Quantum Proof Protocol POST-QUANTUM · EVM NATIVE

Your address survives every algorithm.

Shor's algorithm will break every ECDSA wallet on Ethereum. Not someday. On a defined timeline. QP2 is the first protocol to make EVM accounts permanently quantum-safe — without changing your address, moving your funds, or waiting for a hard fork.

ECDSA Today
  • Single static keypair
  • Pubkey exposed on-chain
  • Broken by Shor in O(log³ N)
Keys cracked · funds drained
VS
QP2 Protected
  • One-time address per tx — pubkey never broadcast
  • Hot-swap to the latest PQ verifier anytime
  • New threat? Upgrade algo in one tx — no fork
Future-proof · same address · always quantum-safe
0 Exposed ECDSA Keys Harvestable on Ethereum today
1–4M Qubits to Break ECDSA Shor's algorithm threshold
2027 Earliest CRQC Estimate IonQ · harvest-now-decrypt-later active
QP2 Key Lifespan One-time · never reused · PQ-safe
GOOGLE WILLOW: 105 QUBITS — 2024
IBM CONDOR: 1,121 QUBITS — 2023
NIST PQC STANDARDS FINALIZED — AUG 2024
4M+ ETHEREUM PUBLIC KEYS EXPOSED ON-CHAIN
QUBITS NEEDED TO CRACK ECDSA: 1–4 MILLION
IONQ PROJECTS CRQC AS EARLY AS 2027
HARVEST-NOW-DECRYPT-LATER ATTACKS ALREADY UNDERWAY
ETH PQ HARD FORK TARGET: 2029 — THREE YEARS AWAY

The math that secures every crypto wallet has already been solved.

2,330 logical qubits
Required to crack a secp256k1 ECDSA key using Shor's algorithm. Translates to 1–4 million physical qubits with error correction. IBM's roadmap targets millions of physical qubits by the early 2030s.
O(log³n) complexity
Shor's algorithm solves the elliptic curve discrete logarithm in polynomial time — not brute force. It mathematically derives your private key directly from your public key. More qubits doesn't help ECDSA. The math is broken at the root.
~2s exposure window
Every time you send an Ethereum transaction, your public key is exposed for approximately one block (~12 seconds mainnet, ~2 seconds Base) before the transaction confirms. A future quantum computer needs hours to days. You are safe — until you're not.
4M+ addresses
Ethereum public keys already exposed on-chain and permanently harvestable. "Harvest now, decrypt later" attacks are underway. Adversaries are recording public keys today to decrypt when a cryptographically-relevant quantum computer exists.
shor_attack_simulation.py
# Shor's algorithm against secp256k1
# Input: any exposed public key
$ target_pubkey =
"0x04a1b2c3d4e5f6..." # on-chain forever
# Classical attack
$ classical_bruteforce(pubkey)
Keyspace: 2^256
At 10^12 ops/sec:
→ ~10^59 years. Safe.
# Grover's algorithm (quantum)
$ grovers_search(pubkey)
Effective keyspace: 2^128
→ ~10^21 years. Still safe.
# Shor's algorithm (quantum)
$ shors_ecdlp(pubkey)
Method: quantum phase estimation
Qubits: 2,330 logical
Gates: ~1.26 × 10^11 Toffoli
At 10MHz gate speed:
→ ~3 hours to complete.
$ result
PRIVATE KEY: 0x7f3a...9c2e
STATUS: WALLET COMPROMISED
# This is not theoretical.
# It is a solved algorithm
# waiting for hardware.
Estimated time to Q-Day

Based on Webber et al. (2022), IonQ roadmap (2025), and Google Willow breakthrough (2024) — consensus estimate: 2030–2033


Target date: Jan 1, 2033 (mid-range consensus) · Sources: Webber et al., IonQ 2025 roadmap, Google Willow paper

The vulnerability is mathematical, not implementation.

The Core Break

Given public key P = k × G
Classical: finding k takes 2^128 ops
Shor's QC: finding k takes O(log³n) ops
 
Longer ECDSA keys do not help.
Shor's solves the math, not the size.
The algorithm is the vulnerability.
Now · 2026
~2,000
Safe

High-quality qubits exist but error correction is immature. Cannot run Shor's at secp256k1 scale. Gap is ~10,000× in physical qubits.

Near · 2028–2030
~100,000
Caution

Approaching threshold. Error correction improving rapidly after Google Willow's below-threshold breakthrough. Watch closely.

Danger · 2030–2033
~1,000,000
Danger

Cryptographically relevant quantum computers plausible. ECDSA keys crackable in weeks to days. Harvest-now attacks become profitable.

Critical · 2033+
~4,000,000
Critical

Keys crackable in hours. Every exposed Ethereum public key — including yours from today — is at risk. Migration window has closed.

4M+
Exposed Ethereum public keys Any address that has ever sent a transaction has its public key permanently on-chain. No deletion. No expiry. Forever harvestable.
$200B+
ETH held in exposed addresses Estimated value held in wallets whose public keys are on-chain and vulnerable to a cryptographically-relevant quantum attack.
0
Native EVM migration paths today No deployed EVM protocol today provides a live, usable, quantum-safe account system that preserves address identity. Zero.

Every current approach has a critical flaw.

The industry knows the quantum threat is real. Multiple teams are working on it. None of the current solutions are deployable on existing EVM chains today without requiring users to abandon their on-chain identity.

Ethereum EIP-8141 (Hegotá hard fork · H2 2026+)
Why it falls short: Requires a protocol-level hard fork. Estimated 2029 for core PQ infrastructure, full ecosystem migration well beyond that. Does not help users on Base, Arbitrum, Polygon, or any other EVM chain. Changing algorithm still requires creating a new address on legacy AA paths.
EVM Native: ETH Only · Address Preserved: No

QRL 2.0 / Zond (New L1 blockchain)
Why it falls short: Entirely new chain. Users must migrate all assets, abandon existing Ethereum addresses, lose DeFi positions, ENS names, and years of on-chain history. Requires leaving the EVM ecosystem. Not a solution for existing Ethereum users.
EVM Native: New Chain · Address Preserved: No

ML-DSA / FALCON on-chain (Pure PQ verifier in Solidity)
Why it falls short: ML-DSA verification costs ~800,000 gas in pure Solidity — approximately $0.60 per transaction on Base today, $60+ on Ethereum mainnet during congestion. No precompile exists yet. Impractical for everyday use until Hegotá ships precompiles in 2027 at the earliest.
EVM Native: Yes · Address Preserved: Yes, but…

Anchor Wallet (Pauli Group) (Lamport signatures · Ethereum)
Why it falls short: Uses Lamport signatures — quantum-safe, but each signature is 10–50KB. Massive calldata cost, impractical for DeFi interaction. Positioned as cold storage only. No modular verifier system, no cross-chain identity, no upgrade path to better algorithms.
EVM Native: Yes · Address Preserved: Storage only

Standard ERC-4337 Wallets (Safe, Biconomy, Alchemy)
Why it falls short: Key rotation is possible but not quantum-designed. No deterministic key expiry, no OTA rotation, no PQ verifier integration. The underlying authentication is still ECDSA. Changing the signing key with these wallets still exposes the old public key in the rotation transaction.
EVM Native: Yes · Address Preserved: Not QP-Safe

On-chain verification cost per transaction — Base L2 (June 2026 gas prices)

QP2 OTA Verifier: ~33K gas · $0.0000003
Normal ECDSA (baseline): ~21K gas · baseline
FALCON-512 (Solidity): ~400K gas · $0.000004
ML-DSA-44 (Solidity): ~800K gas · $0.000007
Lamport (Anchor Wallet): ~1.2M+ gas · $0.00001+

One architectural inversion changes everything.

Traditional EVM: address = f(ECDSA_pubkey) — your identity IS your key. Quantum breaks the key, breaks your identity.

QP2: address = contract_address — permanent. The key is a swappable storage slot. Quantum can crack the slot. The address survives.

01 · Generate a one-time address

Your wallet derives addr_n from your master seed: keccak256(masterSeed || n || chainId || proxyAddr). This address has never signed anything. Its public key is hidden behind a hash. Quantum-safe until it signs.

02 · Deploy your permanent proxy

The QP2Factory deploys your proxy via CREATE2. The proxy address is deterministic — the same on Ethereum, Base, Arbitrum, Polygon, and every future EVM chain. Your address is permanent and chain-agnostic from day one.

03 · Sign once, rotate forever

Each transaction is signed by the current addr_n and simultaneously registers addr_n+1 as the next authority. After signing, addr_n is retired permanently. A quantum computer cracking addr_n finds a key that controls nothing.

04 · Upgrade algorithm anytime

The proxy stores an IQP2Verifier module — a swappable plugin. When ML-DSA precompiles land, when FALCON gets cheaper, when a new NIST standard emerges — you call switchVerifier() with one transaction. Same proxy address. Zero fund movement.

05 · High-value vault mode

For critical accounts, enable SHA256VaultVerifier: a two-transaction commit-reveal scheme. Phase 1 commits sha256(txn_data + key + nonce) without revealing it. Phase 2 reveals and executes. Even if a quantum computer cracks the signing key, it cannot execute without knowing the committed preimage — which is never published until after the transaction is protected.

OTA Key Rotation — Per Transaction

masterSeed (stored in secure enclave)
├─ derive addr_0 ← current auth
├─ derive addr_1 ← next auth
└─ derive addr_2 ← future
TXN 1: execute(target, data, addr_1, sig_0)
├─ ecrecover(sig_0) == addr_0
├─ execute call to target
└─ store addr_1 as new auth
addr_0 pubkey now exposed (~2 sec)
Quantum attack on addr_0: hours-days
addr_0 already retired. Controls nothing.
TXN 2: execute(target, data, addr_2, sig_1)
└─ addr_1 now retired, addr_2 active
Proxy address: 0xABCD... NEVER CHANGES
keccak(factory, salt, initcode)
same on all EVM chains

The algorithm is a plugin. Your address is the product.

QP2 treats cryptographic algorithms as swappable modules. The proxy stores a verifier address — one switchVerifier() call changes it. When NIST publishes a new standard in 2030, QP2 registers a new verifier. Your address migrates with one transaction.

Coming — Phase 2
ML-DSA-44
NIST FIPS 204 · Module Lattice

NIST-standardized post-quantum signature scheme. Based on the hardness of Module Learning With Errors (MLWE) — no known quantum speedup, no known classical attack. When Ethereum's Hegotá precompiles ship, gas drops from ~800K to ~30K.

Pubkey size: 1,312 bytes
Sig size: 2,420 bytes
PQ security: 128-bit
Standard: NIST FIPS 204
Coming — Phase 2
FALCON-512
NTRU Lattice · Smallest PQ signatures

Smallest post-quantum signatures of any NIST-standardized algorithm. 666 bytes per signature versus 2,420 for ML-DSA. Based on NTRU lattice hardness. Complex implementation requires careful timing-safe key generation, but offers the lowest calldata cost of all PQ schemes.

Pubkey size: 897 bytes
Sig size: 666 bytes
PQ security: 128-bit
Standard: NIST Round 3
Coming — Phase 3
SLH-DSA
NIST FIPS 205 · Hash-based only

The most conservative post-quantum algorithm. Security assumption reduces entirely to SHA-256 being a secure hash function — the most battle-tested assumption in all of cryptography. No lattice math, no algebraic structure. If SHA-256 holds, SLH-DSA holds.

Pubkey size: 32 bytes
Sig size: 7,856 bytes
PQ security: 128-bit
Standard: NIST FIPS 205
Governed by $QP2
Future Algos
NIST Round 2 · Unknown 2030+

NIST is already working on next-generation post-quantum standards. When they are published, QP2 token holders vote on adding new verifiers to the registry. Your proxy address migrates with one transaction. The protocol outlives any algorithm.

Governance: $QP2 token vote
Audit required: Yes, mandatory
Migration: 1 transaction
Address change: Never
QP2VerifierRegistry.sol — on-chain verifier registry Governed by $QP2
algoId 10 0x1a2b... OTAVerifier // ACTIVE
algoId 11 0x3c4d... SHA256VaultVerifier // ACTIVE
algoId 1 0x5e6f... FALCONVerifier // PENDING AUDIT
algoId 2 0x7a8b... MLDSAVerifier44 // PENDING PRECOMPILE
algoId 5 0x9c0d... SLHDSAVerifier // PHASE 3
algoId ? 0x???? [Next NIST Standard] // TOKEN VOTE WHEN READY

Why the math actually works.

// OTA Security

The Exposure Window Argument

When addr_n signs a transaction, its public key is visible in the mempool for approximately 2 seconds on Base before the block confirms. A cryptographically-relevant quantum computer running Shor's algorithm needs an estimated 3–28 hours to crack a secp256k1 key (Webber et al., 2022). The attack window is 5,400× smaller than the crack time. By the time the key is cracked, addr_n has been retired for hours — and controls nothing.

// SHA256 Vault Security

Double Layer Protection

SHA256 Vault adds a second independent security layer. Breaking the vault requires breaking both simultaneously: (1) crack the OTA ECDSA key with a quantum computer — hours to days — AND (2) reverse the SHA256 preimage to learn the committed transaction data — computationally equivalent to 2^128 operations even with Grover's algorithm. The second layer is provably infeasible regardless of quantum hardware.
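A model of the vault's commit and reveal phases, added here as an illustration and not QP2's contract code. It assumes `key` is an opaque byte string, adds the proxy address and chain ID to the preimage, length-prefixes each field, and requires a commitment to be at least one block old; the signature check that phase 2 also needs is left out.

```python
import hashlib
from dataclasses import dataclass, field

def lp(*fields: bytes) -> bytes:
    """Length-prefix every field so field boundaries are part of the preimage."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def naive_commitment(tx_data: bytes, key: bytes, nonce: int) -> bytes:
    # sha256(txn_data + key + nonce) read literally: plain concatenation.
    # (b"pay:1", b"0key") and (b"pay:10", b"key") hash to the same value.
    return hashlib.sha256(tx_data + key + str(nonce).encode()).digest()

def commitment(proxy: bytes, chain_id: int, nonce: int,
               tx_data: bytes, key: bytes) -> bytes:
    # Assumption: proxy address and chain id are bound in as well, so one
    # commitment is valid for exactly one vault, one chain and one nonce.
    return hashlib.sha256(lp(proxy, chain_id.to_bytes(32, "big"),
                             nonce.to_bytes(32, "big"), tx_data, key)).digest()

@dataclass
class Vault:
    proxy: bytes
    chain_id: int
    nonce: int = 0
    pending: dict = field(default_factory=dict)  # commitment -> block it was mined in

    def commit(self, c: bytes, block: int) -> None:
        # Phase 1: only the 32-byte hash is published.
        self.pending.setdefault(c, block)

    def reveal(self, tx_data: bytes, key: bytes, block: int) -> bool:
        # Phase 2: recompute the hash from the revealed preimage.
        c = commitment(self.proxy, self.chain_id, self.nonce, tx_data, key)
        mined = self.pending.get(c)
        if mined is None or block <= mined:      # unknown, or not yet one block old
            return False
        del self.pending[c]                      # each commitment is single use
        self.nonce += 1
        return True                              # caller may now execute tx_data
```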

// Attack Math

Formal Attack Analysis

Against OTA alone

Attack window: ~2 sec
Shor's min time: ~3 hours
// 2033 optimistic QC estimate
Ratio: 1 : 5,400
// attacker always arrives late
addr_n cracked → controls nothing

Against SHA256 Vault

Layer 1: crack ECDSA key
→ hours (QC, possible)
Layer 2: reverse SHA256
→ 2^128 ops (Grover's)
→ age of universe × 10^6
Both required: impossible

Hash function quantum safety: Keccak-256 (used for Ethereum addresses) and SHA-256 (used in QP2's vault) are only vulnerable to Grover's algorithm — which provides a quadratic speedup reducing 256-bit security to 128-bit effective security. 2^128 operations remain computationally infeasible on any quantum computer, now or in any foreseeable future. The address layer of QP2 (derived via CREATE2 with Keccak-256) is permanently quantum-safe with no action required.

// Cross-Chain Replay

Replay Attack Prevention

Every QP2 digest includes address(proxy), block.chainid, and nonce. A signature valid on Base cannot be replayed on Ethereum. A signature valid in transaction 47 cannot be used for transaction 48. The domain separation is enforced at the cryptographic layer — it cannot be bypassed by a relayer or bundler.
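The per-transaction rotation from steps 01 to 03 and the replay rule above, modelled together as an added example that is not QP2's code. Python's standard library has no secp256k1 or keccak256, so a Lamport one-time signature and SHA-256 stand in for `ecrecover` and `keccak256`; binding the call and the next address into the digest is an assumption.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (stand-in for keccak256 + abi.encode)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def keypair(seed: bytes, n: int):
    """One-time Lamport key n derived from the master seed (stand-in for ECDSA)."""
    sk = [[H(seed, n.to_bytes(8, "big"), bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def addr(pk) -> bytes:
    """addr_n: only a 20-byte hash of the public key is stored before it signs."""
    return H(*(h for pair in pk for h in pair))[:20]

def bits(d: bytes):
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, d: bytes):
    return [sk[i][b] for i, b in enumerate(bits(d))]

def verify(pk, d: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(d))))

class Proxy:
    def __init__(self, address: bytes, chain_id: int, first_auth: bytes):
        self.address, self.chain_id = address, chain_id
        self.auth, self.nonce = first_auth, 0

    def digest(self, target: bytes, data: bytes, next_auth: bytes) -> bytes:
        # Proxy address, chain id and nonce are bound as the page states; the
        # call and next_auth are bound too (assumed here) so that a relayer
        # cannot swap the successor key after signing.
        return H(self.address, self.chain_id.to_bytes(32, "big"),
                 self.nonce.to_bytes(32, "big"), target, data, next_auth)

    def execute(self, target, data, next_auth, pk, sig) -> bool:
        if addr(pk) != self.auth:                # retired or unknown key
            return False
        if not verify(pk, self.digest(target, data, next_auth), sig):
            return False
        self.auth, self.nonce = next_auth, self.nonce + 1  # rotate, retire old key
        return True
```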

// Protocol Sovereignty

Protocol Cannot Override User

The QP2 multisig controls the VerifierRegistry — it can add new verifiers and deprecate old ones. It cannot execute transactions on behalf of users, cannot migrate user accounts, cannot access user funds, and cannot change the active verifier without a valid proof from the user's current key. The registry is an upgrade menu, not a backdoor.

The time to prepare is now.

The quantum threat is not a theoretical concern. It is a solved mathematical problem waiting for hardware. The harvest-now-decrypt-later attack is already underway. Every transaction you've ever sent has permanently exposed your public key. QP2 is designing the only protocol that lets you protect your existing EVM identity — same address, quantum-safe, without migrating.

~$0 Gas per transaction on Base today
1 txn to upgrade algorithm, same address
Algorithm upgrades without moving funds
0 Existing protocols you need to abandon
TARGET EVM CHAINS
Base · chainId 8453
Ethereum Mainnet · chainId 1
Arbitrum One · chainId 42161
Polygon · chainId 137
BNB Chain · chainId 56
Any EVM Chain · same proxy address