Will Quantum Computers Break Monero?
Will quantum computers break Monero? It is one of the most technically nuanced questions in crypto security, and it deserves a precise answer rather than a headline. Monero's privacy architecture uses several cryptographic primitives, some of which are more quantum-resistant than others. This article breaks down exactly how Monero's signature scheme works, which components a sufficiently powerful quantum computer could attack, what would actually have to be true for that attack to succeed, what the realistic timeline looks like, and what XMR holders can do in the meantime.
How Monero's Cryptography Works
To answer whether quantum computers threaten Monero, you first have to understand what cryptographic primitives Monero actually uses. Monero is not a simple ECDSA chain like Bitcoin. Its privacy stack is a layered system:
Ring Signatures (MLSAG / CLSAG)
Monero uses Multilayer Linkable Spontaneous Anonymous Group (MLSAG) signatures, upgraded to Concise Linkable Spontaneous Anonymous Group (CLSAG) signatures in the October 2020 network upgrade. Both are built over the edwards25519 curve (the twisted Edwards form of Curve25519, the same curve the Ed25519 signature scheme uses; Monero does not use Ed25519 signatures themselves). Like every elliptic-curve scheme, their security rests on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). A large-scale quantum computer running Shor's algorithm solves ECDLP in polynomial time, which means it could derive any private key from its public key; in Monero's case that includes the one-time key of every output ever written to the chain.
Stealth Addresses
Every Monero transaction generates a one-time stealth address: the sender picks a random transaction key r, publishes R = rG, and derives the output key P = H_s(rA)G + B from the recipient's public view key A and public spend key B, a Diffie-Hellman exchange over the same curve. Stealth addresses are public-key cryptography and are therefore exposed to the same Shor's algorithm attack: R alone lets a quantum adversary recover r. The attack surface is narrower than it looks, though, because the recipient's address (A, B) never appears on-chain. Linking an output to its recipient still requires knowing that address, so addresses that have been published or shared with counterparties are the ones at risk, and an attacker who knows (A, B) can also derive a and b and spend everything ever sent there.
Pedersen Commitments and Bulletproofs
Monero's amount-hiding layer uses Pedersen commitments and Bulletproofs (range proofs). A Pedersen commitment C = xG + aH is perfectly hiding, so the amount a cannot be read from C even with unbounded computation, but it is only computationally binding: anyone who can compute the discrete logarithm between G and H can open a commitment to a different amount and create money out of nothing. Bulletproof soundness rests on the same discrete-log assumption, so a quantum adversary could also forge a range proof. Grover's algorithm is a separate and weaker concern: it roughly square-roots the cost of a brute-force preimage search, taking the 256-bit Keccak hashes Monero uses for key derivation and Fiat-Shamir challenges down to about 128 bits of quantum security. That is inconvenient but not catastrophic, and it applies equally to Bitcoin, Ethereum, and nearly every other blockchain. One caveat on hiding: Monero derives each output's blinding factor and encrypted amount from the sender-recipient shared secret, so an attacker who recovers the transaction private key with Shor and knows the recipient's address learns the amount that way, without attacking the commitment.
---
Which Parts Are Genuinely Vulnerable?
Not every layer is equally exposed. Here is a structured breakdown:
| Component | Classical Security | Quantum Attack | Quantum Algorithm | Severity |
|---|---|---|---|---|
| CLSAG ring signatures (Ed25519) | ~128-bit | Private key derivable from public key | Shor's algorithm | **High** |
| Stealth address key exchange | ~128-bit | Output linkable to any published recipient address; amount recoverable with it | Shor's algorithm | **Moderate** |
| Pedersen commitments (binding) | ~128-bit | Commitment openable to a different amount (undetectable inflation); hiding is information-theoretic and survives | Shor's algorithm | **High** |
| Bulletproof range proofs (soundness) | ~128-bit (discrete log) | Range proof forgeable; only the Fiat-Shamir hash layer is merely weakened by Grover | Shor's algorithm | **High** |
| RingCT decoy selection (privacy layer) | No crypto assumption | Not a cryptographic attack target | N/A | **Not applicable** |
The honest conclusion: Monero's signature and key-agreement layers share the same fundamental vulnerability as Bitcoin and Ethereum at Q-day. Ring signatures add meaningful privacy against classical adversaries, but they do not add quantum resistance. A quantum computer that can break ECDSA on Bitcoin can also break Ed25519 on Monero.
What Monero's Ring Signatures Do Not Protect Against
A common misconception is that ring signatures make the sender's public key invisible, implying a quantum attacker has no key to attack. In practice, the key image I = x·H_p(P) and the public keys P_1, ..., P_n of all ring members are on-chain. A quantum adversary recovers each x_i with Shor's algorithm, recomputes x_i·H_p(P_i) for every member, and the one that equals I is the real spender. Because the data is already public, every historical transaction is exposed to this retroactively: it is the privacy-layer analogue of harvest-now, decrypt-later. This is a privacy failure as much as a security failure.
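The two attacks above, the key-image matching described in this section and the stealth-address linking described under "Stealth Addresses", as a single added toy model. This is constructed example code, not Monero's: the group is a small prime-order subgroup of Z_p* (written with Monero's additive notation), the hash functions are SHA-256 stand-ins for Keccak, the output index and subaddress machinery are omitted, and a baby-step giant-step discrete-log solver plays the role of Shor's algorithm, which is only possible because the toy group is about 2^20 in size instead of 2^252.

```python
"""Toy model of quantum deanonymization of a Monero-style ring signature and
stealth address. Constructed example, not Monero code: a small prime-order
subgroup of Z_p^* replaces edwards25519 so that a classical discrete-log
solver can stand in for Shor's algorithm."""
import hashlib
import math


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small parameters used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


# Group parameters: Q prime, P = K*Q + 1 prime, G generates the order-Q subgroup.
Q = next(q for q in range(1_000_003, 2_000_000) if is_prime(q))
K = next(k for k in range(2, 10_000, 2) if is_prime(k * Q + 1))
P = K * Q + 1
G = next(g for g in (pow(b, K, P) for b in range(2, P)) if g != 1)


def mul(point: int, scalar: int) -> int:
    """Scalar multiplication in the toy group (exponentiation mod P)."""
    return pow(point, scalar % Q, P)


def add(a: int, b: int) -> int:
    """Point addition in the toy group (multiplication mod P)."""
    return (a * b) % P


def h_scalar(*parts: int) -> int:
    """H_s: hash to a scalar mod Q (SHA-256 stands in for Keccak)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def h_point(pub: int) -> int:
    """H_p: hash to a subgroup element whose discrete log nobody knows
    (raising to the cofactor K lands in the order-Q subgroup)."""
    h = int.from_bytes(hashlib.sha256(str(pub).encode()).digest(), "big")
    pt = pow(h % P, K, P)
    return pt if pt not in (0, 1) else G


def key_image(priv: int, pub: int) -> int:
    """Monero-style key image I = x * H_p(P), published once per spent output."""
    return mul(h_point(pub), priv)


def shor_oracle(pub: int, base: int = G) -> int:
    """Stand-in for Shor's algorithm: returns x with pub = x * base.
    Baby-step giant-step costs ~sqrt(Q) work, feasible only because Q is tiny."""
    m = math.isqrt(Q) + 1
    table = {}
    step = 1
    for j in range(m):                      # baby steps: base^j -> j
        table.setdefault(step, j)
        step = add(step, base)
    giant = pow(base, -m, P)                # base^(-m)
    gamma = pub
    for i in range(m):                      # giant steps: pub * base^(-i*m)
        if gamma in table:
            return (i * m + table[gamma]) % Q
        gamma = add(gamma, giant)
    raise ValueError("element not in the subgroup")


def deanonymize_ring(ring, image: int) -> int:
    """Solve every ring member's private key, recompute each candidate key
    image and match the one on-chain. Returns the index of the true signer."""
    for idx, pub in enumerate(ring):
        if key_image(shor_oracle(pub), pub) == image:
            return idx
    raise ValueError("no ring member produced this key image")


def stealth_output(r: int, view_pub: int, spend_pub: int):
    """Sender side of a stealth address: R = rG, P = H_s(rA)G + B."""
    shared = mul(view_pub, r)
    return mul(G, r), add(mul(G, h_scalar(shared)), spend_pub)


def link_output(tx_pub: int, out_pub: int, addresses):
    """Recover r from R, then test each *known* address (A, B). Returns the
    matching index, or None when the recipient's address was never published:
    that is why unpublished addresses are the narrower target."""
    r = shor_oracle(tx_pub)
    for idx, (view_pub, spend_pub) in enumerate(addresses):
        if add(mul(G, h_scalar(mul(view_pub, r))), spend_pub) == out_pub:
            return idx
    return None


if __name__ == "__main__":
    ring_priv = [11, 22, 33, 44]
    ring = [mul(G, x) for x in ring_priv]
    image = key_image(ring_priv[2], ring[2])   # index 2 is the real spender
    print("true signer index:", deanonymize_ring(ring, image))   # 2
    addresses = [(mul(G, 9), mul(G, 10)), (mul(G, 1234), mul(G, 5678))]
    R, out = stealth_output(4321, *addresses[1])
    print("recipient index:", link_output(R, out, addresses))    # 1
```

Note what the model does not need: neither attack uses the signature itself. The key image and the ring's public keys suffice for deanonymization, and R plus a list of candidate addresses suffices for recipient linking, which is why both work retroactively on data that is already on-chain.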
---
What Would Actually Have to Be True for This Attack to Succeed?
Fear-mongering about quantum threats often skips over the engineering realities. For a quantum computer to break Monero's signatures, the following must hold simultaneously:
- A fault-tolerant quantum computer with millions of physical qubits must exist. Current state-of-the-art machines (IBM Heron, Google Willow) have hundreds to low thousands of physical qubits with error rates far too high for Shor's algorithm to run against 256-bit elliptic curves at any practical scale.
- Logical qubit overhead must be solved. Breaking a 256-bit elliptic curve key requires roughly 2,330 logical qubits under the estimate of Roetteler et al. (2017); later resource estimates have reduced the gate counts, so treat these figures as a ceiling rather than a fixed requirement. With current error correction codes, each logical qubit requires somewhere between 1,000 and 10,000 physical qubits depending on error rates. That implies between 2.3 million and 23 million physical qubits, and no published hardware roadmap reaches that scale within the next decade.
- The attack must complete before the exposed key is rotated or the network forks. For Monero, one-time output keys are single-use by design, which provides partial protection: an output whose key image is already on-chain cannot be spent again, so recovering its private key only deanonymizes history. Unspent outputs are the theft target, and the long-lived public view and spend keys in a published address are the primary one, since recovering them yields every output ever sent to that address.
- The Monero network has not yet hard-forked to a post-quantum signature scheme. Monero's development community is active and has a track record of upgrading cryptographic primitives via scheduled hard forks. If quantum timelines become more concrete, a fork is a plausible response.
None of this means the threat is fictional. It means the attack is not imminent, but it is also not far enough away to ignore during the design of long-lived systems.
---
Realistic Quantum Timeline: Scenario Analysis
Analysts and research institutions differ sharply on when a cryptographically relevant quantum computer (CRQC) will arrive. Here is a condensed view of published positions:
- Near-term pessimists (2030–2035): U.S. government guidance (NSA's CNSA 2.0 and NIST's draft transition timeline) calls for migrating systems off quantum-vulnerable algorithms by the early 2030s. Those dates reflect migration lead time and harvest-now, decrypt-later risk as much as a concrete CRQC forecast, but they imply a threat could emerge within a decade.
- Mid-range consensus (2035–2045): Expert surveys such as the Global Risk Institute's annual quantum threat timeline report place a CRQC capable of breaking 256-bit ECC at roughly 15 to 25 years out, conditional on sustained engineering progress.
- Long-range optimists (2050+): Several quantum hardware researchers argue that the physical qubit counts and error correction requirements mean a CRQC for ECC-256 is more than 30 years away.
What this means practically: there is no near-term emergency for Monero holders, but there is a design-level concern for wallets and infrastructure intended to be secure across multi-decade time horizons.
NIST completed its first post-quantum cryptography (PQC) standardization round in 2024, publishing FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber, for key encapsulation), FIPS 204 (ML-DSA, from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+) for signatures; FALCON was selected as well, but its standard (FN-DSA, FIPS 206) was still pending. These lattice-based and hash-based schemes are designed to resist Shor's algorithm. No major Layer-1 blockchain has yet migrated its core signature scheme to any of these standards, Monero included.
---
What Monero Holders Can Do Right Now
Waiting for a network-level fix is one option, but individual holders have several practical steps available today:
Minimize Long-Lived Key Exposure
- Rotate wallets periodically. Generating fresh addresses and moving funds does not shrink on-chain exposure, because every one-time output key is public from the moment it is created and stays public forever. What it does limit is how much value sits behind any single published address (A, B), which is the first thing an attacker who knows that address would target.
- Use subaddresses rather than handing out one main address. A Monero address never appears on-chain, so reuse is not the privacy problem it is on Bitcoin; the exposure is off-chain, where counterparties who know the same address can correlate payments and, at Q-day, derive its private keys.
- Do not publish view keys unless necessary. Selective disclosure of a private view key for auditing already reveals incoming outputs to a classical observer, and it is long-lived key material that cannot be taken back.
Monitor Protocol Development
- Track the Monero Research Lab (MRL), the group that designs and reviews Monero's cryptographic upgrades. MRL's recent work on ring signatures, including Triptych and the full-chain membership proofs that followed, improves efficiency and anonymity-set size but is still discrete-log based and is not post-quantum; PQC migration paths are discussed in separate threads.
- Watch for any Monero hard fork announcements that incorporate PQC signature schemes. Monero has hard-forked regularly (roughly twice a year in its early years, less often since) and has historically been willing to adopt improved cryptographic primitives.
Diversify Across Architectures
Holders concerned about multi-decade quantum risk can consider diversifying into infrastructure that was designed from the ground up with post-quantum cryptography. Projects like BMIC are building wallets using lattice-based cryptographic schemes aligned with NIST's PQC standards, directly targeting the Q-day problem that Monero and every other ECC-based chain currently faces.
---
How Natively Post-Quantum Designs Differ
The fundamental difference between retrofitting post-quantum security onto an existing chain and building a natively post-quantum system comes down to key generation, storage, and signing architecture.
Retrofitting vs. Native PQC
Retrofitting a chain like Monero would require:
- Replacing the Ed25519 signing scheme with a NIST PQC-approved alternative (e.g., Dilithium or FALCON)
- Updating ring signature constructions to work with lattice-based or hash-based keys, which is non-trivial because existing ring signature schemes assume specific algebraic structures in ECC
- Migrating existing wallet key material, which is impossible to force without breaking backward compatibility
- Coordinating a hard fork across a decentralized, privacy-focused community with no formal governance structure
Natively post-quantum wallets and tokens, designed with PQC from day one, sidestep most of these issues. They have no legacy key material to migrate, no ECC assumptions baked into their signing logic, and no retrofit coordination problem. The tradeoff is that they lack Monero's decade-plus track record in production under adversarial conditions.
Signature Size and Performance
One practical cost of post-quantum signatures is size. An ML-DSA-44 (Dilithium) signature is 2,420 bytes with a 1,312-byte public key, compared to Ed25519's 64-byte signature and 32-byte public key. FALCON-512 offers a smaller signature (666 bytes, 897-byte public key) at the cost of floating-point arithmetic in signing that is harder to implement safely and in constant time. Monero carries one ring signature per input, and a post-quantum ring signature would also grow with ring size, so any PQC migration would multiply transaction sizes and therefore fees and block propagation times, requiring careful protocol engineering.
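To make the hash-based side of the tradeoff concrete, here is an added example, not code from the page, Monero or any NIST submission: a Lamport one-time signature over SHA-256. Its security rests only on hash preimage resistance, which Shor does not touch and Grover merely weakens, and its size is the cost: an 8 KB signature and a 16 KB public key for a 256-bit digest. SPHINCS+ (SLH-DSA) builds a many-time scheme from the Winternitz descendant of this idea arranged in a hypertree, which is why its signatures are still tens of kilobytes. The `revealed_after_reuse` helper shows the one-time restriction that such constructions exist to remove.

```python
"""Lamport one-time signature over SHA-256. Constructed example (not Monero,
NIST or project code) showing why hash-based signatures resist Shor and why
they are large and single-use."""
import hashlib
import secrets

BITS = 256                    # we sign a SHA-256 digest, one key pair per bit
ED25519_SIG_BYTES = 64        # comparison figure from the text


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the hash of each preimage (so 2 * 256 * 32 bytes)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    """Digest bits of the message, most significant first."""
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare with the public key slot."""
    if len(sig) != BITS * 32:
        return False
    for i, bit in enumerate(_bits(msg)):
        if _h(sig[i * 32:(i + 1) * 32]) != pk[i][bit]:
            return False
    return True


def revealed_after_reuse(msg1: bytes, msg2: bytes) -> int:
    """Why the key is one-time: at every digest position where two signed
    messages differ, both preimages are now public, so a forger can sign any
    message whose digest agrees with one of them on the remaining positions."""
    return sum(a != b for a, b in zip(_bits(msg1), _bits(msg2)))


def size_report() -> dict:
    """Bytes on the wire, to compare with the ML-DSA/FALCON figures above."""
    return {
        "ed25519_sig": ED25519_SIG_BYTES,
        "lamport_sig": BITS * 32,
        "lamport_pk": BITS * 2 * 32,
        "lamport_to_ed25519_ratio": (BITS * 32) // ED25519_SIG_BYTES,
    }


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"spend output 42")
    print(lamport_verify(pk, b"spend output 42", sig))   # True
    print(lamport_verify(pk, b"spend output 43", sig))   # False
    print(size_report())
```

The same 128x size ratio against Ed25519 is the kind of number a protocol designer has to budget for per input before even considering how to hide the signer among decoys.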
---
Summary: The Honest Assessment
Quantum computers will not break Monero in the near term. The hardware engineering required to run Shor's algorithm against a 256-bit elliptic curve at scale does not exist and is unlikely to exist within the next decade by most credible estimates.
However, Monero is not quantum-resistant by design. Its signature scheme (CLSAG over edwards25519), stealth address key exchange, Pedersen commitment binding and Bulletproof soundness all rest on the same ECDLP hardness assumption that Shor's algorithm invalidates at sufficient qubit scale. The privacy guarantees of ring signatures offer no meaningful protection against a quantum adversary who can invert elliptic curve operations.
The appropriate response is calibrated: holders should practice good key hygiene now, monitor MRL's PQC research, and, for long-horizon holdings, consider whether architectures built natively on post-quantum cryptographic primitives better match their risk tolerance.
Frequently Asked Questions
Will quantum computers break Monero's ring signature privacy?
Yes, if a cryptographically relevant quantum computer (CRQC) emerges. Monero's ring signatures (CLSAG) are built over the edwards25519 curve. A quantum computer running Shor's algorithm could derive the private key of every ring member from the public keys visible on-chain, recompute their key images and identify the real signer, including for transactions already in the chain. Ring signatures add strong classical privacy but do not provide quantum resistance.
Is Monero more quantum-resistant than Bitcoin or Ethereum?
Not in any fundamental sense. All three use elliptic curve cryptography for their core signing operations. Bitcoin uses ECDSA on secp256k1, Ethereum uses ECDSA on secp256k1, and Monero uses CLSAG over edwards25519. All are vulnerable to Shor's algorithm at sufficient qubit scale. Monero's stealth addresses keep the recipient's address off-chain, which narrows what an attacker can link without knowing that address, but this is a practical privacy tool rather than a quantum security mechanism.
When could a quantum computer realistically break Monero?
Most academic researchers and national security agencies place the arrival of a cryptographically relevant quantum computer capable of breaking 256-bit elliptic curve keys somewhere between 2035 and 2050, with significant uncertainty. Current machines are many orders of magnitude away from the qubit counts and error correction levels required. NIST and NSA guidance recommends migrating critical systems to post-quantum cryptography by the early 2030s as a precaution.
Can Monero upgrade to post-quantum cryptography?
Technically yes, but it is a significant engineering challenge. Monero would need to replace Ed25519-based ring signatures with a post-quantum scheme compatible with its privacy architecture, migrate wallet key material, and coordinate a network-wide hard fork. The Monero Research Lab has explored PQC options, but no concrete migration plan has been finalized. Monero's history of regular hard forks suggests it could make such an upgrade if the timeline became urgent.
What should Monero holders do about the quantum threat right now?
Practical steps include rotating wallet addresses periodically, avoiding reuse of long-lived keys, limiting disclosure of view keys, and monitoring Monero Research Lab updates on PQC progress. Holders with a very long investment horizon may also want to diversify into infrastructure architectures that were designed natively with post-quantum cryptographic standards from the outset.
What is the difference between Grover's algorithm and Shor's algorithm in the context of Monero?
Shor's algorithm threatens asymmetric cryptography (elliptic curve keys, RSA) by solving the discrete logarithm and integer factorization problems efficiently. It is the primary threat to Monero's signature, key-exchange and commitment layers, including Bulletproof soundness, which is a discrete-log assumption. Grover's algorithm provides a quadratic speedup for unstructured search, which effectively halves the bit security of symmetric ciphers and hash preimages. For Monero that touches only the hash-based parts, such as Keccak key derivation and the Fiat-Shamir challenges inside Bulletproofs, reducing roughly 256 bits of preimage security to about 128, which is inconvenient but not immediately catastrophic.