Golden Quantum Leaps and Risks: Tokenized Gold in a Post-Quantum World
Explore the promise and pitfalls of tokenized gold as quantum technology reshapes security and ownership in digital finance.
I've wanted to write about this for ages but kept putting it off, mainly because I could never get my hands on meaningful data about who actually invests in these tokenized gold instruments and, more importantly, why. Why choose this route over countless other options? Not much has changed on that front, but lately, the topic of gold is back on my mind, mostly because I keep getting asked what I think of HSBC’s gold tokenization model and whether it’s “real.”
Another reason is entirely personal: I’m wondering whether my country album Of Love and Gold from Memory has hit the Billboard charts yet—and if not, why not, given that it’s obviously a masterpiece. Feel free to verify this yourself here.
HSBC Gold Tokenization
As for HSBC, I’d say it’s probably “real,” since they issued a press release about it. Some parts of the release sound a bit fantastical although unrelated to the gold. You can find the original release here. I had a quick look, and HSBC does, as expected, mention in their Code of Conduct that:
Practices are considered unfair, deceptive or abusive if they [..] Represent [..] something that misleads or is likely to mislead the consumer [..]
Now, I’m not saying the release announcing HSBC’s institutional and retail gold tokenization service on the Orion digital assets platform is unfair, deceptive, or abusive, definitely not abusive. Just pointing out the policy context here. I’ll admit I might have gone with a different name; "Orion" evokes Star Trek's Orion Syndicate, a fictional criminal network notorious for everything from smuggling to extortion and even worse. To boldly go where no one has gone before!
What really stood out in HSBC’s announcement was their statement on platform security: their tech partner reportedly used its tools to
"demonstrate holistic protection of digital assets such as HSBC gold tokens from a quantum computing attack and prevent 'store now, decrypt-later' (SNDL) cyber incidents."
“Demonstrate” is a strong word: it implies that a truth has been established and is supported by some evidence. So I can’t help but feel this is one of those press releases where each partner writes their own piece, leaving HSBC’s marketing team to simply hope no one scrutinizes the tech partner’s enthusiastic jargon—or lets them make claims indirectly. Marketing professionals can be cunning.
The release links to a report titled Asset Tokenization in the Quantum Age, which includes an eyebrow-raising statement:
“For tokenization platforms, the greatest near-term risks from quantum attacks are related to confidentiality. Transaction data, even if encrypted, could be stored and attacked in the future using a powerful quantum computer. To resolve this future threat, the data communications that underpin the gold tokens must be protected using PQC (Post-Quantum Computing) standards.”
This statement raises some questions. What value, really, could be derived from knowing that Mr. Leung (梁) bought a gram of gold a year ago? Does Orion even manage this level of personal data, or is that exclusively handled by HSBC in applications other than blockchain? And, if Orion is a permissioned network, does anyone beyond HSBC even have a node? The graph in the report (p. 11) suggests that HSBC’s Orion network may be largely centralized, with nodes exclusively under HSBC’s control rather than distributed widely across independent entities. In such a setup, an attacker would first need access to encrypted data before attempting to break encryption—no trivial feat, assuming competent IT practices. This centralized control would explain why Orion does not require the PQC enhancements directly, but instead, they simulate a third-party permissioned blockchain belonging to an asset manager with nodes in the UK, USA, and Japan, providing encrypted communication channels among these nodes.
It’s interesting that they had to simulate a client network, suggesting that they assume asset managers (AMs) will run their own private chains and manage their nodes in the future but seemingly not right now. If that’s the case, and there are reasons why distribution needs to be decoupled, HSBC’s involvement would indeed become superfluous.
Putting that (not completely irrelevant) question aside, Ethereum relies on an encryption approach that is not quantum-resistant. The encryption and signature algorithms chosen by HSBC are currently considered quantum-safe, but this brings us to another bold claim:
“the capability to convert HSBC’s gold tokens into ERC-20 fungible tokens, thereby enhancing distribution and interoperability with other DLTs and digital wallets.”
HSBC’s configuration uses AES-256-GCM for encryption, with p384_kyber768 as the key encapsulation mechanism (KEM) and p384_dilithium3 for signatures. These algorithms require larger key sizes than traditional cryptography, potentially doubling in size. Adopting PQC algorithms would demand modifications to Ethereum’s protocol to support such larger key sizes for both encryption and digital signatures. This is not a mere configuration change; it would involve core changes to Ethereum’s cryptographic libraries, consensus mechanisms, and data-handling protocols across all network nodes. To me, this document points to a present lack of interoperability (i.e., the opposite conclusion to what the authors claim) and reveals at least one key challenge. Given that they don’t mention others, it could also signal a lack of awareness of additional hurdles.
Converting HSBC’s gold tokens from a permissioned blockchain (like Hyperledger) to a public blockchain format like ERC-20 is neither direct nor simple due to fundamental differences in architecture and governance. When HSBC’s tokens are created in a private environment, converting them to ERC-20 while maintaining control and security raises unique custodial and regulatory challenges. While feasible in test environments or small-scale trials, such conversions pose scalability and security issues in real-world applications, especially if the tokens represent fractional ownership of physical assets.
In permissioned blockchain systems like HSBC Orion, gaining data access would require breaching a network node. But even then, these networks typically restrict what each node can access, meaning that a compromised node might only have limited visibility. Permissioned networks also incorporate security monitoring and anomaly detection, so even a quantum-powered attack might trigger alerts with any unusual behavior or unauthorized access attempts.
Beyond mere access, attackers would still face layers of encryption, key management, network permissions, and security protocols. The so-called “quantum advantage” primarily applies to breaking specific encryption algorithms but wouldn’t be sufficient to bypass a comprehensive suite of defenses in a well-protected permissioned network.
The solution of ensuring perfect randomness doesn’t offer much benefit to permissionless networks unless their design changes as well. For example, Bitcoin uses a fixed key space, and a quantum computer could theoretically try all possible keys faster than today’s classical computers. In such cases, increasing randomness doesn’t expand the key space or increase the number of possible combinations, so it’s not a real defense—and the authors seem to tacitly acknowledge this.
This leaves us with permissioned networks. HSBC’s solution here relies heavily on QRNGs, or quantum-random number generators, to generate encryption keys. Traditional computers often use pseudo-random number generators (PRNGs), which inherently follow certain patterns and can be easier to predict. Quantum randomness, on the other hand, introduces true unpredictability, making keys theoretically harder to crack.
However, knowing a system might use a potentially predictable random number generator (RNG) isn’t enough; attackers still need to figure out how it’s predictable. This is no easy task, particularly in high-security systems with layered or hybrid randomness. Modern cryptosystems, unlike older ones, don’t reveal clues about their RNGs, especially when designed with rigorous security standards.
Today’s secure systems mix various types of RNGs, combining them to make predictability even harder to exploit. Predictability isn’t “easy” to hack, especially when attackers don’t know the RNG type. Attackers face immense challenges even in identifying the nature of the randomness—let alone testing theories without detection. So, while HSBC’s press release touts “holistic protection” for digital assets, I’m not entirely convinced. Who really needs HSBC to manage this? Hard to say.
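The mixing of RNG types described above can be sketched in a few lines. This is an added example, not code from HSBC, its tech partner or the report: samples from several sources are bound to their source names and passed through HKDF, so the derived AES-256 key stays unpredictable as long as at least one independent source is sound. The source names, the `stuck_qrng` stand-in for a failed quantum RNG feed and the `info` label are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32           # bytes: one AES-256 key, matching the AES-256-GCM setup
MIN_SOURCE_BYTES = 32  # each source must contribute at least this much


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869), extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def mix_sources(samples: dict, length: int = KEY_LEN) -> bytes:
    """Derive key material that depends on every sample in `samples`."""
    if len(samples) < 2:
        raise ValueError("need at least two independent sources")
    ikm = b""
    for name in sorted(samples):
        data = samples[name]
        if len(data) < MIN_SOURCE_BYTES:
            # Fail closed: a short read would weaken the mix unnoticed.
            raise ValueError(f"source {name!r} gave only {len(data)} bytes")
        label = name.encode()
        # Length-prefix name and data so inputs cannot be re-split to collide.
        ikm += len(label).to_bytes(2, "big") + label
        ikm += len(data).to_bytes(4, "big") + data
    return hkdf_sha256(ikm, b"\x00" * 32, b"rng-mix example v1", length)


def generate_key(sources: dict) -> bytes:
    """Read MIN_SOURCE_BYTES from each callable source, then mix them."""
    return mix_sources({n: read(MIN_SOURCE_BYTES) for n, read in sources.items()})


def stuck_qrng(n: int) -> bytes:
    """Hypothetical QRNG feed that has failed and returns constant bytes."""
    return b"\x00" * n


if __name__ == "__main__":
    srcs = {"os": os.urandom, "qrng": stuck_qrng}
    print(generate_key(srcs).hex(), generate_key(srcs).hex(), sep="\n")
```

Run as a script, the two printed keys differ even though the `qrng` source is stuck, because the operating system's CSPRNG still contributes its entropy to the mix.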
What is the difference between gold ETF and tokenized gold?
“Tokenized gold offers you more direct ownership; with tokenized gold tokens, you own the gold. While gold ETFs represent a share in a fund that holds the physical gold (indirect ownership). With these, you don't actually own the gold.”
What’s unfortunate about this statement from INX, a company involved in trading tokenized assets, is not that it could be considered somewhat misleading in how it portrays facts and their consequences—I’m used to that by now (general statement, not specifically about INX). The sad thing is that if I search for “gold tokenization” on Google, Gemini AI jumps in and presents this question and answer as something I should be interested in, and, since there is no warning, the answer presumably has the explicit approval of the AI, in which case this technology still has a long way to go. And isn’t that investment advice, especially if presented without disclaimers? It underscores the need for AI to carefully contextualize financial products rather than merely echo marketing language.
And what triggered my interest in this in the first place was Paxos Gold and the claims made on their website:
“If you own PAXG, you own the underlying physical gold, held in custody by Paxos Trust Company.”
The brochure states something that sounds similar though it means something very different.
“Ownership of PAXG is the equivalent to ownership of allocated gold bars. Purchasing PAXG is free from settlement and credit risk.”
If owning something is the equivalent of owning something else, then what you own is not this something else. At least that’s the conventional meaning of the word equivalent. And what is the legal meaning? Oh and there is no settlement risk. Absolutely none. Hm?
The white paper lists a few benefits of this product.
“The benefits of building on Ethereum and ERC-20 include: The security and availability guarantees of one of the largest global blockchain networks (Ethereum) and its proof-of-work model.”
Mind you, simply updating “proof-of-work” to “proof-of-stake” would be misleading, since the benefits of building on Ethereum no longer include proof-of-work, assuming they ever did. I’m keen to see how they argue for and against something at the same time when this statement gets updated.
“In the event customers are not allocated ownership of a full gold bar, customers will own a pro-rata share of that bar as determined by PAX Gold token holdings.”
These statements suggest that unless you have bought enough tokens to make up a full gold bar, you don’t own any specific gold but rather a percentage of what’s there. You don’t own fractional gold; you own an entitlement to a portion of gold. Now, I understand why this might not be relevant to Paxos—the reason is that their product managers claim to have eliminated all settlement and credit risk from this product. Under such perfect—and, I should add, implausible—conditions, questions about what exact legal position this token represents become rather uninteresting. Perhaps this should be added to the benefits list: zero “Legal Expense Ratio (LEP)” or, even better, zero “Lawyer Expense Ratio.” Who wouldn’t love that?
Their asset report says this:
“The PAX Gold token is a cryptographic stored-value token, […] as each token represents ownership of an allocated troy ounce of London Good Delivery gold held in vaults for the benefit of the Company.”
The ‘Company’ here is Paxos, which holds this benefit.
“The London Good Delivery gold bars are stored with Brink’s Global Services Ltd., Hongkong and Shanghai Banking Corporation (HSBC), and Industrial and Commercial Bank of China Ltd (ICBC) Standard Bank. […] This report does not contemplate the impact […] on the third parties’ ability to effectively custody assets on behalf of the Company.”
I think I just made a huge discovery and found settlement and credit risk.
BlackRock says this in their prospectus concerning the same issue:
“Risks Related to the Custody of Gold: The gold bullion custody operations of the Custodian are not subject to specific governmental regulatory supervision. […] Furthermore, although the Custodian is generally regulated in the UK by the Prudential Regulation Authority and the FCA, such regulations do not directly cover the Custodian’s gold bullion custody operations in the UK. Accordingly, the Trust is dependent on the Custodian […]”
This isn’t a “gotcha” moment just yet because BlackRock may have negotiated unfavorable terms.
“The Custodian Agreement provides for indemnification of the Custodian by the Trust under certain circumstances. This means that it may be necessary to sell assets of the Trust in order to cover losses or liability suffered by the Sponsor or the Custodian. Any sale of that kind would reduce the net asset value of the Trust and the value of the Shares.”
Perhaps Paxos has a more generous indemnification, but it would not eliminate settlement risk—it would merely reduce the expected financial loss.
I am not making any argument here for or against investing in any product mentioned, and I am not providing any financial advice. I am simply saying accurate and clear documentation is needed if we want orderly and fair markets, and both TradFi and NewFi can do better. And to Google Gemini—please, your AI kid muss nachsitzen (is up for detention).