Quantum Computing and Blockchain: A Systemic Reset of Public-Key Cryptography

iconMetaEra
Share
AI summary iconSummary
Quantum computing is not a "doomsday weapon" that ends blockchain, but rather a systemic reset of modern public-key cryptography.

Author: 0xjacobzhao @ IOSG

Source: IOSG

Suppose, on a quiet凌晨 in some year 203X, an on-chain monitoring alert suddenly shattered the stillness: a batch of early BTC addresses, dormant for over a decade, began ghostlike transferring assets. There was no hacking, no private key exposure—only seemingly legitimate signatures generated out of thin air. As high-value dormant UTXOs were systematically drained, the market finally awoke from its slumber: an unknown quantum computing entity had gained the ability to reverse-engineer private keys directly from historically exposed public keys. Panic instantly shattered the market; deep in the dark web, a decade-old “harvest-first, decrypt-later” public key repository was being frenziedly auctioned off, awaiting computational power to unlock its wealth. Meanwhile, the Bitcoin community plunged into an unprecedented crisis of faith: faced with dormant coins plundered by quantum computing, should they uphold the unyielding principle of “code is law” and immutable ledger integrity, or enact a soft fork to forcibly freeze the remaining assets? The collision between property narratives and survival imperatives triggered a total governance deadlock. On that day, blocks continued to be produced in sequence, the network never paused for a second—quantum computing did not unleash a doomsday spell erasing everything, yet it thrust the entire Web3 ecosystem into a prolonged struggle over cryptographic reconstruction and consensus collapse.

Quantum computing is often perceived as the "Doomsday Sword of Damocles" hanging over blockchain. Reexamining the largest "security debt" facing the Web3 world, we find that the quantum threat exerts extreme pressure on blockchain’s three foundational pillars: public ledger, irreversible assets, and user-controlled private keys. As the dawn of fault-tolerant quantum computers (FTQCs) emerges, the industry faces the challenge of navigating an extremely complex landscape of social consensus and governance博弈 within the remaining 5 to 8 years—the “engineering comfort window” before Q-Day.

Part One: Quantum Computing: Technical Principles, Value, and Threats

Quantum computing is a novel computational paradigm based on the principles of quantum mechanics. It uses qubits as information carriers, overcoming the binary limitation of classical bits that can only represent 0 or 1, and achieves computational efficiency unattainable by classical computers through quantum properties such as superposition, entanglement, interference, and measurement.

  • Superposition — Expanding the state space: A qubit can exist in a linear combination of 0 and 1.
  • Quantum entanglement — Establishing global correlations: A non-local strong correlation formed between multiple qubits.
  • Quantum interference —— Manipulating probability amplitudes: the core mechanism behind quantum algorithm acceleration, which cancels out the probability amplitudes of incorrect answers (destructive interference) while amplifying the probability amplitudes of correct answers (constructive interference).
  • Quantum measurement —— collapses the quantum state into a classical result; the core of quantum algorithms is not to "read out all answers," but to make the correct answer more likely to appear upon measurement.

Figure 1: The Four Pillars of Quantum Computing

(①) The superposition state expands the state space—qubits exist as continuous combinations of |0⟩ and |1⟩ on the Bloch sphere.

(2) Entanglement creates non-local correlations; measuring one qubit instantly determines its partner.

(3) Interference is the engine of acceleration: destructive interference cancels out the amplitudes of incorrect answers, while constructive interference enhances the amplitudes of correct answers.

(4) Measurement collapses the quantum state into a single classical outcome—the algorithm's task is to ensure that the correct result appears with overwhelming probability beforehand.

The two core quantum algorithms: Shor’s “dimensionality reduction” and Grover’s “brute-force acceleration”

  • Shor's algorithm (1994): A "dimensional reduction" attack on public-key cryptography: Shor's algorithm leverages quantum properties to directly "see through" the mathematical patterns underlying integer factorization and discrete logarithms, thereby completely undermining the foundational trust of modern internet and blockchain systems such as RSA and elliptic curve cryptography (ECC); however, due to the practical overhead of quantum error correction, breaking mainstream cryptographic systems still requires millions of physical qubits—though this threshold could be significantly lowered with more aggressive algorithmic optimizations.
  • Grover's algorithm (1996): A "brute-force accelerator" for symmetric encryption: Grover's algorithm does not directly break cryptographic structures but instead quadratically speeds up a computer's ability to "guess passwords" (e.g., reducing the security strength of 128-bit encryption directly to that of 64-bit); its threat is far less severe than Shor's algorithm, and the countermeasure is straightforward—typically achieved by using longer keys, longer hash outputs, or higher security parameters (such as upgrading to AES-256 or SHA-512).

Figure 2: The two core quantum computing algorithms: Shor's algorithm and Grover's algorithm

The Commercialization Path of Quantum Computing: A Race Among Five Major Technology Camps

No quantum bit technology has yet established a clear engineering lead. Five approaches are currently being advanced toward commercialization, each with its own advantages and disadvantages.

The positive value and negative threats of quantum computing

The core value of quantum computing lies in breaking through the capabilities of classical computing on specific complex problems, driving paradigm-shifting advances in fundamental science and engineering. Its positive impacts are primarily focused on two areas: first, simulating complex quantum systems, including quantum chemistry, drug discovery, new materials, and energy technologies; second, solving highly complex optimization problems, such as logistics, finance, supply chains, chip design, and industrial scheduling. Quantum simulation is widely regarded as a more certain long-term application, while complex optimization remains in the exploration and validation phase. Currently, quantum computing is at a critical stage of transitioning from laboratory prototypes to engineered applications, with decoherence, physical noise, error correction overhead, and system scalability remaining the key barriers to overcoming the industrialization gap.

Quantum threats fundamentally target the foundations of modern public-key cryptography and propagate layer by layer along the logic of “data lifespan × migration difficulty × attack payoff”: national security, defense, and intelligence systems are most immediately exposed to strategic-level risks of “harvest now, decrypt later” (HNDL); financial and payment infrastructures, due to their heavy reliance on TLS, HSMs, and authentication systems, will be among the first to enter compliance-driven migration pathways; internet trust roots and blockchain/Web3 ecosystems face multiple systemic risks including code signing, cloud key management (KMS), irreversible on-chain assets, and governance migration; while healthcare, energy, industrial control, and IoT sectors, due to long device lifecycles and narrow upgrade windows, will face persistent and difficult-to-eliminate tail risks.

Time Window and Planning Principle: Q-Day and Mosca’s Inequality

Q-Day refers to the point in time when quantum computers first gain the practical ability to break mainstream public-key cryptography. It is not a fixed date, but rather a probability range influenced by hardware advancements, error correction capabilities, algorithmic optimizations, and the secrecy of national projects. The current mainstream expectation places it roughly between 2035 and 2045, with accelerated scenarios potentially bringing it forward to 2030–2035; occurrences before 2030 are considered low-probability tail risks.

Mosca’s inequality, X + Y > Z, explains why post-quantum migration remains urgently practical even before Q-Day is imminent. Here, X is the period during which data must remain confidential, Y is the time required to complete cryptographic migration, and Z is the remaining time until Q-Day. As long as the sum of the data’s lifecycle and the migration timeline exceeds the time left until Q-Day, the system has already entered a migration lag phase: data collected today could be decrypted by quantum computers in the future. Therefore, quantum-resistant security is not an emergency project to be undertaken after Q-Day arrives—it is a long-term infrastructure migration that must be initiated now.

Figure 3: Distribution of expert Q-Day forecasts for 2026. Each bar represents a plausible range from a single source; the dot marks the central estimate.

Color coding represents speaker categories: Red = Radical Industry; Orange = Benchmark Research/Consensus; Blue = Hardware Roadmap; Green = Skeptics.

Part Two: Post-Quantum Cryptography (PQC): A Comprehensive Overview of Technical Approaches, Standardization, and Industry Transition

Post-Quantum Cryptography (PQC), also known as quantum-resistant or quantum-safe cryptography, is a new generation of cryptographic algorithms designed to withstand attacks from future quantum computers. Its core characteristic is that it operates on existing classical computing architectures but derives its security from mathematical problems that are also intractable for quantum computers. PQC has become the most practical and scalable pathway globally for transitioning digital infrastructure to quantum resistance.

Mainstream technical approaches: Lattice-based cryptography and hash-based signatures stand side by side.

Current research and implementation of PQC primarily focus on the following major mathematical approaches:

  • Lattice-based cryptography: Security is based on hard problems in high-dimensional lattices, such as Module-LWE, offering both efficiency and security, and is a core focus for standardization and practical implementation; representative algorithms include ML-KEM and ML-DSA.
  • Hash-based signatures: Rely solely on the collision resistance of hash functions, featuring minimal and highly conservative mathematical assumptions, with SLH-DSA as the representative standard.
  • Alternative paths: Code-based cryptography (HQC) was selected by NIST in March 2025 as the fifth PQC algorithm, serving as a non-lattice-based backup to ML-KEM; the draft standard is expected in 2026, with the final standard anticipated in 2027. Meanwhile, multivariate and isogeny-based cryptography have not yet been included in NIST’s initial standardization roadmap due to concerns regarding security or efficiency, with isogeny-based cryptography suffering a major setback after the SIKE algorithm was compromised.

Standardized milestone: NIST establishes the "one envelope, two signatures" framework

The FIPS standardization process led by the National Institute of Standards and Technology (NIST) marks a pivotal turning point in moving PQC from theory to practice. In August 2024, NIST officially released three core standards, establishing the foundational framework for PQC migration:

  • FIPS 203 (ML-KEM): A lattice-based key encapsulation mechanism (KEM) responsible for key exchange;
  • FIPS 204 (ML-DSA): A lattice-based digital signature algorithm responsible for general-purpose digital signatures;
  • FIPS 205 (SLH-DSA): A stateless hash-based digital signature algorithm, offered as an alternative for high-security signing.

Industry Implementation Ecosystem: A Three-Tier Architecture of Core, Transitional, and Supporting Components

In addition to core algorithms, the construction of quantum-resistant security systems relies on multi-layered engineering strategies:

  • Hybrid Deployment: Utilize a parallel signing/encryption model that combines "traditional algorithms (such as ECC/RSA) with PQC" as a risk mitigation strategy during the transition phase, ensuring baseline security even if unknown vulnerabilities exist in the new algorithms.
  • Crypto-agility: The ability, through architectural design, to quickly replace, upgrade, or roll back algorithms to address potential future risks of algorithmic compromise.
  • Auxiliary enhancement technologies: including Quantum Key Distribution (QKD) (suitable for government/military dedicated networks but cannot replace internet-based signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave) to enhance the quality of random numbers and the security of key storage.

Figure 4: Comprehensive Quantum-Resistant Roadmap

Part Three: Quantum Risks and Quantum-Resistant Practices in the Blockchain Industry

Blockchain is not the primary target of quantum threats, but it represents the most valuable "stress test" scenario for research. Unlike traditional Web2 systems, which rely on centralized mechanisms—such as certificate rotation and account freezing—to mitigate the risks of data breaches, blockchain directly and immediately transforms cryptographic crises into asset loss and governance paralysis. Its foundational architecture, characterized by "triple irreversibility"—permanent public ledger, irreversible asset transfers, and user-controlled private keys—exposes assets to risks of private key recovery and signature forgery, with no centralized fallback. Even more critically, the elliptic curve and BLS signature systems upon which major blockchains heavily depend are structurally vulnerable to Shor’s algorithm; once a cryptographically relevant quantum computer (CRQC) emerges, attackers could derive private keys from publicly exposed public keys and forge signatures, fundamentally undermining the foundation of trust in blockchain.

Cryptography Component Threat Landscape of Blockchain Systems

For the blockchain industry, the core challenge is not defending against today’s hackers, but launching a race against time—a migration countdown. Quantum computing will not instantly destroy blockchain, but it will force the industry to undergo a more difficult foundational cryptographic overhaul than Web2 ever did. The real risk is not the lack of standardized post-quantum algorithms, but whether the entire ecosystem can coordinate a full-chain migration—from underlying protocols to existing assets—before Q-Day, the critical threshold when fault-tolerant quantum computers gain practical breaking capability.

In this process, the quantum threat does not arrive uniformly but propagates progressively through a five-layer architecture: assets, protocols, infrastructure, applications, and governance. The key insight is that high-value infrastructure layers—such as exchanges, custodians, and cross-chain bridges—will come under pressure before L1 mainnet protocols; and the ultimate bottleneck determining the success of this end-to-end migration is not the replacement of cryptographic techniques, but the extremely complex social consensus and governance dynamics.

Part Four: Quantum-Resistant Practices for Bitcoin and Ethereum

Bitcoin’s Quantum Resistance: Public Key Exposure, Signature Bloat, and Governance Friction

The quantum risk to Bitcoin is not evenly distributed across all BTC, but rather depends heavily on whether public keys have been exposed on-chain. The real high-risk targets are not all UTXOs on the network, but rather early legacy outputs, addresses with exposed public keys that still hold balances, and long-dormant high-value UTXOs. Bitcoin’s hash components (SHA-256, SHA256d, and RIPEMD-160) primarily face reduced security margins from Grover’s algorithm, rather than being structurally broken by Shor’s algorithm as with ECDSA/Schnorr.

  • High risk: UTXOs with statically exposed public keys—early P2PK, Taproot (P2TR) outputs, and P2PKH/P2WPKH addresses whose keys have been reused and still hold balances. Their full public keys are permanently on-chain and will be the first targets directly broken by Shor’s algorithm once CRQC becomes available.
  • Medium Risk: UTXOs at P2PKH/P2WPKH addresses that have not yet been exposed but will be exposed in the future. Only the public key hash is visible on-chain; risk exists solely during the brief "quantum front-running window" between transaction broadcast and confirmation.
  • Low risk: Assets migrated to quantum-safe addresses; the risk of assets to be migrated to quantum-resistant (PQ) addresses via a soft fork in the future will be significantly reduced, but this heavily depends on long-term coordinated upgrades across the entire ecosystem.

Engineering Challenge: Signature Bloat and the "Soft Fork First" Approach

Under Bitcoin’s governance structure, the political cost of a one-time hard fork to deprecate ECDSA/Schnorr is extremely high. Introducing a new quantum-safe output type via a soft fork is one of more realistic incremental pathways. Current discussions include draft proposals such as BIP-360/P2MR (Pay-to-Merkle-Root), but there remains a long way to go before network-wide consensus and activation are achieved.

This move incurs a substantial "engineering tax": current ECDSA/Schnorr signatures are only about 64–72 bytes, while the candidate ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) increase in size by dozens of times. This order-of-magnitude expansion will trigger systemic ripple effects: directly increasing block weight and transaction fees, exacerbating storage and bandwidth burdens on nodes, significantly degrading the UTXO set and wallet user experience, and ultimately creating a negative feedback loop that further increases resistance to the network-wide quantum migration.

More importantly, Bitcoin lacks the ability to quickly switch algorithms. Unlike centralized systems, which can be upgraded by a single entity through certificate updates or algorithm replacement, Bitcoin requires synchronized adaptation across consensus rules, address formats, wallets, mining pools, exchanges, custodians, and hardware wallets. Therefore, quantum-resistant migration is not a single-point technical upgrade, but a long-term, coordinated effort across the entire ecosystem.

Governance博弈:The "Value Dilemma" of Legacy UTXOs

Even if PQ addresses are successfully launched, handling long-unmigrated legacy UTXOs—including early, long-dormant BTC commonly believed to date back to the Satoshi era—remains the ultimate challenge. Both extreme solutions conflict with Bitcoin’s core values:

  • Inaction: The leftover coins will become a "free lunch" for the first attacker with CRQC capabilities, triggering market panic.
  • Forced freezing/deactivation: Directly contradicts the property principle of "Not your keys, not your coins" and the immutability narrative, easily fracturing community consensus and potentially triggering a chain fork.

A pragmatic middle ground is to implement a multi-year "Legacy Sunset" mechanism: by issuing long-term deprecation warnings, gradually increasing the relay policy friction for spending old outputs, and ultimately imposing constraints via a soft fork through coordinated multi-party efforts. Discussions such as BIP-361 on legacy signature sunset are essentially exploring this path.

Therefore, the Bitcoin migration is fundamentally not a cryptographic issue. Post-quantum algorithms already exist and can be integrated; the real bottleneck lies in achieving social consensus around issues such as immutability, property rights, and the legality of declaring assets quantum-insecure. In other words, Bitcoin’s quantum risk is not a doomsday scenario where value suddenly drops to zero overnight, but rather a gradual process evolving from theoretical feasibility and economic cost to practical implementability; what the industry truly needs to achieve is coordinating the migration before quantum attacks become economically viable.

Figure 5: Bitcoin’s Quantum Resistance Migration: A Long-Term Governance Process

Ethereum's Quantum Resistance Migration—Full-Stack Reconstruction and the "Lean" Roadmap

Ethereum is proactively addressing quantum threats. Led by the Ethereum Foundation’s Post-Quantum team (https://pq.ethereum.org/), research is steadily advancing through open governance processes such as All Core Devs. Its core strategy is not to “bet on a single post-quantum (PQ) algorithm,” but rather to enhance the network’s cryptographic agility—ensuring that account authentication, consensus signatures, proof systems, and data layer commitments are permanently replaceable, upgradable, and verifiable.

Ethereum’s quantum risk is highly concentrated in four cryptographic components: EOA accounts (ECDSA/secp256k1), validator consensus (BLS signatures), data availability (KZG commitments), and certain ZK proof systems. To address this, the EF has designed a “Lean” roadmap that advances in parallel along three tracks: execution, consensus, and data.

  • Execution Layer (User Accounts): AA Buffer and L2 Playground

Facing a vast number of EOAs, a direct hard fork faces significant resistance. Ethereum leverages account abstraction (such as ERC-4337 and EIP-7702) to grant smart contract wallets “signature agility,” enabling hybrid signatures and gradual migration without requiring full network-wide coordination. Meanwhile, L2s, with their flexible governance, serve as natural testbeds for PQ deployment;

  • Consensus Layer (Validator Signatures): The Synergy of leanXMSS and leanVM

Aims to completely replace BLS signatures that rely on elliptic curve pairings. The core strategy involves adopting the hash-based leanXMSS, combined with a minimal zkVM (leanVM) for SNARK aggregation. Key engineering breakthrough: leanVM is expected to compress large hash signature data by approximately 250 times, mitigating the bloat of post-quantum signatures while preserving the scalability advantage of "multi-signature aggregation" as we enter the post-quantum era.

  • Data Layer (Blob, DA, and KZG): Long-term Reconstruction of Underlying Commitments

Under CRQC conditions, the underlying security assumptions of KZG still require reassessment and a long-term migration toward more PQ-friendly commitment or proof systems, with the ultimate direction being a transition to hash-based STARKs or lattice-based commitment schemes. This is a multi-year, protocol-level foundational restructuring, not an immediate failure.

Moreover, Ethereum’s quantum risk is not evenly distributed. EOA accounts represent the largest value pools; exchanges, bridges, custodial hot wallets, governance/upgrading keys, L2 sequencers, and admin keys are high-value operational keys that may come under pressure before the protocol itself. Overall, Ethereum’s quantum-resistant migration is not a simple replacement of single-signature schemes, but a multi-year, full-stack effort involving accounts, consensus, DA, ZK, L2s, bridges, custody, and formal verification.

Figure 6: Ethereum Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures), and Data (Commitments and Proofs).

Comprehensive Comparison of Post-Quantum Migration Profiles for Bitcoin and Ethereum

Theoretically, all public blockchains relying on traditional public-key cryptography face quantum risks. However, the systemic case for quantum-resistant migration primarily centers on Bitcoin and Ethereum: Bitcoin due to its legacy UTXO model, immutability, and property rights governance; Ethereum due to the full-stack reconstruction required for accounts, consensus, data availability, ZK, and L2s. Other blockchains serve better as supplementary references for technical pathways and risk scenarios.

  • Solana represents an engineering exploration of high-throughput chains for PQ signature verification costs; its community has discussed Falcon-512/FN-DSA verification syscalls, but this approach remains exploratory and supplementary, not replacing the existing Ed25519, nor indicating an official migration roadmap by Solana.
  • Starknet / STARK represents a hash-based proof system with a more PQ-friendly ZK approach. Compared to SNARK systems that rely on pairing/KZG, STARK’s underlying proof mechanism is better suited for the post-quantum ZK direction; however, this does not mean the entire Starknet network is quantum-safe—wallet signatures, hash parameters, bridge mechanisms, and Ethereum L1 settlement still require coordinated migration.
  • Native or quasi-native post-quantum blockchains such as QRL, Quantus, and Abelian serve as technical references for clean-slate post-quantum design: QRL represents the early hash-based signature approach, Quantus embodies a native post-quantum L1 aligned with the next-generation NIST PQC narrative, and Abelian focuses on lattice-based, privacy-preserving L1 solutions. While these projects demonstrate a viable path to building quantum-resistant blockchains from day one, their network effects, liquidity, and application ecosystems remain far weaker than those of BTC or ETH, making them better suited as technical exemplars.

Part Five: Conclusion: Security Debt Maturity and the Full Ecosystem's Q-Day Countdown

Quantum computing is not a "doomsday weapon" that ends blockchain, but rather a systemic reset of modern public-key cryptography. The core threat lies in future large-scale fault-tolerant quantum computers (CRQCs) with strategic-level cracking capabilities. The industry’s true risk is not the lack of post-quantum cryptography (PQC) algorithms, but whether the entire Web3 ecosystem can achieve end-to-end coordinated migration before Q-Day (the quantum breaking threshold). In the short to medium term, the risk of existing signature systems becoming obsolete and the high cost of full-stack upgrades create a heavy "security debt"; in the long term, this survival pressure will act as an industry catalyst, directly spawning entirely new security infrastructure sectors such as PQ hybrid wallets, quantum-resistant institutional custody, quantum risk radar systems, and PQ signature aggregation.

Although the macro preparation phase may last 5–15 years, the truly comfortable “engineering window” is now reduced to just 5–8 years. This demands tight coordination across the entire stack—from BIP/EIP proposals and node implementations to wallet compatibility and compliance upgrades by exchanges and custodians. More importantly, market repricing may occur even before Q-Day itself: once quantum resource estimates continue to be revised downward, hardware roadmaps are significantly accelerated, or regulators and major custodians率先 propose PQC compliance requirements, the market may begin reevaluating the cryptographic security models of blockchain assets. Within this window, two core ecosystems will face fundamentally different ultimate tests:

  • Bitcoin: The core challenge is not cryptography, but global social consensus and property rights governance. How to handle long-dormant, publicly exposed Legacy UTXOs is a political struggle over the底线 of the "immutable" narrative.
  • Ethereum: The core challenge lies in the engineering complexity of its multi-layer protocols and full-stack ecosystem. How can cryptographic replacements across account, consensus, DA, and ZK layers be performed without causing network disruption, while mitigating signature bloat?

In long-term asset allocation, post-quantum governance friction constitutes a "structural tail risk" for BTC, but it is by no means a reason for bearishness today. Its extremely conservative, hard-to-change governance presents a double-edged sword: it is both the greatest barrier to quantum migration and the core moat preserving its narrative as a store of value and defending against centralized interference. This demands investors abandon the static belief that "BTC will never require major upgrades." In the future, if any of the following scenarios occur—Q-Day timelines are substantially accelerated, the community refuses to advance PQ migration while the外围 ecosystem moves first, high-value exposed public key UTXOs trigger panic selling, or legacy asset disposal descends into complete fragmentation—the market will reassess and reprice BTC’s security model and underlying consensus.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.