Is Pharos Quantum Safe?
Is Pharos quantum safe? It is a question that matters more each year as quantum computing hardware closes in on the thresholds that cryptographers have warned about for decades. Pharos (PROS), like the vast majority of smart-contract platforms and their associated wallets, relies on elliptic-curve cryptography to secure accounts and sign transactions. This article breaks down exactly what cryptographic primitives Pharos uses, where those primitives become vulnerable under a quantum attack, what migration options the ecosystem could adopt, and how lattice-based post-quantum wallets represent a fundamentally different security model.
What Cryptography Does Pharos Use?
Pharos is an EVM-compatible Layer-1 blockchain. That architectural choice carries a direct cryptographic inheritance from Ethereum: accounts are derived from ECDSA (Elliptic Curve Digital Signature Algorithm) over the secp256k1 curve, and transaction signatures follow the same scheme.
In practical terms, every PROS wallet address is the last 20 bytes of the Keccak-256 hash of the uncompressed public key (the 64-byte x‖y coordinate pair), which is itself derived from a 256-bit private key via secp256k1 scalar multiplication. Signing a transaction means producing an ECDSA signature that proves ownership of the private key without exposing it — at least to classical computers.
Some Pharos tooling and off-chain components may additionally use EdDSA (Edwards-curve Digital Signature Algorithm), specifically Ed25519, for peer-to-peer networking or validator communications. EdDSA is faster and less prone to implementation errors than ECDSA, but it shares the same fundamental weakness under a quantum threat model.
Why secp256k1 and Ed25519 Are in the Same Threat Category
Both secp256k1 (used in ECDSA) and Curve25519 (used in EdDSA/Ed25519) derive their security from the Elliptic Curve Discrete Logarithm Problem (ECDLP). The best classical algorithm for breaking ECDLP on a 256-bit curve requires roughly 2¹²⁸ operations — computationally infeasible for any classical machine.
Shor's algorithm, running on a sufficiently powerful quantum computer, reduces this to a polynomial-time problem. For a 256-bit elliptic-curve key, credible academic estimates suggest a fault-tolerant quantum machine with approximately 2,000 to 4,000 logical qubits could break a single key in hours to days. Current leading quantum processors are in the hundreds to low thousands of physical (not logical) qubits, with error rates still far above the fault-tolerance threshold — but the trajectory is consistent and the timeline is no longer measured in decades.
---
Understanding Q-Day and What It Means for PROS Holders
"Q-day" refers to the point at which a quantum computer becomes capable of breaking live cryptographic keys in economically relevant timeframes. For ECDSA wallets, the attack surface splits into two categories:
Harvest-Now, Decrypt-Later (HNDL)
An adversary does not need to wait until Q-day to begin preparing. Blockchain transactions are public and permanent. Any PROS wallet that has ever broadcast a transaction has already exposed its public key on-chain: EVM signatures are built for public-key recovery, so the key can be recomputed from any signed transaction and its hash. An adversary can harvest those public keys today and store them, then use a future quantum computer to derive the corresponding private keys and drain the wallets.
This is not a theoretical edge case. Researchers estimate that a significant fraction of all Bitcoin UTXOs — and by extension, EVM assets in reused addresses — are already in this "harvested" state. PROS holders who have signed and broadcast transactions are in the same position.
Real-Time Signing Attacks
Once a quantum computer reaches sufficient capability, an attacker could intercept a broadcast transaction (from whose signature the public key can be recovered) and, within the transaction's confirmation window, derive the private key and broadcast a competing transaction with a higher gas fee. This is sometimes called a "signing window attack" and is more demanding than HNDL, but it becomes feasible once quantum hardware matures further.
---
Does Pharos Have a Post-Quantum Migration Roadmap?
As of the time of writing, Pharos has not published a formal post-quantum cryptography (PQC) migration roadmap. This places it in the same position as Ethereum mainnet and the large majority of EVM-compatible chains.
The broader Ethereum ecosystem has begun exploratory work:
- EIP-7212 proposed a precompile for signature verification on the secp256r1 curve (P-256), which is a step toward hardware-backed keys (secure enclaves and passkeys) but does not address quantum resistance.
- Vitalik Buterin has publicly discussed account abstraction as a potential pathway to PQC, whereby smart-contract wallets could enforce quantum-resistant signature verification without a hard fork of the base layer.
- The Ethereum Foundation's long-term roadmap mentions a migration to STARKs (Scalable Transparent Arguments of Knowledge) for certain consensus components, and STARKs rely on hash functions rather than elliptic curves, giving them a stronger post-quantum profile — but this does not protect individual account signing.
For an EVM-compatible chain like Pharos, the realistic migration options are:
| Migration Approach | Mechanism | Timeline Feasibility | Quantum Resistance |
|---|---|---|---|
| Account abstraction + PQC signer | Smart-contract wallet enforces lattice/hash-based sig | Near-term (EIP-4337 compatible) | Strong |
| Hard fork to new signature scheme | Replace secp256k1 at protocol level | Medium-term, disruptive | Strong if NIST PQC-aligned |
| STARK-based transaction proofs | ZK-proof replaces ECDSA for tx validity | Long-term research | Strong (hash-based) |
| Hybrid ECDSA + Kyber/Dilithium | Classical + PQC dual signatures | Near-term, additive | Strong (transitional) |
| No action | Status quo | N/A | None |
Until Pharos or a third-party wallet provider integrates one of these approaches, PROS holders bear the full ECDSA exposure described above.
---
How Lattice-Based Post-Quantum Wallets Work Differently
The NIST Post-Quantum Cryptography standardisation process, finalised in 2024 with the publication of FIPS 203, 204 and 205, selected three primary algorithms:
- CRYSTALS-Kyber (now ML-KEM) for key encapsulation
- CRYSTALS-Dilithium (now ML-DSA) for digital signatures
- SPHINCS+ (now SLH-DSA) as a hash-based signature backup
All three are designed to be secure against both classical and quantum adversaries. CRYSTALS-Dilithium, the most relevant for transaction signing, is based on the Module Learning With Errors (MLWE) problem. Shor's algorithm gives no polynomial-time attack on MLWE, because it is a lattice problem rather than a discrete-logarithm or factorisation problem. Grover's algorithm, which provides a quadratic speedup on unstructured search, can in principle halve the effective bit-security of symmetric keys and of hash-function preimage resistance, but doubling the parameter size (e.g., moving from AES-128 to AES-256, or from SHA-256 to SHA-512) restores that margin. The best known quantum attacks on lattice problems are sieving algorithms with only a modest speedup, and the ML-DSA parameter sets are chosen with that speedup already budgeted in, so the scheme keeps its target security level against both Shor-style and Grover-style attacks.
Practical Differences for a Wallet User
A lattice-based wallet such as one implementing ML-DSA (Dilithium) differs from an ECDSA wallet in several measurable ways:
- Signature size: Dilithium Level 3 (ML-DSA-65) signatures are approximately 3,293 bytes versus 64 bytes for a compact ECDSA signature (65 bytes with the recovery byte EVM transactions carry). This has fee and block-space implications on-chain, since calldata is priced per byte.
- Key generation: Dilithium key generation is computationally cheap and well-suited to embedded hardware, similar to Ed25519.
- Address derivation: A PQC wallet must derive addresses differently — the hash of a larger public key — requiring wallet infrastructure that understands the new format.
- Backward compatibility: A pure PQC wallet cannot natively sign Ethereum-style transactions without a compatibility layer, which is where account abstraction becomes critical.
The Role of Account Abstraction as a Bridge
ERC-4337 account abstraction allows any signature verification logic to be embedded in a smart-contract wallet, including Dilithium or SPHINCS+ verification. This means a user could, in principle, deploy a Pharos smart-contract wallet today that enforces PQC signature checks, even before any protocol-level changes. The catch is that the underlying node infrastructure and wallet UX tooling must also support the larger key and signature payloads. Projects building explicitly for post-quantum security, such as BMIC.ai, take this further by designing the entire stack — wallet generation, key storage, and signing flow — around lattice-based cryptography from the ground up rather than retrofitting ECDSA infrastructure.
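To make the "any verification logic in the wallet" idea concrete, and to show the payload-size point from the list above, here is an added example that is not ERC-4337 reference code and not from Pharos or BMIC.ai. It models a contract wallet whose `validate_user_op` accepts a post-quantum signature, using a Lamport one-time signature over SHA-256 as a deliberately simple hash-based stand-in for SPHINCS+ or ML-DSA. The `UserOp` fields, the `next_commitment` key-rotation field, the encoding `public key || signature`, and the 0/1 validation codes are simplifications modelled on ERC-4337's shape and are assumptions of this example.

```python
# Added example, not ERC-4337 reference code and not from Pharos or BMIC.ai: a model
# of an account-abstraction wallet whose signature check is whatever the wallet
# encodes. The post-quantum signer is a Lamport one-time signature over SHA-256,
# a deliberately simple hash-based scheme standing in for SPHINCS+ or ML-DSA.
# UserOp fields, validate_user_op and the 0/1 validation codes follow ERC-4337's
# shape but are simplified; treat them as assumptions of this example.
import hashlib
import os
from dataclasses import dataclass

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def lamport_keygen(rng=os.urandom):
    """256 pairs of 32-byte secrets; the public key is the hash of each secret."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal one secret per digest bit: 256 * 32 = 8192-byte signature."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(H(msg))))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(_bits(H(msg))))

def pk_encode(pk) -> bytes:
    return b"".join(a + b for a, b in pk)          # 16 KiB public key

def pk_decode(blob: bytes):
    return [(blob[64 * i:64 * i + 32], blob[64 * i + 32:64 * i + 64]) for i in range(256)]

def pk_commitment(pk) -> bytes:
    """What the wallet stores on-chain: one hash instead of the 16 KiB public key."""
    return H(pk_encode(pk))

SIG_VALIDATION_OK, SIG_VALIDATION_FAILED = 0, 1

@dataclass
class UserOp:
    sender: str
    nonce: int
    call_data: bytes
    next_commitment: bytes          # commitment to the key that will sign the next op
    signature: bytes = b""          # encoding assumed here: public key || lamport sig

class PQWallet:
    """Contract-wallet model: the verification rule lives in the wallet, not the chain."""

    def __init__(self, commitment: bytes):
        self.commitment = commitment
        self.nonce = 0

    def user_op_hash(self, op: UserOp) -> bytes:
        return H(op.sender.encode() + op.nonce.to_bytes(8, "big")
                 + op.call_data + op.next_commitment)

    def validate_user_op(self, op: UserOp) -> int:
        pk_blob, sig = op.signature[:256 * 64], op.signature[256 * 64:]
        if len(pk_blob) != 256 * 64 or op.nonce != self.nonce:
            return SIG_VALIDATION_FAILED
        pk = pk_decode(pk_blob)
        if pk_commitment(pk) != self.commitment:
            return SIG_VALIDATION_FAILED            # not the key this wallet expects
        if not lamport_verify(pk, self.user_op_hash(op), sig):
            return SIG_VALIDATION_FAILED
        self.nonce += 1
        self.commitment = op.next_commitment        # one-time key consumed: rotate
        return SIG_VALIDATION_OK

def sign_user_op(wallet: PQWallet, sk, pk, call_data: bytes, next_commitment: bytes) -> UserOp:
    op = UserOp("0xwallet-address-placeholder", wallet.nonce, call_data, next_commitment)
    op.signature = pk_encode(pk) + lamport_sign(sk, wallet.user_op_hash(op))
    return op
```

Two things the model makes visible. First, the base layer never sees the scheme: the chain only runs `validate_user_op` and accepts a 0, which is exactly why account abstraction can front-run a protocol-level migration. Second, the cost of a hash-based scheme is payload: each operation here carries a 16 KiB key and an 8 KiB signature, far larger even than Dilithium's 3 KB, and the key must be rotated after a single use, which is why production schemes such as SPHINCS+ layer Merkle trees on top of one-time signatures.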
---
Key Risk Factors for PROS Holders to Monitor
Understanding the threat is the first step; knowing what to watch for is the second. The following signals would indicate that the Q-day timeline is accelerating or that Pharos's exposure is increasing:
- Advances in logical qubit counts: IBM, Google, and Microsoft roadmaps target 1,000+ logical qubits within the next several years. Crossing 2,000 error-corrected logical qubits is considered a critical threshold for ECC attacks.
- NIST PQC adoption by major wallet providers: If MetaMask, Ledger, or Trezor begin rolling out PQC signing options, it signals that the hardware and UX barriers are lowering — and that chains without native PQC support will face user pressure.
- Pharos governance proposals on PQC: Watch the Pharos governance forum and GitHub for any EIPs or PRPs (Pharos Request for Proposal) that address signature scheme migration.
- Insurance and institutional custody requirements: Regulated custodians are beginning to evaluate PQC readiness as part of due diligence. Chains that cannot demonstrate a credible migration path may face institutional capital avoidance.
- Public key reuse patterns on Pharos: On-chain analytics tools can flag wallets that have broadcast their public keys. A rising proportion of exposed wallets increases systemic risk.
---
Summary: Is Pharos Quantum Safe?
The direct answer is no, not currently. Pharos inherits the standard EVM cryptographic stack, meaning all wallet security depends on ECDSA over secp256k1. This scheme is well-understood, battle-tested against classical adversaries, and entirely adequate for the current threat environment. It is not, however, resistant to a sufficiently powerful quantum computer running Shor's algorithm.
The good news is that Pharos, as an EVM-compatible chain, can leverage the account abstraction and ZK tooling that Ethereum's ecosystem is developing. A credible migration path exists technically. What is missing is a published timeline, a funded research effort, and user-facing tooling that makes quantum-resistant wallet adoption accessible to ordinary PROS holders.
For holders with long time horizons and significant positions, the prudent approach is to follow PQC developments at the protocol level, minimise unnecessary public key exposure by avoiding address reuse, and evaluate whether any portion of holdings should be held in infrastructure designed with post-quantum cryptography as a core requirement rather than a future upgrade.
Frequently Asked Questions
Is Pharos (PROS) safe from quantum computer attacks?
Not currently. Pharos uses ECDSA over the secp256k1 elliptic curve, which is the standard EVM signature scheme. A sufficiently powerful fault-tolerant quantum computer running Shor's algorithm could derive private keys from exposed public keys. Pharos has not yet published a post-quantum migration roadmap.
What is Q-day and when could it affect PROS wallets?
Q-day is the point at which a quantum computer can break elliptic-curve cryptography in a practical timeframe. Most academic estimates place this risk becoming concrete when fault-tolerant machines reach roughly 2,000 to 4,000 logical qubits. Current hardware is not there yet, but the timeline is shrinking. PROS wallets that have already broadcast transactions have exposed their public keys and are already harvestable for future attack.
What is the difference between ECDSA and a lattice-based signature scheme?
ECDSA derives its security from the Elliptic Curve Discrete Logarithm Problem, which Shor's algorithm can solve in polynomial time on a quantum computer. Lattice-based schemes like CRYSTALS-Dilithium (ML-DSA) derive security from the Module Learning With Errors problem, which has no known efficient quantum algorithm. NIST standardised Dilithium in 2024 as a primary post-quantum digital signature algorithm.
Can Pharos migrate to post-quantum cryptography without a hard fork?
Partially. Using ERC-4337 account abstraction, developers can deploy smart-contract wallets on Pharos that enforce post-quantum signature verification (such as Dilithium or SPHINCS+) at the application layer. This does not secure the base-layer consensus or legacy ECDSA wallets, but it provides a practical near-term option for users who want PQC protection today.
Does EdDSA (Ed25519) provide any quantum resistance compared to ECDSA?
No meaningful quantum resistance. EdDSA/Ed25519 is based on Curve25519, which also relies on the Elliptic Curve Discrete Logarithm Problem. While EdDSA has implementation-security advantages over ECDSA against classical attacks, both are equally vulnerable to Shor's algorithm on a quantum computer.
What should PROS holders do to reduce quantum risk right now?
Three practical steps: first, avoid address reuse, since wallets that have never signed a transaction have not yet exposed their public keys on-chain. Second, monitor Pharos governance for PQC migration proposals. Third, consider whether long-term holdings should be partially secured in wallets built on post-quantum cryptographic foundations rather than legacy ECDSA infrastructure.