Will Quantum Computers Break NEAR Protocol?

Will quantum computers break NEAR Protocol? It is one of the sharper questions in long-term crypto security, and the honest answer requires separating what is technically true from what is speculative. NEAR uses Ed25519 elliptic-curve signatures, a scheme that a sufficiently powerful quantum computer running Shor's algorithm could theoretically compromise. This article explains the exact mechanism, what "sufficiently powerful" actually means in engineering terms, where the realistic timeline sits today, and what NEAR holders and developers can do to reduce exposure well before Q-day arrives.

How NEAR Protocol Secures Transactions Today

NEAR Protocol relies on Ed25519 as its primary signature scheme. Ed25519 is a variant of the Edwards-curve Digital Signature Algorithm (EdDSA) built on Curve25519. It is fast, compact, and widely regarded as one of the most secure classical cryptographic constructions available.

Every time you submit a transaction on NEAR, your private key generates a 64-byte signature. Validators verify that signature against your public key. The security guarantee rests on the elliptic curve discrete logarithm problem (ECDLP): given a public key, deriving the private key is computationally infeasible with classical hardware, even with every supercomputer on Earth working in parallel for billions of years.

NEAR also supports secp256k1 for compatibility with Ethereum-style tooling, which operates on the same mathematical assumption.

Why Ed25519 Is Excellent Against Classical Attacks

The problem is not classical computers. The problem is Shor's algorithm running on a fault-tolerant quantum computer.

---

The Quantum Threat: What Shor's Algorithm Actually Does

Peter Shor published his quantum algorithm in 1994. It solves the discrete logarithm problem and integer factorisation in polynomial time, meaning a quantum machine running Shor's algorithm could derive a private key from a public key far faster than any classical method.

For Ed25519 specifically, the threat works as follows:

  1. A NEAR public key is broadcast on-chain whenever an account is created or a transaction is submitted.
  2. A quantum adversary observing the chain retrieves that public key.
  3. Running Shor's algorithm on a fault-tolerant quantum computer, the adversary computes the corresponding private key.
  4. The adversary signs a malicious transaction, draining the account before the legitimate owner can respond.

The "Exposed Public Key" Window

There is a nuance worth understanding. While a public key has not yet been broadcast, funds sitting at a derived address are harder to attack, because the attacker does not yet have the public key to feed into Shor's algorithm. Once a transaction is sent, the public key is on-chain permanently and the exposure window opens indefinitely.

This means:

How Many Qubits Would Actually Be Required?

This is where realistic timelines begin. Cracking Ed25519 with Shor's algorithm is estimated to require roughly 2,000 to 3,000 logical qubits. Logical qubits are error-corrected qubits, not the raw physical qubits that today's machines expose in press releases.

The ratio of physical to logical qubits under current error-correction schemes (surface codes) ranges from roughly 1,000:1 to 10,000:1, depending on error rates. That means breaking Ed25519 in practice may require somewhere between 2 million and 30 million physical qubits with current hardware error rates.

MetricCurrent Best (2024)Threshold to Break Ed25519
Physical qubits (largest announced)~1,000–2,000 (IBM, Google)~2–30 million (estimated)
Logical qubits (error-corrected)< 10 demonstrated reliably~2,000–3,000
Coherence timeMicroseconds to millisecondsHours (for full Shor's run)
Gate error rate~0.1–1%~0.001% or lower

The gap between where hardware sits today and the threshold required to attack NEAR is several orders of magnitude. This is not a 2025 problem or likely a 2030 problem under most credible engineering assessments.

---

Realistic Timeline: When Could Q-Day Arrive?

"Q-day" refers to the point at which a cryptographically relevant quantum computer (CRQC) exists, capable of breaking production elliptic-curve keys in a timeframe that is operationally useful to an attacker.

Expert Consensus Range

Estimates from government agencies, academic cryptographers, and NIST broadly cluster around the following:

NIST launched its Post-Quantum Cryptography standardisation process in 2016 precisely because the window for migration is long. In 2024, NIST finalised its first set of post-quantum standards, including CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures), both lattice-based schemes.

The "Harvest Now, Decrypt Later" Consideration

One threat that operates on a shorter timeline is harvest now, decrypt later (HNDL). A nation-state adversary could record encrypted blockchain communications or transaction data today and decrypt them once a CRQC becomes available. For most NEAR transaction content this is less critical than the key-exposure issue, but it is relevant for applications that route sensitive data through NEAR-based infrastructure.

---

What NEAR's Ecosystem Could Do to Prepare

NEAR is not standing still. The protocol's account model is notably more flexible than Bitcoin's UTXO system, which creates meaningful options for quantum migration.

Named Accounts and Modular Key Management

NEAR's account model is not address-hash-based. Accounts have human-readable names and support multiple key pairs with distinct permission levels (full-access keys and function-call keys). This architecture means:

Protocol-Level Upgrade Path

NEAR uses a sharded proof-of-stake consensus. Protocol upgrades are voted on by validators. A migration to post-quantum signatures would require:

  1. A NEAR Enhancement Proposal (NEP) specifying the new signature scheme.
  2. Validator adoption reaching the upgrade threshold (typically two-thirds stake).
  3. A transaction-signing library update in wallets and SDKs.
  4. A sunset period for legacy Ed25519 keys.

Lattice-based schemes like Dilithium (now NIST ML-DSA) are the leading candidates, though they carry larger key and signature sizes (Dilithium signatures are ~2.4 KB versus Ed25519's 64 bytes), which would affect NEAR's throughput and storage economics and require careful benchmarking.

What Individual NEAR Holders Can Do Now

You do not need to wait for a protocol upgrade to reduce exposure:

---

How Natively Post-Quantum Designs Differ

A key distinction separates retrofitting an existing chain versus building post-quantum security in from genesis. When an existing Layer-1 like NEAR migrates, it faces backward-compatibility constraints, validator coordination overhead, wallet ecosystem fragmentation during the transition period, and potential consensus edge cases.

Projects designed from the ground up around lattice-based cryptography and NIST PQC-aligned primitives avoid these transition costs entirely. BMIC.ai is one example of a wallet and token designed with post-quantum cryptography as a foundational layer rather than an afterthought, meaning its key generation and signing pipeline never relied on ECDSA or EdDSA to begin with.

The architectural difference matters practically: a native post-quantum design has no legacy key material on-chain to protect, no migration window during which old and new key schemes coexist, and no validator coordination risk during the switchover.

---

Summarising the Risk Profile for NEAR Protocol

It is worth being direct about what the evidence supports:

The productive posture is informed, methodical preparation: watching NIST standards, following NEAR governance, and maintaining custody hygiene, without overstating a risk that remains years from materialising.

---

Key Takeaways

Frequently Asked Questions

Does NEAR Protocol use the same cryptography as Bitcoin and Ethereum?

Not exactly. NEAR primarily uses Ed25519 (EdDSA on Curve25519) rather than the secp256k1 ECDSA used by Bitcoin and Ethereum, though NEAR does support secp256k1 for compatibility purposes. Both schemes rely on elliptic-curve discrete logarithm hardness and would be vulnerable to Shor's algorithm on a sufficiently powerful quantum computer, so the threat profile is similar in nature, if not identical in technical detail.

How many qubits are needed to break NEAR's Ed25519 keys?

Theoretical estimates put the requirement at roughly 2,000–3,000 logical (error-corrected) qubits to run Shor's algorithm against a 256-bit elliptic curve key. Because today's machines have very high physical error rates, this likely translates to tens of millions of physical qubits under current surface-code error-correction overhead. The largest machines announced in 2024 have around 1,000–2,000 physical qubits with error rates far above what is needed.

When could a quantum computer realistically threaten NEAR?

The most widely cited central estimate among cryptographers, NIST, and government security agencies places a cryptographically relevant quantum computer (CRQC) in the 2035–2045 window, though some pessimistic scenarios push it past 2050. No credible technical assessment puts NEAR at risk within the next five to seven years. The uncertainty means preparation should begin now, not urgently, but seriously.

Can NEAR Protocol upgrade to post-quantum cryptography?

Yes. NEAR's account model supports multiple key types and key rotation natively, which gives it a more practical migration path than UTXO-based chains like Bitcoin. A migration would require a NEAR Enhancement Proposal, validator consensus, wallet SDK updates, and a transition period where both old and new key schemes coexist. NIST-standardised lattice-based schemes such as ML-DSA (Dilithium) are the most likely candidates, though their larger signature sizes would need to be benchmarked against NEAR's throughput requirements.

What is 'harvest now, decrypt later' and does it affect NEAR holders?

Harvest now, decrypt later (HNDL) refers to an adversary recording encrypted data today with the intention of decrypting it once a quantum computer is available. For NEAR, the more direct quantum risk is key derivation from on-chain public keys rather than encrypted communications. HNDL is a greater concern for applications routing sensitive off-chain data through NEAR-based infrastructure, or for any signed messages that must remain confidential over a multi-decade horizon.

What can I do as a NEAR holder to reduce quantum risk right now?

Several practical steps reduce exposure without waiting for a protocol upgrade: minimise unnecessary transactions from high-value accounts to limit on-chain public key exposure; rotate keys periodically using NEAR's native multi-key account system; follow the NEAR governance forum for post-quantum NEP proposals; use reputable hardware wallets that commit to PQC roadmaps; and consider diversifying custody across multiple accounts to reduce the impact of any single key compromise.