Post-Quantum

Quantum Computing Risks to Cryptocurrencies – Bitcoin, Ethereum, and Beyond

(Updated in June 2025 with latest information)

Introduction

Cryptocurrencies like Bitcoin and Ethereum derive their security from cryptographic algorithms – mathematical puzzles that are practically impossible for classical computers to solve in any reasonable time. However, the emergence of quantum computing threatens this security assumption. Unlike classical machines, quantum computers leverage quantum mechanics to perform certain computations exponentially faster, potentially breaking the cryptographic foundations of blockchain systems. While quantum computers remain in their infancy today, future quantum breakthroughs could undermine digital signatures, wallet security, and even aspects of blockchain consensus if no preventive measures are taken.

While quantum computing does not yet pose an immediate danger to cryptocurrencies, the time to act is now. The cryptographic migration to quantum-resistant algorithms is a massive undertaking that could take many years of research and careful implementation. The window of safety for current cryptography might be 5 to 10 years, but the complexity of upgrading decentralized networks means preparation cannot wait until the last minute.

Since I also previously founded Cryptosec.com, a crypto security specialist firm, this topic is very close to me for multiple reasons. So let’s explore.

Quantum Computing vs. Classical Cryptography: The Basics

Quantum computers operate on principles fundamentally different from classical computers. Instead of binary bits (0 or 1), they use quantum bits (qubits) that can exist in superpositions of states, and they exploit entanglement and interference so that, for certain structured problems, the computation amplifies the correct answer and cancels the wrong ones. This is not brute-force parallelism, which is why the speedup applies only to specific problem classes. In practical terms, certain computational problems that are intractable for classical machines become solvable on a sufficiently large and error-corrected quantum computer. Cryptography is especially vulnerable because much of modern public-key security relies on problems like factoring large numbers or computing discrete logarithms – tasks that quantum algorithms can accelerate dramatically.

Shor’s Algorithm: In 1994, Peter Shor discovered a quantum algorithm that factors large integers and solves discrete logarithm problems in polynomial time, a superpolynomial speed-up over the best known classical algorithms. This is devastating for public-key cryptosystems. Bitcoin’s and Ethereum’s signatures (ECDSA and, since Taproot, Schnorr in Bitcoin; ECDSA for Ethereum’s accounts and BLS for its validators) rely on the difficulty of the discrete logarithm problem over elliptic curves. Shor’s algorithm breaks the core assumption by enabling an attacker with a large quantum computer to derive a private key from a given public key efficiently. In essence, any currently used asymmetric cryptographic scheme (RSA, Diffie-Hellman, ECC, etc.) can be completely compromised if a powerful quantum computer runs Shor’s algorithm. This is why Shor’s algorithm is viewed as an existential threat to cryptocurrencies: an attacker could forge digital signatures, impersonate owners, and spend coins illicitly by solving the underlying math that keeps private keys private.

Grover’s Algorithm: Lov Grover’s quantum algorithm (1996) targets a different problem – unstructured search. It provides a quadratic speed-up for brute-force searching through a space of possibilities. In cryptographic terms, Grover’s algorithm can reduce the effective security of symmetric ciphers and hash functions. For example, a 256-bit hash like SHA-256 (used in Bitcoin’s proof-of-work and address hashing) would have its preimage security reduced from 2^256 to roughly 2^128 operations – still astronomically large, but a halving of the exponent of the work factor. In practice, Grover’s algorithm could at most halve the bit-strength of certain brute-force attacks, but it does not fundamentally break these algorithms the way Shor’s does for public-key crypto. For Bitcoin mining, which relies on hashing, a quantum miner might achieve a quadratic speedup in finding a valid block nonce. However, even a quadratic speedup is not enough to outpace the entire global network of classical miners unless quantum hardware becomes extremely powerful and plentiful. I would suggest that quantum computing is a “very low” threat to Bitcoin’s mining and consensus in the foreseeable future. The immediate worry is therefore not that quantum miners will dominate, but that quantum attackers could steal keys and coins by breaking signatures.

How far are we from having quantum computers capable of executing these attacks?

As of mid-2025, quantum processors are still small-scale. To break modern public-key cryptography, we would need a few thousand high-quality, error-corrected logical qubits, which translates into millions of today’s noisy physical qubits once error-correction overhead is accounted for (recent estimates for RSA-2048 have brought that figure down to under a million). For context, today’s largest quantum machines have on the order of a thousand physical qubits, all noisy, and experiments have demonstrated only a few dozen logical qubits at most. Up until recently, the expert consensus was that we have at least another 10 years. However, the progress in this field is nonlinear. Indeed, I just updated my own prediction to 2030 after a few interesting recent breakthroughs. I break it down here: Q-Day Revisited – RSA-2048 Broken by 2030: Detailed Analysis. Prudent security engineering demands that we prepare for the threat well in advance.

Bitcoin: How Quantum Computing Threatens the King of Crypto

Bitcoin is often described as secure by design, but that security hinges on cryptographic assumptions that Shor’s algorithm can invalidate. At a high level, Bitcoin uses two main cryptographic schemes:

  • Elliptic Curve Digital Signature Algorithm (ECDSA) for authenticating transactions (secp256k1 curve). This allows users to prove ownership of coins by signing a transaction with their private key, which anyone can verify using the corresponding public key.
  • SHA-256 (and RIPEMD-160) hash functions for generating Bitcoin addresses and in the Proof-of-Work mining process. Hashing ensures data integrity and links blocks together, and mining requires finding a hash below a target threshold.

A quantum attack on Bitcoin primarily targets signatures and private keys, not the hashes. With Shor’s algorithm, an attacker who obtains a Bitcoin public key can compute the private key, breaking the one-way property of scalar multiplication on the curve that classical security relies on. Let’s break down the threat into two scenarios: “storage attacks” against coins at rest in vulnerable addresses, and “transit attacks” against transactions in flight.

Vulnerable Addresses and “Storage” Attacks

In Bitcoin’s UTXO model, coins are stored at addresses which are typically represented by a hash of the public key (for standard P2PKH addresses). This design provides an extra layer of protection: as long as you haven’t spent from an address, your actual public key hasn’t been revealed on-chain – only a hash of it is known, and recovering a key from its hash is a preimage problem that Shor’s algorithm does not help with. If a quantum computer appears today, any address whose public key is already exposed (i.e. has appeared in a transaction) is vulnerable. Early Bitcoin outputs (P2PK, used for Satoshi-era mining rewards and early payments) stored coins directly by public key and are entirely exposed. Also, if a user reused a P2PKH address (sent funds from it, then later received more to the same address), that address’s public key became exposed in the spending transaction. These are the weak points a quantum attacker would target first.

How much Bitcoin is at risk? Several analyses have quantified this. Deloitte researchers scanned the blockchain and found that as of their study, about 4 million BTC reside in reused addresses (hashed addresses that have revealed a pubkey by spending) and roughly 2 million BTC reside in the old P2PK addresses. Combined, over 6 million bitcoin (around 25% of the total supply) are in theory susceptible to quantum theft if a large-scale quantum computer existed now. This aligns with a River Financial report which estimated about 5.9 million BTC were in quantum-exposed addresses, including nearly 1.9M BTC from the oldest (P2PK) outputs and around 4M BTC in reused addresses. Notably, many of those coins may be lost or long-term dormant (Satoshi’s coins, early miners, etc.), which means their owners might not be around to move them preemptively – a fact that could make them sitting ducks for an eventual quantum attacker.

For coins in “safe” addresses (non-reused P2PKH, P2SH and SegWit v0 outputs such as P2WPKH and P2WSH, which all commit only to a hash), the public key is not yet public, so a quantum attacker can’t directly grab those… until the moment you spend them. Taproot (P2TR) outputs are the exception: the output script carries the tweaked 32-byte public key itself, so coins on Taproot addresses are exposed at rest much like old P2PK coins. If you do create a transaction spending from a hash-protected address, your public key gets revealed in the transaction input. At that point, that UTXO becomes vulnerable until the transaction is mined into a block. This is the transit attack scenario we’ll discuss shortly. The key point here is that coin storage on Bitcoin is only quantum-safe if the public key remains hidden. Once exposed, that address should be considered insecure. Best practice already today (for unrelated privacy and security reasons) is to avoid address reuse, and indeed the amount of BTC sitting in reused addresses has been declining over time. Nonetheless, as of now, a non-trivial chunk of supply would be immediately at risk in a quantum scenario.
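To make the exposure logic concrete, here is an added example (not code from the original article, nor from the Deloitte or River studies it cites) of the kind of scan those studies perform: replay a transaction set, track the UTXO set, and flag outputs whose public key is already on-chain. The transactions, hashes and keys are constructed placeholders; the script templates (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR) are the standard ones. It also counts Taproot outputs as exposed at rest, which goes beyond the address types the cited studies tallied.

```python
"""Added example: scan a (constructed) Bitcoin transaction set for quantum-exposed outputs.

Replays transactions in order, tracks the UTXO set, and tallies value sitting in outputs
whose public key is already recoverable on-chain: the script carries the key itself
(P2PK, P2TR), or the same script was spent from before, revealing the key in that input.
"""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC,
)


def classify_script_pubkey(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == OP_CHECKSIG:
        return "p2pk"      # <33/65-byte pubkey> OP_CHECKSIG: key sits in the output
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"    # OP_0 <20>: SegWit v0, key behind a hash
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"     # OP_0 <32>: SegWit v0, script behind a hash
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"      # OP_1 <32>: Taproot, tweaked x-only key sits in the output
    return "nonstandard"


# Scripts that already contain a public key a DLP-solving attacker can use. For P2TR the
# visible key is Q = P + t*G; its discrete log is exactly the key that signs key-path spends.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Scripts hidden behind a hash until the first spend reveals the key or redeem script.
HASH_PROTECTED = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # (prev_txid, prev_vout) pairs; empty for a coinbase
    outputs: tuple   # TxOut instances


def scan_exposure(txs):
    """Replay txs; return (exposed_sat, unspent_sat, breakdown_by_reason)."""
    utxos = {}
    spent_from = set()   # scriptPubKeys of outputs that have been spent (key revealed)
    for tx in txs:
        for prev in tx.inputs:
            spent_from.add(utxos.pop(prev).script_pubkey)
        for vout, out in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = out

    exposed = unspent = 0
    breakdown = {}
    for out in utxos.values():
        unspent += out.value_sat
        kind = classify_script_pubkey(out.script_pubkey)
        if kind in KEY_IN_OUTPUT:
            reason = f"{kind}: key in output"
        elif kind in HASH_PROTECTED and out.script_pubkey in spent_from:
            reason = f"{kind}: reused after spend"
        else:
            continue     # hash-protected and never spent from: not exposed at rest
        exposed += out.value_sat
        breakdown[reason] = breakdown.get(reason, 0) + out.value_sat
    return exposed, unspent, breakdown


# Constructed sample chain: placeholder hashes/keys, arbitrary values.
H1, H2 = b"\x11" * 20, b"\x22" * 20
P2PK_OLD = bytes([0x41, 0x04]) + b"\x33" * 64 + bytes([OP_CHECKSIG])
P2PKH_H1 = bytes([OP_DUP, OP_HASH160, 0x14]) + H1 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_H2 = bytes([OP_DUP, OP_HASH160, 0x14]) + H2 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_A = bytes([OP_0, 0x14]) + b"\x44" * 20
P2TR_B = bytes([OP_1, 0x20]) + b"\x55" * 32

SAMPLE_TXS = (
    Tx("a", (), (TxOut(5_000_000_000, P2PK_OLD),)),   # 2009-style coinbase to a raw key
    Tx("b", (), (TxOut(5_000_000_000, P2PKH_H1),)),   # coinbase to hashed address H1
    Tx("c", (("b", 0),), (TxOut(3_000_000_000, P2PKH_H2),    # spend from H1 reveals its key ...
                          TxOut(1_999_000_000, P2PKH_H1))),  # ... change back to H1 = reuse
    Tx("d", (), (TxOut(625_000_000, P2WPKH_A),)),     # fresh SegWit v0, never spent from
    Tx("e", (), (TxOut(312_500_000, P2TR_B),)),       # Taproot: key visible in the output
)

if __name__ == "__main__":
    exposed, unspent, why = scan_exposure(SAMPLE_TXS)
    print(f"{exposed / 1e8:.3f} of {unspent / 1e8:.3f} BTC exposed ({100 * exposed / unspent:.1f}%)")
    for reason, sat in sorted(why.items()):
        print(f"  {reason}: {sat / 1e8:.3f} BTC")
```

On the constructed sample, 73.115 of 109.365 BTC is exposed: the raw-key coinbase, the Taproot output, and the change that went back to an address that had already been spent from. The fresh P2WPKH output and the never-spent P2PKH output stay protected until their owners spend them, which is exactly where the transit attack picks up.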

Bitcoin’s community is aware of this issue. Some have even proposed drastic measures to mitigate the risk to exposed coins before quantum computers arrive. One Bitcoin Improvement Proposal (BIP) introduced in 2025, for example, is the “Quantum-Resistant Address Migration Protocol” (QRAMP). This proposal suggests that all users be given a deadline to move their BTC from quantum-vulnerable addresses to new, quantum-resistant addresses. After that deadline, any UTXOs still in old address types would be rendered unspendable (“burned”) by consensus rule. This heavy-handed approach – essentially sacrificing any coins whose owners are inactive or lost – underscores the level of concern. It’s controversial, but it aims to ensure that when the day comes, there would be no honeypot of exposed keys for a quantum thief to drain. Of course, implementing such a fork would be challenging and would face opposition, especially from those who fear it could destroy coins unfairly (imagine accidentally burning someone’s savings if they missed the memo). Still, the mere discussion of QRAMP shows the growing urgency in parts of the Bitcoin developer community regarding quantum preparedness.

Short of such extreme measures, the simpler recommendation for users is: don’t reuse addresses and consider moving coins from very old addresses to new ones. If you control coins in a P2PK address from 2009-2010 or any address you’ve used to send before, migrating those funds to a fresh address (one whose pubkey has never been revealed) will protect them for the time being. However, this is only a temporary fix. Even coins in a new address will be vulnerable when you eventually spend them. That brings us to the “transit” attack risk, which threatens all Bitcoin transactions if quantum computing becomes fast enough.

“Transit” Attacks: Race to Break the Key

A transit attack (also called a short-range attack) is when a quantum-equipped adversary targets an outgoing transaction in real time. Here’s the scenario: you, the honest user, create a Bitcoin transaction sending coins from your address. Your wallet signs it with your private key, and the signature (which exposes your public key) is broadcast to the network. Normally, it takes ~10 minutes on average for miners to confirm the transaction in a block (it could be faster or slower depending on luck and fees, but tens of minutes is typical). During that window, the transaction is unconfirmed and could potentially be replaced by a competing transaction. A quantum attacker seeing your transaction could use Shor’s algorithm to derive your private key before your transaction confirms, and then quickly craft their own transaction stealing those same coins to an address they control. If they can get their stealing transaction mined first (say, by attaching a higher fee to entice miners), they would effectively hijack your payment. Your original transaction would be invalidated because the UTXO was already spent in the attacker’s transaction.

The feasibility of a transit attack depends on speed – how quickly can the quantum computer crunch the private key? If it takes, for example, hours or days, the attack is impractical because the transaction will long be confirmed. Research so far puts the time to crack a 256-bit elliptic curve key anywhere from tens of minutes to many hours, depending on the hardware assumed. Deloitte’s team cited estimates that a quantum computer might take about 8 hours to break a 2048-bit RSA key, and around 30 minutes to break a Bitcoin (secp256k1) key under certain assumptions. Thirty minutes is an impressively short time to do the impossible – but it’s still longer than Bitcoin’s 10-minute average block interval. Thus, as long as key-cracking time comfortably exceeds the time to first confirmation, Bitcoin transactions remain relatively safe from in-flight hijack. Two caveats apply. Block arrival is random, so a 30-minute crack still beats the first confirmation in a few percent of cases rather than never. And the window that matters is the time until that particular transaction is mined, not the average block interval: a low-fee transaction can sit in a congested mempool for hours, and such transactions would be the first targets. If in the future quantum hardware and algorithms improve to where a key could be cracked in, say, 1 minute or seconds, then no transaction is safe. At that point, the very act of using a non-quantum-safe signature becomes untenable – an attacker could steal coins from any address the moment it sends something. If quantum key-recovery latency ever nears the block time (10 minutes), the Bitcoin blockchain will be inherently broken without fundamental changes.
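As an added illustration (not from the original article), the model below puts the 30-minutes-versus-10-minutes comparison on a quantitative footing. It assumes block arrival is memoryless (Poisson with Bitcoin’s 600 s mean interval), that the attacker can out-fee the victim once the key is cracked, and lets you add a mempool wait for a low-fee transaction; the memoryless model and the fee-replacement assumption are mine, not the article’s.

```python
"""Added example: per-transaction success rate of a transit attack for a given crack time.

The victim's first confirmation is modelled as a Poisson process with Bitcoin's 600 s mean
block interval, optionally preceded by a mempool wait during which no block will include
the transaction (low fee, congestion). The attacker wins if the key is cracked before that
first confirmation; the model assumes the attacker can then out-fee the victim so that
the stealing transaction is mined first.
"""
import math

BLOCK_INTERVAL_S = 600.0  # Bitcoin's target mean time between blocks


def p_transit_attack_wins(crack_time_s: float, mempool_delay_s: float = 0.0,
                          block_interval_s: float = BLOCK_INTERVAL_S) -> float:
    """Probability that no block confirms the victim's tx before the key is cracked."""
    if crack_time_s <= mempool_delay_s:
        return 1.0  # key cracked while the tx is still waiting to be eligible for a block
    effective = crack_time_s - mempool_delay_s
    # Memoryless arrivals: P(no block in t seconds) = exp(-t / mean interval)
    return math.exp(-effective / block_interval_s)


def crack_time_for_target(p_target: float, mempool_delay_s: float = 0.0,
                          block_interval_s: float = BLOCK_INTERVAL_S) -> float:
    """Minimum crack time (s) that keeps the attacker's per-tx success at or below p_target."""
    if not 0.0 < p_target < 1.0:
        raise ValueError("p_target must be in (0, 1)")
    return mempool_delay_s + block_interval_s * math.log(1.0 / p_target)


if __name__ == "__main__":
    for minutes in (1, 10, 30, 60, 240):
        p = p_transit_attack_wins(60 * minutes)
        print(f"crack in {minutes:>3} min: attacker wins {100 * p:6.2f}% of races")
    print(f"30 min crack, victim tx stuck 1 h in mempool: "
          f"{100 * p_transit_attack_wins(1800, 3600):.0f}%")
    print(f"crack time for <1% success, no mempool delay: "
          f"{crack_time_for_target(0.01) / 60:.0f} min")
```

Because block arrivals are memoryless, a 30-minute crack still wins about 5% of races against a transaction that is included promptly, and every race against one that sits in the mempool for an hour; pushing per-transaction success below 1% needs a crack time of roughly 46 minutes even with zero mempool delay. A crack time equal to the block interval already wins 37% of the time.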

The good news is that we are nowhere near 10-minute cracking times; the bad news is that we don’t know how quickly that gap might close. Moreover, transit attacks are an eventual threat to all address types, even those that were safe in storage. In a transit attack, even a freshly generated address (one not seen before) becomes vulnerable the moment it’s used in a transaction, since the public key gets revealed at use. This universality is what makes the quantum threat ultimately a systemic one – in the long run, either everybody transitions to quantum-resistant crypto, or the system becomes insecure.

Other Bitcoin Attack Angles: Mining and Network

Aside from key theft, observers have wondered if quantum computing could disrupt Bitcoin’s mining (Proof-of-Work) or other aspects of the protocol. We’ve touched on mining: Grover’s algorithm can at most give a quadratic advantage in searching for a valid block hash. In theory, a quantum miner could find a block in √N steps instead of N steps (N corresponding to the size of the search space set by the difficulty). This effectively halves the bit-length of the work required, e.g. turning a 256-bit hash problem into a 128-bit one. However, even 2^128 operations is gargantuan – far beyond the total mining power in the world today. Furthermore, current quantum prototypes are not anywhere near as fast or scalable as specialized ASIC miners, and Grover parallelizes poorly: spreading the search over k quantum machines yields only a √k gain, whereas classical hash rate scales linearly with the number of ASICs. So, quantum computers do not pose an imminent or even long-term threat to Bitcoin mining under realistic progress scenarios. To outcompete the global network, quantum hardware would not only need the Grover speedup but also thousands of times more qubits and speed than available, plus overcome huge stability and energy challenges. In short, by the time quantum mining becomes a concern, Bitcoin could adjust (e.g. by using bigger hashes or simply relying on the fact that classical mining can also scale resources to compensate).

Could a quantum computer help attack Bitcoin’s network or consensus in other ways? One theoretical possibility raised is enhancing Sybil attacks – where an attacker floods the network with fake nodes to disrupt communication. Quantum optimization might make it easier to coordinate such complex attacks or break cryptographic protections in the networking layer. However, Bitcoin’s P2P traffic carries no secrets (transaction data is public), and the opportunistic transport encryption newer nodes negotiate (BIP324) only resists passive observation and tampering in transit, so breaking it yields nothing worth stealing. A more concrete risk is to second-layer protocols like the Lightning Network, which rely on 2-of-2 multisig channels, hash preimages and timelocks; a quantum attacker could potentially breach channel security by recovering a counterparty’s signing key (whose public key is known to the other party and appears on-chain at close) before the relevant timeouts expire. The hash preimages themselves are 256-bit values that Grover cannot realistically brute-force. That said, the most direct and compelling threat remains key compromise.

In summary, at present, roughly a quarter of Bitcoin’s supply is in a vulnerable state (public keys exposed) and would be the first target of a quantum attacker. The Bitcoin network as a whole would remain secure until quantum computers become fast enough to perform short-range (transit) attacks, at which point no transaction can be trusted. The window between “quantum can steal some fraction of coins” and “quantum breaks everything in real-time” might be a period where mitigation is still possible – e.g., if we see quantum capabilities reaching the level to steal old coins, that’s an alarm to urgently upgrade crypto before transaction theft becomes feasible. We will discuss later the potential solutions (post-quantum signatures, etc.) and the challenges of deploying them on Bitcoin.

However, I admit that in this discussion I am only analyzing the technical feasibility of quantum hacks. The reality is that if any old P2PK output gets publicly hacked (e.g. Satoshi’s wallet), it would destroy the trust in Bitcoin and most likely overnight wipe out almost the whole value of Bitcoin.

Ethereum: Quantum Threats in a Smart Contract World

Ethereum shares the fundamental cryptographic building blocks of Bitcoin – its externally-owned accounts (EOAs) use ECDSA signatures on secp256k1, the same curve as Bitcoin. Thus, everything said about Shor’s algorithm breaking ECDSA applies equally to Ethereum accounts and wallets. However, Ethereum’s design and usage patterns make its exposure to quantum attacks even greater in some respects.

Notably, Ethereum uses an account model (each address is a persistent account whose balance changes) rather than Bitcoin’s one-time UTXOs. By default, users reuse the same address continually for receiving and sending Ether, which means the public key associated with that address typically gets revealed with the very first outgoing transaction and remains exposed thereafter. Contrast this with Bitcoin, where best practice is to use a fresh address for each receive (meaning an address might hold funds without ever exposing its pubkey until spend time, and many wallets enforce one-and-done addresses). In Ethereum, address reuse is the norm – it’s how the system was designed for usability and for the functionality of smart contracts that have a fixed address.

Exposure of Ethereum Accounts vs. Bitcoin UTXOs

A detailed 2021 analysis by Deloitte highlighted that Ethereum has a much larger percentage of funds that are “quantum-exposed” compared to Bitcoin. Specifically, over 65% of all Ether in circulation is held in addresses whose public keys have been revealed (i.e., addresses that have conducted at least one outgoing transaction), whereas only about 25% of Bitcoin was in exposed addresses. This discrepancy is directly attributed to Ethereum’s account model.

The implication is that a quantum attacker would have a rich field of targets in Ethereum. An attacker could simply scan Ethereum’s public state (the state trie that all nodes maintain): any externally-owned account with a nonce greater than zero has sent at least one transaction. For each such address with a juicy Ether balance (and note: this also applies to ERC-20 token balances held by that address!), the attacker pulls any one of its past transactions and recovers the public key from the ECDSA signature. Ethereum signatures are recoverable by design; that recovery is how nodes derive the sender address in the first place, so no lookup beyond the transaction itself is needed. With that public key in hand, a quantum computer can then derive the private key and steal the funds. This kind of storage attack on Ethereum could potentially target the majority of Ether supply and token holdings if quantum computing reached the necessary power.

What about Ethereum’s equivalent of a transit attack? It’s fundamentally the same as Bitcoin’s: when an EOA signs a transaction, there’s a window before it’s mined where an attacker could try to crack the key and front-run with their own transaction. Ethereum’s block time is quicker (around 12 seconds in Proof-of-Stake Ethereum), so one might think transit attacks are even less likely (since there’s a smaller window than Bitcoin’s 10 minutes). However, Ethereum’s faster block time is balanced by the fact that an Ethereum attacker doesn’t necessarily need to win a mining race as starkly as in Bitcoin; instead, they could target many transactions and play a statistical game. But realistically, until quantum computers can break keys in seconds, the transit attack is not the first worry. The first worry is the static exposure of the majority of accounts as described.

Another consideration is Ethereum’s Proof-of-Stake (PoS) consensus, introduced with the Merge (the upgrade formerly branded Ethereum 2.0). PoS replaces miners with validators who authenticate blocks using cryptographic signatures (Ethereum uses BLS signature aggregates for attestations in PoS). BLS (Boneh–Lynn–Shacham) signatures rely on elliptic curve pairings (specifically on the BLS12-381 curve). This is a different mathematical setting than secp256k1, but unfortunately it is also vulnerable to Shor’s algorithm: its security rests on discrete logarithms in the curve’s groups and in the pairing’s target finite field, and Shor solves both. So quantum computing could in principle forge validator signatures or compromise validator private keys. An attacker who could steal the private keys of a large number of validators could create fake attestations or double-sign on their behalf so that the honest operators get slashed. In the extreme, a quantum attacker might pretend to be a supermajority of validators, thereby subverting finality and possibly rewriting the chain. This is a rather catastrophic scenario for PoS networks: it means quantum risk isn’t just about theft of funds, but also about integrity of the ledger. A blockchain could be made to finalize fraudulent blocks if the adversary controls enough stake via stolen keys. While this scenario requires an extremely powerful quantum computer (to grab keys quickly and at scale) and is not near-term, it’s a difference worth noting: Bitcoin’s PoW chain can still chug along even if some coins are stolen, but a PoS chain could grind to a halt if validator keys are compromised en masse.

Smart Contracts and Other Crypto Algorithms on Ethereum

Ethereum, being programmable, has another attack surface: smart contracts that implement cryptographic schemes. Many contracts (especially in decentralized finance) don’t rely on their own public-key crypto; they usually piggyback on Ethereum’s account keys for ownership (via the ecrecover precompile) and on hash functions for things like randomness or commitments. However, some contracts do use other primitives: a few early ICO contracts used RSA verification, and many zero-knowledge applications verify pairing-based proofs through the alt_bn128 precompiles. Any contract whose security relies on a non-post-quantum algorithm could be broken by a quantum computer. For instance, if a contract uses a hash as a commitment (say a hash puzzle or a timelock enforced by revealing a preimage), Grover’s algorithm might accelerate brute-forcing the preimage – although typically parameters are large enough that even a quadratic speedup is insufficient. The more glaring issue is with signatures and keys as covered.

One might ask: are there any Ethereum addresses that are quantum-safe today? Potentially yes – Ethereum does allow contracts as accounts, and a contract could be programmed to require a post-quantum signature for access. For example, one could deploy a smart contract wallet that uses a lattice-based or hash-based signature scheme (with a verifier implemented on-chain) instead of ECDSA. In practice this is not common at all and would be quite expensive gas-wise for now. Almost all users rely on the built-in ECDSA mechanism for EOAs or use standard smart contract wallets that ultimately depend on an ECDSA key for signing meta-transactions. Therefore, effectively Ethereum currently has no widespread quantum-resistant option for users.

Ethereum’s Roadmap for Quantum Resistance

The Ethereum community, led by figures like Vitalik Buterin, is actively discussing quantum mitigation and has incorporated it into long-term roadmaps. Vitalik has noted that switching to quantum-resistant cryptography is one of the motivations behind account abstraction – the idea of making verification of transactions programmable rather than hardcoded to ECDSA. With account abstraction (part of Ethereum’s planned upgrades in the “Verge” or “Splurge” phases), an account could use arbitrary signature schemes or even multiple schemes. For example, one could use a lattice-based signature (like Dilithium, standardized by NIST as ML-DSA in FIPS 204, or Falcon, selected by NIST and slated to become FN-DSA) to secure an account, and the Ethereum protocol would accept those signatures as valid via a user-provided verification logic. In Vitalik’s own words, account abstraction enables “switching to quantum-resistant cryptography [and] rotating out old keys” as a recommended practice. This flexibility would make a transition to PQC much easier, as it could be done at the account level without a hard fork that changes the rules for everyone simultaneously.

Another relevant part of Ethereum’s roadmap is an upgrade dubbed “The Splurge,” which is described as focusing on “building defenses against future quantum computing threats” among other improvements. This includes exploring lattice-based cryptography (one of the main families of math problems believed to be quantum-resistant) and adding new EVM (Ethereum Virtual Machine) capabilities to efficiently support these new cryptographic algorithms. A concrete example is the introduction of the EVM Object Format (EOF) and potential new instructions for optimized big-integer arithmetic and even SIMD operations that could be useful for implementing PQC efficiently on-chain. The idea is that Ethereum could first test quantum-resistant algorithms on Layer-2 networks or as opt-in features, vet their performance and security, and then gradually roll them out network-wide. This cautious approach means Ethereum isn’t waiting until the last minute – developers are already experimenting with quantum-safe crypto in the ecosystem.

Vitalik Buterin has also proposed an emergency security plan for a hypothetical scenario where a quantum adversary is suddenly uncovered. In early 2024, he outlined a hard fork contingency: if it were discovered that quantum hackers are actively compromising keys, Ethereum could perform a “recovery fork.” In this plan, the community would agree to revert the blocks after the point where large-scale theft began and disable ordinary EOA transactions, then let legitimate owners move their funds by a different route: a zero-knowledge proof (a STARK, which rests only on hash functions and so survives Shor) that they know the private key or the seed it was derived from, with the funds released into a quantum-safe smart contract wallet. This would be an extreme and chaotic measure, but it shows that Ethereum’s leadership is thinking through disaster scenarios. Such a fork would only be used as a last resort (and would depend on the ability to distinguish quantum hacks from normal transactions, which might be non-trivial). The mere existence of this discussion, however, is a sign that Ethereum plans to meet the threat head-on and have a plan B in case timelines accelerate unexpectedly.

In many ways, Ethereum’s situation is more urgent than Bitcoin’s. A greater proportion of its addresses are exposed by default, and its proof-of-stake consensus introduces new targets (validator keys). On the other hand, Ethereum’s culture of regular upgrades and its flexible scripting engine might make it better equipped to implement quantum-resistant algorithms when they’re ready. The community seems aware and is proactively including quantum safety in the roadmap. Transitioning a running $200+ billion ecosystem to new crypto is daunting, but at least Ethereum’s blueprint envisions how it might unfold (e.g. via account abstraction and Layer-2 trials). Before turning to solutions and mitigation in depth, let’s briefly survey how other cryptocurrencies are faring – and whether any are already quantum-safe or have unique vulnerabilities.

Other Cryptocurrencies and Assets: A Brief Overview of Quantum Exposure

Beyond Bitcoin and Ethereum, virtually all major cryptocurrencies rely on similar cryptographic assumptions and would face similar perils in the advent of quantum computers. Most blockchains use either elliptic curve signatures (with different curves in some cases) or RSA-based signatures, both of which are broken by Shor’s algorithm. Here’s a quick rundown:

  • Altcoins (Litecoin, Bitcoin Cash, etc.): Any Bitcoin-derivative network inherits Bitcoin’s cryptography (often the same secp256k1 ECDSA). Thus, they’re just as vulnerable. Litecoin, for example, differs in its PoW hash (scrypt vs SHA256) but that only affects mining; its addresses and signatures are the same type as Bitcoin’s. If anything, smaller chains could be more vulnerable socially – a quantum attacker might target them first, expecting less resistance or slower upgrades.
  • Smart Contract Platforms (Cardano, Solana, Avalanche, etc.): These typically use modern signature schemes (Ed25519 is popular, as in Cardano and many others, or secp256k1 in some cases) which are elliptic curve based. So they are all vulnerable to key theft. Cardano’s founder Charles Hoskinson has emphasized that they have a large academic team working on issues like quantum safety across the industry. Cardano’s blockchain itself does not yet use PQC, but research is ongoing (e.g. in the context of its Ouroboros consensus and Hydra head protocols). Solana has published an optional hash-based (Winternitz one-time signature) vault for quantum-resistant storage, but its core transaction signing remains Ed25519; most other chains have not publicly detailed quantum plans yet. It’s likely on the radar but not a priority while quantum computing is nascent.
  • Privacy Coins (Monero, Zcash): Monero uses Ed25519 for its ring signatures (and stealth addresses), which would be broken by quantum computing – meaning both the spending of coins and possibly the privacy of past transactions could be compromised if ring signatures can be forged or the true signer identified. Zcash relies on zk-SNARKs for privacy, which in turn use elliptic curves (and, in the Sapling pool, pairings on BLS12-381; the newer Orchard pool drops pairings but still rests on discrete logarithms on the Pallas curve), so quantum attacks could potentially reveal private transactions or allow counterfeit proofs if the math is broken. However, zero-knowledge cryptography is a fast-moving field, and transitioning to post-quantum alternatives (hash-based STARKs in particular) is an active research area. For now, Monero and Zcash are not quantum-resistant and would need upgrades.
  • Proof-of-Stake Networks: As discussed with Ethereum, any PoS chain (Cardano, Polkadot, Tezos, Cosmos, etc.) has an additional risk in that validator keys could be stolen. If an attacker can pose as >=51% of the stake (or 2/3 in BFT-style chains) by key theft, they can subvert consensus. This threat makes the urgency to move to PQC even greater for PoS networks, because it’s not just user funds but the control of the blockchain at stake. It’s worth noting, though, that some newer PoS projects are keeping an eye on quantum developments and might be more nimble in upgrading if needed (being smaller/younger systems).
  • Quantum-Resistant Projects: A few projects have distinguished themselves by focusing on quantum resistance from the start. Quantum Resistant Ledger (QRL), launched in 2018, is an example of a blockchain that uses a post-quantum signature scheme (XMSS, a hash-based signature) for address keys. XMSS is a stateful, hash-based, many-time signature scheme: a Merkle tree of Winternitz one-time keys, each of which may be used exactly once, so an address can sign only a fixed number of times and the signer must track which leaves it has consumed. Hash-based schemes are believed to be secure against quantum attacks (since their security relies on hash functions, which are only mildly weakened by Grover’s algorithm). QRL essentially sacrifices some efficiency and convenience (larger signatures, a signature budget per address, and the state-tracking burden) to achieve quantum safety. While QRL is a niche project, it demonstrates that technologically, it’s feasible to have a quantum-safe blockchain. Another project, IOTA, famously advertised itself as quantum-resistant in its early design by using a variant of Winternitz one-time signatures for transaction signing. However, IOTA’s approach had some practical issues and they later switched to more conventional schemes in recent upgrades, so it’s not fully PQC in current form. Nevertheless, such projects provide testing grounds for how a quantum-safe crypto system might operate, highlighting trade-offs in performance and usability.
  • Stablecoins and Layer-2s: It’s worth noting that even if the underlying blockchain is secure, applications like stablecoins (e.g. USDT, USDC) or Layer-2 networks that depend on Layer-1 security will inherit the quantum risks of their host chain. Tether’s CTO Paolo Ardoino speculated that quantum computing could eventually crack inactive Bitcoin wallets and “bring lost Bitcoin back into circulation” – a scenario where, say, a stablecoin issuer or anyone could suddenly access long-lost funds. The remark underscores that all actors in the crypto ecosystem, even those not running their own chain, need to be cognizant of quantum developments.
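To make the hash-based one-time signature family concrete (the building block behind XMSS in QRL and the Winternitz scheme IOTA originally used), here is an added example, not code from the article or from either project: a Winternitz-style one-time signature over SHA-256 with the one-time-use rule enforced explicitly. The parameters (w = 16, 67 chains, index-prefixed hashing) are this example’s own choices, simplified from the standardized constructions.

```python
# Added example: Winternitz-style hash-based one-time signature (WOTS) over
# SHA-256. Not the article's or QRL's code; parameters are this example's own.
import hashlib
import os

W = 16            # Winternitz parameter: each chain encodes one base-16 digit
N = 32            # SHA-256 output length in bytes
MSG_CHAINS = 64   # 32-byte message digest -> 64 base-16 digits
CSUM_CHAINS = 3   # checksum is at most 64 * 15 = 960 < 16**3
CHAINS = MSG_CHAINS + CSUM_CHAINS   # signature = 67 * 32 = 2144 bytes

def _chain(x: bytes, start: int, steps: int, i: int) -> bytes:
    """Hash x `steps` times, mixing in chain index and position so values
    from one chain cannot be reused in another."""
    for pos in range(start, start + steps):
        x = hashlib.sha256(bytes([i, pos]) + x).digest()
    return x

def _digits(msg: bytes) -> list:
    """Message digits plus a checksum; the checksum is what prevents an
    attacker from forging by merely advancing chains further."""
    d = hashlib.sha256(msg).digest()
    digs = [c for b in d for c in (b >> 4, b & 15)]
    csum = sum(W - 1 - x for x in digs)
    return digs + [(csum >> 8) & 15, (csum >> 4) & 15, csum & 15]

class WotsKey:
    def __init__(self) -> None:
        self.sk = [os.urandom(N) for _ in range(CHAINS)]
        ends = b"".join(_chain(s, 0, W - 1, i) for i, s in enumerate(self.sk))
        self.pk = hashlib.sha256(ends).digest()   # compressed 32-byte public key
        self.used = False                         # one-time-use state

    def sign(self, msg: bytes) -> bytes:
        # Signing twice reveals intermediate chain values for two digit
        # patterns, which lets a forger sign other messages; refuse it.
        if self.used:
            raise RuntimeError("one-time key already used")
        self.used = True
        return b"".join(_chain(s, 0, d, i)
                        for i, (s, d) in enumerate(zip(self.sk, _digits(msg))))

def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Finish every chain from the signed value and compare to the public key."""
    if len(sig) != CHAINS * N:
        return False
    parts = [sig[i * N:(i + 1) * N] for i in range(CHAINS)]
    ends = b"".join(_chain(p, d, W - 1 - d, i)
                    for i, (p, d) in enumerate(zip(parts, _digits(msg))))
    return hashlib.sha256(ends).digest() == pk
```

The 2144-byte signature against a 64-byte Schnorr signature is the size trade-off the text refers to; XMSS adds a Merkle tree over many such keys so one public key can sign many messages, at the cost of tracking which leaf keys have been used.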

In summary, no major cryptocurrency today is fully quantum-proof. Most are in the same boat: reliant on classical cryptography that needs an upgrade. The advantage is that the cryptographic community, led by efforts like NIST’s post-quantum cryptography project, is developing candidate algorithms that could replace ECDSA, RSA, and the like. However, integrating those into decentralized networks is non-trivial. We will next discuss the timeline of the threat more concretely and then move on to mitigation strategies and their challenges.

Toward a Quantum-Resistant Crypto Future: Solutions and Challenges

The ultimate fix for the quantum threat is conceptually simple: replace vulnerable cryptographic algorithms with quantum-resistant (post-quantum) algorithms. In practice, however, this is a complex endeavor, especially for decentralized systems with billions at stake. We will discuss the emerging post-quantum algorithms, the trade-offs they bring, and how Bitcoin, Ethereum, and others might implement them. We’ll also consider the governance challenge – reaching consensus on such a profound change.

Post-Quantum Cryptography (PQC) Algorithms

The good news is post-quantum algorithms exist and are being standardized; the bad news is they are not drop-in replacements in terms of performance. New algorithms might have drawbacks relative to our current cryptography – whether in processing time, key size, or signature size. For a blockchain, bigger signatures mean bigger transactions, which affect throughput and storage. Slower verification means each node can verify fewer transactions per second, affecting scalability. Many blockchains are already struggling with throughput and cost, so adopting a slower or bulkier crypto algorithm could be a hard pill to swallow. However, these are not insurmountable issues; they just might require parallel efforts like improving base-layer capacity or using clever techniques (like aggregation of signatures to amortize costs).

Another aspect is that blockchains often use custom cryptography in various places. For example, Ethereum’s address format uses Keccak-256 hashing. Hash functions are largely fine (128-bit security after Grover is okay for now). But something like Ethereum’s BLS signature aggregation might need to move to an aggregated post-quantum signature (still a nascent area of research – how to aggregate PQ signatures efficiently). Additionally, many layer-2 solutions and bridges rely on cryptography that may need upgrading (imagine a SNARK proving system that uses elliptic curve cryptography – it might itself need a PQ overhaul). The industry will have to systematically catalog and upgrade every instance of vulnerable crypto.

Upgrading Bitcoin: Soft Forks vs Hard Forks

For Bitcoin, making a change to the signature algorithm is a big deal. The consensus rules currently require a valid ECDSA or Schnorr signature for spending coins. One path to introduce PQC is via a soft fork – adding a new address version (or script opcode) that allows a choice of signature algorithms. For instance, a new output type could be “P2PQSignature” which, when spent, must provide a signature valid under a post-quantum algorithm (along with perhaps the algorithm identifier). Old nodes would not understand this new rule but could be made to treat such outputs as anyone-can-spend (which is how soft forks usually work, with new rules enforced by updated nodes only). This would require careful design to avoid creating security holes for nodes that haven’t upgraded. An alternative is a hard fork where the entire network switches the required signature algorithm (or allows multiple) – but hard forks are more disruptive and contentious.

There have been proposals in the Bitcoin community to kickstart this process. Aside from the radical QRAMP (which is more about policy than the algorithm), other developers have suggested a BIP for a quantum-resistant signature option, sometimes called P2QR or similar. The idea is to pick a specific PQC scheme (say, Dilithium or Falcon or a hash-based scheme) and implement it as a new standard for addresses. One challenge is which algorithm to choose – each has pros and cons, and making it part of Bitcoin would effectively lock it in unless another fork is done. Some argue for multiple algorithms to hedge bets (so-called hybrid approaches, where an address might require both an ECDSA and a PQ signature, or one of N algorithms).

Another challenge is that some coins (like the 4 million BTC in limbo) whose owners or private keys are lost can never be moved to the new scheme. If those remain in old addresses, they stay an eternal vulnerability. This is what motivates discussions of deprecating old address types entirely after a point in time. But that’s socially and technically tricky.

Crucially, Bitcoin’s governance is famously conservative and slow to change. Past upgrades like SegWit took years of debate. A quantum upgrade might be even more contentious because it could involve perceived winners/losers (e.g., if coins are burned). The panel also highlighted research indicating that performing a full upgrade (including migrating all wallets) could require at least 76 days of dedicated effort on-chain, even in an optimistic scenario. In practice it could be much longer, especially since you can’t freeze the blockchain during that time – the network has to continue operating while upgraded and non-upgraded coins intermingle. This suggests that, ideally, Bitcoin’s transition would start long before the threat is imminent, giving years of overlap where both old and new cryptography coexist. We haven’t seen that start yet in Bitcoin’s roadmap (no concrete BIP for a specific PQC algorithm has been adopted as of 2025), but awareness is growing.

Upgrading Ethereum and Others

Ethereum’s approach, as mentioned, leans towards using account abstraction so that multiple cryptographic schemes can live side by side. This might allow a smoother user-driven upgrade: new wallets could create quantum-safe smart contract wallets and gradually shift funds, without forcing the entire network to flip a switch at once. Ethereum’s willingness to hard fork more frequently could also mean a coordinated cut-over is possible if needed (for example, they could declare that by Ethereum Protocol Version X all validators and wallets must use PQC, and plan that fork accordingly).

One risk for Ethereum is the smart contract ecosystem: contracts that specifically expect ECDSA-based addresses or use ecrecover (a built-in function that recovers the public key from a signature) might break if new schemes are introduced. Ethereum might have to update its precompiles or the EVM to handle PQ signature verification (indeed, proposals for new precompiles or EVM opcodes for lattice crypto exist). This is doable, but until it is done, it’s a point of friction.

Other chains will have their own specifics, but many will likely follow Bitcoin or Ethereum’s lead. For instance, if Bitcoin picks a scheme, Litecoin and others might copy it. If Ethereum implements one, projects on Ethereum (and perhaps other EVM chains) might adopt similar approaches. There could be an advantage in coordination – industry-wide consensus on a handful of PQC standards would make implementation easier (libraries, hardware support, etc. could be shared).

Hybrid Approaches and Layered Security

One interim strategy that has been suggested is using hybrid cryptography – combining classical and post-quantum keys such that an attacker must break both. For example, an address could be set up to require two signatures: one from a traditional ECDSA key and one from a PQC key. This way, even if quantum appears and breaks ECDSA, the PQC half remains as a hurdle (and vice versa if somehow the PQC scheme had an unforeseen flaw but ECDSA was still strong against classical attacks). Some exchanges and custodians might even now consider adding a layer of PQC to their cold storage (for instance, sign a secondary authentication with a PQ algorithm) such that even a quantum adversary would have to breach two layers. The downside is complexity and larger transaction sizes, but it could be a practical stopgap.

There’s also the concept of crypto-agility: designing systems to be able to swap out cryptographic primitives without huge disruption. Account abstraction in Ethereum is a step towards crypto-agility. Bitcoin could gain some agility by supporting new script opcodes that allow verifying arbitrary signatures (with a pointer to the algorithm). This way, Bitcoin could add algorithm support via soft forks over time. Some altcoins might take the opportunity to market themselves as “quantum ready” by doing this early.

The Human and Regulatory Factor

Technical solutions alone aren’t enough; the transition involves people and institutions:

  • User Migration: Even if a network supports PQC, users have to actually move their funds to new-style addresses. Some will procrastinate or be unaware (just as many Bitcoin users kept using insecure practices long after best practices were known). Wallet software will need to make the new crypto seamless to use, otherwise adoption will lag. This is where education and awareness are key: the community must be informed about quantum risks to motivate action.
  • Regulatory Guidance: Regulators and governments are increasingly aware of quantum risks. Some governments might issue guidelines or requirements for crypto service providers to have quantum risk mitigation plans. The UAE, interestingly, has a Cryptography Executive Regulation that requires integrating quantum-resistant measures in certain contexts. And notably, when BlackRock filed for its Bitcoin ETF, it expanded the risk disclosure to explicitly mention quantum computing as a threat. This kind of language could prod more institutional players to ask “what’s the industry doing about this?” and perhaps support efforts to upgrade. Regulators might eventually set a timeline (e.g., “by 2030, critical financial systems should be quantum-resistant”), which would certainly light a fire under crypto projects.
  • Coordination Bodies: Groups like the Blockchain Governance Initiative Network (BGIN) or the IEEE have working groups on quantum-safe blockchain tech. An informal consensus, or at least a body of shared findings, may emerge that helps each blockchain’s developers. The Linux Foundation’s Decentralized Trust project is analyzing quantum threats to blockchain as well. Cross-industry collaboration will be beneficial because the cryptography itself is universal: having a secure algorithm is not a competitive advantage, since everyone will need one.

Conclusion

Quantum computing, with its immense promise, brings equally immense peril to the cryptographic bedrock upon which cryptocurrencies are built. Bitcoin, Ethereum, and almost every other crypto system rely on problems that quantum algorithms will eventually solve with ease – unless we adapt. The quantum threat to crypto is real, but it is also manageable if addressed in time. We have the technical knowledge of what needs to be done: transition to quantum-resistant algorithms for signatures, key exchanges, and potentially redesign parts of protocols to accommodate the new cryptography’s demands. The harder part is the coordination, engineering, and execution across global decentralized communities.

There is a silver lining: if handled properly, the coming quantum revolution could actually strengthen cryptocurrency in the long run. It will force maturation of cryptographic agility in these systems, resulting in designs that can withstand not just quantum computers but also any future advances in computing. And it will distinguish the truly robust decentralized systems from those that can’t upgrade in time.

Bottom line: The sooner we act, the safer our crypto future will be.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.