
Quantum Computing, Explained


Deep dive into quantum computing’s mechanics, hardware progress and timelines, and what CRQCs mean for Bitcoin, Ethereum and crypto security, from Shor’s algorithm to post-quantum migration plans by chains like Algorand and Cardano.

Quantum Computing and the Future of Crypto Security

Quantum computers are an emerging class of machines that use the rules of quantum physics to process information in ways classical computers cannot, promising dramatic speedups for certain problems while posing equally dramatic risks to today’s cryptography. For Bitcoin, Ethereum and the broader crypto ecosystem, that combination makes quantum computing both a potential accelerant for new financial technology and a long-term threat to the public-key signatures that secure every on-chain balance.

Quantum computing has moved from theory into practice over the past decade, with multiple hardware platforms now operating tens to thousands of physical qubits and demonstrating early error-correction, hybrid quantum–classical workflows, and commercial “quantum computing as a service” offerings. At the same time, researchers and institutions such as Google and BlackRock are publishing detailed analyses of how future quantum machines could break elliptic-curve cryptography, accelerate attacks against cryptocurrencies, and force blockchains to migrate to post-quantum security. This explainer unpacks how quantum computers work, where the technology stands today, what the timeline and magnitude of the quantum threat to crypto really are, and how blockchains and wallets are starting to prepare for a post-quantum world.

From Classical to Quantum: How These Machines Actually Work

Understanding why quantum computing matters for Bitcoin and crypto starts with understanding how it differs from ordinary computing. Classical computers manipulate bits that are either 0 or 1. Quantum computers manipulate qubits, which can be in more complex states governed by quantum mechanics. This seemingly abstract distinction underpins both the power and the security implications of quantum computing.

Qubits, superposition and entanglement

In a classical chip, each bit is definitively in one of two states, 0 or 1, and a computation is a sequence of operations that flips or combines these bits according to deterministic rules. By contrast, a qubit can exist in a superposition of both basis states \(\lvert 0\rangle\) and \(\lvert 1\rangle\), described mathematically as \( \alpha \lvert 0\rangle + \beta \lvert 1\rangle \) where \( \alpha \) and \( \beta \) are complex amplitudes whose squared magnitudes sum to one. When a qubit is measured, this superposition “collapses” to either 0 or 1, with probabilities given by \(|\alpha|^2\) and \(|\beta|^2\) respectively. For example, a qubit in an equal superposition of \(\lvert 0\rangle\) and \(\lvert 1\rangle\) will yield 0 or 1 with fifty percent probability each.

Superposition scales exponentially with the number of qubits. A classical register of \(n\) bits represents exactly one of \(2^n\) possible bit strings at a time. An ideal quantum register of \(n\) qubits, by contrast, can be in a superposition of all \(2^n\) basis states simultaneously, from \(\lvert 00\ldots 0\rangle\) to \(\lvert 11\ldots 1\rangle\). The quantum computer is not “trying all possibilities in parallel” in the naive sense, but carefully designed quantum algorithms can manipulate these amplitudes so that the correct answer is much more likely upon measurement, effectively harnessing that huge state space.

A second key phenomenon is entanglement, a uniquely quantum correlation between qubits. A pair of qubits is entangled when its joint state cannot be written as a product of individual single-qubit states; only the composite system has a definite state. In such states, measurement outcomes on one qubit are strongly correlated with those on the other, however far apart the qubits are. In the Bell state \(\tfrac{1}{\sqrt{2}}(\lvert 00\rangle + \lvert 11\rangle)\), for example, measuring one qubit as 0 guarantees the other reads 0, and likewise for 1; a sibling Bell state anti-correlates the outcomes instead. These correlations cannot be reproduced by classical hidden variables and are central to quantum protocols and algorithms.

Crucially, entanglement does not allow faster-than-light communication. When each party measures their qubit, the outcomes are individually random; only by later comparing notes do the correlations become apparent. This point matters because similar misunderstandings sometimes surface in discussions of “quantum attacks” on blockchains, where quantum effects are mistakenly imagined as magical remote control. In reality, quantum computers still obey the constraints of communication networks and must interact with blockchain data through classical channels.
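The three claims above (a qubit in equal superposition is a fair coin, a Bell pair gives perfectly correlated outcomes, and each half of the pair is still individually random) can be checked with a few dozen lines of amplitude arithmetic. The following is an added example, not code from the article or from any quantum vendor: a minimal statevector simulator with the Hadamard and CNOT gates, a Born-rule sampler, and a rank test for whether a two-qubit state is a product state. Qubit ordering (qubit 0 as the most significant bit) is a convention chosen here.

```python
"""Minimal statevector simulator (added example, not from the original article).
Builds the Bell state (|00> + |11>)/sqrt(2) and checks: each qubit alone is a
fair coin, the pair is perfectly correlated, and the state is not a product."""
import math
import random

# Single-qubit gates as 2x2 complex matrices (row-major).
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]
X = [[0, 1], [1, 0]]


def zero_state(n):
    """|00...0> on n qubits: amplitude 1 on index 0, 0 elsewhere."""
    psi = [0j] * (1 << n)
    psi[0] = 1 + 0j
    return psi


def apply_1q(psi, gate, target, n):
    """Apply a 2x2 gate to qubit `target`; qubit 0 is the most significant bit (convention assumed here)."""
    shift = n - 1 - target
    out = [0j] * len(psi)
    for idx, amp in enumerate(psi):
        if amp == 0:
            continue
        bit = (idx >> shift) & 1
        for new_bit in (0, 1):
            g = gate[new_bit][bit]
            if g:
                out[(idx & ~(1 << shift)) | (new_bit << shift)] += g * amp
    return out


def apply_cnot(psi, control, target, n):
    """Flip `target` on every basis state in which `control` is 1 (a permutation of amplitudes)."""
    cs, ts = n - 1 - control, n - 1 - target
    out = list(psi)
    for idx, amp in enumerate(psi):
        if (idx >> cs) & 1:
            out[idx ^ (1 << ts)] = amp
    return out


def probabilities(psi):
    """Born rule: |amplitude|^2 for each basis state."""
    return [abs(a) ** 2 for a in psi]


def marginal_one(psi, qubit, n):
    """Probability that `qubit` alone reads 1, whatever the other qubits do."""
    shift = n - 1 - qubit
    return sum(p for idx, p in enumerate(probabilities(psi)) if (idx >> shift) & 1)


def is_entangled(psi):
    """A two-qubit state is a product state iff its 2x2 amplitude matrix has rank 1,
    i.e. a00*a11 - a01*a10 == 0. Anything else cannot be written as |a>|b>."""
    assert len(psi) == 4
    return abs(psi[0] * psi[3] - psi[1] * psi[2]) > 1e-12


def bell_state():
    """H on qubit 0, then CNOT(0 -> 1): (|00> + |11>) / sqrt(2)."""
    psi = zero_state(2)
    psi = apply_1q(psi, H, 0, 2)
    return apply_cnot(psi, 0, 1, 2)


def sample(psi, n, shots, seed=0):
    """Measure every qubit `shots` times; returns {bitstring: count}. Seeded so runs repeat."""
    rng = random.Random(seed)
    probs = probabilities(psi)
    counts = {}
    for _ in range(shots):
        r, acc, hit = rng.random(), 0.0, len(probs) - 1
        for idx, p in enumerate(probs):
            acc += p
            if r < acc:
                hit = idx
                break
        key = format(hit, f"0{n}b")
        counts[key] = counts.get(key, 0) + 1
    return counts


def agreement_rate(psi, n=2, shots=2000):
    """Fraction of shots in which the first and last qubit read the same value."""
    counts = sample(psi, n, shots)
    return sum(c for k, c in counts.items() if k[0] == k[-1]) / shots


if __name__ == "__main__":
    bell = bell_state()
    print("amplitudes:", [round(a.real, 3) for a in bell])
    print("qubit 0 alone, P(1) =", marginal_one(bell, 0, 2))
    print("both qubits agree in", agreement_rate(bell), "of shots")
    print("entangled:", is_entangled(bell))
```

The marginal of either qubit is exactly 0.5 while the agreement rate over the pair is exactly 1.0: that is the whole "no faster-than-light signalling" argument in numbers, since a party looking only at their own qubit sees a fair coin regardless of what the other party does.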

Together, superposition and entanglement give quantum computers a qualitatively different computational toolkit from classical machines. They allow quantum algorithms to explore and interfere across vast solution spaces in ways that, for certain problems, beat the best known classical algorithms by an exponential margin (no proof exists that a faster classical algorithm is impossible, but decades of effort have not found one). The most famous examples of such problems, integer factorization and discrete logarithms, are exactly the mathematical foundations of the public-key cryptography used in Bitcoin and most of crypto.

Quantum gates, circuits and error correction

Operationally, a quantum computer is built from quantum gates that act on one or more qubits, analogous to logic gates in classical circuits. These gates correspond to unitary transformations that rotate the state vector in the Hilbert space of possible qubit states. A quantum algorithm is implemented as a sequence (or circuit) of such gates, starting from an initial state, evolving through a carefully engineered series of superpositions and entanglements, and ending with measurements that extract classical bits of information.

However, quantum states are fragile. Qubits interact with their environment and undergo decoherence, losing their quantum properties over time, and they are subject to noise and imperfect gate operations. This is why early quantum devices have been described as part of the “noisy intermediate-scale quantum” (NISQ) era. To build large-scale, reliable quantum computers capable of running cryptographically relevant algorithms, researchers rely on quantum error correction (QEC).

Quantum error correction encodes the logical information of a single qubit into a highly entangled state of many physical qubits, forming a logical qubit. By appending ancilla qubits and applying an encoding circuit, the system’s state is mapped into a subspace where typical local errors can be detected and corrected without directly measuring (and thus collapsing) the logical information. A QEC scheme conceptually proceeds in three stages: encoding the logical information into physical qubits, transmitting or storing this encoded state through a noisy channel, and finally extracting an error syndrome and performing a recovery operation to reconstruct the logical state. The codes used in practice, such as stabilizer codes, are constructed under specific assumptions about the types of errors and must be capable of correcting them.

From the perspective of crypto security, this distinction between physical and logical qubits is important. When Google, for example, estimates that a cryptographically relevant quantum computer could break a 256-bit elliptic curve discrete logarithm with “about 1,200 logical qubits” and around 90 million Toffoli gates, that implicitly assumes a much larger number of physical qubits—on the order of hundreds of thousands—once QEC overhead is included. The gap between today’s noisy devices and such large logical computations is at the heart of current debates over quantum timelines and the urgency of post-quantum upgrades.
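To make the logical-versus-physical distinction concrete, here is an added example (not from the article or from Google's estimate) that models error correction with the simplest code there is, a distance-\(d\) repetition code decoded by majority vote, and then scales the chosen distance with the standard surface-code footprint of about \(2d^2\) physical qubits per logical qubit. The repetition code, the \(2d^2 - 1\) footprint, the physical error rate of \(10^{-3}\) and the target logical error rate of \(10^{-12}\) are all assumptions for illustration; real surface-code thresholds, decoders and magic-state factories change the constants, which is why the resulting count differs from the roughly 500,000 in Google's estimate.

```python
"""Logical vs physical qubits (added example, not the article's or Google's numbers).
Repetition code with majority-vote decoding stands in for the surface code; the
exact figures differ, but the shape of the trade-off is the point: below the
threshold, each added unit of distance buys an exponentially smaller logical error."""
from math import comb


def logical_error_rate(d, p):
    """Probability that majority vote over d physical bits, each flipped independently
    with probability p, returns the wrong logical bit (d odd)."""
    assert d % 2 == 1
    return sum(comb(d, k) * p ** k * (1 - p) ** (d - k) for k in range(d // 2 + 1, d + 1))


def syndrome(bits):
    """Parity of neighbouring pairs: the bit-flip analogue of Z_i Z_{i+1} stabilizer
    checks. Locates an error without ever reading the logical value itself."""
    return [bits[i] ^ bits[i + 1] for i in range(len(bits) - 1)]


def correct_single(bits):
    """Recover from one flipped bit using the syndrome alone (any odd length)."""
    s = syndrome(bits)
    ones = [i for i, v in enumerate(s) if v]
    out = list(bits)
    if not ones:
        return out
    if ones == [0]:
        pos = 0                       # flip at the left boundary
    elif ones == [len(s) - 1]:
        pos = len(bits) - 1           # flip at the right boundary
    elif len(ones) == 2 and ones[1] == ones[0] + 1:
        pos = ones[1]                 # interior flip sits between two tripped checks
    else:
        raise ValueError("more than one flip: beyond this single-error decoder")
    out[pos] ^= 1
    return out


def min_distance(p, target):
    """Smallest odd distance whose logical error rate is at or below `target`."""
    if p >= 0.5:
        raise ValueError("above threshold: adding qubits makes the logical error worse")
    d = 1
    while logical_error_rate(d, p) > target:
        d += 2
    return d


def surface_code_physical(d):
    """Physical qubits per logical qubit for a distance-d surface code:
    d^2 data qubits plus d^2 - 1 measurement qubits (standard approximation, assumed here)."""
    return 2 * d * d - 1


def physical_budget(logical_qubits, p, target):
    """(distance, total physical qubits) for `logical_qubits` at physical error `p`
    and per-operation logical error `target`, distance picked with the repetition model."""
    d = min_distance(p, target)
    return d, logical_qubits * surface_code_physical(d)


if __name__ == "__main__":
    p, target = 1e-3, 1e-12            # assumed physical error and logical target
    for d in (3, 5, 7, 9):
        print(f"d={d}: logical error {logical_error_rate(d, p):.2e}")
    print("corrected [1,0,0] ->", correct_single([1, 0, 0]))
    d, total = physical_budget(1200, p, target)
    print(f"1200 logical qubits at d={d}: about {total:,} physical qubits")
```

Two things fall out of running it: at \(p = 0.6\) the "corrected" error rate is worse than the raw one (the threshold in action), and at \(p = 10^{-3}\) reaching \(10^{-12}\) needs distance 9, so roughly 160 physical qubits for every one of the 1,200 logical qubits before any allowance for the Toffoli gates.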


Where Quantum Hardware Stands Today

Quantum computing is no longer a purely theoretical field. Companies, governments and research labs now operate a variety of hardware platforms, each with different strengths and scaling properties. These platforms include superconducting qubits, trapped ions, neutral atoms in optical tweezers, photonic systems and silicon spin qubits. For crypto audiences trying to evaluate the real threat timeline, understanding this hardware landscape is as important as understanding the underlying math.

Competing qubit technologies and scaling challenges

Superconducting qubits, used by IBM and Google, are fabricated with techniques similar to classical integrated circuits and operate at millikelvin temperatures in dilution refrigerators. They offer relatively fast gate speeds and have been the workhorse of many early quantum computing experiments. Trapped-ion systems, used by companies such as Quantinuum, confine individual ions in electromagnetic traps and manipulate their internal states with lasers. These systems tend to have very high-fidelity gates and long coherence times, at the cost of slower operations and challenging scaling.

Neutral-atom platforms trap neutral atoms in optical tweezers or lattices created by focused laser beams. Recent work has shown that these architectures can support large, programmable arrays of qubits with excellent coherence and high-fidelity operations. Photonic quantum computing uses single photons and linear or nonlinear optical components, which have the advantage of operating at or near room temperature and integrating naturally with optical communication networks. Silicon spin qubits, realized in semiconductor devices, are being pursued as a path that might leverage existing chip fabrication infrastructure.

All of these modalities face common scaling problems: maintaining qubit coherence as system size grows, engineering reproducible devices, managing optical and microwave control complexity, and integrating cryogenic systems and control electronics. The U.S. Department of Commerce, in its CHIPS and Science Act quantum incentives, explicitly identifies challenges such as device reproducibility, optical complexity, error rates, cryogenic integration, ultra-fast readout and photonic loss as key bottlenecks that funded companies are expected to address. These engineering realities are the main reason that cryptographically relevant quantum computers remain out of reach today, even as algorithms and small-scale demonstrations advance.

Neutral atoms and the leap to thousands of qubits

Among the various technologies, neutral-atom systems have recently emerged as leading candidates for scaling to very large numbers of qubits. A Nature paper reported the demonstration of a tweezer array with 11,998 sites, trapping more than 6,100 atomic qubits, and achieving record coherence times, long trap lifetimes, and high-fidelity coherent transport and trap-transfer operations in a room-temperature apparatus. The system demonstrated coherent atomic transport over 610 micrometers with about 99.95% fidelity and coherent transfer between static and dynamic traps with around 99.81% fidelity, as verified through randomized benchmarking. These metrics are not merely engineering curiosities; they underpin the feasibility of rearranging and entangling large numbers of qubits in error-corrected architectures.

The authors concluded that quantum computing with 6,000 atomic qubits is a near-term prospect on this platform, providing a path toward quantum error correction with hundreds of logical qubits. That is still short of the roughly 1,200 to 1,450 logical qubits in Google’s ECDLP-256 estimate, and far short of the physical-qubit count that estimate implies once error-correction overhead is included, but it marks a significant step from tens or hundreds to multi-thousand-qubit arrays. Neutral-atom systems also lend themselves to highly programmable geometries and dynamical reconfiguration, which can be advantageous for both simulation and computation.

On the commercial side, neutral-atom startup Pasqal has been deploying smaller, but fully functional neutral-atom quantum processors. It delivered a more than 140-qubit neutral-atom quantum computer to Italy’s CINECA, the country’s largest public supercomputing center, for tight hybrid integration with the Leonardo pre-exascale EuroHPC supercomputer. This hybrid architecture is designed to offload specialized workloads such as complex optimization, advanced materials simulation and machine learning tasks to the quantum processing unit, while relying on classical HPC for other tasks. In Saudi Arabia, Aramco and Pasqal launched the country’s first quantum computer and the Middle East’s first commercial quantum computing-as-a-service platform, offering remote cloud access for clients worldwide. These deployments illustrate how neutral-atom systems are being woven into existing high-performance computing and cloud infrastructures, a trend that will matter once cryptographically relevant machines exist.

Trapped ions, photonics and the rise of full-stack players

Trapped-ion systems remain a leading platform for high-fidelity, universal quantum computation. Quantinuum, for example, develops integrated hardware and software platforms based on trapped-ion quantum computers, and also offers cybersecurity solutions and tools for quantum chemistry and AI, all aimed at achieving universal, fault-tolerant quantum computing. The company has been positioned as one of the first full-stack quantum computing firms, offering not just hardware but also compilers, algorithms and application development tools. Its prominence—culminating in a major public listing and significant capital raising according to recent market coverage—signals that investors increasingly regard quantum computing as a maturing industry rather than a pure research project.

Photonics offers another promising path. Quantum Computing Inc. (QCi), for instance, is a quantum optics and integrated photonics company focused on delivering accessible, scalable and cost-effective quantum machines and photonic solutions. Its NeuraWave photonic reservoir computer is designed to operate at room temperature with low power requirements, targeting high-growth markets in high-performance computing, artificial intelligence, cybersecurity, aerospace and advanced sensing. While NeuraWave is not a universal quantum computer in the sense of running Shor’s algorithm, it exemplifies how quantum-inspired and photonic systems are already being deployed as special-purpose accelerators, blurring the lines between classical, quantum and neuromorphic computing.

Governments are actively trying to accelerate this ecosystem. The U.S. Department of Commerce has announced letters of intent to provide roughly $2.013 billion in federal incentives under the CHIPS and Science Act to nine companies, including two domestic quantum foundries (GlobalFoundries and IBM) and seven quantum computing companies spanning neutral-atom, silicon spin, superconducting, photonic and trapped-ion modalities. The funding aims to tackle the most consequential, unresolved engineering problems in large-scale quantum computing, such as error rates, device reproducibility, photonic loss and interconnects, to enable utility-scale, fault-tolerant machines.

Taken together, these developments show a field moving rapidly from prototype devices with tens of qubits toward multi-thousand-qubit arrays and industrial-scale R&D. However, there remains a substantial gap between today’s hardware and the cryptographically relevant quantum computers required to break the elliptic-curve cryptography underpinning Bitcoin and other cryptocurrencies. Bridging that gap will require not only more qubits, but also far better error correction and system integration.

Why Quantum Computing Threatens Today’s Cryptography

The reason crypto investors, protocol designers and regulators are paying attention to quantum computing is not primarily its potential for faster option pricing or portfolio optimization. It is the prospect that a sufficiently powerful quantum computer could break the public-key cryptography that secures blockchains, exposing wallets and smart contracts to theft and disruption.

Public-key cryptography and elliptic curves

Most modern blockchains, including Bitcoin and Ethereum, rely on public-key cryptography based on elliptic curves. In Bitcoin’s case, the dominant scheme is the Elliptic Curve Digital Signature Algorithm (ECDSA) over the curve known as secp256k1, whose security rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP-256). Roughly speaking, given a point \(G\) on an elliptic curve and a scalar \(k\), it is easy to compute \(kG\) but believed to be infeasible, with classical computers, to recover \(k\) from \(G\) and \(kG\) alone. Ethereum uses a similar elliptic-curve setup for externally owned accounts, and many other chains reuse the same or closely related primitives.

Under classical assumptions, 256-bit elliptic curve cryptography is extremely secure. BlackRock’s whitepaper on quantum computing and blockchains notes that breaking 256-bit ECC with today’s fastest classical supercomputers would take millions to billions of years. The same is true for many other public-key systems such as RSA with sufficiently large key sizes. Symmetric cryptography and hash functions (like SHA-256), by contrast, are not broken but effectively weakened by quantum computers, as discussed below. This asymmetry is why ECDSA and similar schemes are the primary focus of quantum-threat discussions in crypto.
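The "easy forward, hard backward" property is worth seeing in code. The block below is an added example (pure Python, not Bitcoin Core's or the article's code) that implements secp256k1 point addition and double-and-add scalar multiplication from the curve constants, derives a public key, encodes it in the compressed form that appears in transactions, and computes the HASH160 that a P2PKH output publishes instead of the key. The brute-force search at the end is the only classical route back to \(k\); it is deliberately capped because on a real 256-bit key the generic attacks need on the order of \(2^{128}\) curve operations, which is the gap Shor's algorithm closes. The RIPEMD-160 step is guarded because some OpenSSL builds do not expose it to Python's hashlib.

```python
"""secp256k1 arithmetic in pure Python (added example, not Bitcoin's or the article's code).
k -> kG costs a few hundred field operations; recovering k from kG is the ECDLP."""
import hashlib

# secp256k1 domain parameters (public constants from the curve specification).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity, the group identity


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); covers doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                   # p2 == -p1
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P    # tangent slope (curve coefficient a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P     # chord slope, inverse via Fermat
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mul(k, point=G):
    """Double-and-add: about 256 doublings and at most 256 additions for any k < 2^256."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compressed(point):
    """33-byte SEC encoding (02/03 prefix by y parity + x): what a P2PK output or a spend reveals."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def xonly(point):
    """32-byte x-only key, the form a Taproot output carries (untweaked here for illustration)."""
    return point[0].to_bytes(32, "big")


def hash160(data):
    """HASH160 = RIPEMD160(SHA256(data)): the only thing a P2PKH/P2WPKH output publishes.
    Returns None when the OpenSSL build behind hashlib lacks RIPEMD-160."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return None


def brute_force_dlog(pub, limit):
    """Generic search for k with kG == pub, capped at `limit` steps. Works for toy k only;
    a random 256-bit k would need ~2^128 steps with the best classical (Pollard rho) attack."""
    acc = INF
    for k in range(1, limit + 1):
        acc = point_add(acc, G)
        if acc == pub:
            return k
    return None


if __name__ == "__main__":
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # demo value
    pub = scalar_mul(priv)
    print("compressed pubkey:", compressed(pub).hex())
    h = hash160(compressed(pub))
    print("P2PKH publishes only:", h.hex() if h else "(ripemd160 unavailable)")
    print("N*G is infinity:", scalar_mul(N) is INF)
    print("brute force on k=7 within 20 steps:", brute_force_dlog(scalar_mul(7), 20))
```

The check that \(N \cdot G\) comes back as the point at infinity is a cheap self-test of the arithmetic, and the HASH160 of the compressed generator is the well-known `751e76e8...` hash, which is a handy fixed point for validating any address code.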

Shor’s algorithm, Grover’s algorithm and CRQCs

Quantum computing upends these assumptions because of algorithms like Shor’s algorithm. Shor’s algorithm runs on a sufficiently large, fault-tolerant quantum computer and solves both integer factorization and discrete logarithms in polynomial time, meaning it can break RSA and elliptic curve schemes with a feasible number of quantum operations. Once a quantum computer has enough error-corrected, or logical, qubits and low enough error rates, Shor’s algorithm can transform problems that were effectively unbreakable into tractable ones.

A recent whitepaper from Google compiles two quantum circuits that implement Shor’s algorithm for the 256-bit elliptic curve discrete logarithm problem (ECDLP-256). The first uses fewer than 1,200 logical qubits and about 90 million Toffoli gates, while the second uses fewer than 1,450 logical qubits and about 70 million Toffoli gates. Under standard assumptions about hardware capabilities that are consistent with some of Google’s superconducting quantum processors, the paper estimates that these circuits could be executed on a cryptographically relevant quantum computer with fewer than 500,000 physical qubits in a few minutes. This represents roughly a twenty-fold reduction in the number of physical qubits required compared to previous estimates, continuing a trend in which algorithmic and compilation optimizations keep lowering the hardware threshold for breaking ECC.

This is where quantum error correction becomes central again. Those 1,200–1,450 logical qubits must be encoded into hundreds of thousands of physical qubits using QEC codes, with repeated syndrome measurements and corrections throughout the computation. Until error rates and coherence times reach regimes where such deep fault-tolerant circuits are practical, Shor’s algorithm remains more of a theoretical threat than a practical one. Nevertheless, the trajectory is clear: as hardware and error correction improve, the gap between current devices and CRQCs capable of running these circuits is shrinking.

For symmetric cryptography and hash functions, the relevant quantum algorithm is Grover’s algorithm, which provides a quadratic speedup for brute-force search. In simple terms, Grover’s algorithm can reduce the effective security level of an \(n\)-bit symmetric key to roughly \(n/2\) bits. This means that a 256-bit hash like SHA-256 would offer around 128 bits of preimage security against a quantum adversary, which is still considered strong and can be restored where needed by doubling key or output lengths. The speedup is also in the number of evaluations, not in wall-clock time: Grover’s iterations are inherently sequential, so the practical loss is smaller than the \(n/2\) figure suggests. Consequently, the focus of quantum risk analysis in blockchains is firmly on asymmetric schemes like ECDSA and BLS signatures.

“Q-Day” and harvest-now-decrypt-later attacks

Security researchers sometimes refer to “Q-Day” as the moment when a CRQC becomes available that can break widely deployed public-key cryptography in practical timeframes. A quantum security firm, Project Eleven, has warned that Q-Day could arrive as early as 2030, arguing that such a machine could put 6.9 million Bitcoin—worth over $560 billion at the time of their analysis—at risk. Their warning has been debated within the community, with some experts viewing it as overly pessimistic, but it underscores the uncertainty and the high stakes.

Google’s whitepaper highlights a related concern: harvest-now-decrypt-later attacks. Even if CRQCs capable of real-time attacks on live blockchain transactions are a decade or more away, adversaries can already record data today, store it, and exploit it once quantum capabilities exist. On-chain, nothing even needs to be intercepted: every public key that is already visible in the ledger is “harvested” by default and can be attacked the day a CRQC exists. Off-chain, encrypted traffic such as wallet-to-server sessions, custody APIs and confidential transaction schemes that rest on elliptic-curve key exchange can be captured now and decrypted later. To mitigate this, Google has introduced a 2029 migration timeline for its own infrastructure’s transition to post-quantum cryptography and recommends that systems with long security lifetimes adopt PQC well before CRQCs are fully realized.

For cryptocurrencies that aim to serve as long-term stores of value or infrastructure for decades, this combination of Shor’s algorithm, optimized quantum circuits, and harvest-now-decrypt-later risk makes a credible case that post-quantum security is not merely a theoretical curiosity but a strategic necessity.


Mapping the Quantum Threat to Bitcoin and Crypto

The quantum threat is not uniform across all parts of the crypto ecosystem. Different cryptographic primitives, wallet practices, and governance structures lead to different risk profiles and migration challenges. Bitcoin is the most studied case, but similar issues affect Ethereum, privacy coins, and emerging blockchain designs.

How Bitcoin’s cryptography can be attacked

Bitcoin’s security relies primarily on three cryptographic ingredients: ECDSA (and, since Taproot, Schnorr) signatures over secp256k1, the SHA-256 and RIPEMD-160 hash functions, and the scripts that combine them. Signatures secure ownership by requiring a valid signature under a given public key to spend coins. The hash functions are used both to build addresses and to secure the proof-of-work chain; it is the address construction that matters for quantum threat modeling, because it decides whether a public key is visible before the coins move.

Early in Bitcoin’s history, many block rewards and transactions paid directly to public keys in so-called Pay-to-Public-Key (P2PK) outputs, meaning the public key was visible on-chain from the moment of creation. Later, the dominant format shifted to Pay-to-Public-Key-Hash (P2PKH), where only a hash of the public key (SHA-256 followed by RIPEMD-160) appears in the output. The actual public key is revealed only when coins are spent from that address. In P2PKH, then, an attacker must either invert the hash (for which a quantum computer gets only Grover’s quadratic speedup, nowhere near enough) or wait until the coins are spent and the public key is revealed. Native SegWit (P2WPKH) outputs hide the key the same way; Taproot (P2TR) outputs, by contrast, place a 32-byte x-only public key directly in the output, so coins at Taproot addresses are exposed from creation, much like P2PK.

A detailed analysis by on-chain analytics firm Glassnode quantifies the extent of Bitcoin’s exposure to future quantum attacks. They find that 6.04 million BTC, representing about 30.2% of the total issued supply, have public keys exposed on-chain and could theoretically be exploited by a sufficiently powerful quantum computer. This exposed supply falls into two categories. Structural exposure, around 1.92 million BTC, arises mainly from early mining rewards and other P2PK outputs that never hid the public key. Operational exposure, around 4.12 million BTC, comes almost entirely from address reuse, where the same Bitcoin address is used more than once to receive funds; spending even a single satoshi from such an address reveals its public key and effectively marks all funds at that address as exposed.

The key takeaway is that address reuse is a major, avoidable contributor to quantum risk. In principle, coins held in P2PKH addresses that have never been spent—and thus whose public keys have not been revealed—are protected by the preimage resistance of SHA-256 and RIPEMD-160, which are significantly more resistant to quantum attacks than ECDSA. However, once those coins move and their public keys appear on-chain, they become vulnerable to Shor’s algorithm running on a CRQC. An attacker watching the mempool in a Q-Day scenario could, in theory, compute the private key from the revealed public key and attempt to race or override the legitimate transaction with a conflicting spend. For that on-spend attack the entire key recovery has to finish inside the confirmation window, on the order of ten minutes for Bitcoin, which is why the run-time estimates for ECDLP-256 circuits (minutes rather than days) matter as much as the qubit counts.
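The structural/operational/hidden split above can be turned into a small exposure classifier. What follows is an added example, not Glassnode’s methodology or any wallet’s code: it recognises standard output scripts by their byte shape, applies the rules from the text (P2PK exposed from creation; hashed-key outputs exposed only if the address has already spent; Taproot treated as exposed from creation because the x-only key sits in the output, an extension of the Glassnode categories made here), and sums value per category. The sample UTXOs, their values and spend flags are constructed for the demo; the P2PK key is the secp256k1 generator in compressed form and the P2PKH hash is its HASH160, reused here as a convenient known fixture. P2SH is reported as unknown because exposure depends on the redeem script.

```python
"""Quantum-exposure classifier for UTXOs (added example; not Glassnode's or the article's code).
Categories follow the text: structural (key visible from creation), operational (hashed key,
but the address already spent once), hidden (hashed key, never spent), unknown (script-dependent)."""

# Constructed fixtures: compressed secp256k1 generator and its HASH160 (well-known values).
PUBKEY = "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
HASH160 = "751e76e8199196d454941c45d1b3a323f1433bd6"

# Constructed sample outputs; txids, values and spend flags are invented for the demo.
SAMPLE_UTXOS = [
    {"txid": "a1", "value_sat": 5_000_000_000, "script_pubkey": "21" + PUBKEY + "ac", "address_spent_before": False},
    {"txid": "b2", "value_sat": 100_000_000, "script_pubkey": "76a914" + HASH160 + "88ac", "address_spent_before": True},
    {"txid": "b3", "value_sat": 40_000_000, "script_pubkey": "76a914" + HASH160 + "88ac", "address_spent_before": True},
    {"txid": "c4", "value_sat": 30_000_000, "script_pubkey": "76a914" + "ab" * 20 + "88ac", "address_spent_before": False},
    {"txid": "d5", "value_sat": 20_000_000, "script_pubkey": "0014" + "cd" * 20, "address_spent_before": False},
    {"txid": "e6", "value_sat": 10_000_000, "script_pubkey": "5120" + PUBKEY[2:], "address_spent_before": False},
    {"txid": "f7", "value_sat": 5_000_000, "script_pubkey": "a914" + "ef" * 20 + "87", "address_spent_before": False},
]


def script_type(spk_hex):
    """Recognise standard output templates by shape (simplified; non-standard scripts -> unknown)."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"       # <33/65-byte pubkey> OP_CHECKSIG: the key itself is in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"      # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG: only HASH160 on-chain
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"     # OP_0 <20-byte hash>: same hiding property as P2PKH
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"       # OP_1 <32-byte x-only key>: the key is in the output
    if n == 23 and spk[0] == 0xA9 and spk[-1] == 0x87:
        return "p2sh"       # OP_HASH160 <20 bytes> OP_EQUAL: depends on the redeem script
    return "unknown"


def exposure(utxo):
    """Map one output to the exposure category used in the text."""
    t = script_type(utxo["script_pubkey"])
    if t in ("p2pk", "p2tr"):
        return "structural"                 # public key visible since the output was created
    if t in ("p2pkh", "p2wpkh"):
        return "operational" if utxo["address_spent_before"] else "hidden"
    return "unknown"


def summarize(utxos):
    """Total satoshis per exposure category."""
    totals = {}
    for u in utxos:
        cat = exposure(u)
        totals[cat] = totals.get(cat, 0) + u["value_sat"]
    return totals


def find_reused_scripts(utxos):
    """Scripts that appear on more than one output: address reuse, the avoidable exposure."""
    seen = {}
    for u in utxos:
        seen[u["script_pubkey"]] = seen.get(u["script_pubkey"], 0) + 1
    return {s for s, c in seen.items() if c > 1}


if __name__ == "__main__":
    for cat, sats in sorted(summarize(SAMPLE_UTXOS).items()):
        print(f"{cat:12s} {sats / 1e8:12.4f} BTC")
    print("reused scripts:", find_reused_scripts(SAMPLE_UTXOS))
```

Run against a real UTXO snapshot the `address_spent_before` flag would come from an index of past spends per script; here it is supplied by hand. The split the sample produces (50.1 BTC structural, 1.4 BTC operational, 0.5 BTC hidden) mirrors the shape of the Glassnode figures: the reused-address slice is the one holders can still shrink today.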

At present, this remains firmly theoretical. Glassnode notes that current quantum computers have “no chance” against the elliptic curve cryptography Bitcoin relies on, with estimates suggesting it would take millions of physical qubits to break secp256k1, while today’s machines are measured in hundreds to a few thousand noisy physical qubits. That is broadly consistent with Google’s estimate that around 500,000 high-quality physical qubits would be needed to run its fault-tolerant ECDLP-256 circuits, still far beyond current hardware. Nevertheless, as algorithms improve and neutral-atom and other platforms approach multi-thousand-qubit scales, the gap is narrowing, and the on-chain exposure figures give an idea of what is at stake.

Bitcoin vs Ethereum and governance-driven risk

Ethereum’s cryptographic foundations are broadly similar to Bitcoin’s. Externally owned accounts use ECDSA over secp256k1, and hash functions like Keccak-256 underpin addresses and other constructs. In its proof-of-stake design, Ethereum also uses BLS signatures over pairing-friendly elliptic curves for validator aggregation, which are likewise vulnerable to Shor’s algorithm. The raw cryptographic vulnerability to CRQCs is therefore comparable across major chains that rely on elliptic curves.

However, a report cited by Decrypt notes that Citi views Bitcoin as facing greater quantum risk than Ethereum, not because of the underlying math but because of governance. Ethereum’s governance process, including its use of Ethereum Improvement Proposals (EIPs) and a more actively coordinated core development community, may allow it to pivot more rapidly to post-quantum signatures if and when the need becomes acute. Bitcoin’s governance culture, by contrast, is more conservative and resistant to change, prioritizing stability and minimizing hard forks. While that conservatism has its security advantages, it could slow a rapid transition to PQC if CRQCs arrive sooner than expected.

It is important to emphasize that neither ecosystem has yet fully solved the PQC transition problem. Both would need to introduce new address types and signature schemes, update wallet software, and coordinate the migration of vast amounts of capital to new cryptographic primitives. But governance structures and community norms shape how quickly and smoothly such a migration could occur. In that sense, the quantum threat is not purely a technical challenge; it is also a test of social and institutional resilience.

Banks, blockchains and competing quantum narratives

Opinions differ on whether quantum computers will endanger traditional finance or blockchains first. Billionaire investor Tim Draper has argued that his Bitcoin holdings are safer than fiat deposits in banks, claiming that quantum computers will “crack banks faster than blockchains.” In his view, centralized financial institutions with legacy infrastructure and slower upgrade cycles may be more exposed, whereas a decentralized network like Bitcoin could, if necessary, fork the protocol and roll back to a secure pre-attack state.

Others are more cautious. Casa CSO Jameson Lopp, for example, has suggested that transitioning Bitcoin to quantum-resistant cryptography could take about a decade, while banks may be able to adapt to quantum threats more quickly by rolling out PQC in TLS, VPNs and other communication layers. Banks, for all their bureaucracy, can in principle mandate upgrades to their own systems, whereas permissionless blockchains rely on voluntary, global coordination among miners, validators, developers and users.

Mainstream media coverage has increasingly highlighted this tension. The Financial Times, for instance, has reported that the crypto industry is “bracing” for the quantum computing threat, reflecting growing institutional and regulatory awareness. BlackRock’s whitepaper brings the discussion into institutional finance, analyzing what quantum computing could mean for Bitcoin, Ethereum and stablecoins, and stressing that the threat is real but not imminent. These narratives matter because they influence both policy decisions and market sentiment.

Structural vs operational exposure and what can be fixed

Not all quantum risk is equal. Structural exposures, such as early P2PK outputs, cannot be mitigated unless the holder still controls the private key and is willing to move the coins. In many cases, these coins are presumed lost; if a CRQC appears and someone else computes the private keys, they may be able to move them, challenging assumptions about Bitcoin’s effective circulating supply. Operational exposures, however, are more tractable. Address reuse can be minimized, and coins in reused addresses can be moved to fresh addresses whose public keys have not yet been revealed and that can later be transitioned to PQC-based schemes.

For Bitcoin and similar UTXO-based systems, this implies a two-stage mitigation strategy. First, users should minimize public-key exposure today by avoiding address reuse and consolidating funds where appropriate. Second, when PQC address types and wallet support become available, users will need to actively migrate their coins from quantum-vulnerable addresses to quantum-resistant ones. Both stages require awareness, tooling and, in many cases, education of non-technical holders. They also require that PQC schemes be chosen, standardized and implemented in time.
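The structural/operational split above is something a wallet or custody team can actually audit. The following is an added example (not code from the explainer, Glassnode or any wallet project) that classifies a constructed set of unspent outputs: P2PK outputs are structurally exposed because the key is in the script; hash-locked outputs at an address that has already been spent from are operationally exposed; hash-locked outputs at never-spent-from addresses are not exposed. It goes one step beyond the text in treating Taproot (P2TR) outputs as structural, since their scriptPubKey carries the tweaked public key directly. All addresses, txids and amounts are constructed sample values.

```python
"""Constructed UTXO exposure audit (added example, not from the explainer or any project).

Classifies unspent outputs along the explainer's structural/operational split:
  structural   - the public key sits in the output script itself (P2PK, and
                 Taproot P2TR, whose scriptPubKey carries the tweaked key);
  operational  - a hash-locked output (P2PKH/P2WPKH/P2SH/P2WSH) at an address
                 that has already been spent from, so its key is in chain history;
  not_exposed  - a hash-locked output at an address never spent from.
Address, txid and amount values are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

KEY_IN_SCRIPT = {"p2pk", "p2tr"}
HASH_LOCKED = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str
    address: str        # for p2pk the hex public key doubles as the identifier
    value_btc: float


@dataclass(frozen=True)
class Spend:
    """A historical input: spending from `address` put its public key on-chain."""
    address: str


def classify(utxos: Iterable[Utxo], spends: Iterable[Spend]) -> dict[str, list[Utxo]]:
    spent_from = {s.address for s in spends}
    groups: dict[str, list[Utxo]] = {"structural": [], "operational": [], "not_exposed": []}
    for u in utxos:
        if u.script_type in KEY_IN_SCRIPT:
            groups["structural"].append(u)
        elif u.script_type in HASH_LOCKED and u.address in spent_from:
            groups["operational"].append(u)
        elif u.script_type in HASH_LOCKED:
            groups["not_exposed"].append(u)
        else:
            raise ValueError(f"unknown script type {u.script_type!r}")
    return groups


def exposure_totals(groups: dict[str, list[Utxo]]) -> dict[str, float]:
    """BTC value per exposure class, rounded to satoshi precision."""
    return {k: round(sum(u.value_btc for u in v), 8) for k, v in groups.items()}


def migration_candidates(groups: dict[str, list[Utxo]]) -> list[tuple[str, int]]:
    """Outpoints a holder can fix today by moving them to a fresh address.

    Only operational exposures qualify: structural ones need the original key
    holder, and unexposed outputs are best left alone until a PQC address type
    exists, because spending them now would itself reveal their public keys.
    """
    return [(u.txid, u.vout) for u in groups["operational"]]


# Constructed sample set: one early coinbase-style P2PK output, one reused
# legacy address, one fresh SegWit address and one Taproot output.
SAMPLE_UTXOS = [
    Utxo("tx-a", 0, "p2pk", "04...constructed-pubkey", 50.0),
    Utxo("tx-b", 1, "p2pkh", "1ReusedAddrConstructed", 2.5),
    Utxo("tx-c", 0, "p2wpkh", "bc1qFreshAddrConstructed", 1.0),
    Utxo("tx-d", 0, "p2tr", "bc1pTaprootAddrConstructed", 0.75),
]
SAMPLE_SPENDS = [Spend("1ReusedAddrConstructed")]


if __name__ == "__main__":
    g = classify(SAMPLE_UTXOS, SAMPLE_SPENDS)
    print(exposure_totals(g))       # {'structural': 50.75, 'operational': 2.5, 'not_exposed': 1.0}
    print(migration_candidates(g))  # [('tx-b', 1)]
```

On real data the `Spend` list would be built from the chain's input history; the point of the split is that only the operational bucket can be reduced by user action today, and the not-exposed bucket shrinks the moment its owner spends from it without a PQC-capable destination.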

Post-Quantum Cryptography and Blockchain Defenses

If quantum computing is the threat, post-quantum cryptography (PQC) is the defense. PQC refers to cryptographic algorithms believed to be secure against both classical and quantum adversaries. For blockchains, the choice and deployment of PQC will be one of the most consequential design decisions of the coming decades.

What is post-quantum cryptography?

PQC schemes are built on mathematical problems for which no efficient classical or quantum algorithms are known. Examples include lattice-based problems (such as Learning with Errors), code-based problems (like decoding random linear codes), hash-based signatures, and certain multivariate polynomial problems. While Shor’s algorithm breaks the algebraic structure of integer factorization and discrete logs, and Grover’s algorithm quadratically accelerates brute-force search over generic spaces, these PQC problems appear resistant to such attacks.

Google notes that governments and industry have been preparing for the PQC transition for many years, and that large-scale cryptographically relevant quantum computers capable of breaking ECC and RSA are getting closer to reality. In response, standardization bodies such as NIST are selecting and endorsing PQC algorithms for public-key encryption, key encapsulation and digital signatures. Google has introduced a 2029 migration timeline for its own infrastructure and urges others to adopt PQC in advance of CRQCs to avoid the harvest-now-decrypt-later problem.

For blockchains, PQC raises unique challenges. Many PQC signature schemes have larger public keys and signatures than ECDSA, impacting block sizes, transaction fees and verification costs. Lattice-based signatures, for instance, can be much larger, although newer schemes and ongoing standardization efforts aim to reduce these overheads. Hash-based signatures tend to have strong security properties but can be stateful or limited in the number of signatures per key. These trade-offs must be carefully weighed in the context of decentralized networks and smart contract platforms.
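The size and statefulness trade-offs of hash-based signatures are easiest to see in the simplest such scheme. The block below is an added example, not the explainer's or any project's code: a textbook Lamport one-time signature over SHA-256 (not SLH-DSA or any NIST standard). It reports the public-key and signature sizes next to compressed secp256k1 ECDSA figures, and it enforces the one-time property by refusing to sign a second message, which is the state a real deployment would have to persist. The message strings are constructed.

```python
"""Lamport one-time signature over SHA-256 (added example, not the explainer's
or any project's code). It makes the trade-offs in the text concrete: the key
and signature are hundreds of times larger than ECDSA's, and the key is
stateful, so the signer must refuse to sign a second message.
"""
import hashlib
import secrets

N = 256                      # bits of the message digest the key can sign
PREIMAGE_BYTES = 32
ECDSA_PUBKEY_BYTES = 33      # compressed secp256k1 point
ECDSA_SIG_BYTES = 72         # upper bound for a DER-encoded secp256k1 signature


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


class LamportKey:
    """One-time key: 256 pairs of random preimages; the public key is their hashes."""

    def __init__(self) -> None:
        self._sk = [(secrets.token_bytes(PREIMAGE_BYTES), secrets.token_bytes(PREIMAGE_BYTES))
                    for _ in range(N)]
        self.pk = [(H(a), H(b)) for a, b in self._sk]
        self._used = False   # the state a hash-based signer must persist

    def sign(self, msg: bytes) -> list[bytes]:
        # Signing reveals one preimage per digest bit. A second signature on a
        # different message would reveal more of them, so the key refuses.
        if self._used:
            raise RuntimeError("Lamport key already used: a second signature would expose more preimages")
        self._used = True
        d = H(msg)
        return [self._sk[i][_bit(d, i)] for i in range(N)]


def verify(pk: list[tuple[bytes, bytes]], msg: bytes, sig: list[bytes]) -> bool:
    if len(sig) != N or len(pk) != N:
        return False
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))


def size_comparison() -> dict[str, int]:
    """Byte sizes relative to compressed ECDSA/secp256k1."""
    pk_bytes = N * 2 * PREIMAGE_BYTES
    sig_bytes = N * PREIMAGE_BYTES
    return {
        "lamport_pubkey_bytes": pk_bytes,                            # 16384
        "lamport_sig_bytes": sig_bytes,                              # 8192
        "pubkey_ratio_vs_ecdsa": pk_bytes // ECDSA_PUBKEY_BYTES,     # 496
        "sig_ratio_vs_ecdsa": sig_bytes // ECDSA_SIG_BYTES,          # 113
    }


def demo() -> bool:
    """Sign once, verify, reject a tampered message, and confirm reuse is blocked."""
    key = LamportKey()
    msg = b"spend 1.0 BTC to bc1q...constructed"
    sig = key.sign(msg)
    ok = verify(key.pk, msg, sig)
    tampered = verify(key.pk, b"spend 9.0 BTC to bc1q...constructed", sig)
    try:
        key.sign(b"second message")
        reuse_blocked = False
    except RuntimeError:
        reuse_blocked = True
    return ok and not tampered and reuse_blocked


if __name__ == "__main__":
    print(size_comparison())
    print("demo ok:", demo())
```

Production hash-based schemes reduce the size overhead with Winternitz chains and Merkle trees (and SLH-DSA removes the state entirely at a further size cost), but the basic tension shown here, bytes on-chain versus a key that can only be used a bounded number of times, is what a blockchain has to budget for.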

PQC on blockchains: from experiments to migrations

Google’s whitepaper specifically addresses the vulnerability of cryptocurrencies to future quantum attacks, noting that quantum computers may break the elliptic curve cryptography that protects them with fewer qubits and gates than previously realized. It provides examples of post-quantum blockchains and experimental PQC deployments on otherwise quantum-vulnerable chains, and recommends that the cryptocurrency community transition to PQC to improve security and stability before CRQCs become available. The document underscores that this transition is especially critical for systems with long-lived assets and immutable ledgers, where retroactive fixes are difficult.

For UTXO-based chains such as Bitcoin, a PQC migration would likely involve introducing new script opcodes and address types that support PQC signatures, along with a soft fork to enforce their rules. Wallets would then need to support these new address types and provide a pathway for users to move funds from legacy ECDSA addresses to PQC addresses. Unmoved funds would remain vulnerable once CRQCs exist, and there is a risk that some coins could be stolen or deemed insecure, potentially affecting perceptions of supply and fungibility.

For account-based chains such as Ethereum, PQC can be integrated into account abstraction, smart contracts and validator infrastructure. This might involve, for example, adding PQC signature verification precompiles, enabling accounts to switch signature schemes, and updating consensus-layer signatures used by validators. The greater programmability of such chains may facilitate phased rollouts and hybrid schemes, where both classical and PQ signatures are accepted during a transition period.

Early movers: Algorand, Cardano and experimental PQ chains

Some blockchain projects are already explicitly planning for the quantum era. The Algorand Foundation has unveiled a roadmap to make the Algorand blockchain quantum-resistant by the end of 2027. The plan includes the rollout of post-quantum accounts, multisignature wallets and staking support starting this year, allowing users to begin securing their holdings with PQC well before CRQCs become practical. This staged approach acknowledges both the uncertainty of quantum timelines and the need to avoid rushed, high-risk transitions.

Cardano founder Charles Hoskinson has likewise announced a strategy to protect the network from quantum computing threats, highlighting it as a key test for the protocol. He has publicly placed more than fifty percent odds on “at-scale” quantum computers existing by 2033 and argued that Cardano must prepare defenses accordingly. Cardano’s research-heavy culture and layered governance model are being leveraged to explore quantum-resistant upgrades without destabilizing the network.

Google’s whitepaper notes that there are already post-quantum blockchains and experimental PQC deployments on conventional chains; however, it stresses that most of these are early-stage and do not yet dominate the ecosystem. In parallel, traditional financial and crypto-native institutions are commissioning their own quantum risk assessments. BlackRock’s report, for instance, explores what quantum computing could mean for Bitcoin, Ethereum and stablecoins, and evaluates various PQC approaches and governance challenges. This convergence of academic research, protocol-level planning and institutional due diligence suggests that PQC will become a central topic in both crypto engineering and crypto policy over the coming years.

Governance, coordination and the risk of forks

Implementing PQC is not just a matter of code; it is a matter of governance. For Bitcoin, any change to consensus-critical cryptography requires broad agreement among core developers, miners, node operators and users. The experience of past soft forks shows that even non-controversial upgrades can take years to plan, debate and deploy. A quantum-driven change, especially if triggered by an emerging CRQC, could be far more contentious, particularly if it involves decisions about whether and how to protect coins whose private keys have been exposed or potentially compromised.

Ethereum’s governance structure is more flexible, relying on EIPs, community calls and client diversity, but it faces similar challenges. Large-scale PQC transitions must account for DeFi protocols, stablecoins, NFTs and other on-chain assets whose security assumptions may be deeply embedded in smart contracts. Layer-2 networks and cross-chain bridges add another layer of complexity: a chain that moves to PQC while its bridges or L2s do not may expose users to subtle risks.

There is also the possibility that PQC transitions could themselves cause chain splits. If a subset of the community disagrees with the chosen PQC scheme, or with how to handle vulnerable or stolen coins, competing forks of a blockchain could emerge, each claiming to be the legitimate successor. This scenario is part of why institutions like Google and BlackRock emphasize planning and coordination well ahead of Q-Day. A rushed, crisis-driven migration is more likely to lead to fragmentation, loss of confidence and legal disputes.

◧ Timeline (8 events)
  1. 2024-08 (regulatory): NIST finalizes first post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA)
  2. 2024-12 (milestone): Google unveils Willow quantum chip; runs benchmark in five minutes vs. ten septillion supercomputer years
  3. 2025-02 (milestone): Microsoft reveals Majorana 1 topological qubit processor; Australia named as key partner
  4. 2025-03 (milestone): Google Research publishes paper identifying on-spend CRQC attack on public mempool cryptocurrency transactions
  5. 2025-04 (launch): Pasqal deploys Saudi Arabia's first quantum computer with Aramco; launches Middle East's first QCaaS platform
  6. 2025-06 (governance): Ethereum Foundation launches Post-Quantum team led by Thomas Coratger
  7. 2025-07 (governance): Solana core devs Anza and Firedancer align on Falcon signatures for post-quantum security
  8. 2026-04 (governance): El Salvador disperses National Strategic Bitcoin Reserve across multiple unused addresses as quantum preparedness measure

Quantum Computing Beyond the Threat: Opportunities for Crypto

While security dominates crypto discussions of quantum computing, the technology also holds potential upside for digital asset markets and infrastructure. Quantum algorithms and quantum-inspired hardware could eventually be applied to optimization, risk management, cryptography design and even on-chain governance mechanisms.

Quantum-enhanced finance and DeFi

Quantum algorithms are particularly well-suited to certain classes of optimization and linear algebra problems that appear in portfolio optimization, derivatives pricing and risk modeling. For example, hybrid quantum-classical algorithms such as the Variational Quantum Eigensolver (VQE) and Quantum Approximate Optimization Algorithm (QAOA) are being explored in the context of finance, though they remain largely experimental. In principle, DeFi protocols, trading firms and risk managers could one day use quantum accelerators to perform more accurate or faster calculations for capital allocation, arbitrage, and stress testing.

Pasqal’s integration of its neutral-atom quantum processor with the Leonardo pre-exascale supercomputer at CINECA is explicitly targeted at workloads like complex optimization, advanced materials simulation and machine learning. While not crypto-specific, this kind of hybrid architecture illustrates how quantum and classical HPC can be combined to tackle computationally intensive tasks. A similar pattern could emerge in crypto trading and risk platforms that offload certain optimization steps to quantum co-processors once they become powerful and reliable enough.

Quantum Computing Inc.’s NeuraWave photonic reservoir computer likewise shows how quantum-inspired photonic systems can serve as special-purpose accelerators for next-generation AI applications. Operating at room temperature with low power requirements and designed for deployment across high-performance computing, AI and cybersecurity markets, NeuraWave and similar devices demonstrate that quantum and photonic technologies can deliver value well before full-scale universal quantum computers exist. In a crypto context, such systems might eventually be used to enhance pattern recognition in on-chain data, detect anomalies or optimize liquidity provision strategies.

BlackRock’s whitepaper on quantum computing and blockchains notes that institutional investors are starting to consider not only the risks but also the potential opportunities that quantum computing might open in financial modeling and blockchain infrastructure. While the document is primarily concerned with security and governance, its publication by the world’s largest asset manager signals that quantum computing is becoming part of mainstream strategic planning in finance, including in relation to crypto assets.

Quantum randomness and communication

Beyond computation, quantum technologies are also relevant for randomness and secure communication. High-quality randomness is crucial in crypto for generating keys, selecting validators, and powering on-chain lotteries and games. Quantum random number generators (QRNGs), which derive randomness from fundamentally unpredictable quantum processes, are already commercial products and could be incorporated into wallet software, oracles, or blockchain-based randomness beacons.

Quantum key distribution (QKD), which uses quantum states to detect eavesdropping on communication channels, has been demonstrated over fiber and free-space links. While QKD does not replace public-key cryptography on blockchains, it could be used to secure off-chain links between validators, exchanges, oracles and custodians. In a world where CRQCs exist, such quantum-safe communication channels may complement PQC to provide defense in depth.

Incorporating these technologies into decentralized systems is non-trivial. Verifying the correct use of QRNGs or QKD on-chain requires careful protocol design to avoid introducing new trust assumptions. Nevertheless, as quantum infrastructure spreads—through initiatives such as Aramco and Pasqal’s QCaaS platform in the Middle East, or national quantum networks in Europe and Asia—it is likely that some blockchain-related entities will adopt quantum-secured communication for high-value links.

Quantum computing as a service and the democratization of power

The cloud-based deployment of quantum computers, as seen in offerings from IBM, Amazon, Microsoft and specialized providers like Pasqal and Quantinuum, suggests that access to quantum capabilities will be mediated through “quantum computing as a service” (QCaaS) platforms. Aramco and Pasqal’s launch of Saudi Arabia’s first quantum computer and the region’s first commercial QCaaS platform, offering remote cloud access, is one example of this model. Similarly, Pasqal’s systems in Europe and QCi’s photonic hardware serve clients through cloud or hybrid arrangements.

From a security perspective, the availability of QCaaS cuts both ways. On the one hand, defenders—blockchain protocol teams, security researchers, custodians—can use quantum resources to test PQC schemes, model quantum attacks and validate their defenses. On the other hand, attackers do not need to own a quantum computer; they might rent time on a CRQC to attempt key recovery or other attacks, much as they rent GPU time today for proof-of-work mining or password cracking.

This asymmetry reinforces the importance of timely PQC adoption. Once CRQCs become rentable services, the barrier to launching quantum attacks will be much lower, and the advantage will tilt toward whoever has prepared their systems in advance. It also highlights why governments, through programs like the CHIPS Act, are investing heavily in domestic quantum manufacturing and research: control over quantum hardware is becoming a matter of national security, with direct implications for financial systems and digital assets.

Timelines, Uncertainty and How Crypto Should Think About Risk

Quantum computing and crypto intersect in a space of deep uncertainty. Hardware capabilities, algorithmic improvements, funding levels and geopolitical dynamics all affect when and how the quantum threat will materialize. For crypto users and builders, the challenge is to treat quantum computing neither as imminent doom nor as mere hype, but as a long-term structural risk that demands thoughtful planning.

Hardware progress vs algorithmic breakthroughs

On the hardware side, the gap between today’s devices and CRQCs remains large. Neutral-atom arrays with over 6,100 atomic qubits demonstrate impressive scaling, but they still fall far short of the roughly 500,000 high-quality physical qubits estimated to be required for Shor’s algorithm on ECDLP-256, even assuming state-of-the-art compilation. Trapped-ion and superconducting systems currently operate in the tens to hundreds of qubits, with increasing, but not yet sufficient, integration of error correction. Photonic and silicon spin approaches are progressing, but likewise have substantial work to do on error rates, integration and gate depths.

At the same time, algorithmic and compilation improvements are steadily reducing the resource requirements for quantum attacks. Google’s recent twenty-fold reduction in physical-qubit estimates for breaking a 256-bit elliptic curve, from around ten million to fewer than 500,000 qubits, illustrates how theoretical advances can change the risk landscape even without immediate hardware breakthroughs. Better error-correcting codes, more efficient gate decompositions and improved scheduling can all squeeze more power out of a given number of qubits.

Government and corporate funding is accelerating this process. The U.S. Department of Commerce’s $2.013 billion in planned incentives for quantum foundries and computing companies, along with similar programs in Europe and Asia, is designed explicitly to “accelerate solving the most critical technology challenges in the race to develop utility-scale, fault-tolerant quantum computers.” The motivation spans national defense, advanced materials and energy systems, but financial modeling and cryptography are also on the list of applications. As a result, the same forces that make quantum computing a national priority also hasten the arrival of CRQCs that could threaten cryptocurrencies.

Scenarios and timelines: 2030s or beyond?

Different actors propose different timelines. Project Eleven’s warning about Q-Day arriving as early as 2030 is on the aggressive end of the spectrum and assumes rapid progress in both hardware and error correction. Google’s 2029 migration timeline for its own transition to PQC does not predict that CRQCs will be online by that date, but rather reflects a conservative stance that systems with long-term security requirements should complete their PQC transition before such machines plausibly appear. Cardano’s Charles Hoskinson, who places more than fifty percent odds on at-scale quantum computers by 2033, likewise frames quantum preparation as a decade-scale project rather than a distant worry.

Many quantum hardware experts are more cautious, suggesting that fault-tolerant machines capable of running large Shor circuits are likely several decades away. However, as BlackRock’s whitepaper points out, long-term investors and system designers cannot assume the slowest plausible timeline. Cryptocurrencies like Bitcoin are explicitly marketed as multi-decade or even multi-century stores of value, and their security assumptions must be robust over similar horizons. The fat-tail risk of a relatively early Q-Day—say in the 2030s—justifies proactive PQC planning now, especially given the inevitable delays in design, standardization, implementation and user migration.

The rational stance is therefore to treat quantum computing as a medium- to long-term structural risk. It is not a reason to panic or abandon current cryptography overnight, but neither is it something that can be safely postponed until hardware catches up. Just as the industry had to grapple with scaling, energy use and regulatory compliance, it now has to add quantum resilience to its list of strategic concerns.

Practical implications for builders, investors and users

For protocol developers and DAOs, quantum readiness should be integrated into roadmap planning. This includes monitoring PQC standardization efforts, prototyping PQC signature verification in testnets, designing governance mechanisms for a future PQC transition, and educating the community about trade-offs. Chains like Algorand and Cardano that have publicly committed to PQC plans by specific dates provide useful case studies in how to communicate and execute such strategies.

For institutional investors and risk managers, quantum risk should be part of due diligence on crypto exposures. That includes understanding how different chains plan to handle PQC, how concentrated exposures are in structurally vulnerable outputs, and how governance and upgrade mechanisms might function under stress. BlackRock’s report illustrates how such analysis can be framed for Bitcoin, Ethereum and stablecoins at an institutional level.

For individual users and wallet providers, the near-term steps are more modest but still meaningful. Avoiding address reuse, using modern wallet software that follows best security practices, and staying informed about PQC-related updates from core projects and wallet vendors are all prudent measures. As PQC-enabled wallets and address types emerge, users will need clear guidance on when and how to migrate their holdings.

The overarching message is that quantum computing is not a binary threat that suddenly appears; it is a gradient. Each year likely brings incremental improvements in hardware, algorithms and error correction, along with new PQC standards and implementations. Crypto systems need to evolve along this gradient to ensure that, by the time CRQCs exist, their most critical components have already been hardened.

◧ Risk matrix (analyst read)
  • Cryptographic / smart-contract: High
    Elliptic curve cryptography (secp256k1) used by Bitcoin and Ethereum is theoretically breakable by a sufficiently large fault-tolerant quantum computer, with Google's research specifically identifying 'on-spend' mempool interception as the first viable attack surface.
  • Legacy exposed public keys: High
    Early-reuse Bitcoin addresses — including Satoshi Nakamoto's known holdings — have exposed public keys derivable from on-chain data, making them priority targets if a cryptographically relevant quantum computer (CRQC) arrives before migration.
  • Protocol migration / network splits: High
    CZ explicitly warned that transitioning to post-quantum signature schemes could introduce implementation bugs, community disagreements over which NIST algorithm to adopt, and chain-split risk — particularly acute for Bitcoin, which requires broad miner and node consensus to change signature rules.
  • Timeline / regulatory: Medium
    NIST has finalized initial post-quantum cryptography standards and the U.S. Trump administration has elevated quantum computing alongside crypto in its cyber strategy, creating compliance pressure but no hard deadline for blockchain migration.
  • Harvest-now-decrypt-later: Medium
    Nation-state actors can archive today's encrypted blockchain traffic and transaction metadata for decryption once CRQCs arrive, making the threat partially present even before a quantum computer can break live signatures.
  • Market / institutional exposure: Medium
    BlackRock's quantum whitepaper frames QPUs as a coming structural shift across asset classes, suggesting institutional portfolios will begin pricing quantum-readiness of blockchain protocols as a due-diligence factor before any actual attack occurs.

Outlook

Quantum computing sits at a paradoxical intersection with crypto. It promises revolutionary advances in computation, optimization and secure communication, while simultaneously threatening to break the cryptographic foundations of Bitcoin, Ethereum and many other blockchains. The state of the art in hardware—multi-thousand-qubit neutral-atom arrays, increasingly capable trapped-ion and superconducting systems, and emerging photonic devices—remains far from the fault-tolerant, hundreds-of-thousands-of-qubits machines required to run Shor’s algorithm against 256-bit elliptic curves. Yet the trajectory of algorithmic improvements, industrial investment and government policy makes it increasingly likely that cryptographically relevant quantum computers will arrive within the planning horizon of long-lived digital assets.

For the crypto industry, the path forward is neither complacency nor panic. It is a deliberate transition toward post-quantum security, guided by open research, robust standardization and realistic modeling of timelines and attack surfaces. On-chain analyses such as Glassnode’s estimate that nearly a third of Bitcoin’s supply is already structurally or operationally exposed to future quantum attacks, which underscores the need to reduce address reuse and plan migrations. Institutional actors such as Google and BlackRock are now directly engaging with the question of quantum risk to cryptocurrencies, bringing additional resources and attention to the problem. Early movers like Algorand and Cardano are experimenting with PQC roadmaps that may serve as templates for others.

In the long run, the same quantum technologies that endanger today’s cryptography may also strengthen future blockchains, whether through quantum-resistant schemes, quantum-secured communication, or quantum-enhanced analytics and governance. The critical task for today’s crypto builders and users is to ensure that when that future arrives, the core promises of decentralized security and censorship resistance have not been undermined by an unanticipated leap in computing power. Quantum computing will reshape the threat model; the crypto ecosystem’s challenge is to ensure it also reshapes the defenses.
