Is Tezos Quantum Safe?

Is Tezos quantum safe? It is a question that more institutional holders and long-term XTZ stakers are starting to ask as quantum computing milestones accelerate. Tezos uses elliptic-curve cryptography to secure accounts and sign transactions, and while it has some architectural advantages over older blockchains, it shares the same fundamental vulnerability every classical public-key system faces: a sufficiently powerful quantum computer running Shor's algorithm could derive private keys from public keys. This article explains exactly how Tezos handles cryptography, where the exposure sits, what the development roadmap says, and what quantum-resistant alternatives look like in practice.

What Cryptography Does Tezos Actually Use?

Tezos supports three signature schemes natively, which is unusual among Layer-1 blockchains and gives it more cryptographic flexibility than Bitcoin or Ethereum.

The Three Supported Signature Schemes

| Scheme | Curve / Algorithm | Address Prefix | Quantum Vulnerable? |
|---|---|---|---|
| Ed25519 | Edwards-curve DSA (EdDSA) | tz1 | Yes (Shor's algorithm) |
| Secp256k1 | ECDSA (Bitcoin-compatible) | tz2 | Yes (Shor's algorithm) |
| P-256 (Secp256r1) | ECDSA / NIST curve | tz3 | Yes (Shor's algorithm) |
| BLS12-381 | BLS signature scheme | tz4 | Yes (Shor's algorithm) |

Every active address type on Tezos relies on elliptic-curve discrete logarithm hardness. That hardness holds against classical computers but collapses against a cryptographically relevant quantum computer (CRQC). The tz1 Ed25519 scheme is the most commonly used by bakers and delegators. Ed25519 is faster and considered safer than secp256k1 against classical attacks, but it offers no structural advantage against quantum attacks. Shor's algorithm solves the discrete logarithm problem on any elliptic curve in polynomial time regardless of the specific curve chosen.

How Tezos Key Derivation Works

When you create a Tezos wallet, a private key is generated, a public key is derived from it, and a public key hash (the address) is derived from the public key. Until you make your first outgoing transaction, only your address is exposed on-chain. At that point, your full public key is broadcast to the network. This is the critical exposure window in a quantum threat model: once your public key is revealed, a CRQC could theoretically reverse it to your private key.

Tezos does not embed the public key in the address at account creation, which means dormant accounts that have only received funds but never signed a transaction have a marginally smaller attack surface. The address is a hash of the public key, so an attacker would need to invert a cryptographic hash (SHA-256 / BLAKE2b) and then solve the elliptic-curve discrete logarithm, a two-step problem. That said, every account that has ever sent a transaction has already revealed its public key on-chain, and those accounts are directly vulnerable once a CRQC exists.
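The public-key-to-address step described above, as an added example that is not part of the original article or Tezos's own code: it hashes a public key to a tz1 address, identifies the scheme behind any tz1-tz4 address from its Base58Check prefix bytes, and reports whether an address is still hash-only or has a revealed key. The function names and SAMPLE_PUBKEY are constructed for illustration, and the private-to-public Ed25519 step is omitted because it needs a library outside the Python standard library.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SAMPLE_PUBKEY = bytes(range(32))  # constructed 32-byte value, not a real key
PKH_PREFIXES = {  # Base58Check prefix bytes -> (address prefix, scheme)
    bytes([6, 161, 159]): ("tz1", "Ed25519"),
    bytes([6, 161, 161]): ("tz2", "secp256k1"),
    bytes([6, 161, 164]): ("tz3", "P-256"),
    bytes([6, 161, 166]): ("tz4", "BLS12-381"),
}

def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload):
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def pkh(pubkey):  # the address commits only to a 20-byte BLAKE2b hash
    return hashlib.blake2b(pubkey, digest_size=20).digest()

def tz1_address(ed25519_pubkey):
    if len(ed25519_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return b58check_encode(bytes([6, 161, 159]) + pkh(ed25519_pubkey))

def describe_address(addr):
    payload = b58check_decode(addr)
    if payload[:3] not in PKH_PREFIXES or len(payload) != 23:
        raise ValueError("not a tz1-tz4 address")
    tag, scheme = PKH_PREFIXES[payload[:3]]
    return {"prefix": tag, "scheme": scheme, "pkh": payload[3:].hex()}

def key_exposure(addr, revealed_pubkeys):
    target = describe_address(addr)["pkh"]
    hit = any(pkh(pk).hex() == target for pk in revealed_pubkeys)
    return "public-key" if hit else "hash-only"
```

Passing the list of public keys already revealed on-chain to key_exposure separates accounts whose key is public from those still protected by the hash alone.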

---

Understanding Q-Day and Why It Matters for XTZ

Q-day refers to the point at which a quantum computer becomes capable of breaking production-grade elliptic-curve keys within a practically useful timeframe, typically hours or days rather than millions of years.

Current Quantum Computing Trajectory

As of 2024-2025, IBM, Google, and several nation-state programmes have demonstrated quantum processors in the hundreds to low thousands of physical qubits. Breaking a 256-bit elliptic-curve key requires an estimated 2,000 to 4,000 logical (error-corrected) qubits, which in turn may require millions of physical qubits given current error rates. Most sober analyst estimates place a CRQC capable of attacking ECC at somewhere between 2030 and 2040, though some classified programmes could accelerate that timeline.

The relevant risk for XTZ holders is not solely the arrival of Q-day itself. It is the harvest-now, decrypt-later (HNDL) attack model: adversaries can record all public blockchain data today and decrypt private keys retroactively once a CRQC exists. Every public key ever broadcast on Tezos is permanently stored on-chain and cannot be deleted.

The "Sleeping Coins" Problem

Tezos has a significant amount of XTZ held in accounts that have been active in the past and therefore have exposed public keys. Bakers in particular broadcast thousands of signatures per cycle as part of consensus. Every endorsement and block attestation signature is on-chain. Any baker running a standard Ed25519 or BLS key has a complete public-key trail that a future CRQC could exploit.

---

Does Tezos Have a Post-Quantum Migration Plan?

Tezos has a legitimate advantage over most blockchains: its on-chain self-amendment protocol. The network can upgrade itself through governance votes without hard forks. This is relevant to quantum resistance because a post-quantum signature scheme could, in theory, be introduced as a new amendment and deployed network-wide without splitting the chain.

What the Tezos Roadmap Actually Says

As of the most recent publicly available Tezos roadmap information, there is no scheduled or deployed post-quantum signature scheme upgrade. The Tezos core development teams (Nomadic Labs, TriliTech, Marigold, Oxhead Alpha) have not published a finalised post-quantum migration timeline. Research-stage work on post-quantum cryptography exists within the broader Tezos ecosystem, but it has not reached the amendment proposal stage.

The self-amendment mechanism is a meaningful structural advantage. It means that when a post-quantum scheme is introduced, a governance vote can mandate migration over a defined period, and non-migrated keys could in principle be flagged or restricted. However, "can upgrade" is categorically different from "has upgraded." The same applies to Ethereum's planned account abstraction-based quantum migration, which also remains in research.

NIST Post-Quantum Candidates Relevant to Blockchain

NIST finalised its first set of post-quantum cryptographic standards in 2024. The most relevant to blockchain signature use cases are:

Any future Tezos post-quantum amendment would most likely target one of these schemes, given NIST standardisation. Lattice-based schemes are the leading candidate because signature and key sizes are more practical for on-chain use than hash-based schemes.

---

How Lattice-Based Post-Quantum Wallets Differ From Tezos Today

The core difference between a classical EdDSA wallet and a post-quantum lattice-based wallet is the mathematical hardness assumption underpinning key security.

Classical vs. Post-Quantum: The Mechanism

Classical elliptic-curve security rests on the difficulty of the elliptic-curve discrete logarithm problem (ECDLP). Lattice-based security rests on problems such as Learning With Errors (LWE) or Module-LWE, which are believed to be hard for both classical and quantum computers. No quantum algorithm analogous to Shor's has been demonstrated to efficiently solve lattice problems.

In practical terms, a user holding funds in a wallet secured by ML-DSA (CRYSTALS-Dilithium) does not need to fear that broadcasting a public key during a transaction exposes them to a retroactive CRQC attack. The key pair is generated from a different mathematical structure that resists quantum inversion.

Trade-Offs to Understand

Post-quantum schemes are not cost-free. The trade-offs compared to Ed25519 include:

Projects designed from the ground up around post-quantum security, such as BMIC.ai, which uses lattice-based cryptography aligned with NIST PQC standards to secure wallet keys, address these trade-offs at the architecture level rather than trying to retrofit them onto a classical base.

---

What Should XTZ Holders Do Right Now?

There is no actionable Q-day threat today. However, prudent risk management for long-term XTZ holders involves several practical considerations.

Practical Steps for Tezos Security

  1. Minimise unnecessary public key exposure. Avoid reusing addresses for repeated small transactions where fresh addresses would reduce your on-chain public key trail.
  2. Monitor Tezos governance proposals. Subscribe to Tezos Agora and the major developer blogs. A post-quantum amendment proposal, when it comes, will require community participation to pass.
  3. Diversify custody architecture. Consider whether concentrating large XTZ balances in a single key type (especially tz1 Ed25519) is appropriate given a 10-15 year investment horizon.
  4. Understand baker key exposure. If you operate a Tezos baker, you produce thousands of signatures per cycle, creating an extensive on-chain public-key record. Future bakers may want to monitor post-quantum signing options as they mature.
  5. Track NIST PQC integration progress. As hardware wallets (Ledger, Trezor) begin integrating NIST PQC standards, their support for Tezos-compatible post-quantum addresses will become relevant.
  6. Assess the broader portfolio. Tezos is not uniquely vulnerable. Every major blockchain using classical cryptography carries the same Q-day exposure. Portfolio-level quantum risk assessment is more useful than single-asset focus.

---

Tezos vs. Other Blockchains on Quantum Readiness

To contextualise Tezos's position, it helps to compare it against other major networks on the quantum-readiness dimension.

| Blockchain | Signature Scheme | On-Chain PQC Amendment Mechanism | Active PQC Migration Plan | Self-Amendment? |
|---|---|---|---|---|
| Bitcoin | ECDSA / Schnorr (secp256k1) | Soft fork (slow, contentious) | Research only | No |
| Ethereum | ECDSA (secp256k1) | Hard fork / EIP | EIP-7560 (early research) | No |
| Tezos | Ed25519, secp256k1, P-256, BLS | On-chain amendment vote | No finalised plan | Yes |
| Algorand | Ed25519 | Protocol upgrade | Research stage | Partial |
| QRL | XMSS (hash-based) | N/A, PQC by design | Already post-quantum | Yes |

Tezos ranks above Bitcoin and Ethereum in terms of upgrade mechanics, but ranks below purpose-built post-quantum networks in terms of actual cryptographic protection today. The on-chain governance system is a genuine advantage, but it only matters when a concrete proposal is submitted and passed.

---

Summary: The Honest Assessment

Tezos is not quantum safe today. No major general-purpose blockchain is. The EdDSA and ECDSA schemes securing all four Tezos address types are vulnerable to Shor's algorithm on a sufficiently capable quantum computer. The network's self-amendment governance model gives it a credible path to a post-quantum upgrade without a contentious hard fork, which is a structural advantage. However, that path has not been activated, and no concrete timeline exists as of current public information.

For holders with a multi-decade outlook, the relevant questions are: how quickly will quantum computing advance, will the Tezos governance community act proactively before Q-day, and what does a sensible diversification strategy look like across assets and custody methods? Those are questions worth tracking now rather than after the threat becomes imminent.

Frequently Asked Questions

Is Tezos quantum safe right now?

No. Tezos currently uses EdDSA (Ed25519), ECDSA (secp256k1, P-256), and BLS signature schemes, all of which are vulnerable to Shor's algorithm on a cryptographically relevant quantum computer. The network is not quantum safe today, though its on-chain self-amendment governance provides a credible upgrade mechanism for the future.

Which Tezos address types are most exposed to quantum attacks?

All four address types, tz1 (Ed25519), tz2 (secp256k1), tz3 (P-256), and tz4 (BLS), rely on elliptic-curve cryptography and are equally vulnerable at a fundamental level. Accounts that have signed at least one outgoing transaction have their public key stored on-chain permanently, making them directly targetable by a CRQC. Dormant receive-only addresses have slightly reduced exposure because only the key hash is public.

Does Tezos have a plan to upgrade to post-quantum cryptography?

No finalised post-quantum migration plan has been published by the major Tezos development organisations as of current information. Research-stage work exists, and Tezos's on-chain self-amendment protocol means an upgrade could be deployed via governance vote without a hard fork. However, no proposal has reached the amendment stage, and no timeline has been announced.

What is Q-day and when might it affect Tezos holders?

Q-day refers to the point at which a quantum computer can break elliptic-curve private keys in a practically useful timeframe. Most analyst estimates place this between 2030 and 2040, though the timeline carries significant uncertainty. The more immediate concern is the harvest-now, decrypt-later threat model, where on-chain public keys are recorded today for future decryption.

What post-quantum signature schemes could Tezos adopt?

The most likely candidates are NIST-standardised lattice-based schemes: CRYSTALS-Dilithium (ML-DSA) and FALCON. Both offer practical signature sizes for blockchain use. Hash-based SPHINCS+ (SLH-DSA) is also a NIST standard but produces significantly larger signatures, which would increase transaction costs. A Tezos amendment would need to balance security, performance, and on-chain storage costs.

How do lattice-based post-quantum wallets protect against Q-day compared to Tezos today?

Lattice-based wallets secure private keys using mathematical problems, such as Learning With Errors, that no known quantum algorithm can solve efficiently. Unlike elliptic-curve keys, a lattice-based private key cannot be derived from its public key by Shor's algorithm. This means broadcasting a public key during a transaction does not create retroactive quantum exposure, which is the fundamental difference from all current Tezos address types.