Threat model
Three risks to track. Shor isn't one of them.
prevblock does not claim Tidecoin is unbreakable. It claims to tell you exactly what the risks are and where your coins sit against them. This page is the long version of onboarding slide 2; every claim has a source.
The threat that does not apply
Shor's algorithm is the famous quantum attack on Bitcoin. A sufficiently large quantum computer running Shor's can recover an ECDSA private key from a published public key in polynomial time. It is the reason post-quantum signature schemes exist.
It does not apply to Tidecoin. There is no ECDSA code path in the binary. Every on-chain signature, including the genesis coinbase from December 2020, is Falcon-512. Shor provides no known speedup against the NTRU lattice problems Falcon rests on. A sufficiently large quantum computer arriving tomorrow would not, by itself, endanger any TDC.
Source: docs/source-extracts/key.h:17-19 — the three PQCLEAN_FALCON512 constants fully define CKey and CPubKey sizes, with no secp256k1 code path retained.
Risk 1 — highest near-term likelihood
Implementation bugs and side-channels
Tidecoin signs transactions using the PQClean Falcon-512 reference implementation. That implementation's Gaussian sampler is built on floating-point arithmetic, and floating-point operations have observable timing variations on many CPUs.
Concrete prior art: Guerreau, Martinelli, Ricosset & Rossi, "The Hidden Parallelepiped is Back Again: Power Analysis Attacks on Falcon", CHES 2022. The authors recover signing keys from measurements on the reference implementation running on an ARM Cortex-M4. Not fault injection, not invasive access — a clean side-channel recovery.
Operational implication: signing on a general-purpose CPU without constant-time floating-point guarantees is a risk today. Most desktops and phones fall into that category. Hardware wallets need a masked integer-only sampler or a certified constant-time FP unit — no shipped consumer wallet advertises that yet.
Risk 2 — medium horizon
Cryptanalysis of Falcon itself
Cryptanalysis of Falcon is an active research area. Falcon-512 is NIST level 1 (~AES-128 classical and quantum), which gives a conservative margin today but is not the sort of margin one can leave unmonitored for twenty years. Recent improvements in BKZ-style reduction have shaved bits off several lattice schemes without breaking them; structured lattices like NTRU attract attacks that exploit the ring structure specifically.
This is why the address hash matters. If Falcon's security margin erodes over the chain's lifetime, the Hash160 barrier still keeps hash-protected coins safe, since the attacker would have to break both the hash and Falcon. Exposed coins have no such insurance.
Risk 3 — longest horizon
Grover vs the address hash
Grover's algorithm gives a quadratic speedup to black-box search, which applies to pre-image attacks on cryptographic hashes. Against Tidecoin's Hash160:
- Classical pre-image work: ~2^160
- Grover-accelerated work: ~2^80
2^80 is roughly a billion times the largest classical hashing campaign ever done. It is not a near-term concern. We track it because defence in depth is cheap: if Falcon itself is later weakened, the hash layer remains a meaningful barrier. Hash-protected coins get both layers; exposed coins have one.
What prevblock does NOT claim
- That Tidecoin is "quantum-proof." The word is avoided throughout. The correct phrase is "post-quantum by construction" with an explicit acknowledgement of residual risks.
- That Falcon has been formally verified end-to-end. It has not.
- That these three risks are the only risks. They are the three that are public today and backed by published research. More may emerge; monitoring this page is part of the operator's job.