Is Starknet Quantum Safe?
Is Starknet quantum safe? It is a question more developers and long-term holders are asking as quantum computing benchmarks advance faster than most roadmaps anticipated. Starknet's architecture is genuinely innovative, combining STARK-based validity proofs with an account-abstraction model that gives it flexibility most L2s lack. But innovative zero-knowledge proofs are only part of the security picture. The cryptographic primitives that protect individual accounts and transaction signing are a separate layer, and that layer carries real exposure. This article unpacks exactly where the risk sits, what migration paths exist, and how the broader industry is responding.
How Starknet's Cryptographic Stack Actually Works
Starknet is an Ethereum Layer 2 validity rollup built by StarkWare. Its headline feature is the use of STARK proofs, which allow a sequencer to batch thousands of transactions, generate a succinct cryptographic proof of their correctness, and post that proof to Ethereum L1 for verification. Understanding what STARK proofs do, and what they do not do, is essential to answering the quantum-safety question.
What STARK Proofs Protect
STARK proofs (Scalable Transparent ARguments of Knowledge) are based on hash functions and polynomial commitments, not on elliptic-curve discrete logarithm assumptions. Hash-function security is generally considered quantum-resistant: Grover's algorithm provides only a quadratic speedup against symmetric primitives, meaning a 256-bit hash retains roughly 128-bit security against a quantum adversary. That is currently considered acceptable.
So the validity proof system itself is not the weak point. Starknet's proof layer would survive Q-day in reasonable shape.
Where Elliptic-Curve Cryptography Enters
The vulnerability sits at the account layer. Every Starknet account, whether a default OpenZeppelin account, an Argent X wallet, or a Braavos smart-contract wallet, requires a signing key to authorise transactions. By default, Starknet uses the STARK curve, a custom elliptic curve over a 252-bit prime field. Transaction signatures are produced using ECDSA (Elliptic Curve Digital Signature Algorithm) or, in some newer implementations, Schnorr variants over the same curve family.
Both ECDSA and Schnorr on elliptic curves rely on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). A sufficiently powerful quantum computer running Shor's algorithm can solve ECDLP in polynomial time, recovering the private key from the public key. That is the core threat. The proof layer being quantum-resistant provides no protection if an attacker can forge the signature that authorises the transaction in the first place.
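To make the account-layer exposure concrete, here is a textbook ECDSA implementation over the STARK curve. This is an added teaching example, not StarkWare's signing code and not any wallet's: the curve constants are the published STARK curve parameters, but the message hash (SHA-256 reduced mod the group order) and the deterministic nonce derivation are simplifications chosen to keep the example self-contained, and the scalar multiplication is not constant-time. The point to notice is that `verify` consumes only the public key Q, so the entire authorisation guarantee rests on nobody being able to compute d from Q, which is exactly the ECDLP that Shor's algorithm solves.

```python
import hashlib

# STARK curve constants as published in StarkWare's cairo-lang:
# y^2 = x^3 + ALPHA*x + BETA over F_P, with generator G of prime order N.
P = 2**251 + 17 * 2**192 + 1
ALPHA = 1
BETA = 3141592653589793238462643383279502884197169399375105820974944592307816406665
N = 3618502788666131213697322783095070105526743751716087489154079457884512865583
G = (
    874739451078007766457464989774322083649278607533249481151382481072868806602,
    152666792071518830868575557812948353041420400780739481342941381225525861407,
)


def is_on_curve(pt):
    """True if pt satisfies the curve equation; None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + ALPHA * x + BETA)) % P == 0


def ec_add(p1, p2):
    """Affine group law. None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return None
        lam = (3 * x1 * x1 + ALPHA) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def public_key(priv):
    """Q = d*G. Going from Q back to d is the ECDLP that Shor's algorithm solves."""
    return ec_mul(priv, G)


def msg_hash_from_bytes(data):
    """Reduce arbitrary bytes to a scalar in [0, N). Starknet hashes transactions
    with its own field-friendly hash; SHA-256 is used here only to stay self-contained."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(priv, h):
    """Textbook ECDSA over the STARK curve. The nonce k is derived from SHA-256 of
    (priv, h), a simplification of an RFC 6979 style deterministic nonce."""
    h %= N
    seed = priv.to_bytes(32, "big") + h.to_bytes(32, "big")
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big")
    while True:
        k = k % N or 1
        r = ec_mul(k, G)[0] % N
        s = (h + r * priv) * pow(k, -1, N) % N
        if r and s:
            return (r, s)
        k += 1  # r == 0 or s == 0 is vanishingly rare; retry with the next nonce


def verify(pub, h, sig):
    """Verification consumes only the public key: whoever knows d, the legitimate
    owner or anyone who solved the ECDLP for this Q, produces accepted signatures."""
    r, s = sig
    if pub is None or not is_on_curve(pub) or not (1 <= r < N and 1 <= s < N):
        return False
    h %= N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


if __name__ == "__main__":
    d = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed private key
    Q = public_key(d)
    h = msg_hash_from_bytes(b"constructed Starknet transaction")
    print("valid:", verify(Q, h, sign(d, h)))
```

Running the module signs a constructed message and verifies it against Q. Nothing in `verify` distinguishes a signature from the key's owner from one produced by anyone else holding d, which is why the harvest-now, decrypt-later discussion below treats every on-chain public key as a long-lived liability rather than a harmless identifier.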
---
Understanding Q-Day and Why It Matters for STRK Holders
Q-Day refers to the point at which a cryptographically relevant quantum computer (CRQC) becomes operational, one capable of running Shor's algorithm at scale against the key sizes used by real-world blockchains. Current estimates from analysts at organisations including the Global Risk Institute and the UK's National Cyber Security Centre range from the mid-2030s to the early 2040s, though some hardware trajectories suggest earlier timelines are possible.
The Harvest-Now, Decrypt-Later Threat
A subtler risk is already active. Adversaries with sufficient resources can record encrypted or signed data today and decrypt it once quantum hardware matures. For blockchain, the equivalent is recording all publicly broadcast transaction data, including public keys exposed when a wallet signs a transaction, and later deriving private keys. Any address that has ever sent a transaction has already exposed its public key on-chain. Every one of those addresses is theoretically susceptible to a harvest-now, decrypt-later attack on ECDSA-secured chains.
How Much STRK Is at Risk?
There is no public on-chain analytics tool that precisely segments Starknet addresses by whether they have exposed their public key, but the general pattern seen on Ethereum and Bitcoin applies: most active wallets that have sent at least one transaction have exposed public keys. On Starknet, the account-abstraction model means a contract deployment transaction also reveals the public key associated with the signer. The practical conclusion is that the majority of economically significant STRK holdings sit in addresses with exposed public keys.
---
Starknet's Account Abstraction: A Double-Edged Sword
Starknet's native account abstraction (AA) is one of the most interesting features in the rollup ecosystem. Unlike Ethereum's EOA model, every Starknet account is a smart contract. This means the signing logic is programmable and upgradeable without a protocol-level hard fork.
Why AA Could Accelerate a Quantum Migration
Because account logic is on-chain code rather than a fixed protocol rule, wallet developers can, in principle, redeploy or upgrade account contracts to use post-quantum signature schemes without waiting for StarkWare or the Starknet governance process to push a network upgrade. If a post-quantum signature library becomes available and audited in Cairo (Starknet's native language), a wallet provider could offer users a migration path.
Why AA Alone Does Not Solve the Problem
Account abstraction changes the upgrade mechanics but does not change the underlying cryptography. Until post-quantum signature schemes are integrated into wallet software and users actively migrate their keys and assets, the exposure remains. AA is an enabling feature, not a cure. Most current Starknet account contracts use the STARK curve ECDSA scheme by default, and migration requires deliberate action at the wallet and user level.
Braavos and Hardware-Signer Approaches
Braavos wallet has experimented with hardware-signer integrations that use passkey-style authentication, shifting some signing to device-level secure enclaves. This improves security against classical adversaries but does not address quantum threats, because the underlying elliptic-curve operations still occur, just inside different hardware.
---
Post-Quantum Cryptography: What the Alternatives Look Like
NIST completed its first round of Post-Quantum Cryptography (PQC) standardisation in 2024, publishing final standards for several algorithm families. The two most relevant to blockchain signing are:
| Algorithm Family | NIST Standard | Security Basis | Signature Size | Verification Speed |
|---|---|---|---|---|
| CRYSTALS-Dilithium | FIPS 204 (ML-DSA) | Module lattices | ~2.4 KB | Fast |
| FALCON | FIPS 206 (SLH-DSA adjacent) | NTRU lattices | ~0.7 KB | Moderate |
| SPHINCS+ | FIPS 205 (SLH-DSA) | Hash functions | ~8–50 KB | Slow |
| ECDSA (current) | N/A | Elliptic curve DLP | ~64 bytes | Very fast |
The table illustrates the central trade-off: post-quantum signatures are larger and, in most cases, slower to verify than ECDSA. For a high-throughput rollup like Starknet, larger signature sizes mean higher data costs when posting to L1. That is a real engineering constraint, not a hypothetical one.
Lattice-based schemes (Dilithium, FALCON) are generally viewed as the most practical for blockchain contexts because their signature and key sizes are manageable and their security assumptions are well-studied. Hash-based schemes like SPHINCS+ offer a more conservative security basis but produce very large signatures that would materially increase rollup costs.
---
Has StarkWare Published a Quantum-Resistance Roadmap?
As of mid-2025, StarkWare has not published a formal quantum-resistance roadmap for Starknet. The project's public documentation and research blog focus primarily on proof system improvements (recursive STARKs, Stwo prover performance), Cairo language upgrades, and decentralisation of the sequencer and prover layers.
This is not unique to Starknet. Ethereum itself, on which Starknet settles, also has no finalised post-quantum signature migration plan, though Ethereum researchers have discussed the topic in the context of account abstraction and EIP proposals for STARK-based transaction signatures at L1. The Ethereum roadmap item sometimes called "quantum resistance" is loosely scoped and multi-year.
For STRK holders, the absence of a published roadmap does not mean the risk is ignored internally, but it does mean there is no committed timeline for users to plan around.
---
What Quantum-Resistant Wallets Are Doing Differently
The gap between current Starknet wallet security and post-quantum security is where hardware and software wallet projects focusing on lattice-based cryptography become relevant. Wallets built with NIST PQC-aligned schemes, specifically lattice-based signature algorithms, replace the ECDSA signing step entirely. The private key, the public key, and the signature are all generated using mathematical structures where Shor's algorithm provides no meaningful advantage.
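As an added illustration of what "replacing the ECDSA signing step entirely" means in practice, the following Python sketch uses a Lamport one-time signature, a hash-based scheme whose public key, private key and signature are all built from SHA-256 preimages, so Shor's algorithm gives no advantage and only Grover's quadratic speedup applies. It is a teaching stand-in, not the lattice-based ML-DSA or FALCON schemes the article names (those cannot be written compactly here) and not the code of any wallet or project mentioned on this page; it sits on the hash-based side of the table above, and its 8 KB signature is a concrete instance of the size cost that table reports. The `PqAccount` class is a Python model of the programmable validation logic the account-abstraction section describes, not Cairo; `OneTimeSigner`, `tx_message` and the nonce field are assumptions of this example. Because each Lamport key may sign exactly once, every transaction here carries the public key that will authorise the next one, which is the edge case any hash-based design must handle.

```python
import hashlib
import secrets

HASH = hashlib.sha256
NBITS = 256  # one secret pair per bit of the SHA-256 message digest
LEN = 32     # bytes per secret preimage


def lamport_keygen():
    """Private key: 2*NBITS random preimages. Public key: their SHA-256 hashes.
    Recovering sk from pk is a preimage problem; Shor's algorithm does not apply."""
    sk = [[secrets.token_bytes(LEN) for _ in range(2)] for _ in range(NBITS)]
    pk = [[HASH(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the one preimage that bit selects."""
    digest = HASH(msg).digest()
    return [sk[i][_bit(digest, i)] for i in range(NBITS)]


def lamport_verify(pk, msg, sig):
    if len(sig) != NBITS:
        return False
    digest = HASH(msg).digest()
    return all(HASH(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(NBITS))


def signature_size_bytes(sig):
    return sum(len(part) for part in sig)  # NBITS * LEN = 8192 bytes


def tx_message(payload, next_pk):
    """Every signed transaction commits to the key that authorises the next one,
    so a one-time key is retired in the same step that installs its successor."""
    next_pk_digest = HASH(b"".join(h for pair in next_pk for h in pair)).digest()
    return payload + b"|next:" + next_pk_digest


class OneTimeSigner:
    """Client-side key holder that refuses to sign twice: a second signature under
    the same Lamport key reveals more preimages than the scheme can tolerate."""

    def __init__(self):
        self.sk, self.pk = lamport_keygen()
        self.used = False

    def can_sign(self):
        return not self.used

    def sign(self, msg):
        if self.used:
            raise RuntimeError("one-time key already used; sign with a fresh key")
        self.used = True
        return lamport_sign(self.sk, msg)


class PqAccount:
    """Model of an account contract whose validation logic is code: it holds the
    current public key and replaces it on every successfully validated call."""

    def __init__(self, pk):
        self.pk = pk
        self.nonce = 0

    def execute(self, payload, next_pk, sig):
        if not lamport_verify(self.pk, tx_message(payload, next_pk), sig):
            return False
        self.pk = next_pk  # the key that just signed is now retired
        self.nonce += 1
        return True


if __name__ == "__main__":
    k1, k2 = OneTimeSigner(), OneTimeSigner()
    account = PqAccount(k1.pk)
    sig = k1.sign(tx_message(b"constructed tx 1", k2.pk))
    print("signature bytes:", signature_size_bytes(sig))
    print("accepted:", account.execute(b"constructed tx 1", k2.pk, sig))
    print("replay accepted:", account.execute(b"constructed tx 1", k2.pk, sig))
```

The replay attempt in the demo fails because the account no longer holds the key that produced the signature; that property comes from the account logic, not from the signature scheme, which is the kind of validation rule an upgradeable account contract can carry while the network's protocol rules stay unchanged.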
One project building in this space is BMIC.ai, which is developing a quantum-resistant wallet and token using lattice-based post-quantum cryptography aligned with the NIST PQC standards. For holders evaluating long-term custody risk, comparing the cryptographic foundation of their current wallet against PQC-native alternatives is a reasonable due-diligence step, particularly if their horizon extends into the 2030s and beyond.
The practical migration question for any asset, whether held on Starknet or another chain, comes down to this: when will the wallet software you use sign transactions with a post-quantum algorithm, and what happens to assets secured by exposed ECDSA keys in the interval?
---
Analyst Scenarios: What Could Happen at Different Quantum Milestones
It is useful to think in scenario bands rather than single-point predictions.
Scenario A: Gradual Quantum Advancement (2035–2042 CRQC)
This is the central scenario in most institutional forecasts. In this band, the blockchain industry has a decade or more to implement post-quantum migrations. Chains with programmable account logic (like Starknet) are better positioned than chains with fixed signing schemes, because migrations can be deployed incrementally. STRK holders who migrate to PQC wallets before a CRQC becomes operational face minimal disruption.
Scenario B: Accelerated Quantum Advancement (pre-2033 CRQC)
Some analysts assign non-trivial probability to this scenario given recent progress in error-corrected qubit counts. In this band, chains without active migration programs face significant disruption. Harvest-now, decrypt-later attacks on previously broadcast public keys become actionable. Assets in unprotected addresses are at risk of theft rather than merely theoretical exposure.
Scenario C: Quantum Winter (no CRQC by 2050)
If progress on fault-tolerant quantum computing stalls, current ECDSA-based security remains adequate for the foreseeable future, and the cost of migrating to heavier PQC signature schemes may not be justified by near-term risk. Most cryptographers consider this the least likely scenario given current hardware trajectories, but it is not impossible.
---
Practical Steps for Starknet Users Concerned About Quantum Risk
- Audit your key exposure. Any Starknet address that has signed at least one transaction has a public key on-chain. Treat those addresses as having elevated long-term quantum risk.
- Monitor wallet provider roadmaps. Argent X and Braavos are the dominant Starknet wallets. Watch for announcements about post-quantum signature support in their upgrade pipelines.
- Follow NIST PQC integration discussions in the Cairo ecosystem. The Cairo language is Turing-complete and can, in principle, implement Dilithium or FALCON. Community proposals or StarkWare research updates on this topic are worth tracking.
- Consider diversifying custody. For holdings with long-term horizons, evaluating wallets that already implement PQC-native signing is a reasonable risk-management measure, separate from any view on the underlying asset's price performance.
- Stay informed on Ethereum L1 quantum plans. Starknet settles to Ethereum. If Ethereum adopts quantum-resistant transaction formats at L1, that will create upstream pressure and potentially enablement for Starknet to follow suit more quickly.
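The first step above, auditing key exposure, and the earlier question of how much STRK sits behind exposed keys both reduce to the same bookkeeping: classify each account by whether it has ever sent a transaction (or been deployed through a DEPLOY_ACCOUNT transaction, which the article notes reveals the signer's public key) and total the balances behind the exposed ones. The script below is an added example, not a tool from StarkWare or any wallet provider; the transactions, addresses and balances are constructed, the `Tx` record shape is this example's own simplification, and in practice the inputs would be pulled from a node or an indexer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    block: int
    tx_type: str   # "INVOKE", "DECLARE", "DEPLOY_ACCOUNT" or "L1_HANDLER"
    account: str   # sender for INVOKE/DECLARE; the deployed address for DEPLOY_ACCOUNT
    signed: bool   # whether the transaction carried an account signature


# Transaction types whose presence on-chain makes the account's public key derivable:
# a signed INVOKE/DECLARE identifies the signer, and a DEPLOY_ACCOUNT carries the
# public key in its constructor calldata. L1_HANDLER transactions carry no account
# signature and are therefore not counted.
EXPOSING_TYPES = {"INVOKE", "DECLARE", "DEPLOY_ACCOUNT"}


def first_exposure(txs):
    """Map each account to the earliest block at which its public key became public."""
    first = {}
    for tx in sorted(txs, key=lambda t: t.block):
        if tx.tx_type not in EXPOSING_TYPES:
            continue
        if not (tx.signed or tx.tx_type == "DEPLOY_ACCOUNT"):
            continue
        first.setdefault(tx.account, tx.block)
    return first


def exposure_report(txs, balances):
    """Classify every funded account and total the STRK held behind exposed keys."""
    exposed_at = first_exposure(txs)
    rows = [
        {
            "account": addr,
            "strk": bal,
            "exposed": addr in exposed_at,
            "first_exposed_block": exposed_at.get(addr),
        }
        for addr, bal in sorted(balances.items())
    ]
    total = sum(balances.values())
    at_risk = sum(r["strk"] for r in rows if r["exposed"])
    return {
        "rows": rows,
        "total_strk": total,
        "at_risk_strk": at_risk,
        "at_risk_share": (at_risk / total) if total else 0.0,
    }


# Constructed sample data: not real Starknet addresses, block numbers or balances.
SAMPLE_TXS = [
    Tx(100, "DEPLOY_ACCOUNT", "0xA1", True),
    Tx(120, "INVOKE", "0xA1", True),
    Tx(150, "INVOKE", "0xC3", True),
    Tx(160, "DECLARE", "0xD4", True),
    Tx(170, "L1_HANDLER", "0xB2", False),  # 0xB2 only ever receives; key never exposed
]
SAMPLE_BALANCES = {"0xA1": 5_000, "0xB2": 12_000, "0xC3": 300, "0xD4": 0}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_TXS, SAMPLE_BALANCES)
    for row in report["rows"]:
        print(row)
    print(f"STRK behind exposed keys: {report['at_risk_strk']} of "
          f"{report['total_strk']} ({report['at_risk_share']:.1%})")
```

On the constructed data, 5,300 of 17,300 STRK sits behind exposed keys; the largest balance (0xB2) is unexposed only because it has never signed anything, which is the receive-only pattern the audit step is meant to distinguish from active accounts. The classification rule is deliberately the article's own heuristic: one signed transaction is enough to count an account as exposed for the long term.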
Frequently Asked Questions
Is Starknet quantum safe right now?
No, not fully. Starknet's STARK proof system is based on hash functions and is generally considered quantum-resistant. However, the account signing layer relies on elliptic-curve cryptography (ECDSA on the STARK curve), which is vulnerable to Shor's algorithm running on a sufficiently powerful quantum computer. Most STRK accounts currently lack quantum-resistant signing.
Does Starknet's use of STARK proofs protect against quantum attacks?
STARK proofs protect the validity of state transitions and batch computations. They rely on hash functions, which retain adequate security against quantum adversaries under current analysis. However, STARK proofs do not protect individual account signatures. An attacker who can forge or recover a private key from an exposed public key could still authorise fraudulent transactions regardless of the proof system.
Can Starknet's account abstraction enable a post-quantum migration?
Yes, account abstraction makes a migration technically easier than on chains with fixed signing schemes. Because every Starknet account is a programmable smart contract, wallet developers can upgrade account logic to use post-quantum signature schemes without a network-level hard fork. However, this requires wallet providers to implement PQC algorithms in Cairo and users to actively migrate their accounts.
What is the harvest-now, decrypt-later threat for STRK holders?
Any time a Starknet wallet signs a transaction, its public key is broadcast to the network and stored on-chain permanently. A quantum-capable adversary could record those public keys today and, once a cryptographically relevant quantum computer exists, use Shor's algorithm to derive the corresponding private keys and drain the associated accounts. This threat is relevant for any address that has already sent a transaction.
Which post-quantum signature algorithms are most relevant for Starknet?
The NIST-standardised lattice-based algorithms, CRYSTALS-Dilithium (ML-DSA, FIPS 204) and FALCON (FIPS 206), are considered the most practical candidates for blockchain signing due to their relatively compact signature sizes and fast verification. Hash-based schemes like SPHINCS+ are more conservative but produce very large signatures that would increase data costs on a rollup. Integration of any of these into Starknet wallet software would require Cairo implementations and audits.
Has StarkWare committed to a quantum-resistance upgrade?
As of mid-2025, StarkWare has not published a formal quantum-resistance roadmap for Starknet. Research and development efforts have focused on proof system performance, decentralisation, and Cairo language improvements. This is consistent with the broader Ethereum ecosystem, which also lacks a finalised post-quantum signature migration plan, though the topic is under active academic and developer discussion.