The short version
Receiving is post-quantum. Spending is not. Yet. More precisely:

| Layer | Crypto used | Quantum status |
|---|---|---|
| Recipient discovery (scanning) | ML-KEM-768 | Post-quantum safe |
| Shared secret derivation | ML-KEM-768 | Post-quantum safe |
| View tag computation | SHAKE-256 | Post-quantum safe |
| Stealth address derivation | SHAKE-256 + keccak256 | Post-quantum safe |
| Spending the funds | secp256k1 | Classical (not PQ) |
Why receiving is stronger
When a sender creates a payment, the shared secret comes from ML-KEM encapsulation. The ciphertext published in the announcement is quantum-resistant. A future attacker with a quantum computer cannot:

- Recover the shared secret from the ciphertext
- Determine which recipient the announcement is for
- Link the stealth address back to the meta-address
Where the classical gap is
The wallet-compatible spend path converts the ML-KEM shared secret into a secp256k1 private key. This is a deliberate compatibility choice: existing Ethereum wallets only understand secp256k1 signatures.

What this means in practice:

- The receiving privacy is quantum-safe. Nobody can determine you received a payment.
- The spending transaction uses a classical signature. A quantum attacker could theoretically derive the private key from the on-chain public key after you spend. But at that point, the funds are already moved.

Why this split is acceptable (for now)
The spend-side vulnerability requires:

- A cryptographically relevant quantum computer (estimated 10-15 years away)
- Attacking the spending key after the stealth address is already known

In practice, the funds are typically already spent by the time an attacker would try.

The receive side has no such window:

- Announcement data is permanent and public
- Harvest-now-decrypt-later is a real threat vector
- Privacy once broken cannot be restored
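The receive/spend split described above, as an added example that is not SPECTER's own code: it uses Go's standard-library ML-KEM-768 and SHAKE-256, and the one-byte SHAKE-256 view tag and the SHAKE-256-derived secp256k1 scalar are assumed constructions, since the page does not give SPECTER's exact derivation. The keccak256 address step is omitted because the Go standard library has no secp256k1 point arithmetic.

```go
package main

import (
	"crypto/mlkem"
	"crypto/sha3"
	"errors"
	"math/big"
)

// secp256k1 group order n; a usable spend scalar lies in [1, n-1].
var secpN, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)

// Announcement is the published part: ML-KEM-768 ciphertext plus a one-byte view tag.
type Announcement struct {
	Ciphertext []byte
	ViewTag    byte
}

// viewTag is the first byte of SHAKE-256 over the shared secret (assumed domain label "view:").
func viewTag(ss []byte) byte {
	return sha3.SumSHAKE256(append([]byte("view:"), ss...), 1)[0]
}

// spendScalar is the classical step: SHAKE-256 of the PQ shared secret reduced mod n (assumed
// construction, label "spend:"). Signatures made with it are ECDSA, hence not post-quantum.
// k == 0 has probability about 2^-256; a production wallet should still reject it.
func spendScalar(ss []byte) *big.Int {
	k := new(big.Int).SetBytes(sha3.SumSHAKE256(append([]byte("spend:"), ss...), 32))
	return k.Mod(k, secpN)
}

// Send encapsulates to the recipient's published ML-KEM-768 key. The sender keeps its copy of
// the spend scalar only to compute the stealth address it pays into (address step omitted here).
func Send(ek *mlkem.EncapsulationKey768) (Announcement, *big.Int) {
	ss, ct := ek.Encapsulate()
	return Announcement{Ciphertext: ct, ViewTag: viewTag(ss)}, spendScalar(ss)
}

// Scan decapsulates with the recipient's key. A wrong key does not error (ML-KEM implicit rejection
// yields a pseudorandom secret), so the view tag is only a cheap filter with a 1/256 false-positive
// rate; a real wallet then confirms the derived address against the announced stealth address.
func Scan(dk *mlkem.DecapsulationKey768, a Announcement) (*big.Int, error) {
	ss, err := dk.Decapsulate(a.Ciphertext) // errors only on a malformed ciphertext length
	if err != nil {
		return nil, err
	}
	if viewTag(ss) != a.ViewTag {
		return nil, errors.New("view tag mismatch: not addressed to this key")
	}
	return spendScalar(ss), nil
}
```

Everything an observer sees (the ciphertext and view tag) is ML-KEM/SHAKE-256 output; only the scalar that the recipient eventually signs with is classical.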
What could go wrong?
Can an observer link payments to me?
Not without your viewing key. The ML-KEM ciphertext in the announcement is quantum-resistant. The stealth address has no mathematical link to your meta-address that an observer can compute.
Can a quantum attacker break my receiving privacy?
Not with any known algorithm. ML-KEM-768 provides NIST Category 3 security (AES-192 equivalent against quantum). No polynomial-time quantum attack on MLWE is known.
Can a quantum attacker steal my funds?
Only if the funds are sitting unspent at a stealth address and the public key is exposed on-chain. This is the same risk every Ethereum address faces, not specific to SPECTER. Spending promptly reduces this window.
What about the secp256k1 spend key?
It’s classical. If you’re concerned about quantum attacks on the spending side, the path forward is smart account wallets (see below). For now, the spend-side risk is the same as any normal Ethereum wallet.
The path to fully post-quantum spending
Path 1: ERC-4337 Smart Accounts
ERC-4337 smart accounts can use any signature verification logic. A SPECTER smart account could verify ML-DSA (post-quantum signatures) instead of ECDSA inside `validateUserOp`.
This is the most practical route available today.
Path 2: EIP-8141 Frame Transactions
EIP-8141 (Draft, January 2026) lets accounts define transaction validity with arbitrary cryptographic systems. It is a strong long-term fit for native PQ transaction validation.

Path 3: Hybrid migration
- Keep ML-KEM for receive/discovery (already done)
- Route spending through smart-account validation
- Swap ECDSA verification for a PQ signature scheme when infrastructure is ready