Will Quantum Computers Break Monero?
Will quantum computers break Monero? It is one of the most precise questions in crypto security because Monero's privacy architecture is meaningfully different from Bitcoin's or Ethereum's, and that difference changes the threat calculus in ways that are rarely explained clearly. This article works through the exact cryptographic primitives Monero relies on, which of them a sufficiently powerful quantum computer could attack, what "sufficiently powerful" actually means in practical terms, where the research consensus sits on timelines, and what Monero holders and developers can realistically do before Q-day arrives.
Monero's Cryptographic Stack: What Quantum Computers Would Actually Attack
Before assessing quantum risk, you need to know what you are actually defending. Monero uses several distinct cryptographic primitives, each with a different quantum exposure profile.
Elliptic Curve Cryptography: The Core Vulnerability
Monero's transaction signing relies on Ed25519, an Edwards-curve variant of the Elliptic Curve Digital Signature Algorithm (ECDSA). The security of Ed25519 rests on the elliptic curve discrete logarithm problem (ECDLP): given a public key, computing the corresponding private key is computationally infeasible for a classical computer.
A cryptographically relevant quantum computer (CRQC) running Shor's algorithm can solve the ECDLP in polynomial time. That is the same fundamental threat facing Bitcoin and Ethereum. On this dimension, Monero is equally exposed to any classical blockchain that uses elliptic curve signing.
Ring Signatures: An Added Complication
What makes Monero's exposure slightly more nuanced is its use of Ring Confidential Transactions (RingCT), which includes a ring signature scheme. Ring signatures allow a signer to prove they are a member of a set of possible signers without revealing which member. Current versions use MLSAG (Multilayered Linkable Spontaneous Anonymous Group) or the newer CLSAG (Compact Linkable Spontaneous Anonymous Group).
These ring signature constructions are also built on elliptic curve operations and are therefore vulnerable to the same Shor's algorithm attack. A CRQC could, in principle, break the ring and identify the actual signer, collapsing Monero's transaction-graph privacy in addition to stealing funds.
Stealth Addresses
Monero's stealth address system generates a one-time public key for each transaction. Linking a payment to a recipient requires the recipient's private spend key. Because stealth addresses are derived from EC key pairs, they carry the same Shor vulnerability. A CRQC that can reverse ECDLP could derive spend keys from observed stealth addresses, allowing funds to be swept.
Hash Functions: The Less Urgent Problem
Monero's proof-of-work algorithm (RandomX) and its commitment schemes use hash functions, primarily Keccak/SHA-3 derivatives. Hash functions are only weakly affected by quantum computers. Grover's algorithm provides a quadratic speedup for brute-forcing hashes, effectively halving the security level, so a 256-bit hash becomes roughly 128-bit secure. That remains well above the threshold for practical attack with any near-term or even medium-term quantum hardware. Hash-based elements of Monero are not a meaningful near-term concern.
---
What a "Cryptographically Relevant" Quantum Computer Actually Requires
The phrase "quantum computers will break crypto" circulates widely, but it elides an enormous gap between current hardware and the capability required to run Shor's algorithm against a 256-bit elliptic curve key.
Logical vs. Physical Qubits
Current leading quantum processors (IBM Heron, Google Willow, IonQ Forte) operate with physical qubits in the range of hundreds to a few thousand. Physical qubits are noisy and error-prone. Running Shor's algorithm on a 256-bit elliptic curve key requires on the order of 2,000 to 4,000 logical qubits, and each logical qubit requires hundreds to thousands of physical qubits for error correction, depending on the error rate of the hardware.
A credible 2023 estimate from researchers at University College London placed the physical qubit requirement for breaking Bitcoin's ECDSA (the same curve family) at roughly 317 million physical qubits using surface code error correction in under one hour. More optimistic architectures lower that figure, but even the most aggressive estimates land in the millions of physical qubits.
Today's best machines have around 1,000 to 5,000 physical qubits, with error rates still far too high for fault-tolerant operation at cryptographic scale. The gap is not incremental, it is multiple orders of magnitude.
Timeline Estimates
| Source | Estimated Year for CRQC Threat to EC Cryptography |
|---|---|
| NIST (2022 PQC Transition Report) | 2030–2040 range as planning horizon |
| Mosca's Theorem (conservative) | 15–20 years from 2020 |
| IBM Quantum Roadmap (extrapolated) | No specific date; million-qubit target ~2033 |
| NCSC (UK) Guidance | "Unlikely before 2030, plan for 2035" |
| BSI (Germany) | Recommends migration by 2030 at latest |
No credible government agency or peer-reviewed paper is predicting an imminent threat. The consensus planning horizon for organizations handling sensitive data is roughly 2030 to 2035 for the earliest plausible CRQC capable of attacking 256-bit EC curves. Crypto assets present a specific concern because blockchain data is public and permanently recorded, meaning an adversary could harvest ciphertext or public keys today and decrypt later, the so-called "harvest now, decrypt later" (HNDL) attack.
---
The "Harvest Now, Decrypt Later" Risk for Monero Holders
HNDL is the most practically relevant quantum threat for Monero holders right now, even though a CRQC does not yet exist.
Every Monero transaction broadcasts a stealth address and a ring signature to the public blockchain. Those records are immutable. If a state-level adversary is archiving Monero blockchain data today with the intention of retroactively deanonymizing transactions once a CRQC is available, the privacy guarantee of historical transactions could eventually be broken.
For holders primarily concerned with fund security rather than privacy, the risk is somewhat different. Funds are only at risk at the moment a private key is used or exposed. Monero's stealth address model means that the one-time public key appears on-chain per transaction, giving an attacker a target to reverse with Shor's algorithm. Coins sitting in an unspent output are not safe by obscurity alone once a CRQC exists because the one-time public key is already visible on-chain.
---
Monero vs. Bitcoin and Ethereum: Quantum Risk Comparison
Monero is often assumed to be more quantum-resistant than Bitcoin because of its privacy features. That assumption deserves careful examination.
| Feature | Bitcoin | Ethereum | Monero (XMR) |
|---|---|---|---|
| Signature scheme | ECDSA (secp256k1) | ECDSA / EdDSA | Ed25519 + CLSAG ring sigs |
| Public key on-chain | Yes (after first spend) | Yes | Stealth one-time pubkeys |
| Quantum threat (Shor) | High | High | High (same math) |
| Privacy layer protection | None | None | Ring sigs also EC-based |
| Hash function exposure (Grover) | Low-medium | Low-medium | Low-medium |
| Active PQC migration roadmap | Research phase | Research phase | Community discussion only |
The honest conclusion: Monero's privacy layer provides no meaningful additional quantum resistance. All the cryptographic operations that matter are built on elliptic curves. Monero is not worse than Bitcoin from a quantum standpoint, but it is not meaningfully better on the core question.
One marginal point in Monero's favor: its one-time stealth addresses mean that a given public key is used only once per output. Reused Bitcoin addresses expose a static public key indefinitely, creating a larger and more static attack surface. Monero's address model slightly reduces the window of exposure, but it does not eliminate the underlying ECDLP vulnerability.
---
What Would Have to Be True for Quantum Computers to Break Monero
Synthesizing the above, here is the specific chain of conditions required:
- A quantum processor achieves fault-tolerant operation at scale (millions of physical qubits with sufficiently low error rates).
- Shor's algorithm is implemented against a 255-bit elliptic curve (Curve25519 / Ed25519 as used in Monero).
- The attacker can run the algorithm fast enough, ideally within the time window a transaction is in the mempool, or can target already-recorded on-chain stealth addresses for HNDL attacks.
- Monero's development community has not yet deployed a post-quantum signature scheme upgrade.
All four conditions need to be true simultaneously for a catastrophic outcome. Conditions 1 and 2 are likely 10 to 20 years away by mainstream estimates. Condition 4 is the variable Monero's community controls directly.
---
What Monero Holders and the Monero Community Can Do
For Individual Holders
- Do not reuse addresses. Monero's architecture generates new stealth addresses automatically, which is correct behavior. Avoid any wallet configuration that deviates from this.
- Monitor the Monero Research Lab (MRL) output. The MRL has published academic work on post-quantum ring signatures. Staying informed about proposed protocol changes costs nothing.
- Diversify cryptographic exposure. Holding assets across protocols with different security architectures distributes risk, particularly as the quantum timeline becomes clearer.
- Be skeptical of "quantum-proof" marketing claims for any asset unless the underlying signature scheme is explicitly named and peer-reviewed. NIST's Post-Quantum Cryptography standardization process (finalizing standards in 2024) provides a reference point: look for lattice-based schemes like CRYSTALS-Dilithium or CRYSTALS-Kyber.
For the Monero Protocol
The Monero Research Lab has explored post-quantum ring signatures based on lattice cryptography. The challenge is significant: ring signatures are considerably more complex to replace than simple ECDSA, and any replacement must preserve Monero's privacy properties (unlinkability, untraceability) while also being quantum-resistant. Candidate constructions exist in academic literature, but none have been deployed in production.
A migration path would likely involve a hard fork, a significant coordination event for a privacy-focused chain with no central authority. It is technically feasible, but it requires community consensus, peer-reviewed cryptographic work, and careful implementation. The precedent of Monero's past hard forks for RingCT, CLSAG, and RandomX adoption suggests the community is capable of executing protocol-level changes when motivated.
---
How Natively Post-Quantum Designs Differ
Protocols designed from the ground up with post-quantum cryptography avoid the migration problem entirely. Projects like BMIC.ai have built their wallet and token infrastructure on lattice-based cryptography aligned with NIST's PQC standards, meaning the signature schemes they use are resistant to Shor's algorithm by design, not by retrofit.
The architectural difference matters: retrofitting post-quantum signatures onto a live protocol with billions in on-chain value, an existing user base, and privacy constraints is a fundamentally harder engineering and coordination problem than building those primitives in from the start. That is not a criticism of Monero specifically; it applies to every major chain currently in production.
---
Realistic Summary: Threat Level by Time Horizon
| Time Horizon | Quantum Threat to Monero | Recommended Action |
|---|---|---|
| Now to 2027 | Negligible (no CRQC exists) | Monitor MRL, practice good key hygiene |
| 2027 to 2032 | Low to moderate (hardware progress accelerating) | Watch for protocol upgrade proposals, assess HNDL exposure |
| 2032 to 2037 | Moderate to high (planning horizon for CRQCs) | Active protocol migration should be underway or complete |
| Post-2037 | High if no migration | Any unmigrated EC-based chain is at serious risk |
The window is real but not immediate. The right posture is informed vigilance, not panic.
Frequently Asked Questions
Will quantum computers break Monero sooner than Bitcoin?
No. Both Bitcoin and Monero rely on elliptic curve cryptography that is vulnerable to Shor's algorithm. Monero's one-time stealth addresses reduce the static attack surface slightly compared to reused Bitcoin addresses, but the underlying mathematical vulnerability is identical. Neither has a meaningful quantum-resistance advantage over the other at this stage.
Does Monero's ring signature make it quantum-resistant?
No. Monero's ring signatures (CLSAG and its predecessors) are constructed from elliptic curve operations, the same mathematical foundation that Shor's algorithm attacks. A cryptographically relevant quantum computer could break the ring to identify the real signer, in addition to deriving private spend keys from stealth addresses.
When could a quantum computer actually threaten Monero?
The mainstream consensus among NIST, the NCSC, BSI, and academic researchers places the earliest plausible cryptographically relevant quantum computer in the 2030 to 2035 range. Current quantum hardware is multiple orders of magnitude short of the millions of physical qubits required to run Shor's algorithm against 256-bit elliptic curves.
What is 'harvest now, decrypt later' and does it affect Monero holders?
Harvest now, decrypt later (HNDL) refers to adversaries archiving encrypted or public blockchain data today, intending to decrypt it once a quantum computer is available. For Monero, this means historical stealth addresses recorded on-chain could be retroactively attacked to deanonymize transactions or expose private spend keys. It is the most relevant near-term quantum risk even before a CRQC exists.
Is the Monero Research Lab working on a post-quantum upgrade?
The Monero Research Lab has published academic work exploring post-quantum ring signature constructions based on lattice cryptography. No production-ready upgrade has been deployed. Any migration would require a hard fork and broad community consensus, which is technically achievable given Monero's history of protocol upgrades, but has not yet been formally scheduled.
What should Monero holders do right now to prepare for quantum risk?
In the near term: avoid non-standard wallet configurations that might reuse addresses, follow Monero Research Lab publications for upgrade proposals, and consider diversifying cryptographic exposure across protocols with different security architectures. The threat is not imminent, but the 10-to-20-year planning horizon is close enough to warrant monitoring.