Is Prom Quantum Safe?

Is Prom quantum safe? It is a question that matters more with every benchmark milestone quantum hardware achieves. Prom (PROM) inherits the same cryptographic stack used by most EVM-compatible chains, which means its security rests on the same assumptions that quantum computers are systematically eroding. This article breaks down the exact algorithms protecting PROM wallets today, models the risk at Q-day, examines whether any migration roadmap exists for the underlying infrastructure, and compares standard wallet cryptography to lattice-based post-quantum alternatives now entering the market.

What Cryptography Does Prom Use?

Prom is an EVM-compatible Layer 2 network built on Polygon CDK technology. Like every chain in the EVM ecosystem, Prom relies on Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve for wallet key-pairs and transaction signing. A second algorithm, Keccak-256, is used for address derivation and data hashing.

ECDSA on secp256k1: How It Works

ECDSA generates a private key, derives a corresponding public key via elliptic-curve point multiplication, and produces signatures that prove ownership without exposing the private key. The security guarantee rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a public key point *Q* and generator *G*, computing the scalar *k* such that *Q = kG* is computationally infeasible for classical computers.

The curve secp256k1 uses a 256-bit key, which provides roughly 128 bits of classical security. That has been sufficient against every classical attack known. The problem is that 128 bits of classical security translates to approximately 64 qubits of effective quantum security under Shor's algorithm, and that number collapses to near zero once a sufficiently large, fault-tolerant quantum computer is available.

Keccak-256 and Quantum Resistance

Keccak-256 (SHA-3 family) is used to hash public keys into Ethereum-style addresses. Hash functions are not broken by Shor's algorithm. Grover's algorithm provides a quadratic speedup against hashes, reducing 256-bit security to roughly 128 bits of quantum security, which is considered acceptable by most cryptographers. The hash layer of Prom's design is therefore relatively quantum-resistant. The signature layer is not.

---

Understanding Q-Day and Why It Matters for PROM Holders

Q-day refers to the moment a fault-tolerant quantum computer reaches sufficient qubit count and error-correction quality to run Shor's algorithm against live blockchain key-pairs at practical speed.

The Attack Vector Against PROM Wallets

The specific threat is a harvest-now, decrypt-later strategy combined with a live key-extraction attack:

  1. Public key exposure. Every time a PROM wallet signs a transaction, the public key is broadcast to the network. On EVM chains, the public key is also derivable from any signed transaction stored in history. An attacker with a quantum computer could reconstruct the private key from the public key using Shor's algorithm.
  2. Address-only wallets. Wallets that have never signed a transaction expose only the hashed address, not the raw public key. These are marginally safer because the attacker must also reverse Keccak-256, which Grover's cannot do efficiently. Once the wallet signs even one transaction, however, the public key is on-chain permanently.
  3. Time window at Q-day. If a quantum computer can derive a private key within the time it takes to confirm a block (roughly 2–15 seconds on most EVM chains), an attacker could intercept a pending transaction, derive the private key from the broadcast public key, and drain the wallet before the original transaction confirms. This is the most acute near-term risk.

Timeline Estimates

Analyst views on Q-day range widely. IBM's quantum roadmap targets millions of physical qubits by the early 2030s; Google's error-correction breakthroughs in 2024 and 2025 accelerated consensus timelines. A frequently cited academic estimate (Webber et al., 2022) suggested that breaking a 256-bit elliptic curve key in one hour would require approximately 317 million physical qubits with current error rates. As error rates drop, that threshold falls. The consensus is that Q-day is not imminent, but the decade-long window to migrate is shorter than it appears because blockchain migration requires ecosystem-wide coordination, which moves slowly.

---

Does Prom Have a Quantum Migration Roadmap?

As of mid-2025, Prom has not published a dedicated post-quantum cryptography migration roadmap. This is not unique to Prom. The vast majority of EVM Layer 2 networks have no published PQC transition plan because the base assumption is that Ethereum itself would migrate first and L2s would inherit the fix.

Ethereum's PQC Position

Ethereum's long-term roadmap does acknowledge quantum risk. Vitalik Buterin has written that Ethereum accounts could in principle migrate to Winternitz one-time signatures or STARK-based authentication. The practical path most discussed involves:

Because Prom is EVM-compatible, it would benefit from any Ethereum-level migration. But Ethereum's migration has no confirmed timeline, and L2s like Prom add an additional coordination layer on top.

What PROM Holders Can Do Now

Waiting for protocol-level migration is passive risk management. Active steps holders can take include:

---

Lattice-Based Post-Quantum Cryptography: How It Differs

The NIST-standardised PQC algorithms rely primarily on lattice-based hardness assumptions, specifically the Learning With Errors (LWE) and Module Learning With Errors (MLWE) problems. These are believed to be hard for both classical and quantum computers.

ECDSA vs. Lattice-Based Signatures: A Comparison

| Property | ECDSA (secp256k1) | ML-DSA (CRYSTALS-Dilithium) |
| --- | --- | --- |
| Underlying hard problem | ECDLP | MLWE (Module Learning With Errors) |
| Quantum vulnerability | High (Shor's algorithm breaks it) | None known; NIST-standardised |
| Signature size | ~71 bytes | ~2,420–4,595 bytes (mode-dependent) |
| Public key size | 33 bytes (compressed) | ~1,312–1,952 bytes |
| Key generation speed | Very fast | Fast (slightly slower than ECDSA) |
| NIST standardised | No (not a NIST standard) | Yes (FIPS 204, August 2024) |
| Current blockchain adoption | Universal (EVM, Bitcoin, Solana variants) | Emerging (specialised chains, PQC wallets) |

The trade-off is clear: lattice-based schemes offer quantum resistance at the cost of larger key and signature sizes. For blockchain applications, larger signatures mean higher transaction data costs unless the protocol is specifically designed to accommodate them. This is why PQC migration is not as simple as swapping one library for another; it touches fee markets, block size assumptions, and mempool design.

Hash-Based Alternatives

Hash-based signature schemes such as XMSS and SPHINCS+ (now standardised as FIPS 205) avoid the lattice construction entirely and rely only on the collision-resistance of hash functions. They are considered the most conservative PQC choice. The trade-off is very large signatures (8–50 KB depending on parameters) and, in XMSS's case, stateful key management that is operationally complex for self-custody users.
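Added example, not code from the article: a minimal Lamport one-time signature over SHA-256, the hash-only construction that XMSS and SPHINCS+ build on. It shows concretely why such keys are stateful: every signature reveals half of the secret preimages, so a second signature with the same key leaks further secrets, and a wallet must track key usage. The seed, messages and the `OneTimeKey` wrapper are constructed for this illustration.

```python
import hashlib

def _h(data):
    return hashlib.sha256(data).digest()

def _bits(msg):
    """The 256 message-digest bits that select which preimage to reveal."""
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen(seed):
    """256 pairs of 32-byte secrets derived from seed; the public key is their hashes."""
    sk = [(_h(seed + b"\x00" + i.to_bytes(2, "big")),
           _h(seed + b"\x01" + i.to_bytes(2, "big"))) for i in range(256)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, msg):
    """Reveal one secret preimage per digest bit; this is what makes the key one-time."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    """Hash each revealed preimage and compare it with the published half of the pair."""
    return all(_h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def revealed(msgs):
    """(index, bit) secrets an observer has learned once these messages are signed with ONE key."""
    seen = set()
    for msg in msgs:
        seen.update(enumerate(_bits(msg)))
    return seen

class OneTimeKey:
    """Stateful wrapper: refuses a second signature, the discipline XMSS-style wallets must keep."""
    def __init__(self, seed):
        self.sk, self.pk = keygen(seed)
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("one-time key already used; signing again leaks more preimages")
        self.used = True
        return sign(self.sk, msg)
```

A single signature here is 256 × 32 bytes = 8 KB, which is the lower end of the 8–50 KB range quoted above; XMSS and SPHINCS+ trade extra structure for key reuse without the manual bookkeeping `OneTimeKey` does.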

---

How Post-Quantum Wallets Approach This Problem

Purpose-built post-quantum crypto wallets take a fundamentally different architectural approach from standard EVM wallets. Rather than generating ECDSA key-pairs, they generate key-pairs under lattice-based or hash-based schemes from the outset, meaning the private key never has a corresponding ECDSA public key that can be targeted by Shor's algorithm.

One project in this space is BMIC.ai, which has built a quantum-resistant wallet using lattice-based, NIST PQC-aligned cryptography specifically to protect holdings against Q-day. The design targets the core vulnerability described above: that standard wallets, including those holding PROM or any other EVM token, expose a mathematically breakable public key every time they sign a transaction. A lattice-based wallet eliminates that exposure at the key-generation layer rather than relying on ecosystem migration that may be years away. BMIC's presale is currently live at https://bmic.ai/presale for those researching PQC-native custody options.

---

Risk Summary: Where Does PROM Stand?

Breaking down the quantum risk by component gives a clearer picture:

| Component | Algorithm | Quantum Risk | Notes |
| --- | --- | --- | --- |
| Wallet private key security | ECDSA / secp256k1 | **High** | Broken by Shor's algorithm |
| Transaction signing | ECDSA | **High** | Public key broadcast on every tx |
| Address derivation | Keccak-256 | Low | Grover's gives quadratic speedup only |
| State proofs / ZK layer | Polygon CDK (STARK/SNARK based) | Low–Medium | ZK proof systems have some PQC properties |
| Smart contract logic | EVM opcodes | Neutral | Not directly cryptographically exposed |

The ZK-proof layer used in Polygon CDK infrastructure deserves a note. STARK proofs rely on hash functions and field arithmetic rather than elliptic curve pairings (which are used in SNARKs). STARKs are considered more quantum-resistant than pairing-based SNARKs, which is a mild structural advantage for Prom's architecture. But this does not protect individual wallet key-pairs; it only applies to the validity proof system for the rollup itself.

---

Practical Takeaways for PROM Holders

  1. Your wallet's ECDSA key-pair is the primary risk vector, not the chain itself. The chain can upgrade; your existing key-pair cannot retroactively become quantum-safe.
  2. Address reuse amplifies risk. Every signed transaction permanently records your public key on-chain. Fresh addresses for each interaction reduce but do not eliminate exposure.
  3. Protocol-level migration is years away at minimum. Ethereum has no confirmed PQC hard fork date. Prom inherits Ethereum's timeline.
  4. NIST standards are now final. FIPS 203, 204, and 205 (published August 2024) give wallet developers clear targets. Adoption will accelerate over the next 12–24 months.
  5. The harvest-now, decrypt-later threat is active today. Adversaries can store signed transactions and encrypted data now, then decrypt them when quantum hardware matures. High-value long-term holdings carry the greatest exposure.
  6. Evaluate PQC-native custody for significant positions. Waiting for every wallet to upgrade is a reasonable posture for small holdings; it is a higher-stakes decision for material positions.

Frequently Asked Questions

Is Prom (PROM) quantum safe right now?

No. Prom relies on ECDSA over secp256k1, the same signature scheme used by Ethereum and most EVM chains. ECDSA is broken by Shor's algorithm on a sufficiently powerful quantum computer. The chain's ZK-proof layer (STARK-based) has better quantum properties, but individual wallet key-pairs remain vulnerable.

When could quantum computers actually threaten PROM wallets?

Most credible estimates place a practical Q-day threat in the 2030s, though this depends heavily on progress in quantum error correction. The risk is not immediate, but blockchain migration requires years of coordination, so the safe window to act is shorter than the raw timeline suggests.

What is Shor's algorithm and why does it matter for crypto?

Shor's algorithm is a quantum algorithm that solves the discrete logarithm and integer factorisation problems in polynomial time. These problems underpin ECDSA, RSA, and similar schemes. A fault-tolerant quantum computer running Shor's algorithm could derive a private key from a public key, compromising any wallet that has ever signed a transaction.

Does Prom have a post-quantum cryptography migration plan?

As of mid-2025, Prom has not published a dedicated PQC migration roadmap. Like most EVM Layer 2s, it depends on Ethereum's base-layer direction. Ethereum's account abstraction framework (ERC-4337) is the most likely migration path, as it allows custom signature schemes without an immediate hard fork.

What can PROM holders do to reduce quantum risk today?

Key steps include minimising address reuse (each signed transaction exposes your public key permanently), using hardware wallets with updatable firmware, monitoring NIST PQC standard adoption (FIPS 203/204/205 were finalised in 2024), and evaluating post-quantum-native custody solutions for significant holdings.

How do lattice-based wallets differ from standard ECDSA wallets?

Lattice-based wallets generate key-pairs using algorithms like CRYSTALS-Dilithium (ML-DSA), whose security rests on the Module Learning With Errors problem rather than the elliptic curve discrete logarithm. This problem is not known to be solvable by quantum computers, meaning the wallet's public key cannot be reversed by Shor's algorithm. The trade-off is larger key and signature sizes compared to ECDSA.