News | OpenZeppelin

A Practical Guide to Quantum Risk in Blockchain

Written by Yuguang Ipsen | April 27, 2026

Most assume their crypto holdings are secured by unbreakable mathematics. That confidence is not unfounded. But the strength of any cryptographic system depends on the computational capability of those trying to break it. And those capabilities are changing.

This piece examines this shift. Progress in quantum computing represents a gradual but material change to the underlying assumptions that make modern cryptography work, and one that financial infrastructure cannot afford to ignore.

1. The Core Problem: Today’s Cryptography is Not Future-Proof

On public blockchains such as Bitcoin and Ethereum, transactions are authenticated using elliptic curve cryptography (ECDSA): a private key produces a digital signature, and the corresponding public key verifies it. The security of the model rests on a foundational assumption that has held for decades: that solving the elliptic curve discrete logarithm problem (ECDLP), and thus deriving a private key from a public key, is computationally infeasible. On classical computers, that assumption still holds. On a sufficiently powerful quantum computer, should one be built, it does not.

Shor's algorithm solves the discrete logarithm problem, including ECDLP, efficiently on a quantum computer. In theory, a future fault-tolerant quantum computer could recover private keys from public keys quickly enough to compromise current systems.

Grover's algorithm provides a quadratic speedup for brute-force search problems such as mining. In practice, however, this speedup is neutralized by quantum error correction overhead and the algorithm's inability to parallelize, leaving proof-of-work consensus firmly out of reach, according to Google Quantum AI and collaborators including Justin Drake of the Ethereum Foundation.

The U.S. National Institute of Standards and Technology (NIST) announced that widely used public-key systems such as RSA and ECC are vulnerable in a post-quantum setting, which is why it has already finalized replacement standards. The implication is precise but consequential: onchain wallets remain secure today. The assumption guaranteeing that security, however, has a finite horizon.

2. The Uncomfortable Reality: Your Public Key is Often Already Exposed

Many users believe their funds are safe as long as they never reveal their private key. That is only half true. On public blockchains, the public key itself is often exposed once a transaction is made.

In Bitcoin, certain address types have historically revealed public keys directly. In Ethereum, public keys can be derived from transaction signatures. In both cases, the result is the same: a permanent, publicly accessible record of cryptographic material that cannot be retracted.

This creates an asymmetric risk profile. An attacker does not need to compromise a wallet in real time. They can collect blockchain data today, extract public keys, and wait.
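The mechanism behind this exposure is public-key recovery, which every Ethereum node performs to identify a transaction's sender. The following is an added illustration, not code from the OpenZeppelin post: a minimal secp256k1 ECDSA implementation in pure Python that signs a constructed message hash and then recomputes the signer's public key from nothing but the hash and the (r, s, v) signature. The private key and payload are constructed sample values.

```python
# Added example (not from the OpenZeppelin post): how an ECDSA signature on secp256k1
# reveals the signer's public key. Ethereum nodes do exactly this recovery (ecrecover)
# to identify a transaction's sender, which is why any account that has signed a
# transaction has its public key permanently on the public record.
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def pubkey(priv):
    return ec_mul(priv, G)


def sign(priv, msg_hash):
    """ECDSA signature (r, s, v); v is the recovery id Ethereum stores with every tx."""
    z = int.from_bytes(msg_hash, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1          # fresh per-signature nonce
        rx, ry = ec_mul(k, G)
        r = rx % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r == 0 or s == 0:
            continue
        # v encodes the parity of R.y; we assume rx < N, the overwhelmingly common case.
        return (r, s, ry & 1)


def recover(msg_hash, sig):
    """Recompute the public key from hash and signature alone: Q = r^-1 * (s*R - z*G)."""
    r, s, v = sig
    z = int.from_bytes(msg_hash, "big")
    # Lift r back to the point R: solve y^2 = r^3 + 7 (P = 3 mod 4, so sqrt is a power).
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)
    if y & 1 != v:
        y = P - y
    R = (r, y)
    zG = ec_mul(z, G)
    minus_zG = (zG[0], (P - zG[1]) % P)
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, R), minus_zG))


def exposure_demo(priv, message):
    """Returns (recovered key equals the real key, recovery from a tampered hash equals it)."""
    h = hashlib.sha256(message).digest()
    sig = sign(priv, h)
    real = pubkey(priv)
    recovered = recover(h, sig)
    tampered = recover(hashlib.sha256(message + b"!").digest(), sig)
    return recovered == real, tampered == real


if __name__ == "__main__":
    # Constructed private key for the demo; never reuse a sample key anywhere real.
    d = int.from_bytes(hashlib.sha256(b"demo key, constructed").digest(), "big") % N
    print(exposure_demo(d, b"constructed transaction payload"))  # (True, False)
```

The point of `recover` is that it uses no secret at all: anyone holding a historical signature and the signed hash gets the full public key, which is the input a Shor-capable machine would need. Ethereum additionally hashes that key with keccak256 to form the address, so the address alone hides the key only until the account's first signed transaction.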

Estimates vary depending on methodology, but analysis by Chaincode Labs suggests that roughly 1.6–1.7 million BTC sit in clearly exposed legacy formats, with broader exposure potentially extending into the millions when address reuse and other patterns are included. Additionally, there are sizable dormant BTC assets, including accounts whose keys are likely lost or abandoned.

The precise figure matters less than the structural reality: exposure is permanent, and exploitation can be deferred.

3. The Real Threat Model: “Harvest Now, Decrypt Later”

Quantum risk is not a purely forward-looking concern. The dominant threat model, known as "Harvest Now, Decrypt Later" (HNDL), is straightforward: collect data today that cannot yet be broken, and decrypt it once the necessary computational capability becomes available.

This model has been explicitly identified as a systemic risk by institutions such as the Federal Reserve, in a published paper, and is also discussed in NIST migration guidance.

For blockchain systems, the implications are direct. Historical transactions, exposed public keys, and long-lived financial data are already available for collection. The moment that data enters the public record, the clock begins.

4. How Close Are We, Really?

Progress is advancing on multiple fronts: quantum hardware has scaled from tens to hundreds of physical operational qubits; error correction is being demonstrated experimentally at a small scale; and algorithmic research has reduced the estimated resources required for classical system compromise. Despite this progress, a critical "scaling gap" must still be solved to build a fault-tolerant machine capable of breaking the 256-bit elliptic curve signature scheme.

A Cambridge Centre for Alternative Finance (CCAF) report and a Google Research blog post have both lowered the estimates of the quantum resources needed to break common blockchain cryptography. The CCAF analysis suggests fewer logical qubits are needed to break RSA-2048 and explicitly warns that progress is occurring much faster than previously anticipated, narrowing the window for a smooth transition. Similarly, Google Quantum AI and collaborators compiled quantum circuits for the 256-bit elliptic curve discrete logarithm problem (ECDLP), estimating they could run on a superconducting quantum computer with under 500,000 physical qubits in minutes. This drastically reduces the estimated machine size, underscoring the urgency of action.

According to the CCAF report, expert consensus typically places a cryptographically relevant quantum computer (CRQC) 10 to 20 years away, though this is a volatile forecast. Both hardware scaling and algorithmic breakthroughs continue to compress the timeline. That said, progress is not linear: a single breakthrough could accelerate the threat significantly, while stubborn engineering hurdles could equally delay it. Critical breakthroughs in scaling are still required, and the uncertainty cuts both ways. Deferring action until certainty arrives compounds the liability: the impact of a successful attack would be catastrophic compared with the cost of migrating to quantum-resistant cryptographic schemes.

5. Further impact: Smart Contracts Are Also in Scope

The vulnerability assessment by Google Quantum AI and collaborators extends beyond individual wallets. Among the top 500 smart contracts by ETH balance, representing approximately 2.5 million ETH, the paper identifies roughly 70 contracts as vulnerable to quantum key derivation through their admin keys. The classification criteria are telling: contracts are flagged as vulnerable if their event logs contain AdminChanged or Upgraded events (consistent with the ERC-1967 proxy standard) or OwnershipTransferred events from OpenZeppelin's Ownable pattern.

These are industry-standard smart contract primitives in widespread production use. Their inclusion in the paper's vulnerability taxonomy is a direct signal that quantum risk extends to onchain financial infrastructure, not only to individual key holders. Admin key compromise at scale would affect protocol governance, upgradability, and asset custody across a significant portion of the ecosystem.
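The classification criteria above translate directly into an inventory check a protocol team can run over its own decoded event logs. The script below is an added example, not code from the OpenZeppelin post or from the Google paper: it flags contracts whose logs contain the named events, tracks the current admin from the most recent OwnershipTransferred or AdminChanged event, and marks whether that admin account has already signed a transaction (and so has its public key on record). All contract addresses, balances, logs and the sender set are constructed sample data.

```python
# Added example (not from the OpenZeppelin post or the Google paper): triage of
# contracts by admin-key event, following the criteria described in the text.
from collections import defaultdict

# Constructed decoded logs: (block, contract, event name, event args).
SAMPLE_LOGS = [
    (100, "0xCONTRACT_A", "OwnershipTransferred", {"previousOwner": "0x0", "newOwner": "0xOWNER_1"}),
    (250, "0xCONTRACT_A", "OwnershipTransferred", {"previousOwner": "0xOWNER_1", "newOwner": "0xOWNER_2"}),
    (120, "0xCONTRACT_B", "AdminChanged", {"previousAdmin": "0x0", "newAdmin": "0xPROXY_ADMIN_1"}),
    (300, "0xCONTRACT_B", "Upgraded", {"implementation": "0xIMPL_2"}),
    (130, "0xCONTRACT_C", "Transfer", {"from": "0xA", "to": "0xB", "value": 1}),
    (400, "0xCONTRACT_D", "Upgraded", {"implementation": "0xIMPL_9"}),
]
# Constructed ETH balances per contract (units: ETH).
SAMPLE_BALANCES = {"0xCONTRACT_A": 120_000, "0xCONTRACT_B": 45_000,
                   "0xCONTRACT_C": 900_000, "0xCONTRACT_D": 10}
# Constructed set of accounts that have already sent a transaction, i.e. whose
# public key is recoverable from an on-chain signature.
SAMPLE_SENDERS = {"0xOWNER_2", "0xIMPL_9"}

# Event -> argument naming the privileged key, per the criteria in the text.
ADMIN_EVENTS = {
    "OwnershipTransferred": "newOwner",   # OpenZeppelin Ownable
    "AdminChanged": "newAdmin",           # ERC-1967 proxy admin
    "Upgraded": None,                     # ERC-1967 upgrade; admin not named in the event
}


def triage(logs, balances, senders):
    """Return flagged contracts sorted by balance, with current admin and exposure status."""
    flags = defaultdict(set)
    admin = {}
    for block, contract, event, args in sorted(logs, key=lambda log: log[0]):  # chronological
        if event not in ADMIN_EVENTS:
            continue
        flags[contract].add(event)
        key_arg = ADMIN_EVENTS[event]
        if key_arg:
            admin[contract] = args[key_arg]   # latest event wins
    report = []
    for contract, events in flags.items():
        current = admin.get(contract)
        report.append({
            "contract": contract,
            "balance_eth": balances.get(contract, 0),
            "events": sorted(events),
            "current_admin": current,
            # True when the admin's public key is already on the public record;
            # None when the logs alone do not name the admin.
            "admin_key_exposed": (current in senders) if current else None,
        })
    report.sort(key=lambda r: -r["balance_eth"])
    return report


def summarize(report):
    """ETH behind flagged admin keys, and the subset behind keys already exposed."""
    flagged = sum(r["balance_eth"] for r in report)
    exposed = sum(r["balance_eth"] for r in report if r["admin_key_exposed"])
    return flagged, exposed


if __name__ == "__main__":
    rep = triage(SAMPLE_LOGS, SAMPLE_BALANCES, SAMPLE_SENDERS)
    for row in rep:
        print(row)
    print(summarize(rep))  # (165010, 120000)
```

The "Upgraded" case shows a limitation worth noting: the event names the new implementation but not the admin, so the admin of an ERC-1967 proxy has to be read from the proxy's admin storage slot rather than from logs when no AdminChanged event exists. The exposure flag separates contracts whose admin still has an unexposed key (where avoiding a first spend from that account keeps it harvest-safe for now) from those where the key is already collectable.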

6. Zero-Knowledge Proof Systems: A Second-Order Exposure

Zero-knowledge proofs let one party prove a statement is valid without revealing the secret data behind it. They are used in privacy systems such as Zcash shielded transactions and in scaling systems such as Ethereum zk-rollups. Many production zkSNARK systems rely on elliptic-curve or pairing-based cryptography that a cryptographically relevant quantum computer (CRQC) could threaten, although some production systems, such as Starknet’s STARK-based design, use hash-based constructions believed to be more quantum-resistant. In trusted-setup systems, a major risk is that a CRQC could recover setup secrets such as KZG “toxic waste” from public parameters, turning them into a reusable backdoor. If the binding of the underlying commitments fails, SNARK soundness can fail and forged proofs may verify; in some systems, privacy can also degrade through other quantum breaks. Post-quantum alternatives, including hash-based and lattice-based approaches, are advancing, so teams building on quantum-vulnerable ZK primitives could expect migration pressure over time.

7. The Good News: The Replacement Already Exists

After nearly a decade of global collaboration, NIST finalized its first post-quantum cryptography (PQC) standards in August 2024. These include ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a hash-based signature scheme that provides algorithmic diversity as a backup to ML-DSA. The lattice-based systems (ML-KEM, ML-DSA) rely on learning-with-errors problems for which no efficient quantum attacks are currently known. SLH-DSA takes a different approach entirely, using hash-based constructions as a fallback in case lattice assumptions weaken.

NIST has also selected two additional algorithms for ongoing standardization: Falcon, a lattice-based signature scheme favored for its compact signatures, and HQC, a code-based key encapsulation mechanism chosen as a mathematically diverse backup to ML-KEM.

"Quantum-resistant" does not mean unconditionally secure. It means that, based on current knowledge, no algorithm analogous to Shor's or Grover’s exists for these constructions.
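To make the "hash-based construction" idea concrete, here is an added example that is not part of the OpenZeppelin post and is not SLH-DSA itself: a Lamport one-time signature, the simplest hash-based scheme and the ancestor of the constructions SLH-DSA builds on. Its security rests only on the preimage resistance of the hash (SHA-256 here), a problem Shor's algorithm does not address and Grover's algorithm only weakens quadratically. The sizes it reports also show why hash-based signatures are far larger than ECDSA's, and the signer class enforces the one-time-use rule that makes such keys stateful. The key material is generated freshly at run time; nothing here is a real key.

```python
# Added example (not from the OpenZeppelin post): Lamport one-time signatures, the
# simplest hash-based signature scheme. Not SLH-DSA, but the same security principle.
import hashlib
import secrets

HASH_BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: two random 32-byte values per message bit; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the secret value matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed value and compare with the published half of the key pair.
    Forging requires a preimage of an unrevealed public-key hash."""
    if len(sig) != HASH_BITS:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_message_bits(msg)))


class OneTimeSigner:
    """Stateful wrapper: a second signature would reveal both halves for every bit
    that differs between the two messages, so the key must be used exactly once."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("Lamport key already used; refusing to sign again")
        self.used = True
        return sign(self.sk, msg)


def sizes():
    """Bytes on the wire for (public key, signature); compare ECDSA's 33 / 64 bytes."""
    sk, pk = keygen()
    sig = sign(sk, b"size probe")
    return sum(len(a) + len(b) for a, b in pk), sum(len(s) for s in sig)


def one_time_rule_enforced() -> bool:
    """True if the signer refuses a second signature with the same key."""
    signer = OneTimeSigner()
    signer.sign(b"first message")
    try:
        signer.sign(b"second message")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"constructed message")
    print(verify(pk, b"constructed message", sig))   # True
    print(verify(pk, b"tampered message", sig))      # False
    print(sizes(), one_time_rule_enforced())         # (16384, 8192) True
```

Production schemes such as SLH-DSA remove the one-time restriction by arranging many such keys in hash trees and compress the signatures with chained hashing, at the cost of signatures still measured in kilobytes; that trade-off is why the text notes Falcon's compact signatures as a point in its favour.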

8. Migration is the Real Bottleneck

Replacing cryptographic infrastructure at global scale requires coordinated transformation across systems that were not designed with cryptographic agility in mind.

Decentralized blockchain environments amplify this complexity. Their immutability preserves historical data indefinitely. Their governance structures require broad coordination without central authority. Their ecosystems depend on backward compatibility.

Different networks are responding in different ways. Ethereum has begun coordinated research and public roadmap discussions around post-quantum migration. For Bitcoin, a Binance report on BIP-360 describes the first transaction successfully executed on a quantum-resistant test network with BIP-360 merged, making it the most advanced active proposal for protecting exposed Bitcoin addresses.

Across the broader ecosystem, including enterprise platforms, there are already PQC experiments integrating PQC algorithms into test environments. The pattern is consistent: migration is not a single upgrade but a multi-year process that touches every layer of the stack.

9. Beyond Blockchain: The Broader Financial Services

It would be a mistake to treat quantum risk as a niche blockchain concern. Financial institutions, regulators, and infrastructure providers are already preparing for a post-quantum transition.

A World Economic Forum (WEF) report on financial services estimates that quantum computing could generate up to hundreds of billions of dollars in value for financial services, while simultaneously introducing new security risks. NIST has set a broad target for transitioning away from quantum-vulnerable cryptography by 2035.

The reason is systemic. Financial infrastructure is deeply interconnected. A vulnerability in one layer does not remain contained; it propagates. If blockchain systems are used for settlement, custody, or tokenization of real-world assets, they are part of that infrastructure. Their security posture is a financial system concern, not merely a technical one.

10. What to Prioritize Today

Quantum risk demands an operational response on a finite horizon, not a theoretical debate about an uncertain future.

Start by understanding where cryptography lives in your system. Inventory every use of quantum-vulnerable public-key cryptography, such as RSA, elliptic curve schemes (ECDSA, EdDSA, ECDH), Diffie-Hellman, and pairing-based schemes like BLS, across wallets, APIs, infrastructure, and smart contracts. Reduce unnecessary exposure wherever possible: avoid address reuse, and where public-key exposure is unavoidable by design (as with Ethereum accounts after first spend), plan for key rotation or migration to post-quantum formats when they become available. Every exposed public key becomes part of the permanent, harvestable attack surface for future quantum adversaries. Behavioral changes buy time, but durable protection will require protocol-level migration to post-quantum cryptography.

Experiment early with hybrid approaches, running post-quantum algorithms alongside existing RSA/ECC systems in test environments to build crypto agility before production migration. The Linux Foundation's Open Quantum Safe (OQS) project provides prototyping libraries and protocol integrations for exactly this purpose, though OQS itself flags its implementations as research-grade rather than production-ready.

Track ecosystem developments: Ethereum's post-quantum strawmap, Bitcoin's BIP-360 draft, and the rollout of NIST's finalized PQC standards plus ongoing standardization of Falcon and HQC.

Finally, ask direct questions of your vendors. Custody providers, cloud platforms, and infrastructure partners should be able to articulate a concrete post-quantum strategy, for instance, which algorithms, on what timeline, and how they handle hybrid deployments during the transition.

Final Thoughts

The fundamental assumption underpinning onchain security is changing. Recent research confirms that the quantum resources needed to break elliptic curve cryptography are shrinking, moving the challenge from a theoretical impossibility toward a practical engineering concern.

This validates the "Harvest Now, Decrypt Later" threat model as a long-term liability: exposed public keys, smart contract admin keys, and protocol-level systems are permanently vulnerable to future decryption once a cryptographically relevant quantum computer is available.

Fortunately, the necessary solutions are available. NIST has finalized quantum-resistant standards, and concrete migration proposals like Bitcoin's BIP-360 are already underway. The current focus is strategic operational adoption. Financial infrastructure, protocols, and users should proactively integrate Post-Quantum Cryptography as a crucial step in long-term risk management, ensuring a smooth and secure transition.

FAQs

Does quantum computing pose a real threat to blockchain security today?

Not as an executable attack: no quantum computer yet exists that can break elliptic-curve cryptography. But the structural risk is already in motion. Every exposed public key on a public blockchain today is permanently recorded and can be harvested now for decryption later, once a cryptographically relevant quantum computer (CRQC) arrives. Expert timelines for a CRQC typically fall in the 10–20 year range, but the forecast is volatile in both directions. Recent research from Google shows the required quantum resources are dropping significantly, pulling the threshold closer, while significant engineering bottlenecks, including logical-qubit error rates, physical-qubit coherence times, and scaling to hundreds of thousands of physical qubits, still need to be solved before a CRQC becomes reality.


What is the "Harvest Now, Decrypt Later" threat, and why does it matter for onchain assets?

"Harvest Now, Decrypt Later" (HNDL) refers to adversaries collecting cryptographic material today and storing it for later decryption once a cryptographically relevant quantum computer (CRQC) arrives. On blockchains, the exposed public keys from historical transactions are the primary harvest target, and because transaction records are permanent and publicly visible, this threat is not merely future-facing: the data being targeted already exists on-chain. Federal Reserve researchers and NIST have both examined HNDL as a present-day risk driving the urgency of post-quantum migration.


Are smart contracts also at risk, or is this only a wallet-level concern?

Smart contracts are explicitly in scope. Google's March 2026 research flagged roughly 70 of the top 500 smart contracts by ETH balance as vulnerable to quantum key derivation through their admin keys; these are contracts using industry-standard patterns, including OpenZeppelin's Ownable and the ERC-1967 proxy standard. Compromise of those admin keys would affect protocol governance, upgradability, and asset custody across a significant portion of onchain financial infrastructure.


Do post-quantum cryptography standards exist yet, and are they ready to use?

Yes. NIST finalized its first post-quantum cryptography (PQC) standards in 2024, including ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a hash-based backup to ML-DSA. These standards rely on mathematical problems for which no efficient quantum attack is currently known, though "quantum-resistant" means secure based on current knowledge, not unconditionally secure.


What should teams building onchain financial infrastructure prioritize now?

Start with a full inventory of where quantum-vulnerable public-key cryptography (RSA, ECDSA, EdDSA, DH, BLS) lives across wallets, APIs, smart contracts, and infrastructure. From there, teams should avoid address reuse, minimize avoidable public-key exposure, and begin experimenting in test environments with hybrid PQC, that is, running post-quantum algorithms alongside existing classical ones. Design for crypto agility so algorithms can be swapped later without rebuilding core systems, and ask custody providers, cloud platforms, and other infrastructure partners directly for concrete post-quantum roadmaps. Migration is a multi-year to decade-long process; starting early reduces both risk and operational disruption.