Will Quantum Computers Break Monero?

Will quantum computers break Monero? It is one of the most precise questions in crypto security because Monero's privacy architecture is meaningfully different from Bitcoin's or Ethereum's, and that difference changes the threat calculus in ways that are rarely explained clearly. This article works through the exact cryptographic primitives Monero relies on, which of them a sufficiently powerful quantum computer could attack, what "sufficiently powerful" actually means in practical terms, where the research consensus sits on timelines, and what Monero holders and developers can realistically do before Q-day arrives.

Monero's Cryptographic Stack: What Quantum Computers Would Actually Attack

Before assessing quantum risk, you need to know what you are actually defending. Monero uses several distinct cryptographic primitives, each with a different quantum exposure profile.

Elliptic Curve Cryptography: The Core Vulnerability

Monero's transaction signing relies on Ed25519, an Edwards-curve variant of the Elliptic Curve Digital Signature Algorithm (ECDSA). The security of Ed25519 rests on the elliptic curve discrete logarithm problem (ECDLP): given a public key, computing the corresponding private key is computationally infeasible for a classical computer.

A cryptographically relevant quantum computer (CRQC) running Shor's algorithm can solve the ECDLP in polynomial time. That is the same fundamental threat facing Bitcoin and Ethereum. On this dimension, Monero is equally exposed to any classical blockchain that uses elliptic curve signing.

Ring Signatures: An Added Complication

What makes Monero's exposure slightly more nuanced is its use of Ring Confidential Transactions (RingCT), which includes a ring signature scheme. Ring signatures allow a signer to prove they are a member of a set of possible signers without revealing which member. Current versions use MLSAG (Multilayered Linkable Spontaneous Anonymous Group) or the newer CLSAG (Compact Linkable Spontaneous Anonymous Group).

These ring signature constructions are also built on elliptic curve operations and are therefore vulnerable to the same Shor's algorithm attack. A CRQC could, in principle, break the ring and identify the actual signer, collapsing Monero's transaction-graph privacy in addition to stealing funds.

Stealth Addresses

Monero's stealth address system generates a one-time public key for each transaction. Linking a payment to a recipient requires the recipient's private spend key. Because stealth addresses are derived from EC key pairs, they carry the same Shor vulnerability. A CRQC that can reverse ECDLP could derive spend keys from observed stealth addresses, allowing funds to be swept.

Hash Functions: The Less Urgent Problem

Monero's proof-of-work algorithm (RandomX) and its commitment schemes use hash functions, primarily Keccak/SHA-3 derivatives. Hash functions are only weakly affected by quantum computers. Grover's algorithm provides a quadratic speedup for brute-forcing hashes, effectively halving the security level, so a 256-bit hash becomes roughly 128-bit secure. That remains well above the threshold for practical attack with any near-term or even medium-term quantum hardware. Hash-based elements of Monero are not a meaningful near-term concern.

---

What a "Cryptographically Relevant" Quantum Computer Actually Requires

The phrase "quantum computers will break crypto" circulates widely, but it elides an enormous gap between current hardware and the capability required to run Shor's algorithm against a 256-bit elliptic curve key.

Logical vs. Physical Qubits

Current leading quantum processors (IBM Heron, Google Willow, IonQ Forte) operate with physical qubits in the range of hundreds to a few thousand. Physical qubits are noisy and error-prone. Running Shor's algorithm on a 256-bit elliptic curve key requires on the order of 2,000 to 4,000 logical qubits, and each logical qubit requires hundreds to thousands of physical qubits for error correction, depending on the error rate of the hardware.

A credible 2023 estimate from researchers at University College London placed the physical qubit requirement for breaking Bitcoin's ECDSA (the same curve family) at roughly 317 million physical qubits using surface code error correction in under one hour. More optimistic architectures lower that figure, but even the most aggressive estimates land in the millions of physical qubits.

Today's best machines have around 1,000 to 5,000 physical qubits, with error rates still far too high for fault-tolerant operation at cryptographic scale. The gap is not incremental, it is multiple orders of magnitude.

Timeline Estimates

SourceEstimated Year for CRQC Threat to EC Cryptography
NIST (2022 PQC Transition Report)2030–2040 range as planning horizon
Mosca's Theorem (conservative)15–20 years from 2020
IBM Quantum Roadmap (extrapolated)No specific date; million-qubit target ~2033
NCSC (UK) Guidance"Unlikely before 2030, plan for 2035"
BSI (Germany)Recommends migration by 2030 at latest

No credible government agency or peer-reviewed paper is predicting an imminent threat. The consensus planning horizon for organizations handling sensitive data is roughly 2030 to 2035 for the earliest plausible CRQC capable of attacking 256-bit EC curves. Crypto assets present a specific concern because blockchain data is public and permanently recorded, meaning an adversary could harvest ciphertext or public keys today and decrypt later, the so-called "harvest now, decrypt later" (HNDL) attack.

---

The "Harvest Now, Decrypt Later" Risk for Monero Holders

HNDL is the most practically relevant quantum threat for Monero holders right now, even though a CRQC does not yet exist.

Every Monero transaction broadcasts a stealth address and a ring signature to the public blockchain. Those records are immutable. If a state-level adversary is archiving Monero blockchain data today with the intention of retroactively deanonymizing transactions once a CRQC is available, the privacy guarantee of historical transactions could eventually be broken.

For holders primarily concerned with fund security rather than privacy, the risk is somewhat different. Funds are only at risk at the moment a private key is used or exposed. Monero's stealth address model means that the one-time public key appears on-chain per transaction, giving an attacker a target to reverse with Shor's algorithm. Coins sitting in an unspent output are not safe by obscurity alone once a CRQC exists because the one-time public key is already visible on-chain.

---

Monero vs. Bitcoin and Ethereum: Quantum Risk Comparison

Monero is often assumed to be more quantum-resistant than Bitcoin because of its privacy features. That assumption deserves careful examination.

FeatureBitcoinEthereumMonero (XMR)
Signature schemeECDSA (secp256k1)ECDSA / EdDSAEd25519 + CLSAG ring sigs
Public key on-chainYes (after first spend)YesStealth one-time pubkeys
Quantum threat (Shor)HighHighHigh (same math)
Privacy layer protectionNoneNoneRing sigs also EC-based
Hash function exposure (Grover)Low-mediumLow-mediumLow-medium
Active PQC migration roadmapResearch phaseResearch phaseCommunity discussion only

The honest conclusion: Monero's privacy layer provides no meaningful additional quantum resistance. All the cryptographic operations that matter are built on elliptic curves. Monero is not worse than Bitcoin from a quantum standpoint, but it is not meaningfully better on the core question.

One marginal point in Monero's favor: its one-time stealth addresses mean that a given public key is used only once per output. Reused Bitcoin addresses expose a static public key indefinitely, creating a larger and more static attack surface. Monero's address model slightly reduces the window of exposure, but it does not eliminate the underlying ECDLP vulnerability.

---

What Would Have to Be True for Quantum Computers to Break Monero

Synthesizing the above, here is the specific chain of conditions required:

  1. A quantum processor achieves fault-tolerant operation at scale (millions of physical qubits with sufficiently low error rates).
  2. Shor's algorithm is implemented against a 255-bit elliptic curve (Curve25519 / Ed25519 as used in Monero).
  3. The attacker can run the algorithm fast enough, ideally within the time window a transaction is in the mempool, or can target already-recorded on-chain stealth addresses for HNDL attacks.
  4. Monero's development community has not yet deployed a post-quantum signature scheme upgrade.

All four conditions need to be true simultaneously for a catastrophic outcome. Conditions 1 and 2 are likely 10 to 20 years away by mainstream estimates. Condition 4 is the variable Monero's community controls directly.

---

What Monero Holders and the Monero Community Can Do

For Individual Holders

For the Monero Protocol

The Monero Research Lab has explored post-quantum ring signatures based on lattice cryptography. The challenge is significant: ring signatures are considerably more complex to replace than simple ECDSA, and any replacement must preserve Monero's privacy properties (unlinkability, untraceability) while also being quantum-resistant. Candidate constructions exist in academic literature, but none have been deployed in production.

A migration path would likely involve a hard fork, a significant coordination event for a privacy-focused chain with no central authority. It is technically feasible, but it requires community consensus, peer-reviewed cryptographic work, and careful implementation. The precedent of Monero's past hard forks for RingCT, CLSAG, and RandomX adoption suggests the community is capable of executing protocol-level changes when motivated.

---

How Natively Post-Quantum Designs Differ

Protocols designed from the ground up with post-quantum cryptography avoid the migration problem entirely. Projects like BMIC.ai have built their wallet and token infrastructure on lattice-based cryptography aligned with NIST's PQC standards, meaning the signature schemes they use are resistant to Shor's algorithm by design, not by retrofit.

The architectural difference matters: retrofitting post-quantum signatures onto a live protocol with billions in on-chain value, an existing user base, and privacy constraints is a fundamentally harder engineering and coordination problem than building those primitives in from the start. That is not a criticism of Monero specifically; it applies to every major chain currently in production.

---

Realistic Summary: Threat Level by Time Horizon

Time HorizonQuantum Threat to MoneroRecommended Action
Now to 2027Negligible (no CRQC exists)Monitor MRL, practice good key hygiene
2027 to 2032Low to moderate (hardware progress accelerating)Watch for protocol upgrade proposals, assess HNDL exposure
2032 to 2037Moderate to high (planning horizon for CRQCs)Active protocol migration should be underway or complete
Post-2037High if no migrationAny unmigrated EC-based chain is at serious risk

The window is real but not immediate. The right posture is informed vigilance, not panic.

Frequently Asked Questions

Will quantum computers break Monero sooner than Bitcoin?

No. Both Bitcoin and Monero rely on elliptic curve cryptography that is vulnerable to Shor's algorithm. Monero's one-time stealth addresses reduce the static attack surface slightly compared to reused Bitcoin addresses, but the underlying mathematical vulnerability is identical. Neither has a meaningful quantum-resistance advantage over the other at this stage.

Does Monero's ring signature make it quantum-resistant?

No. Monero's ring signatures (CLSAG and its predecessors) are constructed from elliptic curve operations, the same mathematical foundation that Shor's algorithm attacks. A cryptographically relevant quantum computer could break the ring to identify the real signer, in addition to deriving private spend keys from stealth addresses.

When could a quantum computer actually threaten Monero?

The mainstream consensus among NIST, the NCSC, BSI, and academic researchers places the earliest plausible cryptographically relevant quantum computer in the 2030 to 2035 range. Current quantum hardware is multiple orders of magnitude short of the millions of physical qubits required to run Shor's algorithm against 256-bit elliptic curves.

What is 'harvest now, decrypt later' and does it affect Monero holders?

Harvest now, decrypt later (HNDL) refers to adversaries archiving encrypted or public blockchain data today, intending to decrypt it once a quantum computer is available. For Monero, this means historical stealth addresses recorded on-chain could be retroactively attacked to deanonymize transactions or expose private spend keys. It is the most relevant near-term quantum risk even before a CRQC exists.

Is the Monero Research Lab working on a post-quantum upgrade?

The Monero Research Lab has published academic work exploring post-quantum ring signature constructions based on lattice cryptography. No production-ready upgrade has been deployed. Any migration would require a hard fork and broad community consensus, which is technically achievable given Monero's history of protocol upgrades, but has not yet been formally scheduled.

What should Monero holders do right now to prepare for quantum risk?

In the near term: avoid non-standard wallet configurations that might reuse addresses, follow Monero Research Lab publications for upgrade proposals, and consider diversifying cryptographic exposure across protocols with different security architectures. The threat is not imminent, but the 10-to-20-year planning horizon is close enough to warrant monitoring.