Will Quantum Computers Break Arweave?
Will quantum computers break Arweave is one of the more technically precise questions circulating in the permaweb community, and it deserves a precise answer. Arweave uses RSA-4096 for its wallet signatures, making it an outlier among Layer-1 networks, most of which rely on ECDSA. That choice has real implications for quantum resilience. This article walks through the exact cryptographic exposure, what a credible quantum threat actually requires, realistic timelines from the research community, and what AR holders and developers can do before that window closes.
How Arweave's Cryptography Actually Works
Most Layer-1 blockchains, including Bitcoin and Ethereum, use Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. Arweave took a different path. Its native wallet format uses RSA-4096 with SHA-256, implemented via the Web Crypto API and encoded in base64url. Transactions are signed with RSA-PSS, and wallet addresses are derived from the SHA-256 hash of the RSA public key modulus.
This is relevant because RSA and ECDSA have different quantum attack surfaces.
RSA vs. ECDSA: The Quantum Attack Comparison
Both algorithms are vulnerable to Shor's algorithm, the quantum routine that can solve the integer factorisation problem (RSA) and the discrete logarithm problem (ECDSA) in polynomial time on a sufficiently powerful quantum computer.
The critical difference is the key size required to achieve equivalent classical security:
| Algorithm | Classical Key Size | Equivalent Quantum Threat Qubits (est.) |
|---|---|---|
| ECDSA secp256k1 | 256-bit | ~2,330 logical qubits |
| RSA-2048 | 2048-bit | ~4,000 logical qubits |
| RSA-4096 (Arweave) | 4096-bit | ~8,000+ logical qubits |
Estimates vary across research papers, but the consistent finding is that breaking RSA-4096 requires roughly twice the logical qubit count of breaking RSA-2048, and significantly more than breaking secp256k1 ECDSA. In that narrow sense, Arweave's choice of RSA-4096 provides a larger quantum security margin than the Bitcoin or Ethereum wallet format, not because RSA is quantum-safe, but because it demands more quantum resources to attack.
That is a timing advantage, not immunity.
What "Logical Qubits" Actually Means
Raw qubit counts in press releases are misleading. Today's physical qubits are noisy and error-prone. Fault-tolerant quantum computing requires error correction, meaning each logical qubit needs hundreds or thousands of physical qubits to maintain coherence long enough to run Shor's algorithm at scale.
IBM's 2024 roadmap targets utility-scale machines. Google's Willow chip demonstrated important error-correction milestones in late 2024. Neither machine is anywhere near the thousands of stable logical qubits needed to threaten RSA-4096. The gap between current physical qubit counts and the error-corrected logical qubits required for cryptographically relevant attacks remains large.
---
What Would Have to Be True for Quantum Computers to Break Arweave
For a quantum attack on Arweave wallets to be practical, several conditions must converge:
- Fault-tolerant quantum hardware at scale. A machine with thousands of stable logical qubits, not raw physical qubits, capable of running Shor's algorithm on 4096-bit integers without decoherence.
- Efficient implementation of Shor's for RSA-4096. The algorithmic overhead for large key sizes is non-trivial. Resource estimates for RSA-4096 attacks are significantly higher than for RSA-2048.
- Access and attack window. The attacker must obtain a wallet's public key. For Arweave, the public key is embedded in every signed transaction. Any address that has ever broadcast a transaction has an exposed public key on-chain. Addresses that have received AR but never signed a transaction expose only the SHA-256 hash of the public key, which is not directly reversible by Shor's algorithm.
- Speed sufficient to act before network confirmation. In the "harvest now, decrypt later" model, the attacker already has the ciphertext or signed data. For live transaction interception, the quantum computer would need to derive the private key before a transaction is confirmed, which adds a severe time constraint.
Conditions 1 and 2 are the binding constraints for the foreseeable future.
---
Realistic Timelines from the Research Community
Quantum computing timelines have historically been optimistic. A survey of peer-reviewed estimates provides a more grounded picture:
- NIST finalised its first post-quantum cryptography standards in August 2024 (FIPS 203, 204, 205), signalling that standardisation is done and migration should begin, not that attacks are imminent.
- IBM projects utility-scale fault-tolerant machines in the 2029-2033 range, though "utility-scale" is not synonymous with "cryptographically relevant."
- A 2022 Chinese research paper claimed an approach to break RSA-2048 with 372 physical qubits. Independent cryptographers broadly considered the approach flawed or unscalable. Peer review matters.
- Mosca's Theorem offers a useful framing: if the time to migrate a system (x years) plus the time adversaries need to decrypt harvested data (y years) exceeds the time until a quantum computer capable of breaking current encryption exists (z years), migration should start now. For long-lived data storage, Arweave's core value proposition, y is potentially very large.
The consensus among cryptographers is that RSA-4096 faces a credible but not imminent threat, with a plausible risk window opening sometime in the 2030s under optimistic hardware scenarios. Some researchers put it later. Few serious analysts put it within five years.
The concern is not tomorrow. The concern is that permaweb data stored on Arweave today is intended to persist for centuries. Cryptography that is adequate in 2025 may not be adequate in 2035 or 2045.
---
The Harvest-Now-Decrypt-Later Problem for Permanent Storage
This is where Arweave's specific use case creates a sharper exposure than a typical payment blockchain.
Arweave's architectural promise is permanent, immutable storage. Data uploaded today is intended to be retrievable indefinitely. That means:
- Encrypted data stored on Arweave with today's classical encryption is potentially vulnerable to adversaries who harvest it now and wait for quantum capability to decrypt it later.
- Signed transactions and exposed public keys remain on-chain permanently. There is no "delete" function.
- Applications building on Arweave for document notarisation, archival, or identity verification should treat this as a planning variable, particularly if the data has multi-decade sensitivity.
This is not an argument against using Arweave. It is an argument for thinking carefully about what you encrypt with what, and for watching how the Arweave protocol and its tooling ecosystem evolve in response to post-quantum standardisation.
---
What Arweave Holders and Developers Can Do Now
For Holders of AR Tokens
- Understand your exposure level. If your wallet address has signed and broadcast transactions, your RSA-4096 public key is already on-chain. This is normal and does not create immediate risk. It does mean that if a sufficiently powerful quantum computer becomes available, the private key could theoretically be derived from that public key.
- Monitor protocol-level developments. The Arweave community and core team are aware of long-term cryptographic threats. Watch for discussions in the Arweave Discord, governance forums, and research repositories about signature scheme migration.
- Diversify storage of sensitive private keys. Hardware wallets reduce the attack surface for classical threats. Quantum threats operate at the algorithm level, not the device level, so hardware wallet security is a separate axis from post-quantum security.
For Developers Building on Arweave
- Apply post-quantum encryption at the application layer for sensitive data. NIST's finalised algorithms, CRYSTALS-Kyber (ML-KEM, FIPS 203) for key encapsulation and CRYSTALS-Dilithium (ML-DSA, FIPS 204) for digital signatures, can be used in application code today, independent of Arweave's native signature scheme.
- Avoid long-lived RSA or ECDSA-encrypted payloads stored on-chain if the data has multi-decade sensitivity. Treat data confidentiality and data integrity as separate layers.
- Plan for signature scheme agility. If the Arweave protocol introduces a post-quantum signature option, applications that have built-in migration logic will adapt more cleanly than those hardcoded to a single scheme.
For the Arweave Protocol
Arweave's use of RSA-4096 was a deliberate engineering choice that does provide more quantum headroom than ECDSA-based chains. However, RSA-4096 is not on NIST's post-quantum safe list. A future protocol upgrade to a lattice-based or hash-based signature scheme would be the definitive answer to the quantum question. This is a governance and engineering challenge, not a trivial swap, given Arweave's immutability guarantees and existing transaction history.
---
How Natively Post-Quantum Designs Differ
Most existing blockchains are retrofitting quantum resistance onto architectures built around ECDSA or RSA. That migration path is technically complex and carries backward-compatibility risks.
A contrasting approach is to build post-quantum cryptography into the wallet and signing layer from the outset. Projects that align with NIST PQC standards at the protocol level, using lattice-based cryptographic primitives rather than adapting classical schemes, eliminate the migration problem by design. BMIC.ai is one example of a project taking this approach, building its wallet infrastructure on lattice-based cryptography from the ground up rather than inheriting ECDSA exposure.
The distinction matters because "post-quantum upgrade planned" and "post-quantum by design" carry very different risk profiles over a 10-to-20-year horizon.
---
Summary: The Honest Answer
Will quantum computers break Arweave? The technically accurate answer is: not with any existing or near-term hardware, but the theoretical vulnerability is real and the permanent-storage use case makes long-horizon planning more urgent than for typical payment chains.
Arweave's RSA-4096 choice gives it more quantum headroom than Bitcoin or Ethereum wallets. That headroom is meaningful in the short term. It is not a permanent solution. The harvest-now-decrypt-later threat is more pressing for archival applications than for spot transactions, and developers working with sensitive long-lived data should layer post-quantum encryption at the application level now, using NIST-standardised algorithms, rather than waiting for protocol-level changes.
The threat is real, the timeline is uncertain, and the appropriate response is methodical preparation, not panic.
Frequently Asked Questions
Does Arweave use a quantum-vulnerable signature scheme?
Yes. Arweave uses RSA-4096 with SHA-256 for wallet signatures. RSA is vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. RSA-4096 requires more quantum resources to attack than the ECDSA used by Bitcoin and Ethereum, but it is not quantum-safe by NIST standards.
How many qubits would be needed to break Arweave's RSA-4096?
Peer-reviewed estimates suggest that breaking RSA-4096 with Shor's algorithm would require roughly 8,000 or more error-corrected logical qubits. Today's best quantum computers have hundreds or thousands of noisy physical qubits, which translate to far fewer stable logical qubits. The gap between current capability and this threshold remains very large.
Is my AR wallet address at risk right now?
Not in practical terms. No existing quantum computer can run Shor's algorithm at the scale needed to attack RSA-4096. If your wallet has signed a transaction, your public key is on-chain, which is the long-run exposure. Addresses that have never broadcast a transaction expose only a SHA-256 hash, which adds another layer of protection.
What is the harvest-now-decrypt-later threat for Arweave?
Because Arweave is designed for permanent storage, data uploaded today remains accessible indefinitely. An adversary could copy encrypted data stored on Arweave now and wait until a capable quantum computer exists to decrypt it. For data with multi-decade sensitivity, this is a meaningful planning consideration, even if the attack is not feasible today.
What can developers building on Arweave do about quantum risk?
Developers can apply NIST-standardised post-quantum encryption, such as ML-KEM (CRYSTALS-Kyber) for key encapsulation and ML-DSA (CRYSTALS-Dilithium) for signatures, at the application layer today. This protects data confidentiality independently of Arweave's native RSA-4096 scheme and does not require waiting for a protocol-level upgrade.
When might quantum computers pose a real threat to RSA-4096?
Mainstream cryptographic opinion puts a credible risk window for RSA-4096 somewhere in the 2030s under optimistic quantum hardware scenarios, with many researchers placing it later. NIST finalised its post-quantum standards in 2024 precisely to give organisations time to migrate before that window arrives. No credible researcher puts the threat within the next few years.