Will Quantum Computers Break Canton Network?

Will quantum computers break Canton Network? It is a question that applies to almost every major blockchain, and Canton is no exception. Canton is a privacy-focused, enterprise-grade distributed ledger built on the Daml smart-contract language. Like most production blockchains, it relies on elliptic-curve cryptography for transaction signing. That dependency creates a well-understood theoretical exposure to sufficiently powerful quantum computers. This article examines the mechanics of that risk, what would have to be true for it to materialise, the most credible timelines, and the concrete steps Canton participants can take right now.

How Canton Secures Transactions Today

Canton Network is developed by Digital Asset and is designed for regulated financial institutions. It uses a permissioned ledger model where participants retain data privacy through sub-transaction pruning and a "need-to-know" synchronisation protocol. What it shares with public blockchains is the cryptographic primitive at the core of identity and authorisation: elliptic-curve digital signature algorithms (ECDSA/EdDSA), typically over the secp256k1 or Ed25519 curves.

When a Canton participant submits a transaction, their private key generates a digital signature. Every other node on the network can verify that signature using only the corresponding public key. The security guarantee rests on the elliptic-curve discrete logarithm problem (ECDLP): deriving a private key from a public key is computationally infeasible for classical computers, requiring work in the order of 2¹²⁸ operations.

Why Public Keys Are the Attack Surface

The most important detail for quantum risk assessment is *when* the public key is exposed. In many Canton deployments, public keys are registered on-chain or in directory services at account creation. That means an attacker who recorded those public keys today could, in principle, attempt to derive private keys later, once a powerful enough quantum computer exists. This "harvest now, decrypt later" strategy is the primary threat model for long-lived institutional assets.

Hash Functions and Symmetric Keys: Lower Quantum Risk

Not all of Canton's cryptography is equally exposed. SHA-256 and similar hash functions used for content addressing and Merkle proofs are weakened by quantum algorithms (Grover's algorithm roughly halves their effective security), but the mitigation is straightforward: move to SHA-512 or SHA-3, which retain acceptable security margins even under Grover. Symmetric encryption keys face a similar, manageable degradation. The acute risk sits firmly with asymmetric signature schemes.

---

The Quantum Threat Explained: Shor's Algorithm

The mechanism that could break Canton's signature scheme is Shor's algorithm, published by Peter Shor in 1994. Running on a fault-tolerant quantum computer with enough logical qubits, Shor's algorithm solves the ECDLP in polynomial time, collapsing the security of ECDSA and EdDSA from "computationally infeasible" to "tractable in hours."

The key parameters researchers track are:

None of this means the risk is imaginary. It means it is not imminent.

---

Realistic Timeline: When Could This Actually Happen?

Timelines for cryptographically relevant quantum computers (CRQCs) vary widely. Below is a synthesis of credible institutional estimates.

SourceEstimated Year for CRQC Threat to ECCConfidence
NIST (PQC project documentation)2030–2040Moderate
NCSC (UK)2030s, possibly laterLow-to-moderate
IBM Quantum Roadmap (extrapolated)Mid-2030s at earliestLow
BSI (Germany)2030–2040Moderate
McKinsey Global Institute (2023)2030–2035 for narrow use casesSpeculative

The consistent message: the 2020s are likely safe, the 2030s are uncertain, and anything beyond is genuinely unknown. For a financial institution holding Canton-based assets over multi-decade time horizons, "uncertain" is not the same as "safe." NIST has already finalised its first set of post-quantum cryptographic standards (FIPS 203/204/205, published August 2024), precisely because migration timelines for critical infrastructure are measured in years, not months.

The "Harvest Now, Decrypt Later" Window

For Canton specifically, the more pressing concern is not real-time transaction forgery. It is retroactive compromise. An adversary, state-level or otherwise, could be archiving Canton transaction data and public keys today. If a CRQC becomes available in 2035, data encrypted or signed in 2024 may be fully exposed. Financial contracts, settlement records, and identity bindings that were assumed confidential for 10-15 years could be retrospectively compromised.

---

What Would Have to Be True for Quantum Computers to Break Canton?

To move from theoretical risk to practical attack, several conditions must hold simultaneously:

  1. A fault-tolerant quantum computer with millions of physical qubits must exist. No such machine exists as of 2024. The largest publicly demonstrated processors are in the low thousands of physical qubits with insufficient error correction.
  2. The machine must sustain coherence long enough to run the full Shor's algorithm circuit. This requires advances in error correction codes (surface codes, etc.) that are active research problems.
  3. The attacker must have access to Canton public keys. In a permissioned network, key directories may be partially restricted, but keys used in verifiable transactions are inherently shared with counterparties.
  4. Canton Network must not have migrated to post-quantum signature schemes before the attacker operates. This is the controllable variable, and it is the one that deserves the most attention.

The conclusion is not "Canton is safe forever." It is: there is a window of several years, possibly a decade or more, in which migration is achievable before the threat materialises. Using that window wisely is the strategic imperative.

---

What Canton Holders and Operators Can Do Right Now

Waiting for a CRQC to appear before acting is the wrong posture for any institutional participant. The following steps are practical and actionable today.

1. Audit Key Exposure

Identify which public keys are registered in Canton directories, on-chain, or in counterparty records. Assess whether those keys are associated with long-lived assets or contracts. High-value, long-duration positions carry more risk than short-cycle settlement flows.

2. Implement Crypto-Agility

Crypto-agility means designing systems so that the underlying cryptographic algorithm can be swapped without re-architecting the entire stack. Digital Asset's Daml platform and Canton's modular design are reasonably well-suited for this. Operators should ensure that signature scheme selection is parameterised rather than hardcoded.

3. Monitor NIST PQC Migration

NIST's newly standardised algorithms, particularly CRYSTALS-Kyber (now ML-KEM) for key encapsulation and CRYSTALS-Dilithium (now ML-DSA) for digital signatures, are the leading candidates for blockchain migration. Both are lattice-based, meaning their security rests on mathematical problems believed to be hard for both classical and quantum computers. Canton operators should track Digital Asset's roadmap for PQC integration and engage with their infrastructure vendors about timeline commitments.

4. Use Hybrid Signature Schemes as a Bridge

Several blockchain ecosystems are experimenting with hybrid signatures that combine a classical scheme (e.g., Ed25519) with a post-quantum scheme (e.g., Dilithium). The combined signature is valid only if both are valid, meaning security is maintained even if one scheme is later broken. This is a practical transitional measure that does not require abandoning existing key infrastructure immediately.

5. Shorten Key Lifetimes Where Possible

Rotating keys more frequently reduces the window of retroactive exposure. A key registered in 2024 and rotated in 2026 is a narrower target than a key active for 15 years. Where Canton workflows permit it, building key rotation into operational procedures is a low-cost risk reduction measure.

6. Engage Digital Asset Directly

Canton is a permissioned, enterprise network. Unlike a public blockchain where protocol changes require decentralised governance, Digital Asset can and should be planning a PQC migration roadmap. Institutional participants have direct relationships and leverage. Asking for a published timeline and technical specification for PQC migration is entirely reasonable and advisable.

---

How Natively Post-Quantum Designs Differ

The distinction between a classical blockchain migrating to PQC and one built with post-quantum cryptography from the ground up is significant. Migration projects inherit technical debt: legacy keys, tooling built for ECDSA, wallet compatibility layers, and the coordination cost of deprecating old schemes across a live network.

Projects designed with lattice-based or other NIST-approved PQC primitives at layer zero do not carry that debt. For example, BMIC.ai was built with quantum-resistant, lattice-based cryptography as a core design principle, not a retrofit. That architectural difference means its key infrastructure does not face the retroactive exposure window that classical-signature blockchains do.

For Canton operators evaluating their long-term cryptographic posture, this contrast is instructive. The question is not only "when will Canton migrate?" but "what is the cost and risk of migration versus systems that never had the vulnerability?"

---

Summary: Should Canton Participants Be Worried?

The honest answer is: not urgently, but not dismissively either. Canton's current cryptographic foundations are secure against every known classical attack. The quantum threat is real, theoretically well-understood, and not imminent based on current hardware progress. However:

The productive frame is not fear. It is managed transition. Audit exposure, demand a roadmap from Digital Asset, adopt crypto-agility principles, and watch the NIST migration guidance for financial institutions, expected to be updated through 2025-2026.

Frequently Asked Questions

Will quantum computers break Canton Network's security?

Not with current hardware. Canton uses elliptic-curve digital signatures (ECDSA/EdDSA), which are vulnerable to Shor's algorithm on a fault-tolerant quantum computer. No such machine exists in 2024. The threat is credible over a multi-decade horizon, but Canton has time to migrate if planning begins now.

What cryptographic algorithm does Canton Network use?

Canton relies on elliptic-curve digital signature schemes, primarily Ed25519 and secp256k1-based ECDSA, for transaction signing and participant identity. These are standard across most production blockchains but are not quantum-resistant.

What is the 'harvest now, decrypt later' threat and does it apply to Canton?

Harvest now, decrypt later refers to an adversary recording encrypted data or public keys today, then decrypting or reversing them once a sufficiently powerful quantum computer exists. It applies to Canton because public keys used in verifiable transactions are shared with counterparties and potentially stored in directories, creating a data archive that could be targeted in the future.

What is the realistic timeline for a quantum computer to break elliptic-curve cryptography?

Major institutions including NIST, the UK NCSC, and Germany's BSI estimate the 2030–2040 range as the window of concern. This is not a precise prediction; it depends on breakthroughs in error correction and qubit coherence that remain unsolved research problems. The uncertainty itself is a reason to begin migration planning now.

What post-quantum algorithms should Canton consider migrating to?

NIST standardised ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures and ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation in August 2024. Both are lattice-based and are the primary candidates for blockchain PQC migration. Hybrid signature schemes combining Ed25519 with ML-DSA are also a viable transitional approach.

What can Canton operators do to reduce quantum risk today?

Practical steps include auditing which public keys are long-lived and high-value, implementing crypto-agility in system design, rotating keys more frequently, engaging Digital Asset for a published PQC migration roadmap, and monitoring NIST guidance for financial infrastructure. These steps are achievable without waiting for a quantum computer to appear.