Is Walrus Quantum Safe?

Is Walrus quantum safe? It is a pressing question for anyone holding WAL tokens or building on the Walrus decentralised storage protocol, because the answer today is: not yet, and not by design. Like virtually every major blockchain project launched before 2024, Walrus inherits its cryptographic assumptions from classical elliptic-curve schemes that a sufficiently powerful quantum computer could break. This article unpacks exactly which algorithms are at risk, what Q-day means for WAL holders, whether the Walrus roadmap addresses post-quantum migration, and what protection options currently exist.

What Cryptography Does Walrus Use?

Walrus is a decentralised blob-storage network built on top of the Sui blockchain. Understanding its quantum exposure starts with understanding the cryptographic stack it inherits.

Sui's Signature Schemes

Sui supports multiple signature algorithms, including:

When a Walrus user holds WAL tokens in a Sui wallet, the private key securing those tokens relies on one of these schemes. The most common for regular users is Ed25519, which is fast, small, and well-audited. None of them are quantum-resistant.

EdDSA vs ECDSA: Are They Different Threats?

Ed25519 and ECDSA are both elliptic-curve constructions. While Ed25519 has several advantages over secp256k1 ECDSA in classical security (better resistance to side-channel attacks, deterministic nonces), both schemes share the same fundamental vulnerability to quantum attack: their security rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP).

A large-scale quantum computer running Shor's algorithm can solve ECDLP in polynomial time. That reduces breaking a 256-bit elliptic-curve key to a tractable computation, rather than the astronomically hard problem it is for classical hardware.

In short: Ed25519 is not safer than secp256k1 ECDSA against a quantum adversary. Both fall to the same algorithmic attack.

---

Understanding Q-Day and Why It Matters for WAL

Q-Day is the colloquial term for the point at which quantum computers become capable of breaking widely deployed public-key cryptography at practical speed. Estimates from NIST, NCSC, and academic researchers vary, but the range most frequently cited places Q-Day somewhere between 2030 and 2040, with some scenarios placing a narrow-capability breakthrough earlier.

The "Harvest Now, Decrypt Later" Vector

One threat does not require waiting for Q-Day. State-level and well-resourced adversaries can already harvest encrypted traffic and signed transaction data today, storing it for decryption once quantum hardware is available. For WAL holders, the immediate relevance is narrower (signed blockchain transactions are public by design, and the attacker needs to derive private keys, not just decrypt messages), but the principle matters for custodians, bridges, and any off-chain communication layer touching the Walrus stack.

The On-Chain Exposure Window

The more direct risk at Q-Day is address exposure. On Sui-based systems, a public key is revealed when an account first signs a transaction. At that moment, the public key is permanently on-chain. A quantum adversary with access to a cryptographically capable machine could:

  1. Scan the chain for exposed public keys.
  2. Run Shor's algorithm to derive corresponding private keys.
  3. Drain wallets before owners can move funds.

Walrus staking contracts, governance addresses, and any WAL wallet that has ever signed a transaction are all in scope for this attack vector once Q-Day arrives.

---

Does Walrus Have a Post-Quantum Migration Plan?

As of mid-2025, neither the Walrus whitepaper nor the Sui cryptography roadmap publicly commits to a concrete timeline for post-quantum signature migration. This is not unusual: the majority of production blockchain networks are in the same position.

What Sui Has Said

Sui's cryptography team has acknowledged awareness of post-quantum concerns and has noted the modularity of its signature architecture as an enabler of future upgrades. Sui's multi-scheme support, where different signature types can coexist at the address level, is genuinely useful infrastructure for an eventual migration. But awareness and modularity are not the same as a shipped solution.

What a Migration Would Require

A credible post-quantum migration for a Walrus/Sui-based wallet would involve several steps:

  1. Adopting a NIST PQC-standardised algorithm. NIST finalised its first post-quantum standards in 2024: ML-KEM (formerly CRYSTALS-Kyber, for key encapsulation) and ML-DSA (formerly CRYSTALS-Dilithium, for digital signatures). A third standard, SLH-DSA (SPHINCS+, hash-based), was also ratified.
  2. Updating the Sui Move VM to recognise and validate post-quantum signature formats.
  3. Migrating user keys via a transition period where both classical and PQC signatures are accepted.
  4. Updating wallet software across every Sui-compatible wallet that holds WAL.

Each step requires ecosystem-wide coordination. The longer the ecosystem waits, the larger the installed base of classical-key addresses that need migration.

Comparison: Walrus vs Other Networks on PQC Readiness

| Network / Protocol | Signature Schemes | NIST PQC Adopted | Public PQC Roadmap |
|---|---|---|---|
| Walrus (Sui) | Ed25519, secp256k1/r1, BLS12-381 | No | No |
| Ethereum | secp256k1 ECDSA | No | Research stage (EIP discussions) |
| Bitcoin | secp256k1 ECDSA | No | No formal plan |
| Algorand | Ed25519 | No | Partial (research) |
| QRL | XMSS (hash-based) | Yes (hash-based family) | Shipped |
| BMIC.ai | Lattice-based (ML-DSA aligned) | Yes | Shipped in wallet layer |

The table illustrates a consistent pattern: most established networks have not yet shipped post-quantum signature support at the protocol level. BMIC.ai is a notable exception, having built lattice-based, NIST PQC-aligned cryptography directly into its wallet architecture, making it one of the few production-ready options for users who want quantum-resistant custody today.

---

How Lattice-Based Post-Quantum Cryptography Works

For readers unfamiliar with post-quantum cryptography, a brief primer on why lattice schemes resist quantum attack is useful context.

The Hardness Problem

Classical elliptic-curve schemes depend on ECDLP. Lattice-based schemes depend on problems like Learning With Errors (LWE) or its ring variant (RLWE). These problems involve finding a short vector in a high-dimensional geometric lattice, a task for which no efficient quantum algorithm is known. Shor's algorithm, which demolishes ECDLP, provides no meaningful speedup against LWE-class problems.

ML-DSA (CRYSTALS-Dilithium) in Practice

ML-DSA is the lattice-based digital signature standard most relevant to wallet security:

The size increase over Ed25519 is real, but for wallet signing operations (not high-frequency data streaming), it is operationally acceptable.

Hash-Based Alternatives: SLH-DSA

SLH-DSA (SPHINCS+) is a stateless hash-based signature scheme. Its security relies only on the collision resistance of the underlying hash function, making it one of the most conservative and well-understood post-quantum options. The tradeoff is larger signature sizes (8–50 KB depending on parameters) and slower signing. For blockchain use cases requiring compact on-chain data, lattice-based ML-DSA is generally preferred.

---

Practical Steps for WAL Holders Concerned About Quantum Risk

Waiting for Walrus or Sui to ship a native PQC upgrade may not be the right risk posture for every holder. Several practical mitigations are available now.

1. Use Addresses That Have Not Yet Signed

An address whose public key has never been broadcast to the chain is harder to target at Q-Day, because the attacker cannot derive the private key without the public key. This is sometimes called a "zero-exposure" address strategy. It is a deferral tactic, not a fix, but it reduces the harvest-now-attack-later surface.
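The exposure window and the zero-exposure strategy described above can be checked for your own addresses with a small audit. This is an added example, not code from Walrus or Sui. It assumes Sui's documented address derivation (BLAKE2b-256 over a scheme flag byte followed by the public key) and serialized signature layout (flag, signature, public key), neither of which is stated on this page; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib

# Sui scheme flag -> (name, signature length, public-key length); assumed from Sui docs
SCHEMES = {0x00: ("ed25519", 64, 32), 0x01: ("secp256k1", 64, 33), 0x02: ("secp256r1", 64, 33)}


def sui_address(flag: int, pubkey: bytes) -> str:
    """Address is a hash of the key, so an unused address does not reveal the key."""
    return "0x" + hashlib.blake2b(bytes([flag]) + pubkey, digest_size=32).hexdigest()


def parse_signature(b64_sig: str):
    """Split a serialized signature (flag || sig || pubkey) into (flag, pubkey)."""
    raw = base64.b64decode(b64_sig, validate=True)
    if not raw or raw[0] not in SCHEMES:
        raise ValueError("unsupported or missing scheme flag")
    flag = raw[0]
    _, sig_len, pk_len = SCHEMES[flag]
    if len(raw) != 1 + sig_len + pk_len:
        raise ValueError("length does not match scheme")
    return flag, raw[1 + sig_len:]


def audit_exposure(my_addresses, observed_signatures):
    """Map each owned address to a scheme name if its public key is on record, else None."""
    report = {addr: None for addr in my_addresses}
    for b64_sig in observed_signatures:
        try:
            flag, pubkey = parse_signature(b64_sig)
        except ValueError:
            continue  # multisig, zkLogin or malformed entries are out of scope here
        addr = sui_address(flag, pubkey)
        if addr in report:
            report[addr] = SCHEMES[flag][0]
    return report


# Constructed sample data: placeholder key bytes and an all-zero signature, not real keys.
PK_SPENT = bytes(range(32))      # key that has signed once
PK_COLD = bytes(range(32, 64))   # key that has never signed
SPENT_ADDR = sui_address(0x00, PK_SPENT)
COLD_ADDR = sui_address(0x00, PK_COLD)
SAMPLE_SIGS = [base64.b64encode(b"\x00" + bytes(64) + PK_SPENT).decode()]

if __name__ == "__main__":
    for addr, scheme in audit_exposure([SPENT_ADDR, COLD_ADDR], SAMPLE_SIGS).items():
        print(addr, "EXPOSED (" + scheme + ")" if scheme else "public key not on record")
```

In practice the signature list would come from the transaction history of the addresses you control; an address reported as exposed is one to prioritise when a migration path becomes available.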

2. Monitor NIST PQC Integration on Sui

Watch Sui's GitHub and SIP (Sui Improvement Proposals) tracker for any proposals adding ML-DSA or SLH-DSA signature support. When such a SIP reaches testnet, it signals that migration infrastructure is approaching.

3. Use a Quantum-Resistant Custody Layer for High-Value Holdings

For significant WAL positions, some holders route custody through wallets that already implement post-quantum cryptography at the key-management layer. This does not make the on-chain address quantum-safe (the Sui address is still ECDSA/EdDSA-derived), but it protects the private key storage and signing environment from quantum-assisted compromise of the custody infrastructure itself.

4. Diversify Into Natively PQC-Protected Assets

Holders with meaningful crypto exposure may consider allocating a portion of their portfolio to assets whose base layer already uses post-quantum signatures. This hedges against a scenario where Q-Day arrives before major networks complete migration.

---

What Q-Day Scenarios Look Like for Walrus Specifically

It is worth stress-testing specific scenarios rather than speaking about quantum risk in the abstract.

Scenario A: Gradual Q-Day (2035+, Public Announcement)

If quantum capability develops slowly and is publicly announced well in advance (the most optimistic scenario), Sui will likely have shipped a PQC migration pathway by that point. WAL holders with active addresses would have time to migrate to new PQC-secured keys. This is the outcome the ecosystem is implicitly relying on.

Scenario B: Sudden or Undisclosed Capability

If a state actor achieves cryptographically relevant quantum computing without public announcement, the harvest-now-decrypt-later attack becomes active. Wallets that have ever signed a transaction on Sui (including WAL wallets) would be at risk. There would be no warning period for migration.

Scenario C: Narrow-Capability Attack (High-Value Targets Only)

A machine capable of breaking elliptic-curve keys in, say, hours rather than minutes would still be sufficient to target the highest-value addresses on any chain. Walrus treasury addresses, staking contracts holding large WAL balances, and major validator wallets would be priority targets in this scenario.

Analysts covering quantum risk tend to treat Scenario C as the most plausible near-term threat, and it is the scenario for which "migrate when there's a public announcement" is least effective as a defence.

---

Summary: The Honest State of Walrus Quantum Safety

Walrus is not quantum safe in its current form. Its cryptographic dependency on Ed25519 and secp256k1/r1 ECDSA means all WAL-holding addresses are theoretically vulnerable to a quantum adversary capable of running Shor's algorithm at scale. No production post-quantum migration has been announced for Sui or Walrus as of mid-2025.

This does not make Walrus uniquely risky relative to its peers: Bitcoin, Ethereum, and most other major networks share the same exposure. But "everyone has the problem" is not the same as "the problem does not exist."

The actionable takeaways for WAL holders are:

The broader lesson from this analysis is that post-quantum readiness is a design decision, not a feature that can be bolted on at the last minute. Networks and wallets that are building PQC in now will be significantly better positioned when the quantum threat transitions from theoretical to operational.

Frequently Asked Questions

Is Walrus (WAL) quantum safe right now?

No. Walrus operates on the Sui blockchain, which uses classical elliptic-curve signature schemes including Ed25519 and secp256k1/r1 ECDSA. Both are vulnerable to Shor's algorithm running on a sufficiently large quantum computer. As of mid-2025, no post-quantum migration has been shipped or formally scheduled for Sui or Walrus.

Is Ed25519 safer than ECDSA against quantum attacks?

Not meaningfully. While Ed25519 has classical security advantages over secp256k1 ECDSA (deterministic nonces, resistance to certain side-channel attacks), both rely on the hardness of the elliptic curve discrete logarithm problem. Shor's algorithm breaks ECDLP efficiently regardless of which elliptic curve is used, so Ed25519 offers no additional protection at Q-Day.

When is Q-Day expected to happen?

Estimates from NIST, NCSC, and academic researchers most commonly cite a range of 2030 to 2040 for a cryptographically relevant quantum computer capable of breaking 256-bit elliptic-curve keys. Some scenarios place a narrow-capability breakthrough earlier. There is genuine uncertainty; Q-Day is a probability distribution rather than a fixed date.

What NIST post-quantum standards are relevant to blockchain wallets?

The most relevant is ML-DSA (formerly CRYSTALS-Dilithium), a lattice-based digital signature standard finalised by NIST in 2024. SLH-DSA (SPHINCS+), a hash-based scheme, was also standardised and is more conservative but produces larger signatures. ML-KEM (formerly CRYSTALS-Kyber) covers key encapsulation and is relevant to encrypted communication layers rather than on-chain signing.

Can I protect my WAL holdings from quantum risk today?

Fully protecting on-chain WAL addresses requires Sui to implement post-quantum signature support at the protocol level, which has not happened yet. In the meantime, practical mitigations include minimising the number of public keys exposed on-chain, monitoring Sui Improvement Proposals for PQC roadmap progress, and using quantum-resistant custody infrastructure for signing operations on high-value positions.

Does the 'harvest now, decrypt later' attack affect WAL holders?

The primary harvest-now-decrypt-later risk for blockchain users involves deriving private keys from public keys that are already on-chain. Any Sui address that has ever signed a transaction has its public key permanently recorded on-chain, making it a candidate for retrospective quantum attack once capable hardware exists. High-value or long-dormant addresses with on-chain transaction history carry the most exposure.