Is Siacoin Quantum Safe?
Is Siacoin quantum safe? That question matters for any long-term holder of SC tokens or anyone relying on Sia's decentralised storage network. Siacoin uses elliptic-curve cryptography to secure wallets and sign transactions, and that approach faces a well-documented structural threat from sufficiently powerful quantum computers. This article breaks down exactly which cryptographic primitives Siacoin depends on, what a quantum adversary could do to them, what the Sia development team has said about migration, and how lattice-based post-quantum wallet designs compare to the current model.
What Cryptography Does Siacoin Use?
Siacoin's underlying protocol, maintained by the Sia Foundation, is built on a stack of well-established but classically oriented cryptographic primitives.
Ed25519 Signatures
Siacoin does not use the secp256k1 ECDSA curve common to Bitcoin and early Ethereum. Instead, it relies on Ed25519, a variant of the Edwards-curve Digital Signature Algorithm (EdDSA) operating over Curve25519. Ed25519 was chosen deliberately for speed and implementation safety over ECDSA, and for most threat models it is an excellent choice.
Key properties of Ed25519 relevant here:
- Security level: approximately 128 bits of classical security.
- Key size: 32-byte private key, 32-byte public key.
- Signing: deterministic (no random nonce required), which eliminates the nonce-reuse vulnerabilities that have drained ECDSA wallets in the past.
- Verification speed: roughly 2x faster than comparable ECDSA operations.
For classical adversaries, Ed25519 is robust. The problem arises when the adversary is quantum.
Blake2b Hashing
Siacoin uses Blake2b for transaction and block hashing. Hash functions are significantly more resistant to quantum attacks than signature schemes. Grover's algorithm theoretically halves the effective bit-security of any hash function, reducing Blake2b's 256-bit output to roughly 128-bit quantum security. That is considered acceptable under current projections, though some post-quantum standards call for 256-bit quantum security to be safe.
Storage Contract Cryptography
Sia's file contracts use Merkle proofs for storage verification, also backed by Blake2b. The Merkle tree construction does not introduce additional public-key operations, so the quantum exposure here mirrors the hash-function analysis above, not the signature analysis.
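To make the "hash-only" point concrete, here is an added Go example (not Sia's own merkletree code) of a Merkle proof over file segments, the kind of proof a host presents to show it still holds a segment. It substitutes SHA-256 for Blake2b so it runs with only the standard library, and uses 0x00/0x01 leaf/node prefixes as domain separation; `Climb`, `Verify` and `ProofStep` are illustrative names, and the five-segment file is constructed for the demo. Note what `Verify` does not contain: no public key and no signature, so its quantum exposure is bounded by the hash function's preimage and collision resistance (Grover-class speedups), not by Shor's algorithm.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Sia hashes leaves and interior nodes with Blake2b; crypto/sha256 stands in
// here (assumption) so the example needs only the standard library. The 0x00 /
// 0x01 prefixes are domain separation: a leaf can never be replayed as a node.
func leafHash(segment []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(segment)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Sibling       []byte
	SiblingIsLeft bool
}

// Climb folds the leaf level up to the root, collecting the sibling hashes for
// segment `index` along the way. An unpaired last node is promoted as-is and
// contributes no proof step. Climb(segments, 0) is also how the root is built.
func Climb(segments [][]byte, index int) (root []byte, proof []ProofStep) {
	level := make([][]byte, len(segments))
	for i, s := range segments {
		level[i] = leafHash(s)
	}
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) { // odd count: promote the unpaired node
				next = append(next, level[i])
				continue
			}
			if i == index {
				proof = append(proof, ProofStep{level[i+1], false})
			} else if i+1 == index {
				proof = append(proof, ProofStep{level[i], true})
			}
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		index /= 2
		level = next
	}
	return level[0], proof
}

// Verify recomputes the root from a segment and its proof. Only hash calls
// are involved: no key material is touched anywhere on the verification path.
func Verify(root, segment []byte, proof []ProofStep) bool {
	h := leafHash(segment)
	for _, step := range proof {
		if step.SiblingIsLeft {
			h = nodeHash(step.Sibling, h)
		} else {
			h = nodeHash(h, step.Sibling)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed file split into five segments (odd count exercises promotion).
	segments := [][]byte{[]byte("seg0"), []byte("seg1"), []byte("seg2"), []byte("seg3"), []byte("seg4")}
	root, proof := Climb(segments, 4)
	fmt.Println("genuine segment verifies:", Verify(root, segments[4], proof))
	fmt.Println("tampered segment verifies:", Verify(root, []byte("evil"), proof))
}
```

The renter keeps only the 32-byte root; the host later sends one segment plus its proof, and the renter recomputes the root. A tampered segment fails because a second preimage of the leaf hash would be needed, which is the hash-strength question discussed under Blake2b above rather than the ECDLP question that governs Ed25519.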
---
The Quantum Threat to Ed25519: How Real Is It?
Shor's algorithm, published in 1994, can solve the discrete logarithm problem on elliptic curves in polynomial time on a sufficiently large quantum computer. Ed25519 security rests entirely on the hardness of the elliptic curve discrete logarithm problem (ECDLP). A quantum computer running Shor's algorithm would reduce the work to break a 256-bit elliptic curve key from approximately 2^128 classical operations to roughly 2^20 to 2^30 quantum gate operations, depending on the implementation.
Q-day is the colloquial term for the point when a cryptographically relevant quantum computer (CRQC) can execute this attack at scale. Estimates from NIST, CISA, and academic groups cluster between 2030 and 2040, though the timeline remains genuinely uncertain. IBM's quantum roadmap targets fault-tolerant systems in the early 2030s. The UK National Cyber Security Centre formally recommends that organisations with long-lived assets begin migration planning now.
Harvest Now, Decrypt Later
One attack vector is operational before Q-day. Adversaries can record encrypted blockchain traffic and signed transactions today, then decrypt or exploit them once quantum hardware matures. For most blockchain transactions this is less damaging than for communications, because the transaction itself is public. However, any unspent output (UTXO) or balance associated with a re-used public key is already exposed in the sense that the public key is on-chain and available to a future quantum attacker.
Ed25519 public keys are exposed the moment a user broadcasts their first transaction from a wallet address. This is the same structural problem that affects Bitcoin's P2PK outputs and any Ethereum address that has ever sent a transaction.
The Address Reuse Problem
Sia wallet addresses are derived from the Ed25519 public key via hashing. As long as an address has never signed a transaction, the public key is not revealed and a quantum adversary cannot use Shor's algorithm to recover the private key. Once a single outbound transaction is signed, the public key is on-chain. Any remaining balance at that address is then exposed to a quantum attacker post-Q-day.
Fresh address generation per transaction mitigates but does not eliminate the risk. If a user consolidates funds to a single address, that address is the single point of failure.
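The exposure rule described above can be checked mechanically. The following Go program is an added example, not Sia's code: it derives per-index Ed25519 keys from a seed (a simplified stand-in for the HD-style fresh-address derivation mentioned later in this article), replays a constructed two-transaction ledger with real Ed25519 signatures from the standard library, and reports how much balance sits at addresses whose public key has already appeared in a spend. It assumes SHA-256 as the address hash (Sia uses Blake2b) and signs a simplified digest of the outputs; `Audit`, `Scenario`, `DeriveKey` and the seed strings are all illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Address is a hash of the Ed25519 public key. Sia builds unlock hashes with
// Blake2b; SHA-256 is a standard-library stand-in (assumption). Either way the
// address hides the key until a spend has to reveal it.
type Address string

func AddressOf(pk ed25519.PublicKey) Address {
	sum := sha256.Sum256(pk)
	return Address(hex.EncodeToString(sum[:]))
}

// DeriveKey is a simplified HD-style derivation (illustrative, not Sia's own
// scheme): one seed plus an index yields a fresh key pair per address.
func DeriveKey(seed string, index uint32) ed25519.PrivateKey {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s/%d", seed, index)))
	return ed25519.NewKeyFromSeed(h[:]) // 32-byte seed -> Ed25519 key pair
}

func pubOf(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Input carries the public key so nodes can verify the signature; from that
// block onward the key is permanent public record.
type Input struct {
	PubKey ed25519.PublicKey
	Amount uint64
	Sig    []byte
}

type Output struct {
	Addr   Address
	Amount uint64
}

type Tx struct {
	Inputs  []Input // empty for the constructed coinbase that mints funds
	Outputs []Output
}

// SigningBytes is what every input signs: a digest of the outputs
// (simplified; real chains sign a full transaction digest).
func (tx Tx) SigningBytes() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprint(tx.Outputs)))
	return sum[:]
}

// Audit replays the ledger, verifying every spend, and splits the remaining
// funds into balances whose key is already on-chain (exposed) and balances
// whose key is still hidden: the check a holder would run before Q-day.
func Audit(ledger []Tx) (exposed, hidden uint64, err error) {
	balance := map[Address]uint64{}
	revealed := map[Address]bool{}
	for i, tx := range ledger {
		msg := tx.SigningBytes()
		for _, in := range tx.Inputs {
			if !ed25519.Verify(in.PubKey, msg, in.Sig) {
				return 0, 0, fmt.Errorf("tx %d: invalid signature", i)
			}
			addr := AddressOf(in.PubKey)
			if balance[addr] < in.Amount {
				return 0, 0, fmt.Errorf("tx %d: overspend", i)
			}
			balance[addr] -= in.Amount
			revealed[addr] = true // the key is now on-chain for good
		}
		for _, o := range tx.Outputs {
			balance[o.Addr] += o.Amount
		}
	}
	for addr, amt := range balance {
		if revealed[addr] {
			exposed += amt
		} else {
			hidden += amt
		}
	}
	return exposed, hidden, nil
}

// Scenario: Alice holds 100 at index 0 and 50 at index 1 and pays Bob 30 from
// index 0. With reuseChange the 70 change returns to the now-exposed address;
// otherwise it goes to fresh index 2 and the exposed address is left empty.
func Scenario(reuseChange bool) (exposed, hidden uint64, err error) {
	const seed = "constructed demo seed, not a real wallet"
	k0, k1, k2 := DeriveKey(seed, 0), DeriveKey(seed, 1), DeriveKey(seed, 2)
	bob := DeriveKey("constructed seed for bob", 0)
	coinbase := Tx{Outputs: []Output{{AddressOf(pubOf(k0)), 100}, {AddressOf(pubOf(k1)), 50}}}
	change := AddressOf(pubOf(k2))
	if reuseChange {
		change = AddressOf(pubOf(k0))
	}
	spend := Tx{Outputs: []Output{{AddressOf(pubOf(bob)), 30}, {change, 70}}}
	spend.Inputs = []Input{{pubOf(k0), 100, ed25519.Sign(k0, spend.SigningBytes())}}
	return Audit([]Tx{coinbase, spend})
}
```

`Scenario(true)` leaves 70 exposed and 80 hidden: the change went back to the address that just revealed its key. `Scenario(false)` leaves 0 exposed and 150 hidden, because the change landed at a never-signed address and the exposed address was drained. Either way the 30 paid to Bob and the 50 at index 1 stay hidden, since neither of those addresses has signed anything.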
---
Has the Sia Foundation Addressed Quantum Resistance?
The Sia Foundation has been focused primarily on the Sia v2 (Renterd) infrastructure upgrade, which introduced significant protocol changes to the storage and contract layers. As of mid-2025, there is no formal published roadmap item from the Sia Foundation specifically targeting post-quantum signature migration.
This is not unique to Sia. The vast majority of layer-1 blockchains, including Bitcoin and Ethereum, have not completed a migration to post-quantum signature schemes. Ethereum's Vitalik Buterin published a recovery mechanism proposal in 2024 involving hash-based signatures for emergency post-quantum recovery, but that is not yet implemented.
Potential Migration Paths for Siacoin
Should the Sia Foundation or community decide to address quantum resistance, the realistic options are:
| Approach | Algorithm Family | NIST Status | Trade-offs |
|---|---|---|---|
| Hash-based signatures | XMSS, SPHINCS+ | NIST selected (SPHINCS+) | Large signature sizes (~8–50 KB); stateful variants complex to manage |
| Lattice-based signatures | CRYSTALS-Dilithium (ML-DSA) | NIST selected (FIPS 204) | Larger keys than Ed25519 but manageable; fast verification |
| Code-based signatures | Classic McEliece | NIST selected | Very large public keys (~1 MB); impractical for most chain designs |
| Hybrid schemes | Ed25519 + Dilithium | Proposed in drafts | Larger footprint; backward-compatible; favoured by transition-period designs |
CRYSTALS-Dilithium (standardised as ML-DSA under FIPS 204) is the most operationally practical drop-in replacement for Ed25519 at the protocol level. Its keys are larger (1,312 bytes for public key at security level 2 vs. 32 bytes for Ed25519), but the performance overhead is acceptable on modern hardware and does not fundamentally break blockchain throughput.
A hard fork would be required to adopt any of these schemes. The coordination cost, replay-protection design, and wallet ecosystem migration are non-trivial but have precedents in other protocol upgrades.
---
What Post-Quantum Wallets Actually Do Differently
Understanding why some wallets claim quantum resistance requires a clear look at what changes at the cryptographic layer.
Classical Wallet Architecture
A standard Siacoin wallet, like most crypto wallets, generates a seed phrase, derives a private key using a key-derivation function, and produces Ed25519 key pairs for each address. The private key signs transactions; the public key (or its hash) forms the address. Security depends entirely on the hardness of reversing the elliptic curve operation, which is classical-hard but quantum-easy.
Post-Quantum Wallet Architecture
A post-quantum wallet replaces the signature scheme at the lowest layer. Instead of Ed25519 or ECDSA, it uses a NIST-standardised algorithm such as ML-DSA (Dilithium) or SPHINCS+. The seed derivation, UX, and broad structure remain similar, but the mathematical hardness assumption shifts from elliptic curve discrete logarithm (broken by Shor's algorithm) to lattice problems such as Module Learning With Errors (MLWE), which have no known efficient quantum algorithm.
BMIC.ai, for example, is a post-quantum cryptocurrency wallet built on lattice-based cryptography aligned with NIST PQC standards, designed specifically so that wallet security does not degrade when quantum hardware matures.
The critical distinction for holders of any asset, including SC, is that a post-quantum wallet protects the keys themselves. It does not, by itself, change the quantum vulnerability of the underlying chain's signature scheme. Full quantum resistance requires both the wallet layer and the protocol layer to be upgraded.
---
Practical Risk Assessment for Siacoin Holders
The quantum threat to Siacoin is real but not imminent. A structured risk assessment looks like this:
Low near-term risk (2025 to 2028)
No quantum computer demonstrated to date has broken even 32-bit elliptic curve keys in a meaningful attack. Current IBM and Google systems are in the range of hundreds to thousands of physical qubits, far short of the millions of fault-tolerant logical qubits needed for Shor's algorithm at Bitcoin-scale key sizes.
Medium risk horizon (2028 to 2033)
Fault-tolerant quantum computing is expected to become technically feasible. Assets held at re-used addresses with exposed public keys accumulate risk. Long-term storage contracts on Sia may span this window.
High risk if migration does not occur (post-2033)
Any chain still using Ed25519 or ECDSA with no upgrade path would face a structural security failure. Balances at exposed addresses would be vulnerable to key recovery attacks.
Steps Siacoin Holders Can Take Now
- Use a fresh address for each receive operation. Sia wallet software generally supports HD wallet derivation, making this straightforward.
- Avoid leaving large balances at addresses that have signed outbound transactions. The public key for those addresses is on-chain.
- Monitor Sia Foundation release notes for any mention of a post-quantum signature roadmap in the Sia v2 or future protocol versions.
- Diversify long-duration storage across assets and chains that are actively developing post-quantum migration paths.
- Follow NIST PQC updates. The completion of FIPS 203, 204, and 205 in 2024 means standardised algorithms are available and chains have no technical excuse to delay planning.
---
How Siacoin Compares to Other Chains on Quantum Readiness
| Chain | Signature Scheme | Quantum Migration Plan | Status |
|---|---|---|---|
| Bitcoin | secp256k1 ECDSA | BIP proposals discussed; no formal roadmap | No active plan |
| Ethereum | secp256k1 ECDSA | Vitalik emergency recovery proposal (2024) | Research phase |
| Siacoin (SC) | Ed25519 | None published as of mid-2025 | No active plan |
| Algorand | Ed25519 + state proofs | Post-quantum state proofs live on mainnet | Partial (state layer only) |
| QRL | XMSS (hash-based) | Built post-quantum from genesis | Complete at protocol level |
| IOTA | Winternitz / Lamport | Chrysalis update changed approach; Stardust uses Ed25519 | Regressed on PQ |
Siacoin sits alongside Bitcoin and Ethereum in the "no active plan" category, which is the honest assessment. That does not mean Sia is negligent. Most chains are in the same position. It does mean holders who want quantum-resistant security today must look at the wallet and key management layer while waiting for protocol-level solutions to mature across the industry.
---
Conclusion: Is Siacoin Quantum Safe?
The direct answer is no, not currently. Siacoin's reliance on Ed25519 signatures means that a sufficiently powerful quantum computer running Shor's algorithm could derive private keys from exposed public keys. The chain's Blake2b hashing is more resilient but not fully quantum-secure by the most conservative 256-bit quantum security standard. There is no published post-quantum migration roadmap from the Sia Foundation as of this writing.
The risk is not immediate, and Siacoin is far from alone in this position. But "not alone" is not the same as "safe." The 2030s represent a plausible and increasingly well-supported timeline for cryptographically relevant quantum computing. Projects that begin migration planning now, rather than when the threat is acute, will be in a considerably better position. Holders, developers, and the Sia Foundation itself all have roles to play in ensuring SC's long-term cryptographic integrity.
Frequently Asked Questions
Does Siacoin use ECDSA or Ed25519?
Siacoin uses Ed25519, a variant of EdDSA based on Curve25519, rather than the secp256k1 ECDSA curve used by Bitcoin. Ed25519 is faster and avoids nonce-reuse vulnerabilities, but like all elliptic-curve schemes it is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer.
When could a quantum computer realistically break Siacoin's cryptography?
The consensus estimate for a cryptographically relevant quantum computer (CRQC) capable of running Shor's algorithm at this key size is broadly between 2030 and 2040. The timeline is uncertain and depends on progress in fault-tolerant qubit development. Near-term systems are far too small to pose a practical threat.
What is the 'harvest now, decrypt later' threat for Siacoin holders?
Adversaries can record on-chain data and signed transactions today, then use future quantum hardware to extract private keys from exposed public keys. For Siacoin, any address that has ever sent a transaction has its public key on-chain, making the remaining balance at that address a long-term target. Moving funds to a fresh, never-signed address reduces, but does not eliminate, this risk.
Has the Sia Foundation published a post-quantum upgrade plan?
As of mid-2025, the Sia Foundation has not published a formal roadmap for migrating to post-quantum signature schemes. The v2 (Renterd) upgrade focused on storage and contract infrastructure. This places Siacoin alongside Bitcoin and Ethereum, which are also without completed migration plans.
Which post-quantum signature algorithm would best replace Ed25519 in Siacoin?
CRYSTALS-Dilithium, now standardised as ML-DSA under NIST FIPS 204, is the most operationally practical replacement. It uses lattice-based cryptography with no known efficient quantum attack, has reasonable key and signature sizes compared to alternatives like Classic McEliece, and achieves fast verification suitable for blockchain throughput requirements.
Does switching to a post-quantum wallet protect my Siacoin?
A post-quantum wallet protects your private keys at the key-management layer, but it does not change the signature scheme used by the Siacoin protocol itself. Full quantum resistance requires both the wallet software and the underlying chain to use post-quantum cryptography. Using a post-quantum wallet is a meaningful step, but it is not a complete solution until the protocol migrates as well.