NOSTR hasn't reached critical mass of users yet, that's really its only issue.
That and client-server decentralization instead of p2p decentralization, which isn't exactly the protocol's fault. I don't think technology is there yet.
The curve is the protocol's fault though. It's 2026, nothing can be advertised as the anything of the future if it's built on elliptic-curve cryptography with no possible migration pathway to lattice-based or other.
What do you mean no possible pathway? Just add another field in the JSON...
That's not a migration pathway though, in the sense that many other things can have one.
Even if you add, let's say, fields for a falcon sig and pubkey, a quantum baddie can ignore the falcon sig and just forge a valid schnorr sig for your identity. To the legacy part of the network the forged event looks authentic. For a migration to actually protect you, every relay and client would have to disregard schnorr sigs altogether. So signing schnorr over falcon (or whatever) is a pointless act. No matter what, you end up with a breaking change, no cross-fade.
Also there is no mathematical pathway to derive a lattice-based key from an elliptic-curve key. This means every user would have to generate a brand-new lattice key and post an event signed by the old schnorr key attesting that the new key is the rightful heir. And where does that attestation event go? And will all in the decentralised network know about it? And what about agreed time-stamping, etc. (All requires *some* centralisation.)
And after q-day the schnorr key is meaningless and the baddie can post that same event claiming one of their falcon keys is the rightful heir, maybe before you get round to it, if this all happens fast enough. Or maybe delete your attestation event and post theirs in its place, and so on.
Also any baddie from q-day onwards can insert anything into your history before q-day and it's indistinguishable from anything else in your history, at least at the atomic event level (which is what nostr is supposed to be).
Basically nostr as it stands cannot be advertised as the future. It doesn’t really matter how you assess the quantum threat, for the coming years with quantum-vulnerable cryptography you’ll be swimming against the current of internet opinion, and that's the real issue, not the true nature of the threat.
Can't you do some key encapsulation mechanism to include both keys?
No, any attempt would be theatre, there's no ECC-to-lattice key derivation and that's the only thing that would allow events themselves to declare both identities in a way that can't just be "re-declared" post q-day.
If you keep nostr what it is (no blockchain time-stamping, etc.) then the only sensible option is for everyone to consider their current identity meaningless (consider their nsec "pre-stolen") and start with a new post-quantum key pair identity, from zero. So all web of trust gone, etc.
The route is something like this.
First all concerned agree on a PQC key type for nostr identity (not easy).
Then everyone creates a fresh identity, with that PQC key type.
That means everyone has accepted that there is no way to link their old identity events to their new identity events that will survive q-day.
To be clear, before q-day, yes, you can use your old identity to bootstrap your PQC identity. But this is raw bootstrapping, not some kind of hybrid posting that will survive q-day. After q-day everything from your old key, including attestations and wrappings regarding your new key, will become cryptographically meaningless text files, with anyone able to add to your old-key history as they like. So the strategy is to stop posting things of value with your old key right after the creation of your new key, and use the old key exclusively as a tool to bootstrap the new key (add trust).
Also post q-day all your NIP17 DMs that made their way to public relays, and other things like encrypted follow lists, will be open to all that have collected them to read.
Again, though, it’s not whether q-day will ever actually happen or not that matters, it’s the fact that the internet thinks it could well happen. Opinion as reality.
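The "just add another field in the JSON" exchange and the bootstrapping route above, as an added example (not from the thread): per NIP-01 the event id, and therefore the schnorr sig, covers only the six-element array, so an extra top-level `pq_sig` key is unsigned, a legacy verifier that checks only `sig` never consults it, and a new PQ pubkey is only bound to an event (pre-q-day) if it sits in `tags`. The signature checks are stand-in callables and the event is constructed, not real BIP-340 or Falcon code.

```python
import hashlib
import json

def nostr_event_id(event):
    # NIP-01: id = sha256 of the JSON array [0, pubkey, created_at, kind, tags, content]
    # serialized without whitespace. Only these six fields are covered; any other
    # top-level key (such as a hypothetical "pq_sig") lies outside the signed data.
    payload = [0, event["pubkey"], event["created_at"], event["kind"],
               event["tags"], event["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def accept_event(event, verify_schnorr, verify_pq, require_pq):
    # Relay/client acceptance policy. verify_schnorr and verify_pq are callables
    # (event -> bool) standing in for real BIP-340 and PQ signature verification.
    if nostr_event_id(event) != event.get("id"):
        return False
    if require_pq:
        return verify_pq(event)      # strict network: schnorr-only events are rejected
    return verify_schnorr(event)     # legacy network: a PQ field is never even looked at

# Constructed sample event: placeholder hex strings, not real keys or signatures.
BASE = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 1,
        "tags": [], "content": "hello nostr", "sig": "cd" * 64}

def finalize(event):
    e = json.loads(json.dumps(event))  # deep copy so BASE stays untouched
    e["id"] = nostr_event_id(e)
    return e

def demo():
    schnorr_stub = lambda e: len(e.get("sig", "")) == 128  # stand-in, not a verifier
    pq_stub = lambda e: bool(e.get("pq_sig"))              # stand-in for a Falcon check

    plain = finalize(BASE)
    hybrid_field = finalize({**BASE, "pq_sig": "ef" * 64})          # extra top-level key
    bootstrap = finalize({**BASE, "tags": [["pq_pubkey", "01" * 32]]})  # heir key in a tag
    return {
        "field_changes_id": plain["id"] != hybrid_field["id"],   # False: not covered
        "tag_changes_id": plain["id"] != bootstrap["id"],        # True: tags are covered
        "legacy_accepts_plain": accept_event(plain, schnorr_stub, pq_stub, False),
        "strict_accepts_plain": accept_event(plain, schnorr_stub, pq_stub, True),
        "strict_accepts_hybrid": accept_event(hybrid_field, schnorr_stub, pq_stub, True),
    }
```

The `bootstrap` event shows the only binding the old key can offer: the tag is inside the signed data today, but once the schnorr sig itself is forgeable that binding proves nothing, which is the thread's "bootstrap, not hybrid" point.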
Yes, this is also true but not a top issue. If ECC is cracked tomorrow, the whole internet will be in flames, not just NOSTR.
Many critical parts of the internet are either hybrid migrated or fully migrated already. Chrome uses hybrid (kyber) today, Apple is basically done, iOS 26 enabled quantum-secure by default for all systemwide web traffic. Signal is basically done too, etc.
Pretty soon it'll feel like anything that can't ever be practically migrated (like the current nostr) just won't be the future. And that's regardless of what actually happens or doesn't happen with quantum computing itself, just the wider vibes.