TON Blockchain Quantum Risk: 256-bit Hash Security and Ed25519 Exposure

TON uses ed25519 for account signing with no post-quantum roadmap. Telegram's integration creates exposure across hundreds of millions of users who may not understand the risk.

QuanChain Research
June 26, 2026

TON's Cryptographic Architecture

The Open Network (TON) uses ed25519 as its account signature scheme. Account addresses on TON are derived from a hash of the account's initial state, which includes the public key. SHA-256 provides data integrity for blocks and messages. The address system uses 256-bit hashes to identify accounts within workchains and shards.

Ed25519 is a well-implemented elliptic curve signature scheme with strong classical security. It is the same scheme used by Solana, Cardano, and Algorand. The quantum vulnerability is the same: Shor's algorithm breaks elliptic curve discrete logarithm problems, which means a cryptographically relevant quantum computer can derive private keys from public keys. Any TON account that has signed a transaction has exposed its public key on-chain.

The 256-bit hash addresses provide partial protection for fresh accounts. A new TON account whose spending key has never been used in a transaction has not yet revealed its public key on-chain. The address is a hash commitment to the public key, not the key itself. However, the moment that account sends a transaction, the public key is revealed. Active TON wallets are fully exposed to the quantum attack described in the Shor's algorithm breakdown.
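The lifecycle described above can be modeled in a few lines. This is an added example, not code from the article or from TON: it is a deliberately simplified model in which the address is SHA-256 over a flat byte string (real TON hashes a tree of cells), and `WALLET_CODE`, the `Account` class, the balances and the 32-byte keys are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

WALLET_CODE = b"constructed-wallet-code"  # placeholder, not real TON contract code


def initial_state(public_key: bytes, code: bytes = WALLET_CODE) -> bytes:
    # Simplified: real TON hashes a tree of cells, not a flat byte string.
    return len(code).to_bytes(2, "big") + code + public_key


def address_for(workchain: int, state: bytes) -> str:
    return f"{workchain}:{hashlib.sha256(state).hexdigest()}"


@dataclass
class Account:
    address: str
    balance: int                             # constructed units
    published_state: Optional[bytes] = None  # None until the first outgoing transaction

    def send_first_transaction(self, state: bytes) -> None:
        # The revealed state is accepted only if it hashes to the address.
        workchain = int(self.address.split(":")[0])
        if address_for(workchain, state) != self.address:
            raise ValueError("initial state does not match the address commitment")
        self.published_state = state

    def exposed_public_key(self) -> Optional[bytes]:
        # Observers can read the key from published state, never from the hash.
        return None if self.published_state is None else self.published_state[-32:]


def exposure_report(accounts: List[Account]) -> Dict[str, object]:
    exposed = [a for a in accounts if a.exposed_public_key() is not None]
    total = sum(a.balance for a in accounts)
    at_risk = sum(a.balance for a in exposed)
    return {"exposed": [a.address for a in exposed],
            "balance_at_risk": at_risk,
            "share_at_risk": at_risk / total if total else 0.0}


def sample_accounts() -> List[Account]:
    # Constructed 32-byte values standing in for ed25519 public keys.
    fresh_key, used_key = bytes([1]) * 32, bytes([2]) * 32
    fresh = Account(address_for(0, initial_state(fresh_key)), balance=1500)
    active = Account(address_for(0, initial_state(used_key)), balance=500)
    active.send_first_transaction(initial_state(used_key))
    return [fresh, active]
```

Running `exposure_report(sample_accounts())` flags only the account that has sent a transaction; the funded but unused account stays protected by the hash commitment.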

What Is SHA-256's Security Level Against Quantum Attacks?

SHA-256 is not directly attacked by Shor's algorithm. Shor's algorithm targets problems with algebraic structure: integer factorization and discrete logarithms. SHA-256 is a hash function without that structure.

Grover's algorithm is the relevant quantum threat to symmetric cryptography and hash functions. It provides a quadratic speedup for brute-force search, which effectively halves the security level of a hash function against quantum adversaries. SHA-256 provides 256 bits of classical security against preimage search. Against a quantum adversary using Grover's algorithm, it provides approximately 128 bits of security.

128 bits of security is currently considered adequate. NIST's post-quantum security standards define Level 1 security as equivalent to AES-128, which provides approximately 128-bit quantum security. TON's use of SHA-256 for data integrity does not represent an immediate quantum vulnerability. The meaningful quantum risk in TON is ed25519 account signatures, not SHA-256 hashing.

This is worth clarifying because some analyses conflate quantum threats to asymmetric cryptography (serious, posed by Shor's algorithm) with quantum threats to symmetric cryptography and hash functions (manageable, mitigated by longer keys or larger hashes). TON's hash-based address system provides meaningful protection for accounts that have never sent a transaction but no protection once accounts become active.

What Is the Scale of TON's Quantum Exposure?

TON's quantum exposure scale is difficult to overstate. Telegram, the messaging application with over 900 million monthly active users as of 2025, has integrated TON as its native blockchain infrastructure. Telegram's built-in wallet (Wallet in Telegram) and TON Space wallet are accessible directly within the Telegram interface.

The integration means that TON wallet creation and usage are accessible to Telegram's user base without requiring users to download separate applications or understand blockchain infrastructure. Many TON users created wallets as an incidental part of using Telegram features, not as a deliberate choice to participate in blockchain ecosystems. These users are unlikely to understand their cryptographic exposure or to take proactive steps to protect their funds if a quantum migration is required.

Estimating how many active TON wallets exist is complicated by TON's unique account lifecycle. TON accounts can be in an "uninitialized" state before their first transaction. As of 2026, active TON wallets numbered in the tens of millions, with a larger pool of initialized-but-dormant accounts. Each active wallet that has sent transactions has an exposed public key on-chain.

The Telegram integration creates a specific user population risk. Users who accessed TON through Telegram's interface are less likely to be technically sophisticated, more likely to have wallets that are difficult to migrate under self-custody, and less likely to respond to migration notices that require on-chain action. This is a different risk profile from that of the technically engaged user bases of developer-oriented chains like Polkadot or Algorand.

How Does TON's Sharding Architecture Interact with Quantum Risk?

TON uses a dynamic sharding architecture. The network divides into workchains, and each workchain can split into shards to handle load. The masterchain coordinates all workchains and shards, maintaining the global state. Account addresses encode the workchain and shard routing information.

The sharding architecture affects quantum migration complexity. A post-quantum migration would need to propagate consistently across all active shards and workchains simultaneously, or include a coordination protocol for handling accounts that span shard boundaries during migration. TON's dynamic sharding, which splits and merges shards based on load, adds a moving-target complexity to any network-wide cryptographic upgrade. Polkadot's multi-chain architecture presents an analogous coordination challenge, where a relay chain upgrade must propagate through hundreds of parachains.

The masterchain validator set uses ed25519 for its signing keys. These validators maintain the global state of all workchains. Breaking masterchain validator keys would allow an attacker to forge masterchain blocks, which would compromise the integrity of the entire TON network. Validator key security is a higher-priority target than individual user wallets from a network security perspective.

What Is the TON Foundation's Post-Quantum Position?

As of June 2026, the TON Foundation had not published a post-quantum cryptography roadmap for the TON network. There were no public proposals, technical improvement documents, or research publications specifically addressing the transition from ed25519 to post-quantum signatures for TON accounts or validator infrastructure.

TON's development and governance situation is complex. The network was originally developed by Telegram but was subsequently handed to the open-source community after Telegram's conflict with the SEC in 2020. The TON Foundation and independent development organizations now maintain the network. The decentralized governance structure may complicate coordinated migration planning.

The absence of a post-quantum roadmap is consistent with the broader blockchain industry. Most chains have not produced concrete migration plans. But TON's Telegram integration creates a specific escalation risk: if quantum computers become capable of breaking ed25519 keys in the next 10 to 15 years, the TON network would need to migrate hundreds of millions of Telegram-integrated wallet users within a compressed timeframe. The logistical and communications challenge of that migration, given the non-technical nature of much of TON's user base, would be severe. For context on how a major chain is attempting to plan that transition, see the Ethereum post-quantum roadmap and the EIP-driven process it describes.

How Does TON Compare to Quantum-Resistant Alternatives?

TON's quantum risk profile is representative of mainstream blockchains: elliptic curve signatures, large active user base with exposed public keys, no deployed post-quantum solution, and no public roadmap. Its distinguishing feature is the Telegram integration, which concentrates quantum exposure among users who are less equipped to manage a self-directed migration.

The chains with the most serious post-quantum posture are those that built post-quantum cryptography into their protocols from the start, eliminating the migration problem entirely. A blockchain that uses NIST-standardized post-quantum signatures as its native signing scheme does not need to migrate users. Every wallet created on that chain is quantum-resistant by default, regardless of whether the wallet holder understands cryptography.

The Layer 1 blockchain comparison for 2026 covers how TON compares to other networks across performance and security dimensions. For investors specifically evaluating quantum risk exposure, the cryptocurrency quantum vulnerability ranking provides a structured comparison. The key question for TON is whether its development community can coordinate a post-quantum migration across a user base largely unaware of the underlying cryptographic risk before quantum computers make that migration necessary.
