The $2.7 trillion in crypto assets that already exist rest on a cryptographic infrastructure that quantum computers will eventually be able to tear down. A new report published Tuesday lays out how the gap between quantum capabilities and the industry’s safeguards has widened, and it is a lopsided one.
The report comes from Quantus, a blockchain that bills itself as quantum-secure, and its findings deserve to be judged apart from that source. The core premise does not hinge on any one firm having an axe to grind: every significant blockchain ledger relies on elliptic-curve signatures such as ECDSA or Ed25519, and Shor’s algorithm, once quantum hardware is large enough, will break both. This is not an outlier opinion. It is why the U.S. National Institute of Standards and Technology finalized its first post-quantum cryptography standards in 2024.
The public key problem
What makes the crypto industry’s exposure different, and permanent, is a structural departure from the rest of the internet. A bank or a certificate authority that needs to replace a private key controls its own software: it generates a new key and pushes it out through an update. On a blockchain, assets are tied to keys the users themselves control, no central party can rotate them on users’ behalf, and whatever has been written to the chain stays there immutably.
Public keys published on-chain do not go away; they are there forever. On top of that, the address reuse that early cryptocurrency software and many wallets encouraged left the earliest adopters’ keys exposed, a fixed attack surface that no patch can close in retrospect. An attacker with sufficient quantum capability would not need to observe a transaction as it occurs; all of the data is simply waiting on the chain.
The exposure is not limited to individual wallets. The same classical signature schemes underpin stablecoin administrator keys, bridge validators, oracle networks, multisig custody systems, and governance contracts. A successful attack on any of these control points would not be contained.
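The two paragraphs above make a structural claim: a public key that has appeared on-chain stays visible forever, and funds still sitting behind such a key are the long-range exposure that no later patch removes. The following script, an added illustration rather than anything from the report or from Quantus, replays a small constructed ledger and classifies each address by whether its key has been revealed and whether it still holds a balance. The address derivation is a stand-in (a truncated SHA-256 rather than a real chain's hash construction), the ledger format and the three categories are assumptions of this example, and the sample transactions are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def address_of(pubkey: bytes) -> str:
    """Constructed stand-in for address derivation: a hash of the public key.
    Real chains use their own hash construction; the point that matters here is
    only that the hash hides the key until the key is published on-chain."""
    return hashlib.sha256(pubkey).hexdigest()[:40]

@dataclass
class Input:
    address: str
    pubkey: bytes   # spending from a hash-based address publishes the key
    amount: int

@dataclass
class Output:
    address: str
    amount: int
    pubkey: Optional[bytes] = None  # set for pay-to-pubkey style outputs: key visible at once

@dataclass
class Tx:
    inputs: list
    outputs: list

@dataclass
class AddressState:
    balance: int = 0
    pubkey_revealed: bool = False   # once True, never goes back to False

def audit(txs):
    """Replay a ledger, tracking balance and key exposure per address."""
    state = {}
    for tx in txs:
        for inp in tx.inputs:
            if address_of(inp.pubkey) != inp.address:
                raise ValueError(f"pubkey does not hash to {inp.address}")
            st = state.setdefault(inp.address, AddressState())
            st.pubkey_revealed = True          # the spend put the key on-chain
            st.balance -= inp.amount
            if st.balance < 0:
                raise ValueError(f"overspend from {inp.address}")
        for out in tx.outputs:
            st = state.setdefault(out.address, AddressState())
            st.balance += out.amount
            if out.pubkey is not None:         # pay-to-pubkey: exposed on receipt
                if address_of(out.pubkey) != out.address:
                    raise ValueError(f"pubkey does not hash to {out.address}")
                st.pubkey_revealed = True
    return state

def classify(state):
    """'exposed': key public and funds present (long-range quantum risk).
    'hash-shielded': funds present, key still hidden until the next spend.
    'empty': nothing left to take, whatever the key's status."""
    result = {}
    for addr, st in state.items():
        if st.balance == 0:
            result[addr] = "empty"
        elif st.pubkey_revealed:
            result[addr] = "exposed"
        else:
            result[addr] = "hash-shielded"
    return result

def value_at_risk(state):
    """Total balance sitting behind already-revealed keys."""
    return sum(st.balance for st in state.values() if st.pubkey_revealed)

# Constructed keys and addresses (not real keys).
PK_ALICE = b"\x02" + b"\x11" * 32
PK_BOB = b"\x03" + b"\x22" * 32
PK_CAROL = b"\x02" + b"\x44" * 32
PK_EARLY = b"\x04" + b"\x33" * 64      # uncompressed key, early pay-to-pubkey style
ADDR_ALICE, ADDR_BOB = address_of(PK_ALICE), address_of(PK_BOB)
ADDR_CAROL, ADDR_EARLY = address_of(PK_CAROL), address_of(PK_EARLY)

# Constructed ledger: an early pay-to-pubkey coin, an address reused for change,
# and a fully spent address.
SAMPLE_LEDGER = [
    Tx(inputs=[], outputs=[Output(ADDR_ALICE, 50), Output(ADDR_EARLY, 50, PK_EARLY)]),
    Tx(inputs=[Input(ADDR_ALICE, PK_ALICE, 50)],
       outputs=[Output(ADDR_BOB, 20), Output(ADDR_ALICE, 30)]),   # change reuses Alice's address
    Tx(inputs=[Input(ADDR_BOB, PK_BOB, 20)], outputs=[Output(ADDR_CAROL, 20)]),
]

if __name__ == "__main__":
    st = audit(SAMPLE_LEDGER)
    for addr, label in classify(st).items():
        print(f"{addr[:10]}...  balance={st[addr].balance:3d}  {label}")
    print("value behind revealed keys:", value_at_risk(st))
```

Running it shows Alice's reused address and the early pay-to-pubkey coin as "exposed", Bob's spent-out address as "empty" (the key is public but there is nothing left behind it), and Carol's untouched address as "hash-shielded". The same replay, pointed at real chain data, is the kind of inventory a custodian would need before deciding which balances to migrate first.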
The signature size problem
One standard ECDSA transaction carries around 97 bytes of signature and public-key data. The same transaction using ML-DSA-87, one of the post-quantum signature algorithms NIST has finalized, carries around 7,187 bytes, a factor of roughly 74x. At scale, the larger signatures will meaningfully reduce transaction throughput per block unless the existing base-layer architecture is modified.
For Bitcoin, BIP 360 proposes a new post-quantum address type as one possible transition path. But the proposal runs into a three-way bind: large transactions hog block space, current hardware wallets do not yet support post-quantum schemes, and coins left in non-migrated addresses remain vulnerable. No proposal resolves all three at once.
The same tension exists in the zero-knowledge proof systems that now underpin scalability and privacy on Ethereum and across the broader ecosystem. Not every zero-knowledge system will survive the quantum transition. Those built on elliptic-curve foundations, such as Groth16, PLONK with KZG, and Bulletproofs, are vulnerable to quantum attack; hash-based systems such as STARKs and FRI are not. Over the last three years, the ecosystem’s zero-knowledge buildout has focused overwhelmingly on the former.
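To see what the 97-byte versus 7,187-byte figures above mean for block capacity, here is a small throughput model, added as an example and not taken from the report. The per-signature sizes are the ones the text gives; the 1,000,000-byte block budget and the 150-byte transaction body excluding signature data are assumptions chosen for illustration. The model also goes one step beyond the text by computing capacity under partial adoption, since a chain in transition carries a mix of both signature types.

```python
# Signature-plus-public-key bytes per transaction, as stated in the text.
SIG_BYTES = {"ECDSA": 97, "ML-DSA-87": 7187}

# Assumed parameters for the illustration (not from the text).
BLOCK_BYTES = 1_000_000     # block size budget
BASE_TX_BYTES = 150         # transaction bytes other than signature and key

def size_ratio(pq_scheme="ML-DSA-87", classical="ECDSA"):
    """How many times larger the post-quantum signature data is."""
    return SIG_BYTES[pq_scheme] / SIG_BYTES[classical]

def txs_per_block(scheme, block_bytes=BLOCK_BYTES, base_tx_bytes=BASE_TX_BYTES):
    """Whole transactions of one scheme that fit in a block."""
    return block_bytes // (base_tx_bytes + SIG_BYTES[scheme])

def mixed_capacity(pq_fraction, block_bytes=BLOCK_BYTES, base_tx_bytes=BASE_TX_BYTES,
                   pq_scheme="ML-DSA-87", classical="ECDSA"):
    """Transactions per block when a fraction of them use post-quantum signatures.
    Capacity collapses quickly because each PQ transaction is as large as dozens of
    classical ones, so even modest adoption dominates the block budget."""
    if not 0.0 <= pq_fraction <= 1.0:
        raise ValueError("pq_fraction must be between 0 and 1")
    avg_tx = (base_tx_bytes
              + (1.0 - pq_fraction) * SIG_BYTES[classical]
              + pq_fraction * SIG_BYTES[pq_scheme])
    return int(block_bytes / avg_tx)

if __name__ == "__main__":
    print(f"signature data ratio: {size_ratio():.1f}x")
    for scheme in SIG_BYTES:
        print(f"{scheme:10s} {txs_per_block(scheme):5d} tx/block")
    for f in (0.0, 0.1, 0.5, 1.0):
        print(f"{f:4.0%} PQ adoption -> {mixed_capacity(f):5d} tx/block")
```

With these assumptions an all-ECDSA block holds 4,048 transactions and an all-ML-DSA-87 block 136; at just 10% post-quantum adoption the block already drops to 1,046, a reduction of about three quarters. That is the sense in which signature size, not only the quantum threat itself, shapes the migration problem.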
The preparedness gap
NIST finalized its post-quantum standards in 2024. Signal, Chrome, and IM have since moved past the experimental stage and deployed them in production. The standards are publicly vetted and available for any industry to adopt. The crypto industry has made little use of them.
Wallets have not enabled post-quantum signatures. Exchanges have not updated their key-management systems. Custodians serving institutional clients have not announced migration schedules. The gap is not merely technical; it is institutional inertia with no clear deadline.
The problem the report singles out is precisely the absence of a deadline. Timelines have already shifted earlier as better error correction, higher gate fidelity, and new cryptanalytic resource estimates converge on dates by which classical public-key encryption and digital signatures become breakable. As long as the industry is not certain exactly when that is, it will remain unsure, and will have much the same reason to do nothing.
