Article by imToken
Last week, the Google Quantum AI team published a landmark paper indicating that, under a superconducting architecture with specific error correction and hardware assumptions, future quantum computers could break the 256-bit elliptic curve discrete logarithm problem (ECDLP-256)—widely used in current cryptocurrencies and blockchains—in just minutes using fewer than 500,000 physical qubits, reducing the estimated qubit requirement by approximately 20 times compared to prior projections.
This directly points to ECDSA, the core signature scheme used by Bitcoin, Ethereum, and nearly all major public blockchains. As soon as the news broke, claims that “quantum computers could crack Bitcoin private keys” began spreading rapidly online.
It is worth taking a step back to clarify this matter: the threat is real, but it is still far from "your wallet won't be safe tomorrow."
More importantly, the entire industry has already taken action.

I. What exactly is quantum computing threatening?
To understand this issue, let’s start at the most fundamental level: how are your crypto assets actually protected?
It is well known that on Bitcoin or Ethereum, each account is associated with a pair of keys: a private key and a public key. The private key is a randomly generated large number, kept highly confidential, much like the password to your safe. The public key is derived from the private key through elliptic curve multiplication, and your wallet address is a string obtained by applying a hash function to the public key.
The security foundation of this system lies precisely in the fact that this process is one-way.
In short, deriving the public key from the private key is straightforward, but reversing the process—deriving the private key from the public key—would take far longer than the age of the universe on classical computers. This is the essence of the "elliptic curve discrete logarithm problem" (ECDLP): forward computation is easy, but the reverse computation is infeasible.
However, quantum computers break this assumption—they can solve integer factorization and discrete logarithm problems in polynomial time. In other words, a sufficiently powerful quantum computer could, in theory, derive your private key from your public key.
So the question arises: when is the public key exposed?
Every time you initiate a transaction on the blockchain, you must sign the transaction data with your private key and broadcast your public key for verification, meaning that once you've sent a transaction, your public key is already publicly available on the chain.
The significance of this Google paper is that it moves the task of "deriving the private key from the public key" from a theoretically possible but impractical notion to a tangible goal on the roadmap of quantum hardware. For instance, according to the paper’s estimates, breaking 256-bit ECDLP would require approximately 500,000 physical qubits in a fault-tolerant quantum computer—significantly lower than previous estimates.
In other words, quantum computing does not break the blockchain itself; it first targets the signature schemes within blockchains that still rely on the elliptic curve discrete logarithm problem.
Therefore, the threat is real, but strictly speaking, the term "imminent" is inaccurate; industry experts generally estimate the window will open no sooner than around 2030.
II. What preparations are each blockchain making?
Of course, objectively speaking, there is a key distinction that many reports have failed to clarify: many Bitcoin addresses do not immediately expose the public key on the blockchain.
For common formats such as P2PKH and P2WPKH, the address itself is typically just a hash of the public key; the public key is usually only revealed at the time of the "first spend." This means that if your address has never initiated a transaction, only your wallet address appears on the blockchain, not the public key.
Therefore, the most direct attack surface of quantum computing is more focused on the public keys of addresses that have already made transactions. Of course, this detail immediately leads to the first action users can take today—we’ll discuss that shortly.
The industry is well aware of this issue; in fact, preparations for the migration to post-quantum cryptography are being advanced simultaneously on multiple fronts.
Ethereum's approach is to decouple the account layer from the signature scheme—for example, through the advancement of EIP-7702 and Account Abstraction (AA)—allowing Ethereum accounts to define what constitutes a valid signature via smart contract logic. This means that, in the future, when post-quantum signature schemes are introduced, there will be no need to rewrite the underlying protocol; only the account’s signature verification module needs to be replaced.
Furthermore, Ethereum Foundation cryptographer Antonio Sanso presented the latest progress on Ethereum’s quantum resistance at EthCC9, noting that quantum computers could pose a practical threat to the ECDSA signature algorithm by the mid-2030s. Ethereum has already completed approximately 20% of its quantum resistance preparations and plans to achieve full quantum resistance through the Lean Ethereum upgrade between 2028 and 2032.
However, the primary technical challenge currently is signature size: even the most lightweight post-quantum signature algorithm, Falcon, produces signatures more than 10 times larger than ECDSA, and verifying lattice-based signatures directly in Solidity incurs extremely high Gas costs. Therefore, the research team has established two core technical pathways:
First, account abstraction allows users to upgrade their wallet signing algorithms to quantum-resistant solutions without modifying the underlying protocol;
Second, LeanVM is introduced to handle complex hash computations and is combined with zero-knowledge proofs to verify ownership of address mnemonics, ensuring asset security during the migration process.
Antonio will host the biweekly ACD post-quantum special meetings starting February 2026; experimental post-quantum testnets are already live on consensus clients such as Lighthouse and Grandine.

In addition, the Bitcoin community is taking a notably more conservative approach: BIP360, recently submitted to the BIPs repository, introduces a new output type, P2MR (Pay-to-Merkle-Root), one of whose design goals is to eliminate the quantum-vulnerable key-path spend from Taproot, thereby reserving a more favorable structure for a potential future migration to post-quantum signatures.
Of course, a proposal entering the BIPs repository does not imply community consensus has been reached, nor does it mean adoption is imminent. Therefore, it can only be said that the Bitcoin community has begun more specific discussions around quantum exposure and potential changes to output types, which is entirely consistent with Bitcoin's usual style—first clearly defining the problem, then slowly building consensus.
Notably, as early as 2024, the U.S. National Institute of Standards and Technology (NIST) officially released three post-quantum cryptographic standards, providing the blockchain ecosystem with a clear migration target and eliminating the need to wait for consensus on which algorithm is superior—practical implementation is already underway.
III. What should regular users do?
Although the threat from quantum computers is years away, the fact that it lies in the future doesn’t mean it can be ignored today—some good habits, adopted now, come at almost zero cost.
First and foremost, avoid address reuse—it’s the most direct and effective way to protect yourself.
As mentioned above, the reason is that if you use a UTXO chain like Bitcoin, your public key is exposed on the chain with every transaction you send; if you repeatedly use the same address, your public key remains publicly visible long-term, and once quantum computing becomes viable, attackers could effortlessly derive your private key from your public key.
Most mainstream wallets, such as imToken, now default to HD wallet functionality. A good practice is to use a new address for each transaction rather than repeatedly using the same address as a permanent identifier. For addresses that have never sent a transaction, the public key has never been exposed, making current quantum threats nearly irrelevant.
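The exposure rule described above (the address commits to a hash of the public key, the first spend reveals the key, and reuse keeps it exposed while the address still holds funds) can be checked by replaying a ledger. This is an added example, not imToken's code; the keys, the ledger and the use of SHA-256 in place of Bitcoin's HASH160 are constructed assumptions.

```python
import hashlib

# Added example (not imToken's code). Bitcoin P2PKH/P2WPKH addresses commit
# to HASH160(pubkey) = RIPEMD160(SHA256(pubkey)); SHA-256 stands in here so
# the block runs where hashlib has no ripemd160. Keys and ledger are constructed.

def address_of(pubkey: bytes) -> str:
    """Address = hash of the public key; the key itself is not on-chain yet."""
    return "addr_" + hashlib.sha256(pubkey).hexdigest()[:16]

# Constructed public keys (placeholders, not real secp256k1 points).
PUBKEYS = {n: f"fake-pubkey-{n}".encode() for n in ("alice", "bob", "carol")}
ADDR = {n: address_of(pk) for n, pk in PUBKEYS.items()}

# Constructed ledger in satoshis, fees ignored. An input is (address, amount,
# revealed pubkey): spending is what publishes the key. tx2 sends alice's
# change back to her own address, the reuse pattern the article warns about.
LEDGER = [
    {"inputs": [], "outputs": [(ADDR["alice"], 100_000), (ADDR["bob"], 50_000)]},
    {"inputs": [(ADDR["alice"], 100_000, PUBKEYS["alice"])],
     "outputs": [(ADDR["carol"], 60_000), (ADDR["alice"], 40_000)]},
    {"inputs": [(ADDR["carol"], 60_000, PUBKEYS["carol"])],
     "outputs": [(ADDR["bob"], 60_000)]},
]

def audit(ledger):
    """Replay the ledger; return {address: (balance, public_key_exposed)}."""
    balance, exposed = {}, set()
    for tx in ledger:
        for addr, amount, pubkey in tx["inputs"]:
            # Same check a node does: the revealed key must hash to the address.
            if address_of(pubkey) != addr:
                raise ValueError(f"revealed public key does not hash to {addr}")
            exposed.add(addr)  # once revealed, the key is public forever
            balance[addr] = balance.get(addr, 0) - amount
        for addr, amount in tx["outputs"]:
            balance[addr] = balance.get(addr, 0) + amount
    return {a: (b, a in exposed) for a, b in balance.items()}

def at_risk(report):
    """Funds sitting on addresses whose public key is already on-chain."""
    return sum(b for b, exp in report.values() if exp and b > 0)

if __name__ == "__main__":
    rep = audit(LEDGER)
    for addr, (bal, exp) in rep.items():
        print(f"{addr}: {bal:>7} sat  pubkey exposed: {exp}")
    print("at risk if ECDLP-256 falls:", at_risk(rep), "sat")
```

Only alice's 40,000 sat of change is flagged: bob has never spent, so his key is still hidden, and carol's key is public but her address is empty.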
Second, pay attention to the post-quantum upgrade roadmap for your wallet.
If you primarily use account-based chains like Ethereum, the focus should not be on mechanically switching to new addresses constantly, but rather on whether the wallet you use and the public chain you're on will offer a clear migration path in the future.
For account-based blockchains, the greater challenge in the quantum era is not single-point exposure, but the long-term binding of active accounts, public key histories, on-chain identities, and application permissions. Once the actual migration window opens, those whose accounts are more upgradable and whose wallets can more smoothly replace signature logic will be safer.
Finally, from a human perspective, it is foreseeable that as interest in this topic grows, an increasing number of wallets and protocols claiming to be “quantum-safe” will emerge—we must remain vigilant against wallets, protocols, and infrastructure products that trade on the banner of “quantum safety.”
When faced with such claims, the most important questions aren't about the marketing copy, but these three tougher ones:
Is the algorithm it relies on a finalized NIST standard?
Has its security been independently audited and thoroughly verified?
Is its claimed quantum security a chain-level migration, an account-level upgrade, or merely an application-layer wrapper?
After all, true post-quantum security must ultimately cover the entire path—from signing and verification to on-chain compatibility—not just an app label.
Overall, the threat quantum computing poses to blockchain is real, and the significance of Google’s latest white paper lies in moving this threat from a distant theoretical concept closer to a tangible, foreseeable risk.
But this is still not a sign that “your wallet will be hacked tomorrow.” A more accurate understanding is that post-quantum migration is no longer just an academic topic—it will gradually become a practical issue in protocol upgrades, wallet design, and user asset management over the coming years.
In conclusion
What truly matters for the industry next is not who shouts “quantum is coming” first, but who can clearly design the migration path first.
For users, there’s no need to panic right now—instead, start by building a basic understanding of risk: which assets are most exposed, which actions increase exposure, and which wallets and blockchains are most likely to offer smooth upgrades in the future.
What we need is to act early, not to become overly anxious.
Let’s strive together.