Is Usual USD Quantum Safe?
Is Usual USD quantum safe? That question matters more than most stablecoin holders realise. Usual USD (USD0) is a collateralised stablecoin running on Ethereum, secured by the same ECDSA elliptic-curve cryptography underpinning every standard EVM wallet. When sufficiently powerful quantum computers arrive, ECDSA private keys become mathematically reconstructable from public keys alone, exposing every on-chain address that has ever signed a transaction. This article breaks down exactly what cryptographic assumptions USD0 relies on, where the real exposure sits, what migration options exist, and what a genuinely quantum-resistant alternative looks like.
What Is Usual USD (USD0)?
Usual USD, ticker USD0, is a permissionless, fully collateralised stablecoin issued by the Usual protocol on Ethereum. Its design differs from algorithmic stablecoins: every USD0 in circulation is backed 1:1 by short-duration, real-world assets, primarily US Treasury bill tokens such as USYC and M (by M^0). The collateral is held in on-chain vaults, and the mint/redeem logic is enforced by Solidity smart contracts deployed on Ethereum mainnet.
From a financial-engineering standpoint, USD0 is conservative. It avoids fractional-reserve mechanics and complex algorithmic stabilisation loops. The risk profile is closer to a tokenised money-market fund than to an undercollateralised algorithmic dollar. That is a reasonable design choice for a stablecoin.
The cryptographic risk profile, however, is a different question entirely.
How USD0 Is Secured On-Chain
Like every ERC-20 token, USD0 balances are stored in Ethereum's global state trie. Ownership is asserted by ECDSA signatures produced with secp256k1 private keys. When you send USD0, your wallet signs a transaction with that key. Ethereum nodes verify the signature and update the state. The security of your holdings therefore reduces to two questions:
1. Can an attacker forge a valid secp256k1 ECDSA signature without knowing your private key?
2. Can an attacker derive your private key from your public key or from a signature you have already broadcast?
On classical computers, both attacks are computationally infeasible. On a sufficiently powerful quantum computer, question 2 has a clear answer: yes, using Shor's algorithm.
---
The Quantum Threat to ECDSA: A Technical Summary
Shor's algorithm, published in 1994, solves the discrete logarithm problem on a quantum computer in polynomial time. The security of secp256k1, the curve Ethereum uses, rests on the elliptic-curve form of that problem. The implication is direct: a large-scale quantum computer could recover a secp256k1 private key from the corresponding public key.
What "Q-Day" Means for Stablecoin Holders
Q-day refers to the point at which a cryptographically relevant quantum computer (CRQC) becomes operational, capable of running Shor's algorithm against real 256-bit elliptic-curve keys within a practical time window. Current consensus among cryptographers and agencies such as NIST, CISA, and the NSA places the risk horizon somewhere between 2030 and 2040, though estimates vary and the timeline could compress if hardware progress accelerates.
For stablecoin holders the threat is concrete:
- Exposed public keys. Every Ethereum address that has sent at least one outbound transaction has its public key permanently recorded on-chain. That public key is sufficient input for Shor's algorithm.
- Harvest-now, decrypt-later (HNDL) attacks. Adversaries can record signed transactions and on-chain data today. Once a CRQC exists, they process the archive retrospectively. Long-lived addresses accumulate exposure over time.
- Smart contract governance keys. Protocol admin keys and multisig signers that control USD0's vault contracts, fee parameters, and upgradeability are also ECDSA-based. A compromised governance key could drain collateral or freeze the peg mechanism.
Is USD0 Specifically More Exposed Than Other Stablecoins?
Not uniquely, but not less either. USDC, USDT, DAI, and virtually every other ERC-20 stablecoin carry identical ECDSA exposure because they all run on Ethereum's current consensus and signature infrastructure. USD0 is neither safer nor more vulnerable than its peers on this dimension. The exposure is systemic to the EVM layer, not specific to Usual's design.
USD0's collateral model does introduce one nuance: if quantum attackers compromise the custody addresses holding the T-bill backing, the 1:1 collateral guarantee becomes fictional. A stablecoin whose collateral has been silently drained is no longer stable.
---
Ethereum's Post-Quantum Roadmap
Ethereum core developers and researchers are aware of the quantum threat. The relevant work sits under the broader account abstraction and cryptographic agility initiatives.
EIP-7560 and Account Abstraction
EIP-7560 (native account abstraction) is designed to allow users to replace ECDSA as the signature scheme for transaction authorisation. In a post-quantum world, this would allow wallets to use lattice-based signatures such as CRYSTALS-Dilithium or hash-based schemes like SPHINCS+, both of which are NIST PQC-standardised. The EIP is under active development but has not been deployed to mainnet.
The Address Re-Use Problem
Even after a quantum-resistant signature scheme is available at the protocol level, addresses that have already exposed their public keys remain vulnerable until funds are migrated. An Ethereum address is derived from a hash of the public key, so a fresh address with no outbound history does not expose its public key. Migration requires users to actively move funds to new, never-used addresses protected by post-quantum keys, a process that requires both wallet software upgrades and user action.
Timeline Uncertainty
Ethereum's roadmap is iterative and consensus-driven. There is no firm deployment date for post-quantum signature support. Given that Ethereum's full post-quantum migration is likely to take years after a CRQC emerges, the window between Q-day and full protocol safety could be non-trivial.
---
Does Usual USD Have Any Quantum Migration Plan?
As of the time of writing, the Usual protocol has not published a dedicated post-quantum migration roadmap. This is not unusual: the vast majority of ERC-20 protocols have not done so either. Post-quantum planning at the application layer is largely deferred to Ethereum's base-layer upgrade path.
What this means practically:
- USD0 holders inherit Ethereum's quantum exposure timeline with no additional protocol-level mitigation.
- Usual's governance multisig keys carry the same ECDSA exposure as any other Ethereum multisig.
- Collateral custodians holding T-bill tokens in Ethereum addresses face the same risk if those addresses have broadcast signed transactions.
This is not a criticism specific to Usual. It is an accurate description of the current state of the EVM ecosystem. Holding any ERC-20 asset without a post-quantum wallet strategy is, at present, an unmitigated quantum risk that simply has an unknown time horizon.
---
Comparing Cryptographic Security Models
The table below contrasts the cryptographic foundations relevant to USD0 and the broader EVM ecosystem against post-quantum alternatives.
| Property | ECDSA / secp256k1 (Ethereum today) | CRYSTALS-Dilithium (NIST PQC ML-DSA) | SPHINCS+ (NIST PQC SLH-DSA) |
|---|---|---|---|
| Security assumption | Elliptic-curve discrete log | Module lattice problem (LWE/SIS) | Hash function preimage resistance |
| Quantum resistance | None (Shor's algorithm breaks it) | Yes (no known quantum speedup) | Yes (Grover's algorithm gives a minor speedup only) |
| Signature size | ~64 bytes | ~2–3 KB | ~8–50 KB |
| Key generation speed | Very fast | Fast | Fast |
| NIST standard status | Pre-quantum legacy | Standardised (FIPS 204, 2024) | Standardised (FIPS 205, 2024) |
| Ethereum mainnet support | Native | Not yet (EIP-7560 required) | Not yet (EIP-7560 required) |
| Suitable for long-term asset custody | Only until Q-day | Yes | Yes |
The performance gap between ECDSA and lattice-based schemes is closing rapidly as implementations mature. The main practical barrier to adoption on Ethereum is infrastructure, not mathematics.
---
How Post-Quantum Wallets Differ From Standard Wallets
A post-quantum wallet replaces the ECDSA key pair at its core with a key pair generated under a quantum-resistant algorithm. The user experience can be made nearly identical to standard wallets, but the underlying cryptographic machinery is fundamentally different.
Lattice-Based Key Generation
Lattice-based schemes such as CRYSTALS-Dilithium derive their security from the hardness of finding short vectors in high-dimensional lattices. The Learning With Errors (LWE) problem that underpins them has no known efficient quantum algorithm. NIST finalised ML-DSA (the standardised version of Dilithium) as FIPS 204 in August 2024.
Key Storage and Seed Phrases
Post-quantum private keys are larger than ECDSA keys. A Dilithium Level 3 private key is approximately 4 KB versus 32 bytes for secp256k1. Hardware wallet firmware and seed-phrase derivation standards will need to accommodate this. Projects building quantum-resistant custody infrastructure now, before Q-day, avoid the rushed migration problem.
Hybrid Schemes During the Transition Period
The recommended migration approach is a hybrid model: sign transactions with both a classical ECDSA key and a post-quantum key simultaneously. Verifiers accept the transaction only if both signatures are valid. This preserves compatibility with existing Ethereum infrastructure while adding quantum resistance as a second layer. It is the approach endorsed by NIST and several national cybersecurity agencies for the transition period.
One example of a project addressing this architecture directly is BMIC.ai, which is building a quantum-resistant wallet using lattice-based, NIST PQC-aligned cryptography, specifically designed to protect digital asset holdings against Q-day exposure.
---
Practical Steps USD0 Holders Can Take Now
Waiting for Ethereum's base layer to solve post-quantum security is a passive strategy with an uncertain timeline. Holders who want to reduce exposure can act at the wallet layer today.
- Audit address exposure. Check whether your primary holding addresses have ever broadcast a signed transaction. If yes, the public key is permanently on-chain. Consider migrating to a fresh address.
- Minimise address reuse. Every outbound transaction from an address exposes its public key. Using different receive addresses reduces the surface area.
- Monitor Ethereum PQC developments. Track EIP-7560 and related EIPs for mainnet deployment signals. Set a personal threshold for when you will upgrade wallet infrastructure.
- Evaluate quantum-resistant custody options. Hardware wallets and software wallets that implement NIST PQC standards are beginning to emerge. Evaluate them on the basis of FIPS 204/205 compliance and open-source auditability.
- Consider collateral exposure separately. For large USD0 positions, consider the risk that governance or custodial addresses are compromised at Q-day, not just your own wallet key.
- Stay current on CRQC progress. IBM, Google, and national labs publish roadmaps for qubit counts and error-correction milestones. A meaningful step-change in those numbers is an early warning signal.
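One way to run the "audit address exposure" step from the list above, as an added example (not code from the article or from the Usual protocol). It uses the standard `eth_getCode` and `eth_getTransactionCount` JSON-RPC methods; the function names, the node URL you would pass to `http_rpc`, and the sample account state are assumptions constructed for illustration.

```python
import json, urllib.request

DELEGATION_PREFIX = "0xef0100"  # EIP-7702 delegation designator: still a keyed account

def http_rpc(url):
    """Build an rpc callable for a JSON-RPC node at `url` (assumption: your own endpoint)."""
    def call(method, params):
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
        req = urllib.request.Request(url, body.encode(), {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["result"]
    return call

def classify(address, rpc):
    """Return 'contract', 'exposed' or 'unexposed' for one address."""
    code = rpc("eth_getCode", [address, "latest"]).lower()
    nonce = int(rpc("eth_getTransactionCount", [address, "latest"]), 16)
    delegated = code.startswith(DELEGATION_PREFIX)
    if code != "0x" and not delegated:
        return "contract"   # no key of its own: audit its owner/signer addresses instead
    if delegated or nonce > 0:
        return "exposed"    # the account has signed on-chain, so its public key is recoverable
    return "unexposed"      # only the hash of the public key is public so far

def audit(addresses, rpc):
    """Map each address to its exposure class."""
    return {a: classify(a, rpc) for a in addresses}

# Constructed sample state (not real accounts), so the example runs offline
SAMPLE_STATE = {
    "0x" + "11" * 20: {"code": "0x", "nonce": "0x0"},                    # fresh address
    "0x" + "22" * 20: {"code": "0x", "nonce": "0x2a"},                   # has sent 42 txs
    "0x" + "33" * 20: {"code": "0x6080604052", "nonce": "0x1"},          # contract / vault
    "0x" + "44" * 20: {"code": "0xef0100" + "55" * 20, "nonce": "0x1"},  # delegated EOA
}

def sample_rpc(method, params):
    acct = SAMPLE_STATE[params[0]]
    return acct["code"] if method == "eth_getCode" else acct["nonce"]

if __name__ == "__main__":
    for addr, status in audit(list(SAMPLE_STATE), sample_rpc).items():
        print(addr, status)
```

A zero nonce only covers transactions the account sent itself: a signature the key produced off-chain (for example a token permit) that another party submitted also puts the public key on-chain, so treat `unexposed` as a lower bound on exposure.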
---
Summary: The Honest Assessment
USD0 is cryptographically exposed to Q-day in exactly the same way every other ERC-20 asset is. The stablecoin's collateral model is sound by conventional financial standards, but it is built entirely on an ECDSA signature foundation that Shor's algorithm will eventually break. Usual has not published a post-quantum migration plan, which is consistent with the broader EVM ecosystem but does not reduce the underlying risk.
The question "is Usual USD quantum safe?" has a clear answer: no, not currently. The follow-up question, "does it matter right now?", depends entirely on your view of the Q-day timeline, your position size, and your personal risk tolerance. For institutional or long-duration holders, the harvest-now, decrypt-later threat makes the risk present-tense, not hypothetical.
Frequently Asked Questions
Is Usual USD (USD0) quantum safe?
No. USD0 is an ERC-20 token on Ethereum secured by ECDSA/secp256k1 signatures. Shor's algorithm running on a sufficiently powerful quantum computer can derive an ECDSA private key from the corresponding public key, which is on-chain for any address that has sent a transaction. There is no additional quantum-resistant layer specific to the Usual protocol.
What is Q-day and why does it matter for stablecoin holders?
Q-day is the point at which a cryptographically relevant quantum computer (CRQC) becomes capable of running Shor's algorithm against real elliptic-curve keys in a practical timeframe. For stablecoin holders, it means an attacker could reconstruct private keys from public data on the blockchain, drain any exposed wallet, and potentially compromise protocol governance keys that control collateral vaults.
Does Ethereum have a plan to become quantum resistant?
Ethereum researchers are working on post-quantum signature support via account abstraction proposals such as EIP-7560, which would allow wallets to use NIST PQC-standardised schemes like CRYSTALS-Dilithium or SPHINCS+. However, there is no firm mainnet deployment date, and even after deployment, users would need to actively migrate funds to new quantum-safe addresses.
What is the harvest-now, decrypt-later attack and does it affect USD0?
In a harvest-now, decrypt-later (HNDL) attack, an adversary records signed transactions and on-chain data today, then processes that archive once a quantum computer is available. Any Ethereum address that has broadcast a signed transaction has its public key permanently recorded on-chain and is therefore subject to this attack, including addresses holding USD0.
What cryptographic standards are considered quantum resistant?
NIST finalised three post-quantum cryptography standards in 2024: ML-DSA (FIPS 204, based on CRYSTALS-Dilithium), SLH-DSA (FIPS 205, based on SPHINCS+), and ML-KEM (FIPS 203, based on CRYSTALS-Kyber for key encapsulation). Lattice-based schemes like ML-DSA are considered the most practical for digital signature use cases due to their balance of key size, signature size, and computational speed.
What can I do right now to reduce quantum exposure for my USD0 holdings?
Key steps include: auditing whether your holding addresses have exposed public keys through prior transactions; moving funds to fresh, never-used addresses; minimising address reuse going forward; monitoring Ethereum's EIP-7560 progress; and evaluating quantum-resistant wallet options that implement NIST FIPS 204/205 standards. For large positions, also consider the governance-key and custodial-address risks specific to the Usual protocol.