The quantum elephant in the room
Here's an uncomfortable truth: most of the cryptography protecting your crypto will break when quantum computers get powerful enough.
Your Ethereum wallet's private key? Derivable from your public key with Shor's algorithm. The elliptic curve operations behind ECIES encryption? Broken. The Grumpkin curve we use for NixAddress and note encryption? Gone.
This isn't science fiction. It's math that's been understood since 1994. The only question is when the hardware catches up.
When should we actually worry?
Nobody knows exactly. Estimates range from 2030 to 2050 for "cryptographically relevant" quantum computers. IBM, Google, and a dozen startups are racing to get there.
But here's the thing: even if it's 20 years away, there's an attack called "harvest now, decrypt later." Someone captures your ECIES-encrypted transaction data today, stores it, and decrypts it in 2040 when they have a quantum computer.
For financial privacy, that matters. Your private notes from 2025 being revealed in 2045 might not be a disaster. But it might be. We'd rather not find out.
What we use today (and why it's vulnerable)
NixProtocol currently uses ECIES encryption on the Grumpkin curve. ECIES (Elliptic Curve Integrated Encryption Scheme) is how we encrypt note data for recipients and for the auditor. When someone sends you a payment, they encrypt the note details (value, salt) to your Grumpkin public key using ECIES.
The problem is ECIES relies on the elliptic curve discrete logarithm problem being hard. Quantum computers make it easy with Shor's algorithm.
We need a replacement that:
- Survives quantum computers
- Works efficiently enough for on-chain use
- Doesn't make transactions impossibly expensive
Enter lattice cryptography
The solution comes from a weird branch of math involving high-dimensional grids called lattices. Finding short vectors in these lattices is hard. Really hard. Even for quantum computers.
NIST spent years evaluating post-quantum candidates and picked:
- Kyber for encryption/key exchange
- Dilithium for signatures
These are now standards. They work. They're fast enough for real use.
The size problem
Here's the catch: post-quantum crypto is bigger. Way bigger.
| What | Current (Grumpkin/ECIES) | Post-Quantum (Kyber) |
|---|---|---|
| Public key | 32 bytes | 1,184 bytes |
| Ciphertext overhead | ~65 bytes | ~1,088 bytes |
That's roughly 15-35x larger. On a blockchain where every byte costs gas, that's painful.
But it's not as bad as it sounds. The actual computation is fast (microseconds). The main cost is data size, and we can optimize around that in various ways.
The UTXO model actually helps here
Here's some good news. Because NixProtocol uses a UTXO note model rather than encrypted on-chain balances, the migration path is cleaner than you might expect.
Note commitments are just Poseidon2 hashes. They don't depend on elliptic curves at all. The Merkle tree, the nullifiers, the core privacy pool structure? All hash-based. That stuff survives quantum computers just fine.
What needs to change is the ECIES layer: how we encrypt note data for recipients and the auditor. That's the part that relies on Grumpkin curve operations.
Options:
- Replace ECIES with Kyber-based encryption for the note data payload
- Hybrid approaches: ECIES + Kyber layered encryption (belt and suspenders)
- Post-quantum key exchange for deriving shared secrets
We're exploring all three.
Our migration plan
We're not waiting for quantum computers to arrive before we start.
Phase 1 (now): Hybrid encryption. Note data gets encrypted with both ECIES and Kyber. If quantum computers never arrive, no harm. If they do, the Kyber layer protects you.
Phase 2 (future): Once the ecosystem matures, migrate fully to lattice-based systems. Kyber for note encryption, Dilithium for any signature needs, and STARK proofs for quantum-safe ZK verification.
Phase 3: Optimize. Post-quantum crypto is improving fast. Parameters will shrink. Hardware acceleration will arrive. What's expensive today will be cheap in a few years.
What changes for NixAddress
Current NixAddress encodes a Grumpkin public key, which is vulnerable to quantum attacks.
Post-quantum version would encode a Kyber public key instead. Instead of a 32-byte public key, there's a 1,184-byte one. NixAddresses get longer. Scanning for incoming notes takes more work because decryption is heavier.
Not ideal, but manageable. And it survives the quantum apocalypse.
Practical advice
If you're building privacy tech:
Now: Abstract your cryptography. Don't hardcode a specific curve everywhere. Make it easy to swap encryption schemes.
Soon: Add hybrid encryption for long-term secrets. Anything that needs to stay private for 10+ years should have a post-quantum layer.
Watch: NIST standardization is mostly done, but IETF integration and Ethereum research are ongoing. EIP proposals for PQC precompiles would make this much cheaper on-chain.
The bottom line
We don't know when quantum computers will break current crypto. Could be 2030. Could be 2050. Could be never (but probably not).
What we do know: the transition isn't optional. Financial privacy that breaks in 15 years isn't really privacy. And the "harvest now, decrypt later" threat means the clock is already ticking on today's encrypted data.
We're building NixProtocol to survive the transition. Start with what works today (ECIES on Grumpkin, UltraHonk proofs, UTXO notes), add quantum resistance as a layer, then migrate fully when the tech matures.
Privacy that lasts.