Platus and Post-Quantum security

Every encrypted transaction you send to Ethereum today is being recorded by someone, somewhere. They cannot break it now. But, when a quantum computer with enough coherent qubits comes online, it decrypts everything at once, faster than you might expect.

This is a classic "harvest now, decrypt later" (HNDL) attack, and for onchain privacy it creates an existential problem: the transactions you encrypt today remain onchain forever, vulnerable to retrospective decryption for decades to come.

Platus is building onchain private accounts for Ethereum and EVM chains with a simple belief: make them composable, usable, and secure for the future.

This blog explains why we're deploying post-quantum cryptography now, years before quantum computers become a practical threat and why current privacy solutions are already obsolete.

TL;DR: We're implementing a hybrid key-agreement protocol BJJ-KEM1024, combining ECDH on zk-friendly baby jubjub with ML-KEM-1024, the NIST-standardized post-quantum key encapsulation mechanism. For technical details, see our documentation.

The Quantum Threat Timeline

IBM's largest quantum system has 1,121 qubits. Sounds impressive until you realize that breaking 2048-bit RSA requires around 20 million noisy physical qubits, or roughly 4,000 fault-tolerant logical qubits with error correction. We're not close. Gate fidelities hover around 99.5-99.9%, but you need 99.99%+ for stable logical qubits. No one has demonstrated a system with more than a dozen error-corrected logical qubits running deep circuits.

Conservative estimates put cryptographically relevant quantum computers (CRQCs) at 10-15 years out. Optimistic researchers say 5 years. Pessimists say never, that we'll hit fundamental limits in qubit coherence before we get there.

Here's the thing: the timeline doesn't matter.

If a CRQC shows up in 2030, every transaction encrypted in 2026 using ECDH becomes readable in 2030. Blockchain makes this worse because everything is public and permanent. An adversary doesn't need to intercept your traffic—they just read the chain. The ciphertext sits there, waiting.

Onchain transactions leak: who you transacted with, how much, when, and often what for (based on linked metadata or counterparty identification). This information stays valuable. A business competitor learns your customer list. A government traces dissident funding. An ex-spouse finds hidden assets in a divorce settlement. You can't rewind the blockchain and re-encrypt with stronger algorithms once quantum computers exist.

Elliptic Curves break

Public-key cryptography relies on mathematical one-way functions: easy to compute forward, hard to reverse. RSA uses integer factorization (easy to multiply two primes, hard to factor the product). Elliptic curve cryptography, which we use in baby jubjub, relies on the discrete logarithm problem over elliptic curves.

Both are instances of the hidden subgroup problem, which Shor's algorithm solves efficiently on a quantum computer. A CRQC with enough coherent qubits breaks ECDH, ECDSA, RSA—all of it.

Post-quantum cryptosystems use different one-way functions that resist quantum attacks. ML-KEM is a lattice-based key encapsulation mechanism. The underlying hardness assumption is the Learning With Errors (LWE) problem: given noisy linear equations, solve for the secret vector. No known quantum algorithm breaks this efficiently.

This doesn't mean ML-KEM is invulnerable. That's why we are not willing to bet everything on a single new primitive.

Hybrid Post-Quantum Key Agreement

Platus implements BJJ-KEM1024, a hybrid post-quantum key agreement protocol designed to securely establish a shared secret between two mutually authenticated parties.

The protocol combines:

  • Elliptic-curve Diffie–Hellman over the Baby Jubjub curve, and
  • ML-KEM-1024, a NIST-standardized post-quantum key encapsulation mechanism.

Each party derives independent shared secrets from both the classical elliptic-curve exchange and the post-quantum KEM. These secrets are then cryptographically combined into a single master key. As a result, an attacker must successfully break both Baby Jubjub ECDH and ML-KEM-1024 to recover the final shared secret, a significantly stronger security model than relying on either primitive alone.

Tradeoff: Slightly larger key sizes and ciphertext in exchange for dramatically higher security assurance against both classical and quantum adversaries.

Why ML-KEM-1024 instead of ML-KEM-768? ML-KEM-1024 offers NIST Security Level 5, comparable to the strength of AES-256, while ML-KEM-768 provides Security Level 3. For long-term financial privacy and on-chain security, Platus prioritizes the highest available security margin to remain robust against future cryptanalytic and quantum advances.
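As an added illustration (not Platus code; the protocol itself is described in the documentation), the following Python shows the shape of a hybrid agreement like BJJ-KEM1024: ECDH on Baby Jubjub implemented from the published circomlib curve constants, a KEM with ML-KEM's keygen/encaps/decaps interface, and an HKDF combiner that binds both shared secrets and the exchange transcript into one master key. ML-KEM-1024 itself is not implemented here; a clearly labelled, insecure placeholder with the same three-method interface stands in so the block runs offline, and a real ML-KEM-1024 library object would replace it. The KDF salt, transcript layout and lack of authentication are assumptions of this sketch, not the protocol's actual design.

```python
"""Hybrid ECDH (Baby Jubjub) + KEM key agreement sketch. Added example, not Platus code."""
import hashlib
import hmac
import os

# Baby Jubjub: twisted Edwards curve A*x^2 + y^2 = 1 + D*x^2*y^2 over F_P,
# constants as published in circomlib (P is the BN254 scalar field).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A = 168700
D = 168696
# Prime-order subgroup of order L, generated by circomlib's Base8 point.
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041
BASE8 = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
         16950150798460657717958625567821834550301663161624707787222815936182638968203)
IDENTITY = (0, 1)  # neutral element of a twisted Edwards curve


def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0


def ec_add(p1, p2):
    """Twisted Edwards addition (same formula circomlib's BabyAdd uses)."""
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + k, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - k, -1, P) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = IDENTITY, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def ecdh_keygen():
    sk = int.from_bytes(os.urandom(32), "big") % (L - 1) + 1  # scalar in 1..L-1
    return sk, ec_mul(sk, BASE8)


def ecdh_shared(sk, peer_pk):
    """ECDH shared secret; rejects off-curve, identity and non-subgroup peer points."""
    if not on_curve(peer_pk) or peer_pk == IDENTITY:
        raise ValueError("invalid peer point")
    if ec_mul(L, peer_pk) != IDENTITY:  # cofactor-8 curve: enforce the prime subgroup
        raise ValueError("peer point not in prime-order subgroup")
    return point_bytes(ec_mul(sk, peer_pk))


class PlaceholderKem:
    """Stand-in with ML-KEM's keygen/encaps/decaps shape. NOT ML-KEM and NOT secure
    (anyone holding pk can recompute ss); it exists only so the combiner runs
    offline. A real ML-KEM-1024 object exposing the same methods replaces it."""

    def keygen(self):
        sk = os.urandom(32)
        return sk, hashlib.sha256(b"pk" + sk).digest()

    def encaps(self, pk):
        ct = os.urandom(32)
        return ct, hashlib.sha256(pk + ct).digest()

    def decaps(self, sk, ct):
        return hashlib.sha256(hashlib.sha256(b"pk" + sk).digest() + ct).digest()


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF-Extract then HKDF-Expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(ecdh_ss, kem_ss, transcript):
    """Master key = HKDF(ecdh_ss || kem_ss, transcript). Recovering it requires BOTH
    secrets; binding the transcript ties the key to the exact public values exchanged."""
    return hkdf_sha256(ecdh_ss + kem_ss, salt=b"hybrid-ecdh-kem-demo", info=transcript)


def hybrid_exchange(kem):
    """One initiator/responder run; returns (initiator_key, responder_key)."""
    r_ec_sk, r_ec_pk = ecdh_keygen()          # responder's published keys
    r_kem_sk, r_kem_pk = kem.keygen()
    i_ec_sk, i_ec_pk = ecdh_keygen()          # initiator's ephemeral ECDH key
    kem_ct, i_kem_ss = kem.encaps(r_kem_pk)   # initiator encapsulates to responder
    transcript = point_bytes(i_ec_pk) + point_bytes(r_ec_pk) + r_kem_pk + kem_ct
    i_key = combine(ecdh_shared(i_ec_sk, r_ec_pk), i_kem_ss, transcript)
    # Responder receives i_ec_pk and kem_ct and derives the same master key.
    r_key = combine(ecdh_shared(r_ec_sk, i_ec_pk), kem.decaps(r_kem_sk, kem_ct), transcript)
    return i_key, r_key


if __name__ == "__main__":
    a, b = hybrid_exchange(PlaceholderKem())
    print("keys agree:", a == b, a.hex())
```

The point to take from the block is the combiner: because the ECDH output and the KEM output are concatenated before the KDF, changing either one (an attacker who has broken only the curve, or only the lattice scheme) yields an unrelated master key. The subgroup check in `ecdh_shared` matters on Baby Jubjub specifically, since the curve has cofactor 8 and a peer could otherwise hand over a low-order point.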

Is it experimental or production-ready?

Platus is not taking a risky, unproven approach. Hybrid post-quantum cryptography has already been deployed at scale.

  • Cloudflare: X25519 + ML-KEM-768 for TLS connections
  • Apple iMessage: PQ3 protocol combining ECDH with Kyber
  • Signal: PQXDH (X25519 + CRYSTALS-Kyber)

These are not experiments. They're production systems that protect billions of messages and handle billions of secure connections daily. If you are developing a privacy protocol in 2026 without post-quantum encryption, you are, at best, a long way behind.

What about signatures and zkSNARKs?

Digital signatures don't encrypt data; they authenticate it. If you sign a transaction with ECDSA today and a CRQC appears in 2030:

  • Anyone can verify the signature was valid when created
  • But new signatures can be forged going forward

The threat is prospective, not retrospective. Past signatures don't become invalid; you just can't trust new ones after CRQCs arrive.

zkSNARKs have the same property:

  • The zero-knowledge property resists quantum attacks: a quantum adversary looking at a Groth16 proof learns nothing about the witness, same as a classical adversary.
  • A zkSNARK proof generated today remains cryptographically trustworthy forever; the statement being proved is provably true.
  • The proof's validity is information-theoretic, not computational: it's checking polynomial identities, which quantum computers don't help with.

What changes post-CRQC: attackers can forge new proofs of false statements. A quantum computer could break the discrete log assumptions underlying the trusted setup and generate false proofs. But proofs generated before CRQCs remain valid.

So signatures and zkSNARKs need eventual migration (likely to hash-based signatures and post-quantum SNARKs), but there's no harvest-now-decrypt-later attack. The old data stays safe.

Onchain privacy protocols should default to the strongest reasonable security model. For encryption, that means post-quantum hybrid constructions, deployed now, while we still have time to get it right.

Check out our technical documentation for a deep dive into our hybrid post-quantum key agreement protocol, or reach out if you have any questions.