Will Quantum Computers Break Stellar?

Will quantum computers break Stellar? It is a precise, answerable question, and the honest answer is: yes, under a sufficiently powerful quantum computer, the cryptographic scheme securing every standard Stellar account would be vulnerable. That does not mean an attack is imminent, but the mechanism is real, the timeline is narrowing, and Stellar holders deserve a clear-eyed explanation rather than either panic or dismissal. This article walks through how Stellar's signatures work, what a quantum adversary would actually need to do, where the realistic threat window sits, and what practical steps holders can take right now.

How Stellar Secures Accounts Today

Stellar uses Ed25519, a high-performance elliptic-curve digital signature algorithm built on Curve25519. Every Stellar account is a public/private key pair derived from this curve. When you sign a transaction, you prove ownership of the private key without revealing it, thanks to the mathematical hardness of the elliptic-curve discrete logarithm problem (ECDLP).

Ed25519 is an excellent classical cryptographic choice. It is faster and more compact than older RSA or secp256k1 schemes, and it is the default signature algorithm for the Stellar network protocol (SEP standards, Horizon API, Stellar Core). Multisig on Stellar is simply a threshold of Ed25519 keys, so the same underlying vulnerability applies there.

What Makes Ed25519 Classically Strong

On a classical computer, breaking Ed25519 would require solving the ECDLP on a 255-bit curve. The best known classical algorithms run in sub-exponential but still astronomically large time. A 128-bit classical security level is generally accepted for Curve25519, which means a classical attacker would need roughly 2^128 operations — more than the estimated number of atoms in the observable universe could compute in any practical timeframe.

Where the Quantum Threat Enters

The picture changes when you introduce Shor's algorithm, a quantum algorithm published in 1994. Shor's algorithm solves the ECDLP in polynomial time on a sufficiently large quantum computer. For Ed25519 specifically, estimates suggest a cryptographically relevant quantum computer (CRQC) would need roughly 2,330 to 3,000 logical qubits to break a 256-bit elliptic-curve key in hours, according to resource estimates published in academic literature (Roetteler et al., 2017; Webber et al., 2022). Logical qubits must be error-corrected, so the physical qubit overhead multiplies this by anywhere from 1,000 to 10,000 depending on the error-correction code used.

---

The Attack Surface: Two Distinct Threat Models

Not all quantum attacks on Stellar are equivalent. It is important to distinguish between two scenarios, because they carry very different urgency levels.

Threat Model 1 — Harvest Now, Decrypt Later (HNDL)

A quantum adversary with sufficient capability could today record all signed Stellar transactions broadcast on the public ledger. Once a CRQC exists, those recorded signatures can be retroactively analysed. For Stellar specifically, HNDL is less catastrophic than for some other systems because:

The practical implication: Stellar addresses that have ever broadcast a transaction have an exposed public key and are theoretically vulnerable to a future HNDL attack. Accounts that have never signed a transaction on-chain have not revealed their public key in a usable form.

Threat Model 2 — Real-Time Transaction Forgery

A CRQC could, in theory, intercept a transaction in flight, derive the private key from the broadcast public key, and forge a competing transaction before the original confirms. Stellar's median ledger close time is roughly 5 seconds. That window is currently far too narrow for any quantum hardware in existence or on the near-term roadmap, but the attack becomes conceivable once CRQCs can solve ECDLP in seconds rather than hours.

---

What Would Actually Have to Be True for Stellar to Be "Broken"

Breaking Stellar's cryptography is not a single event. It requires a convergence of several conditions:

  1. A fault-tolerant CRQC exists with millions of physical qubits running reliable error correction.
  2. The attack is economically viable — running a CRQC is expensive; targeted attacks on high-value accounts are more likely than mass sweeps.
  3. Stellar has not upgraded its signature scheme before that point.
  4. Users have not migrated to quantum-resistant keys or fresh addresses.

All four conditions must be true simultaneously for a successful attack on a specific account.

---

Realistic Timeline: When Could This Happen?

Quantum hardware is advancing rapidly, but the gap between current capability and a CRQC remains large. Here is a calibrated view of where things stand:

MilestoneCurrent Status (2024–2025)Estimated Timeframe
Largest publicly known quantum processors~1,000–2,000 physical qubits (IBM Condor, Google Willow)Present
Logical qubit demonstrationsEarly error-correction prototypes2025–2028
~1 million physical qubits (needed for fault tolerance)Not yet achieved2028–2035 (analyst range)
CRQC capable of breaking 256-bit ECC in hoursTheoretical target2030–2040+ (wide uncertainty)
Real-time ECC break under 5 seconds (Stellar window)Far beyond current roadmapsPost-2040, highly speculative

Sources: NIST IR 8547 (2024), Mosca threat model, various academic roadmaps.

The important takeaway is that the threat is not immediate, but the development cycle for post-quantum migrations in large distributed networks is long. The Stellar Development Foundation, like most blockchain projects, will need years to research, propose, test, and deploy a protocol-level upgrade. Waiting until a CRQC is confirmed operational is waiting too long.

---

What Stellar Would Need to Do to Become Quantum-Resistant

Upgrading Stellar's signature scheme is technically possible but non-trivial. The process would involve:

1. Adopting NIST PQC-Standardised Algorithms

NIST finalised its first post-quantum cryptography standards in August 2024, including ML-DSA (formerly CRYSTALS-Dilithium, a lattice-based signature scheme) and SLH-DSA (a stateless hash-based scheme). Either could replace Ed25519 as Stellar's signature layer.

2. Protocol-Level Hard Fork or Soft Migration

Stellar's consensus mechanism (the Stellar Consensus Protocol, SCP) and its transaction format would need updates to accommodate larger signature sizes. ML-DSA signatures are roughly 2.5 KB compared to Ed25519's 64 bytes, a 40x size increase that has real implications for ledger throughput and storage.

3. User-Side Key Migration

Even after a protocol upgrade, users would need to migrate existing accounts to new quantum-resistant keys. Accounts that remain on legacy Ed25519 keys would retain exposure.

4. Anchor and Ecosystem Coordination

Stellar's ecosystem includes payment anchors, institutional remittance corridors, and bridges to other networks. Each integration point would require its own migration work.

---

What Stellar Holders Can Do Right Now

Waiting for a protocol upgrade is not the only option. Holders can take pragmatic steps today:

---

How Natively Post-Quantum Designs Differ

Projects built from the ground up with post-quantum cryptography differ from retrofit approaches in one critical respect: they do not carry legacy key infrastructure debt. A protocol that launches with lattice-based or hash-based signatures, aligned to NIST's finalised PQC standards, does not need a disruptive hard fork when Q-day approaches. The security model is designed for the post-CRQC environment from day one.

BMIC.ai, for example, is a quantum-resistant wallet and token that uses lattice-based cryptography aligned to NIST's PQC standards, meaning its key infrastructure is not vulnerable to Shor's algorithm in the way that Ed25519-based accounts are. That architectural difference matters because migration windows in live networks with billions in value at stake are unpredictable, and "upgrade later" carries real risk when the adversary's timeline is uncertain.

The contrast is not about dismissing established networks like Stellar, which have strong teams and a clear upgrade path available. It is about recognising that post-quantum security is far easier to design in at genesis than to bolt on after the fact.

---

Summing Up: Measured Risk, Not Panic

The honest answer to "will quantum computers break Stellar?" is: the cryptographic vulnerability is real, the timeline is uncertain but not distant enough to ignore, and the outcome depends heavily on how quickly both the Stellar ecosystem and individual holders act.

Ed25519 is secure today and will likely remain secure for at least another decade. But blockchain addresses are permanent, funds are long-lived, and protocol migrations take years. The prudent posture is to treat post-quantum readiness as a planning horizon item now, not an emergency and not something to defer indefinitely.

Holders who understand the mechanism, monitor migration developments, and diversify into quantum-resistant infrastructure where available are better positioned than those who assume the status quo will hold indefinitely.

Frequently Asked Questions

Does Stellar use a quantum-vulnerable signature scheme?

Yes. Stellar uses Ed25519, an elliptic-curve digital signature algorithm. Shor's algorithm, running on a sufficiently large fault-tolerant quantum computer, can solve the elliptic-curve discrete logarithm problem and recover a private key from a public key. Ed25519 is not designed to resist this attack.

How many qubits would a quantum computer need to break a Stellar account?

Academic resource estimates suggest roughly 2,330 to 3,000 logical qubits to break a 256-bit elliptic-curve key, which is the size used by Ed25519. Logical qubits require substantial physical qubit overhead for error correction, placing the total physical qubit requirement in the millions with current error-correction codes. No computer close to this specification exists today.

Is my Stellar account already at risk from current quantum computers?

No. Current quantum processors are far below the threshold needed to run Shor's algorithm against 256-bit elliptic curves. The risk is forward-looking, tied to the eventual arrival of a cryptographically relevant quantum computer, which most expert timelines place no earlier than the late 2030s.

Can Stellar upgrade to post-quantum cryptography?

Yes, technically. NIST standardised post-quantum signature schemes including ML-DSA (lattice-based) and SLH-DSA (hash-based) in 2024. Stellar's protocol could be updated to use one of these algorithms, but it would require a coordinated protocol upgrade, larger transaction sizes, and a user-side key migration — all of which take considerable time and ecosystem coordination.

What is the 'harvest now, decrypt later' threat and does it apply to Stellar?

Harvest now, decrypt later (HNDL) means an adversary records public network data today and decrypts it once a CRQC is available. For Stellar, any address that has ever broadcast a transaction has exposed its public key on the ledger. A future CRQC could use that data to reconstruct the private key and drain accounts that still hold funds at the same address.

What can I do now to reduce quantum exposure on my Stellar holdings?

Practical steps include minimising address reuse (each transaction exposes your public key), keeping private keys in offline storage, monitoring the Stellar Development Foundation's roadmap for post-quantum migration announcements, and considering diversification into wallets built on NIST PQC-compliant cryptographic schemes for long-term holdings.