Quantum resistance isn’t a checkbox.

Most projects answer “are you quantum-safe?” with a yes or a no. Both are lies — a blockchain isn’t one cryptographic thing, it’s a stack of them. The honest answer is a map, not a label. Here’s ours, including the parts that aren’t there yet.

01

What Breaks

Shor catastrophic · Grover survivable

Shor’s algorithm is the catastrophe. It breaks integer-factoring, elliptic-curve and discrete-log cryptography outright — not “weakens,” breaks. Every ECDSA signature, every RSA key, every classical Diffie-Hellman exchange falls.

Grover’s algorithm is survivable. Against hash functions it offers only a quadratic speedup — effectively halving the security level. A 256-bit hash drops to 128 bits, still far beyond reach.

So the rule for the rest of this page: anything resting on elliptic curves dies; anything resting on hashes survives.

02

The Map

Stealth, component by component

✅ post-quantum · ◐ weakened but safe · ✗ classical, Shor-vulnerable.

| Component | Primitive | Standing |
| --- | --- | --- |
| Shielded proof system | zk-STARKs · FRI | Hash-based, no elliptic curves, no trusted setup. Quantum-resistant by construction; Grover only halves the hash margin and the parameters carry the headroom. |
| Shielded note encryption | Hides amounts & recipients | Classical elliptic-curve key agreement — the kind Shor breaks. The validity of a private tx is post-quantum; the confidentiality of its contents is not yet. Isolated behind one module so a PQ KEM can replace it. |
| All hashing | txids · Merkle · feework | Grover halves effective security; output sizes and existing margins keep every one safe. |
| Transparent (XST) signatures | secp256k1 ECDSA | Shor-broken. The base layer that’s existed since launch. |
| Junaeth consensus signatures | secp256k1 ECDSA | “Quantum” in qPoS names the consensus design — not the signature scheme. The keys are classical. |
| Addresses (Hash160) | Unspent & never reused | An address never spent from hides its public key behind a hash. Spend or reuse and the key is exposed, and harvestable. |

The takeaway isn’t “Stealth is quantum-safe” or “isn’t.” It’s that the part that proves your privacy is post-quantum today, the part that encrypts it isn’t yet, and the transparent base layer carries the same classical signatures as every other UTXO chain.

03

Why Now

Harvest-now, decrypt-later

The threat isn’t a quantum computer existing someday. It’s harvest-now, decrypt-later. An adversary need only record the chain today — every exposed public key, every shielded note ciphertext — and wait. When a cryptographically-relevant quantum computer arrives, they decrypt and forge retroactively.

On a value-bearing privacy chain this cuts twice: exposed signature keys can be forged to move funds, and recorded note ciphertexts can be decrypted to unmask the transactions you shielded. Privacy that depends on classical encryption has an expiry date you don’t control.
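
To make the address row of the map and the harvest-now threat concrete, here is an added example (not Stealth's code) that classifies a wallet's addresses by whether their public key is already on-chain, so the exposed ones can be migrated first. It assumes a simplified ledger of pay-to-address-hash outputs; the field names and sample transactions are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (illustrative, not real chain data), in chain order.
# "spends" lists the (txid, vout) outpoints consumed; spending a hash-locked
# output publishes the public key behind its address.
LEDGER = [
    {"txid": "t0", "spends": [], "outputs": [("addrA", 50), ("addrB", 20), ("addrD", 10)]},
    {"txid": "t1", "spends": [("t0", 0)], "outputs": [("addrC", 30), ("addrA", 20)]},
    {"txid": "t2", "spends": [("t0", 2)], "outputs": [("addrE", 10)]},
]


def classify_addresses(ledger):
    """Map each address to (status, unspent_balance).

    exposed        -- key already published by a spend, funds still locked to it
    retired        -- key published, nothing left behind it
    hash-protected -- never spent from, key still hidden behind the hash
    """
    outputs = {}           # (txid, vout) -> (address, amount)
    spent = set()          # outpoints already consumed
    key_revealed = set()   # addresses whose public key is on-chain
    for tx in ledger:
        for outpoint in tx["spends"]:
            address, _amount = outputs[outpoint]
            spent.add(outpoint)
            key_revealed.add(address)
        for vout, (address, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = (address, amount)

    balance = defaultdict(int)
    for outpoint, (address, amount) in outputs.items():
        balance[address] += 0 if outpoint in spent else amount

    report = {}
    for address, unspent in balance.items():
        if address not in key_revealed:
            report[address] = ("hash-protected", unspent)
        elif unspent > 0:
            report[address] = ("exposed", unspent)
        else:
            report[address] = ("retired", 0)
    return report


def migration_order(report):
    """Exposed addresses, largest balance first: the ones to move first."""
    exposed = [(a, bal) for a, (status, bal) in report.items() if status == "exposed"]
    return sorted(exposed, key=lambda item: -item[1])
```

In the sample, `addrA` received change back to an address it had already spent from, which is the reuse case the map warns about; `addrB` has only ever received, so its key is still hidden.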

04

The Privacy Layer

How it gets there

Soundness

Already post-quantum

Every private transaction is proven with zk-STARKs — security resting entirely on hash functions and FRI, with no elliptic curves and no trusted setup ceremony anywhere.

Rests on · hashes · FRI

Confidentiality

The isolated seam

Note transport uses classical key agreement, deliberately isolated behind a single module so a post-quantum KEM can take its place without touching the proof system.

Swap · drop-in PQ KEM

Stealth’s shielded layer proves what it claims without curves and without a ceremony — soundness is post-quantum today. The remaining piece is how a recipient privately receives a note, and it’s carved off into one module precisely so sealing confidentiality is a swap, not a rewrite.

05

The General Picture

True of every chain

And the hard limit no one escapes: coins locked to a legacy elliptic-curve address cannot be retrofitted. The only path is owners moving their funds to new post-quantum addresses — a voluntary migration no protocol upgrade can perform for them. Any project claiming it will make your existing coins quantum-safe automatically is misrepresenting how this works.

06

Direction

Where Stealth is headed

The transparent base layer uses the same ECDSA signatures it has since launch, and those are not quantum-resistant. We’re not going to hide that behind the privacy layer’s strengths.

The direction is a base layer where the signature scheme is a parameter, not a constant — so a post-quantum scheme can be switched on by a network upgrade rather than a second rewrite. The Rust reimplementation of the node is where that groundwork is laid.

We’re deliberately not naming a scheme or a date. The right choice depends on a size-and-bandwidth analysis we’d rather finish honestly than announce prematurely — and a post-quantum activation is a one-way, consensus-level change that deserves its own audit. When it’s real, it’ll be on this page, mapped component by component, with the same honesty as everything above.

Read the cryptography.

Soundness first, confidentiality next, transparent-signature migration after.