Can Quantum Computers Break Monero?

Quantum won't crack Monero tomorrow, but it can still become a sudden governance crisis. Here's how RingCT and FCMP++ shape the real risk.


Date

Feb 17, 2026


Monero's brand rests on being private by default. An attacker holding a sufficiently powerful quantum computer won't care about branding. If you hold Monero, the question that matters is whether a future capability could invalidate today's security assumptions faster than the protocol can migrate, forcing a messy scramble or, worse, an outright loss of funds.

The awkward truth is that claims that Monero is already "quantum safe" are usually unsupported. Claims that quantum computers will definitely crack Monero next year are equally unsupported and, in the big scheme of things, bogus. The honest answer is more technical: it requires asking what it would even mean to "break" the chain, which layers are exposed, and which upgrades would actually change the outcome. The highly abridged version is that yes, a large enough quantum computer could break Monero, but there is a lot of nuance worth understanding beyond that top-level answer.

Let's ease our way into the technical issues by building some context.

What “Breaking Monero” Means in Practice

When discussing cybersecurity, people often say something would "break Monero" when they really mean it would enable tracing of Monero transactions. Stealing Monero is a separate outcome that tends to get lumped in. Each outcome implies a different threat model, with different consequences for users and investors.

To keep this grounded, the table below is a map of the layers that matter most for this question.

Cryptographic property | What it protects | Where it shows up | Quantum-relevant failure mode | Mitigation lever
--- | --- | --- | --- | ---
Spender authentication | Ability to spend, and (via the view key) to match outputs to their owner | A Monero address encodes a long-lived public spend key and public view key | A Shor-style attack could eventually recover the private keys from those public keys | Move to post-quantum keys and signatures
Amount confidentiality | Hides transaction amounts while keeping the supply check | Amount hiding (Pedersen commitments with range proofs) and balance checks are defined in the Ring Confidential Transactions paper | If discrete logs become easy, commitments no longer hide amounts and proof soundness can fail | Redesign commitments and proofs under post-quantum assumptions
Sender ambiguity | Hides which input is really spent | Inputs are hidden among decoys using ring signatures | If discrete logs are recoverable, key images identify the true spender and signatures can be forged, so funds can be stolen and transactions linked to users | A new proving system that does not rest on discrete-log hardness

As you can see, quantum computing offers more than one can of worms to be opened. Privacy can degrade gradually, or fail silently. Inflation bugs or mass theft could kill credibility in days. 

Can Quantum Computers Break Monero?

The core quantum threat to most blockchains is a specific family of algorithms that changes which kinds of cryptographic problems are efficiently solvable. The big one to know is Shor's algorithm, which threatens public-key systems by making factoring and discrete logarithms tractable on a sufficiently large and fault-tolerant quantum machine. NIST's migration guidance explicitly says common public-key algorithms are vulnerable to Shor's algorithm, which is why its transition and standards efforts exist in the first place.

The academic side goes further than slogans. Researchers have produced widely cited resource estimates for cracking elliptic curves. Those papers don't claim that actually doing the attack is quick or easy, even with the right hardware; they claim that it's structurally feasible to accomplish, given a fault-tolerant machine.

The catch is the fault-tolerant machine part. Most public discussion quietly swaps the idea that a quantum chip exists for the much more ambitious idea that a cryptanalytically relevant quantum computer will exist very soon.

That's where readers get misled; even optimistic reporting still describes devices with 48 logical qubits, which is nowhere near the scale implied by the fault-tolerance overhead in mainstream resource estimates. This is a threat for a handful of years from now at the earliest. In other words, the sky is not falling, but it's worth keeping an eye on the clouds, as they're undeniably drawing closer.

Symmetric crypto and hashing are a different category. Grover's algorithm gives a generic, roughly square-root speedup on brute-force search rather than breaking the structure of the problem: a 256-bit hash or key keeps about 128 bits of security against it, which is why the standard response is larger parameters, not new mathematics. Monero's hashing (Keccak-256 in its hash-to-scalar and hash-to-point functions, and the RandomX proof of work) falls in this category. It is Shor's algorithm, not Grover's, that threatens the load-bearing pillars of spender authentication and proof soundness.

Again, quantum risk is unlikely to be a near-term exploit risk. It remains a long-term design risk that can become a sudden governance crisis if a network cannot migrate in time. No chain has yet been felled by such a risk, but it's obviously at the top of many peoples' minds.

And that's where FCMP++ enters the conversation, and it's also where (and why) people tend to overinterpret it.

FCMP++ Is The Next Evolution of RingCT 

Monero's RingCT activated in January 2017 and has been revised several times since, for example by replacing its original range proofs with Bulletproofs and later Bulletproofs+.

FCMP++ is best understood as another step in that evolutionary line. Monero Research Lab frames FCMP-related work as a path toward full-chain membership proofs. Originally developed by Luke Parker, the FCMP++ draft focuses on constructing large-set membership proofs in a way that is intended to be deployable.

This would be an important step forward because small anonymity sets can be vulnerable to statistical and side-information attacks. The research literature has documented real traceability concerns in earlier designs, so upgrading RingCT is a top priority for the chain.

Infographic showing Monero privacy evolution from RingCT (2017) to FCMP++ (2025), highlighting stronger anonymity sets but limited quantum resistance.

But FCMP++ is not a post-quantum security redesign. A new proving system that still rests on discrete-log-style hardness assumptions does not remove the risk posed by Shor's algorithm. It can improve the chain's privacy properties and close some attack surfaces, but it does not change the category of mathematics under pressure, because that was never its goal. Examine the table below.

Cryptographic property layer | What it protects | Where it shows up (post-FCMP Monero) | Quantum-relevant failure mode | Mitigation lever
--- | --- | --- | --- | ---
Spender authentication, addresses, and keys | Scanning for incoming funds and authorizing spends | The address layer still uses long-lived public keys (public view and spend keys) and one-time destinations derived from them | Shor-style attacks on elliptic curves recover private keys from public keys, enabling theft and view-key compromise | Migrate to post-quantum keys and signatures, likely requiring new address formats and key-rotation tooling
Amount confidentiality | Hides amounts while keeping supply checks | Amount hiding still comes from RingCT-style commitments and range proofs; FCMP++ does not replace this stack | If discrete logs become easy, commitments and proofs fail, making amounts visible and/or weakening integrity checks | Redesign commitments and proofs under post-quantum assumptions
Sender ambiguity | Hides which output is spent | Inputs are obscured via full-chain membership proofs that aim for a near-global anonymity set, plus linkability controls (key images) to prevent double-spends | If the proof system relies on discrete-log hardness, quantum capability enables spend-proof forgery or secret recovery, leading to theft and to tracing via key images | Replace spend authorization and membership proofs with post-quantum primitives, including a PQ-safe anti-double-spend mechanism
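To make the "spender authentication" and "sender ambiguity" rows of both tables concrete, here is a toy model of Monero's address and ring layers, written for this page. It is not Monero's code and is not wallet-compatible: SHA3-256 stands in for Monero's Keccak hash-to-scalar, the hash-to-point H_p is simplified to a hash-to-scalar times G, the curve arithmetic is plain affine Ed25519, and the discrete-log oracle passed to trace_ring is a dictionary of known secrets standing in for a Shor-capable machine. The demo secrets are constructed, not random.

```python
"""Toy model of Monero's address and ring layers on Ed25519 (added example, not Monero code).
Affine curve arithmetic and SHA3-256 stand in for Monero's library and Keccak; nothing here
is wallet-compatible. It shows what is derived from the long-lived keys A = aG, B = bG that
an address publishes, and what an attacker who can take discrete logs (Shor) would get."""
import hashlib

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = (-121665 * pow(121666, -1, P)) % P                 # Edwards curve constant d
IDENT = (0, 1)                                         # neutral element

def recover_x(y):
    """Even root of -x^2 + y^2 = 1 + d*x^2*y^2 for a given y (RFC 8032 decoding)."""
    z = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(z, (P + 3) // 8, P)
    if (x * x - z) % P:                                # wrong root: multiply by sqrt(-1)
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x

G = (recover_x(4 * pow(5, -1, P) % P), 4 * pow(5, -1, P) % P)   # base point (x, 4/5)

def add(p1, p2):
    """Complete twisted Edwards addition (a = -1), affine coordinates."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = IDENT
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encode(pt):
    """Point compression: 32 bytes of y, little-endian, with x's low bit in the top bit."""
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def hash_to_scalar(*parts):
    """H_s: hash bytes to a scalar mod L (SHA3-256 here; Monero uses Keccak-256)."""
    return int.from_bytes(hashlib.sha3_256(b"".join(parts)).digest(), "little") % L

def derived_scalar(shared, index=0):
    """Per-output scalar H_s(shared secret || output index)."""
    return hash_to_scalar(encode(shared), bytes([index]))

def make_address(a, b):
    """An address publishes A = aG and B = bG: the long-lived keys a Shor attack targets."""
    return mul(a, G), mul(b, G)

def send(r, address, index=0):
    """Sender: tx public key R = rG and one-time destination P = H_s(rA || i)*G + B."""
    A, B = address
    return mul(r, G), add(mul(derived_scalar(mul(r, A), index), G), B)

def scan(a, B, R, P_out, index=0):
    """Anyone holding the view key a recognises the output, because aR == rA."""
    return add(mul(derived_scalar(mul(a, R), index), G), B) == P_out

def one_time_secret(a, b, R, index=0):
    """x = H_s(aR || i) + b satisfies xG == P: holding (a, b) means being able to spend."""
    return (derived_scalar(mul(a, R), index) + b) % L

def key_image(x, P_out):
    """Key image I = x*H_p(P). H_p simplified to H_s(P)*G here; a real H_p has no known log."""
    return mul(x, mul(hash_to_scalar(encode(P_out)), G))

def trace_ring(ring, image, dlog):
    """Given a discrete-log oracle (what Shor would provide), find the real spend in a ring."""
    for i, member in enumerate(ring):
        if key_image(dlog(member), member) == image:
            return i
    return None

if __name__ == "__main__":
    a, b, r = 12345, 67890, 424242                      # constructed demo secrets, not random
    addr = make_address(a, b)
    R, P_out = send(r, addr)
    print("view key alone scans the output:", scan(a, addr[1], R, P_out))
    print("spend key controls it:", mul(one_time_secret(a, b, R), G) == P_out)
    decoys = {k: mul(k, G) for k in (111, 222, 333)}
    ring = [decoys[111], decoys[222], P_out, decoys[333]]
    secrets = {encode(pt): k for k, pt in decoys.items()}   # stand-in for a Shor oracle
    secrets[encode(P_out)] = one_time_secret(a, b, R)
    image = key_image(secrets[encode(P_out)], P_out)
    print("real spender at ring index:", trace_ring(ring, image, lambda pt: secrets[encode(pt)]))
```

The point of the model is the dependency graph: every secret in the address layer (scanning, the one-time spend key, the key image) is a function of a, b and public data, so an attacker who can recover a and b from the published A and B gets tracing and theft for free, and the ring collapses as soon as each member's discrete log is available to recompute its key image. FCMP++ changes how membership is proven; it does not change that the published keys are discrete-log instances.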

So what would a realistic mitigation story look like if you refuse both doom and denial?

The Mitigation Story Isn't Written Yet

There is no post-quantum safety toggle you can flip on a privacy coin. Any credible strategy has to satisfy three constraints at once: sound cryptography, acceptable performance on commodity hardware, and a migration path that does not strand users or fracture the network. Each is challenging, and none of them, least of all the last, is trivial or within striking distance of being solved by Monero or most other blockchains today. Nonetheless, it is still a very solvable problem, especially given a couple of years of lead time.

The broader security world is converging on standardized post-quantum building blocks. NIST has released finalized post-quantum standards, and it describes the first set of post-quantum encryption standards as ready for adoption. At the protocol layer, the hard part is replacing discrete-log-based commitments and zero-knowledge proofs while preserving Monero's privacy and verification properties. Implementing STARKs could be one approach which would fulfill these conditions, though it's unclear if Monero developers are intent on taking that approach. 

A plausible path is one that's deployed in stages and uses hybrid security measures. One approach might be to adopt post-quantum authentication for address ownership and wallet communications first, then redesign the transaction proof system as the performance and engineering elements mature.

So, Can Quantum Computers Break Monero?

In closing, quantum computers do not break Monero today, but, especially in the sense of compromising the chain's privacy, they could indeed break the chain in the future, once they're powerful enough. And despite what investors might be wishing, FCMP++ looks like a privacy and scalability move inside the existing paradigm, and it's not a quantum shield whatsoever.

To keep up with the latest in blockchain technology and quantum computing, join us on X and .


Editor-in-Chief
Christopher Smith

Serial Entrepreneur, Hacker, Engineer, Musician.
With a rich career in AI leadership, blockchain innovation, and quantum technology, Chris brings a unique blend of technical mastery and philosophical insight. He continues to push the boundaries of what's possible, driven by a belief that technology, wielded thoughtfully, can redefine humanity's future for the better.
