Quantum risk

Where Tidecoin's coins actually sit on the threat axis.

Tidecoin signs every transaction with from genesis. There is no ECDSA on this chain. , the famous quantum attack on Bitcoin, does not apply. What does apply is a finer question — which is what this page measures.

Quantum supply data not available yet.

Either the backend isn't running, the indexer isn't connected, or the query failed. Check the backend logs and try again.

See /threat-model for the conceptual partition that this page is meant to measure.

What this page is, and what it isn't

Not a claim that Tidecoin is “quantum-proof.” That word is avoided across the site. The correct phrase is post-quantum by construction, and even that comes with three residual risks documented on /threat-model.
Not a panic gauge. None of the three residual risks are urgent today. The page exists to make them legible — defence in depth is cheap, and the partition above tells you which of your coins have how much defence.
Is a real measurement against the live UTXO set. Every number above comes from the prevblock indexer's aggregate over prevblock.outputs WHERE spent_by_txid IS NULL. No estimates, no extrapolation. The freshness label says when it was last computed.

The three risks, in descending likelihood

1. Implementation bugs and side channels

Highest near-term risk

Tidecoin signs with the PQClean Falcon-512 reference implementation. That implementation's Gaussian sampler is built on floating-point arithmetic, and floating-point operations have observable timing variations on many CPUs.

Guerreau, Martinelli, Ricosset & Rossi (CHES 2022) recover signing keys from real measurements on the reference implementation. Not fault injection, not invasive access — a clean side-channel attack on commodity hardware. Long version with citations.

2. Cryptanalysis of Falcon itself

Medium horizon

is an active research area. Falcon-512 is NIST level 1 (~AES-128 classical and quantum). No break exists. The conservative assumption is that some erosion of the security margin is possible over the chain's lifetime, which is exactly why the next risk matters.

If Falcon's margin ever shrinks, the bucket above is your insurance: the barrier still applies whether or not Falcon itself remains as strong as it is today. coins do not have that insurance.

3. Grover's algorithm against the address hash

Longest horizon, lowest concern today

takes Hash160 preimage work from ~2^160 to ~2^80. 2^80 is roughly a billion times the largest classical hash campaign ever attempted; it is not a near-term concern at all.

We track it because the math is well-defined and the threat model deserves a coherent third vertex. Hash-protected coins get both the Falcon layer and the Hash160 layer; the bigger cryptographic event between now and a hypothetical Grover-relevant machine is almost certainly going to be one of risks 1 or 2.

Methodology

The four numbers above come from a single SQL aggregate against the indexer's UTXO table. Bucket assignment is exact, not heuristic:

hashProtected:  pubkey_revealed_at_height IS NULL
                AND script_type IN (p2pkh_falcon, p2wpkh_falcon,
                                     p2wsh_falcon, p2sh)

pubkeyExposed:  pubkey_revealed_at_height IS NOT NULL
                AND script_type IN (p2pkh_falcon, p2wpkh_falcon,
                                     p2wsh_falcon, p2sh)

bareP2pk:       script_type = 'p2pk_falcon'

unclassified:   script_type IN (op_return, witness_unknown, nonstandard)

The indexer fills pubkey_revealed_at_height two ways: directly when an output is created bare-P2PK (the pubkey is on chain from the moment the output exists), and propagated when a Falcon witness later spends from any address that shares the revealed Hash160.

← Dashboard·Threat model (long)·Richlist