
Apr 29, 2026

Quantum Computing and PIVX

New advancements in quantum computing threaten to upend the cryptographic foundations of cryptocurrency, and the implications deserve examination by the PIVX community. This article explores what quantum computing is and why it matters for PIVX.

Quantum Computing

Traditional computers, from smartphones to powerful supercomputers, process information in bits, values that can be either 0 or 1. Quantum computers, on the other hand, use quantum bits, or qubits, which can exist in multiple states simultaneously.
 

Imagine a coin spinning in the air. While spinning, it can be seen as neither heads nor tails — it’s both at once. Qubits work this way, representing both 0 and 1 at the same time. When multiple qubits are linked through a quantum property called entanglement, they can be used to build quantum computers that, for some problems, are able to explore many possible solutions at the same time.
 

There is an important complication, though, beyond this simple spinning-coin mental model. Unlike the spinning coin, which we just think of as existing in both states because we don’t know how it will land, a qubit really exists in both states at the same time. This is fundamental — it’s not just that we don’t know. And the weights given to the 0 and 1 values for a qubit are not traditional probability numbers, but rather complex numbers that harbor wave-like properties. These factors give quantum computers both their strengths and their limitations.
 

Because of the limitations, for many computing tasks quantum computers using these qubits offer no known advantage. But for certain problems, including some of the mathematics that protect PIVX, future quantum computers using large numbers of qubits could be breathtakingly effective.
 

When discussing qubits, a distinction must be made between physical qubits and logical qubits. A physical qubit is a physical device (based on phenomena such as superconducting loops, electron spin, or photon polarization) that acts like a qubit but is noisy and error-prone. Multiple physical qubits can be combined through error-correction techniques to create a logical qubit that behaves close enough to the mathematical ideal required for quantum computation. It's estimated that perhaps thousands of physical qubits will be needed to produce each logical qubit.
 


Recent Breakthroughs
 

The past few years have seen great progress in quantum computing. Big companies, governments, and startups are building better and better quantum systems with more physical and more logical qubits. The field has seen what some call "doubly exponential growth": progress growing at an exponential rate that is itself exponentially growing. This growth behavior has been named Neven's Law.
 

Prominent figures have issued warnings that breakthroughs are coming. Scott Aaronson, a leading quantum computing researcher, stated in late 2025:
 

“[G]iven the current staggering rate of hardware progress, I now think it’s a live possibility that we’ll have a fault-tolerant quantum computer running Shor’s algorithm before the next US presidential election.”
 

He later clarified that he meant any fault-tolerant Shor demonstration (even over small numbers) and a “live possibility” means he’s not confident it won’t happen. (Source)
 

Similarly, on November 19, 2025, Ethereum co-founder Vitalik Buterin spoke at the Devconnect conference in Buenos Aires, asserting that Elliptic Curve Cryptography (ECC) could be cracked before the 2028 U.S. presidential election. He urged Ethereum to upgrade to quantum resistance within four years. (Source)



Threats to Cryptocurrency

The security of virtually all cryptocurrencies rests on mathematical problems that are easy to verify but hard to solve. For PIVX, the relevant cryptographic technologies are Elliptic Curve Cryptography (ECC) and cryptographic hashing. Defeating either with classical computers is considered exponentially hard in the number of bits involved, meaning the computational time required to break them grows like X^N for some number X > 1, with N the number of bits. An exponential grows extremely fast: for big enough N, faster than any polynomial (such as N^100).
 


Shor’s Algorithm: The Existential Threat
 

In 1994, Peter Shor developed a quantum algorithm that solves the mathematical problems underlying ECC (discrete logarithms) in polynomial rather than exponential time. What would take a classical computer longer than the age of the universe could potentially be accomplished by a sufficiently powerful quantum computer in hours or days using his technique. (Source)


The future moment when a quantum computer can break ECC in a material way has been dubbed Q-Day. Experts estimate that about 2,000–2,500 logical qubits will be needed for Q-Day. Current estimates for when this might occur range credibly from the late 2020s to the 2040s. The range is large because the rapid pace of progress makes precise predictions difficult.

 

Grover’s Algorithm: A Lesser Threat


Another quantum algorithm, Grover's Algorithm, threatens the cryptographic hash functions that cryptocurrencies like PIVX use for purposes like hiding public keys when making an address. Unlike Shor's exponential speedup, Grover's provides only a square-root-type speedup: significant, but not always catastrophic. (Source)
 

In practical terms, Grover's Algorithm roughly halves the bit-security of a hash against preimage search, although implementation overhead adds back something like 10 bits. So a 256-bit hash becomes roughly as hard to invert as a 138-bit hash is today: still very strong, but weaker than the original.
 

 

Example Application to PIVX Keys

Many cryptocurrencies, like PIVX, have public and private keys, where a public key is used to receive funds and a private key is used to send funds. A public key is usually used in a cryptographic process to calculate an address, while the private key is used in a cryptographic process to spend. Knowledge of a private key defines ownership of the cryptocurrency controlled by it.

As an example, Shor’s and Grover’s algorithms are applicable to transparent PIVX keys in the following way: Shor’s can be used to derive a private key from a public key, giving the attacker the ability to spend funds. Grover’s can be used to derive a public key from an address, giving the attacker the ability to then apply Shor’s. More details on these vulnerabilities are given later in this article.


Long-Range vs. Short-Range Attacks

Quantum threats come in two varieties:

Long-range attacks have unlimited time to work. If your address’s public key is exposed today, an attacker could take years to apply Shor’s to crack it and get the private key if the funds are not moved during that time.

Short-range attacks have limited time — for example, the small window between when a spend transaction is broadcast, necessarily exposing a public key, and when it’s confirmed on the blockchain. For transparent address use on PIVX, the available time would be on the order of one minute, PIVX’s block time (ignoring factors like propagation time).
 

Vulnerability of Other Coins

Before examining PIVX in detail, it is helpful to look at some other cryptocurrencies first. Different cryptocurrencies have different levels of exposure to quantum attacks, and PIVX can be explained by analogy to these.


Bitcoin

Many Bitcoin addresses that have never been used to send transactions only expose the hash of the public key, not the key itself. These “pristine” addresses are vulnerable only to short-range attacks upon spending using Shor’s Algorithm (for Bitcoin, the time window is nominally about 10 minutes — Bitcoin’s block time) or long-range attacks using Grover’s (which would, using the logic discussed earlier, reduce security from 160 bits to roughly 90 bits — still intractable) followed by Shor’s. However, reused addresses — as well as Taproot and some early legacy addresses not relevant to PIVX — expose public keys and are vulnerable to long-range Shor’s attacks, a greater weakness.


Ethereum

Most Ethereum addresses are vulnerable to long-range attacks because an Ethereum account exposes its public key the first time it sends a transaction (the key is recoverable from the transaction signature), even if just for interacting with a contract, and addresses are commonly reused. This is likely in part why Vitalik Buterin has been vocal about the need for quantum-resistant upgrades.


Privacy Coins

Privacy-focused cryptocurrencies face an additional concern: quantum computers could potentially de-anonymize transactions, revealing senders, receivers, and amounts even if they can’t steal funds. Monero is considered vulnerable in this regard. (Source) Zcash offers better protection when used correctly — specifically when funds are sent between shielded addresses without exposing either address to attackers.

As Zooko Wilcox, founder of Zcash, noted in August 2021:

“I think Zcash is actually resistant to quantum computers … as long as the attacker doesn’t know your z-address!” (Source)


PIVX

PIVX combines transparent transactions similar to Bitcoin with shielded transactions using technology from Zcash. This dual nature gives PIVX users flexibility but also creates a nuanced quantum vulnerability profile. (Source)


PIVX’s Four Address Types

PIVX supports four address types, each with different quantum vulnerability profiles:

 

Cold Staking


PIVX cold staking involves a two-key system that allows coin owners to keep their spending power in an offline "cold wallet" while delegating block creation and security to an online "hot wallet." Here are the two keys:
 

Owner key (typically for a D... address): Controls the actual spending of delegated coins

Staker key (for an S... address): Controls only the ability to stake and sign blocks for those coins
 

From a quantum perspective, compromising the staker key would only allow an attacker to stake on your behalf—not steal your funds. The owner private key that controls spending, which if known would allow stealing of funds, is not shared with the staker.
 

The cold-staking process reveals the two public keys at different stages. To start staking, only hashes of both the staker and owner public keys are exposed. The staker public key is then directly exposed during block production, while the owner public key is exposed when the owner claims funds (either the original staked amount or rewards). This matters because, once a public key is exposed, the corresponding private key is at risk from a long-range Shor's attack. (Source)
 

Masternode Creation


PIVX Masternodes vote on PIVX treasury spending and support the integrity of the network, receiving regular rewards in exchange. Creating a Masternode requires locking 10,000 PIVX units (PIV) as collateral in a single transaction output (UTXO). Masternodes use a single D... address to both commit the locked funds and receive rewards. A Masternode address always holds at least the 10,000 PIV collateral, and may hold more through accumulated rewards.
 

From a quantum perspective, the collateral address's public key is exposed in two ways: first through the Masternode broadcast message at registration that is propagated network-wide but not stored on-chain (Source), and subsequently on-chain whenever the owner moves rewards (regularly moving rewards is typical behavior). This exposure opens funds to the risk of a long-range Shor’s attack.
 

Quantum Vulnerability Profile

PIVX's vulnerability picture is complex because of the multiple address types and how each of those types might be used, as well as the fact that both privacy and security are a concern.

 

Transparent Address Security: Bitcoin-Like Exposure

PIVX's transparent addresses (D..., S..., and EXM...) use the same cryptographic library as Bitcoin, libsecp256k1, for transaction authentication. (Developer Notes) (secp256k1 Library)
 

This means transparent PIVX addresses share Bitcoin's vulnerability model: pristine (never used to send or commit) addresses expose only a hash of the public key and are resistant to long-range Shor’s attacks, while addresses that have sent transactions or been used for Masternode creation expose the public key and become vulnerable to long-range Shor’s attacks.
 

Transparent addresses aren't completely quantum-proof even when they haven't been reused, because Grover's Algorithm does provide some speedup for finding the public key from its hash. But they remain strongly resistant: the 160-bit hash security would be reduced to roughly 90 effective bits, which remains computationally intractable. The bigger worry by far is Shor's. (Source)
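The exposure rules described in this section and in the cold-staking and Masternode sections above (receiving reveals only the hash; spending, Masternode registration, or block signing reveals the key) lend themselves to a simple wallet-side audit. The following Python is an added example written for this article, not PIVX wallet code: it replays a constructed event history and reports which addresses still hold funds behind an exposed public key (long-range Shor's risk) versus funds behind an unexposed hash (short-range risk only). The event names, the `ExposureAuditor` class, the address labels and the amounts are assumptions for illustration.

```python
"""Audit transparent PIVX-style addresses for quantum key exposure.

Added example (not PIVX code). Exposure rules modelled, as described in the
article:
  receive      -> only the public-key hash is on-chain (address stays pristine)
  spend        -> the transaction input reveals the public key on-chain
  mn_register  -> the Masternode broadcast reveals the collateral key
  stake_block  -> a cold-staking staker key signs a block, revealing it
Amounts are whole PIV in a constructed history, not real transactions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LONG_RANGE = "long-range (key exposed, funds remain)"
SHORT_RANGE = "short-range only (hash only, funds remain)"
EXPOSED_EMPTY = "key exposed, no funds"
EMPTY = "never exposed, no funds"

# Event kinds that put the public key itself into an attacker's hands.
EXPOSING = {"spend", "mn_register", "stake_block"}


@dataclass
class AddressState:
    balance: int = 0
    exposures: List[str] = field(default_factory=list)

    @property
    def pubkey_exposed(self) -> bool:
        return bool(self.exposures)


class ExposureAuditor:
    def __init__(self) -> None:
        self.addrs: Dict[str, AddressState] = {}

    def _state(self, addr: str) -> AddressState:
        return self.addrs.setdefault(addr, AddressState())

    def apply(self, kind: str, addr: str, amount: int = 0) -> None:
        """Replay one event; spends are checked against the tracked balance."""
        st = self._state(addr)
        if kind == "receive":
            st.balance += amount
        elif kind == "spend":
            if amount > st.balance:
                raise ValueError(f"{addr}: spend {amount} exceeds balance {st.balance}")
            st.balance -= amount
        elif kind not in EXPOSING:
            raise ValueError(f"unknown event {kind!r}")
        if kind in EXPOSING:
            st.exposures.append(kind)

    def classify(self, addr: str) -> str:
        st = self._state(addr)
        if st.balance > 0:
            return LONG_RANGE if st.pubkey_exposed else SHORT_RANGE
        return EXPOSED_EMPTY if st.pubkey_exposed else EMPTY

    def report(self) -> Dict[str, Tuple[str, int]]:
        return {a: (self.classify(a), s.balance) for a, s in self.addrs.items()}

    def balance_at_long_range_risk(self) -> int:
        return sum(s.balance for a, s in self.addrs.items()
                   if self.classify(a) == LONG_RANGE)

    def remediation(self) -> List[str]:
        """Addresses whose remaining funds should move to a fresh, pristine address."""
        return sorted(a for a in self.addrs if self.classify(a) == LONG_RANGE)


def run_scenario() -> ExposureAuditor:
    """Constructed history mirroring the cases discussed in the article."""
    audit = ExposureAuditor()
    audit.apply("receive", "D1", 100)      # D1 funded, then partially spent:
    audit.apply("spend", "D1", 30)         # the remaining 70 sit behind an exposed key
    audit.apply("receive", "D2", 50)       # D2 funded, never spent: hash only
    audit.apply("receive", "D3", 10_000)   # D3 Masternode collateral; the
    audit.apply("mn_register", "D3")       # registration broadcast reveals the key
    audit.apply("stake_block", "S1")       # S1 staker key revealed, but it holds nothing
    audit.apply("receive", "D4", 40)       # D4 spent entirely to a fresh address,
    audit.apply("spend", "D4", 40)         # the pattern the Recommendations advise
    audit.apply("receive", "D5", 40)
    return audit


if __name__ == "__main__":
    a = run_scenario()
    for addr, (status, bal) in a.report().items():
        print(f"{addr:4} {bal:>6} PIV  {status}")
    print("at long-range risk:", a.balance_at_long_range_risk(), "PIV")
    print("move to fresh addresses:", a.remediation())
```

The auditor flags D1 and D3 as the only addresses with funds behind an exposed key. Note that moving a Masternode's collateral off D3 also tears down the Masternode, so for that case the remediation is re-registration with a fresh key rather than a plain sweep; the auditor only identifies the exposure.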
 

SHIELD Addresses Security: More Complex but Also Vulnerable
 

PIVX's SHIELD addresses use zk-SNARKs technology based on Zcash's Sapling protocol. This involves several cryptographic components, each with its own quantum considerations:
 

zk-SNARK Groth16 with BLS12-381 pairing: Used for zero-knowledge proofs in shielded transactions. The BLS12-381 curve is based on a 381-bit field, making it more expensive to attack than Bitcoin's 256-bit secp256k1—but still vulnerable to Shor's Algorithm. (Zcash Protocol Spec) (BLS12-381 Implementation)
 

Jubjub elliptic curve: Used for key-related operations in Sapling. As an elliptic curve, it's vulnerable to Shor's Algorithm. (Shor's Algorithm Paper)

A leading Zcash developer has explicitly noted that "practical post-quantum zk-SNARKs" remain a missing piece for a fully post-quantum system, indicating that the current implementations aren't quantum-safe. (Zcash Zips Issue #1134)

Unlike PIVX transparent addresses, which are derived from a cryptographic hash and expose nothing else about the public key before funds are moved, SHIELD addresses directly contain an elliptic curve point tied to the viewing key. Thus, knowledge of a SHIELD address by an attacker enables a direct long-range Shor's attack on privacy. This is part of why keeping shielded addresses private is important post-quantum.

However—and this is critical—for shielded transactions a post-quantum attacker can also still forge proofs and counterfeit/take funds without the private key. This risk is systemic for Groth16, where the zk-SNARK as a whole gets defeated rather than one address at a time. So, with long-range application of Shor’s, security for SHIELD transactions can be broken without address knowledge. (Source)

 

The Privacy Dimension: Enduring Protection

Here is where PIVX shines. Security (protecting funds from theft) and privacy (hiding transaction details) are separate concerns with different quantum implications. Both are important, but security problems can be fixed in the future, while privacy for past coin movement cannot.
 

PIVX's SHIELD transactions, when conducted entirely between shielded addresses that aren't exposed to attackers, likely maintain "post-quantum privacy" even if the underlying cryptography is eventually broken for security purposes. The Zcash specification explicitly mentions keeping shielded addresses private "to maintain post-quantum privacy." (Source)
 

This is subtle but important: even after Q-Day, when quantum computers can break cryptographic proofs, if attackers never had access to the shielded addresses involved in a PIVX transaction, they likely will not be able to de-anonymize it retroactively. This is a strength of PIVX compared to some other privacy coins.


Comparative Difficulty: PIVX SHIELD vs. Bitcoin

Using published formulas from Roetteler et al. for quantum resource requirements to break security, we can estimate comparative difficulty. (Source)

For elliptic curve discrete logarithms (the problem Shor's Algorithm solves):

Bitcoin's secp256k1 (256-bit): approximately 2,330 logical qubits are needed to break security

PIVX SHIELD's BLS12-381 (381-bit): approximately 3,457 logical qubits are needed to break security
 

Beyond field size, some attack paths against SHIELD transactions require multiple discrete-log computations, further increasing difficulty. And logical qubit counts alone do not convey quantum computer power: logical gate count and speed matter as well. The exact increase in difficulty depends on quantum computer implementation details, but PIVX's shielded transactions will likely be harder to crack than simple Bitcoin transactions.
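To make the comparison concrete, and to show where the Grover figures earlier in this article (138 effective bits for a 256-bit hash, 90 for a 160-bit one) come from, here is an added worked calculation. It is not code from the page or from Roetteler et al.; it evaluates the closed forms that paper states for an n-bit prime-field ECDLP, 9n + 2⌈log2 n⌉ + 10 logical qubits and approximately 448 n^3 log2 n + 4090 n^3 Toffoli gates, alongside the Grover rule of thumb used above (halve the hash's bits, add back about 10 bits of overhead). Reproducing the 2,330 and 3,457 qubit figures is the check; the gate-count ratio is the extra information. Jubjub's 255-bit base field is an input supplied here from the curve's definition, not a figure the page states.

```python
"""Worked quantum resource estimates for the curves and hashes discussed above.

Added example, not code from the page or from Roetteler et al. The two
closed forms are the ones that paper states for an n-bit prime-field ECDLP;
the Grover rule of thumb is the one used earlier in this article.
"""
import math
from typing import Dict, Tuple


def shor_ecdlp_logical_qubits(n_bits: int) -> int:
    """Roetteler et al.: 9n + 2*ceil(log2 n) + 10 logical qubits for an n-bit field."""
    return 9 * n_bits + 2 * math.ceil(math.log2(n_bits)) + 10


def shor_ecdlp_toffoli_gates(n_bits: int) -> int:
    """Roetteler et al.'s approximate Toffoli count: 448 n^3 log2 n + 4090 n^3."""
    n3 = n_bits ** 3
    return int(448 * n3 * math.log2(n_bits) + 4090 * n3)


def grover_effective_bits(hash_bits: int, overhead_bits: int = 10) -> int:
    """Quantum preimage search: halve the exponent, then add back ~10 bits of overhead."""
    return hash_bits // 2 + overhead_bits


# Field sizes. secp256k1 and BLS12-381 are as stated in the article; Jubjub's
# 255-bit base field (the BLS12-381 scalar field) is an assumption supplied here.
CURVES: Dict[str, int] = {
    "secp256k1 (Bitcoin, PIVX transparent)": 256,
    "BLS12-381 (PIVX SHIELD pairing)": 381,
    "Jubjub (Sapling key operations)": 255,
}

HASHES: Dict[str, int] = {
    "SHA-256 output": 256,
    "HASH160 address hash": 160,
}


def curve_estimates() -> Dict[str, Tuple[int, int]]:
    """(logical qubits, Toffoli gates) per curve."""
    return {name: (shor_ecdlp_logical_qubits(n), shor_ecdlp_toffoli_gates(n))
            for name, n in CURVES.items()}


def relative_toffoli_cost(curve_a: str, curve_b: str) -> float:
    """How many times more Toffoli gates breaking curve_a needs than curve_b."""
    return shor_ecdlp_toffoli_gates(CURVES[curve_a]) / shor_ecdlp_toffoli_gates(CURVES[curve_b])


if __name__ == "__main__":
    for name, (q, t) in curve_estimates().items():
        print(f"{name:40} {q:6d} logical qubits  {t:.2e} Toffoli gates")
    for name, bits in HASHES.items():
        print(f"{name:40} {bits:4d} bits -> ~{grover_effective_bits(bits)} bits under Grover")
    ratio = relative_toffoli_cost("BLS12-381 (PIVX SHIELD pairing)",
                                  "secp256k1 (Bitcoin, PIVX transparent)")
    print(f"BLS12-381 vs secp256k1 Toffoli-gate ratio: {ratio:.2f}x")
```

By these formulas BLS12-381 needs about 1.5x the logical qubits of secp256k1 but roughly 3.4x the Toffoli gates, which is the sense in which gate count, not just qubit count, measures difficulty. The caveat the table makes visible: Jubjub, over a 255-bit field, comes out slightly cheaper than secp256k1, so the "harder than Bitcoin" argument rests on the BLS12-381 pairing components, not on every curve SHIELD uses.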
 

Should PIVX Users Be Concerned?
 

The wide range of expert estimates for Q-Day, from the late 2020s to the 2040s, reflects genuine uncertainty. The field has surprised experts before with faster-than-expected progress.
 

Several factors are worth considering:
 

Cryptocurrency upgrade timelines are long: Major cryptographic changes require testing, community consensus, and careful deployment. Though PIVX can be faster than most, time requirements should be considered.
 

Early quantum computers will be slow: Even after Q-Day arrives, cracking an individual key may take many days. This provides some buffer.
 

PIVX has clear timing and value advantages over Bitcoin: With an average block time of 1 minute compared to 10 minutes for Bitcoin, the window for short-range attacks is smaller. Also, Bitcoin has many addresses vulnerable to long-range attacks. This, combined with the higher-value targets on Bitcoin, makes Bitcoin an early indicator of threats to PIVX.
 

PIVX has some timing and value advantage over Zcash: Because PIVX uses Zcash's Sapling techniques, which are similar in quantum robustness to Zcash's current techniques, private transactions on Zcash and PIVX face similar threats. PIVX, with a block time of 60 seconds, has a modest advantage over Zcash's 75 seconds for short-range attacks. More significant is that Zcash presents higher-value targets. With these two factors, Zcash also serves as an early indicator of threats to PIVX.
 

Post-quantum technologies already exist but are resisted today because of their burdensome blockspace and computation requirements, so the path from now to Q-Day may be somewhat predictable. One uncertain prediction, if Q-Day were to happen soon: quantum advancements will continue and be publicized, and one day Q-Day will appear imminent. Large cryptocurrencies like Bitcoin and Zcash will urgently adopt existing post-quantum technologies despite the high resource requirements. Because the updates will require users to move coins to new post-quantum addresses, the technologies will need to be fielded as early as possible to allow this. PIVX will quickly adopt these new technologies as they are developed, implemented, or fielded for other coins.
 

When and if this happens, PIVX users who move their funds to the new quantum-resistant addresses will be protected by post-quantum security, while their privacy likely remains intact due to PIVX's longstanding post-quantum protection. If this is well executed, PIVX will look and be strong in comparison to other cryptocurrencies that did not move quickly or did not have post-quantum secrecy already in place.
 

Recommendations

While we await these protocol-level quantum-resistant upgrades, PIVX users can take several practical steps to minimize their post-quantum risk:


For Transparent Address Users
 

Avoid address reuse: Each time you send from a transparent address, the public key is exposed, introducing a long-range vulnerability to Shor’s. Use fresh addresses for each transaction when possible.
 

Claim cold staking all at once: When reclaiming funds from a cold-staking configuration, don’t leave residual balances. Instead, move remaining funds to a pristine address and set up a new cold-staking delegation with that address to avoid public-key exposure and vulnerability to long-range Shor’s.
 

Weigh pluses and minuses of moving long-term holdings to SHIELD: SHIELD addresses offer privacy benefits and arguably better quantum resistance than reused transparent addresses. However, pristine transparent addresses, which have protection against long-range Shor’s attacks, offer better security. Prefer SHIELD addresses for privacy and pristine transparent addresses for security.
 

For SHIELD Users
 

Keep shielded addresses private: The "post-quantum privacy" property only works if attackers don't have your shielded addresses.

Prefer shielded-to-shielded transactions: Transactions that move between shielded addresses without exposing either address or the amount of funds maintain better long-term privacy.

Stay informed about protocol updates: As post-quantum cryptography matures, PIVX may implement upgrades. PIVX has a history of effective adoption of new technology. Being ready to migrate when these become available is important.


For All Users
 

Objectively follow quantum computing news: Major public breakthroughs will make headlines. Assumptions will change. Staying informed helps you adjust your security posture as needed. This is a complex topic—view all claims in light of the motivation of the claimer.
 

Support quantum-resistance research: Engage with the PIVX community on quantum preparedness. Community encouragement on Discord and other online venues helps prioritize upgrades, which may be incremental. Adopt new technologies when available and vetted.
 

Keep perspective: Quantum computing is a real threat, but PIVX is not unique in being subject to it. Most cryptocurrencies are vulnerable, many to a greater degree than PIVX. Moreover, much of the digital world—from banking to military communications—faces similar challenges. Solutions will emerge.
 

 

Conclusion
 

Quantum computing represents a genuine long-term threat to PIVX. However, PIVX's combination of Bitcoin-like transparent transactions and Zcash-derived shielded transactions creates a nuanced vulnerability profile.
 

Transparent addresses follow the Bitcoin security model, where avoiding address reuse gives meaningful protection. SHIELD addresses, while based on quantum-vulnerable cryptography, use larger key sizes that increase attack difficulty over Bitcoin, and they offer post-quantum privacy benefits when addresses are kept secret.
 

Quantum computing also brings opportunity to PIVX if practical security measures are taken today and post-quantum cryptographic upgrades are made quickly in the future. The PIVX community has successfully navigated major technical challenges before. Navigating this one will play to PIVX’s unique strengths and allow it to lift up its users through enduring secure, private money.



PIVX Team (Research yenechar) 

