
Quantum Readiness: What Crypto Exchanges Should Do Today

The Quantum Threat: Why Exchanges Can’t Ignore It

Crypto exchanges sit at a unique intersection of traditional IT infrastructure and cutting-edge blockchain systems, and therefore have to consider two sides of the quantum threat.

Quantum computers strong enough to break today’s cryptography are still under development, but their threat is existential. They could theoretically decipher RSA, Diffie-Hellman, and elliptic-curve algorithms (like Bitcoin/Ethereum’s ECDSA) via Shor’s algorithm, and significantly weaken symmetric schemes via Grover’s algorithm. In practice, this means a sufficiently advanced quantum adversary could recover private keys from public keys, forge digital signatures, or even out-compute proof-of-work miners.

In one analysis, researchers estimated that roughly one-quarter to one-third of Bitcoin’s circulating supply might already be vulnerable if a quantum computer existed today, due to exposed public keys on reused addresses.

Share of Bitcoin supply potentially vulnerable to quantum attack (as of early 2025). Addresses that have revealed their public keys are considered “exposed” and comprise an estimated 25-30% of coins, making them high-risk if quantum attackers emerged. Conversely, coins in addresses that have never revealed a public key (yellow segment) are safer until spent (source: Project Eleven analysis).

The timeline for “Q-Day” – when quantum machines can break cryptography – is debated. Some experts argue it’s a decade or more away, while others warn it could come much sooner. Either way, waiting until the last minute is not an option. As Fireblocks notes, migrating to quantum-safe algorithms won’t happen overnight due to the complexity of changing the fundamental cryptographic underpinnings of wallets, transactions, and secure communications.

Industry leaders are urging institutions to aim for quantum readiness by 2030, emphasizing that preparation is the best defense. Dismissing the issue as mere hype is risky – even if quantum attacks are not viable this year, the “harvest now, decrypt later” threat means attackers may already be hoarding encrypted data (and even blockchain transaction info) to decrypt in the future.

Crypto exchanges alone cannot upgrade a decentralized blockchain’s algorithms. However, exchanges are far from helpless:

  • Off-chain, they control extensive IT systems, user data, and operational infrastructure that rely on classical cryptography. These must be assessed and fortified just like any bank or enterprise system.
  • On-chain, exchanges manage the custody of crypto assets and participate in blockchain networks. They can take steps to reduce exposure of vulnerable keys, monitor for quantum-related anomalies, and coordinate with the broader community on upgrades or responses.

In short, quantum preparedness is a shared responsibility. Exchanges that take the lead now – by hardening their own systems and planning for eventual on-chain changes – will not only protect themselves and their customers, but also signal trust and foresight to the market. There are concrete actions exchanges can and should pursue today for quantum readiness.

Securing Off-Chain Infrastructure: Lessons from Traditional IT

First, crypto exchanges should recognize that their off-chain infrastructure is like any other enterprise’s – and just as vulnerable to quantum threats. Customer databases, web services, APIs, internal networks, and communication channels all rely on encryption and digital signatures that quantum computers could one day break. Just because an exchange deals with “crypto” doesn’t mean its off-chain tech is magically quantum-safe. In fact, some exchanges may have a false sense of security (“we use modern encryption, so we’re fine”) when in reality most standard encryption (RSA, ECC, TLS, etc.) will eventually need to be replaced or augmented.

Key steps for exchanges’ off-chain quantum readiness:

Inventory and Risk Assessment

Identify where cryptography is used across the enterprise – from TLS certificates on your websites, to VPNs and SSH, to database encryption, to code-signing certificates, to user authentication flows. Prioritize systems that protect the most sensitive assets (e.g. customer personal data, account credentials, wallet private keys, etc.). Many regulators and standards (e.g. NIST) recommend a full cryptographic inventory as a first step, though this can be daunting in practice. A pragmatic, risk-driven approach is advised: focus on discovering and addressing your highest-risk cryptographic exposures first rather than “boiling the ocean”.

Upgrade Critical Communications

Ensure that inter-office and user-facing communications are using the most robust protocols with Perfect Forward Secrecy. For instance, enforce TLS 1.3 (or TLS 1.2 with ephemeral ECDH) for all web and API traffic so that even if an exchange’s traffic is recorded, it can’t be decrypted later via a broken key exchange. Where possible, start exploring hybrid cryptography (classical + post-quantum) for VPNs, API authentication, and internal messaging. For example, there are already draft standards for TLS 1.3 with post-quantum key exchange; adopting these in a hybrid mode can add quantum resistance to network traffic without dropping support for classical clients. Some exchanges have begun migrating user login and API keys to quantum-resistant algorithms (e.g. using a NIST-approved post-quantum key encapsulation mechanism (KEM) for establishing session keys).

Enforce Strong Crypto Policies

Just as you harden your servers, harden your cryptography. Configure your systems and middleware to disallow outdated or weak algorithms. For example, use your TLS inspection tools or firewalls to block any connection attempting an RSA key exchange or sub-128-bit cipher. Disable old protocol versions (SSLv3, TLS 1.0/1.1, SSHv1) and insecure cipher suites. This “crypto hygiene” ensures attackers can’t downgrade a connection to a breakable algorithm. It also prepares the ground for PQC: as new quantum-safe algorithms become standardized, you can add them to the allowed list while phasing out the obsolete ones.
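The policy in this paragraph, as an added example that is not code from the original article: it evaluates observed connections against the protocol, key-exchange and cipher-strength rules and marks which ones already use a hybrid group. The connection records are constructed, and the hybrid group allowlist entry is an assumed policy choice.

```python
from dataclasses import dataclass

# Policy values follow the paragraph above; the hybrid group entry is an assumed
# allowlist addition, and the connection records below are constructed samples.
DISABLED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
PQ_HYBRID_GROUPS = {"X25519MLKEM768"}
# (cipher-name prefix, effective strength in bits); longer prefixes come first.
CIPHER_BITS = [("AES_128", 128), ("AES_256", 256), ("CHACHA20", 256),
               ("3DES_EDE", 112), ("DES40", 40), ("DES", 56),
               ("RC4_40", 40), ("RC4_128", 128), ("NULL", 0)]
INSECURE_CIPHERS = ("RC4", "NULL")


@dataclass
class Verdict:
    allowed: bool
    reasons: list
    pq_hybrid: bool  # True when the negotiated group is on the hybrid allowlist


def split_suite(suite):
    """Split an IANA suite name into (key exchange, cipher part)."""
    body = suite[4:] if suite.startswith("TLS_") else suite
    if "_WITH_" not in body:
        # TLS 1.3 suites name no key exchange; it is always ephemeral (EC)DHE.
        return "TLS13", body
    kx_auth, cipher = body.split("_WITH_", 1)
    return kx_auth.split("_")[0], cipher


def cipher_bits(cipher):
    for prefix, bits in CIPHER_BITS:
        if cipher.startswith(prefix):
            return bits
    return 0  # unknown cipher: fail closed


def evaluate(protocol, suite, group=None):
    """Return a Verdict listing every policy rule the connection violates."""
    reasons = []
    if protocol in DISABLED_PROTOCOLS:
        reasons.append("protocol %s is disabled" % protocol)
    kx, cipher = split_suite(suite)
    if kx != "TLS13" and kx not in FORWARD_SECRET_KX:
        reasons.append("key exchange %s has no forward secrecy" % kx)
    bits = cipher_bits(cipher)
    if bits < 128:
        reasons.append("cipher strength %d bits is below 128" % bits)
    if cipher.startswith(INSECURE_CIPHERS):
        reasons.append("cipher %s is on the insecure list" % cipher.split("_")[0])
    return Verdict(not reasons, reasons, group in PQ_HYBRID_GROUPS)


# Constructed sample: (service, protocol, cipher suite, key-exchange group).
SAMPLE_CONNECTIONS = [
    ("api-gw", "TLSv1.3", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768"),
    ("web", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "secp256r1"),
    ("legacy-hsm", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA", None),
    ("old-batch", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", None),
]


def audit(connections):
    return {name: evaluate(proto, suite, group)
            for name, proto, suite, group in connections}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONNECTIONS).items():
        state = "ALLOW" if verdict.allowed else "DENY"
        print(name, state, "hybrid" if verdict.pq_hybrid else "classical", verdict.reasons)
```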

Shield and Isolate

For legacy systems that must use vulnerable crypto and can’t be upgraded quickly, isolate them as much as possible. Put them on separate network segments, limit access, and if feasible, “encapsulate” their communications with quantum-safe wrappers. For instance, if you have to maintain an older hardware security module or an app that only supports RSA, consider tunneling its connections through a PQC-enabled gateway or VPN so that an attacker intercepting the traffic still faces quantum-safe encryption externally.

Monitoring and Threat Detection

Enhance your Security Operations Center (SOC) monitoring with a quantum-threat perspective. One hallmark of a “harvest now, decrypt later” attack is mass data exfiltration – adversaries might steal large encrypted databases or traffic dumps now to decrypt once they have a quantum capability. Tune your DLP (Data Loss Prevention) and SIEM systems to flag unusual bulk exports of encrypted data. For example, if a normally restrained service account suddenly starts copying gigabytes of archive data, investigate immediately. You’d rather chase a false alarm (a backup job) than miss an indicator that your entire user database was quietly siphoned for future decryption.

Similarly, monitor the integrity of your cryptographic keys and certificates: any unauthorized certificate issuance or access to CA keys should set off alarms. An attacker with a stolen CA key or code-signing key doesn’t even need a quantum computer – they can undermine your security today, so keep a tight watch on your PKI and HSM audit logs.
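The bulk-export rule described above, as an added example rather than code from the original article: it compares each account's export volume today against its own history and flags large departures. The log format, account names, multiplier and 1 GiB floor are all constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

MB, GB = 1024 ** 2, 1024 ** 3
# Assumed log format: "<ISO timestamp> acct=<name> action=export bytes=<n> ..."
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ acct=(\S+) action=export bytes=(\d+)")


def make_line(day, acct, nbytes):
    return "%sT02:00:00Z acct=%s action=export bytes=%d dest=archive-01" % (day, acct, nbytes)


# Constructed sample: a reporting account that jumps from 50 MiB/day to 6 GiB,
# a backup job that always moves 200 GiB, and an account with no history.
DAYS = ["2025-03-0%d" % d for d in range(1, 7)]
TODAY = DAYS[-1]
SAMPLE_LOG = (
    [make_line(d, "svc-report", 50 * MB) for d in DAYS[:-1]]
    + [make_line(TODAY, "svc-report", 3 * GB)] * 2
    + [make_line(d, "svc-backup", 200 * GB) for d in DAYS]
    + [make_line(TODAY, "svc-tmp", 3 * GB)]
)


def daily_totals(lines):
    """Sum exported bytes per account per day; unparseable lines are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            day, acct, nbytes = match.groups()
            totals[acct][day] += int(nbytes)
    return totals


def bulk_export_alerts(lines, today, factor=10, floor=1 * GB):
    """Flag accounts whose volume today exceeds max(floor, factor * median history).

    The floor keeps tiny baselines from alerting on trivial volumes and makes a
    brand-new account (baseline 0) alert as soon as it moves more than `floor`.
    """
    alerts = []
    for acct, days in sorted(daily_totals(lines).items()):
        volume = days.get(today, 0)
        history = [b for d, b in days.items() if d < today]  # ISO dates sort as text
        baseline = median(history) if history else 0
        if volume > max(floor, factor * baseline):
            alerts.append({"account": acct, "bytes": volume, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in bulk_export_alerts(SAMPLE_LOG, TODAY):
        print("ALERT %(account)s exported %(bytes)d bytes (baseline %(baseline)d)" % alert)
```

The steady backup job stays quiet because it is compared with its own history, which keeps the false-alarm case from the paragraph above cheap to triage.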

Vendor and Partner Readiness

Exchanges rely on numerous third-party services – cloud providers, payment processors, analytics tools, etc. Include quantum readiness in vendor assessments and contracts. Ask critical vendors about their post-quantum migration plans. It’s reasonable to mandate (especially for new contracts) that vendors will upgrade to PQC within a certain timeframe once standards stabilize. If you use cloud HSMs or key management services, ensure they have a roadmap for supporting quantum-safe algorithms.

By pressuring vendors now, exchanges can avoid being the slowest link in the supply chain. In one quantum readiness framework for finance, an exchange “mandated that all new vendors provide PQC-compliant APIs” and leveraged cloud providers’ PQ offerings to reduce its own burden.

Crypto-Agility and Testing

Finally, invest in crypto-agility – the ability to swap out cryptographic algorithms with minimal disruption. This is as much about architecture and policy as about technology. Ensure your developers abstract cryptographic operations (so you don’t have algorithm-specific code scattered everywhere). Upgrade libraries to versions that include post-quantum algorithm support (even if you’re not using those yet). Perhaps maintain a test environment where you pilot PQC algorithms on non-production data – for example, test a small internal tool that uses a lattice-based encryption scheme, or experiment with hybrid certificates (certs that contain both classical and PQ public keys). These trials build familiarity in your team.

The goal is that when quantum-resistant standards are fully ready – likely by the early 2030s – your exchange can migrate smoothly, not in panic.


In summary, exchanges should treat quantum preparedness as an extension of good cybersecurity hygiene. Many of the above steps (inventories, network hardening, monitoring for exfiltration) are best practices even against classical threats – they just acquire new urgency in the quantum context. Don’t fall for the misconception that “our off-chain is secure enough.” If it relies on RSA/ECC today, it will not be secure enough for tomorrow. The silver lining is that by starting now, you can gradually update and isolate systems so that you’re not scrambling when standards bodies and regulators finally require PQC compliance.

Crypto Custody Under Quantum Threat: Securing Keys and Wallets

Centralized exchanges are the custodians for millions (or billions) of dollars in crypto assets. Custody systems – the hot wallets, cold wallets, private keys, and signing devices – are the crown jewels of an exchange, and they face unique quantum-related risks. Unlike a traditional bank that might worry about encrypted databases, an exchange’s core risk is that a quantum attacker could directly steal digital assets by breaking the cryptography that controls them. Thus, quantum readiness must be built into the key management and wallet architecture.

Consider the situation: most cryptocurrencies (Bitcoin, Ethereum, and many others) use ECDSA or similar elliptic-curve signatures for transactions. A powerful quantum computer running Shor’s algorithm could derive the private key from any publicly visible ECDSA signature. Normally, Bitcoin and other UTXO-based coins protect public keys by not revealing them until you spend from an address (the pay-to-public-key-hash scheme). But once you do spend, that public key is out in the open – a quantum attacker could swiftly crack it and steal any remaining funds that haven’t been moved yet. Ethereum and many account-based blockchains are even more exposed because public keys are often on-chain from the start.

What can exchanges do to protect their crypto holdings?

Reduce Public Key Exposure

A simple best practice is to avoid re-using blockchain addresses. Ensure that once a deposit address or output address has been used and its public key revealed, you sweep any remaining balance to a fresh address with a new key. Most modern exchanges already utilize one-time deposit addresses and change addresses, but it’s worth doubling down on this policy.

Recent events underscore this: the government of El Salvador, for example, redistributed its 6,000+ BTC reserve from a single address into 14 fresh addresses to ensure none of those new addresses have exposed public keys. By fragmenting funds into unused addresses (each holding at most 500 BTC), they ensured their national crypto treasury isn’t sitting behind one giant exposed key. Exchanges should take a similar cue – don’t put too many assets behind one key, and retire wallets proactively. This way, even if quantum attacks materialize, an attacker has to tackle many targets, not one single point of failure.

Strategic Wallet Fragmentation

Beyond just key reuse, consider limiting the size of each cold wallet address (similar to El Salvador’s 500 BTC cap). Spreading assets across multiple wallets creates “firebreaks” – if one key is compromised in the future, it limits the damage. Yes, this might complicate operations slightly (more UTXOs or addresses to manage), but it is a wise trade-off for risk mitigation. It’s akin to not keeping all your gold in one vault. Many exchanges already use multiple cold wallets (often per currency or per region), but instituting caps per wallet and regular transfers to new wallets can further reduce exposure.
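The two custody rules above (sweep balances left behind exposed keys, cap what sits behind any one key), as an added example that is not code from the original article. Wallet labels and balances are constructed; the 500 BTC cap mirrors the figure in the text, and treating P2TR outputs as exposed goes beyond the article (a Taproot output carries its public key directly).

```python
from dataclasses import dataclass

CAP_BTC = 500  # per-address cap, mirroring the 500 BTC example in the text

# Script types whose output itself contains the public key, so the key is
# visible on-chain before any spend. P2PKH/P2WPKH reveal it only when spent.
PUBKEY_IN_OUTPUT = {"p2pk", "p2tr"}


@dataclass
class Holding:
    label: str         # constructed wallet label, not a real address
    script_type: str   # "p2pk", "p2pkh", "p2wpkh" or "p2tr"
    balance_btc: int
    spent_from: bool   # True if this address has ever signed a spend


def pubkey_exposed(holding):
    return holding.script_type in PUBKEY_IN_OUTPUT or holding.spent_from


def split_under_cap(amount, cap):
    """Split an amount into chunks that each respect the per-address cap."""
    full, rest = divmod(amount, cap)
    return [cap] * full + ([rest] if rest else [])


def sweep_plan(holdings, cap=CAP_BTC):
    """List the moves to fresh, never-used addresses; exposed keys go first."""
    plan = []
    for h in holdings:
        if h.balance_btc <= 0:
            continue  # nothing left behind this key
        exposed = pubkey_exposed(h)
        if not exposed and h.balance_btc <= cap:
            continue  # key still hidden behind a hash and under the cap
        plan.append({
            "from": h.label,
            "reason": "public key exposed" if exposed else "balance over cap",
            "outputs": split_under_cap(h.balance_btc, cap),
        })
    plan.sort(key=lambda move: move["reason"] != "public key exposed")
    return plan


# Constructed inventory.
SAMPLE_HOLDINGS = [
    Holding("cold-A", "p2wpkh", 1200, False),
    Holding("deposit-17", "p2pkh", 3, True),
    Holding("legacy-p2pk", "p2pk", 50, False),
    Holding("cold-B", "p2wpkh", 400, False),
    Holding("hot-old", "p2pkh", 0, True),
]

if __name__ == "__main__":
    for move in sweep_plan(SAMPLE_HOLDINGS):
        print(move["from"], move["reason"], move["outputs"])
```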

Leverage Multisig and Multi-Algorithm Approaches

If supported by the blockchain, using multisignature (multisig) wallets can offer some quantum resilience. Requiring, say, 3-of-5 keys to move funds means an attacker would need to crack multiple keys, ideally held on different algorithm types. For example, you might use 4 standard ECDSA keys and 1 key from a different curve (or even a post-quantum scheme, if available via a smart contract or sidechain). This way, even if ECDSA falls, that one different key could halt an attacker.
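An added check, not from the original article: an m-of-n wallet resists the break of an algorithm family only while fewer than m of its keys belong to the broken families, and Shor's algorithm breaks every elliptic curve, not just secp256k1. The family labels and key mixes are constructed.

```python
# Families that fall together to Shor's algorithm: all elliptic-curve schemes.
ELLIPTIC_CURVE = {"ecdsa-secp256k1", "ecdsa-p256", "ed25519"}


def forged_keys(key_families, broken):
    """Number of wallet keys an attacker can forge once `broken` families fall."""
    return sum(1 for family in key_families if family in broken)


def resilient(threshold, key_families, broken):
    """True if the attacker still lacks a signing quorum after the break."""
    return forged_keys(key_families, broken) < threshold


def min_safe_threshold(key_families, broken):
    """Smallest m that keeps an m-of-n policy safe, or None if no m <= n does."""
    needed = forged_keys(key_families, broken) + 1
    return needed if needed <= len(key_families) else None


def review(policies, broken):
    """Summarise each (threshold, keys) policy against the given break."""
    return {
        name: {
            "resilient": resilient(m, keys, broken),
            "min_safe_threshold": min_safe_threshold(keys, broken),
        }
        for name, (m, keys) in policies.items()
    }


# Constructed key mixes for a 5-key wallet.
SAMPLE_POLICIES = {
    "3of5-four-ecdsa-one-pq": (3, ["ecdsa-secp256k1"] * 4 + ["ml-dsa"]),
    "5of5-four-ecdsa-one-pq": (5, ["ecdsa-secp256k1"] * 4 + ["ml-dsa"]),
    "3of5-two-ecdsa-three-pq": (3, ["ecdsa-secp256k1"] * 2 + ["ml-dsa"] * 3),
    "3of5-four-ecdsa-one-other-curve": (3, ["ecdsa-secp256k1"] * 4 + ["ed25519"]),
}

if __name__ == "__main__":
    for name, result in review(SAMPLE_POLICIES, ELLIPTIC_CURVE).items():
        print(name, result)
```

Raising the threshold so that the post-quantum key is mandatory also makes that key a single point of failure for availability, so it needs its own backup procedure.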

Some forward-looking exchanges are already exploring hybrid signing. In a U.S. SEC-sponsored quantum readiness scenario, a crypto exchange worked with its custody tech provider to implement hybrid ECDSA + “ML-DSA” signatures for Bitcoin wallets, upgrading HSMs to support both algorithms. The idea is to sign transactions with both a classical signature and a post-quantum signature, where the latter acts as a safeguard against future forgery. While current Bitcoin nodes will only verify the ECDSA part, the post-quantum signature can be retained as evidence of authenticity for the day when it might be needed.

Hybrid approaches like this immediately mitigate the “steal now, verify later” threat on the blockchain – an attacker recording the transaction and ECDSA signature would also need to break the post-quantum scheme, which is infeasible if a strong PQC algorithm is used.

Upgrade Custody Tech (HSMs/MPC)

Most exchanges use Hardware Security Modules (HSMs) or Multi-Party Computation (MPC) wallets to secure private keys. Ensure your custody solution is crypto-agile and PQC-ready. This might involve upgrading HSM firmware, or even replacing older HSMs that cannot support new algorithms. Modern HSMs are starting to offer support for NIST’s post-quantum algorithms (like Dilithium or Falcon for signatures).

If you use MPC wallet technology (where multiple servers/devices collaboratively sign transactions without exposing a full key), ask your provider how they plan to incorporate PQC. For instance, Fireblocks has indicated it’s evaluating NIST’s finalist algorithms for compatibility with their MPC custody platform.

Some newer custody projects, like those by BTQ and others, are building “quantum-secure custody” infrastructure from the ground up, using post-quantum signature schemes and even Quantum Proof-of-Work testnets for future resilience. Even if such solutions are experimental, it’s worth keeping abreast of them or participating in pilots – your exchange might partner with a firm to pilot a post-quantum vault for a small portion of assets as a proof-of-concept.

Cold Storage and Time

Emphasize truly offline cold storage for long-term holdings. The longer your assets need to remain secure, the more likely they could encounter the quantum era. Cold wallets that are kept offline (air-gapped) have a natural protection: an attacker, quantum or not, cannot access a key that’s never online.

However, note that when you do eventually bring a cold wallet online to move funds, that transaction will expose the public key. One strategy is to rotate cold storage more frequently – don’t wait 5 years to move funds; perhaps move them every year or two to new addresses (incurring an on-chain transaction each time, yes, but keeping keys “fresh”). This limits the window in which any given private key might be vulnerable.

Also consider using shorter-lived keys for hot wallets (which are online by necessity). Some exchanges already generate a new hot wallet key every week or day and sweep funds, so that if a key is compromised it only impacts a short window of transactions. Doing this also limits the window for quantum theft – if Q-Day arrives, you have fewer keys in use that were generated pre-quantum.

Plan for Emergency Key Rotation

Quantum preparedness means having a contingency plan if suddenly a cryptographic algorithm is deemed broken. Exchanges should have playbooks for rapidly moving funds if needed. Imagine waking up to news that a breakthrough happened and ECC is effectively cracked. What’s your plan? Ideally, you’d immediately invalidate or retire all exposed keys and move every asset to new addresses secured by whatever interim safe algorithm or method is available (perhaps a larger RSA key or a different curve that isn’t immediately broken, or an off-chain multisig escrow until a fork is arranged).

This kind of extreme scenario planning might feel like overkill, but incident response drills for “quantum attack on crypto” could be hugely beneficial. It’s analogous to disaster recovery planning – you hope to never use it, but you’d better have it.

As part of this, monitor the blockchain ecosystem for quantum-safe address schemes. For example, if Bitcoin soft-forked in a PQC signature option (say, a new address prefix that uses Dilithium signatures), you should be ready to migrate funds to those addresses en masse.

Ethereum’s community is working on account abstraction (ERC-4337 and beyond) which will allow smart-contract wallets that could be programmed to use quantum-resistant signature schemes. Exchanges will want to support customers in migrating to such addresses and possibly use them for their own treasury.

Stay Current on Standards

There’s a growing suite of standards and tools for crypto-asset custody in a post-quantum world. NIST has chosen algorithms like CRYSTALS-Dilithium, Falcon, SPHINCS+ for digital signatures, and CRYSTALS-Kyber for key encapsulation. While blockchain networks haven’t yet integrated these, institutional solutions are emerging that layer PQC on top of existing chains.

Keep an eye on developments such as Bitcoin Improvement Proposals (BIPs) for PQC, Ethereum research, and industry consortia. Engaging with bodies like the Blockchain Association or Global Digital Finance on this topic could give your team early insight. Some exchanges may even contribute to open-source efforts to implement PQC in crypto libraries – positioning themselves as thought leaders in the space.


In essence, custodial quantum readiness boils down to two principles: mitigate exposure (make it hard for an attacker to target your keys by fragmenting and rotating them), and prepare to migrate (build the capability to switch the cryptography protecting those keys on short notice). By taking steps like hybrid signing, multisig, and tech upgrades now, exchanges can significantly reduce the risk of a sudden quantum heist and pave the way for a smoother transition when the ecosystem moves to new crypto algorithms.

Monitoring for Quantum Attack Indicators

Even if an exchange does everything to secure its own systems and keys, a quantum-capable adversary could still wreak havoc directly on the blockchain networks. Centralized exchanges must therefore stay vigilant about the health and security of the blockchains they support. This is analogous to how exchanges monitor forks, bugs, or 51% attacks on smaller coins – quantum attacks might manifest in similar ways, and exchanges need a plan for those scenarios.

Key areas of on-chain monitoring and readiness include:

Unusual Transaction Patterns

A telltale sign of a quantum attacker in the wild would be coins moving from addresses that should be inaccessible. For example, Satoshi-era Bitcoin addresses (P2PK outputs from 2009-2010) that suddenly get drained, or an Ethereum address whose known owner lost the key years ago magically coming to life.

Exchanges should employ blockchain analytics (either in-house or via partners) to flag anomalous movements. If, say, a wave of old dormant BTC starts moving to new addresses without known owners, that could indicate someone found their private keys.

Another red flag: if multiple addresses are being emptied almost simultaneously in a way consistent with a large-scale key cracking attempt (e.g., lots of P2PKH UTXOs spent within minutes of each other but with no common input owner). While these could also be due to other exploits or events, it’s better to investigate immediately. An exchange might decide to temporarily pause withdrawals or deposits for a certain blockchain if a quantum attack is suspected, just as they would during a software bug exploit or consensus failure.

Consensus Instability

Quantum computing doesn’t only threaten keys; it could threaten consensus mechanisms. A quantum computer with enough power could potentially outmine all other Bitcoin miners (a hypothetical quantum 51% attack). Similarly, in proof-of-stake, if the signature scheme (like BLS in Ethereum) is broken, an attacker might fake validator identities and subvert block production.

Exchanges should monitor chain reorgs, sudden hash rate jumps, or validator irregularities closely. For instance, if Bitcoin’s hash rate inexplicably spikes and blocks start coming at unusual speeds, that might warrant increasing confirmation requirements or halting block acceptance until things stabilize. Likewise on Ethereum or other PoS chains, if validators start behaving oddly or a large portion get slashed simultaneously (possible if an attacker forged their signatures), the exchange might need to freeze related transactions. It’s a tough decision – pausing customer transactions is never done lightly – but the alternative could be accepting deposits that later vanish in a reorg or allowing withdrawals while the chain’s security is compromised.

Having a policy in advance for “what do we do if the chain’s cryptography is broken or under attack” is critical. This could mean defaulting to emergency settings like “require 100 confirmations for all BTC deposits” or even coordinating with other exchanges to suspend trading of the asset until clarity emerges.

Early Warning Systems

Consider establishing or joining an industry quantum threat intelligence network. This could be informal – e.g. a rapid communication channel among security leads at major exchanges, wallet providers, and blockchain dev teams, to share any hint of quantum-related incidents. Also stay plugged into academic and government reporting. If a lab announces a breakthrough in factoring or discrete log that inches close to cryptographically relevant sizes, that shouldn’t catch you off guard.

By tracking the progress of quantum computing (number of qubits, error rates, etc.), you can continuously update your risk assessments. Some organizations set up internal task forces or designate a “quantum risk owner” who periodically reviews the latest research and revises the company’s estimated quantum timeline and preparedness checklist.

Customer Communication and Market Impact

If a significant quantum event occurs – say a known quantum-vulnerable address is hacked – exchanges will be on the front lines of managing the fallout. Plan how to communicate with users in such a scenario. Customers will want to know: Are my assets safe? What is the exchange doing?

Even if the attack wasn’t on the exchange itself, users of a centralized platform will look to the platform for guidance and protection. Have draft templates for notices ready, and ensure support staff are briefed on the talking points (without causing undue panic). Demonstrating competence and calm in the face of a quantum threat could actually be a trust-building moment for an exchange, whereas confusion or denial would hurt credibility.

Participate in Quantum-Resistant Initiatives

Exchanges don’t have to just be reactive; they can be part of the solution. This means collaborating with blockchain developers and the community on testing and adopting quantum-resistant measures. For example, an exchange could volunteer to run nodes on a testnet that trials post-quantum signature schemes for Bitcoin or Ethereum.

Some exchanges have research arms or invest in startups – they might fund development of quantum-safe blockchain upgrades or sponsor bug bounties related to quantum-proofing. By engaging, exchanges gain a voice in how the eventual transitions are designed (ensuring, for instance, that there’s a reasonable migration path for custodians to move hundreds of thousands of UTXOs to new addresses).

As Fireblocks emphasized, staying involved in emerging standards and protocols – via NIST, ENISA, ISO, and blockchain consortia – is part of preparation. If your exchange has a representative in those discussions, you won’t be caught flat-footed by new requirements.

Decentralized Exchanges (DEX) and DeFi Considerations

While our focus is on centralized exchanges, a brief note on DEXs: If you also operate a DeFi platform or have integrated DEX functionality, remember that DeFi smart contracts are only as secure as the underlying blockchain. A quantum break of Ethereum’s ECDSA or BLS could lead to large-scale breaches of DeFi protocols (e.g., theft from multisig admin wallets, oracle signature forgeries, etc.).

If you provide custodial services for institutional DeFi or run a hybrid model, you’ll need similar contingency plans. Fully decentralized DEXs might argue that users hold their own keys (so the DEX isn’t a custodian), but if those user keys are quantum-vulnerable, the DEX could see chaos in its markets. Thus, even DeFi platforms should start exploring quantum-safe alternatives (like deploying contracts that could accept post-quantum signature verification from users, once available). For a centralized exchange, it’s sufficient to be aware of these because if DeFi gets attacked, it can indirectly impact centralized markets (price crashes, arbitrage exploits).

In any case, decentralized exchanges should advise and help their customers with quantum safety too – for instance, encouraging users (especially high net worth ones) to use hardware wallets or multisig that the exchange knows can be upgraded or replaced quickly when PQC arrives.

Governance, Compliance, and Competitive Edge

Lastly, quantum readiness isn’t just a technical endeavour; it has governance and business strategy dimensions:

Governance & Policy

Make quantum risk a part of your organization’s risk register and security governance. The board and executive team should be aware of it as a long-term strategic risk (like climate change or geopolitical risk).

Assign ownership – e.g., the CISO or a dedicated “Head of Cryptography” – to drive the quantum readiness program. This includes tracking progress on the IT and custody mitigations discussed above, and regularly reporting on readiness status.

Set target dates (in alignment with industry timelines like NIST’s 2030 goal for deprecating vulnerable crypto) to complete certain milestones: e.g., “by 2025, inventory all critical cryptographic systems; by 2026, upgrade all external-facing connections to hybrid PQC; by 2028, begin migrating internal systems; by 2030, have a plan to transition all crypto asset wallets” – whatever makes sense for your risk appetite.

Regulatory Compliance

Financial regulators around the world are waking up to quantum risks. In the U.S., the White House has mandated federal agencies to start the transition to post-quantum cryptography, with targets in the early 2030s.

Bank regulators have also issued advisories to assess quantum risk. Crypto exchanges, while not always under the same regulations as banks, should anticipate similar expectations. Engaging proactively with regulators can be beneficial – if you show that your exchange is already working on quantum-safe custody and communications, it could stave off harsher mandates or give you a voice in shaping reasonable regulations.

In some jurisdictions, demonstrating quantum readiness might become part of licensing (for example, a crypto custodian license might require a PQC transition plan in a few years). Being ahead of this curve avoids compliance scrambles later.

Customer Assurance & Market Differentiation

There’s a marketing upside to all this hard work. As awareness grows, institutional clients (like banks, funds, corporations holding crypto) will prefer partners who take security seriously. Advertising your quantum-readiness can be a differentiator. Fireblocks, for instance, publicly markets its efforts in cryptographic agility and quantum preparedness as a selling point. Likewise, an exchange that can say “we’re quantum-safe” or at least “quantum-ready” by implementing hybrid certificates, PQC-enhanced custody, etc., will attract security-conscious customers. Even retail users, prompted by a scary headline now and then, may feel more at ease using an exchange that has a clear answer to “what are you doing about quantum threats?”

On the flip side, if an exchange is caught flat-footed (imagine a scenario where a quantum hacker steals some crypto and only Exchange X loses funds because they hadn’t upgraded while others had), the reputational damage would be severe.

Learning from Peers and Experts

Don’t go it alone. Share knowledge within the industry. There are already cross-industry working groups on quantum-safe cryptography (e.g., the CSA Quantum-Safe Finance group, various IEEE and ISO initiatives). Some governments sponsor info-sharing forums between banks, tech companies, and academia on this topic. If your exchange has experts, have them contribute; if not, at least send someone to listen. By pooling knowledge, exchanges can develop best practices specific to crypto. For example, exchanges might collectively decide on standards for hybrid post-quantum crypto usage in custody (so that there’s interoperability and consistency).

Collaborative efforts could also reach decentralized communities – e.g., exchanges might help fund a bounty for implementing a post-quantum signature in a major blockchain, or join testnet experiments as mentioned.

Sovereign and Geopolitical Angle

A unique consideration in crypto is that nation-states might be the first with quantum capabilities, and their interests might not align with yours. Nation-states could target cryptocurrency as part of a broader cyber warfare or intelligence effort (e.g., stealing Bitcoin to undermine an economy, or cracking keys to deanonymize users). The fact that nation-state actors are likely racing towards “Q-Day” is often cited. Exchanges should factor this into threat modeling. It’s not just “some random hacker” – it could be a well-resourced adversary. This again underscores the need for urgent preparation despite uncertainty. It also means exchanges might find support from government initiatives (since governments want the financial sector to be secure). For example, some governments might offer incentives or guidance for critical financial market infrastructures to adopt quantum-safe practices. Keep an eye on such opportunities – participating in a government pilot or grant related to post-quantum cryptography could accelerate your readiness and provide extra resources.

Conclusion

Preparing for quantum computing is a grand challenge, but it’s one that crypto exchanges can tackle step by step. By addressing off-chain vulnerabilities, fortifying custodial key management, and staying vigilant on-chain, exchanges can dramatically reduce the risk of being caught off-guard by a quantum breakthrough. The goal is not to panic, but to plan pragmatically. As one strategy guide noted, even if you can’t fix everything overnight, you can mitigate the most critical risks first and “buy time” for a full transition. Every incremental improvement – be it enforcing TLS 1.3 today or testing a Dilithium signing module in your HSM next year – adds up to a stronger posture.

Crucially, don’t buy into the complacency some voices push. Yes, prominent figures have downplayed the quantum threat’s immediacy (calling it hype and assuming upgrades will happen in time). It’s true the blockchain community has a history of adapting to challenges, and I believe protocols will eventually integrate quantum-resistant cryptography. But “eventually” shouldn’t mean exchanges do nothing until a hard fork is handed to them. The better approach – echoed by forward-thinking leaders – is to start preparing now so that you’re ready to support and implement those upgrades when the time comes.

In the process of becoming quantum-ready, exchanges will also bolster their overall security and resilience. You’ll uncover hidden weaknesses, modernize infrastructure, and likely improve operational efficiency (crypto-agility often goes hand-in-hand with good IT architecture). You may even find new business opportunities – offering quantum-resistant custody services, attracting institutions that require higher assurance, or partnering with innovators in cryptography.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.