Will Quantum Computers Break Tezos?
Will quantum computers break Tezos? It is a sharper question than it first appears, because Tezos uses a signature scheme that quantum hardware could, under the right conditions, undermine. This article works through the cryptographic mechanics, examines what "breaking" Tezos would actually require, maps the realistic timeline based on current quantum hardware progress, and explains the concrete steps XTZ holders and developers can take before Q-day arrives. The goal is accuracy, not alarm: the threat is real but not imminent, and the response options are better than most people realise.
How Tezos Secures Transactions Today
Tezos primarily uses Ed25519, an elliptic-curve digital signature algorithm built on Curve25519, to sign transactions. It also supports secp256k1 (the same curve Bitcoin uses) and P-256 for compatibility with hardware keys. Each of these is a form of elliptic-curve cryptography (ECC).
The security of ECC rests on the elliptic-curve discrete logarithm problem (ECDLP). In classical computing, deriving a private key from a public key requires solving ECDLP, which is computationally infeasible at current scales, even for nation-state adversaries with massive classical hardware.
What the Signature Process Actually Does
When you send XTZ, your wallet:
- Takes your private key and the transaction data.
- Produces a digital signature unique to that transaction.
- Broadcasts the transaction plus signature to the network.
- Validators verify the signature using your public key, without ever seeing the private key.
The public key is derived from the private key via elliptic-curve scalar multiplication. Reversing that derivation classically is effectively impossible. With a sufficiently powerful quantum computer, it is a different story.
Where Quantum Computers Enter the Picture
Peter Shor's algorithm, published in 1994, can solve ECDLP in polynomial time on a sufficiently powerful quantum computer. That means a quantum machine with enough stable, error-corrected qubits could theoretically work backwards from a public key to recover the private key, then forge signatures and drain any wallet whose public key has been exposed on-chain.
Every blockchain that relies on ECC, including Tezos, Bitcoin, and Ethereum, shares this vulnerability in principle.
---
What "Breaking" Tezos Would Actually Require
"Breaking" is often used loosely. There are two distinct threat scenarios:
Scenario 1: Harvest Now, Decrypt Later
An adversary records public keys and signed transactions today, then decrypts them once quantum hardware is capable enough. For Tezos, this applies to any address that has already sent at least one transaction, because the act of signing reveals the public key on-chain.
- Addresses that have only received XTZ and never sent typically do not expose their full public key at the protocol level, reducing immediate risk.
- Once you broadcast even a single outgoing transaction, your public key is permanently public record.
Scenario 2: Real-Time Attack
An attacker breaks a signature in real time, during the window between transaction broadcast and block confirmation. Tezos blocks finalize in roughly 30 seconds to a few minutes. A real-time attack would require a quantum computer fast enough to solve ECDLP within that window, which demands hardware far beyond any near-term roadmap.
This scenario is much further out than the harvest-now-decrypt-later threat.
---
Realistic Timeline: When Could This Happen?
The honest answer is: not soon, but not never.
| Milestone | Current Status (2025) | Estimated Window |
|---|---|---|
| Largest quantum processors | ~1,000–2,000 physical qubits (e.g. IBM Condor-class) | Now |
| Qubits needed to break 256-bit ECC (Shor's) | ~2,000–4,000 **logical** (error-corrected) qubits | Not yet demonstrated |
| Physical-to-logical qubit ratio (current error rates) | Roughly 1,000:1 | Implies millions of physical qubits needed |
| Cryptographically relevant quantum computer (CRQC) | Not yet built | Analyst range: 2030–2050, most estimates 2035+ |
| NIST PQC standards finalised | Done (2024: ML-KEM, ML-DSA, SLH-DSA) | Completed |
The gap between today's noisy intermediate-scale quantum (NISQ) devices and a cryptographically relevant quantum computer (CRQC) is still enormous. Error-correction overhead remains the primary barrier. IBM, Google, and others are making steady progress, but growth in physical qubit counts does not translate linearly into cryptographic capability.
The most credible threat window for harvest-now-decrypt-later attacks opens when quantum hardware reaches the low thousands of logical qubits, which most research consensus places no earlier than the early-to-mid 2030s under optimistic scenarios. Conservative estimates push this to 2040 or beyond.
That window is not so distant that preparations can be deferred indefinitely, but it is not so close that current XTZ holders face immediate danger.
---
Tezos's Built-In Advantage: On-Chain Governance and Upgradability
Unlike Bitcoin, which requires near-universal miner consensus to change core protocol rules, Tezos was designed with on-chain governance as a first-class feature. The protocol can be amended through a structured amendment cycle without hard forks.
This is directly relevant to quantum resistance. Tezos developers could, in principle, propose and ratify a post-quantum signature scheme through the existing amendment process, without splitting the network.
What a Post-Quantum Migration on Tezos Could Look Like
A realistic migration path might include:
- A new key type using a NIST-standardised algorithm such as ML-DSA (formerly CRYSTALS-Dilithium, lattice-based) or SLH-DSA (SPHINCS+, hash-based), both of which are resistant to Shor's algorithm.
- A transition period during which both classical and post-quantum signatures are valid, giving holders time to migrate funds to new quantum-resistant addresses.
- Deprecation of the old key types after a defined block height.
The governance machinery exists. The open question is whether the Tezos community prioritises this upgrade and when it schedules it relative to the threat horizon.
Comparison: How Major Chains Approach Quantum Readiness
| Chain | Primary Signature Scheme | On-Chain Governance for Upgrades | PQC Migration Path |
|---|---|---|---|
| Tezos (XTZ) | Ed25519 / secp256k1 / P-256 | Yes, formal amendment cycle | Possible via governance; not yet scheduled |
| Bitcoin (BTC) | secp256k1 (ECDSA / Schnorr) | No formal on-chain governance | Requires soft/hard fork; politically difficult |
| Ethereum (ETH) | secp256k1 (ECDSA) | No formal on-chain governance | Account abstraction layer being explored |
| Algorand (ALGO) | Ed25519 | Limited governance mechanism | Could be explored via stateless smart contract layer |
| Natively PQC designs | Lattice-based (e.g. ML-DSA) | Varies by project | Built-in from genesis |
Tezos's position is meaningfully better than Bitcoin or Ethereum in one respect: the upgrade path is cleaner. Whether that advantage translates into timely action depends on community decisions, not technical barriers.
---
What XTZ Holders Can Do Right Now
Waiting for the protocol to migrate is a valid long-term strategy, but there are practical steps holders can take independently.
Minimise Public Key Exposure
- Use each Tezos address once or sparingly. Every outgoing transaction exposes your public key. Rotating to fresh addresses after spending reduces the long-term attack surface.
- Prefer unrevealed addresses for long-term storage. An address that has only ever received XTZ and never sent has a smaller quantum attack surface, because the full public key has not been broadcast.
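The two bullets above and the Scenario 1 discussion earlier rest on one Tezos-specific detail: a tz1 address is only a Base58Check-encoded BLAKE2b-160 hash of the Ed25519 public key, and the key itself appears on-chain in the account's reveal operation, which precedes its first outgoing manager operation. The following example, written for this article (not Tezos project code), derives tz1 addresses from raw keys and flags which addresses in a constructed operation log have their key exposed; the operation dict layout and the sample keys are simplified stand-ins, not the node's RPC format or real accounts.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TZ1_PREFIX = bytes([6, 161, 159])  # Base58Check prefix that renders as "tz1..."


def b58check_encode(payload: bytes) -> str:
    """Base58Check as used by Tezos: payload || first 4 bytes of SHA256(SHA256(payload))."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def tz1_address(ed25519_pubkey: bytes) -> str:
    """tz1 address = Base58Check(prefix || BLAKE2b-160(raw 32-byte Ed25519 public key)).
    Nothing in the address lets an observer recover the key: it is a 20-byte hash."""
    assert len(ed25519_pubkey) == 32
    pkh = hashlib.blake2b(ed25519_pubkey, digest_size=20).digest()
    return b58check_encode(TZ1_PREFIX + pkh)


def exposed_addresses(operations) -> set:
    """Return the set of addresses whose full public key is on-chain.
    Only a 'reveal' operation publishes the key; a receive-only address never
    issues one. A reveal is counted only if its key hashes to the source
    address, the same consistency check a node performs."""
    exposed = set()
    for op in operations:
        if op["kind"] == "reveal" and tz1_address(op["public_key"]) == op["source"]:
            exposed.add(op["source"])
    return exposed


# Constructed sample keys (arbitrary 32-byte stand-ins, not real accounts).
ALICE_PK = hashlib.sha256(b"alice-constructed").digest()
BOB_PK = hashlib.sha256(b"bob-constructed").digest()
ALICE, BOB = tz1_address(ALICE_PK), tz1_address(BOB_PK)

# Constructed operation log: Alice reveals and spends; Bob only ever receives.
SAMPLE_OPS = [
    {"kind": "reveal", "source": ALICE, "public_key": ALICE_PK},
    {"kind": "transaction", "source": ALICE, "destination": BOB, "amount": 1_000_000},
]

if __name__ == "__main__":
    print("key exposed on-chain:", exposed_addresses(SAMPLE_OPS))  # Alice only
```

Run against a real operation history, the same logic tells a holder which of their addresses already fall under the harvest-now-decrypt-later scenario and which still hide their key.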
Store Long-Term Holdings in Hardware Wallets with Strong Key Management
Hardware wallets do not make your keys quantum-resistant, but they eliminate the far more immediate threat of classical private-key theft. Classical attacks still vastly outnumber quantum-theoretical ones in 2025. Fixing your operational security against realistic threats first is rational prioritisation.
Monitor the Tezos Amendment Cycle
Tezos improvement proposals are public. Watching for PQC-related proposals in the amendment pipeline costs nothing and gives early warning to migrate funds before any transition deadline.
Diversify Across Cryptographic Risk Profiles
Some holders choose to allocate a portion of their holdings to assets built natively on post-quantum cryptographic foundations. Projects like BMIC are designed from the ground up with lattice-based, NIST PQC-aligned cryptography, meaning they do not carry the elliptic-curve signature legacy that Tezos and most other chains do. This is not a replacement strategy, but a distinct risk-management consideration for those concerned about the longer timeline.
---
The Broader Context: Why This Question Matters for All of Crypto
Tezos is not uniquely vulnerable. Every major blockchain using ECC faces the same fundamental exposure. The reason this question matters specifically for Tezos is that its governance architecture makes it one of the more *tractable* problems in the space.
If Tezos successfully navigates a post-quantum migration via its amendment process, it becomes a case study for how decentralised networks handle existential cryptographic transitions. If it fails to act within the threat window, the consequences would be the same as for any other ECC-based chain: a well-resourced quantum-capable attacker could forge signatures on exposed addresses.
The lesson for the broader ecosystem is structural. Chains that hardcoded their cryptographic primitives without upgrade paths face the hardest migration problems. Tezos at least avoided that particular design mistake.
---
Summary: The Honest Risk Assessment
- Quantum computers cannot break Tezos today. Current hardware is not close to cryptographically relevant capability.
- The harvest-now-decrypt-later threat is real and applies to any address that has sent transactions on-chain. The data is already recorded.
- A cryptographically relevant quantum computer is most plausibly 10 to 20+ years away, based on current engineering progress, though the uncertainty band is wide.
- Tezos's on-chain governance gives it a cleaner migration path to post-quantum signatures than most major chains.
- Holders can reduce exposure by minimising public key revelations and monitoring upgrade proposals.
- Fear-mongering is unwarranted. Measured preparation is not.
The question is not really "will quantum computers break Tezos" in an absolute sense. It is whether Tezos's community acts within the available window. That is a governance and coordination question as much as a cryptographic one, and on that dimension, Tezos's design philosophy gives genuine reason for cautious optimism.
Frequently Asked Questions
Will quantum computers break Tezos in the near future?
No. Current quantum hardware is nowhere near capable of breaking Ed25519 or secp256k1, the signature schemes Tezos uses. The research consensus places a credible quantum threat to ECC no earlier than the early-to-mid 2030s under optimistic scenarios, with most estimates running later. The risk is real but not imminent.
Which Tezos addresses are most at risk from a future quantum attack?
Addresses that have broadcast at least one outgoing transaction are at greater risk, because the act of signing reveals the public key on-chain. Addresses that have only ever received XTZ and never sent a transaction have a smaller attack surface, since their full public key has not been publicly exposed.
Does Tezos have a plan to become quantum-resistant?
No formal post-quantum upgrade has been ratified as of mid-2025, but Tezos's on-chain governance (its amendment cycle) provides a mechanism to add new signature schemes, such as NIST-standardised ML-DSA or SLH-DSA, without a hard fork. Whether and when the community schedules such an upgrade is an open governance question.
How many qubits would a quantum computer need to break Tezos?
Breaking 256-bit elliptic-curve cryptography via Shor's algorithm requires roughly 2,000 to 4,000 logical (error-corrected) qubits. Given current physical-to-logical qubit ratios of roughly 1,000:1 due to error rates, this implies millions of physical qubits, far beyond the 1,000 to 2,000 physical qubits in today's best processors.
Is Tezos more or less vulnerable to quantum attacks than Bitcoin or Ethereum?
All three use elliptic-curve cryptography and share the same fundamental vulnerability in principle. Tezos is arguably better positioned than Bitcoin or Ethereum for one reason: its formal on-chain governance allows a post-quantum signature migration to be ratified and executed without a contentious hard fork, which is a significant practical advantage.
What can I do as an XTZ holder to reduce quantum risk today?
Three practical steps: first, minimise how often you reuse addresses, since each outgoing transaction exposes your public key permanently on-chain. Second, keep long-term holdings in addresses that have never sent a transaction. Third, monitor Tezos governance channels for any proposed post-quantum amendment so you can migrate funds before any transition deadline.