Will Quantum Computers Break Stellar?

Whether quantum computers will break Stellar is a question that deserves a precise, mechanism-level answer rather than speculation. Stellar uses the Ed25519 elliptic-curve signature scheme to secure every account and transaction on its network. Ed25519 is fast and elegant, but like all elliptic-curve cryptography it rests on a mathematical hardness assumption that a sufficiently powerful quantum computer running Shor's algorithm could defeat. This article unpacks exactly what that means for XLM holders, what conditions would have to be met for a real attack, where the honest timeline estimates sit today, and what concrete steps are available to reduce exposure.

How Stellar Secures Accounts Right Now

Stellar's cryptographic foundation is Ed25519, a variant of the Edwards-curve Digital Signature Algorithm built on Curve25519. Every Stellar keypair, the familiar G… public key and the private seed starting with S…, is generated and used through this scheme.

What Ed25519 Actually Does

When you sign a Stellar transaction, Ed25519 produces a signature that proves you control the private key without revealing it. Network validators check that signature against your published public key. The security assumption is that deriving a private key from a public key requires solving the elliptic-curve discrete logarithm problem (ECDLP), which is computationally infeasible for classical computers at Curve25519's 128-bit classical security level.

Where the Quantum Vulnerability Enters

Shor's algorithm, published in 1994, solves the discrete logarithm problem in polynomial time on a quantum computer. That directly breaks any ECDLP-based scheme, including Ed25519. In practical terms: a quantum adversary who observes your public key on-chain could, in principle, reverse-engineer your private key and forge transactions draining your account.

The critical nuance is *when* the public key is exposed. On Stellar, your public key is visible the moment your account is created and funded. That is different from Bitcoin's UTXO model, where a never-spent P2PKH address keeps the public key hidden until the first spend. Stellar accounts are therefore more persistently exposed to a future quantum attacker because the public key sits in the ledger state indefinitely.
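The persistence described above follows from the address format: a G… account ID is the raw 32-byte Ed25519 public key in Stellar's StrKey encoding (version byte, key, CRC-16 checksum, base32), not a hash of it. The example below is added here and is not code from the original article or from Stellar's SDKs; the function names are illustrative, and the sample key is the public key of the first Ed25519 test vector in RFC 8032.

```python
import base64

VERSION_ACCOUNT_ID = 6 << 3   # 0x30: base32 output starts with "G"
VERSION_SEED = 18 << 3        # 0x90: base32 output starts with "S"

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM (polynomial 0x1021, initial value 0), as used by StrKey."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def encode_account_id(public_key: bytes) -> str:
    """Build the 56-character G... address for a 32-byte Ed25519 public key."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    body = bytes([VERSION_ACCOUNT_ID]) + public_key
    checksum = crc16_xmodem(body).to_bytes(2, "little")
    return base64.b32encode(body + checksum).decode("ascii")

def public_key_from_address(address: str) -> bytes:
    """Recover the raw Ed25519 public key from a G... address, offline."""
    if len(address) != 56:
        raise ValueError("expected 56 characters")
    raw = base64.b32decode(address)          # 56 base32 chars -> 35 bytes
    body, checksum = raw[:-2], raw[-2:]
    if crc16_xmodem(body).to_bytes(2, "little") != checksum:
        raise ValueError("checksum mismatch")
    if body[0] == VERSION_SEED:
        raise ValueError("this is a secret seed, not an account ID")
    if body[0] != VERSION_ACCOUNT_ID:
        raise ValueError("not an Ed25519 account ID")
    return body[1:]

# Sample input: public key of RFC 8032 Ed25519 test vector 1 (not a real account).
SAMPLE_KEY = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SAMPLE_ADDRESS = encode_account_id(SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_ADDRESS)
    print(public_key_from_address(SAMPLE_ADDRESS).hex())
```

Because the decode needs no ledger history and no prior spend, the key a future CRQC would target is available from the address alone, which is the contrast with a hash-committed address such as Bitcoin's P2PKH.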

---

What Would Have to Be True for an Attack to Succeed

A successful quantum attack on Stellar accounts is not a simple flip of a switch. Several preconditions must be met simultaneously.

Cryptographically Relevant Quantum Computers (CRQCs)

Current quantum hardware is noisy and limited. IBM's Osprey processor reached 433 physical qubits in 2022; Google's Willow chip, announced in late 2024, demonstrated significant error-correction progress. Impressive milestones, but breaking Ed25519 at 128-bit security is estimated to require roughly 2,330 logical qubits running Shor's algorithm with full error correction, which translates to millions of physical qubits under realistic noise assumptions using current approaches.

The gap between today's hardware and a Cryptographically Relevant Quantum Computer (CRQC) is large. Most credible engineering estimates, including those used by NIST and the UK's NCSC, put a CRQC capable of breaking 256-bit elliptic curves somewhere in the 2030–2040 window, with meaningful uncertainty in both directions. Some scenarios compress that to the late 2020s if error-correction improves faster than expected; others push it past 2050 if hardware scaling hits fundamental limits.

Network Latency vs. Attack Speed

Even with a functional CRQC, executing Shor's algorithm against a 256-bit elliptic curve takes non-trivial time per key. Early CRQCs will not instantly sweep every wallet simultaneously. The realistic early-era attack surface is high-value, static accounts where the attacker has time to compute the private key offline before submitting a forged transaction.

No Quantum-Safe Upgrade in Place

The most important precondition: the attack only succeeds if Stellar has not migrated to a post-quantum signature scheme before Q-day. That is the variable most under human control.

---

Stellar's Current Posture on Post-Quantum Cryptography

The Stellar Development Foundation (SDF) is aware of the long-term quantum threat. Stellar's protocol upgrade process runs through community consensus via Stellar Core and SCP (the Stellar Consensus Protocol). As of the time of writing, there is no finalized, production-ready post-quantum signature scheme integrated into Stellar mainnet.

NIST completed its first wave of Post-Quantum Cryptography standardization in 2024, finalizing:

Any of these could theoretically replace or supplement Ed25519 in a future Stellar upgrade. ML-DSA and FN-DSA are the most likely candidates for a transaction-signing context because they offer a workable balance of signature size, verification speed, and key size. However, integrating a new signature scheme into a live blockchain requires validator consensus, client library updates, SDK changes, and a migration path for existing accounts. That is a multi-year engineering and governance effort.

The honest assessment: Stellar *can* migrate before a CRQC becomes operational, but only if the upgrade work begins substantially ahead of Q-day. Given the estimated timeline, that runway exists, but it is not unlimited.

---

Comparing Stellar's Quantum Exposure to Other Networks

| Network | Signature Scheme | Public Key Exposure | PQC Roadmap Status |
| --- | --- | --- | --- |
| Stellar (XLM) | Ed25519 | Persistent (account model) | Under discussion, not scheduled |
| Bitcoin (BTC) | ECDSA / Schnorr | Partial (UTXO hides key until spend) | No official PQC roadmap |
| Ethereum (ETH) | ECDSA (secp256k1) | Persistent (account model) | EIP discussions, no timeline |
| Solana (SOL) | Ed25519 | Persistent (account model) | No official PQC roadmap |
| Algorand (ALGO) | Ed25519 | Persistent; has state proofs research | Active PQC research ongoing |
| BMIC | Lattice-based (NIST PQC-aligned) | Designed for post-quantum from launch | Native, no migration required |

The table makes clear that Stellar is not uniquely exposed; it shares its risk profile with most of the major account-model chains. Bitcoin's UTXO model offers slightly more time before exposure, but is not immune either.

---

Realistic Timeline: When Should Stellar Holders Start Paying Attention?

A useful framework is the "harvest now, decrypt later" (HNDL) threat model. State-level adversaries may already be archiving encrypted blockchain data or monitoring ledger states, intending to exploit them once a CRQC is available. For signature-scheme attacks specifically, the threat becomes real at the moment a CRQC exists rather than years before, because forging a transaction requires the live public key and the ability to compute in real time.

Near term (now to 2027): No credible CRQC threat to Ed25519. Practical risk is negligible. The action item is awareness and tracking NIST PQC adoption curves.

Medium term (2027–2032): Hardware milestones will become clearer. If logical qubit counts and error-correction thresholds improve on the steeper trajectories, pressure to upgrade will grow. Stellar's governance process should ideally be producing a concrete PQC migration plan in this window.

Long term (2032–2040): The range where most credible estimates place meaningful CRQC probability. A Stellar network that has not completed a PQC migration by this point would carry real, non-theoretical risk for account holders.

The takeaway is not panic. It is planning. The window is open, but it closes.

---

What Stellar Holders Can Do Right Now

You do not need to wait for a protocol-level upgrade to reduce your personal exposure. Several practical steps are available today.

1. Minimise Resting Balances in Static Accounts

The highest-risk accounts are old, high-value, publicly known addresses that never rotate keys. If you hold significant XLM in an account you created years ago and rarely touch, consider whether that balance needs to sit there long-term.

2. Monitor Stellar's Protocol Upgrade Roadmap

Follow SDF announcements and Stellar Core release notes. When a PQC migration proposal reaches the SCP voting stage, you will want to understand what action, if any, is required of individual account holders. Some migration approaches require users to generate new keypairs and migrate funds explicitly.

3. Use Hardware Wallets and Strong Operational Security

In the near term, the realistic threats to Stellar accounts remain classical: phishing, private key theft, malware. Hardware wallets (Ledger supports Stellar; Trezor does not natively) protect against these attack vectors. The quantum threat is a long-horizon concern; classical security hygiene is the immediate priority.

4. Diversify Into Post-Quantum-Native Designs

If long-term quantum resistance is a priority, it is worth examining projects designed from the ground up with post-quantum cryptography rather than those that will need to retrofit it. Lattice-based signature schemes, like those standardized by NIST in 2024, provide security assumptions that Shor's algorithm does not break. Some newer wallet and token architectures, such as BMIC.ai, are built on exactly these foundations, meaning they carry no Ed25519 legacy debt and require no future migration to achieve post-quantum security.

5. Stay Literate on NIST PQC Standards

The NIST PQC standards are now finalized. Understanding the difference between ML-DSA (lattice-based), SLH-DSA (hash-based), and FN-DSA (FALCON lattice) helps you evaluate the quality of any PQC upgrade Stellar or any other network proposes. Not all PQC schemes are equal in terms of performance tradeoffs for a high-throughput payments network like Stellar.

---

What a Post-Quantum Stellar Migration Would Look Like

For completeness, here is a realistic technical sketch of how Stellar could implement a PQC migration, drawing on how similar proposals have been discussed across other layer-1 ecosystems.

Option A: Additive Signature Support

Stellar validators add support for ML-DSA or FN-DSA signatures alongside Ed25519. Users generate new post-quantum keypairs and migrate balances voluntarily. Old Ed25519 accounts continue to work until a hard-cut deprecation date. This is the least disruptive path.

Option B: Mandatory Key Migration

A protocol-level deadline is set. After a certain ledger sequence number, transactions signed with Ed25519 are rejected. All users must have migrated to PQC keypairs before that date. This is cleaner for long-term security but creates significant coordination risk.

Option C: Hybrid Signatures

Transactions carry both an Ed25519 signature and a PQC signature during a transition period. This is safe but bloats transaction size, which matters for Stellar's low-fee, high-throughput design goals.

The most likely real-world outcome is a variant of Option A with a long voluntary migration window followed by eventual deprecation. The engineering complexity is non-trivial but well within the capability of the Stellar ecosystem given sufficient lead time.

---

The Bottom Line

Quantum computers do not currently break Stellar, and they will not for years at minimum. The threat is real in the sense that Ed25519 is mathematically vulnerable to a future CRQC running Shor's algorithm, and Stellar's account model means public keys are persistently exposed. But the gap between today's quantum hardware and a credible attack is large, measured in years to decades rather than months.

The responsible framing is this: Q-day is a known, scheduled risk with a known technical solution. The question is not whether post-quantum cryptography can protect Stellar accounts but whether the network's governance will move fast enough to implement it before the threat window closes. That is an engineering and coordination challenge, not an unsolvable cryptographic one. Holders who understand the mechanism are better positioned to track that progress and make informed decisions about their own exposure.

Frequently Asked Questions

Will quantum computers break Stellar in the near future?

No. Breaking Stellar's Ed25519 signature scheme requires a Cryptographically Relevant Quantum Computer (CRQC) with millions of error-corrected physical qubits. Current hardware is orders of magnitude away from that capability. Most credible estimates place a viable CRQC in the 2030–2040 range, though timelines carry real uncertainty.

Why is Stellar more exposed than Bitcoin to quantum attacks?

Stellar uses an account model where your public key is permanently visible on the ledger from the moment your account is funded. Bitcoin's UTXO model keeps the public key hidden until the first spend, giving Bitcoin holders a slightly longer window before a CRQC attack becomes practical. That said, both are ultimately vulnerable to a sufficiently advanced quantum computer.

What signature scheme would replace Ed25519 in a post-quantum Stellar upgrade?

The most likely candidates from NIST's 2024 PQC standards are ML-DSA (CRYSTALS-Dilithium) and FN-DSA (FALCON), both lattice-based digital signature schemes. They are quantum-resistant and have been vetted through NIST's multi-year public competition. SLH-DSA (SPHINCS+) is a hash-based alternative but produces larger signatures, which is a concern for a high-throughput network like Stellar.

Does Stellar have an official post-quantum roadmap?

As of the time of writing, Stellar does not have a finalized, scheduled post-quantum migration on its public roadmap. The Stellar Development Foundation is aware of the long-term threat, and the community has discussed PQC in various forums, but no concrete upgrade timeline has been announced for mainnet.

What can I do as an XLM holder to reduce quantum risk today?

In the near term, focus on classical security hygiene: use a hardware wallet, never expose your private seed, and avoid phishing vectors. For longer-term quantum risk, monitor Stellar's protocol upgrade announcements closely, avoid leaving large balances in old, static accounts indefinitely, and consider whether any portion of your holdings should be in projects with native post-quantum cryptography rather than retrofitted schemes.

Is Ed25519 the same as ECDSA, and are both broken by quantum computers?

Ed25519 and ECDSA are different elliptic-curve signature schemes, but both are vulnerable to Shor's algorithm on a quantum computer because both rely on the elliptic-curve discrete logarithm problem. Stellar uses Ed25519; Bitcoin and Ethereum use ECDSA (or Schnorr in Bitcoin's case for Taproot). A CRQC would threaten all of them.