Will Quantum Computers Break Stellar (XLM)?
Will quantum computers break Stellar (XLM)? It is a fair and pressing question: Stellar relies on the same family of elliptic-curve cryptography that secures most public blockchains, and that family has a well-documented quantum vulnerability. This article explains exactly how Stellar's signature scheme works, what conditions would have to be true for a quantum attack to succeed, where credible research places the timeline, and what practical steps XLM holders can take right now. No fear-mongering, no vague warnings — just the mechanism, the maths, and the options.
How Stellar Secures Transactions Today
Stellar uses Ed25519 as its default signature scheme. Ed25519 is the instance of the Edwards-curve Digital Signature Algorithm (EdDSA) specified in RFC 8032 over edwards25519, a twisted Edwards curve defined over the prime field of 2^255 − 19 and birationally equivalent to Curve25519. A Stellar account ID is the 32-byte Ed25519 public key itself, wrapped in Stellar's StrKey encoding (a version byte, the key, and a CRC16 checksum, base32-encoded, which is why account IDs begin with "G"). The public key is derived from a private scalar by elliptic-curve point multiplication, and a transaction is authorised by producing valid Ed25519 signatures from the account's signers. Stellar accounts can carry additional signers with weights and thresholds, but the master key of every account is an Ed25519 key.
Why Ed25519 Was Chosen
Ed25519 was adopted across many modern protocols for good reasons:
- Speed. Signing and verification are fast and cheap, which matters when every validator must verify every signature in a ledger that closes every few seconds.
- Small key and signature sizes. Public keys are 32 bytes; signatures are 64 bytes. This keeps transaction payloads compact.
- Resistance to implementation mistakes. Unlike ECDSA, Ed25519 derives its per-signature nonce deterministically from the private key and the message, so it avoids the random-nonce failures that leaked ECDSA private keys from Sony's PlayStation 3 code-signing key and from Android Bitcoin wallets with a broken random number generator in 2013. Determinism is not a complete answer, though: a fault injected during signing can still leak the key, so hardware signers need fault countermeasures as well.
- Broad audit history. The scheme has been reviewed by cryptographers for over a decade and has no known classical weaknesses.
None of those properties, however, addresses quantum adversaries. The security of Ed25519 rests on the hardness of the elliptic-curve discrete logarithm problem (ECDLP): given a public key *Q* and the base point *G*, find the scalar *k* such that *Q = k·G*. The prime-order subgroup has about 2^252 elements, so the best classical attack (Pollard's rho) costs on the order of 2^126 curve operations, roughly 128-bit security and far beyond any foreseeable classical computer. For a sufficiently powerful quantum computer running Shor's algorithm, the same problem is polynomial-time.
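As an added example (not Stellar's code or any SDK's), the derivation above carried out in pure Python: a 32-byte seed is hashed and clamped into the private scalar *a* exactly as RFC 8032 specifies, multiplied into the base point *G* to give the public key *A*, and encoded as a Stellar account ID in the StrKey format (version byte, key, CRC16-XModem checksum, base32). The decode function shows the other half of the story, which matters for the exposure discussion later in this article: the account ID contains the raw public key, so the key can be recovered from any address on the ledger. The sample seed is RFC 8032 test vector 1, a published test key and not a real account; the curve arithmetic is variable-time and for study only, never for real keys.

```python
# Added example, not Stellar's or any SDK's code: derive an Ed25519 public key
# from a seed exactly as RFC 8032 does, encode it as a Stellar account ID, and
# decode it back.  Pure-Python, variable-time arithmetic: for study only.
import base64
import hashlib

# edwards25519 parameters (RFC 8032, section 5.1).
Q = 2**255 - 19                                  # field prime
D = (-121665 * pow(121666, Q - 2, Q)) % Q        # curve coefficient d
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                # sqrt(-1) mod Q

def _inv(x):
    return pow(x, Q - 2, Q)

def _xrecover(y):
    """Even x coordinate for a given y on the curve."""
    xx = ((y * y - 1) * _inv(D * y * y + 1)) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * SQRT_M1) % Q
    return Q - x if x & 1 else x

BASE_Y = (4 * _inv(5)) % Q
BASE_POINT = (_xrecover(BASE_Y), BASE_Y)         # the generator G

def _add(p, r):
    """Twisted Edwards point addition (a = -1), affine coordinates."""
    x1, y1 = p
    x2, y2 = r
    t = D * x1 * x2 * y1 * y2
    return (((x1 * y2 + x2 * y1) * _inv(1 + t)) % Q,
            ((y1 * y2 + x1 * x2) * _inv(1 - t)) % Q)

def scalar_mult(k, point=BASE_POINT):
    """k*G by double-and-add: the easy direction of the ECDLP.  Recovering k
    from k*G is the hard direction, and the one Shor's algorithm collapses."""
    acc = (0, 1)                                 # neutral element
    for bit in reversed(range(k.bit_length())):
        acc = _add(acc, acc)
        if (k >> bit) & 1:
            acc = _add(acc, point)
    return acc

def ed25519_public_key(seed: bytes) -> bytes:
    """RFC 8032 5.1.5: seed -> SHA-512 -> clamped scalar a -> A = a*G, encoded."""
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248
    h[31] = (h[31] & 127) | 64
    x, y = scalar_mult(int.from_bytes(h, "little"))
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

# Stellar StrKey: version byte || payload || CRC16-XModem (little-endian), then
# base32 without padding.  Version 6<<3 makes the first character 'G'.
VERSION_ED25519_PUBLIC = 6 << 3
VERSION_ED25519_SEED = 18 << 3                   # first character 'S'

def crc16_xmodem(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def strkey_encode(version: int, payload: bytes) -> str:
    body = bytes([version]) + payload
    body += crc16_xmodem(body).to_bytes(2, "little")
    return base64.b32encode(body).decode("ascii").rstrip("=")

def strkey_decode(version: int, key: str) -> bytes:
    """Inverse of strkey_encode; raises ValueError on a bad version or checksum."""
    raw = base64.b32decode(key + "=" * (-len(key) % 8))
    body, checksum = raw[:-2], raw[-2:]
    if body[0] != version:
        raise ValueError("unexpected StrKey version byte")
    if crc16_xmodem(body).to_bytes(2, "little") != checksum:
        raise ValueError("StrKey checksum mismatch")
    return body[1:]

def stellar_account_id(seed: bytes) -> str:
    return strkey_encode(VERSION_ED25519_PUBLIC, ed25519_public_key(seed))

if __name__ == "__main__":
    # RFC 8032 test vector 1 seed: a published test key, not a real account.
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc4"
                         "4449c5697b326919703bac031cae7f60")
    account = stellar_account_id(seed)
    print("secret seed:", strkey_encode(VERSION_ED25519_SEED, seed))
    print("account id :", account)
    # The address decodes straight back to the raw public key: nothing is hidden.
    print("exposed key:", strkey_decode(VERSION_ED25519_PUBLIC, account).hex())
```

The `scalar_mult` loop is the whole asymmetry in one place: a few hundred curve additions turn *a* into *A*, and there is no classical way back. Everything after it is just encoding, which is why a Stellar address offers the public key to anyone who can run `strkey_decode`.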
---
What Would Have to Be True for a Quantum Attack to Succeed
The theoretical vulnerability is real, but several demanding conditions must be met before any actual Stellar wallet is at risk.
Condition 1: A Cryptographically Relevant Quantum Computer (CRQC)
Current quantum hardware is noisy and limited. The largest publicly announced superconducting processors (IBM's Condor, for example) have on the order of a thousand physical qubits, none of them error-corrected. Breaking a 256-bit elliptic-curve key with Shor's algorithm is usually estimated at roughly 2,000 to 4,000 logical qubits; after error-correction overhead, published estimates range from around one million to several million physical qubits, and the figure depends strongly on the assumed physical error rate, gate speed and error-correcting code. No machine close to that scale exists today.
Condition 2: The Public Key Must Be Exposed
Stellar exposes the public key by construction: the account ID is the Ed25519 public key itself, merely base32-encoded with a version byte and checksum, so anyone who can read the ledger can recover the raw key from the address. In contrast, a Bitcoin Pay-to-Public-Key-Hash (P2PKH) address commits only to a hash of the public key; the key appears on-chain only when that address is spent from. That protection is narrow: it lasts until the first spend, and a reused P2PKH address, or a Pay-to-Public-Key or Taproot output, exposes the key just as Stellar does.
For Stellar specifically, because the public key is always visible, a CRQC operator would not need to observe a live transaction to collect a target. Every account ID ever written to the ledger is a ready-made target: the keys can be pulled from historical ledger data and attacked offline, at leisure, once the hardware exists.
Condition 3: Enough Time to Compute Before the Transaction Confirms
Even with a CRQC, an attacker who wants to front-run a live transaction must derive the private key faster than the network confirms it, and Stellar's ledger closes roughly every 3 to 5 seconds. Published resource estimates put early CRQCs at hours or days per key, so that race is lost for years after the first such machine appears, although the window narrows as hardware matures. For Stellar, however, this condition matters least: because every key is already exposed, the attacker recovers keys offline and drains whichever funded accounts they unlock. A dormant account faces no race at all, and moving funds to a fresh Stellar account only buys time equal to one more key recovery, because the new account's key is exposed the moment it is funded.
---
Realistic Timeline: When Could This Become a Practical Threat?
Most published expert surveys put 2030 as the earliest plausible date for a CRQC able to threaten 256-bit elliptic-curve keys, with many estimates clustering between 2035 and 2050. The US National Institute of Standards and Technology (NIST) published its first three post-quantum cryptography (PQC) standards (FIPS 203, 204 and 205) in August 2024 precisely because migrating large systems takes a decade or more, and governments want infrastructure moved well before Q-day.
| Timeline Scenario | Estimated CRQC Capability | Stellar Exposure |
|---|---|---|
| Optimistic (hardware stalls) | Never or post-2060 | Low, migration achievable in normal upgrade cycle |
| Base case (steady progress) | ~2035–2045 | Moderate, Stellar would need protocol-level PQC migration |
| Accelerated (breakthrough) | ~2030–2035 | High, immediate action on dormant high-value addresses warranted |
| Harvest-now, decrypt-later | Plausibly already under way | Public keys are already on the ledger; key recovery can be attempted retroactively at Q-day |
The "harvest-now, decrypt-later" row is worth emphasising, with one correction of terminology. The phrase normally describes adversaries archiving encrypted traffic today in order to decrypt it once a CRQC exists. On a public ledger like Stellar there is nothing left to harvest: transaction data is unencrypted and every public key is permanently archived by every full node, so the "harvest" is already complete for anyone who wants it. What remains is the retroactive step, deriving private keys from those public keys once the hardware exists. High-value dormant accounts are the most attractive targets because nobody is watching them.
---
Stellar's Protocol-Level Response Options
Stellar Development Foundation has not published a finalised PQC migration roadmap as of mid-2025, but the options available to any EdDSA-based blockchain are well understood.
Option A: Hybrid Signature Schemes
A hybrid scheme pairs the existing classical algorithm (Ed25519) with a NIST-standardised PQC signature such as ML-DSA (CRYSTALS-Dilithium, FIPS 204) or, once its standard is final, FN-DSA (FALCON, FIPS 206, still a draft as of mid-2025). A transaction is valid only if both signatures verify. This provides defence-in-depth: a CRQC that recovers the Ed25519 key still cannot forge the lattice signature, and if the much younger lattice scheme turns out to have an undiscovered flaw, the classical signature still protects the account. The cost is that the key and signature sizes of both schemes add up in every transaction.
Option B: Hash-Based Address Migration
Accounts could be migrated to a model where only a hash commitment to the new key is stored on-chain. Users would generate a new PQC keypair and submit a migration transaction signed by both the old Ed25519 key and the new PQC key; after migration the account entry holds a 32-byte hash rather than the kilobyte-scale PQC public key, and the full key is revealed only inside the transactions that use it. It is worth being precise about what the hash buys: it shrinks on-ledger state and hides the key until first use, but once revealed the key must itself be quantum-safe, so this is a storage and rollout optimisation layered on a PQC signature scheme, not a substitute for one. Stellar already has a related primitive in its sha256 hash(x) signer type, which authorises a transaction by revealing a hash preimage and relies only on preimage resistance; it is inherently single-use, because the preimage is public once spent.
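As an added example (not Stellar's design, and not code from any migration proposal), the commit-then-reveal pattern of Option B reduced to its simplest form: a Lamport one-time signature, which is hash-based and post-quantum for a single use, kept behind a 32-byte hash commitment standing in for the on-ledger account entry. Lamport's scheme replaces ML-DSA or SLH-DSA here only because it fits in a few lines; the function names, the "on-ledger" commitment and the sample transaction string are all constructed for this illustration. The `forgeable` check makes the single-use caveat concrete: once a key has signed two different messages, enough secrets are public that further messages may be forgeable.

```python
# Added example, not Stellar's design or code: a Lamport one-time signature
# kept behind a 32-byte hash commitment, to make Option B's commit-then-reveal
# model and its single-use caveat concrete.  Lamport stands in for ML-DSA or
# SLH-DSA only because it fits in a few lines; its security needs nothing but
# SHA-256 preimage resistance, which Shor's algorithm does not touch.
import hashlib
import secrets

BITS = 256  # one secret pair per bit of the SHA-256 message digest

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _digest_bits(message: bytes):
    d = _h(message)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]

def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte values.
    Public key: the hash of each value, 2 * 256 * 32 bytes = 16 KiB."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def commitment(pk) -> bytes:
    """The 32 bytes the ledger would store instead of the 16 KiB public key."""
    return _h(b"".join(a + b for a, b in pk))

def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit, the secret on that side of the pair."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]

def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != BITS:
        return False
    return all(_h(signature[i]) == pk[i][bit]
               for i, bit in enumerate(_digest_bits(message)))

def verify_on_ledger(stored_commitment: bytes, pk, message: bytes, signature) -> bool:
    """Ledger-side check: the key revealed at signing time must hash to the
    stored commitment, and the signature must verify under that key."""
    return commitment(pk) == stored_commitment and lamport_verify(pk, message, signature)

def revealed_sides(signed_messages):
    """Which side(s) of each pair an observer has seen the secret for."""
    seen = [set() for _ in range(BITS)]
    for m in signed_messages:
        for i, bit in enumerate(_digest_bits(m)):
            seen[i].add(bit)
    return seen

def forgeable(signed_messages, target: bytes) -> bool:
    """True if every secret needed to sign `target` is already public.
    After one signature this holds for no other message; after two signatures
    on different messages about half the pairs are fully exposed, which is
    why a one-time key must never sign twice."""
    seen = revealed_sides(signed_messages)
    return all(bit in seen[i] for i, bit in enumerate(_digest_bits(target)))

if __name__ == "__main__":
    sk, pk = lamport_keygen()
    onchain = commitment(pk)                     # what the ledger would hold
    tx = b"pay 100 XLM to GABC..."              # constructed sample message
    sig = lamport_sign(sk, tx)
    print("valid         :", verify_on_ledger(onchain, pk, tx, sig))
    print("tampered valid:", verify_on_ledger(onchain, pk, tx + b"0", sig))
    print("second message forgeable after one use:",
          forgeable([tx], b"pay 999 XLM to GXYZ..."))
```

Two things carry over directly to a real migration. First, `verify_on_ledger` shows why the on-chain commitment is cheap: validators store 32 bytes per account and check the full key only when it is presented. Second, the one-time property is a property of Lamport specifically, not of hash-based signatures in general; SLH-DSA exists precisely to turn many one-time keys into a reusable key with a Merkle tree on top, at the cost of the multi-kilobyte signatures discussed below.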
Option C: Full Algorithm Replacement
The most disruptive but cleanest path: replace Ed25519 entirely with a NIST PQC standard across the whole Stellar protocol. On Stellar that means a coordinated protocol upgrade (validators vote to adopt a new protocol version), wallet and SDK updates, and a migration window for all existing accounts. The coordination effort is comparable to Ethereum's Merge.
None of these options is trivial. The Stellar network's strength, its speed and low cost, depends partly on the compactness of Ed25519. ML-DSA-44 signatures are 2,420 bytes and public keys 1,312 bytes, against 64 and 32 bytes for Ed25519; FN-DSA-512 is smaller (about 666-byte signatures and 897-byte keys) but harder to implement safely; the hash-based SLH-DSA (FIPS 205) rests on the most conservative assumptions but starts at about 7.8 KB per signature. Because Stellar stores a public key in every account entry and every additional signer, key size inflates ledger state as well as transaction payloads.
---
What XLM Holders Can Do Right Now
Waiting for a protocol-level fix is not the only action available to individual holders. Several practical steps reduce exposure today.
- Do not concentrate a large, dormant balance in one account. On Stellar there is no address-hygiene trick that hides a key: every account's key is exposed from the moment it is funded, and keeping an account active changes nothing. What spreading a large position across several accounts does achieve is limiting the loss per recovered key and making each individual target less attractive, since a CRQC operator pays the full key-recovery cost per account.
- Monitor NIST PQC developments. NIST finalised ML-KEM (Kyber, FIPS 203), ML-DSA (Dilithium, FIPS 204) and SLH-DSA (SPHINCS+, FIPS 205) in August 2024. Of these, ML-DSA and SLH-DSA are signature schemes and therefore the ones relevant to a Stellar migration; ML-KEM is a key-encapsulation mechanism for encryption. When wallets and custodians begin integrating these standards, migrating should be treated as routine security hygiene, not an emergency.
- Use custodians with active quantum-security roadmaps. Ask your exchange or custodian what their PQC migration plan is. If they have no answer, that is itself information.
- Understand the harvest-now risk for long-duration holdings. If you intend to hold XLM for 10 to 20 years without transacting, the probability that a CRQC will exist by the time you spend is non-trivial on a base-case timeline. This is not a reason to sell; it is a reason to stay informed.
- Explore natively post-quantum custody options for large positions. Some newer wallet protocols are being engineered from the ground up with lattice-based cryptography, bypassing the retrofitting problem entirely. BMIC, for example, is presented by its developers as a quantum-resistant wallet and token built on NIST-aligned lattice-based cryptography that does not rely on Ed25519 or ECDSA at any layer, so the Q-day threat vector that applies to Stellar would not apply in the same way to assets custodied there. One caveat applies to any such option: XLM itself always lives in a Stellar account authorised by Stellar signers, so a non-Stellar wallet can hold only a custodied or wrapped representation of it, and the Stellar-side keys behind that representation remain exposed on the ledger.
- Keep wallet software updated. When Stellar client software incorporates hybrid or PQC signature support, update promptly. Delayed migration is the most common source of residual exposure after a protocol upgrade is available.
---
How Natively Post-Quantum Designs Differ
The fundamental difference between a retrofitted PQC migration and a natively post-quantum design is architectural debt. Stellar, like Bitcoin and Ethereum, was built when post-quantum security was a theoretical concern confined to academic papers. Adding PQC to an existing protocol means:
- Carrying legacy Ed25519 infrastructure for backward compatibility during migration windows.
- Negotiating consensus across a diverse validator set and ecosystem of wallets, exchanges, and developers.
- Accepting interim periods where some accounts are migrated and some are not, creating a two-tier security landscape.
A system designed from the outset around lattice-based or hash-based primitives has no such legacy layer. The security model is coherent from account creation to transaction signing, and there is no "migration window" during which old-scheme accounts remain exposed alongside new-scheme accounts. The trade-off is that the lattice standards have a far shorter cryptanalytic track record than Ed25519, which is exactly why hybrid signatures are recommended during the transition.
This architectural gap is not a criticism of Stellar specifically. It applies equally to every major blockchain launched before NIST announced its selected PQC algorithms in July 2022. It is simply a consequence of building on the best available cryptography at the time.
---
Summary: Threat Is Real, Timeline Is Not Imminent, Action Is Warranted
The quantum threat to Stellar's Ed25519 signature scheme is cryptographically sound — Shor's algorithm does break ECDLP in polynomial time on a sufficiently powerful quantum computer. What is not imminent is the hardware. The most credible research places a cryptographically relevant quantum computer at least a decade away under a base-case scenario, though the uncertainty range is wide.
For Stellar holders, the practical priority is:
- Understand that public keys are permanently exposed on Stellar's ledger.
- Monitor both Stellar's PQC roadmap and NIST standards adoption.
- Act early when migration tools become available rather than waiting.
- Consider the harvest-now, decrypt-later risk if holding positions for a decade or more.
The absence of imminent danger does not mean the concern is speculative. NIST, the NSA, and the European Union Agency for Cybersecurity (ENISA) have all issued guidance treating post-quantum migration as an urgent infrastructure priority. The blockchain ecosystem is catching up, but the pace of that catch-up matters enormously for long-term holders.
Frequently Asked Questions
Will quantum computers break Stellar (XLM) soon?
Not soon by most credible estimates. Breaking Stellar's Ed25519 signature scheme requires a cryptographically relevant quantum computer (CRQC) with millions of physical qubits after error correction. Most research consensus places that milestone between 2035 and 2050 under a base-case scenario, though the range is uncertain. The risk is real in principle but not imminent in practice.
Why is Stellar more exposed than some Bitcoin addresses?
Stellar's account model permanently exposes the Ed25519 public key as the account address. Some Bitcoin address formats (P2PKH) hide the public key behind a hash until the address is spent from, giving a brief window of protection that ends at the first spend and does not exist at all for reused addresses. On Stellar, the public key is always visible on the ledger, so a future CRQC could attempt offline key recovery from historical data without needing to observe a live transaction.
What is the harvest-now, decrypt-later threat?
Harvest-now, decrypt-later refers to adversaries collecting public keys (or encrypted data) today with the intention of deriving private keys once a sufficiently powerful quantum computer exists. Because Stellar's ledger is fully public, all account public keys are already archived and accessible. This matters most for holders planning to keep large positions dormant for a decade or more.
What post-quantum algorithms could Stellar adopt?
The most likely candidates are NIST-standardised schemes: ML-DSA (CRYSTALS-Dilithium, FIPS 204) for general use and FN-DSA (FALCON, FIPS 206, still a draft as of mid-2025) where smaller signatures matter, both lattice-based, plus the hash-based SLH-DSA (SPHINCS+, FIPS 205) where conservative security assumptions outweigh its large signatures. A hybrid approach pairing Ed25519 with one of these algorithms is considered the safest near-term transition strategy, as it preserves classical security while adding quantum resistance.
What can an XLM holder do right now to reduce quantum risk?
Practical steps include: monitoring Stellar's PQC migration roadmap; updating wallet software promptly when hybrid or post-quantum signature support is released; choosing custodians with clear quantum-security plans; avoiding large dormant balances if you plan to hold for a decade or longer; and exploring natively post-quantum custody options for significant positions.
Is Ed25519 safer than ECDSA against quantum attacks?
Against a sufficiently powerful quantum computer running Shor's algorithm, Ed25519 and ECDSA are similarly vulnerable: both rely on the hardness of the elliptic-curve discrete logarithm problem over fields of essentially the same size (255 and 256 bits), so the quantum resources needed to break either are about the same. Ed25519 has advantages over ECDSA in classical security (deterministic nonces, a simpler constant-time implementation), but those advantages do not extend to the quantum threat model.