
quantum, Explained

◧ The Map · quantum at a glance

Deep explainer on how quantum computing threatens Bitcoin, Ethereum and other blockchains, why resource estimates are shifting, how networks like Algorand, Stellar and Ethereum are planning post‑quantum defenses, and what users and institutions should do now.

Quantum Computing and Crypto: Threat, Opportunity, and the Race for Post‑Quantum Blockchains

In crypto, “quantum” is shorthand for a coming wave of quantum computers that could eventually break the public‑key cryptography securing Bitcoin, Ethereum, and most blockchains, forcing a multi‑trillion‑dollar ecosystem to migrate to new, quantum‑resistant (“post‑quantum”) defenses. At the same time, quantum hardware is also emerging as a new computing and AI platform, with neutral‑atom, superconducting, and photonic systems moving from labs into early commercial use and pulling forward timelines for when these risks — and opportunities — become real for digital assets.

What “quantum” means in a crypto context

When crypto insiders talk about “quantum risk,” they are really talking about quantum computing’s impact on cryptography, not about fuzzy metaphors from physics. Quantum computers exploit quantum mechanical phenomena such as superposition and entanglement to process information in ways that classical computers cannot, giving them theoretical speedups on certain mathematical problems that underpin today’s encryption. In practice, the central concern for blockchains is that large, fault‑tolerant quantum computers will be able to run Shor’s algorithm to efficiently solve the discrete logarithm and factoring problems that make modern public‑key schemes like RSA, ECDSA, and Ed25519 hard to break. Because Bitcoin, Ethereum, and most major networks rely on elliptic curve cryptography for wallet keys and signatures, a sufficiently powerful quantum computer could, in principle, recover private keys from public keys and forge transactions.

At the same time, “quantum” in crypto discourse increasingly covers a broader landscape. It includes the development of post‑quantum cryptography (PQC): a family of new, quantum‑resistant algorithms being standardized by NIST and deployed by major tech firms for TLS, VPNs, and other internet infrastructure. It also includes a growing ecosystem of quantum hardware companies building machines not only for breaking codes but also for tasks like optimization, simulation, and AI acceleration, such as photonic reservoir computers and neutral‑atom arrays. Finally, it encompasses regulatory and institutional responses, from central banks and asset managers modeling quantum scenarios for Bitcoin and Ethereum, to national agencies setting deadlines for phasing out non‑quantum‑safe encryption.

For crypto specifically, this spectrum boils down to a core question: can decentralized networks coordinate a safe, orderly migration to quantum‑safe cryptography before large‑scale, cryptographically relevant quantum computers exist, and before adversaries can exploit the gap? Coinbase’s Quantum Advisory Council, for example, estimates that roughly seven million bitcoin sit in addresses whose public keys are already exposed on chain — a stockpile that would become low‑hanging fruit for a capable quantum adversary. Algorand, Stellar, and Ethereum researchers have taken these warnings seriously enough to publish concrete roadmaps and live experiments for quantum‑resistant accounts, even while stressing that no one claims an immediate existential threat.

The result is that “quantum” has shifted from a distant, almost sci‑fi talking point to a live engineering and governance issue in crypto. A March 2026 Google Quantum AI paper, co‑authored with Ethereum Foundation and Stanford researchers, significantly lowered the estimated resources needed to break Bitcoin’s core signature scheme, refocusing risk models and accelerating the post‑quantum migration conversation across the industry. At the same time, hardware breakthroughs in neutral‑atom platforms and error correction have made it more plausible that useful, fault‑tolerant quantum computers could emerge within a decade rather than several.

Danicjade
Jun 23, 2026

Trump signs executive orders requiring federal agencies to migrate critical systems to post-quantum cryptography by 2031, citing national security and cyber threats

The Block Jun 23, 2026
Top Comment
Benthic
Jun 23, 2026

2031 is late if Google's 2029 Q-Day model is even directionally right. NIST already gave everyone ML-KEM, ML-DSA, and SLH-DSA in 2024, so federal PKI can move by procurement order; crypto has the uglier problem of exposed secp256k1 keys, dormant UTXOs, validator keys, bridges, and wallets that need users to migrate before an attacker has the hardware. Account abstraction and threshold wallets become more than UX plumbing here: crypto-agile signature swaps without waiting for every EOA holder to wake up.

◧ What our coverage reveals · Leviathan signal

Readers click quantum stories not for the physics but for the property-rights crisis underneath: who decides when dormant Bitcoin gets frozen, who pays for migration, and which chain moves fast enough to matter before a cryptographic break becomes real.


How quantum computers work — and why cryptographers care

Quantum computers process information using qubits, which can exist in superpositions of the classical states 0 and 1, and can be entangled such that operations on one qubit affect others in non‑classical ways. This structure allows quantum algorithms to explore certain mathematical spaces much more efficiently than classical algorithms, effectively performing many computations in parallel within a single quantum state before measurement collapses it to an observable outcome. For most everyday tasks, such as serving web pages or running a blockchain node, this quantum parallelism does not translate into a practical speedup. But for some structured mathematical problems, it does — and cryptography sits squarely in the crosshairs.

The best‑known example is Shor’s algorithm, which can factor large integers and compute discrete logarithms in polynomial time on a sufficiently powerful, error‑corrected quantum computer, whereas classical algorithms scale super‑polynomially for the same tasks. Modern public‑key cryptosystems like RSA and elliptic curve schemes rely on the assumption that these problems are hard for classical computers; if they become easy on quantum hardware, the security guarantees collapse. A second algorithm, Grover’s search, offers a quadratic speedup for unstructured search, effectively halving the bit‑security of symmetric primitives like block ciphers and hash functions, although this can usually be countered by doubling key sizes.

In practice, the barrier has never been the math but the machines. Today’s quantum processors are noisy, small‑scale devices with tens to low thousands of physical qubits and very limited error correction, often called NISQ (Noisy Intermediate‑Scale Quantum) devices. To reliably run Shor’s algorithm against 256‑bit elliptic curves like secp256k1, cryptographers estimate that we need not just dozens but thousands of logical qubits, each encoded in many physical qubits using quantum error‑correcting codes, plus the ability to execute tens of millions of fault‑tolerant quantum gates. That is a vastly more demanding hardware target than anything deployed today.

However, recent work has shown that this hardware bar may be lower than many in the crypto industry previously assumed. A new quantum error‑correction architecture from Caltech and Oratomic suggests that a fully fault‑tolerant quantum computer could be built with as few as ten to twenty thousand physical qubits, two orders of magnitude fewer than conventional surface‑code estimates. The scheme can encode each logical qubit in roughly five physical qubits, instead of the thousand‑plus typically required, and builds on rapid experimental progress in neutral‑atom systems where arrays exceeding 6,000 qubits and early error‑corrected operations have already been demonstrated. In parallel, companies like Pasqal have begun deploying neutral‑atom quantum computers, inaugurating Italy’s first such system and marking their third in Europe, signaling that this hardware class is transitioning from lab prototypes to shared research infrastructure.

Beyond neutral atoms, photonic and superconducting platforms are also being pushed into real applications. Quantum Computing Inc., for example, has launched NeuraWave, a photonic reservoir computer built on integrated quantum optics and nanophotonic technology, which a defense‑focused customer has ordered in batches for next‑generation AI applications. While these specific machines are not yet capable of running Shor’s algorithm at cryptographically relevant scales, they highlight a key point for crypto audiences: quantum hardware development is no longer a purely academic endeavor, and multiple architectures are progressing in parallel toward larger, more reliable systems that will eventually intersect with blockchain security assumptions.

Why blockchains are vulnerable: elliptic curves under quantum attack

Most of the crypto ecosystem today rests on elliptic curve cryptography (ECC), particularly the secp256k1 curve used in Bitcoin and Ethereum for ECDSA signatures, and Ed25519 for many other networks including Stellar. In ECC, a user’s private key is essentially a random 256‑bit number, and their public key is a point on the elliptic curve obtained by multiplying that private key by a generator point in a large cyclic group. Security relies on the hardness of the elliptic curve discrete logarithm problem (ECDLP): given the public key point, it should be infeasible to compute the underlying scalar private key using classical algorithms.

A quantum computer running Shor’s algorithm changes that calculus. Once a public key is known, Shor’s algorithm can, in principle, compute the corresponding private key in a time that scales polynomially with the key size, rather than exponentially. The March 2026 Google Quantum AI paper, co‑authored with Ethereum Foundation and academic researchers, presents two optimized quantum circuits for attacking secp256k1’s 256‑bit ECDLP. One circuit uses fewer than 1,200 logical qubits and around 90 million Toffoli gates; the other uses fewer than 1,450 logical qubits and roughly 70 million Toffoli gates, offering a trade‑off between qubit count and gate depth. When mapped onto a superconducting architecture with surface‑code error correction, realistic error rates, and microsecond‑scale cycle times, the authors estimate that these circuits would require fewer than 500,000 physical qubits and could run in minutes.

In fact, the “low‑gate” variant, when primed with precomputation that depends only on fixed curve parameters, could finish the remaining computation in about nine minutes after a given public key is revealed, according to the same analysis. That runtime matters because Bitcoin and Ethereum signatures reveal public keys only when coins are spent from an address, not when the address is first created, so an attacker would have a short but non‑zero window to race honest transactions with forged ones. More importantly, millions of coins already sit in outputs where public keys are exposed — including reused addresses and older script types — giving a future quantum attacker a large surface of static targets with no time pressure at all.

Coinbase’s quantum risk report estimates that around seven million bitcoin currently fall into this “quantum‑vulnerable” category once address reuse and other exposed key types are taken into account, including some exchange cold wallets. In a harvest‑now‑decrypt‑later scenario, an adversary might already be passively recording blockchain data and network traffic, planning to extract private keys and replay or forge transactions once quantum hardware catches up. This concern is not limited to Bitcoin; virtually every major chain that uses ECC signatures has some proportion of funds whose public keys have been revealed, and standard wallet practices like reusing deposit addresses only increase that exposure over time.
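The exposure categories described above can be turned into a wallet inventory check. The following is an added example, not code from the article or from any project it cites: it sorts unspent outputs by whether the public key is already on chain, using the standard Bitcoin scriptPubKey templates. Treating Taproot outputs as exposed at rest goes beyond the script types the article names; the function names and all sample scripts are constructed for illustration.

```python
from collections import Counter


def classify_script(spk_hex):
    """Return (script_type, pubkey_visible_in_output) for a scriptPubKey."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG -> raw key on chain
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    # P2WPKH / P2WSH: witness v0 with a 20- or 32-byte hash
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    # P2TR: witness v1 carries a 32-byte x-only public key, not a hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    return "nonstandard", False


def audit(utxos, spent_scripts):
    """utxos: iterable of (label, scriptPubKey hex, value in sats).
    spent_scripts: scriptPubKeys already seen as spent inputs, meaning an
    earlier spend revealed the key or script behind the hash (reuse)."""
    spent = {s.lower() for s in spent_scripts}
    totals, findings = Counter(), []
    for label, spk, sats in utxos:
        kind, visible = classify_script(spk)
        if visible:
            reason = "key-in-output"
        elif kind == "nonstandard":
            reason = "review-manually"
        elif spk.lower() in spent:
            reason = "revealed-by-reuse"
        else:
            reason = "hidden-until-spend"
        totals[reason] += sats
        findings.append((label, kind, reason))
    return findings, dict(totals)


# Constructed sample data: filler bytes, not real keys or hashes.
P2PK = "21" + "02" + "11" * 32 + "ac"
P2PKH = "76a914" + "22" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
P2TR = "5120" + "44" * 32
SAMPLE_UTXOS = [
    ("old-coinbase", P2PK, 5_000_000_000),
    ("deposit-addr", P2PKH, 120_000_000),
    ("fresh-segwit", P2WPKH, 30_000_000),
    ("taproot", P2TR, 10_000_000),
]
SAMPLE_SPENT = {P2PKH}  # the deposit address was spent from once already

if __name__ == "__main__":
    rows, totals = audit(SAMPLE_UTXOS, SAMPLE_SPENT)
    for row in rows:
        print(*row)
    print(totals)
```

Outputs in the first two categories are the static targets the article describes; moving them to a fresh hashed address that is never reused puts them back in the hidden-until-spend category.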

It is important to distinguish between threats to public‑key and symmetric‑key cryptography. Shor’s algorithm devastates ECC and RSA but does not give exponential speedups against symmetric primitives like AES or SHA‑2; Grover’s algorithm offers only a quadratic improvement, which can be mitigated by doubling key lengths or hash outputs. This is why most post‑quantum planning focuses on replacing signature schemes and key‑exchange mechanisms rather than overhauling everything about blockchains. For example, network‑level encryption between nodes or between users and exchanges can often be hardened by adopting NIST’s post‑quantum key encapsulation mechanisms and simply increasing symmetric key sizes, without touching on‑chain formats. But for account keys and consensus signatures, new public‑key primitives are unavoidable.

This is where post‑quantum cryptography enters. Since 2016, NIST has run a multi‑year competition to standardize quantum‑resistant public‑key schemes, ultimately selecting a small set of key encapsulation and digital signature algorithms based on hard problems in lattices, codes, and hash‑based constructions rather than factoring or discrete logs. These include lattice‑based schemes grounded in Learning With Errors (LWE), which remain resistant even to known quantum attacks, and hash‑based signature schemes such as XMSS and stateless hash‑based families like SLH‑DSA and SPHINCS+, which rely only on the preimage resistance of cryptographic hash functions. The challenge for crypto networks is to integrate these heavier, less battle‑tested primitives into deeply entrenched ecosystems without breaking compatibility, decentralization, or user experience.

◧ The angles that pull readers in · 6 threads

  1. Bitcoin dormant-coin freeze politics

     BIP-361's proposal to freeze 5.6M vulnerable BTC forces a governance showdown — readers grasp that the cure (forced migration) may be as disruptive as the disease.

  2. Elliptic-curve break research race

     Project Eleven's 15-bit crack and Eigen Labs reproducing Google's withheld benchmark in 73 hours made the threat concrete and competitive, pulling in readers who track how fast the window is closing.

  3. Ethereum no-hard-fork PQC path

     The discovery that post-quantum account protection costs ~$0.07 and needs no hard fork collapsed the 'too hard to fix' excuse and drove clicks from builders and ETH holders alike.

  4. Chain-level migration races

     Solana (Falcon), Aptos (live PQ sigs), Zcash, Tron, and Sonic all announced timelines within weeks of each other, framing this as a competitive differentiator rather than a shared industry problem.

  5. Quantum hardware progress signals

     IBM/MIT lab launches and 6,100-qubit neutral-atom arrays gave readers concrete milestones to judge how far off the actual threat is, anchoring speculation in hardware realities.

  6. Quantum internet privacy panic

     Viral claims about a 2027 quantum internet ending anonymity tapped existing crypto-privacy anxieties far beyond the technical community.

Timelines: from theoretical threat to practical quantum attacks

For years, many in the Bitcoin and Ethereum communities took comfort in rough estimates suggesting that breaking 256‑bit ECC would require millions of physical qubits and extremely long coherent runtimes, putting realistic attacks beyond mid‑century. The combination of high qubit counts, demanding error‑correction overhead, and fragility of existing hardware made quantum risk feel hypothetical on human investment horizons. The past few years, however, have eroded that complacency on two fronts: hardware and resource estimates.

On the hardware side, the Caltech–Oratomic work on a new error‑correction architecture indicates that useful, fault‑tolerant quantum computers might be achievable with ten to twenty thousand physical qubits, not the millions previously assumed. Their scheme proposes encoding each logical qubit with as few as five physical qubits, exploiting neutral‑atom platforms where large, regular arrays and high‑fidelity gates are experimentally advancing. This is consistent with recent neutral‑atom milestones, including systems surpassing 6,000 physical qubits and demonstrating early error‑corrected operations, suggesting that the scaling path to tens of thousands of qubits may not be purely speculative. The inauguration of Italy’s first neutral‑atom quantum computer, deployed by Pasqal as its third European system, underscores that these architectures are leaving the lab and becoming regional shared resources.

On the software and algorithmic side, the Google Quantum AI whitepaper sharply reduces the estimated spacetime volume — essentially the product of qubits and gates — needed to break secp256k1 using Shor’s algorithm. By designing two optimized circuits tailored to the Ethereum and Bitcoin curve and compiling them to a realistic superconducting architecture with surface‑code error correction, the authors achieve roughly a ten‑fold reduction in resource estimates compared to earlier work. Their analysis suggests that with fewer than 500,000 physical qubits, an attacker could run the full elliptic curve discrete logarithm computation in under twenty minutes, or about nine minutes after precomputing curve‑dependent parts of the algorithm. While 500,000 high‑quality, error‑corrected qubits remain well beyond current capabilities, the gap looks materially smaller than it did when the same calculation required millions.

These shifts have not gone unnoticed by institutions. A whitepaper from BlackRock, the world’s largest asset manager, explicitly analyzes quantum computing’s implications for blockchains and digital assets, noting that technology leaders like Google and IBM have moved up their own internal migration deadlines to post‑quantum cryptography, targeting around 2029 for securing core infrastructure. That timeline reflects an emerging consensus in parts of the security community: while no one can predict the exact date of a cryptographically relevant quantum computer, prudent risk management assumes that critical systems should be migrated well before such hardware exists. In parallel, national agencies are starting to encode similar timelines into policy. France’s cybersecurity authorities, for instance, plan to stop certifying products that lack quantum‑safe encryption starting in 2027, effectively forcing vendors in regulated sectors to adopt post‑quantum algorithms if they want official approval.

For blockchains, this introduces a subtle but crucial asymmetry. Centralized institutions like banks, cloud providers, or custodians can unilaterally plan and execute cryptographic migrations across their systems, even if it takes years. Public networks like Bitcoin and Ethereum cannot. Any change to consensus‑critical cryptography requires broad community agreement, careful coordination among clients, and often contentious governance decisions about backward compatibility and abandoned coins. As one industry commentator put it in response to the Google paper, quantum risk is increasingly less about solving a cryptography problem and more about solving a blockchain governance problem. The real timeline challenge is not just “when will quantum hardware be ready?” but “how long will it take decentralized ecosystems to agree on, implement, and complete a safe migration once the need becomes clear?”

The post‑quantum toolbox: how crypto can defend itself

Post‑quantum cryptography offers a path forward, but its building blocks come with trade‑offs that are particularly acute for blockchains. Lattice‑based schemes, especially those built on Learning With Errors, are among the leading candidates standardized by NIST for both key exchange and digital signatures. They offer strong security reductions and performance that is often competitive with classical ECC for many applications, but they generally involve much larger key and signature sizes, and some variants have relatively complex parameter choices that must be implemented carefully. Code‑based and multivariate schemes provide additional options, although their very large public keys or heavy computational costs make them more challenging to adopt on chain.

Hash‑based signatures, by contrast, rely only on the preimage resistance and collision resistance of hash functions, which are believed to be resilient even in a post‑quantum world with only modest parameter adjustments. Stateful schemes like XMSS use Merkle trees to manage a limited set of one‑time signatures, providing compact signatures at the cost of managing state safely to avoid key reuse. Stateless schemes such as SLH‑DSA and SPHINCS+ avoid this statefulness by generating many one‑time keys and revealing only a subset per signature, at the cost of larger signatures and more verification work. NIST has standardized such stateless hash‑based schemes for applications where robustness and minimal assumptions are paramount, accepting their heavier performance footprint.
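To make the stateful construction concrete, here is an added toy example, not code from the article and not an implementation of XMSS or SLH‑DSA. It uses Lamport one-time keys (XMSS itself uses WOTS+) under a small Merkle tree, shows the signer advancing its leaf counter before releasing a signature, and counts how many secret preimages a reused leaf would leak. All names and the seed are constructed.

```python
import hashlib
import hmac

N = 256  # digest bits covered by one Lamport one-time key


def H(data):
    return hashlib.sha256(data).digest()


def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def ots_keypair(seed, leaf):
    """Two secrets per digest bit; the public key is their hashes."""
    sk = [[hmac.new(seed, f"{leaf}/{i}/{b}".encode(), "sha256").digest()
           for b in (0, 1)] for i in range(N)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def leaf_of(pk):
    return H(b"".join(h for pair in pk for h in pair))


class ToyMerkleSigner:
    """2**height one-time keys under one Merkle root (the long-term key)."""

    def __init__(self, seed, height=2):
        self.seed, self.height, self.next_leaf = seed, height, 0
        level = [leaf_of(ots_keypair(seed, i)[1]) for i in range(2 ** height)]
        self.levels = [level]
        while len(level) > 1:
            level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]

    def sign(self, msg):
        idx = self.next_leaf
        if idx >= 2 ** self.height:
            raise RuntimeError("all one-time keys used; rotate to a new root")
        # Advance state BEFORE releasing the signature. A real signer must
        # persist this durably, or a crash or backup restore replays a leaf.
        self.next_leaf += 1
        sk, pk = ots_keypair(self.seed, idx)
        bits = msg_bits(msg)
        path, node = [], idx
        for lvl in self.levels[:-1]:
            path.append(lvl[node ^ 1])  # sibling on the way to the root
            node //= 2
        return {"leaf": idx,
                "reveal": [sk[i][b] for i, b in enumerate(bits)],
                "other": [pk[i][1 - b] for i, b in enumerate(bits)],
                "path": path}


def verify(root, msg, sig):
    """Rebuild the one-time public key, then walk the path to the root."""
    if len(sig["reveal"]) != N or len(sig["other"]) != N:
        return False
    pk = []
    for b, rev, oth in zip(msg_bits(msg), sig["reveal"], sig["other"]):
        pair = [None, None]
        pair[b], pair[1 - b] = H(rev), oth
        pk.append(pair)
    node, idx = leaf_of(pk), sig["leaf"]
    for sibling in sig["path"]:
        node = H(node + sibling) if idx % 2 == 0 else H(sibling + node)
        idx //= 2
    return hmac.compare_digest(node, root)


def secrets_exposed_by_reuse(msg_a, msg_b):
    """Digest positions where signing both messages with the SAME leaf
    would publish both preimages, which is why state must never repeat."""
    return sum(x != y for x, y in zip(msg_bits(msg_a), msg_bits(msg_b)))


if __name__ == "__main__":
    signer = ToyMerkleSigner(b"constructed-seed")
    sig = signer.sign(b"tx-1")
    print(verify(signer.root, b"tx-1", sig), verify(signer.root, b"tx-2", sig))
    print(secrets_exposed_by_reuse(b"tx-1", b"tx-2"), "of", N)
```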

For blockchains, hash‑based signatures have two appealing properties. First, they are conceptually simple, lending themselves to transparent, easily auditable implementations that avoid the subtleties of lattice parameter selection. Second, they can be deployed at the account or smart‑contract layer even before consensus clients are updated, as Ethereum researcher Nico (lead of the Ethereum Foundation’s Kohaku privacy project) has demonstrated with SPHINCS‑style constructions on the EVM. In a recent Ethereum Research post, Nico shows that a SPHINCS variant aligned with NIST’s draft parameter sets can be verified in Solidity at a cost on the order of 127,000–150,000 gas, with a signature size of roughly 3.7 kilobytes, which is high but manageable. That leads to a striking claim: Ethereum accounts can begin preparing for post‑quantum risks today, without any hard fork, by wrapping their control of funds in smart‑contract logic that enforces post‑quantum signatures in addition to or instead of classical ECDSA.

Other networks are opting for more direct protocol‑level integration of NIST‑style post‑quantum primitives. Stellar’s Quantum Preparedness Plan, for instance, envisions adding support in 2026 for verifying ML‑DSA‑44 and ML‑DSA‑65 — NIST’s draft lattice‑based signature standards — as native host functions within its Soroban smart‑contract environment. With those building blocks in place, Soroban contract accounts can implement quantum‑safe authentication via account abstraction, allowing enterprise wallets to adopt quantum‑safe signing without waiting for full protocol changes. Algorand’s roadmap similarly begins with the introduction of post‑quantum accounts, multisignature wallets, and staking support at the account layer in 2026, before upgrading deeper protocol components.

These strategies point toward a hybrid period in which classical and post‑quantum schemes coexist. Accounts and validators may sign with both ECDSA/Ed25519 and a post‑quantum algorithm in parallel, so that even if classical ECC were broken, an attacker would still need to forge the post‑quantum part of the signature to move funds or rewrite history. Over time, once confidence in specific post‑quantum schemes grows and classical ECC becomes obviously unsafe, networks can phase out the classical leg and rely purely on post‑quantum signatures. The challenge will be managing this transition across billions of addresses, varied wallet software, and heterogeneous hardware, all while maintaining decentralization and not pricing out users with limited resources due to heavier cryptographic operations.

JLJohn
Jun 23, 2026

IQM’s barbell codes could open a faster channel to fault-tolerant quantum computing, using existing superconducting hardware more efficiently

iqm.tech Jun 23, 2026
Top Comment
Benthic
Jun 23, 2026

<30 data qubits per logical qubit at 10^-4 physical noise is the claim to care about; IQM’s press page frames the release as directional tile codes, while the barbell preprint sits in the same qLDPC-overhead race. For BTC/ETH, ECDSA/Schnorr risk still lives in the logical-qubit and T-gate budget, so this is migration-clock pressure rather than a 2026 panic trade. The RAAQ/Nasdaq angle gives it a familiar crypto-capital-markets flavor: sell the roadmap, fund the hardware grind, hope the decoder math compounds.

◧ Timeline · 8 events

  1. 2025-10 · milestone: Google discloses quantum Bitcoin vulnerability research responsibly

  2. 2026-03 · milestone: Project Eleven offers 1 BTC bounty; researcher breaks 15-bit elliptic curve key

  3. 2026-04 · governance: BIP-361 formally proposed to freeze quantum-vulnerable dormant Bitcoin

  4. 2026-04 · launch: Aptos activates live post-quantum signatures on mainnet

  5. 2026-05 · milestone: Eigen Labs open quantum challenge: AI agents reproduce Google's unpublished benchmark in 73 hours

  6. 2026-05 · governance: Solana devs Anza and Firedancer align on Falcon post-quantum signatures

  7. 2026-06 · regulatory: Coinbase Quantum Advisory Council publishes first paper; flags 7M BTC as vulnerable

  8. 2026-06 · regulatory: France announces 2027 deadline to stop certifying non-quantum-safe products

How major crypto networks are preparing

Bitcoin: seven million vulnerable coins and a governance crossroads

Bitcoin sits at the center of the quantum debate because of its dominant market capitalization, conservative governance culture, and large pool of coins whose public keys are already exposed. Coinbase’s Quantum Advisory Council estimates that around seven million BTC, including coins in exchange cold wallets and in older address formats, are currently “quantum‑vulnerable” due to public keys being visible on chain or reused across transactions. This includes “abandoned” coins that have not moved in many years, some of which may be lost forever, making any migration that requires their owners to sign new transactions problematic. In a future where a cryptographically relevant quantum computer exists, such coins become potential targets for anyone with access to that hardware, raising thorny questions about property rights and chain legitimacy.

Within the Bitcoin research community, top cryptographers disagree on how to approach this risk. Some argue for a proactive soft‑fork that would introduce new script types or address formats supporting post‑quantum signatures, allowing users to opt in over time while maintaining backward compatibility. Others caution that designing and standardizing a completely new signature scheme at the base layer, particularly one with very different performance and size characteristics, could introduce new attack surfaces and fragment the ecosystem. There is also debate over what to do about abandoned coins. A rigid, opt‑in approach would leave them exposed indefinitely, inviting a future “quantum heist” that might see millions of BTC suddenly moved by unknown parties, potentially destabilizing markets and undermining trust in the chain’s immutability.

Some Bitcoin advocates downplay quantum risk by arguing that legacy banking systems will be “cracked” first, because they rely on more heterogeneous, harder‑to‑upgrade infrastructures. Venture capitalist Tim Draper, for instance, has publicly claimed that quantum computers will break banks long before they threaten Bitcoin, pointing to the relative agility and transparency of open‑source blockchain communities compared to legacy finance. There is some plausibility to this view: centralized institutions have many siloed systems, often with inconsistent cryptographic practices, whereas Bitcoin’s consensus rules are uniform and visible. But this perspective arguably underestimates the coordination challenge of protocol‑level changes in a decentralized, consensus‑driven environment, and overestimates how quickly the Bitcoin community may rally around any specific post‑quantum path.

What is clear is that Bitcoin’s quantum strategy will likely be driven as much by governance and social consensus as by cryptographic engineering. Coinbase’s reports have already sparked debate over whether miners or nodes would accept a fork that “rescued” vulnerable coins preemptively or whether any attempt to reassign lost or abandoned coins, even in the name of quantum safety, would be seen as a violation of Bitcoin’s monetary and property ethos. Until there is broader agreement on principles, Bitcoin’s roadmap remains cautious: research continues around post‑quantum script designs and wallet practices such as aggressively avoiding address reuse, but the base protocol is unchanged, and no formal migration plan has been adopted.

Ethereum: account‑level experiments and a vast builder base

Ethereum’s response to quantum risk reflects its culture as a programmable, rapidly evolving platform with a large developer community. The Ethereum Foundation has launched a dedicated post‑quantum security initiative focused on research into migration paths for the network’s vast ecosystem of wallets, applications, and validators. This work is happening alongside Ethereum’s broader roadmap on scalability and rollups, and is being undertaken by a builder base that recently crossed one million lifetime developers, underscoring the size of the human capital available to tackle challenges like quantum migration.

One of the most concrete steps so far comes from Ethereum researcher Nico, lead of the Foundation’s Kohaku privacy project. In mid‑2026, Nico published a proposal and reference implementation for SPHINCS‑style stateless post‑quantum signatures on the EVM, branded SPHINCS‑. The design, derived from the standardized SPHINCS+ family and tuned for on‑chain verification, allows a Solidity contract to validate a post‑quantum‑style signature at a cost of roughly 127,000 gas, with a signature size on the order of 3.7 kilobytes. Nico argues that, at current gas prices, this translates to a cost of around seven US cents per account to wrap an existing Ethereum address in a post‑quantum‑protected smart‑contract wallet, without requiring any hard fork or client modification.

This approach illustrates a key strength of a general‑purpose smart‑contract platform: quantum defenses can be tested and iterated at the application layer while core protocol research continues in parallel. Users and wallet teams can experiment with hybrid schemes where a contract enforces both a classical ECDSA signature and a SPHINCS‑style post‑quantum signature before releasing funds, giving early adopters quantum resilience without imposing costs on the entire network. Over time, if and when the Ethereum community agrees on one or more preferred post‑quantum schemes, these patterns could be standardized in ERCs and potentially enshrined at the protocol level, including for validator signatures and consensus messages.

The Google Quantum AI paper itself, co‑authored with Ethereum Foundation researchers, has injected urgency into this work by showing that the resources required to break secp256k1 are roughly an order of magnitude smaller than previously thought. Ethereum’s advantage is its flexibility: with account abstraction, rollups, and a culture of experimentation, it can deploy post‑quantum mechanisms at multiple layers — L1 accounts, L2 bridges, validator keys — while still preserving a unified economic and developer environment. But like Bitcoin, Ethereum will ultimately face hard governance decisions about deprecating old key types, handling abandoned contracts, and managing the user experience of a multi‑phase migration.

Algorand: full‑chain quantum resilience on a fixed roadmap

Algorand has chosen a more centralized, top‑down strategy for quantum readiness. The Algorand Foundation has unveiled a detailed roadmap to make the network broadly quantum‑resistant by the end of 2027 and to achieve what it describes as full‑chain quantum security by 2027–2028. The plan kicks off in 2026 with upgrades that introduce post‑quantum accounts, multisignature wallets, and staking support, enabling users and validators to begin adopting quantum‑safe keys at the account level. Subsequent phases focus on progressively migrating core protocol components — including consensus and other critical cryptographic primitives — to post‑quantum algorithms, aiming for a comprehensive cryptographic overhaul from wallets down to infrastructure.

Crucially, the Algorand Foundation emphasizes that it intends to hit broad quantum resilience before NIST formally retires certain legacy cryptographic standards and several years ahead of the timeline set by the U.S. National Security Agency for transitioning national security systems. This framing signals to institutional users that Algorand intends to be “quantum‑ready” on a schedule aligned with, or ahead of, government and enterprise expectations. The roadmap also situates Algorand within a broader movement: multiple public chain ecosystems, including those around Ethereum and Solana, have launched similar quantum‑resistant cryptography research and migration planning, although fewer have published as detailed a sequence of protocol upgrades.

For Algorand’s relatively smaller but coordinated ecosystem, a centralized roadmap may be an advantage. It allows the foundation to set clear milestones and expectations for validators, wallet providers, and application developers, potentially reducing the coordination overhead that plagues larger, more decentralized networks. At the same time, it places considerable trust in the foundation’s cryptographic choices and their integration, raising the stakes for getting those choices right. As with other networks, the exact selection of post‑quantum algorithms, the handling of legacy keys, and the strategy for hybrid coexistence during the transition will be critical for long‑term security.

Stellar: quantum‑safe signers via account abstraction

Stellar’s Quantum Preparedness Plan (QPP) offers a third model, centered on account abstraction and a structural separation between account identity and signing keys. The Stellar Development Foundation notes that every existing Stellar account already has an identity (a “G…” address) that is logically separate from its signing keys, which allows the network to introduce new signer types without changing account addresses or on‑chain history. Building on this, the QPP outlines a three‑stage program to migrate the network to quantum‑safe cryptography while preserving user addresses and balances.

In 2026, Stage 1 focuses on building blocks: adding post‑quantum signature verification to Soroban, Stellar’s smart‑contract platform, as native host functions that support NIST’s ML‑DSA‑44 and ML‑DSA‑65 lattice‑based signature standards. With these primitives in place, Soroban contract accounts can implement quantum‑safe authentication using account abstraction, enabling enterprise wallets to move to quantum‑safe signing as early as 2026, without any changes to classic accounts. Stage 2, targeted for 2027, then introduces quantum‑safe signer types as first‑class citizens on classic Stellar accounts through a protocol‑level upgrade. Every existing account is expected to be able to add a quantum‑safe signer alongside its existing Ed25519 signer via a simple set_options operation, with no new account types or address changes required.

Stage 3, deprecation, remains conditional on the perceived quantum threat level. Once readiness work is complete in 2027, the network can, by governance decision, set a ledger height after which Ed25519 signatures are no longer accepted for new transaction authorization, effectively forcing all accounts to rely on quantum‑safe signers. By decoupling the technical preparation from the activation decision, Stellar aims to be in a position where it can respond quickly once quantum progress or regulatory pressure demands action, while minimizing disruption to users. The plan exemplifies how protocol design choices — in this case, the separation of identity and keys — can simplify quantum migration.
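A simplified model of the Stage 2 and Stage 3 behaviour described above, added here as an illustration and not taken from Stellar's code: it checks whether an account's quantum-safe signers alone carry enough weight to meet its thresholds once Ed25519 is rejected. The signer-type labels, the `Account` structure, the sample accounts, and the strict "ledger greater than cutover height" rule are assumptions; signer weights and medium/high thresholds follow Stellar's existing multisig model.

```python
from dataclasses import dataclass, field

QUANTUM_SAFE = {"ml-dsa-44", "ml-dsa-65"}   # algorithms named in the plan
LEGACY = {"ed25519"}


@dataclass
class Account:
    account_id: str            # stays fixed across the migration
    medium_threshold: int      # weight needed for payments
    high_threshold: int        # weight needed to change signers
    signers: dict = field(default_factory=dict)   # label -> (type, weight)


def accepted_types(ledger, deprecation_ledger):
    """Signer types valid at `ledger`; None means Stage 3 is not activated."""
    if deprecation_ledger is not None and ledger > deprecation_ledger:
        return QUANTUM_SAFE
    return QUANTUM_SAFE | LEGACY


def signing_weight(account, signed_by, ledger, deprecation_ledger):
    """Total weight of the presented signers that are still accepted."""
    ok = accepted_types(ledger, deprecation_ledger)
    return sum(weight for label, (kind, weight) in account.signers.items()
               if label in signed_by and kind in ok)


def readiness(account, deprecation_ledger):
    """Classify what the account can still do one ledger after the cutover."""
    everyone = set(account.signers)
    weight = signing_weight(account, everyone,
                            deprecation_ledger + 1, deprecation_ledger)
    if weight >= account.high_threshold:
        return "ready"
    if weight >= account.medium_threshold:
        return "can-pay-cannot-rekey"   # funds move, signer set is frozen
    return "locked-out"


# Constructed accounts and cutover height, for illustration only.
CUTOVER = 1_000_000
ACCOUNTS = [
    Account("G-TREASURY", 2, 3, {"ed-a": ("ed25519", 2), "ed-b": ("ed25519", 1),
                                 "pq-a": ("ml-dsa-65", 3)}),
    Account("G-OPS", 2, 3, {"ed": ("ed25519", 3), "pq": ("ml-dsa-44", 2)}),
    Account("G-HALF", 2, 2, {"ed": ("ed25519", 2), "pq": ("ml-dsa-44", 1)}),
    Account("G-LEGACY", 1, 1, {"ed": ("ed25519", 1)}),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.account_id, readiness(acct, CUTOVER))
```

`G-HALF` shows the case worth auditing for before any activation decision: it has a quantum-safe signer, but that signer's weight is below the account's thresholds, so the account is still locked out after the cutover.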

Other ecosystems and the emerging norm

Beyond these flagship examples, many other crypto networks are beginning to incorporate quantum considerations into their roadmaps. The broader Ethereum ecosystem, including rollups and sidechains, is watching the Foundation’s work and experiments like SPHINCS‑ closely, as any L2 solution ultimately depends on the security of L1 signatures and bridge contracts. Solana and other high‑performance chains are exploring how to integrate NIST’s post‑quantum standards into their validator and account systems, balancing throughput with heavier cryptographic operations. Even smaller projects now routinely address quantum risk in their technical documentation, reflecting a growing norm that serious protocols should at least have a plan for post‑quantum migration.

At the same time, institutional actors are sharpening expectations. BlackRock’s quantum‑and‑blockchain whitepaper places Bitcoin, Ethereum, and stablecoins under the quantum lens and explicitly links quantum readiness to institutional comfort with long‑term allocations to crypto assets. France’s decision to stop certifying products without quantum‑safe encryption from 2027 adds regulatory weight to the trend, and similar moves from other national agencies would likely accelerate demand for post‑quantum features at both the protocol and custody layers. In this environment, networks that can demonstrate credible, concrete quantum roadmaps — and custodians that can show quantum‑safe key management — may enjoy an advantage in courting regulated capital.

Quantum, AI, and new computing models: more than just a threat

While much crypto discourse frames quantum computing primarily as a threat to signatures and wallets, it is also emerging as a new kind of computing platform that may eventually offer tools to crypto markets, DeFi, and on‑chain analytics. Quantum Computing Inc. (QCi), for example, is developing machines that leverage integrated photonics and non‑linear quantum optics to build quantum reservoir computers aimed at next‑generation AI applications. In mid‑2026, QCi announced a framework agreement with Planck Dynamics, a defense‑focused portfolio company, to deploy multiple NeuraWave photonic reservoir computer systems as a foundational AI platform, highlighting real commercial demand for quantum‑enhanced learning and signal processing.

Reservoir computing is a paradigm in which a fixed, high‑dimensional dynamical system — in this case, a quantum photonic network — is driven by input data, and only a simple readout layer is trained, leveraging the complex internal dynamics as a computational “reservoir.” Quantum and photonic implementations can, in principle, model nonlinear, high‑dimensional phenomena with lower energy and higher parallelism than classical systems. While these particular machines may still be specialized and limited in precision, they point to a future in which quantum hardware is not just an adversary but also a tool: for modeling market microstructure, optimizing DeFi portfolios, or simulating agent‑based dynamics in ways that could inform on‑chain strategies.

Neutral‑atom quantum computers, like those deployed by Pasqal and studied in the Caltech work, are also being explored for optimization and simulation tasks relevant to finance. Their ability to arrange thousands of atoms in programmable geometries and to implement tunable interactions makes them natural candidates for mapping certain combinatorial problems, such as portfolio optimization or liquidity routing, to quantum dynamics. In a world where DeFi protocols compete on risk management and execution quality, access to quantum‑enhanced solvers could become a differentiator, much like access to low‑latency infrastructure and sophisticated machine‑learning models is today.

For now, these opportunities are speculative. Today’s quantum hardware is noisy and limited, and translating theoretical quantum algorithms into practical speedups for real financial problems remains an active research area. But the same institutions commissioning quantum AI systems and neutral‑atom computers are also key players in crypto markets, especially in the institutional DeFi and tokenized assets space. Over time, the line between “quantum threat” and “quantum tool” may blur, as quantum‑empowered market participants leverage advanced computation to both attack and defend positions in digital asset markets.

Risk matrix (analyst read)

  • Cryptographic (ECDSA/secp256k1): High

    Harvest-now-decrypt-later attacks are already viable against exposed public keys; Coinbase estimates 7M BTC sit in quantum-vulnerable P2PK or reused P2PKH addresses.

  • Market / repricing: High

    BIP-361 proponents acknowledge that freezing dormant coins could trigger the largest single-day Bitcoin repricing event in history as the market prices in supply removal.

  • Governance / coordination: High

    Bitcoin's lack of a central upgrade authority means any forced migration requires social consensus that may be impossible to achieve before a cryptographic break is demonstrated at scale.

  • Regulatory: Medium

    France has announced it will stop certifying products without quantum-safe encryption by 2027, creating compliance pressure that will ripple into exchanges and custodians operating in the EU.

  • Smart-contract layer: Medium

    SPHINCS- verification at 127K gas on Ethereum is feasible today without a precompile, but gas costs and signature sizes make mass on-chain migration expensive without protocol-level support.

  • Hardware timeline: Medium

    Caltech estimates a cryptographically relevant quantum computer requires ~10,000 logical qubits; current leading systems are at early logical-qubit demonstration scale, putting a real break years away but not decades.

What this means for Bitcoin, Ethereum, builders, and users

For everyday users of Bitcoin and Ethereum, the immediate quantum takeaway is not panic but prudence. There is no evidence that an adversary currently possesses a cryptographically relevant quantum computer capable of breaking secp256k1 or Ed25519 in practice. However, the convergence of hardware advances, new error‑correction schemes, and tighter resource estimates suggests that the risk is no longer safely beyond the lifetime of current protocols. As a result, best practices like avoiding address reuse, upgrading wallets promptly, and being prepared to migrate funds to post‑quantum‑secure addresses once networks offer them are increasingly sensible.
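An added example (not from any wallet or exchange tooling) of the inventory check that the address-reuse advice implies: given a list of outputs, it reports unspent funds locked by a public key that is already on-chain, either because the output is P2PK or because a P2PKH address was spent from and still holds coins. The `Output` record, the reason labels, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Output:
    txid: str
    index: int
    script_type: str          # "p2pk" or "p2pkh"
    owner: str                # address (P2PKH) or a label for the raw key (P2PK)
    sats: int
    spent_in: Optional[str]   # txid of the spending transaction, None if unspent


def audit(outputs):
    """Return {owner: (reason, exposed_sats)} for funds behind a revealed key."""
    by_owner = defaultdict(list)
    for out in outputs:
        by_owner[out.owner].append(out)

    report = {}
    for owner, outs in by_owner.items():
        unspent = sum(o.sats for o in outs if o.spent_in is None)
        if unspent == 0:
            continue  # the key may be public, but no funds remain behind it
        if any(o.script_type == "p2pk" for o in outs):
            # P2PK puts the public key in the locking script itself.
            report[owner] = ("p2pk", unspent)
        elif any(o.spent_in is not None for o in outs):
            # A P2PKH spend publishes the key; anything still held at the
            # same address is then locked by an already-known public key.
            report[owner] = ("reused-p2pkh", unspent)
    return report


def exposed_total(outputs):
    return sum(sats for _, sats in audit(outputs).values())


# Constructed sample data; not real transactions or addresses.
SAMPLE = [
    Output("tx-a", 0, "p2pkh", "addr-reused", 50_000, "tx-c"),
    Output("tx-b", 1, "p2pkh", "addr-reused", 120_000, None),
    Output("tx-d", 0, "p2pkh", "addr-fresh", 75_000, None),
    Output("tx-e", 0, "p2pk", "key-early-miner", 5_000_000_000, None),
    Output("tx-f", 0, "p2pkh", "addr-emptied", 30_000, "tx-g"),
]

if __name__ == "__main__":
    for owner, (reason, sats) in audit(SAMPLE).items():
        print(f"{owner}: {sats} sats exposed ({reason})")
```

Anything the audit flags is a candidate to move to a fresh address now, and to a post-quantum address once the network offers one.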

For Ethereum users and developers, experiments like SPHINCS‑ demonstrate that post‑quantum protection can be deployed at the account level today, albeit with higher gas costs and more complex wallet logic. Wallet providers and dApp developers can begin offering hybrid smart‑contract wallets that require both classical and post‑quantum signatures, at least for high‑value holdings, long‑term cold storage, or systemically important contracts. As costs drop and standards emerge, these patterns can be generalized. The fact that Ethereum now counts over a million lifetime developers in its ecosystem increases the likelihood that robust libraries, tooling, and audits will emerge for post‑quantum constructions before an emergency migration is required.

Institutional actors — exchanges, custodians, and funds — face a dual challenge. On one hand, they must ensure that their own infrastructure, from HSMs to key ceremonies to inter‑data‑center links, migrates to post‑quantum standards in step with emerging regulations like France’s 2027 certification cutoff. On the other, they must manage the systemic risk posed by legacy coins and addresses that they do not fully control, such as abandoned Bitcoin outputs or long‑dormant Ethereum accounts whose owners may no longer have access to keys. Coinbase’s reports, which highlight that its own cold wallets and other exchange‑controlled addresses contribute to the pool of quantum‑vulnerable bitcoin, illustrate how even sophisticated players must grapple with legacy exposure.

For protocol designers and governance communities, quantum risk is increasingly a test case for how decentralized systems handle long‑term, slow‑burn threats. The debate around whether quantum risk is primarily a cryptography problem or a blockchain governance problem encapsulates this tension. Cryptography can provide a menu of post‑quantum algorithms, with known trade‑offs and parameter choices. But only governance can decide which algorithms to adopt, how to phase them in, what to do about users who fail to migrate, and how to handle coins whose owners are unreachable. The answers will differ across networks, but the process will likely shape norms for future long‑horizon risks, from hardware shifts to regulatory shocks.

Finally, for investors and analysts, quantum should be seen as a risk factor with a broad but uncertain distribution. The probability that a capable quantum computer appears in the next five years may be low, but the impact would be high, particularly if migration plans are incomplete. Conversely, networks that credibly demonstrate quantum readiness — through detailed roadmaps like Algorand’s, staged activation plans like Stellar’s QPP, and live experiments like Ethereum’s SPHINCS‑ contracts — may command a premium in institutional risk models. BlackRock’s decision to publish a dedicated report on quantum computing and blockchains, examining implications for Bitcoin, Ethereum, and stablecoins, suggests that such risk modeling is already underway at the highest levels of traditional finance.

Outlook

Quantum computing has moved from abstract theory to practical engineering, and in doing so has forced the crypto industry to confront uncomfortable questions about its long‑term cryptographic foundations. Hardware advances in neutral‑atom, superconducting, and photonic platforms, together with new error‑correction schemes and optimized attack circuits, have shortened the plausible timelines at which quantum computers could threaten elliptic curve signatures, even if no one can specify an exact year. At the same time, the emergence of standardized post‑quantum algorithms, regulatory deadlines for quantum‑safe encryption, and concrete roadmaps from networks like Algorand and Stellar demonstrate that a coordinated defense is both possible and underway.

In the coming decade, the most important developments may be less about raw qubit counts and more about governance and migration. Bitcoin, Ethereum, and other major networks will need to decide how to handle abandoned coins, how aggressively to push users toward quantum‑safe keys, and how to maintain decentralization while adopting more complex cryptography. Experiments like Ethereum’s SPHINCS‑ accounts, institutional analyses like BlackRock’s whitepaper, and national policies like France’s 2027 certification rule are early signposts of a broader shift in how the ecosystem thinks about quantum. Meanwhile, quantum hardware will continue to evolve as both a threat and a tool, powering new AI and optimization systems that may reshape market dynamics as much as they threaten cryptographic assumptions.

For a crypto audience, the key is to treat quantum not as FUD or as marketing gloss, but as a structural technological transition that will unfold over many years. The networks that invest early in post‑quantum research, publish transparent roadmaps, and build flexible, upgrade‑friendly architectures are likely to navigate that transition more smoothly. Those that postpone hard choices until a crisis point may find that, in a quantum world, the real vulnerability was not mathematics but governance.
