What Crypto Can't Afford to Ignore
Quantum computing is no longer a distant threat. Three papers in twelve months compressed the resources needed to break elliptic curve cryptography by an order of magnitude. Every major blockchain relies on signatures Shor's algorithm will break. This report maps where the technology stands, how exposed the industry is, and what a credible response looks like.
In 1994, Peter Shor showed that a sufficiently powerful quantum computer could break RSA and elliptic curve cryptography in polynomial time. Since then, engineers have been racing to catch up to the theory. Every major blockchain relies on elliptic curve signatures. The open question: When will quantum hardware cross the threshold to run Shor's algorithm at scale?
Expert estimates compressed sharply in 2024 and 2025. Google's Willow chip demonstrated that logical error rates can decrease as quantum systems scale. Quantinuum and IonQ pushed gate fidelity past the thresholds required for practical error correction. Software optimizations reduced the estimated resources needed to break RSA-2048 by roughly an order of magnitude. Scott Aaronson, one of the field's most prominent skeptics, now considers it "a live possibility" that a fault-tolerant quantum computer capable of running Shor's algorithm exists before the next US presidential election. DARPA plans for 2033. NIST plans for 2030.
Blockchains are exposed in ways most digital systems are not. Public keys on blockchains are published permanently and often managed by individual users. Web2 can manage cryptography upgrades via server-side pushes. Blockchains require coordinated migration across millions of independent users, wallet providers, and exchanges.
Post-quantum cryptographic standards already exist. They are ready for deployment. NIST finalized ML-DSA (Dilithium), ML-KEM (Kyber), and SLH-DSA (SPHINCS+) in August 2024. Post-quantum signatures are ten to seventy times larger than ECDSA, which creates throughput challenges for blockchains.
Bitcoin's migration path is the industry's hardest problem. Its governance process has failed to produce broad support for a post-quantum protocol upgrade. BIP 360 is the most developed proposal but has not achieved consensus. Millions of Bitcoin sit in addresses whose owners have lost access. Any migration scheme must decide what happens to those coins, with no clean consensus in sight.
The market has taken notice of Bitcoin's inadequate response to the quantum threat. BlackRock tripled the length of the quantum risk disclosure section in its IBIT Bitcoin ETF prospectus in May 2025, warning that quantum computing could "allow a malicious actor to compromise the wallets holding bitcoin owned by the Trust" and cautioning that "there is no guarantee that new quantum-proof architectures will be built and appropriate transitions will be implemented across the network at scale in a timely manner."
Internet infrastructure and messaging platforms are moving to post-quantum cryptography (PQC). Cloudflare now protects most human web traffic with post-quantum encryption. Signal and iMessage deployed post-quantum protocols to billions of users. Google and Cloudflare have committed to a 2029 deadline for full post-quantum migration. By contrast, Stripe's new Tempo blockchain launched in 2026 using cryptography vulnerable to quantum attacks.
Migration will take years. An industry response is necessary now. The cost of preparing early is managing larger transaction sizes. The cost of preparing late is loss of funds, regulatory capture, and a crisis of institutional confidence. Every month of inaction narrows the window.
Quantum computing has entered a phase of measurable, accelerating progress. The milestones of 2024 and 2025 mark a shift in what the field believes is possible, and how soon.
Practitioners in the crypto industry don't need to be experts in quantum computing, but we should be aware of the landscape so as not to misread the rate of technical progress.
Matt Swayne, Chief Content Officer at Resonance, the market intelligence group that publishes The Quantum Insider, frames it directly: "We often hear about quantum hype, but we also have to be aware that the quantum industry is underselling its progress. If so, companies and organizations, particularly in the crypto industry, should be aware of the landscape and options to mitigate any potential threat."
The pace of hardware development across multiple competing architectures has accelerated significantly. Four announcements in particular have reshaped both expert and institutional expectations.
Google Willow (December 2024). Google's Willow chip, a 105 physical qubit superconducting processor, delivered a result the field had been waiting decades for: exponential suppression of errors as the system scaled. Historically, adding more qubits to a quantum processor introduced more noise, making large-scale computation practically impossible. Willow demonstrated the opposite. As Google increased its qubit lattice from a 3x3 grid to a 5x5 grid to a 7x7 grid, the logical error rate decreased exponentially at each step. This is the foundational requirement for fault-tolerant quantum computing. Willow is an experimental logical-qubit demonstration rather than a fault-tolerant system, but it shows that the scaling behavior holds in practice and not only in theory.1
In October 2025, Google followed up by demonstrating "quantum advantage" on the same Willow architecture, running a computation approximately 13,000 times faster than a classical computer.2
IBM Condor and Starling (2023-2025). IBM's Condor processor remains the largest superconducting quantum processor publicly announced, with 1,121 physical qubits. The more significant recent development is IBM's Starling initiative (June 2025), which aims to deliver the world's first large-scale, fault-tolerant quantum computer. IBM's roadmap targets 200 logical qubits by 2029, a milestone that would place cryptographically relevant computation within reach of subsequent engineering cycles.3
Quantinuum Helios (November 2025). Quantinuum's Helios processor demonstrated the viability of a competing architecture: trapped-ion qubits. With 98 physical qubits achieving 99.921% two-qubit gate fidelity and 48 logical error-corrected qubits, Helios showed that trapped-ion systems can achieve the precision required for meaningful error correction. High gate fidelity is significant because it directly reduces the number of physical qubits needed to construct a single reliable logical qubit, compressing the timeline to practically useful machines.4
Google Dual-Modality Strategy (March 2026). In March 2026, Google Quantum AI announced a structural expansion of its hardware program: a second modality. Alongside its flagship superconducting qubit architecture, the platform behind Willow, Google is now building a parallel neutral atom quantum computing capability, led by JILA physicist Dr. Adam Kaufman from a new facility in Boulder, Colorado.
The two approaches offer complementary characteristics. Superconducting qubits operate at high gate speeds but require intensive error correction overhead. Neutral atom arrays offer natural scalability to large qubit counts and high connectivity between qubits, with characteristics well-suited to certain classes of computation. Google's wager is that pursuing both architectures simultaneously increases the probability of reaching fault-tolerant, utility-scale quantum computation ahead of any single-track program.
The strategic significance of this move extends beyond Google's internal roadmap. Multiple viable architectures advancing in parallel means that progress toward a cryptographically relevant quantum computer is no longer contingent on any single approach clearing its remaining engineering hurdles. The redundancy compresses the timeline and reduces the reliability of any forecast that assumes all pathways will stall simultaneously.42,43
Quantum processors are being built on several competing physical platforms, each with distinct tradeoffs.
Superconducting qubits (Google, IBM) use tiny circuits cooled to near absolute zero. They offer fast gate operations, but qubits are fragile and require significant error correction overhead. This is currently the most mature platform.
Trapped-ion qubits (Quantinuum, IonQ) use individual atoms held in electromagnetic fields. Gate speeds are slower, but fidelity is substantially higher, so fewer physical qubits are needed per logical qubit.
Topological qubits (Microsoft) encode information in exotic particle states that are inherently resistant to noise. Still early-stage. Could offer dramatic scaling advantages once the physics proves out.
Neutral atom qubits (QuEra, Pasqal) use arrays of individual atoms manipulated with laser beams. Naturally scalable to large qubit counts and well-suited to certain optimization problems.
Photonic qubits (PsiQuantum, Xanadu) encode quantum information in particles of light. Attractive for room-temperature and networked systems, but difficult because photons do not easily interact.
Silicon spin qubits (Intel, Diraq, Silicon Quantum Computing) use electron or nuclear spins in silicon. Earlier-stage, but compelling because the approach could use existing semiconductor manufacturing.
The important point is diversification. Quantum computing is not waiting on one architecture to win. Several paths are improving in parallel, and a breakthrough in any one of them could compress the timeline.
Error correction is the central engineering problem in quantum computing, and it has been the single largest barrier between experimental quantum processors and practically useful quantum computation for three decades. Quantum bits are fragile and every useful quantum algorithm must run long enough to produce an answer without the noise washing out the signal. Error correction fixes this by encoding a single reliable "logical" qubit across many "physical" qubits that cross-check each other.
A quantum computer powerful enough to threaten modern cryptography requires a relatively small number of logical qubits (~1200), each constructed from many physical qubits working together to detect and correct errors. The ratio between physical and logical qubits depends entirely on the error rate of the underlying hardware. Higher fidelity means fewer physical qubits per logical qubit, which means smaller, cheaper, more buildable machines.
This is why the convergence of results in 2024 and 2025 matters.
Google Willow proved that logical error rates decrease as you add more physical qubits, the essential prerequisite for scaling.1
Quantinuum Helios achieved 99.921% gate fidelity on trapped ions, reducing the physical-to-logical overhead.4
IonQ (via Oxford Ionics) demonstrated greater than 99.99% two-qubit gate fidelity in October 2025, pushing the precision frontier even further.5
Oxford researchers demonstrated single-qubit gate errors as low as 10⁻⁷, approaching the theoretical thresholds where error correction becomes remarkably efficient.6
Taken individually, each result is a milestone. Taken together, they describe an industry that is close to solving the fundamental physics problem that has constrained quantum computing for thirty years.
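To make the physical-to-logical ratio concrete, here is an added Python model; it is not code from the report or from any of the papers it cites. It uses the common surface-code heuristic P_L(d) ≈ 0.1·(p/p_th)^((d+1)/2) with an assumed threshold p_th = 1%, and counts 2d²−1 physical qubits per distance-d patch. The 1e-12 per-cycle logical error budget is an assumption chosen for illustration; the two gate-error inputs are derived from the 99.921% and 99.99% fidelities quoted above, and the 1,200 logical-qubit budget is the figure given earlier in this section. The point it shows is the one the text makes: a tenfold drop in physical error roughly halves the code distance and cuts the physical qubit count by about three times, and for a fixed error rate the logical error falls exponentially as the distance grows.

```python
"""Rough physical-qubit overhead model for a surface-code logical qubit.

Added illustration, not from the report or any cited paper. Model (Fowler et
al., 2012 heuristic): P_L(d) ~ 0.1 * (p / p_th) ** ((d + 1) / 2), threshold
p_th ~ 1e-2, and 2*d**2 - 1 qubits per rotated surface-code patch (d**2 data
qubits plus d**2 - 1 measurement qubits). The threshold, the error budget and
the gate-error inputs below are assumptions, not figures from the report.
"""

P_TH = 1e-2                   # assumed surface-code threshold per operation
TARGET_LOGICAL_ERROR = 1e-12  # assumed per-cycle logical error budget


def logical_error_rate(p: float, d: int, p_th: float = P_TH) -> float:
    """Heuristic logical error per code cycle at distance d, physical error p."""
    if p >= p_th:
        raise ValueError("physical error rate is at or above threshold; "
                         "no code distance suffices")
    return 0.1 * (p / p_th) ** ((d + 1) / 2)


def required_distance(p: float, target: float = TARGET_LOGICAL_ERROR) -> int:
    """Smallest odd code distance whose heuristic logical error meets target."""
    d = 3
    while logical_error_rate(p, d) > target:
        d += 2
    return d


def physical_per_logical(d: int) -> int:
    """Physical qubits in one rotated surface-code patch of distance d."""
    return 2 * d * d - 1


def machine_size(p: float, logical_qubits: int) -> dict:
    """Physical qubit count for a machine with the given logical qubit budget."""
    d = required_distance(p)
    per_patch = physical_per_logical(d)
    return {
        "gate_error": p,
        "distance": d,
        "physical_per_logical": per_patch,
        "physical_total": per_patch * logical_qubits,
    }


if __name__ == "__main__":
    # Two-qubit gate errors derived from the fidelities quoted in the report:
    # 99.921% (Helios) and 99.99% (IonQ / Oxford Ionics). 1,200 logical
    # qubits is the rough CRQC budget stated above.
    for p in (1 - 0.99921, 1 - 0.9999):
        print(machine_size(p, 1200))
```

With these assumptions the 99.921% machine needs distance 19 (721 physical qubits per logical qubit, about 865,000 in total), while the 99.99% machine needs distance 11 (241 per logical qubit, about 289,000 in total). The absolute numbers depend on the heuristic and budget; the ratio between them is the part that generalises.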
The expert consensus on when a cryptographically relevant quantum computer (CRQC) might emerge has shifted dramatically. As recently as 2022, most institutional forecasts placed a CRQC at 15 to 30 years out. Today, governmental planning horizons cluster around 2030 to 2033 and leading researchers have narrowed their personal estimates further. The contrast between the 2022 consensus and the 2025 and 2026 estimates is the single clearest signal that something in the field has changed.
The shift is driven by both hardware results (Willow, Helios, Oxford fidelity work) and software and algorithm results that reduced the cryptanalytic target.
The Gidney Paper (May 2025). Craig Gidney, a researcher at Google Quantum AI, published a paper demonstrating that software optimizations could reduce the resources required to factor RSA-2048 to approximately 1,400 logical qubits. Previous estimates required millions of physical qubits. This is a software result rather than a hardware result, meaning the target that hardware needs to hit is closer than previously understood.7
The Ivezic Revision (June 2025). Marin Ivezic, a recognized authority on quantum risk assessment, revised his Q-Day timeline from 2032 to 2030. His reasoning combined three converging signals: IBM's roadmap for 200 logical qubits by 2029, the Gidney paper showing approximately 1,400 logical qubits might suffice for RSA-2048, and Oxford's demonstration of 10⁻⁷ gate error rates. The acceleration, he argued, is the compound effect of simultaneous improvements in hardware, software, and error correction rather than a single breakthrough.8
The Dallaire-Demers, Doyle, and Foo Paper (August 2025). This paper documented an order-of-magnitude drop in estimated physical qubit requirements to break ECC-256 between 2010 and 2025. The resource estimates have been falling consistently as both hardware improves and algorithms become more efficient. The trend line points in one direction.9
Google ECDSA Whitepaper (March 2026). On March 30, 2026, Google Quantum AI published a whitepaper with direct implications for cryptocurrency: a detailed demonstration that elliptic curve cryptography, the specific signature scheme securing Bitcoin, Ethereum, and the majority of the digital asset ecosystem, can be broken with substantially fewer resources than any prior estimate suggested.
The headline figures. Fewer than 1,200 to 1,450 logical qubits and 70 to 90 million Toffoli gates are sufficient to execute Shor's algorithm against ECDSA-256. On a superconducting architecture, this translates to fewer than 500,000 physical qubits, with a runtime measured in minutes rather than days or weeks. The prior leading estimate, from Litinski in 2023, required approximately 9 million qubits on a photonic architecture. The Google paper represents a roughly 20-fold reduction in resource requirements.
The underlying reason for this compression is structural. ECC requires approximately 100 times fewer Toffoli gates than RSA-2048. The Gidney paper7 established a new floor for attacking RSA. The March 2026 paper establishes a separate and, for the cryptocurrency industry, more immediately relevant floor for attacking the signature scheme that secures every major blockchain. These are different problems, and the ECC problem turns out to be meaningfully easier for a quantum attacker.
The paper was co-authored by nine researchers spanning Google Quantum AI, UC Berkeley, Stanford, and the Ethereum Foundation. Google disclosed the findings responsibly, publishing verification through a zero-knowledge proof that allows independent parties to confirm the resource estimates without accessing the underlying attack circuits. The decision to disclose at all, and to do so via peer-verifiable methodology rather than a press release, signals that Google treats the findings as genuinely actionable.37,38
Taken alongside the Gidney paper7 and the Dallaire-Demers, Doyle, and Foo paper9, the March 2026 whitepaper completes a pattern. Three significant papers, each compressing qubit requirements from a different angle, published within a twelve-month window. The trend line is not ambiguous. The requirements are falling. The hardware is rising to meet them.41
Scott Aaronson (November-December 2025). Perhaps the most telling signal came from Scott Aaronson, a computational complexity theorist at the University of Texas at Austin and one of the most respected voices in quantum computing. Aaronson has historically been among the field's most prominent skeptics regarding near-term timelines.
Between November and December 2025, he published three blog posts that marked a significant shift in his position. In the second, he drew a historical parallel that resonated widely. His framing reads as a caution against overconfident five-year safety assumptions rather than a prediction of near-term Q-Day. In his words: "If you think Bitcoin, and SSL, and all the other protocols based on Shor-breakable cryptography, are almost certainly safe for the next 5 years... then I submit that your confidence is also unwarranted. Your confidence might then be like most physicists' confidence in 1938 that nuclear weapons were decades away, or like my own confidence in 2015 that an AI able to pass a reasonable Turing Test was decades away."10
In the third, he wrote: "I'm now more optimistic than I've ever been that, if things continue at the current rate, either there are useful fault-tolerant QCs in the next decade, or else something surprising happens to stop that."11
Independent forecasters have begun publishing their own near-term estimates. Colton Dillion, CEO of Quip Networks, a post-quantum infrastructure firm that maintains the quantumdoomclock.com risk model, places a 10 percent probability on a quantum computer breaking cryptography by March 2028, and is direct about the method behind it: "All we did was take the published performance specs over time of commercially available quantum computers and draw them on a line of best fit for exponential growth ... We stand by this forecast as a quantitative guide for making decisions about quantum risk."
Quantum computing has transitioned from a research curiosity into strategic national infrastructure. Global investment now exceeds $40 billion across public and private sectors, with the largest commitments coming from precisely the actors who take long-term threats most seriously: governments and intelligence agencies.
United States. DARPA's US2QC program set the tone, aiming to determine whether an underexplored approach to quantum computing could achieve utility-scale operation "much faster than conventional predictions," a hedge against being caught off guard by a technology developing faster than the field expects.12
In mid-2024, DARPA expanded that initiative into the Quantum Benchmarking Initiative (QBI), with a concrete planning target: determining whether a utility-scale quantum computer can be built by 2033. DARPA has since advanced 11 companies to Stage B evaluation. The 2033 figure is a planning target.12b
In early 2025, the US Department of Energy announced $625 million in new funding to advance quantum research.13 In June 2025, the Trump administration issued an executive order on cybersecurity, including post-quantum cryptography requirements.14
European Union. The EU has published a post-quantum migration strategy requiring migration of high-risk systems by 2030 and full transition by 2035.15
United Kingdom. Britain's National Cyber Security Centre has outlined an even more structured timeline: inventory of cryptographic dependencies by 2028, migration of high-priority systems by 2031, and full transition by 2035.16
NIST. The US National Institute of Standards and Technology has stated plainly: "Organizations should start planning now to migrate to PQC."17 NIST has further recommended deprecating legacy algorithms, including RSA and ECC-256, by 2030 and fully disallowing them by 2035. These are planning targets rather than binding deadlines, but NIST's standards cascade globally through federal procurement, regulator references in the EU, UK, and Japan, and de facto adoption by enterprise infrastructure, making its 2030 and 2035 dates the working horizon for most institutional migrations.17b
China. The November 2025 Annual Report to Congress from the US-China Economic and Security Review Commission stated: "China has mobilized state-scale investment and industrial coordination to dominate quantum systems and standards. For the purposes of this recommendation, the Commission presumes that China is actively racing to develop cryptographically relevant quantum computing capabilities and is likely concealing the location and status of its most advanced efforts." The Commission recommended that Congress provide additional funding to quantum initiatives to ensure the United States does not fall behind.18
The pattern across these initiatives is consistent. Governments are planning for a world in which quantum computing matures, and they are acting with urgency. The private sector, led by Google, IBM, Microsoft, Amazon, and a growing venture ecosystem, is investing accordingly.
We do not need a quantum computer to know which cryptographic systems it will break. Cryptographic security rests on mathematical hardness assumptions: specific classes of problems that are computationally infeasible for classical computers. RSA depends on the difficulty of factoring large integers. Elliptic curve cryptography (ECDSA, Schnorr) depends on the difficulty of the elliptic curve discrete logarithm problem. In 1995, thirty years before any quantum processor approached practical scale, Peter Shor published a quantum algorithm that solves both problem classes in polynomial time, meaning computation scales manageably with key size rather than exponentially. The algorithm's correctness has been proven mathematically and verified experimentally at small scales. The only open question is when hardware capable of running it at a cryptographically relevant scale will exist.
This mathematical certainty cuts in both directions. We know which algorithms will fail, and under what conditions. We also know which will survive. Symmetric cryptography (AES) and hash functions (SHA-256) face only a quadratic speedup from quantum attacks via Grover's algorithm, a gap that can be closed by doubling key lengths. The vulnerability is specific to public-key systems built on factoring and discrete logarithms, precisely the systems that secure digital signatures, key exchange, and every major blockchain.
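As an added worked comparison, not from the report, the cost scaling behind these two paragraphs, for an n-bit elliptic-curve key, an RSA modulus N, and a k-bit symmetric key (all standard asymptotic figures; constants omitted):

```latex
\begin{aligned}
&\textbf{ECDLP, } n\text{-bit curve (secp256k1: } n = 256\text{):}\\
&\quad \text{classical (Pollard rho)} \approx 2^{n/2} = 2^{128}\ \text{group operations},
\qquad \text{Shor} = O(n^{3})\ \text{gates (polynomial in } n)\\[4pt]
&\textbf{RSA, modulus } N \text{ (2048 bits):}\\
&\quad \text{classical (GNFS)} = \exp\!\Big(\big(\tfrac{64}{9}\big)^{1/3}(\ln N)^{1/3}(\ln\ln N)^{2/3}\Big)\ \text{(sub-exponential)},
\qquad \text{Shor} = O\big((\log N)^{3}\big)\\[4pt]
&\textbf{Symmetric key search, } k\text{-bit key:}\\
&\quad \text{classical} = 2^{k}\ \text{trials},
\qquad \text{Grover} \approx 2^{k/2}\ \text{queries}\\
&\quad \text{AES-128: } 2^{128} \to 2^{64},
\qquad \text{AES-256: } 2^{256} \to 2^{128}
\end{aligned}
```

For symmetric keys the quantum cost still grows exponentially in k, so doubling the key length (AES-128 to AES-256) restores the original 2^128 work factor. For ECDLP and factoring, Shor's cost is polynomial in the key size, so no practical key length puts the problem back out of reach; the only fix is a different hardness assumption.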
Current expert estimates for Q-Day range from the early 2030s to as late as the 2040s. Several prominent researchers have recently compressed their estimates toward the nearer end of that range. DARPA is planning for 2033. NIST is planning for deprecation by 2030. Ivezic estimates 2030. Aaronson no longer considers five-year safety windows to be warranted. These are planning horizons and expert judgments, not measured facts.
No credible expert in the field today argues that Q-Day will never arrive. The debate has moved entirely from "if" to "when," and the "when" is getting closer with each passing quarter.
The quantum threat is not unique to crypto. What is unique is how hard crypto is to fix. The cryptography is broken by the same algorithm that breaks banking and HTTPS. The system architecture turns that vulnerability into a permanent, public attack surface. And the governance model makes coordinating a fix harder than in any comparable sector.
The quantum threat to cryptography is not unique to the cryptocurrency industry. Every system that relies on public-key cryptography, from banking infrastructure to military communications to the HTTPS connections securing the global internet, faces the same fundamental challenge. What distinguishes the cryptocurrency industry is the combination of factors that other sectors do not carry in the same degree: permanent public key exposure on an immutable ledger, the absence of any key rotation mechanism at the protocol level, and a governance model that requires coordinated migration across millions of independent actors with no central authority empowered to mandate it.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the most widely deployed signature scheme in the cryptocurrency ecosystem. Bitcoin, Ethereum, Solana, and the overwhelming majority of Layer 1 and Layer 2 systems rely on elliptic curve cryptography for the digital signatures that authenticate transactions and prove ownership of assets.
Shor's algorithm, running on a sufficiently powerful quantum computer, breaks this entire class of cryptography. It does so not by brute force but by efficiently solving the discrete logarithm problem on which elliptic curve security is founded. The result is a complete break: given a public key, Shor's algorithm can derive the corresponding private key in polynomial time.
More than $2 trillion in digital assets are currently secured by cryptographic primitives known to be vulnerable to this attack. That figure encompasses not only the major Layer 1 chains but the entire ecosystem built on top of them: decentralized finance protocols, bridges, multisignature wallets, oracle networks, and governance contracts. The exposure is systemic.
As of March 2026, the resource requirements for executing this attack are no longer theoretical projection. Google Quantum AI published a whitepaper quantifying the precise computational cost of breaking ECDSA-256: fewer than 500,000 physical qubits, with a runtime measured in minutes. The prior best estimate required approximately 9 million qubits. That 20-fold reduction came from a more efficient algorithm, one published by a team of nine researchers spanning Google Quantum AI, UC Berkeley, Stanford, and the Ethereum Foundation.
The same research surfaced a compounding vulnerability specific to Bitcoin: Taproot, the network's most recent major protocol upgrade, exposes key material on-chain in a way that lowers the computational cost of running Shor's algorithm against Taproot-format addresses. This is an unintended second-order consequence of a performance and privacy optimization, not a deliberate tradeoff.37,40
A common deflection in the Bitcoin community is that "SHA-256 is quantum-resistant," which is true but irrelevant. SHA-256 is a hash function used in Bitcoin's proof-of-work mining and address derivation. The vulnerable component is the elliptic curve signature scheme (secp256k1) that authenticates every transaction. Conflating mining security with signature security is a category error that has led to dangerous complacency.36
Another dimension of the quantum threat is a strategy already believed to be in active use by nation-state actors: Harvest Now, Crack Later (HNCL).
The premise is straightforward. Encrypted data intercepted today can be stored indefinitely and cracked later, once quantum capability matures. Intelligence agencies and sophisticated threat actors have strong incentives to collect encrypted communications, financial data, and cryptographic material now, banking on future capability.
The traditional internet has taken this threat seriously. Cloudflare announced in October 2025 that post-quantum encryption now protects the majority of human-initiated web traffic on its network.20 Signal deployed its PQXDH post-quantum key exchange protocol in 2023 and followed up with the SPQR (Sparse Post Quantum Ratchet) protocol in October 2025.33 Apple rolled out PQ3 post-quantum encryption for iMessage in February 2024.34 These upgrades were deployed through server-side and client updates, invisible to most users, requiring no action from the billions of people who rely on these services daily.
Blockchain faces a more persistent version of this problem. The cryptographic material that a quantum computer would target is already public. Every public key that has ever been exposed onchain, whether through legacy address formats, address reuse, or Taproot outputs, sits on a ledger that anyone in the world can download today. There is no interception required, no storage costs, and no intelligence operation. The attack surface is open, permanent, and growing with every transaction that reveals a public key.
No key rotation mechanism exists for public ledger exposure.
For most encrypted communications, the HNCL window is bounded by relevance. A diplomatic cable from 2025 may have limited intelligence value by 2035. Blockchain exposure carries no such expiration. Any address holding unspent funds with an exposed public key remains economically consequential for as long as those funds sit there.
Not all Bitcoin addresses are equally vulnerable. The critical distinction lies in whether an address has revealed its public key onchain.
In Bitcoin's original design (Pay-to-Public-Key, or P2PK), the public key is stored directly on the blockchain. Every coin held in a P2PK address is immediately vulnerable the moment a quantum computer can run Shor's algorithm against secp256k1. This includes the earliest Bitcoin addresses, notably the estimated one million Bitcoin mined by Satoshi Nakamoto, worth approximately $100 billion at current valuations.21
Later Bitcoin address formats (Pay-to-Public-Key-Hash, or P2PKH) improved this situation by storing only a hash of the public key onchain. The actual public key is revealed only when coins are spent. This provides a degree of protection. An address that has never spent does not have its public key publicly visible.
The protection is fragile. Any address that has ever been used to send a transaction has already revealed its public key. Address reuse, a practice that Bitcoin's design discourages but does not prevent, has exposed millions of addresses. Once a public key appears in the blockchain's transaction history, it remains there permanently. There is no way to un-reveal it.
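As an added example (not code from the report), the following Python classifier applies the distinction above to raw scriptPubKeys. It recognises the standard P2PK, P2PKH, P2SH, P2WPKH and P2TR output templates and marks each unspent output as key-exposed, key-hidden, or indeterminate: P2PK scripts carry the public key directly, P2TR scripts carry a 32-byte tweaked key (the Taproot exposure mentioned earlier), hash-based P2PKH and P2WPKH outputs become exposed once their address has spent, and P2SH depends on a redeem script this code does not see. The sample outputs, address labels and spend history are constructed, not real chain data; address labels stand in for the address derivation this example does not implement.

```python
"""Classify Bitcoin outputs by whether their public key is exposed on-chain.

Added illustration, not code from the report. Script templates are the
standard ones (BIP 16, BIP 141, BIP 341); all sample data is constructed.
"""
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG, OP_1 = (
    0x76, 0xA9, 0x87, 0x88, 0xAC, 0x51)


def classify_script(spk: bytes) -> str:
    """Return the output type for a scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG  (key is in the script itself)
    if (n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG
            and spk[1] in (0x02, 0x03, 0x04)):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == bytes([0x00, 20]):
        return "p2wpkh"
    # P2TR: OP_1 <32-byte x-only tweaked output key>  (key is in the script)
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "unknown"


KEY_IN_SCRIPT = {"p2pk", "p2tr"}      # public key visible from the output alone
KEY_ON_SPEND = {"p2pkh", "p2wpkh"}    # key revealed only when the address spends


@dataclass
class Utxo:
    address_id: str   # constructed label standing in for a derived address
    script: bytes
    value_sat: int


def exposure(utxo: Utxo, spent_addresses: set) -> str:
    """'exposed', 'hidden', or 'indeterminate' for one unspent output."""
    kind = classify_script(utxo.script)
    if kind in KEY_IN_SCRIPT:
        return "exposed"
    if kind in KEY_ON_SPEND:
        # Address reuse: any earlier spend already put the key on the ledger.
        return "exposed" if utxo.address_id in spent_addresses else "hidden"
    return "indeterminate"  # P2SH / unknown: depends on the redeem script


def summarize(utxos: list, spent_addresses: set) -> dict:
    """Total satoshis per exposure class across a UTXO set."""
    totals = {"exposed": 0, "hidden": 0, "indeterminate": 0}
    for u in utxos:
        totals[exposure(u, spent_addresses)] += u.value_sat
    return totals


# ---- constructed sample data (not real keys, hashes or balances) ----
PUBKEY = bytes([0x02]) + b"\x11" * 32
SAMPLE_UTXOS = [
    Utxo("addr-A", bytes([33]) + PUBKEY + bytes([OP_CHECKSIG]), 5_000_000_000),
    Utxo("addr-B", bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 150_000_000),
    Utxo("addr-C", bytes([OP_DUP, OP_HASH160, 20]) + b"\x23" * 20
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 200_000_000),
    Utxo("addr-D", bytes([OP_1, 32]) + b"\x33" * 32, 70_000_000),
    Utxo("addr-E", bytes([0x00, 20]) + b"\x44" * 20, 30_000_000),
    Utxo("addr-F", bytes([OP_HASH160, 20]) + b"\x55" * 20 + bytes([OP_EQUAL]),
         500_000_000),
]
SAMPLE_SPENT = {"addr-C"}  # addr-C reused after an earlier outgoing transaction

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.address_id, classify_script(u.script), exposure(u, SAMPLE_SPENT))
    print(summarize(SAMPLE_UTXOS, SAMPLE_SPENT))
```

Run against a real UTXO set this is the core of a cryptographic inventory: the "hidden" bucket is the part of the supply that can be moved before its key is ever revealed, the "exposed" bucket is what a future Shor-capable machine could target without any further action by the holder.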
The scale of exposure is substantial. Analysis by Chainalysis and other blockchain analytics firms estimates that 2.3 to 3.7 million Bitcoin are permanently lost, held in addresses whose owners have lost access to their private keys.22 These coins cannot be migrated to quantum-safe addresses because no one controls them. They will sit in their current addresses, with their public keys exposed, indefinitely.
The existence of millions of irrecoverable Bitcoin creates a governance problem with no clean solution.
Migration for public blockchains refers to a period during which every user, exchange, custodian, and private key holder needs to create a new quantum-secure address and move their coins from legacy addresses to their new post-quantum address. Joe Mattia, COO of Quantus, noted: "The migration itself will take years. Wallets and exchanges need infrastructure upgrades, and every user will individually need to move their funds. That can only begin once implementation details have been decided by a governance process which will itself take time."
A successful Bitcoin migration to post-quantum cryptography forces a decision about coins that cannot migrate. There are two common opinions regarding what to do with coins that fail to migrate.
The first option is an open-ended grace period. Unlimited time for holders to migrate. Lost coins remain in quantum-vulnerable addresses permanently, creating an ever-present pool of exposed assets. Once a cryptographically relevant quantum computer can run Shor's algorithm against secp256k1, those coins become claimable by whoever operates it. There is no onchain mechanism to distinguish between a legitimate owner migrating with their private key and a quantum attacker who has derived the same key. Both look identical to the protocol.
The second option is a hard cutoff. Set a deadline after which unmigrated coins are burned, frozen, or forked out of the active supply. This protects the network but constitutes confiscation of legitimate property, including coins held by people who simply didn't act in time, didn't know they needed to, or lost access years ago.
Practitioners disagree on which path is less risky. Colton Dillion of Quip Networks argues for non-intervention: "I think they should be treated as abandoned property claimable by the first entrepreneur who invests in the hardware ... It is better to support a principle of non-intervention than to give protocol developers power to freeze arbitrary addresses, thus compromising the chain's neutrality." Auryn Macmillan, co-founder of Gnosis Guild, which builds governance and security tooling for onchain organizations, argues for the hard cutoff: "The only practical solution is to set a hard deadline for account owners to migrate their tokens to quantum safe accounts, after which all tokens held in vulnerable accounts will be permanently frozen."
In either case, wallets and exchanges would encourage migration through software updates and user prompts. Encouraging migration without protocol enforcement leaves the network permanently exposed to quantum theft. Chains that take this path may find themselves on the wrong side of what some have called the Great Quantum Filter: the moment when capital flows decisively away from quantum-vulnerable chains toward alternatives that offer cryptographic certainty.
The Satoshi coins represent the sharpest version of this dilemma. A quantum attacker that steals and dumps them on the market imposes sell pressure and a crisis of confidence that could be catastrophic. Burning or freezing them by protocol rules establishes the precedent that the network can confiscate holdings, undermining the property rights foundational to its value proposition.
This is a political problem, and Bitcoin's governance structure, which relies on rough consensus among miners, developers, and users with no formal decision-making authority, is poorly suited to resolving it. Ethereum's governance, by contrast, has demonstrated repeatedly (the DAO fork, the Merge) that hard forks can be coordinated when the Foundation, core developers, and validators align, giving it a structurally easier path to a post-quantum transition than Bitcoin.
This vulnerability is not unique to the quantum era. Cryptography has always been an arms race. Classical cryptanalysis advances, algorithms once considered unbreakable get deprecated, and security assumptions erode over time. DES lasted roughly twenty years before it was retired. MD5 and SHA-1 were both considered secure for over a decade before practical collision attacks rendered them obsolete. The assumption that any protocol could permanently ossify around a single cryptographic scheme, elliptic curves or otherwise, was always unrealistic. Quantum computing did not introduce this dynamic.
Governance aside, post-quantum migration introduces a severe technical constraint: chain bloat.
The problem is twofold. Post-quantum signature schemes produce dramatically larger signatures, but the size increase does not stop there. ECDSA has a useful property: the public key can be recovered from the signature itself, so it does not need to be transmitted or stored separately. Post-quantum schemes lack this property. Both the signature and the full public key must be included in every transaction, compounding the size increase. The result is not just signature bloat but signature and key bloat, multiplied across every transaction on the network.
Current Bitcoin transactions using ECDSA produce signatures of approximately 64 bytes with a 33-byte public key (roughly 97 bytes of cryptographic payload per transaction). The table below compares the NIST-standardized post-quantum signature algorithms against classical schemes.
Even the most compact post-quantum option (Falcon-512) produces signatures ten times larger than ECDSA. ML-DSA-87, the highest security level and the scheme used by projects like Quantus, produces roughly 7,187 bytes of signature and key material per transaction versus 97 bytes for an ECDSA-signed Bitcoin transaction, a roughly 70x increase in per-transaction cryptographic payload. SPHINCS+ signatures reach over 120 times the size of ECDSA, though they offer the advantage of relying on hash-based cryptography rather than lattice assumptions.
The implications for Bitcoin's throughput are severe. Bitcoin's block size is effectively fixed at approximately 4 MB (including SegWit). A block filled entirely with ML-DSA-87 signatures would carry roughly an order of magnitude fewer transactions than a block filled entirely with ECDSA signatures. Falcon-512 would cut throughput by roughly half at maximum density. BIP 360's proposed hybrid approach, which allows gradual migration and compatibility with multiple post-quantum algorithms, softens the transition but does not eliminate the scaling pressure.
When asked about how blockchains should choose post-quantum signature schemes and deal with these technical challenges, Christopher Smith, CEO of Quantus, said, "Every chain is going to take a performance hit when going post-quantum. We find it useful to measure chain throughput by quantum transactions per second (QTPS) rather than traditional TPS. For our use case, security is more important than performance. It's possible that cryptanalysis of lattice cryptography has a breakthrough. Choosing the highest security level ensures we have plenty of padding in that situation. And the real scaling solution for blockchains is ZK. Our wormhole transactions use zk-proofs to drive the amortized transactions costs down to about 100 bytes, well below the best known post-quantum signatures."
BIP 360 (Pay-to-Merkle-Root, or P2MR) is the most developed proposal for Bitcoin's quantum migration. It introduces a new address type compatible with (but not yet supporting) post-quantum signature algorithms, designed as a soft fork that preserves backward compatibility. Its proponents acknowledge the remaining challenges: significantly larger transaction sizes, no existing hardware wallet support for post-quantum cryptography, longer and less human-readable addresses, and the fundamental question of what to do with coins that never migrate.[24]
When asked about accommodating larger signature schemes like ML-DSA-87 in hardware wallets, Aaron Chen, CTO of Keystone, said, "For a hardware wallet, the device is typically MCU-based, which means its hardware resources are inherently limited, including limited Flash, limited RAM, and limited computing power—especially when it comes to a secure element. Therefore, for algorithms such as ML-DSA-87, the hardware resource requirements are significantly higher, particularly when user experience must also be preserved. This indeed introduces additional challenges for hardware wallet development."
When asked again about what it would take for a device like the Keystone 3 Pro or future iterations to sign a post-quantum transaction, he clarified, "At Keystone, we are closely following the progress of quantum-resistance efforts across the broader blockchain community. As soon as there are any updates or developments, we will evaluate them promptly and plan our next steps accordingly."
It's clear that these are technical challenges that require an extraordinary amount of cross-stakeholder coordination in an industry that has historically struggled to achieve consensus on far simpler changes.
The public conversation around quantum threats to cryptocurrency has focused primarily on wallet security. This significantly understates the scope of exposure.
DeFi protocols. Smart contracts that custody billions of dollars in assets rely on the same elliptic curve signatures for access control, governance votes, and oracle attestations. A quantum-capable attacker could forge signatures to drain liquidity pools, manipulate governance votes, or corrupt price feeds.
Stablecoin admin keys. Stablecoins like USDC and USDT are managed through admin keys that control minting, burning, and address freezing. These keys are protected by elliptic curve cryptography. A quantum attacker who derives the minting key for a major stablecoin could mint an unlimited supply, crash the peg, and trigger cascading liquidations across every DeFi protocol that holds it as collateral. The total value at risk extends well beyond the stablecoin's own market capitalization. USDC and USDT collectively serve as the base collateral layer for hundreds of billions of dollars in DeFi positions. A single compromised minting key could propagate failures across lending protocols, automated market makers, and derivative platforms simultaneously.
Multisignature schemes. Multi-party computation and threshold signature schemes used for institutional custody, DAO treasuries, and bridge security inherit the same elliptic curve vulnerability. Breaking one key in a multisig setup may be sufficient to compromise the entire arrangement, depending on the threshold.
Cross-chain bridges. Bridges that transfer assets between chains rely on validator signatures and cryptographic attestations. These are high-value targets. Bridge exploits have already accounted for billions of dollars in losses using classical attack vectors. Quantum capability adds an entirely new class of attack.
Oracle networks. Price oracles like Chainlink rely on signed attestations from data providers. Forged oracle signatures could manipulate prices across every protocol that consumes their feeds, enabling cascading liquidations and market manipulation at scale.
Governance contracts. Onchain governance systems that control protocol upgrades, treasury disbursements, and parameter changes rely on cryptographic signatures to authenticate votes. Quantum forgery of governance signatures could enable hostile takeover of protocols.
Identity. As Ian Chong of Terminal 3 put it, "A wallet key is valuable only while funds sit at that address. Once moved, the key is worthless. Identity data — KYC records, biometric hashes, government-issued credential attributes — remains exploitable for the full duration of a person's life."
The attack surface is a systemic vulnerability woven through every layer of the decentralized finance stack. Addressing wallet security alone, while necessary, only covers the most visible component of a much deeper structural exposure.
The comparison to traditional internet infrastructure is instructive. When HTTPS needs to upgrade its cryptography, a relatively small number of organizations (certificate authorities, browser vendors, and server operators) coordinate the transition. The public key material is ephemeral. It exists for the duration of a session and is not permanently recorded. Users do not need to take any action. The upgrade happens invisibly.
Blockchains sit at the opposite end of every relevant axis. Public key material is permanent, broadcast globally, and recorded immutably. Upgrades require consensus among millions of independent actors with varied incentives. Users must actively migrate their own assets, a process that requires technical competence, functioning hardware wallets, and awareness that migration is necessary.
There is no central authority to mandate, enforce, or even coordinate this transition. A Cloudflare encryption upgrade propagates to millions of websites through one engineering team's decision. An Apple PQ3 deployment ships through a software update. Blockchain migration requires convincing a fragmented ecosystem of core developers, miners, node operators, wallet providers, exchanges, custodians, and individual users to move in the same direction, on the same timeline, with no one empowered to compel any of them. Bitcoin's two most recent upgrades (SegWit and Taproot) each took years of debate for changes far less fundamental than replacing the network's entire cryptographic foundation.
Blockchains are exposed in ways most digital systems are not. The persistence of the attack surface and the coordination cost of mitigation make cryptocurrency one of the harder classes of digital infrastructure to protect against a quantum threat. The industry's response to this reality will define whether digital assets transition as a credible long-term store of value or whether they become a cautionary tale in the history of cryptographic failures.
The tools to fix this already exist. The industry is slowly beginning to pick them up, but the pace lags the traditional internet sector by a wide margin.
The cryptocurrency industry has begun acknowledging the quantum threat. Research papers have been published, proposals have been drafted, and a small number of projects have started building. An honest assessment is that the majority of active development remains early-stage, and the distance between acknowledgment and implementation is wide.
This section surveys the landscape of responses: from the institutional standards now in place, to the efforts of major chains, to the projects building quantum resistance from the ground up. The picture that emerges is one of an industry that knows what is coming but has not yet moved with the urgency the timeline demands.
In August 2024, after nearly a decade of evaluation involving hundreds of candidate algorithms and contributions from researchers worldwide, the US National Institute of Standards and Technology (NIST) finalized its first suite of post-quantum cryptographic standards. These represent the algorithms that will underpin the next generation of cryptographic infrastructure across every industry, not just cryptocurrency.
FIPS 203: ML-KEM (Kyber). A lattice-based key encapsulation mechanism for secure key exchange. Replaces the key exchange protocols vulnerable to quantum attack.
FIPS 204: ML-DSA (Dilithium). A lattice-based digital signature scheme. The primary replacement for ECDSA and RSA signatures in a post-quantum world.
FIPS 205: SLH-DSA (SPHINCS+). A hash-based signature scheme offering an alternative cryptographic foundation to lattice-based approaches, providing algorithmic diversity.
A fourth standard, FIPS 206 (based on Falcon), is expected in 2026.[19]
NIST standards are adopted globally because they are vetted through an open international process, required by US federal procurement, and referenced as baselines by other national standards bodies in the EU, UK, and Japan, giving the NIST post-quantum suite outsized influence on migration efforts across industries. The algorithms have been subjected to years of public scrutiny, cryptanalysis, and peer review. They are ready for deployment.
Bitcoin faces the most difficult quantum migration challenge in the ecosystem, for the reasons detailed in Section II: governance deadlock, chain bloat, lost coins, no hardware wallet support, and the requirement that every user actively migrate their own funds.
Bitcoin's governance model is deliberately conservative. Changes advance only when there is rough consensus across miners, core developers, node operators, exchanges, and users, with no single party empowered to mandate a change. This structure is a strength against rash decisions. It is a severe constraint when the network needs to execute a cryptographic transition on a schedule.
BIP 360 (Pay-to-Merkle-Root, or P2MR), proposed by Hunter Beast, represents the most developed migration path. It introduces a new address type compatible with multiple post-quantum signature algorithms (Dilithium, Falcon, SPHINCS+), designed as a soft fork that preserves backward compatibility. It does not, however, add support for these signatures. That will have to be done in another fork.[24]
As of early 2026, BIP 360 has not achieved consensus for activation. The proposal exists, but the political and social coordination required to implement it has not materialized.
Ethereum's response to the quantum threat has been more openly engaged than Bitcoin's but remains largely conceptual.
Vitalik Buterin has been vocal about the risk. In November 2025, he stated plainly that elliptic curves are "on their way out because of looming quantum risk."[25] The Ethereum Foundation has elevated post-quantum security as a top priority in its research agenda, and multiple EIPs (Ethereum Improvement Proposals) have explored migration strategies, including emergency hard-fork transition paths and new signature schemes.
Ethereum's governance advantage over Bitcoin is concrete. Ethereum's community has demonstrated capacity to execute hard forks (the DAO fork, the Merge) when the core developer team, the Foundation, and a substantial share of validators and exchanges align on a change. Bitcoin's governance model requires a broader and slower alignment across miners and users. A post-quantum hard fork is politically conceivable within Ethereum's model in a way it is not within Bitcoin's.
The challenges remain substantial. Ethereum's smart contract ecosystem creates additional complexity. Every contract that performs signature verification, access control, or cryptographic operations would need to be updated or replaced. The composability that makes DeFi powerful also means that a migration cannot be piecemeal. One critical protocol in the stack remaining on classical cryptography leaves the entire chain of dependencies above it vulnerable.
As of early 2026, Ethereum's quantum migration strategy remains a research priority without a concrete implementation timeline.
Solana's quantum preparedness illustrates a tension that will define much of the industry's response: the tradeoffs between performance and security.
Solana uses Ed25519 signatures, which, like ECDSA, are vulnerable to Shor's algorithm. Quantum Canary, a quantum readiness assessment project, grades Solana's quantum preparedness as F, the same as Ethereum's.[26]
There is a meaningful migration advantage that Ed25519 chains hold over their secp256k1 counterparts. Researchers at Mysten Labs (the team behind SUI) published a paper demonstrating that EdDSA-based blockchains have a structural advantage. Because Ed25519 keys are deterministically derived from a seed per RFC 8032, users can authorize new quantum-resistant signatures through zero-knowledge proofs tied to that seed, without changing addresses or generating new key material. The approach is backward-compatible and works even for accounts with publicly exposed keys. Viability at scale would give Ed25519 chains, including Solana, SUI, NEAR, and Cosmos, a significantly smoother migration path than Bitcoin or Ethereum, whose transition to post-quantum cryptography demands entirely new keys for every user.[35]
There are other encouraging signals. Project Eleven, a startup focused on post-quantum security for Solana, deployed a functioning post-quantum signature system on Solana's testnet and raised a $20 million Series A led by Castle Island Ventures.[27] Solana has also explored Winternitz signature vaults and engaged with Qdayclock, a quantum threat awareness initiative.
Solana's core value proposition, high throughput and low transaction costs, is in direct tension with post-quantum migration. Post-quantum signatures are larger and slower to verify. The very performance characteristics that differentiate Solana would be degraded by the cryptographic transition it needs to survive.
NEAR has a migration advantage because account identity is decoupled from cryptography and tied to human-readable account IDs rather than a fixed public key. Accounts support rotatable access keys and can hold multiple keys simultaneously, allowing migration to future signature schemes without changing account identity.
NEAR One is actively developing support for post-quantum signing schemes and has stated plans to introduce FIPS-204 ML-DSA (formerly Dilithium), initially targeting testnet deployment. Support remains under active development and is not yet production infrastructure. An account could add a quantum-safe full-access key, remove its legacy Ed25519 or secp256k1 full-access keys, and audit or remove remaining classical function-call keys. Balances and application assets stay tied to the account ID, which reduces the user-facing migration burden.[45]
A small number of projects have taken a fundamentally different approach: rather than retrofitting quantum resistance onto legacy architectures, they have built quantum-secure systems from inception.
Quantus is designed as a quantum-secure store-of-value blockchain, built on Substrate (Polkadot SDK) with post-quantum cryptography as a foundational design choice rather than a future migration target. Quantus uses ML-DSA-87 (Dilithium at NIST Level 5) for all transaction signatures, providing the highest standardized security level against both classical and quantum attacks.
For scalability, Quantus employs aggregated zero-knowledge proofs using Plonky2 (a STARK-based system with no trusted setup) and Poseidon2 hash functions, specifically chosen for their compatibility with the ZK proving stack. The system's Substrate foundation enables forkless runtime upgrades, meaning future cryptographic transitions can be executed through onchain governance without the coordination crises that legacy chains face.[28]
Other quantum-focused projects include the Quantum Resistant Ledger (QRL), built on XMSS hash-based signatures, and XX Network, which uses WOTS+ signatures. Each represents a different approach to quantum-native design, contributing to a growing ecosystem of alternatives for users and institutions prioritizing long-term cryptographic security.[26]
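The hash-based one-time signatures named above (Solana's Winternitz vaults earlier in this section, and the WOTS+ scheme used by XX Network), as an added example that is not code from the page or from either project: a textbook Winternitz OTS over SHA-256 with a stateful wrapper that refuses to sign twice. It shows why these schemes are considered quantum-safe (the only assumption is hash preimage and collision resistance), why the signatures are large (67 chain nodes of 32 bytes), and why state management is the whole game (a key is safe for exactly one signature). Parameters (w = 16, 67 chains), the domain-separation prefix, the seed and the messages are constructed for the example; WOTS+ adds per-chain masks and XMSS/SLH-DSA stack many such keys under a Merkle tree, which this block does not do.

```python
import hashlib

N_BYTES = 32         # SHA-256 output; every chain node is 32 bytes
W = 16               # Winternitz parameter: each chain is W-1 = 15 hashes long
LEN1 = 2 * N_BYTES   # 64 base-16 digits cover a 256-bit message digest
LEN2 = 3             # checksum max is 64*15 = 960 < 16**3, so 3 digits suffice
LEN = LEN1 + LEN2    # 67 chains in total


def _chain(node, steps):
    """Apply SHA-256 `steps` times (plain WOTS chain, no WOTS+ masks)."""
    for _ in range(steps):
        node = hashlib.sha256(node).digest()
    return node


def _digits(msg):
    """Base-16 digits of SHA-256(msg) followed by a 3-digit checksum.

    The checksum is what stops a forger from walking message chains forward:
    raising any message digit lowers the checksum, and lowering a checksum
    digit would mean walking a chain backward, i.e. finding a preimage."""
    digest = hashlib.sha256(msg).digest()
    digits = [d for byte in digest for d in (byte >> 4, byte & 0x0F)]
    checksum = sum(W - 1 - d for d in digits)
    digits += [(checksum >> 8) & 0x0F, (checksum >> 4) & 0x0F, checksum & 0x0F]
    return digits


def keygen(seed):
    """Derive 67 secret chain starts from a seed; the public key is a 32-byte
    commitment to all chain ends (the same idea XMSS uses to keep keys small)."""
    sk = [hashlib.sha256(b"wots-sk" + seed + i.to_bytes(2, "big")).digest()
          for i in range(LEN)]
    ends = [_chain(s, W - 1) for s in sk]
    pk = hashlib.sha256(b"".join(ends)).digest()
    return sk, pk


def sign(sk, msg):
    """Walk chain i forward by digit_i steps; the signature is the 67 intermediate nodes."""
    return [_chain(sk[i], d) for i, d in enumerate(_digits(msg))]


def verify(pk, msg, sig):
    """Finish every chain (W-1-digit_i more steps) and compare the commitment."""
    if len(sig) != LEN:
        return False
    ends = [_chain(sig[i], W - 1 - d) for i, d in enumerate(_digits(msg))]
    return hashlib.sha256(b"".join(ends)).digest() == pk


def signature_size(sig):
    return sum(len(node) for node in sig)  # 67 * 32 = 2144 bytes


class OneTimeKey:
    """Vault-style wrapper: a second signature would expose further chain nodes
    and let a third party sign other messages, so the key refuses reuse."""

    def __init__(self, seed):
        self.sk, self.pk = keygen(seed)
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("one-time key already used; rotate to a fresh key")
        self.used = True
        return sign(self.sk, msg)


def demo():
    """Constructed seed and messages for the example (not page data)."""
    key = OneTimeKey(b"constructed example seed")
    sig = key.sign(b"transfer 1 coin to vault B")
    try:
        key.sign(b"transfer 1 coin to vault C")
        reuse_rejected = False
    except RuntimeError:
        reuse_rejected = True
    return {
        "valid": verify(key.pk, b"transfer 1 coin to vault B", sig),
        "tampered_rejected": not verify(key.pk, b"transfer 2 coin to vault B", sig),
        "pubkey_bytes": len(key.pk),
        "signature_bytes": signature_size(sig),
        "reuse_rejected": reuse_rejected,
    }
```

The 2,144-byte signature for a 32-byte public key is the shape of the trade-off the report's size comparison describes: hash-based schemes buy freedom from lattice assumptions with signature bulk, and one-time variants additionally push the burden of never reusing a key onto the wallet or vault logic.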
A comparison to non-crypto responses provides useful context and a note of urgency for the cryptocurrency industry.
Cloudflare announced in October 2025 that post-quantum encryption now protects the majority of human-initiated traffic on its network, directly mitigating the Harvest Now, Crack Later threat for web communications.[20]
In March 2026, Google formalized this trajectory with a jointly announced commitment alongside Cloudflare: a concrete 2029 deadline for full post-quantum cryptography migration across their combined infrastructure. The rationale was stated plainly. The timeline to a cryptographically relevant quantum computer is shorter than institutional forecasts assumed as recently as 2024, and the resources required to break elliptic curve cryptography specifically are now within reach of near-term hardware projections. The world's dominant search company and the infrastructure layer protecting the majority of human web traffic are not hedging. They are operating on a deadline.[37, 39]
Coinbase established an independent quantum computing advisory board in January 2026, signaling that the largest US-based exchange considers quantum risk material enough to warrant dedicated institutional attention.[29]
NIST's September 2025 migration roadmap explicitly urged organizations to begin PQC migration planning immediately.[17]
Stripe provides an instructive counterexample. Stripe announced Tempo, a new Layer 1 blockchain for stablecoin payments, built in 2025 and 2026. Despite being designed and constructed after NIST finalized its post-quantum standards, Tempo uses secp256k1 and P-256 for its cryptography, both quantum-vulnerable. The decision to build a new blockchain on quantum-vulnerable primitives, after the standards for replacement exist, illustrates how far the industry has to go.[30]
The contrast is stark. The traditional internet is already deploying post-quantum cryptography to protect ephemeral web sessions. The cryptocurrency industry, which stores permanent, public, high-value cryptographic material, is still debating whether to start.
Early but meaningful capital flows suggest that the investment community is beginning to take the quantum threat seriously.
Christopher Smith, CEO of Quantus, predicts, "We don't know exactly how this will play out. I think the most realistic scenario is that the major chains upgrade the cryptography and some are partway through migration when Q-Day happens. This will result in a significant reshuffling of capital allocation depending on how far along in migration each chain is. Some chains may not make it through."
Beyond Project Eleven's $20 million raise, a16z and other major crypto venture firms have begun directing research funding toward post-quantum infrastructure. Academic institutions with quantum computing programs have started collaborating with blockchain projects. The Messari research platform has published dedicated coverage of quantum risk to digital assets.
These are early signals. They indicate that the smart money is beginning to position for a transition that, on arrival, will reward preparation and punish complacency.
There are two ways to get a quantum-safe blockchain: migrate an existing chain, or build a new one that was quantum-safe from day one. Migration is harder than it looks. New chains start with an advantage.
The dominant assumption in the industry is that existing blockchains will eventually migrate to post-quantum cryptography. The question, in this framing, is simply one of timing and coordination.
This framing underestimates the difficulty by a wide margin.
As Alex Shevchenko, CEO of NEAR Intents and Aurora Labs, tweeted, "Existing blockchain may introduce post-quantum cryptography (PQC). But they will face the moral dilemma to freeze assets that didn't migrate. PQC-native chains avoid this issue. @QuantusNetwork is building exactly that."[44]
Migration requires every participant in a decentralized network to take coordinated action. It requires consensus on which algorithms to adopt, agreement on transition timelines, backward-compatible protocol changes, wallet software and hardware updates, user education campaigns, exchange support, and a governance process capable of resolving the inevitable disagreements. It requires solving the lost coin problem, the throughput problem, and the address format problem simultaneously. And it requires doing all of this before a quantum computer makes the exercise moot.
Systems designed around post-quantum cryptography from inception face none of these challenges. There are no legacy addresses to migrate, no exposed public keys in the transaction history, no governance deadlock over algorithm selection, and no throughput crisis from signature bloat, because the system was sized for post-quantum signatures from day one. Every transaction, from the genesis block forward, is quantum-secure.
This is a fundamentally different risk profile. Migration is an attempt to patch a moving airplane. Genesis is designing the airplane correctly before takeoff.
When asked how he thought about the tradeoffs between building another L1 and migrating an existing one, Christopher Smith, Quantus CEO, said, "Our choice was really between forking an existing chain or building our own. If we fork an existing chain we inherit a bunch of technical debt, have to deal with additional political issues as an outsider team, and the migration issue remains unchanged. We decided that building a quantum-native chain lets us skip the technical debt, political issues and the migration issue becomes a user-adoption issue."
However, Lana Ivina of CircuitLabs clearly articulated the advantage of building on top of existing infrastructure: "Solutions that build on existing infrastructure and user trust have a strong advantage over chains that need to build a user base, community, and credibility from the ground up. Most users ultimately want confidence that the value of their assets is secure and that their ownership guarantees will be preserved.
A new chain may be designed without today's quantum vulnerabilities, but that does not automatically make it the preferred destination for existing assets. Many users may prefer to remain on a chain with a smaller but well-understood quantum attack surface, especially if that chain has a credible path toward upgrades, hard forks, or user-level migration schemes.
Bitcoin is the clearest example. It would be very difficult to convince some of the committed Bitcoin holders, including large holders and long-term Bitcoin maximalists, to move their assets to an entirely new chain. Bitcoin has a long security track record and a level of social trust that is hard to replicate fast. Even though dormant assets and exposed keys remain difficult problems, many community members would likely prefer to move funds to stronger signature schemes rather than abandon Bitcoin altogether."
The distinction becomes especially consequential under timeline uncertainty. A fifteen-year Q-Day horizon gives migration-based approaches room to succeed, though the coordination challenges remain formidable. A five-year Q-Day horizon, or a situation in which quantum capability is developed in secret by state actors, collapses migration timelines and leaves only systems that are already quantum-secure standing.
ML-DSA (previously known as Dilithium and standardized as FIPS 204) is the NIST-selected digital signature scheme that will likely serve as the backbone of post-quantum cryptographic infrastructure. Understanding both its strengths and its limitations is essential for evaluating any quantum-native architecture.
Strengths. ML-DSA is built on lattice cryptography, one of the most extensively studied foundations in post-quantum research. It provides strong security guarantees at multiple parameter levels, with ML-DSA-87 offering NIST Level 5 security, the highest standardized tier. Signature verification is fast, which matters for blockchain throughput. The algorithm has survived years of public cryptanalysis as part of NIST's evaluation process.
Tradeoffs. ML-DSA-87 produces signatures of approximately 4,595 bytes and public keys of 2,592 bytes. In aggregate, each ML-DSA-87 signed transaction carries roughly 7,187 bytes of signature and key material versus 97 bytes for an ECDSA-signed Bitcoin transaction, a roughly 70x increase in per-transaction cryptographic payload.
The throughput implications are measurable. A Bitcoin block filled entirely with ML-DSA-87 signed transactions would carry roughly an order of magnitude fewer transactions than one filled with ECDSA signatures, because a significant share of block capacity is now signature and key data rather than transaction logic. Network bandwidth requirements scale in proportion. Storage requirements scale similarly. These are engineering challenges, not fundamental barriers, but they are considerable. Any project claiming quantum resistance while ignoring the scalability implications of post-quantum signature sizes is not being forthcoming with its users or investors.
Zero-knowledge proof systems have become a cornerstone of modern blockchain architecture, used for scalability (rollups), privacy, and verification. A widespread and incorrect assumption is that ZK-based systems inherit quantum resistance by virtue of using advanced cryptography.
Lana Ivina of CircuitLabs stated, "The most dangerous misconception is that 'ZK' implies security properties. However, it does not. Zero knowledge is a mathematical property of a proof system: it means the proof reveals nothing beyond the correctness of the statement being proven. It does not automatically tell you whether the proof system is post-quantum secure.
This matters especially for systems that rely on ZK proofs for their entire state transition logic, including many layer-2s. In those systems, the proof system is part of the core security model. If the proving system, commitment scheme, or trusted setup depend on quantum-vulnerable cryptography, then the system may have a deeper quantum attack surface than just user wallets.
The loud narrative that quantum computers will break everyone's keys shifts the focus off of other infrastructural problems that come along with ZK-based systems. There are various levels where a quantum attacker's ability to create false proofs (proofs that have not been correctly created but can pass verification) is critical to the integrity of blockchain systems as a whole, not just individual wallets."
The quantum safety of a ZK system depends entirely on the cryptographic primitives it uses. A useful heuristic: elliptic-curve-based ZK is quantum-vulnerable (Groth16, PLONK with KZG, Bulletproofs), and hash-based ZK is quantum-safe (STARKs, FRI). Even a STARK-based proof system can have quantum-vulnerable signatures, P2P, bridges, or custody around it, so due diligence on any project claiming quantum readiness through ZK should evaluate both the proof system and the surrounding components.[26]
When asked how to assess the post-quantum standing of proving systems and the surrounding components that also rely on elliptic curves, Midnight Foundation's Sebastien Guillemot answered, "We see a Post-Quantum roadmap as a common requirement from partners. To facilitate this, we've created a new post-quantum proof system called Nightstream that is built from lattice assumptions (the only lattice-based full zkVM to date). We believe that lattices will provide the composability, the efficiency and the feature set required by most projects. Additionally, we're doing this effort through the Linux Foundation's LFDT to facilitate contributions from many other partners who are on this journey with us."
The original blockchain trilemma, articulated by Vitalik Buterin, posits that decentralized systems must trade off among scalability, security, and decentralization. The quantum transition introduces a new version: quantum security, privacy, and scalability.
Post-quantum signatures increase payload sizes. Privacy-preserving cryptography adds further overhead. Scalability becomes the binding constraint.
A blockchain that adopts ML-DSA-87 for quantum-secure signatures sees a 70x increase in signature data per transaction. Adding privacy features (shielded transactions, confidential transfers) compounds the cryptographic overhead. Achieving acceptable throughput with both properties requires ZK aggregation, recursive proofs, or other architectural innovations that are themselves subject to the quantum-safety constraints described above.
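The overhead described above can be put in numbers. The following is an added example (not code from the report): it models transactions per block for ECDSA versus the three ML-DSA parameter sets, and shows how amortizing signature verification into one aggregation proof per batch recovers part of the lost throughput. Signature and key sizes are the FIPS 204 and secp256k1 values; the block budget, base transaction size, batch size and proof size are constructed assumptions.

```python
"""Signature-overhead throughput model (added example, not from the report).

ECDSA sizes are secp256k1 compact signature / compressed key; ML-DSA sizes
are from FIPS 204. BLOCK_BYTES, BASE_TX_BYTES and the aggregation inputs
are constructed assumptions chosen to make the trade-off visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigScheme:
    name: str
    sig_bytes: int
    pubkey_bytes: int
    quantum_safe: bool


ECDSA = SigScheme("ECDSA secp256k1", 64, 33, False)
ML_DSA_44 = SigScheme("ML-DSA-44", 2420, 1312, True)
ML_DSA_65 = SigScheme("ML-DSA-65", 3309, 1952, True)
ML_DSA_87 = SigScheme("ML-DSA-87", 4627, 2592, True)

BLOCK_BYTES = 1_000_000   # constructed: 1 MB block budget
BASE_TX_BYTES = 150       # constructed: inputs/outputs without key or signature


def tx_bytes(scheme: SigScheme) -> int:
    """Size of one transaction carrying a full key and signature."""
    return BASE_TX_BYTES + scheme.pubkey_bytes + scheme.sig_bytes


def signature_blowup(scheme: SigScheme, baseline: SigScheme = ECDSA) -> float:
    """Signature size relative to the baseline (the report's '70x' figure)."""
    return scheme.sig_bytes / baseline.sig_bytes


def auth_data_share(scheme: SigScheme) -> float:
    """Fraction of each transaction that is key plus signature bytes."""
    return (scheme.pubkey_bytes + scheme.sig_bytes) / tx_bytes(scheme)


def txs_per_block(scheme: SigScheme, block_bytes: int = BLOCK_BYTES) -> int:
    return block_bytes // tx_bytes(scheme)


def txs_per_block_aggregated(scheme: SigScheme, batch: int, proof_bytes: int,
                             block_bytes: int = BLOCK_BYTES) -> int:
    """Signatures of `batch` txs are verified inside one proof of
    `proof_bytes`; each tx still carries its key, and the proof cost is
    amortized across the batch (constructed aggregation model)."""
    per_tx = BASE_TX_BYTES + scheme.pubkey_bytes + proof_bytes / batch
    return int(block_bytes // per_tx)
```

The model deliberately keeps the public key on-chain; chains that reveal keys only at spend time or commit to a key hash would see a smaller share of the block consumed by authentication data.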
No single project has fully solved this trilemma under one roof. The projects making the most credible progress are those using STARK-based ZK systems (plausibly post-quantum) for scalability, lattice-based signatures (ML-DSA) for quantum-secure authentication, and careful architectural design to manage the resulting data overhead.
For institutional investors, fund managers, and fiduciaries evaluating long-term exposure to digital assets, the migration-versus-genesis distinction has direct implications for risk assessment.
A digital asset secured by a chain with a credible quantum migration plan carries bounded but uncertain quantum risk. The risk depends on whether migration succeeds, whether it completes before Q-Day, and whether governance challenges resolve in a timely way.
A digital asset secured by a quantum-native chain carries bounded and more readily quantifiable quantum risk. The risk is limited to the possibility that the underlying post-quantum algorithms themselves are broken, a risk that applies equally to every post-quantum system, including the ones protecting banking infrastructure and military communications. This is a meaningfully different risk profile for institutional portfolios.
There is early evidence that markets may already be pricing this distinction. Research by Charles Edwards has proposed that Bitcoin trades at a 20 to 30 percent valuation discount attributable to unhedgeable quantum risk, a discount that could narrow alongside a credible migration plan or widen alongside a more immediate threat.[31]
BlackRock's amended prospectus for the iShares Bitcoin Trust (IBIT), filed with the SEC on May 9, 2025, made this risk explicit. The filing warned that quantum computing "could result in the cryptography underlying the Bitcoin network becoming ineffective" and could "allow a malicious actor to compromise the wallets holding bitcoin owned by the Trust or others on the Bitcoin network, which would result in losses to Shareholders." BlackRock further cautioned that "there is no guarantee that new quantum-proof architectures will be built and appropriate transitions will be implemented across the network at scale in a timely manner." The world's largest asset manager tripled the length of its quantum risk disclosure in this filing compared to the original.[32]
The traditional finance sector has already begun positioning around quantum risk, not only as a defensive measure but as a potential vector for expanding influence over cryptocurrency markets. Institutions may use quantum security requirements as justification for centralizing custody, imposing compliance frameworks, or steering assets toward regulated, centrally managed platforms. The distinction between custody failures (which accounted for $2.2 billion in losses in 2024) and cryptographic failures (which have not yet occurred at scale) is critical. Quantum-native architecture preserves decentralized custody and self-sovereignty. Centralized "quantum-safe" custody solutions do not.[26]
This section uses three planning scenarios to frame the range of outcomes. They are not predictions. The purpose is to help decision-makers stress-test their positioning against different timelines.
Forecasting is inherently uncertain, and the timeline for quantum computing's maturation carries more uncertainty than most. Uncertainty is an argument for scenario planning rather than against it.
The three scenarios below are planning frameworks, not predictions. Each one is grounded in dynamics already visible in the current landscape.
The common thread across all three scenarios is that the window between "too early to act" and "too late to migrate" is significantly narrower than the industry currently assumes.
Scenario A preserves a window, although it requires immediate, sustained coordination that has not yet begun in earnest. Scenario B compresses that window to a sliver. Scenario C creates conditions under which the window's status is unknowable, because the attack is designed to be invisible.
The asymmetry of outcomes is stark. The cost of preparing too early is manageable: larger transactions, some engineering overhead, the inconvenience of migration. The cost of preparing too late is severe: loss of funds, collapse of institutional confidence, regulatory capture, and the potential loss of cryptocurrency's position as a credible store of value.
Every month of inaction narrows the window further. Hardware milestones are accelerating. Software optimizations are compressing qubit requirements. Institutional forecasts are shortening. Governments are planning for 2030. The question is whether the cryptocurrency industry will plan with them, or be planned for.