Will Quantum Computers Break NEAR Protocol?
Will quantum computers break NEAR Protocol? It is one of the sharper questions in long-term crypto security, and the honest answer requires separating what is technically true from what is speculative. NEAR uses Ed25519 elliptic-curve signatures, a scheme that a sufficiently powerful quantum computer running Shor's algorithm could theoretically compromise. This article explains the exact mechanism, what "sufficiently powerful" actually means in engineering terms, where the realistic timeline sits today, and what NEAR holders and developers can do to reduce exposure well before Q-day arrives.
How NEAR Protocol Secures Transactions Today
NEAR Protocol relies on Ed25519 as its primary signature scheme. Ed25519 is a variant of the Edwards-curve Digital Signature Algorithm (EdDSA) built on Curve25519. It is fast, compact, and widely regarded as one of the most secure classical cryptographic constructions available.
Every time you submit a transaction on NEAR, your private key generates a 64-byte signature. Validators verify that signature against your public key. The security guarantee rests on the elliptic curve discrete logarithm problem (ECDLP): given a public key, deriving the private key is computationally infeasible with classical hardware, even with every supercomputer on Earth working in parallel for billions of years.
NEAR also supports secp256k1 for compatibility with Ethereum-style tooling, which operates on the same mathematical assumption.
Why Ed25519 Is Excellent Against Classical Attacks
- Constant-time implementation resists timing side-channel attacks
- 128-bit classical security level
- Small key and signature sizes reduce on-chain storage costs
- No known classical algorithm breaks it in polynomial time
The problem is not classical computers. The problem is Shor's algorithm running on a fault-tolerant quantum computer.
---
The Quantum Threat: What Shor's Algorithm Actually Does
Peter Shor published his quantum algorithm in 1994. It solves the discrete logarithm problem and integer factorisation in polynomial time, meaning a quantum machine running Shor's algorithm could derive a private key from a public key far faster than any classical method.
For Ed25519 specifically, the threat works as follows:
- A NEAR public key is broadcast on-chain whenever an account is created or a transaction is submitted.
- A quantum adversary observing the chain retrieves that public key.
- Running Shor's algorithm on a fault-tolerant quantum computer, the adversary computes the corresponding private key.
- The adversary signs a malicious transaction, draining the account before the legitimate owner can respond.
The "Exposed Public Key" Window
There is a nuance worth understanding. While a public key has not yet been broadcast, funds sitting at a derived address are harder to attack, because the attacker does not yet have the public key to feed into Shor's algorithm. Once a transaction is sent, the public key is on-chain permanently and the exposure window opens indefinitely.
This means:
- Used NEAR accounts are more exposed than fresh ones.
- Address reuse compounds the risk.
- Any account that has ever sent a transaction has its public key recorded on-chain forever.
How Many Qubits Would Actually Be Required?
This is where realistic timelines begin. Cracking Ed25519 with Shor's algorithm is estimated to require roughly 2,000 to 3,000 logical qubits. Logical qubits are error-corrected qubits, not the raw physical qubits that today's machines expose in press releases.
The ratio of physical to logical qubits under current error-correction schemes (surface codes) ranges from roughly 1,000:1 to 10,000:1, depending on error rates. That means breaking Ed25519 in practice may require somewhere between 2 million and 30 million physical qubits with current hardware error rates.
| Metric | Current Best (2024) | Threshold to Break Ed25519 |
|---|---|---|
| Physical qubits (largest announced) | ~1,000–2,000 (IBM, Google) | ~2–30 million (estimated) |
| Logical qubits (error-corrected) | < 10 demonstrated reliably | ~2,000–3,000 |
| Coherence time | Microseconds to milliseconds | Hours (for full Shor's run) |
| Gate error rate | ~0.1–1% | ~0.001% or lower |
The gap between where hardware sits today and the threshold required to attack NEAR is several orders of magnitude. This is not a 2025 problem or likely a 2030 problem under most credible engineering assessments.
---
Realistic Timeline: When Could Q-Day Arrive?
"Q-day" refers to the point at which a cryptographically relevant quantum computer (CRQC) exists, capable of breaking production elliptic-curve keys in a timeframe that is operationally useful to an attacker.
Expert Consensus Range
Estimates from government agencies, academic cryptographers, and NIST broadly cluster around the following:
- Optimistic (fastest plausible): 2030–2035
- Central estimate: 2035–2045
- Conservative (significant engineering barriers): post-2050 or never at current trajectory
NIST launched its Post-Quantum Cryptography standardisation process in 2016 precisely because the window for migration is long. In 2024, NIST finalised its first set of post-quantum standards, including CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures), both lattice-based schemes.
The "Harvest Now, Decrypt Later" Consideration
One threat that operates on a shorter timeline is harvest now, decrypt later (HNDL). A nation-state adversary could record encrypted blockchain communications or transaction data today and decrypt them once a CRQC becomes available. For most NEAR transaction content this is less critical than the key-exposure issue, but it is relevant for applications that route sensitive data through NEAR-based infrastructure.
---
What NEAR's Ecosystem Could Do to Prepare
NEAR is not standing still. The protocol's account model is notably more flexible than Bitcoin's UTXO system, which creates meaningful options for quantum migration.
Named Accounts and Modular Key Management
NEAR's account model is not address-hash-based. Accounts have human-readable names and support multiple key pairs with distinct permission levels (full-access keys and function-call keys). This architecture means:
- Key rotation is a native, relatively low-friction operation.
- A future upgrade could allow accounts to register post-quantum public keys alongside existing Ed25519 keys.
- A phased migration period could let users rotate before the old scheme is deprecated.
Protocol-Level Upgrade Path
NEAR uses a sharded proof-of-stake consensus. Protocol upgrades are voted on by validators. A migration to post-quantum signatures would require:
- A NEAR Enhancement Proposal (NEP) specifying the new signature scheme.
- Validator adoption reaching the upgrade threshold (typically two-thirds stake).
- A transaction-signing library update in wallets and SDKs.
- A sunset period for legacy Ed25519 keys.
Lattice-based schemes like Dilithium (now NIST ML-DSA) are the leading candidates, though they carry larger key and signature sizes (Dilithium signatures are ~2.4 KB versus Ed25519's 64 bytes), which would affect NEAR's throughput and storage economics and require careful benchmarking.
What Individual NEAR Holders Can Do Now
You do not need to wait for a protocol upgrade to reduce exposure:
- Minimise on-chain public key exposure: avoid unnecessary transactions from high-value accounts when not required.
- Use hardware wallets that support key rotation when post-quantum options become available.
- Monitor NEAR's NEP tracker for any post-quantum migration proposals.
- Diversify custody across multiple addresses and account structures to reduce the blast radius of any future key compromise.
- Stay current with NIST PQC standards so you understand which wallet vendors are genuinely implementing them versus marketing vaporware.
---
How Natively Post-Quantum Designs Differ
A key distinction separates retrofitting an existing chain versus building post-quantum security in from genesis. When an existing Layer-1 like NEAR migrates, it faces backward-compatibility constraints, validator coordination overhead, wallet ecosystem fragmentation during the transition period, and potential consensus edge cases.
Projects designed from the ground up around lattice-based cryptography and NIST PQC-aligned primitives avoid these transition costs entirely. BMIC.ai is one example of a wallet and token designed with post-quantum cryptography as a foundational layer rather than an afterthought, meaning its key generation and signing pipeline never relied on ECDSA or EdDSA to begin with.
The architectural difference matters practically: a native post-quantum design has no legacy key material on-chain to protect, no migration window during which old and new key schemes coexist, and no validator coordination risk during the switchover.
---
Summarising the Risk Profile for NEAR Protocol
It is worth being direct about what the evidence supports:
- NEAR's Ed25519 scheme is secure against all known classical and near-term quantum attacks.
- A cryptographically relevant quantum computer does not exist today and faces substantial engineering barriers.
- The threat is real over a decade-plus horizon and justifies active preparation now, not panic.
- NEAR's flexible account model gives it better migration ergonomics than many other Layer-1s.
- The ecosystem needs to move before Q-day, not after. Migration takes years, and Shor's algorithm attack could in principle be executed in hours once hardware is ready.
The productive posture is informed, methodical preparation: watching NIST standards, following NEAR governance, and maintaining custody hygiene, without overstating a risk that remains years from materialising.
---
Key Takeaways
- Ed25519 is NEAR's primary signature scheme, vulnerable in theory to Shor's algorithm on a fault-tolerant quantum computer.
- Breaking it requires an estimated 2,000–3,000 logical qubits, which translates to millions of physical qubits under current error-correction overhead.
- No such machine exists. The central expert estimate for a cryptographically relevant quantum computer is 2035–2045.
- NEAR's named-account and multi-key architecture provides a relatively clean migration path compared to UTXO-based chains.
- Individuals can reduce exposure through key hygiene and monitoring governance proposals for post-quantum NEPs.
- Natively post-quantum designs sidestep migration complexity entirely, because they never relied on classically vulnerable signature schemes.
Frequently Asked Questions
Does NEAR Protocol use the same cryptography as Bitcoin and Ethereum?
Not exactly. NEAR primarily uses Ed25519 (EdDSA on Curve25519) rather than the secp256k1 ECDSA used by Bitcoin and Ethereum, though NEAR does support secp256k1 for compatibility purposes. Both schemes rely on elliptic-curve discrete logarithm hardness and would be vulnerable to Shor's algorithm on a sufficiently powerful quantum computer, so the threat profile is similar in nature, if not identical in technical detail.
How many qubits are needed to break NEAR's Ed25519 keys?
Theoretical estimates put the requirement at roughly 2,000–3,000 logical (error-corrected) qubits to run Shor's algorithm against a 256-bit elliptic curve key. Because today's machines have very high physical error rates, this likely translates to tens of millions of physical qubits under current surface-code error-correction overhead. The largest machines announced in 2024 have around 1,000–2,000 physical qubits with error rates far above what is needed.
When could a quantum computer realistically threaten NEAR?
The most widely cited central estimate among cryptographers, NIST, and government security agencies places a cryptographically relevant quantum computer (CRQC) in the 2035–2045 window, though some pessimistic scenarios push it past 2050. No credible technical assessment puts NEAR at risk within the next five to seven years. The uncertainty means preparation should begin now, not urgently, but seriously.
Can NEAR Protocol upgrade to post-quantum cryptography?
Yes. NEAR's account model supports multiple key types and key rotation natively, which gives it a more practical migration path than UTXO-based chains like Bitcoin. A migration would require a NEAR Enhancement Proposal, validator consensus, wallet SDK updates, and a transition period where both old and new key schemes coexist. NIST-standardised lattice-based schemes such as ML-DSA (Dilithium) are the most likely candidates, though their larger signature sizes would need to be benchmarked against NEAR's throughput requirements.
What is 'harvest now, decrypt later' and does it affect NEAR holders?
Harvest now, decrypt later (HNDL) refers to an adversary recording encrypted data today with the intention of decrypting it once a quantum computer is available. For NEAR, the more direct quantum risk is key derivation from on-chain public keys rather than encrypted communications. HNDL is a greater concern for applications routing sensitive off-chain data through NEAR-based infrastructure, or for any signed messages that must remain confidential over a multi-decade horizon.
What can I do as a NEAR holder to reduce quantum risk right now?
Several practical steps reduce exposure without waiting for a protocol upgrade: minimise unnecessary transactions from high-value accounts to limit on-chain public key exposure; rotate keys periodically using NEAR's native multi-key account system; follow the NEAR governance forum for post-quantum NEP proposals; use reputable hardware wallets that commit to PQC roadmaps; and consider diversifying custody across multiple accounts to reduce the impact of any single key compromise.