of the public key in the cell's args, so cells that have never been spent from expose only that hash. An attacker would need to find a matching public key before even attempting an ECDLP attack. Once a cell is spent, however, the witness carries a 65-byte recoverable signature from which anyone can recover the full public key, and that signature stays on-chain permanently, removing the protection entirely.
What is the difference between ECDSA and EdDSA in terms of quantum resistance?
There is no meaningful difference in quantum resistance. Both ECDSA and EdDSA (including Ed25519) rely on elliptic curve discrete logarithm hardness, which Shor's algorithm breaks efficiently on a quantum computer. EdDSA has advantages over ECDSA in classical security properties (no random nonce requirement, faster verification), but neither scheme is quantum safe.