Is PAW Quantum Safe?
Is PAW quantum safe? That question is increasingly relevant as cryptographers, governments, and institutional investors begin treating Q-day, the point at which a sufficiently powerful quantum computer can break today's public-key cryptography, as a planning assumption rather than science fiction. PAW is a featherweight, fee-free cryptocurrency built on the Open Representative Voting (ORV) protocol. This article examines the exact cryptographic primitives PAW relies on, how those primitives fare against a Cryptographically Relevant Quantum Computer (CRQC), whether any migration roadmap exists, and what genuinely quantum-resistant alternatives look like.
What Cryptography Does PAW Actually Use?
PAW is a fork of the Nano protocol, which itself is a directed acyclic graph (DAG)-based ledger using a block-lattice architecture. Understanding the quantum-safety question requires pinning down exactly which cryptographic algorithms underpin PAW's security model.
Signature Scheme: Ed25519
PAW uses Ed25519, an instance of the Edwards-curve Digital Signature Algorithm (EdDSA) over edwards25519, the twisted Edwards form of Curve25519. Ed25519 was designed by Daniel J. Bernstein and colleagues and is widely regarded as one of the most efficient and secure classical signature schemes available. It offers:
- 128-bit classical security level
- Fast signature generation and verification
- Compact 64-byte signatures and 32-byte public keys
- Deterministic, hash-derived nonces and a design suited to constant-time implementation, which removes the nonce-reuse and timing failures that have broken ECDSA deployments
Ed25519 is not the same as the older ECDSA used by Bitcoin and Ethereum, but it shares the same fundamental mathematical weakness: its security ultimately rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP), and that is precisely the problem Shor's algorithm solves.
Hashing: Blake2b
PAW uses Blake2b for block hashing and proof-of-work. Blake2b is a cryptographic hash function, used with a 256-bit output for block hashes. Hash functions are generally considered quantum-resistant at sufficient output lengths: Shor's algorithm does not apply to them, and Grover's algorithm gives only a quadratic speedup on preimage search, reducing a 256-bit output's effective preimage security to roughly 128 bits, which remains infeasible to brute-force on any foreseeable quantum hardware. The same Grover bound is the only quantum speedup available against the Blake2b proof-of-work.
Key Derivation: BIP-39 / BIP-44
Like most consumer-facing wallets, PAW wallets derive keys deterministically from a mnemonic seed using BIP-39 and a hierarchical derivation path. Every step in that chain is hash-based: BIP-39 turns the mnemonic into a 64-byte seed with PBKDF2-HMAC-SHA512, and each hierarchical step is another HMAC-SHA512, so the seed layer inherits the Grover-only exposure of the hash layer. The derived keys, however, are Ed25519 key pairs, and an attacker with a CRQC never needs the seed: recovering one account's private key from its public key is enough to empty that account. The quantum vulnerability lives at the signature layer, not the seed layer.
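As an added illustration (not code from PAW, Nano or any wallet project), the following Python walks the hash-only part of that chain: mnemonic to BIP-39 seed with PBKDF2-HMAC-SHA512, then SLIP-0010 hardened Ed25519 derivation with HMAC-SHA512. It assumes PAW wallets follow BIP-39 plus SLIP-0010 hardened derivation; the demo mnemonic is the canonical all-"abandon" test phrase and the coin-type index in the path is a placeholder, not PAW's registered value. The final Ed25519 step (private scalar to public key) is deliberately left out: it needs a curve library, and it is the one step in the chain that is not hash-based.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo phrase: the canonical all-"abandon" BIP-39 test mnemonic.
# Never use it for real funds. Assumption (not stated on the page): PAW
# wallets follow BIP-39 + SLIP-0010 hardened Ed25519 derivation; the coin-type
# index in DEMO_PATH is a placeholder, not PAW's registered value.
DEMO_MNEMONIC = "abandon " * 11 + "about"
DEMO_PATH = (44, 0, 0)          # m/44'/coin'/account', every level hardened
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: 64-byte seed = PBKDF2-HMAC-SHA512(mnemonic, 'mnemonic'+passphrase, 2048)."""
    phrase = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, 2048, dklen=64)


def slip10_master(seed: bytes):
    """SLIP-0010 Ed25519 master node: HMAC-SHA512 keyed with 'ed25519 seed'."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]        # (private key seed, chain code)


def slip10_child(key: bytes, chain: bytes, index: int):
    """Hardened child only: SLIP-0010 defines no public derivation for Ed25519."""
    if index < HARDENED:
        raise ValueError("ed25519 derivation must be hardened")
    data = b"\x00" + key + index.to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_account_key(mnemonic: str, path=DEMO_PATH, passphrase: str = "") -> bytes:
    """mnemonic -> seed -> master -> hardened path. Every step is a hash or HMAC;
    only the *next* step (scalar -> Ed25519 public key) touches the curve, and
    that is the step Shor's algorithm inverts."""
    key, chain = slip10_master(bip39_seed(mnemonic, passphrase))
    for level in path:
        key, chain = slip10_child(key, chain, level | HARDENED)
    return key


if __name__ == "__main__":
    print("seed      :", bip39_seed(DEMO_MNEMONIC).hex())
    print("account 0 :", derive_account_key(DEMO_MNEMONIC, (44, 0, 0)).hex())
    print("account 1 :", derive_account_key(DEMO_MNEMONIC, (44, 0, 1)).hex())
```

Changing the optional BIP-39 passphrase yields an unrelated seed, and each account index yields an unrelated 32-byte Ed25519 private key seed; none of that structure is visible to an attacker, who works backwards from a single on-chain public key.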
---
The Quantum Threat to Ed25519: How Real Is It?
The honest answer is nuanced: Ed25519 is not currently broken by any existing quantum computer, and it will not be broken by any quantum hardware available in 2025. The risk is forward-looking.
Shor's Algorithm and Elliptic Curves
In 1994, Peter Shor published a quantum algorithm that solves integer factorisation and the discrete logarithm problem, including its elliptic-curve variant, in polynomial time on a sufficiently powerful quantum computer. RSA and every elliptic-curve scheme, including ECDSA and Ed25519, rely on the hardness of exactly these problems. A CRQC running Shor's algorithm could:
- Read a public key from the ledger
- Derive the corresponding private key
- Sign a valid send block moving the account's balance anywhere
For PAW specifically, the exposure is broader than on Bitcoin-style chains. In a Nano-derived block lattice the account address is the Ed25519 public key itself, base32-encoded with a short checksum, and the destination field of every send block carries the recipient's public key in the clear. There is no hashed-address layer that hides the key until first spend. An attacker with a CRQC could therefore recover the private key of any account that has ever appeared on the ledger, as sender or as recipient, and sign a send block draining its balance.
The "receive-only addresses are safe until first spend" argument that holds for Bitcoin's pay-to-public-key-hash outputs does not transfer to PAW: the key is public from the moment the address is shared, and pocketing incoming funds already requires the account to sign a receive block. The only lever a holder has today is how much sits on-chain and for how long.
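To make the exposure concrete, the following added example (not code from PAW or Nano) decodes a Nano-style address back into the 32-byte Ed25519 public key. It assumes PAW keeps Nano's address layout: a prefix, 52 base32 characters carrying 4 zero bits plus the 256-bit key, and 8 characters holding a byte-reversed 5-byte BLAKE2b checksum. The `paw_` prefix and the sample key are assumptions; Nano's genesis public key, a public constant, is included so the encoder can be checked against a published address.

```python
import hashlib

# Base32 alphabet used by Nano-derived ledgers (0, 2, l and v are left out).
ALPHABET = "13456789abcdefghijkmnopqrstuwxyz"
# Assumption: PAW keeps Nano's address layout and uses this prefix.
PREFIX = "paw_"


def _b32_encode(data: bytes, nbits: int) -> str:
    """Emit the low `nbits` bits of `data` (big-endian) as 5-bit symbols, MSB first."""
    n = int.from_bytes(data, "big")
    return "".join(ALPHABET[(n >> shift) & 31] for shift in range(nbits - 5, -1, -5))


def _b32_decode(text: str, nbytes: int) -> bytes:
    """Inverse of _b32_encode; rejects bad symbols and non-zero padding bits."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid address character {ch!r}")
        n = (n << 5) | idx
    if n >> (nbytes * 8):
        raise ValueError("padding bits are not zero")
    return n.to_bytes(nbytes, "big")


def _checksum(pubkey: bytes) -> bytes:
    # 5-byte BLAKE2b of the key, byte-reversed before encoding.
    return hashlib.blake2b(pubkey, digest_size=5).digest()[::-1]


def encode_address(pubkey: bytes, prefix: str = PREFIX) -> str:
    """address = prefix || base32(4 zero bits || 256-bit key) || base32(40-bit checksum)."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    return prefix + _b32_encode(pubkey, 260) + _b32_encode(_checksum(pubkey), 40)


def decode_address(address: str, prefix: str = PREFIX) -> bytes:
    """Recover the Ed25519 public key from an address, verifying the checksum.

    Nothing here is secret: whoever holds the address holds the public key,
    which is exactly the input Shor's algorithm needs. No spend is required.
    """
    if not address.startswith(prefix):
        raise ValueError("unexpected prefix")
    body = address[len(prefix):]
    if len(body) != 60:
        raise ValueError("address body must be 60 characters")
    pubkey = _b32_decode(body[:52], 32)
    if _b32_decode(body[52:], 5) != _checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_address(address: str, prefix: str = PREFIX) -> bool:
    try:
        decode_address(address, prefix)
        return True
    except ValueError:
        return False


# Nano's live genesis account (a public constant); its published address
# begins nano_3t6k35gi..., which the encoder reproduces.
NANO_GENESIS_PUBKEY = bytes.fromhex(
    "E89208DD038FBB269987689621D52292AE9C35941A7484756ECCED92A65093BA")

# Constructed 32-byte key standing in for a PAW account; not a real account.
SAMPLE_PUBKEY = bytes(range(32))


def demo() -> dict:
    """Round-trip the sample key: the address alone yields the public key."""
    addr = encode_address(SAMPLE_PUBKEY)
    recovered = decode_address(addr)
    return {"address": addr, "recovered_key_hex": recovered.hex(),
            "matches": recovered == SAMPLE_PUBKEY}


if __name__ == "__main__":
    print(demo())
    print(encode_address(NANO_GENESIS_PUBKEY, "nano_"))
```

Run stand-alone it prints the constructed PAW-style address and the encoding of Nano's genesis key. The checksum and padding checks only detect typos; they are not a secret, so `decode_address` is the complete "key extraction" step an attacker would need before running Shor's algorithm.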
Harvest Now, Decrypt Later
A related concern is the "harvest now, decrypt later" (HNDL) strategy. Strictly, HNDL is a threat to encrypted data: adversaries record ciphertext today and decrypt it once a CRQC exists. Signatures fail differently. A signature the network has already accepted cannot be undone by forging another one later, but the public key it was verified against stays on the ledger forever, and private-key recovery from that public key is the attack. For PAW nothing needs to be harvested: every public key that has ever appeared on the ledger is already permanently archived, so the exposure window opens the instant a CRQC exists.
The Q-Day Timeline: Analyst Views
Estimates vary significantly. The US National Security Agency (NSA) has set 2035 as the deadline for national security systems to complete their migration to post-quantum cryptography. IBM's quantum roadmap targets error-corrected logical qubits within this decade. A 2022 paper by Mark Webber et al. estimated that breaking a 256-bit elliptic-curve key within an hour would take roughly 317 million physical qubits (about 13 million if a full day is allowed), far beyond today's largest systems, which number in the thousands of noisy physical qubits. However, qubit counts and error-correction techniques are advancing rapidly, and published resource estimates have fallen with each generation of error-correction research. Most credible analyst scenarios place meaningful CRQC capability in the 2030–2040 window, with some outlier scenarios as early as 2029.
For a long-lived asset or a wallet holding funds over that horizon, the cryptographic risk is real and warrants planning.
---
PAW vs. Other Protocols: Quantum Exposure Comparison
| Protocol | Signature Scheme | Hash Function | Quantum Vulnerable? | Known PQC Migration Plan? |
|---|---|---|---|---|
| PAW | Ed25519 (EdDSA) | Blake2b | Yes (signature layer) | No public roadmap |
| Bitcoin | ECDSA (secp256k1) | SHA-256 / RIPEMD-160 | Yes (signature layer) | No consensus roadmap |
| Ethereum | ECDSA (secp256k1) | Keccak-256 | Yes (signature layer) | EIP-7693 (research stage) |
| Solana | Ed25519 | SHA-256 | Yes (signature layer) | No public roadmap |
| Nano | Ed25519 | Blake2b | Yes (signature layer) | No public roadmap |
| BMIC | Lattice-based (NIST PQC-aligned) | Post-quantum hash | No | Native by design |
The table illustrates a consistent pattern: virtually every major cryptocurrency in production today uses classical elliptic-curve or discrete-log-based signature schemes. PAW is not uniquely exposed; it shares this vulnerability with the vast majority of the crypto ecosystem. The meaningful differentiator is whether a project has a credible migration path.
---
Does PAW Have a Post-Quantum Migration Roadmap?
As of the most recent public information, PAW does not have a published post-quantum cryptography migration roadmap. This is not unusual, but it is a gap worth understanding.
Why Migration Is Non-Trivial
Replacing the signature scheme of a live cryptocurrency is among the most disruptive upgrades a network can make. It requires:
- Consensus among node operators to adopt a hard fork
- Wallet software updates across every user-facing application
- A key migration mechanism that lets existing accounts bind a new post-quantum public key before Q-day arrives; on a Nano-style ledger, where the address is the Ed25519 key, that means a block signed with the old key declaring the new one, which must land before that old key can be recovered
- Handling of dormant or lost wallets whose owners cannot migrate their keys
The Nano ecosystem (from which PAW derives) has similarly not published a PQC migration plan. The broader challenge is that smaller ecosystems with more limited developer resources face a steeper climb: the engineering effort of a PQC migration is closer to a protocol redesign than to a library swap.
What a Credible Migration Would Require
If PAW's development community were to pursue post-quantum security, a credible roadmap would need to include:
- Selection of a NIST-standardised PQC algorithm. NIST finalised its first post-quantum standards in August 2024: FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium) for signatures and FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber) for key encapsulation, alongside FIPS 205 (SLH-DSA, formerly SPHINCS+).
- A dual-signature transition period where both Ed25519 and the new PQC scheme are accepted, giving users time to migrate.
- Address deprecation timeline, after which unmigrated addresses are frozen or flagged as at-risk.
- Audit and testing of the new cryptographic library against the DAG ledger architecture.
Without a funded, developer-committed roadmap, users holding PAW over a multi-decade horizon are implicitly accepting this migration uncertainty.
---
What Post-Quantum Cryptography Actually Looks Like
Not all "quantum-resistant" claims are equal. It is worth understanding what genuine post-quantum security requires.
NIST PQC Standardisation
The US National Institute of Standards and Technology (NIST) ran a multi-year competition to identify cryptographic algorithms resistant to both classical and quantum attacks. The standards finalised in August 2024, plus one still in draft, are:
- ML-DSA (CRYSTALS-Dilithium, FIPS 204): A lattice-based digital signature scheme. Signatures are far larger than Ed25519's (2,420 bytes for ML-DSA-44 vs. 64 bytes, and larger still at the higher security levels) but remain infeasible to break even with Shor's algorithm.
- ML-KEM (CRYSTALS-Kyber, FIPS 203): A key encapsulation mechanism for secure key exchange.
- SLH-DSA (SPHINCS+, FIPS 205): A hash-based signature scheme whose only assumption is the security of the underlying hash function, at the cost of larger signature sizes.
- FN-DSA (FALCON): A more compact lattice-based signature scheme selected for applications where bandwidth matters; its standard, FIPS 206, had not been finalised as of 2025.
Lattice-Based Cryptography: The Mechanism
Lattice-based schemes derive their security from the Learning With Errors (LWE) problem or its structured variants (Ring-LWE, Module-LWE). The core idea: the public key is a random matrix A together with b = A·s + e (mod q), where s is the secret and e is a vector of small random errors. Without e, recovering s is Gaussian elimination, a few lines of linear algebra; with e, no known classical or quantum algorithm recovers s in polynomial time for properly sized parameters. Shor's algorithm does not apply, because there is no hidden periodic structure to exploit, and Grover's algorithm gives only a modest speedup that is absorbed by choosing larger parameters.
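The following added example (not code from any PQC library, nor from BMIC) shows that mechanism on toy parameters: a Regev-style LWE encryption of single bits, in which the holder of s strips the error and recovers the bit, followed by Gaussian elimination over GF(q) to show that the same public data with the error removed gives up s directly. The parameters are deliberately tiny and insecure; q = 3329 is borrowed from ML-KEM only for familiarity, and the seeded RNG exists so the run is reproducible.

```python
import random

# Toy parameters: nowhere near secure, chosen so the arithmetic is visible and
# the error never crosses the decoding threshold. q is prime (ML-KEM's modulus,
# reused only for familiarity); real schemes use n in the hundreds.
Q = 3329     # modulus
N = 16       # secret length
M = 64       # LWE samples in the public key; M < Q/4 keeps decryption exact
ERRS = (-1, 0, 1)


def fresh_rng(seed: int = 2024) -> random.Random:
    """Seeded RNG so the demo is reproducible; a real scheme uses a CSPRNG."""
    return random.Random(seed)


def keygen(rng: random.Random):
    """Secret s; public key (A, b = A s + e mod q) with small error vector e."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice(ERRS) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt_bit(pub, bit: int, rng: random.Random):
    """Regev-style: random subset r of the samples; u = r.A, v = r.b + bit*q/2."""
    A, b = pub
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct) -> int:
    """v - <u, s> = r.e + bit*q/2 (mod q); |r.e| <= M < q/4, so round to 0 or q/2."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def encrypt_byte(pub, byte: int, rng: random.Random):
    return [encrypt_bit(pub, (byte >> i) & 1, rng) for i in range(8)]


def decrypt_byte(s, cts) -> int:
    return sum(decrypt_bit(s, ct) << i for i, ct in enumerate(cts))


def noiseless_b(A, s):
    """What b would be with e = 0: plain linear algebra, trivially invertible."""
    return [sum(a * x for a, x in zip(row, s)) % Q for row in A]


def solve_noiseless(A, b):
    """Gaussian elimination over GF(q). Recovers s when b = A s exactly; returns
    None when the system is inconsistent, i.e. when b carries an error term."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    rank = 0
    for col in range(N):
        piv = next((r for r in range(rank, M) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, Q)
        rows[rank] = [(x * inv) % Q for x in rows[rank]]
        for r in range(M):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[rank])]
        rank += 1
    if rank < N or any(any(row) for row in rows[rank:]):
        return None
    return [rows[i][N] for i in range(N)]


def demo(seed: int = 2024) -> dict:
    rng = fresh_rng(seed)
    s, pub = keygen(rng)
    A, b = pub
    msg = 0x5A
    return {
        "roundtrip_ok": decrypt_byte(s, encrypt_byte(pub, msg, rng)) == msg,
        "recovered_without_noise": solve_noiseless(A, noiseless_b(A, s)) == s,
        "recovered_with_noise": solve_noiseless(A, b) == s,
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries of `demo()` are the whole point: the identical matrix A leaks s the moment the error vector is absent, and stops leaking it, to this attacker, the moment a few ±1 errors are added. Real schemes rely on the fact that no quantum algorithm does materially better than this against properly sized lattices.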
This is why projects designed from the ground up with post-quantum cryptography, such as BMIC.ai, which uses lattice-based, NIST PQC-aligned cryptography in its wallet architecture, represent a structurally different security posture from retrofitting quantum resistance onto an existing ECDSA or EdDSA system.
Trade-offs to Understand
| Property | Ed25519 | ML-DSA-44 (Dilithium2) |
|---|---|---|
| Signature size | 64 bytes | 2,420 bytes |
| Public key size | 32 bytes | 1,312 bytes |
| Security vs. classical computers | 128-bit | NIST security category 2 (roughly 128-bit) |
| Security vs. quantum computers | Broken by Shor's algorithm | Secure (Module-LWE hardness) |
| NIST standardised | Yes, as a classical scheme (FIPS 186-5, RFC 8032) | Yes (FIPS 204, 2024) |
| Maturity / deployment | Widely deployed | Emerging |
The larger key and signature sizes of post-quantum schemes have real implications for a DAG ledger like PAW, where every transaction is its own block carrying its own signature: swapping Ed25519 for ML-DSA-44 adds roughly 2.4 KB per block, about 38 times the current signature, and ledger storage, bandwidth and validation cost scale with it. The address format would have to change as well, since a 1,312-byte public key cannot double as a shareable address the way a 32-byte Ed25519 key does; addresses would most likely become hashes of the key, which is itself a consensus-level change. None of this is insurmountable, but it does mean a PAW PQC migration would require careful protocol re-engineering, not a simple library swap.
---
Practical Risk Assessment for PAW Holders
For someone holding PAW today, the quantum risk can be framed in three scenarios:
Scenario A: Q-Day Arrives Before PAW Migrates (High Impact)
If a CRQC becomes available while PAW still uses Ed25519, the private key of every account whose public key appears on the ledger is derivable from public data, and in a Nano-derived block lattice that is every account that has ever sent or received, because the address is the public key. Funds in those accounts are at immediate risk of theft.
Practical implication: unlike Bitcoin, where moving coins to a never-spent-from address buys a little time, PAW offers no address-level hedge with today's tools. The only structural fix is a protocol-level migration to a post-quantum signature scheme; until one exists, a holder's levers are how much is kept on-chain and for how long.
Scenario B: PAW Migrates Before Q-Day (Manageable)
The community coordinates a hard fork adopting ML-DSA or an equivalent NIST-standardised scheme. Users migrate keys during a transition window. The protocol survives Q-day intact.
Practical implication: This requires community coordination, developer resources, and time. Smaller ecosystems have historically struggled with coordinated hard forks.
Scenario C: Q-Day Is Delayed Beyond Most Holding Horizons (Lower Near-Term Risk)
Quantum hardware progress stalls. CRQCs capable of running Shor's algorithm at cryptographically relevant scales remain a decade or more away. The risk exists but is not immediately actionable.
Practical implication: Most individual retail holders are not directly threatened in the next two to three years. Institutional holders with longer time horizons face a different calculus.
---
Key Takeaways
- PAW uses Ed25519, an elliptic-curve signature scheme that is not quantum safe against a sufficiently powerful CRQC running Shor's algorithm.
- The Blake2b hash function used for block hashing is substantially more quantum-resistant, but the signature layer is the critical vulnerability.
- Because a PAW address is the account's Ed25519 public key, every account that has ever appeared on the ledger, as sender or recipient, has its public key exposed; the receive-only safety margin that exists on Bitcoin's hashed addresses does not apply here.
- PAW has no published post-quantum migration roadmap as of current public information.
- NIST finalised post-quantum standards in 2024. A credible migration requires a coordinated hard fork, dual-signature transition, and significant engineering effort.
- Holders with long time horizons should monitor both quantum computing progress and any official PAW protocol announcements regarding cryptographic upgrades.
Frequently Asked Questions
Is PAW (PAW) quantum safe?
No. PAW uses Ed25519, an Edwards-curve digital signature algorithm whose security depends on the hardness of the elliptic curve discrete logarithm problem. A sufficiently powerful quantum computer running Shor's algorithm could derive private keys from exposed public keys, breaking the signature scheme. The protocol's hashing layer (Blake2b) is substantially more resistant to quantum attack, but the signature layer is the critical vulnerability.
What is Q-day and why does it matter for PAW holders?
Q-day refers to the point at which a Cryptographically Relevant Quantum Computer (CRQC) becomes capable of running Shor's algorithm at a scale sufficient to break elliptic-curve and RSA-based cryptography. For PAW holders, Q-day matters because the Ed25519 signatures used to authorise transactions would no longer be secure, allowing attackers to forge signatures or derive private keys from public information already recorded on the PAW ledger.
Which PAW addresses are most at risk from a quantum attack?
All of them, once they have appeared on the ledger. In a Nano-derived block lattice the address is the base32-encoded Ed25519 public key, and a send block names its recipient by that public key, so an account's key is public from the first time anyone sends to it; pocketing the funds then requires the account to sign a receive block of its own. An attacker with a CRQC could derive the private key from that public key. The distinction between spent-from and receive-only addresses, which buys some time on Bitcoin's hashed-address outputs, does not exist for PAW.
Does PAW have a plan to become quantum resistant?
As of current public information, PAW does not have a published post-quantum cryptography migration roadmap. A credible migration would require selecting a NIST-standardised algorithm (such as ML-DSA/CRYSTALS-Dilithium), coordinating a network hard fork, updating all wallet software, and providing a key migration window for existing users. This is a significant engineering undertaking that has not been formally announced by the PAW development community.
What cryptographic algorithms are considered genuinely post-quantum safe?
NIST finalised its first post-quantum cryptography standards in August 2024. The primary signature standard is ML-DSA (formerly CRYSTALS-Dilithium, FIPS 204), a lattice-based scheme whose security rests on the hardness of the Module Learning With Errors (LWE) problem, which is not known to be solvable in polynomial time by any quantum algorithm. SLH-DSA (SPHINCS+, FIPS 205) is also standardised, and FALCON is being standardised as FN-DSA (FIPS 206), which had not been finalised as of 2025. For key encapsulation, ML-KEM (formerly CRYSTALS-Kyber, FIPS 203) is the primary standard.
When is Q-day expected to arrive?
Credible analyst estimates place meaningful quantum computing capability, sufficient to break 256-bit elliptic-curve cryptography, in the 2030 to 2040 range, with some outlier scenarios as early as 2029. The US NSA has set 2035 as the deadline for migrating national security systems to post-quantum standards. Current quantum hardware operates in the thousands of noisy physical qubits, far short of the millions of physical qubits (a few thousand error-corrected logical qubits) that most estimates require for a cryptographically relevant attack.