Is Oasis Quantum Safe?
Is Oasis quantum safe? It is a question every serious ROSE holder should be asking right now, because the answer determines whether their on-chain assets survive the arrival of cryptographically relevant quantum computers. This article breaks down the exact signature schemes Oasis Network uses, explains how quantum hardware threatens them, assesses what migration paths exist for the protocol, and compares how lattice-based post-quantum wallets differ from the standard tools most ROSE holders use today. By the end, you will have a clear-eyed view of the risk and the options available to manage it.
What Cryptography Does Oasis Network Actually Use?
Oasis Network (ROSE) is a privacy-focused, layer-1 blockchain built around a separation of concerns between its consensus layer and its ParaTime execution environment. Understanding the quantum threat requires looking at both layers distinctly.
Consensus Layer Signing
The Oasis consensus layer uses Ed25519, an instance of the Edwards-curve Digital Signature Algorithm (EdDSA) built on Curve25519. Ed25519 was chosen for its speed, small signature sizes, and resistance to several classical side-channel attacks. It is the same scheme used by Solana, Cardano (for some operations), and a range of other modern chains.
Ed25519 security rests entirely on the hardness of the elliptic curve discrete logarithm problem (ECDLP). A classical computer cannot solve this in any practical timeframe for a 256-bit curve. A sufficiently powerful quantum computer running Shor's algorithm, however, can solve it in polynomial time.
ParaTime Layer and EVM Compatibility
Oasis Sapphire, the EVM-compatible confidential ParaTime, supports Ethereum-style accounts. That means secp256k1 ECDSA — the same signature scheme used by Bitcoin and Ethereum — is exposed wherever users interact with Sapphire using MetaMask or any standard EVM wallet. ECDSA on secp256k1 is as vulnerable to Shor's algorithm as Ed25519 is.
Key Derivation and Hashing
Oasis also relies on SHA-512/256 for hashing and uses standard HD wallet derivation (BIP-32/BIP-44 compatible paths for some tooling). Hash functions like SHA-2 are weakened, but not broken, by quantum computers. Grover's algorithm provides a quadratic speedup over brute-force preimage search, effectively halving the security level in bits. SHA-256 drops to roughly 128-bit quantum security, which is still considered adequate under current NIST guidance. The signing layer is the acute risk, not the hash functions.
---
Understanding Q-Day and Why It Matters for ROSE
"Q-Day" refers to the point at which a quantum computer becomes powerful enough to break asymmetric cryptography at practical speed. No such machine exists today. Current quantum hardware operates with noisy, error-prone qubits in the hundreds to low thousands. Breaking a 256-bit elliptic curve key with Shor's algorithm is estimated to require somewhere between 1,500 and 4,000 stable, error-corrected logical qubits depending on the architecture and the circuit optimisations applied.
The timeline is genuinely uncertain. Estimates from serious researchers range from 8 to 20 years, with some outlier scenarios shorter. What makes this a present-day concern rather than a distant abstraction is the "harvest now, decrypt later" threat vector: adversaries can record encrypted transactions and wallet public keys from today's blockchains and decrypt them retroactively once a capable machine exists.
Which Oasis Addresses Are Most at Risk?
The attack surface is not uniform. The critical distinction is between reused addresses and single-use addresses.
- Reused addresses (highest risk): When a wallet has already broadcast a transaction, its public key is exposed on-chain. A quantum attacker with sufficient hardware could derive the private key from that public key and drain the wallet. ROSE consensus addresses and any Sapphire/EVM addresses that have sent transactions fall into this category.
- Unused addresses (lower immediate risk): If an address has only ever received funds and never broadcast a transaction, only the address hash (not the public key) is publicly visible. The attacker must break the hash first — computationally harder, though not impossible with a sufficiently advanced quantum machine.
- Validator and node operator keys: These are particularly exposed because they sign blocks continuously, broadcasting their public keys repeatedly.
---
Has Oasis Published a Post-Quantum Migration Roadmap?
As of mid-2025, Oasis Network has not released a formal, timeline-bound post-quantum cryptography migration roadmap in its public documentation. This is not unique to Oasis. The vast majority of layer-1 blockchains, including Ethereum, are in early-stage research on this topic rather than active deployment.
The broader blockchain industry is effectively waiting on two things:
- NIST PQC standardisation completion — NIST finalised its first set of post-quantum standards in 2024, including CRYSTALS-Kyber (now called ML-KEM) for key encapsulation and CRYSTALS-Dilithium (ML-DSA) for digital signatures. These lattice-based schemes are now the reference point for any serious PQC migration.
- Ethereum's quantum migration signal — Because Oasis Sapphire targets EVM compatibility, any migration on the Sapphire side will likely track or depend on decisions made at the Ethereum protocol level. Ethereum researchers have discussed account abstraction (EIP-7702 and related proposals) as a possible migration path, where wallets upgrade to PQC-compatible smart contract accounts.
The honest assessment: Oasis, like most chains, has no near-term deployment plan for post-quantum signatures. Protocol-level migration is a multi-year effort requiring community governance, hard fork coordination, and wallet ecosystem upgrades.
---
Comparing Quantum Vulnerability Across Signature Schemes
The table below summarises how the cryptographic primitives relevant to Oasis and its ecosystem compare under classical and quantum threat models.
| Scheme | Used In | Classical Security | Quantum Threat (Shor's) | Post-Quantum? |
|---|---|---|---|---|
| Ed25519 (EdDSA) | Oasis consensus layer | ~128-bit | Broken at scale | No |
| secp256k1 ECDSA | Sapphire EVM, MetaMask | ~128-bit | Broken at scale | No |
| RSA-2048 | Legacy TLS, some tooling | ~112-bit | Broken at scale | No |
| ML-DSA (Dilithium) | NIST PQC standard | ~128-bit | Resistant | Yes |
| FALCON (NTRU lattice) | NIST PQC alternate | ~128-bit | Resistant | Yes |
| SPHINCS+ (hash-based) | NIST PQC alternate | ~128-bit | Resistant | Yes |
| SHA-256 (hashing) | Oasis address derivation | 256-bit | ~128-bit (Grover) | Adequate |
The core takeaway: every signature scheme currently used for live transactions on Oasis — Ed25519 and secp256k1 — is quantum-vulnerable. The hash functions are weakened but survivable.
---
What Can ROSE Holders Do Today?
Waiting for a protocol-level upgrade is not the only option. There are practical steps holders can take to reduce quantum exposure now.
Minimise Public Key Exposure
The most actionable step is to treat each wallet address as single-use where possible. After any outgoing transaction exposes a public key, consider rotating to a fresh address. This does not eliminate the risk but narrows the window of vulnerability.
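The rule above, and the risk tiers from "Which Oasis Addresses Are Most at Risk?", can be turned into a simple wallet-side audit. The Python below is an added example, not Oasis tooling: it replays a constructed ledger, marks an address's public key as exposed the first time that address signs an outgoing transaction, and reports how much ROSE sits behind keys that are already visible on-chain. The oasis1... strings are placeholders, not real addresses.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    sender: str     # the key that signed this tx; signing puts its public key on-chain
    recipient: str  # receiving only reveals the address hash, not the public key
    amount: int     # whole ROSE, constructed values

@dataclass
class Exposure:
    balance: int = 0
    pubkey_exposed: bool = False   # set once the address signs an outgoing tx
    is_validator: bool = False     # validator keys sign blocks continuously

    @property
    def risk(self) -> str:
        if self.is_validator:
            return "validator"     # public key republished with every signed block
        if self.pubkey_exposed and self.balance > 0:
            return "reused"        # public key on-chain and funds behind it: rotate
        if self.pubkey_exposed:
            return "reused-empty"  # key is public but there is nothing left to drain
        return "unused"            # only the address hash is visible on-chain

def audit_exposure(ledger, my_addresses, validator_addresses=()):
    """Replay the ledger in chain order and classify each of my_addresses."""
    report = {a: Exposure(is_validator=a in validator_addresses) for a in my_addresses}
    for tx in ledger:
        if tx.sender in report:
            report[tx.sender].balance -= tx.amount
            report[tx.sender].pubkey_exposed = True   # the signature revealed the key
        if tx.recipient in report:
            report[tx.recipient].balance += tx.amount
    return report

def funds_at_risk(report) -> int:
    """ROSE sitting behind public keys that are already visible on-chain."""
    return sum(e.balance for e in report.values() if e.pubkey_exposed or e.is_validator)

# Constructed sample ledger; the oasis1... strings are placeholders, not real addresses.
LEDGER = [
    Tx("oasis1exchange", "oasis1hot", 1000),    # deposit: hot wallet only receives so far
    Tx("oasis1hot", "oasis1cold", 600),         # hot wallet signs: its public key is now public
    Tx("oasis1exchange", "oasis1validator", 50),
    Tx("oasis1hot", "oasis1exchange", 100),
]

def sample_report():
    """Audit the constructed wallet set: one hot wallet, one receive-only cold wallet, one validator."""
    return audit_exposure(LEDGER, ["oasis1hot", "oasis1cold", "oasis1validator"], {"oasis1validator"})
```

Running `sample_report()` shows the cold wallet, which has only ever received, still has nothing but its address hash on-chain, while the hot wallet's 300 ROSE and the validator's 50 ROSE sit behind published keys.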
Monitor NIST PQC Wallet Adoption
A small but growing category of wallets is being built specifically around NIST-standardised post-quantum algorithms. BMIC.ai, for example, is building a quantum-resistant wallet and token architecture using lattice-based cryptography aligned with NIST PQC standards, designed explicitly to protect holdings against the Q-day scenario that standard Ed25519 and ECDSA wallets cannot survive.
Watch Oasis Governance Channels
Any protocol-level PQC migration on Oasis will go through on-chain governance. Following Oasis governance forums and the Oasis Foundation GitHub gives the earliest signal of any formal migration proposal.
Diversify Custody Models
Hardware wallets add layers of physical security but do not change the underlying signature scheme. A Ledger or Trezor holding ROSE still signs with Ed25519 or secp256k1. Hardware security addresses a different threat model (malware, phishing) than the quantum threat. Recognising that distinction matters for risk assessment.
---
How Lattice-Based Post-Quantum Wallets Differ From Standard Wallets
Standard wallets derive their security from the intractability of the elliptic curve discrete logarithm problem. Lattice-based wallets replace that foundation entirely.
The Lattice Hard Problem
Lattice-based cryptography relies on the shortest vector problem (SVP) and related problems in high-dimensional integer lattices. No known algorithm, classical or quantum, solves these problems efficiently at the security parameters used in production. CRYSTALS-Dilithium, standardised as ML-DSA, uses structured lattices (module lattices, specifically) to produce signatures that are larger than Ed25519 signatures (around 2.4 KB versus 64 bytes) but are computationally intractable for quantum hardware.
Practical Differences for Users
| Feature | Ed25519 Wallet (Current Oasis) | Lattice-Based PQC Wallet |
|---|---|---|
| Signature size | 64 bytes | ~2,420 bytes (ML-DSA) |
| Public key size | 32 bytes | ~1,312 bytes (ML-DSA) |
| Key generation speed | Very fast | Fast (slightly slower) |
| Quantum resistance | None | High (SVP-hard) |
| NIST standardised | No (classical) | Yes (ML-DSA, ML-KEM) |
| Blockchain compatibility | Native to Oasis | Requires protocol support or L2 |
The size increase is the main practical trade-off. Larger signatures mean higher on-chain storage costs and slightly higher transaction fees, which is why blockchain protocols need to plan infrastructure upgrades alongside the cryptographic migration, not just swap one algorithm for another.
---
The Broader PQC Migration Challenge for Layer-1 Chains
Oasis is in the same position as virtually every other layer-1 chain: the cryptographic foundations were laid before NIST completed its PQC standards, and the migration path is technically complex. The challenges include:
- Backward compatibility: Existing wallets and addresses using Ed25519 or ECDSA keys cannot simply be "upgraded." Funds must be migrated to new address types, requiring user action.
- Governance coordination: A hard fork or soft fork introducing new address types requires supermajority agreement among validators, developers, and ecosystem participants.
- Wallet ecosystem fragmentation: Third-party wallets, exchanges, and DeFi protocols on Sapphire all need to support new address formats simultaneously or in a phased rollout.
- User inertia: History shows that even security-critical upgrades (SHA-1 deprecation in TLS, for example) take years longer than technically necessary because of adoption lag.
None of these challenges are insurmountable, but they underscore why ROSE holders should not assume a smooth, fast migration will occur before quantum hardware becomes capable. Proactive risk management at the wallet level is more reliable than waiting for protocol-level assurances that have no published timeline.
Frequently Asked Questions
Is Oasis Network (ROSE) quantum safe right now?
No. Oasis Network uses Ed25519 on its consensus layer and secp256k1 ECDSA on Sapphire (its EVM-compatible ParaTime). Both schemes are vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. No quantum computer capable of breaking these exists today, but the protocol has no published near-term migration plan to post-quantum cryptography.
What is Q-day and when might it affect ROSE holders?
Q-day is the point at which a cryptographically relevant quantum computer can break elliptic curve signatures at practical speed. Credible research estimates this is 8 to 20 years away, though timelines are uncertain. The immediate concern is 'harvest now, decrypt later' attacks, where adversaries record public keys and on-chain data today to decrypt once capable hardware exists.
Which Oasis addresses are most vulnerable to a quantum attack?
Addresses that have already broadcast an outgoing transaction are at highest risk because their public key is permanently visible on-chain. Addresses that have only ever received funds expose only a hash, which is harder (though not impossible) for a quantum attacker to exploit. Validator signing keys are particularly exposed due to continuous block-signing activity.
Does Oasis have a post-quantum upgrade roadmap?
As of mid-2025, Oasis has not published a formal, timeline-bound post-quantum migration roadmap. This is consistent with most layer-1 blockchains, which are in early research stages. Any migration would require on-chain governance approval, a protocol fork, and ecosystem-wide wallet upgrades.
What is the difference between Ed25519 and lattice-based post-quantum signatures?
Ed25519 derives security from the elliptic curve discrete logarithm problem, which Shor's algorithm can solve on a quantum computer. Lattice-based signatures like ML-DSA (CRYSTALS-Dilithium) derive security from the shortest vector problem in high-dimensional lattices, which has no known efficient quantum solution. The trade-off is larger signature sizes (roughly 2.4 KB versus 64 bytes for Ed25519).
Can a hardware wallet protect my ROSE against quantum attacks?
No, not against the quantum threat specifically. Hardware wallets protect against classical threats like malware and phishing by keeping private keys offline. However, they still sign transactions using Ed25519 or secp256k1, which are quantum-vulnerable. Protecting against Q-day requires a different underlying signature algorithm, not just a different storage method.