blockchain network
Litecoin LTC
Litecoin is a classical PoW UTXO chain with ECDSA/secp256k1 spend authorization and an optional MWEB privacy extension using classical Schnorr, Pedersen commitments, and Bulletproofs on secp256k1-zkp. Every critical cryptographic layer is quantum-vulnerable. The Litecoin project has published exactly one quantum-related mitigation proposal: LIP-0003's switch-commitment-to-Elgamal for MWEB commitments, which addresses only supply-inflation risks in the extension block—not ECDSA key recovery, not base-layer transaction signing, not long-exposure public-key theft. This proposal has never been implemented or activated. No comprehensive cryptographic inventory, quantum threat model, PQC design, prototype, testnet, or migration plan exists. Charlie Lee publicly acknowledged quantum risk in March 2026 but stated the community 'can quite easily switch to quantum safe encryption algorithms' without publishing a roadmap. With ~0.45% of supply in MWEB and >99.5% on the transparent ECC-vulnerable ledger, material long-exposure value-at-risk exists with no protection or migration path. Litecoin's 2.5-minute block time provides partial mitigation against on-spend attacks (<3% success probability per Google Quantum AI) but zero protection against at-rest attacks on already-exposed public keys. The project earns minimal credit for LIP-0003's quantum acknowledgment (Stage 1) but remains far from any production quantum protection. QRI Score 5 reflects evidence of quantum risk awareness at the specification and founder level with no meaningful production protection.
Roadmap OnlyPartial ProtectionECC-DependentLong-Exposure Value-at-RiskMWEB-Quantum-Acknowledged
Category breakdown
QRI Factors
Algorithm & Implementation Assurance
1.67 / 20
Migration Mechanism, Governance & Ecosystem Coordination
0.75 / 15
Migration Status & Value-at-Risk
1 / 25
Production Cryptographic Protection
0 / 35
Security Assessment & Evidence Preparedness
1.75 / 5
Critical Quantum Blockers
- No public cryptographic inventory or quantum threat assessment has been published by the Litecoin project.
- All production spend authorization (base layer and MWEB) remains exclusively ECDSA/secp256k1 or classical Schnorr—fully vulnerable to Shor's algorithm.
- Material long-exposure quantum-vulnerable value exists across P2PK outputs, reused P2PKH/P2WPKH addresses, and P2TR key-path outputs with no migration, freeze, deprecation, or recovery path.
- MWEB Pedersen commitments and Bulletproofs rely on the discrete logarithm assumption; the Google Quantum AI paper (iacr 2026/625) identifies an on-setup vulnerability enabling permanent classical inflation exploits after a single ECDLP solution.
- No PQC design, prototype, testnet, or mainnet path exists for the base-layer ECDSA spend authorization—the LIP-0003 switch-commitment proposal addresses only MWEB commitment binding, not transaction signing.
Key Risks
- All LTC spend authorization (ECDSA/secp256k1, MWEB Schnorr) is fully breakable by Shor's algorithm—a CRQC can forge transactions and steal funds from any address with an exposed public key.
- Significant long-exposure value-at-risk: early P2PK mining outputs, reused P2PKH/P2WPKH addresses, and P2TR key-path outputs have public keys permanently visible on-chain with unlimited attack window.
- MWEB Pedersen commitments use fixed public parameters; a single ECDLP solution creates a permanent classical exploit for undetected MWEB inflation (Google Quantum AI paper, iacr 2026/625).
- MWEB privacy guarantees are retroactively breakable—a future CRQC can decrypt historical confidential transactions, deanonymizing years of MWEB activity. This damage is irreversible.
- No migration, freeze, deprecation, burn, or recovery mechanism exists for quantum-vulnerable UTXOs. Lost/abandoned coins with exposed public keys are permanently vulnerable with no policy path to address them.
- Litecoin's development resources are significantly smaller than Bitcoin's; any PQC upgrade would likely trail Bitcoin's already-uncertain timeline, creating a window where LTC is the softer quantum target among BTC-fork chains.
- The misleading 'Quantum resistant' claim in official documentation may cause users to falsely believe their funds are protected, delaying precautionary measures.
Assurance Notes
- MWEB audit (Quarkslab 2021-2022) is stale but relevant to current MWEB design; covers only classical cryptography with no quantum scope.
- Litecoin Core source code is fully open source and publicly verifiable, but no PQC implementation exists to review.
- Litecoin's official documentation (litecoin.com/learning-center/addresses-prefixes) contains a misleading claim that addresses provide 'Quantum resistant' protection because SHA256 and RIPEMD are quantum-resistant. This conflates hash-function security with overall system security—spend authorization remains ECDSA-dependent and fully quantum-vulnerable.
- MWEB suffered a critical validation bug exploited in March 2026 (85,034 LTC peg-out inflation) and a follow-on mutated-block handling issue in April 2026 (13-block invalid chain). Both were resolved. This demonstrates active classical security maintenance but does not directly affect quantum readiness.
- No formal quantum-specific incident-response playbook, security contact for quantum disclosures, or emergency governance process for quantum-related vulnerabilities has been published.
- No performance or resource-impact analysis for potential PQC signature/verification costs exists.
- Litecoin founder Charlie Lee publicly acknowledged quantum risk in March 2026 interviews, stating the community 'can quite easily switch to quantum safe encryption algorithms' when the time comes, but no formal roadmap or implementation plan has been published.
Non-Scoring Caveats
- Litecoin's 2.5-minute block time reduces on-spend attack probability to <3% per the Google Quantum AI paper, but this provides no protection against at-rest attacks on already-exposed public keys.
- MWEB adoption (~378,000 LTC, ~0.45% of supply) is negligible relative to total value-at-risk; the transparent ledger holds >99.5% of all LTC in quantum-vulnerable address formats.
- Litecoin's position as a Bitcoin fork means any PQC upgrade would likely follow Bitcoin's lead; Bitcoin itself has no committed PQC timeline (BIP-360 and BIP-361 remain draft proposals).
- The hash-based 'Quantum resistant' claim on litecoin.com is misleading and could create false user confidence.
- Future PQ-to-PQ upgrades or transitions from one PQ-secure design to another are not relevant to the current evaluation scope since no PQ protection exists today.
- Lack of exchange/custody migration attestations is not score-reducing since no PQ migration path exists to attest to.
- Stale MWEB audit (2022) is relevant to current design but does not independently make quantum-critical properties unverifiable—the primitives are well-documented in public code and specifications.
- MWEB March-April 2026 security incidents (validation bug causing 85,034 LTC inflation, mutated-block handling issue) were classical security issues resolved through emergency miner upgrades; they do not directly affect quantum readiness but demonstrate implementation fragility.
Evidence record
Claims and Caveats
Security Assessment & Evidence Preparedness
Public cryptographic inventory and quantum threat model
Claim: LIP-0003 acknowledges quantum risk for MWEB Pedersen commitment binding and proposes switch commitments to Elgamal; no comprehensive cryptographic inventory or quantum threat model exists.
Coverage basis: Protocol specification (LIP-0003), public source code, third-party quantum analysis (Google iacr 2026/625, BMIC 2026)
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No public cryptographic inventory or quantum threat assessment has been published by the Litecoin project; LIP-0003 addresses only one narrow vulnerability
Assurance: Third-party quantum analysis (Google, BMIC, PostQuantum.com) provides an external assessment but does not substitute for a project-published inventory and threat model
LIP-0003 section 'Switch Commitment to Elgamal' explicitly states: 'We will implement switch commitments to elgamal as a safety measure against the threat of quantum computers.' This is a specification-level acknowledgment (2019-2022) of one specific quantum vulnerability, not a comprehensive assessment. The switch commitment has never been implemented or activated on mainnet.
Security Assessment & Evidence Preparedness
Public evidence record supporting assessment
Claim: Source code, protocol specifications (LIPs), MWEB audit (Quarkslab 2022), block explorers, and third-party quantum analyses collectively document Litecoin's cryptographic primitives and quantum vulnerabilities.
Coverage basis: Public code repositories, LIP specifications, Quarkslab audit report, block explorers (blockchair.com, mwebexplorer.com), Google Quantum AI paper
Implementation score: 0.5 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Evidence exists from multiple independent sources but has not been assembled by the project into a coherent quantum risk assessment. MWEB audit is stale (2022) and explicitly excludes quantum considerations.
The evidence is sufficient for third-party quantum risk evaluation but does not represent project-organized assessment preparedness.
Production Cryptographic Protection
Spend authorization / transaction signatures
Claim: All transaction signatures use ECDSA on secp256k1 (base layer) or classical Schnorr signatures on secp256k1-zkp (MWEB). No PQC or hybrid-PQC signatures exist.
Coverage basis: ECDSA/secp256k1 for base-layer P2PKH, P2SH, P2WPKH, P2TR; Schnorr/secp256k1-zkp for MWEB
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Active production spend authorization remains entirely ECC/Schnorr-only with no PQC or hybrid path
Assurance: Confirmed by source code review, Quarkslab audit, and multiple independent analyses
Triggered 'Active production spend authorization remains entirely ECC/BLS/Schnorr/EdDSA-only' Readiness & Risk Cap (max QRI 40). LIP-0003 switch commitment does not address transaction signing.
Production Cryptographic Protection
Account, address, public-key exposure
Claim: All Litecoin address formats (L, M, ltc1q, ltc1p) derive from ECDSA public keys. P2PK outputs directly expose public keys. P2PKH/P2WPKH addresses expose public keys on spend. No PQ address formats exist.
Coverage basis: Standard Bitcoin-fork address model: P2PK, P2PKH, P2SH, P2WPKH, P2TR all ECDSA-based; MWEB uses secp256k1-zkp stealth addresses
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: All address formats expose or derive from ECDSA public keys; long-exposure quantum-vulnerable ownership paths exist by default
Litecoin's official documentation misleadingly states addresses provide 'Quantum resistant' protection because SHA256 and RIPEMD are quantum-resistant. This ignores that spend authorization still requires ECDSA private key—hash functions protect address derivation, not transaction authorization.
Production Cryptographic Protection
Consensus-critical authentication
Claim: Litecoin is a PoW chain with no validator signatures, BLS threshold signatures, VRFs, or finality signatures. Consensus-critical authentication is not applicable.
Coverage basis: PoW consensus via Scrypt; no validator set or BFT finality
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
PoW consensus authentication (hash-based) is not directly quantum-vulnerable in the way BLS validator signatures would be. Scrypt PoW itself provides no additional quantum resistance vs SHA-256.
Production Cryptographic Protection
State-integrity and data-availability mechanisms
Claim: Base-layer UTXO state integrity relies on ECDSA script verification. MWEB uses Pedersen commitments and Bulletproofs on secp256k1-zkp—all classical ECC, quantum-vulnerable.
Coverage basis: ECDSA for base-layer script authorization; Pedersen commitments + Bulletproofs for MWEB confidential transactions and supply binding
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: MWEB Pedersen commitments have fixed public parameters; a single ECDLP solution enables permanent classical inflation exploits (Google iacr 2026/625)
Assurance: Quarkslab audit (2022) confirms implementation correctness for classical security but does not assess quantum vulnerabilities. Google paper (2026) provides independent quantum vulnerability analysis.
LIP-0003's proposed switch-commitment-to-Elgamal would sacrifice hiding (privacy) to preserve binding (supply integrity) post-quantum, but this has never been implemented. The Google paper notes the Litecoin community 'chose to sacrifice privacy protection rather than monetary integrity' in this design.
Production Cryptographic Protection
Privacy and proof layers
Claim: MWEB uses MimbleWimble with classical ECC: Pedersen commitments, Bulletproof range proofs, ECDH key exchange for stealth addresses, and Schnorr signatures. All are quantum-vulnerable.
Coverage basis: MWEB extension block: confidential transactions via Pedersen commitments, range proofs via Bulletproofs, stealth addresses via ECDH
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Quantum blocker: MWEB privacy guarantees are retroactively breakable by a future CRQC; historical confidential transactions can be deanonymized irreversibly
Assurance: PostQuantum.com categorizes Litecoin MWEB as Category 4: 'Privacy-preserving with retroactive deanonymization risk.' This damage cannot be undone through migration.
MWEB does not use pairing-based proof systems (ZK-SNARKs); it uses Bulletproofs which rely on discrete log assumptions. The zkSTARK alternative was evaluated by the Litecoin community but rejected due to cost.
Production Cryptographic Protection
P2P transport, node identity
Claim: Litecoin uses standard Bitcoin-style P2P networking with no PQC or hybrid-PQC protection for node identity or peer authentication.
Coverage basis: Standard Bitcoin-fork P2P networking; no special quantum protection
Implementation score: 0 · Evidence confidence: Medium
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: P2P node identity is not spend-authorization, consensus, bridge, or custody-critical. Per QRI spec Section 7, this could be satisfied-by-design if asset-spending authorization were PQ-signed—but it is not. Currently score-reducing but not a primary quantum blocker.
P2P transport quantum vulnerability is a secondary concern relative to ECDSA spend authorization and long-exposure public key risk.
Production Cryptographic Protection
Critical wallet, custody, HSM support
Claim: No PQC or hybrid-PQC wallet, custody, or HSM workflows exist for Litecoin. All wallet software uses classical ECDSA key management.
Coverage basis: Litecoin Core, Electrum-LTC, Cake Wallet, hardware wallets—all ECDSA-only
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
No wallet supports PQ or hybrid-PQC signing paths because no such protocol capability exists on Litecoin mainnet.
Migration Status & Value-at-Risk
Percentage of value-at-risk protected
Claim: 0% of Litecoin value-at-risk is protected from quantum key-recovery attacks. ~0.45% of supply (~378,000 LTC) is in MWEB which is also quantum-vulnerable. >99.5% remains on the transparent ECC-only ledger.
Coverage basis: ~84M LTC total supply; ~378,000 LTC in MWEB (~$20M); all addresses ECC-based; significant long-exposure P2PK and reused-address value
Implementation score: 0.05 · Evidence confidence: Medium
Issue classification: quantum-critical vulnerability · Score treatment: cap-applying
Quantum blocker: Material long-exposure quantum-vulnerable value exists with no migration, freeze, deprecation, burn, recovery, or policy path
Assurance: Value-at-risk figures are approximate. Exact percentage of LTC supply in addresses with exposed public keys (P2PK, reused P2PKH/P2WPKH, P2TR key-path) is not independently verified for Litecoin specifically. Bitcoin estimates suggest >34% of BTC supply has exposed public keys; Litecoin likely has comparable or higher exposure due to similar UTXO architecture and longer history of address reuse.
Coverage <25% → score 1 of 20 per QRI Section 9.3.1. MWEB's ~0.45% of supply does not meaningfully change coverage. MWEB is itself quantum-vulnerable. Triggered 'Material long-exposure quantum-vulnerable value exists with no migration path' cap (max QRI 55).
Migration Status & Value-at-Risk
Critical wallets migrated or protected
Claim: No critical wallets (treasuries, exchanges, custodians, bridges, foundations) have migrated to PQC or hybrid-PQC protection, as no such capability exists on Litecoin.
Coverage basis: No PQ wallet infrastructure exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Exchange and custody migration is not possible when the protocol itself provides no PQC migration path.
Migration Status & Value-at-Risk
Legacy vulnerable pools identified and managed
Claim: No formal identification, measurement, deprecation, freeze, or migration mechanism exists for quantum-vulnerable UTXOs or accounts.
Coverage basis: No policy or mechanism exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Early P2PK mining outputs (analogous to Bitcoin's ~1.7M BTC P2PK exposure) are permanently vulnerable with no policy path. Charlie Lee (Litecoin founder) publicly warned about this risk for Bitcoin in March 2026 but no Litecoin-specific policy has been proposed.
Migration Mechanism, Governance & Ecosystem Coordination
Public migration or protection roadmap
Claim: LIP-0003 proposes a switch-commitment-to-Elgamal for MWEB as a quantum safety measure, but this is a narrow specification-level proposal (unimplemented) addressing only MWEB commitment binding, not base-layer ECDSA migration.
Coverage basis: LIP-0003 (2019-2022), section 'Switch Commitment to Elgamal'
Implementation score: 0.25 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Quantum blocker: No roadmap exists for base-layer ECDSA-to-PQC migration; LIP-0003 switch commitment addresses only MWEB and has no implementation
Assurance: LIP-0003 explicitly states: 'We will implement switch commitments to elgamal as a safety measure against the threat of quantum computers. More discussion must be had around its specific implementation and activation.' No progress beyond this specification text since 2022.
This is the only quantum-related proposal in any Litecoin Improvement Proposal. It was specified alongside MWEB activation (2022) but never prioritized for implementation. Charlie Lee's March 2026 public comments about quantum risk have not translated into a formal roadmap.
Migration Mechanism, Governance & Ecosystem Coordination
Migration accessibility and defaults
Claim: No PQC or hybrid-PQC account creation, wallet tooling, transaction paths, custody paths, user-facing warnings, education, or migration prompts exist.
Coverage basis: No PQ infrastructure exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
No wallet warns users about quantum-vulnerable address formats or recommends migration strategies.
Migration Mechanism, Governance & Ecosystem Coordination
Migration enforcement and coordination
Claim: No enforcement mechanisms exist (deprecation, freeze, disabled legacy signing, restricted withdrawals, unsafe-path blocking, mandatory migration deadlines). No exchange, custody, bridge, wallet, or infrastructure coordination for quantum migration.
Coverage basis: No enforcement or coordination exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
The MWEB March 2026 incident demonstrated Litecoin's ability to coordinate emergency miner upgrades, but this was for classical security, not quantum migration.
Migration Mechanism, Governance & Ecosystem Coordination
Emergency disclosure and incident response
Claim: No quantum-specific vulnerability disclosure process, incident-response plan, or governance process has been published.
Coverage basis: No quantum-specific process exists
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Per QRI spec Section 8.2, lack of a formal quantum-specific IR playbook does not by itself create a Readiness & Risk Cap when no PQC production system exists. This is recorded as an assurance note.
Litecoin demonstrated classical incident response capability during the MWEB March-April 2026 security incident, but no quantum-specific processes are formalized.
Algorithm & Implementation Assurance
Uses NIST-standardized PQC algorithms
Claim: No NIST-standardized, standards-track, or broadly reviewed PQC or hybrid-PQC algorithms are used in any Litecoin production layer.
Coverage basis: No PQC algorithms deployed
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical vulnerability · Score treatment: score-reducing
Litecoin uses only classical algorithms: ECDSA (secp256k1), Schnorr (secp256k1-zkp), SHA-256, RIPEMD-160, Scrypt. None are post-quantum for their cryptographic purpose.
Algorithm & Implementation Assurance
Independent cryptographic audit for quantum-critical scope
Claim: MWEB audit (Quarkslab 2021-2022) covers classical cryptography implementation correctness but explicitly excludes quantum considerations. No PQC audit exists because no PQC implementation exists.
Coverage basis: Quarkslab audit of MWEB integration; audit scope excluded low-level cryptographic primitives and quantum analysis
Implementation score: 0.25 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: confidence-only
Assurance: Audit is stale (2022) and scope-mismatched for quantum assessment—it explicitly states 'Very low-level cryptographic primitives are left out of scope (secp256k1, bulletproof) and considered secure.' No quantum threat model was applied. The audit is still relevant for classical implementation correctness of current MWEB design.
Partial credit (0.25) for having an independent audit of the production cryptographic implementation, even though quantum considerations are absent.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: Litecoin Core and libmw are fully open source under permissive licenses. However, no PQC implementation exists to be open source.
Coverage basis: MIT-licensed code on GitHub; no PQC code exists
Implementation score: 0 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Assurance: Classical code is fully open source and reproducible. This subfactor measures PQC implementation openness; since no PQC implementation exists, score is 0.
The classical implementation's open-source nature is a positive indicator for future PQC development transparency.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path
Claim: No documented parameter agility or PQC upgrade path exists. LIP-0003's switch commitment mentions activation via miner signaling but provides no concrete parameters or timeline.
Coverage basis: No PQC agility documentation exists
Implementation score: 0 · Evidence confidence: High
Issue classification: quantum-critical uncertainty · Score treatment: score-reducing
Assurance: LIP-0003 mentions BIP8 activation with 75% miner signaling threshold for the switch commitment, but this is only a high-level mechanism description with no concrete parameters.
Litecoin's Bitcoin-fork architecture may allow it to adopt Bitcoin PQC upgrades (e.g., BIP-360 P2QRH) relatively quickly if they materialize, but this is speculative and not a documented upgrade path.
Algorithm & Implementation Assurance
Stateful-signature safety
Claim: Litecoin does not use stateful hash-based signatures (XMSS/LMS). Not applicable.
Coverage basis: No stateful signatures in use
Implementation score: 1 · Evidence confidence: High
Issue classification: none · Score treatment: not applicable
Algorithm & Implementation Assurance
Performance and resource-impact analysis
Claim: No performance or resource-impact analysis for PQC signature/verification costs has been published.
Coverage basis: No analysis exists
Implementation score: 0 · Evidence confidence: High
Issue classification: assurance-only caveat · Score treatment: note-only
Assurance: Per QRI spec, lack of a formal performance benchmark does not by itself reduce the QRI Score when no PQC implementation exists. Recorded as an assurance note for future PQC consideration.
Litecoin's 2.5-minute block time and 1 MB block size would need analysis for PQC signature size impact (ML-DSA signatures ~2.4KB, SLH-DSA ~7-8KB vs ECDSA ~70 bytes).
Report metadata