Two distinct quantum tracks matter for IMPT. One is operational — credit-matching at scale benefits from quantum-inspired optimisation today. The other is defensive — every cryptographic primitive on the wallet and ledger has a 10-year shelf life if quantum advances continue at current rate. Both tracks are worth designing for now.
A buyer needs N tonnes of carbon retirement, with quality constraints (vintage, project type, geography, additionality grade, co-benefit weighting) and a price ceiling. The supply side is millions of credits across hundreds of projects, each with their own attribute set, each priced differently, some bundled, some split.
Classical solvers handle this. They handle it slowly. As the market grows past one million transactions a year — which is the scale we're targeting — the matching problem becomes the bottleneck. Quantum-inspired solvers (QAOA, simulated annealing variants, hybrid classical-quantum optimisation) are already faster than pure-classical for problems in this exact shape.
We don't need a fault-tolerant quantum computer for this. We need quantum-inspired algorithms running on classical-plus-accelerator hardware. That's tractable today, in 2026.
The retirement events we sign today live on Ethereum forever. The signature scheme securing them — ECDSA over secp256k1 — is vulnerable to a sufficiently capable quantum adversary running Shor's algorithm. The current consensus among cryptographers is that "sufficiently capable" lands somewhere between 2030 and 2040. The exact year is debated; the trajectory isn't.
NIST's first post-quantum standards. Lattice-based, well-studied, performant on commodity hardware. The sensible default for new cryptographic work in 2026.
Stateless hash-based signatures. Larger signature size but minimal cryptographic assumptions. Belt-and-braces for high-stakes signing where Kyber fails.
Sign every transaction with both classical (ECDSA) and post-quantum (Dilithium). Both have to break for the transaction to be forgeable. Standard transitional design pattern.
The IMPT carbon ledger today uses classical EVM signatures. That's the right call for 2026 — the tooling is mature, every wallet supports it, the gas cost is known. We are not migrating off it tomorrow.
But every retirement event we sign today is meant to be permanent. The customer's name on a tonne of CO₂ retired in 2026 should still be cryptographically intact in 2046. That's a 20-year horizon.
Our internal work adds a parallel post-quantum signature alongside the classical one. The retirement event is dual-signed: classical ECDSA (current standard) plus Dilithium (post-quantum). Either signature alone is enough to verify the event. To forge the retirement, an attacker has to break both.
The cost of doing this is small. The signature size grows modestly per event. On Ethereum L1 that's expensive; on L2 (Base, Arbitrum) it's negligible. Most of our retirement traffic is on L2 already for cost reasons. The post-quantum upgrade is essentially free at our current scale.
The credit-matching side is more speculative. We're running classical solvers in production today. The quantum-inspired path is research-grade, not production. We expect 2027–2028 before that's a meaningful production lever.
Both tracks are worth being ready for. Both tracks are why IMPT has a quantum thesis at all — not because it's fashionable, but because the asset class we're building has a 20-year horizon and the cryptographic ground under it is shifting.