Quantum Computing Threat to Tari/Minotari (Mimblewimble) – Time to Start Planning a Post-Quantum Upgrade?

(Written by grok)


Hi Tari community,

With 2026 now being widely called the “Year of Quantum Security” (NIST, CISA, and industry coalitions are pushing hard for PQC migration timelines), I wanted to open a constructive discussion about the quantum threat to Tari (Minotari L1) and how we might proactively upgrade the protocol while preserving its core strengths: extreme privacy and Mimblewimble scalability.

1. Why Tari is vulnerable (quick principle recap)

Tari is built on Mimblewimble, which relies heavily on:

  • Pedersen commitments (C = rG + vH) for hidden amounts
  • Schnorr signatures on transaction kernels
  • Bulletproofs (or Bulletproofs+) for range proofs

All of these rest on the elliptic curve discrete logarithm problem (ECDLP). A sufficiently powerful quantum computer running Shor’s algorithm can solve ECDLP in polynomial time. The practical consequence is that the computational binding of Pedersen commitments breaks: anyone could re-open any existing UTXO commitment to an arbitrary new amount v' and spend it with a valid kernel signature. This would allow inflation, theft of any UTXO, and destruction of monetary integrity.

Bulletproofs’ soundness and Schnorr security would also collapse under the same attack. (This is the same risk facing Bitcoin, Grin, Beam, and every ECC-based chain.)

Important: Tari currently has no public RFCs, GitHub issues, or roadmap items addressing post-quantum cryptography (PQC). Searches across rfc.tari.com, the tari-project GitHub repo, and this forum turn up zero results for “quantum”, “post-quantum”, “PQC”, “Dilithium”, “STARKs”, etc.

2. A realistic, privacy-preserving upgrade path (my proposed sketch)

We don’t need to panic, but we should start planning now — similar to how Bitcoin and especially Monero are already moving.

Core principles for any Tari PQC upgrade:

  • Keep Mimblewimble’s perfect privacy (hidden amounts, no addresses, full anonymity set)
  • Minimize disruption to existing users and miners
  • Use mature NIST PQC standards + quantum-safe ZK

Concrete phased proposal (inspired by Monero’s Jamtis/FCMP++ work and Bitcoin’s emerging PQC discussions):

  1. Phase 1 – Soft Fork (allow new transaction types)
    Introduce new address formats and transaction kernels that use:

    • PQC signatures: CRYSTALS-Dilithium (ML-DSA) or Falcon (fast & compact)
    • Post-quantum commitments: lattice-based or hash-based commitments that still support homomorphic addition (so transaction balance validation still works)
    • Post-quantum range/membership proofs: STARKs (naturally quantum-resistant, transparent, no trusted setup)

    Old Mimblewimble transactions remain fully valid forever (or for a long sunset period).

  2. Phase 2 – Optional ZK Migration Window (6–18 months)
    Users prove ownership of old UTXOs via a quantum-safe zero-knowledge proof (STARK-based) that they know the blinding factor r (without revealing it).
    The protocol then creates a new PQC-style commitment and moves the funds to a quantum-safe UTXO.
    This is exactly the pattern Monero is exploring with Jamtis + STARK-like proofs for their own PQC transition.

  3. Phase 3 (optional) – Eventually raise fees or deprecate old kernels after the migration window, but only if community consensus supports it.

This approach means:

  • Historical transactions are not suddenly invalidated
  • Privacy is fully preserved during migration
  • Tari’s L2 digital-asset features can be carried forward unchanged
  • We stay compatible with existing PoW mining hardware

3. Why now?

  • Monero Research Lab already has active post-quantum work (FCMP++ live in Q1 2026, Jamtis with PQ encryption options like CSIDH).
  • Bitcoin developers are discussing STARK-aggregated PQC signatures and soft-fork paths.
  • NIST and governments are setting 2030–2035 deadlines for critical systems. (Probably 2029 by Google)

Tari’s small, focused, privacy-first community is actually in a great position to design this cleanly — we don’t have the legacy baggage of larger chains.

Call to action

I’d love to hear your thoughts:

  • Is this threat on anyone’s radar already?
  • Would you support starting an official RFC for a “Post-Quantum Mimblewimble” upgrade?
  • Any preferred PQC primitives (Dilithium vs Falcon vs hash-based, STARKs vs other ZK)?
  • Developers or researchers interested in collaborating?

I’m happy to help draft the first RFC or prototype some of the migration proof ideas. Let’s turn this into a community-driven strength rather than a future vulnerability.

Looking forward to a productive discussion!

4 Likes
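To make the Pedersen point in section 1 concrete, here is an added example (not Tari/Minotari code) in a toy group: the order-11 subgroup of Z_23*, written multiplicatively so that G^r * H^v stands for rG + vH. It shows the additive homomorphism the Mimblewimble balance check relies on, and why binding is only computational: once x = log_G(H) is known (brute force here, Shor's algorithm on a real curve), any commitment re-opens to any amount. P, Q, G, H and all blinding factors and amounts are constructed toy values.

```rust
// Added example (not Tari/Minotari code): Pedersen commitments in a toy group, the
// order-11 subgroup of Z_23*, written multiplicatively (C = G^r * H^v stands for
// C = rG + vH). Shows the additive homomorphism Mimblewimble's balance check relies
// on, and why binding is only computational: given x = log_G(H), which Shor's
// algorithm would deliver on a real curve, any commitment re-opens to any amount.
const P: u64 = 23; // toy modulus; Tari really uses Ristretto255
const Q: u64 = 11; // subgroup order: blinding factors and (toy) amounts live in Z_q
const G: u64 = 4;  // generator
const H: u64 = 8;  // second generator; honest parties must not know log_G(H)

fn modpow(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = r * b % m; } b = b * b % m; e >>= 1; }
    r
}
/// Commit to amount `v` with blinding factor `r`.
pub fn commit(r: u64, v: u64) -> u64 { modpow(G, r, P) * modpow(H, v, P) % P }

/// Homomorphism: commit(r1,v1) * commit(r2,v2) == commit(r1+r2, v1+v2).
/// A transaction balances when prod(outputs) == prod(inputs) * G^excess, i.e. the
/// amounts cancel and only the blinding excess (proved via the kernel) remains.
/// (Toy amounts wrap mod 11; real amounts are 64-bit and range-proved.)
pub fn balances(inputs: &[(u64, u64)], outputs: &[(u64, u64)]) -> bool {
    let prod = |cs: &[(u64, u64)]| cs.iter().fold(1, |acc, &(r, v)| acc * commit(r, v) % P);
    let sum_r = |cs: &[(u64, u64)]| cs.iter().map(|c| c.0).sum::<u64>() % Q;
    let excess = (sum_r(outputs) + Q - sum_r(inputs)) % Q;
    prod(outputs) == prod(inputs) * modpow(G, excess, P) % P
}

/// Stand-in for Shor's algorithm: brute-force discrete log, feasible only in a toy group.
pub fn dlog(base: u64, target: u64) -> Option<u64> { (0..Q).find(|&x| modpow(base, x, P) == target) }

/// With the trapdoor x = log_G(H), C = G^(r + x*v), so (r + x*(v - v'), v') opens the
/// same C for any v': binding, and with it supply integrity, is gone.
pub fn reopen(r: u64, v: u64, v_new: u64, x: u64) -> u64 { (r + x * ((v + Q - v_new) % Q)) % Q }

fn main() {
    let x = dlog(G, H).expect("toy group, always found");
    println!("C = {}, re-opened with r' = {} to v' = 9", commit(5, 3), reopen(5, 3, 9, x));
}
```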

@blackwolfsa I know you have some ideas here.

Nothing concrete to write about yet. But it's on the radar to do.
The difficulty here is that we have so many Schnorr signatures that we have to port.

3 Likes

Not technical enough to weigh in on PQC primitives, but from a positioning perspective: being able to say “Tari is building quantum-resistant infrastructure” is huge for institutional conversations, developer recruitment, and long-term credibility.

Support starting an RFC even if implementation is 3-5 years out… the research phase alone positions Tari ahead of most privacy projects imo

@possum @blackwolfsa - timeline thoughts?

4 Likes

I appreciate your reply. You are right about the roadmap or just timeline. I love the math of Mimblewimble and want to help make the shift happen.

2 Likes

Thanks for the great summary write-up - definitely on the radar, but no concrete research has been done to understand the implications for Tari specifically yet (undoubtedly a massive lift). Your write-up matches with what little looking into it I've done. I agree, no better time than now to at least get a rough plan in place.

I'm concerned about the orders-of-magnitude size difference of signatures and that there is no drop-in replacement for Pedersen commitments - you lose perfect hiding and (it seems) homomorphism is significantly more complex. But worth researching, and keeping tabs on Monero's research.

6 Likes

Regarding the replacement of Pedersen commitments

(written by grok)

Yes, there are many relevant papers on the Module-LWE hiding property and lattice-based commitments, which are the core for post-quantum Pedersen commitment replacements in Mimblewimble / Minotari. Here are the most representative and directly relevant papers as of 2026 (with emphasis on the hiding proofs):

1. Core Commitment Scheme Papers (BDLOP / Baum et al.) — most cited for Module-LWE hiding commitments

  • More Efficient Commitments from Structured Lattice Assumptions (Baum, Damgård, Lyubashevsky, Oechsner, Peikert, 2018)
    ePrint: https://eprint.iacr.org/2018/104
    Key point: First efficient additively homomorphic lattice commitment scheme (BDLOP). It explicitly proves that computational hiding reduces to Module-LWE, and binding reduces to Module-SIS.
    This is the most direct reference for replacing Pedersen commitments in Mimblewimble.

  • Lattice-Based Zero-Knowledge Proofs and Applications (Lyubashevsky et al., 2022)
    ePrint: https://eprint.iacr.org/2022/284
    Key point: Uses BDLOP commitments extensively and proves their hiding property based on Module-LWE. Very suitable for Mimblewimble range proofs and transaction aggregation.

2. Papers with Clearer Hiding Proof Details

  • Practical Exact Proofs from Lattices (Esgin et al., 2020)
    ePrint: https://eprint.iacr.org/2020/518
    Key point: Clearly states that the commitment is “computationally hiding under the Module-LWE assumption”.

  • Lattice-Based Zero-Knowledge Proofs in Action (Farzaliyev et al., 2025)
    Key point: Detailed explanation of BDLOP commitment hiding from Module-LWE and binding from Module-SIS.

3. Polynomial Commitments & Mimblewimble-related Papers

  • Polynomial Commitments from Lattices: Post-Quantum Security, Fast Verification and Transparent Setup (Cini et al., 2024)
    ePrint: https://eprint.iacr.org/2024/281
    Key point: Efficient lattice-based polynomial commitments with transparent setup — excellent candidate for replacing Pedersen + range proofs in Mimblewimble.

  • Lattice-based Polynomial Commitments (Fenzi et al., 2024)
    Key point: Discusses hiding properties and efficiency for lattice polynomial commitments.

4. Mimblewimble Quantum Threat & Replacement Papers

  • Many analyses in the Grin, Beam, and Tari communities reference the above lattice commitment schemes when discussing the need to replace Pedersen commitments (often proposing “Switch Commitments” as a short-term bridge).

Recommended Reading Order (from easier to more advanced):

  1. Baum et al. 2018 (BDLOP) — foundational.

  2. Lyubashevsky 2022 — hiding + zero-knowledge proofs.

  3. Cini 2024 — modern polynomial commitments (most practical for Mimblewimble).

Regarding the hybrid signature update for PQC algorithms
(I saw the SEI network did the same security binding process when switching SEI addresses to EVM addresses.)

(written by grok)

Minotari (Tari) Hybrid Signature Upgrade Scheme for Post-Quantum Migration

Minotari, built on the Mimblewimble protocol, can transition from ECC-based signatures (ECDSA/Schnorr) to post-quantum cryptography through a hybrid signature approach, providing a smooth, backward-compatible upgrade path.

1. Hybrid Signature Design

  • Each transaction kernel contains two independent signatures:

    • Classic: ECC (secp256k1) signature for backward compatibility.

    • Post-Quantum: ML-DSA (FIPS 204, preferably ML-DSA-65 or ML-DSA-87) signature.

  • OR-mode (either signature valid) for maximum compatibility during transition, or AND-mode for stronger security.

  • The two key pairs (ECC and PQC) are mathematically independent. They are linked only at the wallet/protocol level (via HD derivation paths from the same seed phrase or on-chain key registry).

2. Key Management & User Experience

  • Old wallets with only ECC keys can continue working.

  • Users generate a new PQC key pair (preferably derived from the same mnemonic via a different derivation path).

  • Only one set of backup words is needed if the wallet supports extended derivation.

  • Funds are gradually migrated from legacy ECC addresses to new PQC addresses using hybrid-signed transactions.

3. Security Binding

  • To prevent attacks (e.g., an attacker with a stolen ECC key using an arbitrary PQC key), the protocol requires PQC public key registration or binding to the account.

  • Hybrid signatures include a commitment linking both signatures and the registered PQC public key.

4. Mimblewimble-Specific Challenges & Solutions

  • Pedersen Commitments (core for privacy and amount hiding) rely on ECC and lose binding security under quantum computers.

  • Short-term: Keep Pedersen (hiding still holds) + use PQC range proofs.

  • Medium/Long-term: Replace with lattice-based additively homomorphic commitments (based on Module-LWE for hiding and Module-SIS for binding). This preserves Mimblewimble’s aggregation, privacy, and balance verification.

5. Overall Migration Phases

  1. Phase 1 (Immediate): Enable hybrid signatures + hybrid TLS/P2P encryption.

  2. Phase 2 (Transition): Introduce PQC key registration and controlled key rotation.

  3. Phase 3 (Final): Soft fork to pure PQC mode (only ML-DSA signatures + lattice commitments). Users migrate remaining funds before the cutoff height.

Advantages

  • Backward compatible with old nodes/wallets.

  • Quantum-safe even if ECC is broken (“Harvest Now, Decrypt Later” protection).

  • Maintains Mimblewimble’s strong privacy properties.

This hybrid strategy follows industry best practices (similar to Ethereum, Hedera, and TLS hybrid modes) and leverages Minotari’s Rust implementation for relatively straightforward integration with libraries like liboqs or pqcrypto.

The transition is expected to span several years, with soft forks and ample warning periods for users. High-value holdings should be migrated to pure PQC addresses as soon as wallet support is available. This provides a secure, gradual, and user-friendly path to full post-quantum security for the Minotari network.
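The OR/AND kernel policy (section 1) and the security binding (section 3) above, as an added example that is not Minotari project code. Both signature schemes are the same toy Schnorr over the order-11 subgroup of Z_23*, a stand-in that is not post-quantum; what the block demonstrates is `verify_kernel`: the presented PQC key must hash to the commitment registered for the ECC key, so a stolen ECC key paired with an attacker's own PQC key is rejected in both modes, while a legacy ECC-only kernel passes OR-mode and fails AND-mode. The registry map, the `Kernel` layout and all key values are constructed assumptions.

```rust
// Added example (not Minotari project code): hybrid kernel verification with a
// PQ-key binding commitment. Both schemes are the same toy Schnorr over the order-11
// subgroup of Z_23* (a stand-in, NOT post-quantum); the point is the OR/AND policy
// and the binding check in verify_kernel, not the signature arithmetic.
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};
const P: u64 = 23; // toy modulus
const Q: u64 = 11; // subgroup order (scalars live in Z_q)
const G: u64 = 4;  // generator of the order-11 subgroup

fn modpow(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = r * b % m; } b = b * b % m; e >>= 1; }
    r
}
/// Deterministic toy hash (SipHash with zero keys); `h_q` reduces it into Z_q.
fn h64(parts: &[u64]) -> u64 { let mut s = DefaultHasher::new(); parts.hash(&mut s); s.finish() }
fn h_q(parts: &[u64]) -> u64 { h64(parts) % Q }

#[derive(Clone, Copy)]
pub struct Sig { r: u64, s: u64 }
pub fn keygen(sk: u64) -> u64 { modpow(G, sk, P) }
pub fn sign(sk: u64, nonce: u64, msg: u64) -> Sig {
    let r = modpow(G, nonce, P);
    Sig { r, s: (nonce + h_q(&[r, keygen(sk), msg]) * sk) % Q }
}
pub fn verify(pk: u64, msg: u64, sig: Sig) -> bool {
    modpow(G, sig.s, P) == sig.r * modpow(pk, h_q(&[sig.r, pk, msg]), P) % P
}

#[derive(Clone, Copy)]
pub enum Mode { Or, And }
/// A kernel carries both public keys, the binding commitment and 0, 1 or 2 signatures.
pub struct Kernel { pub ecc_pk: u64, pub pq_pk: u64, pub binding: u64,
                    pub ecc_sig: Option<Sig>, pub pq_sig: Option<Sig> }
/// Commitment linking the ECC key to the PQ key its owner registered on-chain.
pub fn binding_of(ecc_pk: u64, pq_pk: u64) -> u64 { h64(&[ecc_pk, pq_pk]) }

/// `registry` maps ECC pubkey -> binding commitment recorded at PQ-key registration.
pub fn verify_kernel(registry: &HashMap<u64, u64>, k: &Kernel, msg: u64, mode: Mode) -> bool {
    // Security binding: a stolen ECC key cannot be paired with an arbitrary PQ key.
    match registry.get(&k.ecc_pk) {
        Some(&reg) if reg == k.binding && reg == binding_of(k.ecc_pk, k.pq_pk) => {}
        _ => return false,
    }
    let ecc_ok = k.ecc_sig.map_or(false, |s| verify(k.ecc_pk, msg, s));
    let pq_ok = k.pq_sig.map_or(false, |s| verify(k.pq_pk, msg, s));
    match mode { Mode::Or => ecc_ok || pq_ok, Mode::And => ecc_ok && pq_ok }
}
```

An unregistered ECC key is rejected outright here; a real deployment would need a legacy rule for accounts that have not yet registered a PQC key during Phase 1.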