Original Article Title: "IOSG Weekly Brief | Q-Day Countdown: Will Quantum Computing End Cryptocurrency? #335"
Imagine that one early morning in the year 203X, the on-chain monitoring alarm suddenly shattered the peace: a batch of dormant BTC addresses that had been inactive for over a decade began ghostly moving assets outward. With no hack, no private key leak, only "legitimate" signatures generated out of thin air. As high-value dormant UTXOs were successively emptied, the market finally awoke from its dream: some unknown quantum compute entity could now derive private keys directly from historically exposed public keys. Panic instantly swept through the market, in the depths of the dark web, the hoarded "harvest-first, decrypt-later" public key library from the past decade was being frantically auctioned off, quietly waiting for compute power to realize its wealth.
Meanwhile, the Bitcoin community found itself in an unprecedented crisis of faith: faced with dormant coins ravaged by quantum compute, was it to uphold the "code is law" immutable baseline, or to enforce a legacy asset freeze through a soft fork? The collision of property rights narrative and survival rules detonated governance deadlock. On that day, blocks continued to be mined in order, the network never paused for a second, quantum computing did not erase the doomsday magic of everything, but rather plunged the entire Web 3 ecosystem into a long game of cryptographic reconfiguration and consensus abyss.
Quantum computing has often been interpreted as the "Sword of Damocles" hanging over blockchain. Reexamining the greatest "security debt" that the Web 3 world is about to face. We find that the quantum threat to blockchain is fundamentally a stress test on its triple-layer foundation of "transparent ledger, irreversible assets, self-custodial keys." As the dawn of fault-tolerant quantum computers (CRQCs) emerges, the industry faces the challenge of crossing the extremely complex social consensus and governance game within the remaining 5 to 8 years of the pre-Q-Day "engineering comfort window."
Quantum computing is a new computing paradigm based on the principles of quantum mechanics. It uses quantum bits (qubits) as information carriers, breaking the binary limitations of classical bits that can only represent 0 or 1, and utilizes quantum properties such as superposition, entanglement, interference, and measurement to achieve computing efficiency that classical computing finds hard to reach:
· Superposition — Expanding the state space: Quantum bits can be in a linear combination of 0 and 1.
· Quantum Entanglement — Establishing global correlations: Non-local strong correlations formed between multiple qubits.
· Quantum Interference — Manipulating Probability Amplitudes: The essential mechanism of quantum algorithm acceleration, where the probability amplitudes of incorrect answers cancel each other out (destructive interference), while amplifying the probability amplitudes of the correct answer (constructive interference).
· Quantum Measurement — Collapsing Quantum States to a Classical Outcome: The core of quantum algorithms is not to "read all answers" but to make the correct answer more likely to appear upon measurement.

Figure 1: The Four Pillars of Quantum Computing
(①) Superposition Expands the State Space — Quantum bits exist in a continuous superposition of |0⟩ and |1⟩ on the Bloch sphere.
(②) Entanglement Creates Non-local Correlations: Measuring one quantum bit immediately determines its counterpart.
(③) Interference is the Acceleration Engine: Amplitudes of incorrect answers cancel out, while amplitudes of correct answers amplify.
(④) Measurement Collapses the Quantum State to a Single Classical Outcome — The algorithm's task is to ensure the correct result appears with overwhelming probability.
· Shor's Algorithm (1994): "Dimensionality Strike" of Public-key Cryptography: Shor's Algorithm can directly leverage quantum properties to "see through" the mathematical principles of integer factorization and discrete logarithms, thereby shattering the foundation of trust for modern internet and blockchain technologies based on RSA, Elliptic Curve Cryptography (ECC), and more. However, constrained by real-world quantum error correction overhead, breaking mainstream encryption still requires millions of physical quantum bits, and with more aggressive algorithm optimizations, the threshold may be significantly reduced.
· Grover's Algorithm (1996): "Brute-force Accelerator" for Symmetric Encryption: Grover's Algorithm cannot directly break the structure of passwords but exponentially accelerates the speed of "guessing passwords" (e.g., reducing the security strength of 128-bit encryption directly to 64 bits). Its threat is far less deadly than Shor's, and the countermeasures are straightforward — usually achieved through longer keys, longer hash outputs, or higher security parameters to restore security margins (e.g., upgrading to AES-256 or SHA-512).

Figure 2: Two Core Algorithms of Quantum Computing: Shor's Algorithm and Grover's Algorithm
No particular quantum bit technology has established a clear engineering leadership position. There are currently five routes for commercialization, each with its own advantages and disadvantages.

The core value of quantum computing lies in breaking through the capability boundaries of classical computing in specific complex problems, driving paradigm-level advances in fundamental science and engineering. Its positive value mainly focuses on two directions: simulating complex quantum systems, including quantum chemistry, drug discovery, new materials, and energy technologies; and solving high-complexity optimization problems, including logistics, finance, supply chain, chip design, and industrial scheduling, among others. Quantum simulation is widely regarded as a long-term application scenario with higher determinism, while complex optimization is still in the exploration and validation stage. Currently, quantum computing is at a crucial stage of transitioning from laboratory prototypes to engineered applications. Decoherence, physical noise, error correction overhead, and system scalability are still the key barriers to cross for industrialization.
Quantum threats fundamentally target the foundation of modern public key cryptography and spread layer by layer along the logic of "data lifespan × migration difficulty × attack benefits": national security, defense, and intelligence systems are the first to face the "harvest now, decrypt later" (HNDL) strategic level risk; the financial and payment infrastructure, due to deep reliance on TLS, HSM, and identity authentication systems, will be the first to enter the compliance migration track; the Internet's trust roots and the blockchain/Web 3 ecosystem face multiple systemic risks such as code signing, cloud key management (KMS), irreversibility of on-chain assets, and governance migration; and the sectors of healthcare, energy, industrial control, and IoT, due to long device lifecycles and narrow upgrade windows, will form long-term and hard-to-eradicate tail risks.

Q-Day refers to the first time a quantum computer achieves the practical ability to break mainstream public key cryptography. It is not a specific date but a probability interval influenced by hardware progress, error correction capabilities, algorithm optimization, and national project secrecy. The current mainstream expectations are roughly concentrated between 2035–2045, with an accelerated scenario possibly advancing to 2030–2035. Before 2030, it belongs to the low-probability tail risk.
The Mosca Inequality X + Y > Z explains why, even though Q-Day is not yet near, post-quantum migration remains a practical urgency. Here, X is the time data needs to remain secure, Y is the time needed to complete the cryptographic migration, and Z is the remaining time until Q-Day. As long as the sum of the data lifecycle and migration period exceeds the time remaining until Q-Day, the system has entered the migration lag zone: data collected today could be decrypted by quantum computing in the future. Therefore, post-quantum security is not an emergency measure after Q-Day arrives but a long-term infrastructure migration that must be initiated in advance.

Figure 3: Expert Q-Day Prediction Distribution for 2026. Each bar represents a reasonable window from a single source; dots mark the central estimate.
Color coding represents speech categories: Red = Radical Industry; Orange = Baseline Survey/Consensus; Blue = Hardware Roadmap; Green = Skeptic.
Post-Quantum Cryptography (PQC), also known as quantum-resistant cryptography or quantum-secure cryptography, is a new generation of cryptographic algorithms designed to withstand future quantum computer attacks. Its key feature is that it still operates on existing classical computing architecture but its security is based on mathematical problems that quantum computers would also find difficult to solve efficiently. PQC has become the most realistic and scalable deployment potential for the global digital infrastructure's post-quantum migration mainstream.
The current research and implementation of PQC mainly focus on the following major mathematical camps:
· Lattice-based Cryptography: Security is based on high-dimensional lattice problems (such as Module-LWE), which combine efficiency and security. It is the core direction of current standardization and engineering implementation and the representative algorithms are ML-KEM and ML-DSA.
· Hash-based Signatures: They rely solely on the collision resistance of hash functions, with extremely simple and conservative mathematical assumptions. The standard representative is SLH-DSA.
· Other Routes: The Hash-based Cryptography (HQC) was selected by NIST as the fifth PQC algorithm in March 2025, serving as the non-lattice-based backup to ML-KEM. The draft standard is expected to be released in 2026, with the formal standard anticipated in 2027. However, both Multivariate and Isogeny-based cryptography have not yet entered the mainline standardization process at NIST due to security or efficiency concerns. The Isogeny-based route especially suffered a major setback after the SIKE algorithm was compromised.
The standardization process led by the National Institute of Standards and Technology (NIST) has been a crucial turning point in advancing PQC from theory to application. In August 2024, NIST officially released three core standards, establishing the basic division of labor for PQC migration:
· FIPS 203 (ML-KEM): Key Encapsulation Mechanism (KEM) based on lattice problems, responsible for key exchange;
· FIPS 204 (ML-DSA): Digital Signature Algorithm based on lattice cryptography, handling general digital signatures;
· FIPS 205 (SLH-DSA): Stateful Hash-based Digital Signature Algorithm, serving as an alternative solution for high-security-level signatures.
In addition to the core algorithms, the construction of a post-quantum secure system also relies on a multi-layered engineering strategy:
· Hybrid Deployment: Adopting a "Traditional Algorithm (such as ECC/RSA) + PQC" parallel signing/encryption mode as an early migration risk mitigation measure to ensure that even if new algorithms have unknown vulnerabilities, traditional algorithms can still provide baseline security.
· Crypto-agility: Designing architectures to enable systems to quickly replace, upgrade, or rollback algorithms to address the potential risks of algorithm compromise in the future.
· Auxiliary Enhancement Technologies: These include Quantum Key Distribution (QKD) (suitable for government/military dedicated networks but not a replacement for internet signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave) used to enhance the quality of random numbers and key storage security.

Figure 4: Quantum Resistance Roadmap
Blockchain is not the primary target of quantum threats but represents the most research-worthy "stress test" scenario. Compared to traditional Web 2 relying on centralization mechanisms (such as certificate rotation and account freezing) to mitigate data leakage risks, blockchain directly and instantly transforms underlying cryptographic crises into asset loss and governance deadlock. Its architecture's underlying "triple irreversibility" — immutable ledger, irreversible asset transfer, and self-custody of private keys — has exposed assets held by public keys to the risks of private key recovery and signature forgery without any centralized backstop. More critically, the elliptic curve and BLS signature schemes heavily relied upon by mainstream public chains face structural breakdowns in the face of the Shor algorithm; once fault-tolerant quantum computers (FTQC) emerge, attackers can derive private keys from exposed public keys on the chain and forge signatures, fundamentally undermining the blockchain's trust foundation.

Cryptography Threat Landscape of Blockchain Systems
For the blockchain industry, the core proposition is not to deal with immediate hackers but to initiate a "migration countdown" race against time. Quantum computing will not instantly destroy the blockchain but will force the industry through a more challenging underlying cryptographic rehaul compared to Web 2. The real risk lies not in the lack of standardized post-quantum algorithms but in whether the entire ecosystem can undergo a coordinated migration from the underlying protocols to existing assets before Q-Day (the time when fault-tolerant quantum computers have practical decryption capabilities).
Within this process, the quantum threat does not descend uniformly; instead, it propagates step by step along the five-layer architecture of "assets, protocols, infrastructure, applications, governance." The key insight is that the high-value infrastructure layer (such as exchanges, custodians, cross-chain bridges) will face pressure before the L1 mainnet protocols; and the ultimate bottleneck determining the success or failure of this full-stack migration is not the replacement of cryptographic technologies but the highly complex social consensus and governance game.

The quantum risk of Bitcoin is not evenly distributed across all BTC, but highly depends on whether the public key has been exposed on the chain. The real high risk is not the entire UTXO set of the network, but is concentrated in early legacy outputs, addresses with exposed public keys and remaining balances, and long-dormant high-value UTXOs. Bitcoin's hash components (SHA-256, SHA-256d, and RIPEMD-160) mainly face a security margin decrease from Grover's algorithm, rather than a structural breakthrough from Shor's algorithm like ECDSA/Schnorr.
· High Risk: UTXOs with statically exposed public keys: Early P2PK, Taproot (P2TR) outputs, and spent and reused P2PKH/P2WPKH addresses still holding a balance. Their full public key has been permanently recorded on the chain and will be directly compromised by Shor's algorithm once CRQC emerges.
· Medium Risk: UTXOs with public keys not yet exposed but will be in the future: Unspent and non-reused P2PKH/P2WPKH addresses. Only the public key hash is exposed on-chain, and the risk only exists within a short "quantum supremacy window" until future transactions are broadcast and confirmed.
· Low Risk: Assets migrated to quantum-secure addresses: Assets migrated to post-quantum (PQ) addresses through a soft fork in the future will significantly lower the risk, but this highly depends on a long-term ecosystem-wide coordinated upgrade.
Under Bitcoin's governance structure, a one-time hard fork to eliminate ECDSA/Schnorr has an extremely high political cost. Introducing new quantum-secure output types through a soft fork is a more realistic incremental path. Current discussions include draft proposals such as BIP-360/P2MR (Pay-to-Merkle-Root), but there is still a long way to go before achieving full network consensus and activation.
This approach incurs a hefty "engineering tax": Current ECDSA/Schnorr signatures are only about 64–72 bytes, while candidate ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) signatures see a volume increase of tens of times. This order of magnitude expansion will trigger a systemic chain reaction: directly increasing block weight and fees, worsening node storage and bandwidth burdens, leading to a significant deterioration in UTXO set and wallet UX, ultimately forming a negative feedback loop, further increasing the network's resistance to post-quantum migration.
Most importantly, Bitcoin lacks the ability to quickly switch algorithms. Unlike centralized systems where a single entity can upgrade certificates or replace algorithms, Bitcoin requires consensus rule changes, address format upgrades, wallet, mining pool, exchange, custodian, and hardware wallet sync-up. Therefore, quantum resistance is not a single-point technology upgrade but a long-term coordinated effort across the entire ecosystem.
Even if PQ addresses are successfully implemented, how to handle legacy UTXOs that have not migrated for a long time, including BTC believed to be from the Satoshi era, remains the ultimate challenge. Two extreme solutions both conflict with Bitcoin's core values:
· Do Nothing: Legacy coins would become a "free lunch" for the first attacker with CQRC capability, causing market panic.
· Forced Freeze/Nullification: Directly violating the property rights principle of "Not your keys, not your coins" and the immutability narrative, easily dividing the community consensus and even causing a chain split.
A practical middle-of-the-road approach is to implement a multi-year "Legacy Sunset" mechanism: through long-term deprecation warnings, gradually increasing friction in spending old outputs through a relay strategy, and ultimately imposing constraints through a soft fork agreed upon by multiple parties. Discussions such as BIP-361 on legacy signature sunset are fundamentally exploring this path.
Therefore, Bitcoin migration is fundamentally not a cryptographic issue. The PQ algorithm already exists and can be integrated; the real bottleneck lies in the social consensus around immutability, ownership, and the legality of declaring assets as quantum insecure. In other words, Bitcoin's quantum risk is not a doomsday scenario that suddenly goes to zero one day, but rather a progressive process from theoretically feasible, economically expensive to practically executable; what the industry truly needs to strive for is to complete the migration coordination before the attack economics are established.

Figure 5: Bitcoin's Quantum Resistance Migration: A Long-Term Governance Process
Ethereum is proactively addressing the quantum threat. Led by the Ethereum Foundation (EF) Post-Quantum team, research is steadily progressing through open governance processes such as All Core Devs. Its core strategy is not a "one-time bet on a single Post-Quantum (PQ) algorithm," but a comprehensive enhancement of the network's cryptographic agility—ensuring that account authentication, consensus signatures, proof systems, and data layer commitments have the long-term replaceable, upgradable, and verifiable capability.
The quantum risk of Ethereum is highly concentrated in four major cryptographic components: Externally Owned Account (ECDSA/secp256k1), Validator Consensus (BLS signature), Data Availability (KZG commitment), and certain ZK proof systems. To address this, the EF has designed a "Lean" roadmap that progresses along three tracks of execution, consensus, and data in parallel.
· Execution Layer (User Accounts): AA Buffer and L2 Testnet
Facing a massive number of EOAs, direct hard forks face significant resistance. Ethereum leverages an account abstraction (such as ERC-4337 and EIP-7702) to provide smart contract wallets with "signature agility," supporting hybrid signatures and progressive migration to avoid network-wide coordination. Meanwhile, L2 serves as a natural testbed for PQ deployment with its flexible governance;
· Consensus Layer (Validator Signatures): leanXMSS and leanVM Combo
Aimed at completely replacing BLS signatures relying on elliptic curve pairings. The core strategy is to use a hash-based leanXMSS and combine it with a minimalist zkVM (leanVM) for SNARK aggregation. A key engineering breakthrough: leanVM is expected to compress the large hash signature data by about 250 times, mitigating the PQ signature size expansion, while retaining the "multi-sign-to-one" scaling advantage as we enter the post-quantum era.
· Data Layer (Blob, DA, and KZG): Long-term Restructuring of Foundational Commitments
Under CRQC conditions, the underlying security assumptions of KZG still need to be reevaluated and will be migrated in the long term to more PQ-friendly commitments or proof systems, with the ultimate direction evolving towards hash-based STARK or lattice-based commitment schemes. This is a multi-year protocol-level foundational restructuring, not an immediate collapse.
Furthermore, Ethereum's quantum risk is not evenly distributed. EOAs represent the largest value pool; transaction platforms, bridges, custodial hot wallets, governance/upgrade keys, L2 sequencers, and admin keys are high-value operational keys that may come under pressure before the protocol itself. Overall, Ethereum's quantum-resistant migration is not a single-point signature replacement but a multi-year full-stack engineering effort involving accounts, consensus, DA, ZK, L2, bridges, custody, and formal verification.

Figure 6: Ethereum Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures), and Data (Commitment and Proof).

Bitcoin vs. Ethereum Post-Quantum Migration Image Panorama Comparison
In theory, all public blockchains relying on traditional public-key cryptography face quantum risk. However, the ones that truly constitute a systemic proposition against quantum migration are still mainly Bitcoin and Ethereum: the former involves legacy UTXO, immutability, and property rights governance, while the latter involves an all-stack reconfiguration of accounts, consensus, DA, ZK, and L2. Other public blockchains are more suitable as complementary references for technical pathways and risk scenarios.
· Solana represents a high-throughput chain's engineering exploration of PQ signature verification costs. Its community has discussed Falcon-512 / FN-DSA verification syscalls, but this solution is still an exploratory supplement, not a replacement for the existing Ed25519, nor does it represent an official migration route for Solana;
· Starknet / STARK represents a ZK route with a hash-based proof system that is more PQ-friendly. Compared to SNARK systems that rely on pairing / KZG, STARK's underlying proof mechanism is more suitable for the post-quantum ZK direction; however, this does not mean that the entire Starknet network is already quantum-secure. Wallet signatures, hash parameters, bridging mechanisms, and Ethereum L1 settlement still need synchronized migration.
· QRL, Quantus, Abelian, and other native or semi-native PQ chains provide technical references for a clean-slate post-quantum design: QRL represents the early hash-based signature route, Quantus represents a native PQ L1 of the new generation of NIST PQC narrative, Abelian leans towards lattice-based privacy-preserving L1. They offer a feasible path to "build a quantum-resistant chain" from day one, but their network effects, liquidity, and application ecosystem are still far weaker than BTC / ETH, making them more suitable as technical samples.
Quantum computing is not the "doomsday weapon" ending blockchain, but a systemic reset of modern public-key cryptography. The core threat lies in large-scale fault-tolerant quantum computers (CRQC) with future strategic decryption capabilities. The industry's real risk is not the lack of post-quantum algorithms (PQC), but whether the entire Web 3 ecosystem can complete a coordinated migration across the entire chain before Q-Day (quantum decryption threshold). In the short to medium term, the risks of the existing signature system becoming obsolete and the high cost of full-stack upgrades constitute a heavy "security debt"; in the long run, survival pressure will transform into an industrial catalyst, directly driving new security infrastructure lanes such as PQ hybrid wallets, quantum-resistant custody, quantum risk radar, and PQ signature aggregation.
Despite a potential macro preparedness period of up to 5–15 years, the true state of calm in the "engineering comfort window" is now reduced to only 5–8 years. This requires highly coordinated full-stack efforts (from BIP/EIP proposals, node implementations, wallet adaptations to exchange platforms, and custodians' compliance upgrades). More importantly, market repricing may occur earlier than the Q-Day itself: once quantum resource estimates continue to decrease, hardware roadmaps advance significantly, or regulatory bodies and major custodians are the first to propose PQC compliance requirements, the market may preemptively assess the cryptographic security model of blockchain assets. During this window, the two core ecosystems will face dramatically different ultimate tests:
· Bitcoin: The core challenge lies not in cryptography but in global social consensus and property rights governance. How to manage long-term dormant funds and exposed public keys within Legacy UTXOs is a political game that concerns the "immutable" narrative baseline.
· Ethereum: The core challenge lies in the engineering complexity of a multi-layered protocol and full-stack ecosystem. How to achieve cross-layer cryptographic replacements of accounts, consensus, DA, and ZK layers without network paralysis, and mitigate signature volume expansion is key.
In long-term asset allocation, post-quantum governance friction poses a "structural tail risk" to BTC, but it is by no means a reason to be bearish at the moment. Its "difficult-to-change" extremely conservative governance presents a double-edged sword effect: it is both the greatest resistance to quantum migration and the core moat to maintain its value storage narrative and resist centralization interference, requiring investors to abandon the static belief that "BTC will never need a major upgrade." In the future, if the Q-Day timeline is substantially accelerated, the community refuses to push forward with PQ migration while the peripheral ecosystem has already taken action, high-value exposed public key UTXOs trigger panic selling, or the disposal of Legacy assets leads to a complete split, any of these scenarios will lead the market to reprice Bitcoin's security model and underlying consensus.
Original Article Link
Welcome to join the official BlockBeats community:
Telegram Subscription Group: https://t.me/theblockbeats
Telegram Discussion Group: https://t.me/BlockBeats_App
Official Twitter Account: https://twitter.com/BlockBeatsAsia