Research Report · Vol. I · Published May 2026

The State of Quantum

What Crypto Can't Afford to Ignore

Quantum computing is no longer a distant threat. Three papers in twelve months compressed the resources needed to break elliptic curve cryptography by an order of magnitude. Every major blockchain relies on signatures Shor's algorithm will break. This report maps where the technology stands, how exposed the industry is, and what a credible response looks like.

  • $2T+ in digital assets secured by quantum-vulnerable cryptography
  • <500K physical qubits now estimated to be sufficient to break ECDSA-256
  • 20× reduction in estimated qubit requirements in twelve months
  • 2030: NIST target for deprecating 112-bit-security RSA and ECC (RSA-2048, ECC-256), with full disallowance by 2035
Executive Summary

The case for acting now

The math has been settled since 1994. The engineering is catching up faster than the industry acknowledges. And the window to act is narrower than current assumptions allow.

In 1994, Peter Shor showed that a sufficiently powerful quantum computer could break RSA and elliptic curve cryptography in polynomial time. Every major blockchain relies on elliptic curve signatures. The open question is when quantum hardware will cross the threshold to run Shor's algorithm at scale.

Expert estimates compressed sharply in 2024 and 2025. Google's Willow chip demonstrated that logical error rates can decrease as quantum systems scale. Quantinuum and IonQ pushed gate fidelity past the thresholds required for practical error correction. Software optimizations reduced the estimated resources needed to break RSA-2048 by roughly an order of magnitude. Scott Aaronson, one of the field's most prominent skeptics, now considers it "a live possibility" that a fault-tolerant quantum computer capable of running Shor's algorithm exists before the next US presidential election. DARPA plans for 2033. NIST plans for 2030.

Blockchains are exposed in ways most digital systems are not. Public keys on blockchains are published permanently and often managed by individual users. Web2 can manage cryptography upgrades via server-side pushes. Blockchains require coordinated migration across millions of independent users, wallet providers, and exchanges.

Post-quantum cryptographic standards already exist. NIST finalized ML-DSA (Dilithium), ML-KEM (Kyber), and SLH-DSA (SPHINCS+) in August 2024. Post-quantum signatures, once the public key that must travel with them is counted, are roughly sixteen to eighty times larger than ECDSA, which creates throughput challenges for blockchains.

Bitcoin's migration path is the industry's hardest problem. BIP 360 is the most developed proposal but has not achieved consensus. Millions of Bitcoin sit in addresses whose owners have lost access. Any migration scheme must decide what happens to those coins, with no clean consensus in sight.

"There is no guarantee that new quantum-proof architectures will be built and appropriate transitions will be implemented across the network at scale in a timely manner."
BlackRock · iShares Bitcoin Trust ETF Prospectus, May 2025.32

Internet infrastructure and messaging platforms are already moving. Cloudflare now protects most human web traffic with post-quantum encryption. Signal and iMessage deployed post-quantum protocols to billions of users. Google and Cloudflare have committed to a 2029 deadline for full post-quantum migration. By contrast, Stripe's new Tempo blockchain launched in 2026 using cryptography vulnerable to quantum attacks.

Migration will take years. An industry response is necessary now. The cost of preparing early is managing larger transaction sizes. The cost of preparing late is loss of funds, regulatory intervention, and a crisis of institutional confidence. Every quarter of inaction narrows the window.

Section I
The Quantum Landscape

The year quantum got real

In 2024 and 2025, quantum computing crossed a threshold that had stood for thirty years. What follows is where the field actually stands — measured in gate fidelity, logical qubit counts, and dollars invested.

Hardware milestones

Google Willow (December 2024) delivered a result the field had been waiting decades for: exponential suppression of errors as the system scaled. As Google grew its surface code from distance 3 (a 3×3 data-qubit grid) to distance 5 to distance 7, the logical error rate fell by roughly a factor of two at each step, the below-threshold behaviour that fault-tolerant quantum computing requires. In October 2025, Google demonstrated quantum advantage on the same architecture, running a computation approximately 13,000 times faster than the best known classical method.1,2

IBM Condor and Starling (2023–2025): IBM's Condor remains the largest superconducting processor publicly announced, with 1,121 physical qubits. More significant is the Starling initiative (June 2025), targeting the world's first large-scale fault-tolerant quantum computer, with a roadmap to 200 logical qubits by 2029 — a milestone that would place cryptographically relevant computation within reach of subsequent engineering cycles.3

Quantinuum Helios (November 2025) achieved 99.921% two-qubit gate fidelity with 98 physical qubits and 48 logical error-corrected qubits — reducing the number of physical qubits needed per logical qubit and compressing the timeline to practically useful machines.4

Google Dual-Modality (March 2026): alongside its superconducting architecture, Google is now building a parallel neutral atom capability. Multiple viable architectures advancing in parallel means progress is no longer contingent on any single approach clearing its remaining engineering hurdles.42,43

The error correction inflection point

A quantum computer powerful enough to threaten elliptic curve cryptography requires, on the March 2026 estimate, roughly 1,200 to 1,450 logical qubits, each constructed from many physical qubits that cross-check each other. The ratio depends entirely on hardware error rates: higher fidelity means fewer physical qubits per logical qubit, meaning smaller, cheaper, more buildable machines.

The 2024–2025 results, taken together, describe an industry closing in on the fundamental physics problem that constrained the field for thirty years. Google Willow proved logical error rates decrease as you add more physical qubits. Quantinuum Helios achieved 99.921% gate fidelity on trapped ions. IonQ demonstrated greater than 99.99% two-qubit gate fidelity in October 2025.5 Oxford researchers demonstrated single-qubit gate errors as low as 10⁻⁷, approaching thresholds where error correction becomes remarkably efficient.6 What remains is engineering.

  • 99.921% two-qubit gate fidelity: Quantinuum Helios, Nov 2025, the highest recorded on a commercial system
  • ~1,200–1,450 logical qubits to break ECDSA-256 (Google, March 2026)
  • 2033: DARPA planning target for utility-scale quantum computation

The Google ECDSA whitepaper

On March 30, 2026, Google Quantum AI published a whitepaper co-authored by nine researchers spanning Google, UC Berkeley, Stanford, and the Ethereum Foundation — with direct implications for every major blockchain: elliptic curve cryptography can be broken with substantially fewer resources than any prior estimate suggested.37,38

Roughly 1,200 to 1,450 logical qubits and 70–90 million Toffoli gates are sufficient to execute Shor's algorithm against a 256-bit elliptic curve key, with a runtime measured in minutes. In physical qubits the estimate falls below 500,000, against the roughly 9 million of the prior leading estimate (Litinski, 2023), a roughly 20-fold reduction. The paper also surfaces a compounding vulnerability: Taproot, Bitcoin's most recent major upgrade, places key material directly on-chain in a way that lowers the computational cost of the attack against Taproot-format addresses.40

Google disclosed the findings responsibly, publishing verification through a zero-knowledge proof allowing independent parties to confirm the resource estimates without accessing the underlying attack circuits.

  • ~9M physical qubits: Litinski, 2023
  • ~1M physical qubits (RSA-2048): Gidney, May 2025
  • <500K physical qubits: Google ECDSA whitepaper, March 2026

Revised timelines

As recently as 2022, most institutional forecasts placed a cryptographically relevant quantum computer 15–30 years out. Today, governmental planning horizons cluster around 2030–2033. DARPA is planning for 2033. NIST is planning for deprecation by 2030. Marin Ivezic revised his estimate to 2030 in June 2025, citing the compound effect of simultaneous improvements in hardware, software, and error correction.8 A paper by Dallaire-Demers, Doyle, and Foo (August 2025) documented an order-of-magnitude drop in estimated physical qubit requirements to break ECC-256 between 2010 and 2025 — the resource requirements have been falling consistently and the trend line points in one direction.9

"Your confidence might then be like most physicists' confidence in 1938 that nuclear weapons were decades away, or like my own confidence in 2015 that an AI able to pass a reasonable Turing Test was decades away."
Scott Aaronson, Shtetl-Optimized, November 2025.10

Global investment

Global investment now exceeds $40 billion across public and private sectors. DARPA's Quantum Benchmarking Initiative has advanced 11 companies to Stage B evaluation for utility-scale computation by 2033. The US Department of Energy announced $625 million in new funding in early 2025. The EU requires migration of high-risk systems by 2030 and full transition by 2035. The UK's National Cyber Security Centre has outlined an even more structured timeline: inventory of cryptographic dependencies by 2028, migration of high-priority systems by 2031, and full transition by 2035.12,13,15,16

China's posture warrants separate attention. The November 2025 Annual Report to the US-China Economic and Security Review Commission stated that China "has mobilized state-scale investment and industrial coordination to dominate quantum systems and standards" and is "likely concealing the location and status of its most advanced efforts." The pattern across all these initiatives is consistent: governments are planning for a world in which quantum computing matures, and they are acting with urgency.18

Section II
Why Crypto Is Uniquely Vulnerable

The attack surface that never closes

The quantum threat to cryptography is not unique to crypto. What is unique is how hard crypto is to fix — and how permanently exposed it already is.

ECDSA: one algorithm, trillions at risk

Shor's algorithm solves the discrete logarithm problem in polynomial time. Every signature scheme built on elliptic curves — ECDSA, Schnorr, Ed25519 — falls to the same attack. This has been proven since 1994. More than $2 trillion in digital assets are secured by precisely this class of cryptography.36

The Google March 2026 whitepaper surfaces a compounding vulnerability specific to Bitcoin: Taproot, the network's most recent major protocol upgrade, exposes key material on-chain in a way that lowers the computational cost of running Shor's algorithm against Taproot-format addresses. This is an unintended second-order consequence of a performance and privacy optimisation.37,40

A common deflection is that "SHA-256 is quantum-resistant," which is true but irrelevant. SHA-256 is Bitcoin's hash function, and the best known quantum attack on it, Grover's search, offers at most a quadratic speedup, leaving a 128-bit security margin that remains out of reach. The vulnerable component is secp256k1, the elliptic curve scheme authenticating every transaction, where Shor's algorithm gives an exponential speedup. Conflating the two is a category error that has led to dangerous complacency.36

  • $2T+ in digital assets secured by elliptic curve signatures, all vulnerable to a sufficiently powerful quantum computer
  • ~1M BTC in Satoshi-era P2PK addresses: public key already on-chain, immediately vulnerable at Q-Day

The signature size problem

Post-quantum signature schemes produce dramatically larger signatures, and the overhead does not stop at the signature itself. ECDSA has a useful property: from the message hash, the signature and a two-bit recovery id, a verifier can recompute the signer's public key, so a transaction need not carry the key at all (Ethereum relies on this; Bitcoin's script model still ships the key in the input, so the table below counts it). Lattice- and hash-based schemes offer no such recovery: both the signature and the full public key must travel with every transaction.
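To make the recovery property concrete, here is an added example written for this edit (not code from the report or from any wallet project): a dependency-free Python implementation of secp256k1 ECDSA that signs a message hash, recovers the signer's public key from (r, s, recovery id) alone, and then shows that a tampered hash neither verifies nor recovers to the same key. The curve constants are the public secp256k1 parameters; the private key, message and nonce are constructed for the demo, and the nonce derivation is a placeholder rather than RFC 6979.

```python
"""ECDSA public-key recovery on secp256k1, in dependency-free Python.

Added example for this edit, not code from the report. Curve constants are the
public secp256k1 parameters; the key, message and nonce in demo() are
constructed placeholders (real signers derive k per RFC 6979 or from a CSPRNG).
"""
import hashlib
from typing import Optional, Tuple

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt: Point) -> Point:
    return None if pt is None else (pt[0], (-pt[1]) % P)

def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc: Point = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign(priv: int, z: int, k: int) -> Tuple[int, int, int]:
    """Return (r, s, recid), low-s normalised as Bitcoin and Ethereum require."""
    k %= N
    R = mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    recid = (R[1] & 1) | (2 if R[0] >= N else 0)  # parity of R.y plus overflow flag
    if s > N // 2:
        s, recid = N - s, recid ^ 1  # negating s is the same as using -R
    return r, s, recid

def recover(z: int, r: int, s: int, recid: int) -> Point:
    """Recover Q = r^-1 (s*R - z*G): the signer's key from signature and hash alone."""
    x = r + (N if recid & 2 else 0)
    if x >= P:
        raise ValueError("invalid recovery id")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt, valid since P % 4 == 3
    if (y * y - x * x * x - 7) % P:
        raise ValueError("r is not the x-coordinate of a curve point")
    if (y & 1) != (recid & 1):
        y = P - y
    return mul(pow(r, -1, N), add(mul(s, (x, y)), neg(mul(z % N, G))))

def verify(pub: Point, z: int, r: int, s: int) -> bool:
    """Standard ECDSA verification, which needs the public key as an input."""
    if pub is None or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    Rp = add(mul(z * w % N, G), mul(r * w % N, pub))
    return Rp is not None and Rp[0] % N == r

def hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def demo() -> dict:
    """Sign a constructed transaction hash, recover the key, then try a tampered hash."""
    priv = hash_int(b"demo signer, not a real key") % N
    pub = mul(priv, G)
    z = hash_int(b"spend 1 BTC to bob")
    r, s, recid = sign(priv, z, hash_int(b"demo nonce, not RFC 6979"))
    z_forged = hash_int(b"spend 100 BTC to mallory")
    return {
        "recovered_matches_signer": recover(z, r, s, recid) == pub,
        "signature_verifies": verify(pub, z, r, s),
        "forged_hash_verifies": verify(pub, z_forged, r, s),
        "forged_hash_recovers_signer": recover(z_forged, r, s, recid) == pub,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30} {result}")
```

Run it directly to print the four checks. The point arithmetic is plain affine double-and-add, so it is neither constant-time nor suitable for anything beyond illustration. The contrast with ML-DSA and SLH-DSA is the point: their verifiers take the public key as an input and have no way to derive it, which is why every post-quantum transaction must carry the key.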

Scheme                     Security            Payload (signature + public key)   vs ECDSA
ECDSA (secp256k1)          not quantum-safe    97 bytes                           1×
Ed25519                    not quantum-safe    96 bytes                           1×
Falcon-512                 NIST Level 1        1,563 bytes                        16×
ML-DSA-44 (Dilithium)      NIST Level 2        3,732 bytes                        38×
ML-DSA-65 (Dilithium)      NIST Level 3        5,261 bytes                        54×
ML-DSA-87 (Dilithium)      NIST Level 5        7,219 bytes                        74×
SLH-DSA-128s (SPHINCS+)    NIST Level 1        7,888 bytes                        81×

Payload counts a 64-byte compact ECDSA signature plus a 33-byte compressed key. ML-DSA figures use the final FIPS 204 parameters, whose Level 3 and Level 5 signatures (3,309 and 4,627 bytes) are slightly larger than the round-3 Dilithium figures.

  • ~4 MB: Bitcoin's effective block size limit (4 million weight units)
  • ÷10: transaction capacity reduction with ML-DSA-87 signatures
  • ÷2: capacity reduction even with Falcon-512, the most compact option

Harvest now, crack later

The cryptographic material a quantum computer would target is already public — permanently recorded on a ledger anyone can download today. There is no interception required, no storage costs, no intelligence operation. The attack surface is open, permanent, and growing with every transaction that reveals a public key.20

The traditional internet has taken this threat seriously. Cloudflare now protects the majority of human-initiated web traffic with post-quantum encryption. Signal deployed its PQXDH key exchange protocol in 2023 and followed with the SPQR protocol in October 2025. Apple rolled out PQ3 post-quantum encryption for iMessage in February 2024. These upgrades were deployed invisibly, requiring no action from users. Blockchain faces a more persistent version of this problem. Any address holding unspent funds with an exposed public key remains economically consequential for as long as those funds sit there — with no expiration on the threat.

The exposed address problem

Not all Bitcoin addresses are equally vulnerable. In Bitcoin's original P2PK format, the public key is stored directly in the output script, so every coin held there is vulnerable the moment a quantum computer can run Shor's algorithm. This includes the estimated one million Bitcoin mined by Satoshi Nakamoto, worth approximately $100 billion at current valuations.21 Later P2PKH and P2WPKH formats store only a hash of the public key, but the key is revealed the first time an address spends, and it stays revealed: a reused address whose owner has ever spent from it is as exposed as P2PK. Taproot (P2TR) outputs once again place a public key, the tweaked x-only output key, directly in the script, and its discrete log is exactly what a key-path spend requires.
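As an added example for this section (written for this edit, not code from the report), the following Python classifies Bitcoin outputs by whether a quantum attacker could already target them: it matches the standard scriptPubKey templates, flags P2PK and P2TR outputs, whose key sits in the script, and flags hash-based outputs whose key hash matches a public key already revealed in an earlier spend. The UTXO set, the byte patterns standing in for keys, and the set of previously revealed key hashes are constructed for the demo; a real scan would build that set from the public keys seen in every scriptSig and witness in the chain.

```python
"""Which Bitcoin outputs already expose key material a quantum attacker could target?

Added example for this edit, not code from the report. The scriptPubKey templates
are the standard Bitcoin output types; the UTXO set and the set of previously
revealed key hashes below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_exposed: bool  # can Shor's algorithm be pointed at this output today?
    reason: str


def parse_script_pubkey(spk: bytes) -> tuple[str, bytes | None]:
    """Match the standard output templates; return (type, key-or-hash payload)."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:   # <pubkey> OP_CHECKSIG
        return "P2PK", spk[1:-1]
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", spk[3:23]   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:   # OP_HASH160 <20> OP_EQUAL
        return "P2SH", spk[2:22]
    if n == 22 and spk[:2] == b"\x00\x14":                      # OP_0 <20>
        return "P2WPKH", spk[2:]
    if n == 34 and spk[:2] == b"\x00\x20":                      # OP_0 <32>
        return "P2WSH", spk[2:]
    if n == 34 and spk[:2] == b"\x51\x20":                      # OP_1 <32-byte x-only key>
        return "P2TR", spk[2:]
    return "unknown", None


def classify(spk: bytes, revealed_key_hashes: frozenset[bytes]) -> Exposure:
    kind, payload = parse_script_pubkey(spk)
    if kind == "P2PK":
        return Exposure(kind, True, "public key is the output script itself")
    if kind == "P2TR":
        return Exposure(kind, True, "tweaked x-only key is in the script; its discrete log signs a key-path spend")
    if kind in ("P2PKH", "P2WPKH"):
        if payload in revealed_key_hashes:
            return Exposure(kind, True, "hash matches a key already revealed by an earlier spend (address reuse)")
        return Exposure(kind, False, "only HASH160(pubkey) on-chain until first spend")
    if kind in ("P2SH", "P2WSH"):
        return Exposure(kind, False, "script hash only; inner keys appear when the script is spent")
    return Exposure(kind, False, "non-standard script; inspect by hand")


def scan(utxos: list[tuple[str, bytes, int]], revealed_key_hashes: frozenset[bytes]) -> dict:
    """Return per-output exposure and the total value (sats) targetable today."""
    rows, at_risk = [], 0
    for label, spk, value in utxos:
        exp = classify(spk, revealed_key_hashes)
        rows.append((label, exp.script_type, exp.key_exposed, value))
        if exp.key_exposed:
            at_risk += value
    return {"rows": rows, "sats_at_risk": at_risk, "sats_total": sum(v for _, _, v in utxos)}


# Constructed sample UTXO set (repeated bytes stand in for keys and hashes).
DEMO_UTXOS = [
    ("satoshi-era p2pk", b"\x41" + b"\x04" + b"\x11" * 64 + b"\xac", 5_000_000_000),
    ("fresh p2pkh", b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 100_000),
    ("reused p2pkh", b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", 250_000),
    ("p2wpkh", b"\x00\x14" + b"\x44" * 20, 75_000),
    ("p2sh multisig", b"\xa9\x14" + b"\x55" * 20 + b"\x87", 1_000_000),
    ("taproot", b"\x51\x20" + b"\x66" * 32, 300_000),
]
# HASH160 values of public keys already seen in earlier spends (constructed).
DEMO_REVEALED = frozenset({b"\x33" * 20})

if __name__ == "__main__":
    report = scan(DEMO_UTXOS, DEMO_REVEALED)
    for label, kind, exposed, value in report["rows"]:
        print(f"{label:18} {kind:7} exposed={exposed!s:5} {value:>14,} sats")
    print(f"at risk today: {report['sats_at_risk']:,} of {report['sats_total']:,} sats")
```

The at-risk total is a lower bound: P2SH and P2WSH outputs whose redeem script has been spent before are just as exposed as a reused P2PKH address, and the classifier only knows the templates listed. What it does show is the asymmetry the section describes: the P2PK and Taproot outputs are exposed without their owners having done anything, and the hash-based outputs stay safe only until their first spend.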

The lost coin dilemma

An estimated 2.3 to 3.7 million Bitcoin are permanently lost, held in addresses whose owners have lost access to their private keys. These coins cannot be migrated. Any migration scheme must resolve what happens to them — and there is no clean answer. Burning or freezing them establishes the precedent that the network can confiscate holdings. Leaving them creates a permanent pool of exposed assets claimable by whoever operates a sufficient quantum computer. The Satoshi coins represent the sharpest version of this dilemma: a quantum attacker that steals and dumps them could impose a crisis of confidence that would be catastrophic for the market.22


Beyond wallets: the full attack surface

The public conversation around quantum threats has focused primarily on wallet security. This significantly understates the scope of exposure.

DeFi protocols. Smart contracts that custody billions rely on the same elliptic curve signatures for access control, governance votes, and oracle attestations. A quantum-capable attacker could forge signatures to drain liquidity pools, manipulate governance votes, or corrupt price feeds.

Stablecoin admin keys. Stablecoins like USDC and USDT are managed through admin keys controlling minting, burning, and address freezing. A quantum attacker who derives a minting key could mint an unlimited supply, crash the peg, and trigger cascading liquidations across every DeFi protocol that holds it as collateral. USDC and USDT collectively serve as the base collateral layer for hundreds of billions of dollars in DeFi positions.

Cross-chain bridges. Bridges rely on validator signatures and cryptographic attestations. Bridge exploits have already accounted for billions in losses using classical attack vectors. Quantum capability adds an entirely new class of attack.

Governance contracts. On-chain governance systems controlling protocol upgrades, treasury disbursements, and parameter changes rely on cryptographic signatures to authenticate votes. Quantum forgery of governance signatures could enable hostile takeover of protocols.

The attack surface is a systemic vulnerability woven through every layer of the decentralised finance stack. Addressing wallet security alone only covers the most visible component of a much deeper structural exposure.

Section III
How The Industry Responds

The tools exist. The adoption doesn't.

NIST finalised post-quantum standards in August 2024. The defensive algorithms are ready. The open question is whether adoption will outrun the hardware.

NIST post-quantum standards

In August 2024, after nearly a decade of evaluation, NIST finalised its first suite of post-quantum cryptographic standards: ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) as the primary replacement for ECDSA, and SLH-DSA (SPHINCS+) as a hash-based alternative. A fourth standard based on Falcon, FN-DSA (FIPS 206), is expected in 2026. The defensive algorithms exist. They are ready for deployment.19

Bitcoin

Bitcoin faces the most difficult quantum migration challenge in the ecosystem: governance deadlock, chain bloat, lost coins, no hardware wallet support for post-quantum schemes, and the requirement that every user actively migrate their own funds.

BIP 360 (Pay-to-Merkle-Root), proposed by Hunter Beast, is the most developed migration path — a new address type compatible with post-quantum signature algorithms, designed as a soft fork preserving backward compatibility. Crucially, BIP 360 introduces the address type but does not add support for post-quantum signatures themselves. That will require a separate fork. As of early 2026, BIP 360 has not achieved consensus.24

Ethereum

Vitalik Buterin stated in November 2025 that elliptic curves are "on their way out because of looming quantum risk." The Ethereum Foundation has elevated post-quantum security as a top research priority, and multiple EIPs have explored migration strategies including emergency hard-fork transition paths.25

Ethereum's governance advantage over Bitcoin is concrete: its community has demonstrated capacity to execute hard forks (the DAO fork, the Merge) when the Foundation, core developers, and validators align. A post-quantum hard fork is politically conceivable within Ethereum's model in a way it is not within Bitcoin's. However, Ethereum's smart contract ecosystem creates additional complexity — every contract performing signature verification or cryptographic operations would need to be updated or replaced. As of early 2026, no concrete implementation timeline exists.

Solana

Solana uses Ed25519 signatures, which like ECDSA are vulnerable to Shor's algorithm. There is a meaningful structural advantage: because Ed25519 keys are deterministically derived from a seed per RFC 8032, users can authorise new quantum-resistant signatures through zero-knowledge proofs tied to that seed, without changing addresses or generating new key material — a backward-compatible path that works even for accounts with already-exposed keys.35 Project Eleven deployed a functioning post-quantum signature system on Solana's testnet and raised a $20M Series A in January 2026.27 Solana's core value proposition — high throughput and low transaction costs — is in direct tension with the larger signatures post-quantum migration requires.

NEAR

NEAR has a structural migration advantage: account identity is decoupled from cryptography and tied to human-readable account IDs rather than a fixed public key. Accounts support rotatable access keys and can hold multiple keys simultaneously, allowing migration to future signature schemes without changing account identity. NEAR One is actively developing support for FIPS-204 ML-DSA (Dilithium), initially targeting testnet deployment. NEAR's Chain Signatures architecture, which lets accounts and contracts request MPC-generated signatures for outbound transactions on other chains, concentrates the migration burden in the MPC operator set and wallet layer rather than forcing every user to move assets to a new address.

Building quantum-native from genesis

A small number of projects have taken the only approach that eliminates the migration problem entirely: building post-quantum systems from inception. Quantus uses ML-DSA-87 for all transaction signatures — NIST Level 5 — with Plonky2 ZK aggregation for scalability using Poseidon2 hash functions, on Substrate's forkless upgrade infrastructure. Every transaction, from the genesis block forward, is quantum-secure.28

  • ML-DSA-87 from genesis: NIST Level 5, the highest standardised security tier, used by Quantus from block one
  • Zero migration required for quantum-native genesis chains
  • Forkless upgrades via Substrate on-chain governance

The traditional sector moves faster

Cloudflare announced in October 2025 that post-quantum encryption now protects the majority of human-initiated traffic on its network. Google and Cloudflare jointly committed to a 2029 deadline for full post-quantum migration. Signal deployed PQXDH in 2023 and SPQR in October 2025. Apple rolled out PQ3 for iMessage in February 2024. These upgrades were invisible to users. Stripe's Tempo, launched in 2025–2026 after NIST finalised post-quantum standards, uses secp256k1 and P-256 — both quantum-vulnerable. The decision to build a new blockchain on quantum-vulnerable primitives, after the standards for replacement exist, illustrates how far the industry has to go.30

  • 2029: Google and Cloudflare's committed deadline for full post-quantum migration
  • Billions of users already protected via Signal PQXDH and Apple PQ3, with no user action required

Capital flows toward the problem

Early but meaningful capital signals suggest the investment community is beginning to take the quantum threat seriously. Coinbase established an independent quantum computing advisory board in January 2026 — the largest US-based exchange signalling quantum risk is material enough to warrant dedicated institutional attention.29 Beyond Project Eleven's $20M raise, a16z and other major crypto venture firms have begun directing research funding toward post-quantum infrastructure. The Messari research platform has published dedicated coverage of quantum risk to digital assets. These are early signals. The smart money is beginning to position for a transition that, on arrival, will reward preparation and punish complacency.

Section IV
The Migration Challenge

There are two ways to get a quantum-safe blockchain. Migration is patching a moving airplane. Genesis is designing the airplane correctly before takeoff.

Migration versus genesis

Migration requires every participant in a decentralised network to take coordinated action: consensus on algorithms, backward-compatible protocol changes, wallet updates, user education, exchange support, and a governance process capable of resolving inevitable disagreements — all before a quantum computer makes the exercise moot.

Systems designed around post-quantum cryptography from inception face none of these challenges. No legacy addresses to migrate, no exposed public keys in the transaction history, no governance deadlock, no throughput crisis from signature bloat.

ML-DSA (Dilithium): tradeoffs

ML-DSA is built on lattice cryptography, one of the most extensively studied foundations in post-quantum research. ML-DSA-87 offers NIST Level 5 security, the highest standardised tier. Signature verification is fast. The tradeoff is size: under FIPS 204, ML-DSA-87 produces signatures of 4,627 bytes and public keys of 2,592 bytes (the round-3 Dilithium5 signature was 4,595 bytes), versus 97 bytes of combined cryptographic payload for an ECDSA-signed Bitcoin transaction. A Bitcoin block filled entirely with ML-DSA-87 signed transactions would carry roughly an order of magnitude fewer transactions.23

Zero-knowledge proofs are not automatically quantum-safe

The quantum safety of a ZK system depends entirely on the cryptographic primitives it uses. Proof systems whose soundness or commitments rest on elliptic curve discrete logarithms or pairings (Groth16, PLONK with KZG commitments, Bulletproofs) are quantum-vulnerable. Hash-based systems (STARKs built on FRI) rely only on collision-resistant hashing and are believed quantum-safe. Even a STARK-based proof system can have quantum-vulnerable signatures, bridges, or custody around it.

The new trilemma

The original blockchain trilemma pits scalability, security, and decentralisation against each other. The quantum transition introduces a new version: quantum security, privacy, and scalability. Post-quantum signatures increase the per-transaction signature payload by 16× to 81× (74× for ML-DSA-87). Scalability becomes the binding constraint.

  • Quantum security: ML-DSA-87 at NIST Level 5, 74× larger signature payload per transaction than ECDSA.
  • Privacy: ZK-based privacy adds further cryptographic overhead on top of larger post-quantum signatures.
  • Scalability: the binding constraint; it degrades unless the system was architected for post-quantum from day one.

The institutional calculus

For institutional investors and fiduciaries evaluating long-term digital asset exposure, the migration-versus-genesis distinction has direct implications for risk assessment. A digital asset secured by a chain with a credible quantum migration plan carries bounded but uncertain quantum risk — it depends on whether migration succeeds, completes before Q-Day, and whether governance challenges resolve in time. A digital asset secured by a quantum-native chain carries bounded and more readily quantifiable quantum risk, limited to the possibility that the underlying post-quantum algorithms themselves are broken — a risk that applies equally to every post-quantum system, including those protecting banking and military communications.

BlackRock's amended prospectus for the iShares Bitcoin Trust (IBIT), filed with the SEC on May 9, 2025, made this risk explicit — warning that quantum computing could "allow a malicious actor to compromise the wallets holding bitcoin owned by the Trust" and cautioning that "there is no guarantee that new quantum-proof architectures will be built and appropriate transitions will be implemented across the network at scale in a timely manner." BlackRock tripled the length of its quantum risk disclosure compared to the original filing.32

Section V
Three Scenarios

What happens next

None of what follows is a prediction. These are planning frameworks — ways to stress-test positioning against different timelines and levels of urgency.

  • A
    The Managed Transition
    Five or more years
    A cryptographically relevant quantum computer does not emerge until 2032 or later. The industry coordinates. Bitcoin achieves rough consensus on a post-quantum soft fork. Ethereum executes a hard fork. Even in this best case, losses from unmigrated users and irrecoverable lost coins are inevitable. The managed transition is achievable — but requires sustained coordination the industry has not yet demonstrated.
  • B
    Compressed Timeline
    Two to three years
    Quantum computing breakthroughs outpace institutional forecasts. Emergency chain halts. Forced asset migrations. Governance challenges compress into weeks with billions at stake. Capital flows decisively away from quantum-vulnerable chains. Every blockchain passes through the Great Quantum Filter. The ones that prepared survive; the ones that didn't enter a self-reinforcing decline cycle.
  • C
    Covert Exploitation
    Unknown window
    A sophisticated state actor develops quantum capability and chooses not to disclose it. The attack surface requires no intelligence operation — every exposed public key already sits on a public ledger. Gradual extraction keeps individual thefts below the threshold of industry alarm. The November 2025 Congressional report assessed that China "is likely concealing the location and status of its most advanced quantum computing efforts."

The asymmetry of outcomes is stark. The cost of preparing too early is manageable. The cost of preparing too late is severe and structural.

Every quarter of inaction narrows the window. Hardware milestones are accelerating. Software optimisations are compressing qubit requirements. Governments are planning for 2030. The question is whether the cryptocurrency industry will plan with them — or be planned for.