Bitcoin Forum
June 28, 2026, 05:20:12 PM *
News: Latest Bitcoin Core release: 31.0 [Torrent]
 
Author Topic: ZCash and Algorand are not quantum resistant.  (Read 62 times)
DiscoJoker (OP)
Newbie, Offline
Activity: 12
Merit: 1
June 27, 2026, 10:56:29 PM #1

Algorand and Zcash are not quantum-resistant in the strict cryptographic sense, even though they are sometimes included in informal discussions about post-quantum systems.

Algorand’s security is based on Ed25519 signatures and a VRF-based leader selection mechanism, both built on elliptic curve cryptography over Curve25519. Its Pure Proof-of-Stake consensus and cryptographic sortition define how validators are selected and how agreement is reached, but they do not change the underlying cryptographic assumptions. The system ultimately depends on the hardness of the elliptic curve discrete logarithm problem, which is vulnerable to Shor’s algorithm once a sufficiently capable quantum computer exists. Algorand itself acknowledges this limitation: its current signature and VRF schemes are not post-quantum secure. While it has introduced Falcon-based state proofs for certain cross-chain verification use cases, these do not extend quantum resistance to user accounts or validator signatures, which remain exposed.

Zcash has a more layered exposure. Its shielded transactions rely on zk-SNARKs built over the BLS12-381 elliptic curve. These proofs depend on standard elliptic curve and pairing assumptions, which are not resistant to quantum attacks. zk-SNARKs provide zero-knowledge and succinct verification, but they do not avoid the underlying reliance on elliptic curve hardness. If those assumptions break, the integrity of the system’s privacy and correctness guarantees also breaks, enabling potential forgery of proofs and unauthorized note creation.

There is also a separate issue in Zcash’s encryption model. Transaction notes are encrypted using ECDH between a recipient’s viewing key and an ephemeral key. The ephemeral public key is published on-chain. A sufficiently powerful quantum attacker could recover the shared secret, allowing decryption of historical shielded transactions. This creates a “harvest now, decrypt later” risk for all encrypted data recorded today.

Under a strict definition, neither Algorand nor Zcash can be considered quantum-resistant.

Systems that can legitimately claim native post-quantum design are limited. The common examples are Quantum Resistant Ledger (QRL), Mochimo, and Abelian.

QRL uses XMSS, a hash-based signature scheme standardized in NIST SP 800-208 and RFC 8391, which avoids elliptic curves entirely. Mochimo relies on WOTS+, another hash-based one-time signature construction. Abelian is based on lattice cryptography, using assumptions derived from Learning With Errors (LWE), which is widely considered resistant to both classical and quantum attacks.

Hash-based and lattice-based systems share a key property: no known quantum algorithm, including Shor’s, breaks them in polynomial time. Grover’s algorithm only reduces the security of hash functions quadratically, which can be compensated for by increasing parameter sizes.

The main distinction is structural. Most blockchains, including Algorand and Zcash, rely on classical elliptic curve assumptions that will fail in the presence of a sufficiently powerful quantum computer. QRL, Mochimo, and Abelian remove that dependency entirely by redesigning the signing layer around post-quantum primitives.
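The hash-only signing layer the post attributes to QRL and Mochimo, as an added example that is not part of the original post and not QRL's or Mochimo's code: a Winternitz one-time signature in Python built from SHA-256 alone, in the chain-and-checksum shape of WOTS+ (RFC 8391). It leaves out the per-step bitmasks and public seed of the standardized scheme and mixes the chain position into the hash instead; the "wots-chain" domain label, the OneTimeKey wrapper and the forge_by_extension attacker model are this example's own. It shows that there is no curve anywhere for Shor's algorithm to attack, why the checksum blocks chain-extension forgery, and why the key is strictly one-time.

```python
import hashlib
import os

N = 32                 # SHA-256 digest size: size of every secret/public element
W = 16                 # Winternitz parameter: one chain per 4 bits of the digest
LEN1 = (8 * N) // 4    # 64 chains for the message digest
LEN2 = 3               # checksum chains: checksum <= 64 * 15 = 960 < 16 ** 3
LEN = LEN1 + LEN2      # 67 chains


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, start: int, steps: int) -> bytes:
    """Hash x forward `steps` times, starting at chain position `start`.

    Mixing the position in is a simplification of the WOTS+ address/bitmask
    machinery; it stops step i of one chain being reused as step j of another.
    """
    for i in range(start, start + steps):
        x = H(b"wots-chain" + bytes([i]) + x)
    return x


def encode(msg: bytes) -> list[int]:
    """Map a message to 64 base-16 digits plus a 3-digit checksum.

    The checksum is what makes 'extension' forgery fail: larger message
    digits force a smaller checksum, and chains can only be walked forward.
    """
    digits = []
    for b in H(msg):
        digits += [b >> 4, b & 0x0F]
    csum = sum(W - 1 - d for d in digits)
    digits += [(csum >> 8) & 0x0F, (csum >> 4) & 0x0F, csum & 0x0F]
    return digits


def keygen() -> tuple[list[bytes], bytes]:
    # N = 32 keeps 128-bit preimage security even after Grover's quadratic speedup.
    sk = [os.urandom(N) for _ in range(LEN)]
    pk_elems = [chain(s, 0, W - 1) for s in sk]   # the end of every chain
    return sk, H(b"".join(pk_elems))               # compressed public key


def sign(sk: list[bytes], msg: bytes) -> list[bytes]:
    # Release the element at position d_i of chain i; nothing else leaks.
    return [chain(s, 0, d) for s, d in zip(sk, encode(msg))]


def verify(pk: bytes, msg: bytes, sig: list[bytes]) -> bool:
    # Walk each released element the remaining 15 - d_i steps to the chain end.
    ends = [chain(s, d, W - 1 - d) for s, d in zip(sig, encode(msg))]
    return H(b"".join(ends)) == pk


class OneTimeKey:
    """Refuse to sign twice. Hash-based signatures are stateful: QRL's XMSS
    tracks a leaf index in a Merkle tree for exactly this reason."""

    def __init__(self) -> None:
        self._sk, self.pk = keygen()
        self._used = False

    def sign(self, msg: bytes) -> list[bytes]:
        if self._used:
            raise RuntimeError("one-time key already used: a second signature leaks chain material")
        self._used = True
        return sign(self._sk, msg)


def forge_by_extension(msg_seen: bytes, sig_seen: list[bytes], msg_target: bytes):
    """What a key-reuse attacker can do with one observed signature: walk the
    released elements forward to the target's digits. Returns None whenever
    some target digit (message or checksum) is smaller than the released one,
    which the checksum guarantees for any different message."""
    d_seen, d_target = encode(msg_seen), encode(msg_target)
    if any(t < s for s, t in zip(d_seen, d_target)):
        return None
    return [chain(s, ds, dt - ds) for s, ds, dt in zip(sig_seen, d_seen, d_target)]


if __name__ == "__main__":
    key = OneTimeKey()
    msg = b"transfer 10 coins to bob"
    sig = key.sign(msg)
    print("valid:", verify(key.pk, msg, sig))
    print("extension forgery possible:",
          forge_by_extension(msg, sig, b"transfer 10 coins to eve") is not None)
```

Grover's algorithm is the only quantum lever against this construction: with 256-bit SHA-256 outputs the preimage work drops from about 2^256 to about 2^128, which is why hash-based schemes keep 256-bit hashes rather than halving them.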
Oshosondy
Legendary, Offline
Activity: 2226
Merit: 1509
June 27, 2026, 11:28:39 PM #2

I do not know about Zcash; it was only algo that Google recently said is quantum resistant, which caused the price of algo to increase to almost double at the time before falling back.

But algo is planning on full quantum-resistant cryptography:
https://pluang.com/en/news-feed/algorand-ungkap-peta-jalan-ketahanan-kuantum-2027

DiscoJoker (OP)
Newbie, Offline
Activity: 12
Merit: 1
Today at 12:35:32 AM #3

Quote from: Oshosondy on June 27, 2026, 11:28:39 PM
I do not know about Zcash; it was only algo that Google recently said is quantum resistant, which caused the price of algo to increase to almost double at the time before falling back.

But algo is planning on full quantum-resistant cryptography:
https://pluang.com/en/news-feed/algorand-ungkap-peta-jalan-ketahanan-kuantum-2027

Thanks for sharing the link. I agree that Algorand having a roadmap is a positive thing, and it’s something worth recognizing. But there is a difference between having a migration plan and being quantum-resistant today. The roadmap itself acknowledges that the current cryptographic stack still relies on primitives that are not post-quantum secure.

Algorand’s current security model still depends on Ed25519 signatures and an ECVRF construction based on elliptic curve cryptography. Those are well-tested schemes against classical attacks, but they are not designed to withstand a sufficiently powerful quantum computer running Shor’s algorithm.

The Falcon-based state proofs are definitely an important development and show that Algorand is actively researching the problem. However, they do not make the entire network quantum-resistant. They are mainly focused on specific verification use cases, such as cross-chain proofs. User account keys, validator signatures, and the consensus layer still rely on traditional elliptic curve assumptions.

The difficult part is not adding one quantum-resistant component; it is migrating the entire cryptographic foundation of a live blockchain. Replacing the signature scheme, VRF mechanism, and account structure while maintaining performance, compatibility, and decentralization is a major engineering challenge. Post-quantum alternatives, especially lattice-based systems, usually come with larger keys, larger signatures, and additional computational overhead.

Regarding the Google/Falcon announcement: it was a meaningful step, but some coverage exaggerated what it meant. Implementing Falcon in a specific part of the ecosystem is not the same as making Algorand fully quantum-resistant.

The same discussion applies to many major chains, including Bitcoin. Any network relying on ECDSA, EdDSA, or similar elliptic curve-based cryptography will eventually need to address this transition. Algorand deserves credit for recognizing the issue earlier than many projects, but awareness of the problem is not the same as having solved it.

The projects that are quantum-resistant today are the ones that were designed around post-quantum cryptography from the beginning.
asriloni
Legendary, Offline
Activity: 3794
Merit: 1138
Today at 12:33:36 PM #4

I think I have to disagree with you about Zcash not being quantum resistant. It's basically already quantum resistant because it already uses shielded transactions. Shielded transactions have been built into Zcash's construction since it was created. So I believe calling it not yet quantum resistant is not right.

However, improvements to ensure it will be quantum resistant are needed, like implementing post-quantum algorithms in its structure.

As far as I know, Zcash developers and its community are now focusing on a post-quantum algorithm update. So it's likely we will see Zcash become fully quantum resistant.

As for Algorand, I don't see any urgency to implement a quantum-resistant update because no one uses it now.

DiscoJoker (OP)
Newbie, Offline
Activity: 12
Merit: 1
Today at 03:30:36 PM #5

Quote from: asriloni on Today at 12:33:36 PM
I think I have to disagree with you about Zcash not being quantum resistant. It's basically already quantum resistant because it already uses shielded transactions. Shielded transactions have been built into Zcash's construction since it was created. So I believe calling it not yet quantum resistant is not right.

However, improvements to ensure it will be quantum resistant are needed, like implementing post-quantum algorithms in its structure.

As far as I know, Zcash developers and its community are now focusing on a post-quantum algorithm update. So it's likely we will see Zcash become fully quantum resistant.

As for Algorand, I don't see any urgency to implement a quantum-resistant update because no one uses it now.

Respectfully, I have to disagree here. Shielded transactions provide privacy, not quantum resistance; these are not the same thing cryptographically.

The zk-SNARKs underlying Zcash’s shielded pool are instantiated over elliptic curve pairings (BN-254/BLS12-381). Those pairing assumptions are broken by Shor’s algorithm just like any other ECDLP-based construction. The zero-knowledge property survives, but the soundness does not, meaning a quantum adversary could potentially forge valid proofs entirely.

There’s also a second vector that rarely gets discussed: note encryption in shielded transactions uses ECDH key derivation, with the ephemeral public key recorded on-chain. That’s a textbook harvest-now-decrypt-later exposure: every shielded transaction recorded today is retroactively decryptable by a future quantum attacker with the recipient’s address.

Tachyon is promising, but it’s a roadmap, not a deployment.

Genuinely curious, what specific property of the shielded construction do you believe provides quantum resistance? Because from a strict cryptographic standpoint I don’t see it, and would love to be corrected if I’m missing something.
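The ECDH note-encryption exposure described in post #1 and restated in the reply above, as an added example that is not Zcash's code: a toy model in Python in which the recipient's transmission key pk_d, the ephemeral key epk and the ciphertext follow the Sapling pattern, but the group is a tiny multiplicative group mod P = 1000003 with G = 2 (constructed parameters) instead of Jubjub, so that baby-step giant-step can solve the discrete log in milliseconds and play the role Shor's algorithm would play on the real curve. The KDF and stream cipher are SHA-256/HMAC stand-ins for BLAKE2b and ChaCha20-Poly1305, and all function names are this example's own. It shows that the on-chain record (epk plus ciphertext) together with the recipient's address is enough to open every historical note once one discrete log becomes cheap.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy group. Real Zcash uses the Jubjub (Sapling) / Pallas (Orchard)
# curves, whose discrete logs are out of reach classically but not for Shor.
P = 1_000_003
G = 2


def dlog_bsgs(h: int) -> int:
    """Find x with G**x % P == h by baby-step giant-step.

    Classical, and only feasible because P is tiny; it stands in for Shor's
    algorithm, which solves the same problem in polynomial time at real sizes.
    """
    m = math.isqrt(P) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * G % P            # after the loop: cur == G**m
    giant_factor = pow(cur, -1, P)   # G**(-m)
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % P
    raise ValueError("no discrete log found")


def kdf(shared: int, epk: int) -> bytes:
    # Sapling derives the note key from the DH output and epk with BLAKE2b;
    # SHA-256 is a stand-in here.
    return hashlib.sha256(b"note-kdf" + shared.to_bytes(4, "big")
                          + epk.to_bytes(4, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream XORed over data (stand-in for ChaCha20)."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recipient_keygen() -> tuple[int, int]:
    ivk = secrets.randbelow(P - 2) + 1   # incoming viewing key (secret scalar)
    pk_d = pow(G, ivk, P)                # transmission key, part of the address
    return ivk, pk_d


def encrypt_note(pk_d: int, note: bytes) -> dict:
    """Sender side. Only epk and the ciphertext go on-chain; esk is discarded."""
    esk = secrets.randbelow(P - 2) + 1
    epk = pow(G, esk, P)
    shared = pow(pk_d, esk, P)
    return {"epk": epk, "ciphertext": stream_xor(kdf(shared, epk), note)}


def decrypt_note(ivk: int, record: dict) -> bytes:
    """Recipient side: the legitimate path."""
    shared = pow(record["epk"], ivk, P)
    return stream_xor(kdf(shared, record["epk"]), record["ciphertext"])


def harvest_then_decrypt(pk_d: int, records: list[dict]) -> list[bytes]:
    """Attacker: holds the recipient's address and the on-chain records,
    possibly collected years earlier. One discrete log recovers ivk, and with
    it every note ever sent to that address."""
    ivk = dlog_bsgs(pk_d)
    return [decrypt_note(ivk, r) for r in records]


def decrypt_one_via_esk(pk_d: int, record: dict) -> bytes:
    """Per-note variant: recover the ephemeral secret from epk instead. Costs
    one discrete log per note, so the ivk route above is the cheaper attack."""
    esk = dlog_bsgs(record["epk"])
    shared = pow(pk_d, esk, P)
    return stream_xor(kdf(shared, record["epk"]), record["ciphertext"])


if __name__ == "__main__":
    ivk, pk_d = recipient_keygen()
    onchain = [encrypt_note(pk_d, b"value=5; memo=rent"), encrypt_note(pk_d, b"value=1; memo=tip")]
    print("recipient reads:", decrypt_note(ivk, onchain[0]))
    print("attacker, years later:", harvest_then_decrypt(pk_d, onchain))
```

The ivk route is the one to worry about: a single discrete log on pk_d opens every note ever sent to that address, past and future, which is why the exposure is retroactive and is not closed by upgrading only the encryption of new transactions.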
Robyer
Newbie, Offline
Activity: 4
Merit: 0
Today at 03:43:21 PM #6

ZCash is currently not quantum resistant. Privacy provides benefits in some aspects, but it also makes other aspects worse. For example, an attacker with a quantum computer will be able to secretly create new coins, because the ZK proofs are currently based on vulnerable elliptic curve cryptography. And thanks to the privacy, no one could detect if or when that happens.

And the transparent addresses face the same issues as other public chains, where a quantum attacker can steal the coins from any wallet with an exposed public key (which becomes exposed when you send the first transaction from your wallet).

They are working on improvements, which is great, but all users will still need to manually migrate their coins eventually (after the PQ upgrade of the network is completed), and that is probably the most painful part of the whole process.
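The transparent-address exposure described in the post above, as an added example that is not Zcash or Bitcoin Core code: a Python ledger replay that lists which unspent coins sit behind a public key that has already been revealed by a spend. The P2PKH model (pay to the hash of a public key, reveal the key when spending) follows the post; the dataclasses, the truncated SHA-256 standing in for HASH160, the 'pk-alice'-style keys and the sample ledger are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def addr(pubkey: bytes) -> bytes:
    """Address = hash of the public key (truncated SHA-256 standing in for HASH160)."""
    return hashlib.sha256(pubkey).digest()[:20]


@dataclass
class TxIn:
    prev_txid: str
    prev_index: int
    pubkey: bytes        # a P2PKH scriptSig carries the full public key


@dataclass
class TxOut:
    value: int           # constructed units
    to: bytes            # address, i.e. addr(pubkey)


@dataclass
class Tx:
    txid: str
    inputs: list[TxIn] = field(default_factory=list)    # empty for coinbase
    outputs: list[TxOut] = field(default_factory=list)


def exposed_utxos(chain: list[Tx]) -> dict:
    """Replay the ledger: track unspent outputs and every public key revealed
    by a spend, then report the unspent value sitting behind revealed keys.
    That value is what a Shor-capable attacker could move."""
    utxo: dict[tuple[str, int], TxOut] = {}
    revealed: set[bytes] = set()
    for tx in chain:
        for txin in tx.inputs:
            utxo.pop((txin.prev_txid, txin.prev_index), None)
            revealed.add(addr(txin.pubkey))
        for n, txout in enumerate(tx.outputs):
            utxo[(tx.txid, n)] = txout
    exposed = {op: o for op, o in utxo.items() if o.to in revealed}
    return {
        "total_value": sum(o.value for o in utxo.values()),
        "exposed_value": sum(o.value for o in exposed.values()),
        "exposed_outpoints": sorted(exposed),
        "exposed_addresses": sorted({o.to.hex() for o in exposed.values()}),
    }


def sample_chain() -> list[Tx]:
    """Constructed ledger, not real chain data: Alice mines a block, pays Bob,
    and sends her change back to the same address she just spent from."""
    alice, bob, carol = b"pk-alice", b"pk-bob", b"pk-carol"
    return [
        Tx("tx1", outputs=[TxOut(50, addr(alice))]),
        Tx("tx2", inputs=[TxIn("tx1", 0, alice)],
           outputs=[TxOut(30, addr(bob)), TxOut(20, addr(alice))]),   # change reuse
        Tx("tx3", outputs=[TxOut(10, addr(carol))]),
    ]


if __name__ == "__main__":
    # Alice's 20-unit change is exposed; Bob's 30 and Carol's 10 are not (yet).
    print(exposed_utxos(sample_chain()))
```

Run against a real chain, this is the inventory a migration plan starts from: the exposed set is exactly what has to move before a Shor-capable attacker exists, and every change output sent back to an already-spent address grows it.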