Author|0xjacobzhao @ IOSG
Imagine a quiet morning in 203X, when on-chain monitoring alarms suddenly shatter the peace: a batch of long-dormant early Bitcoin addresses begin to move assets like ghosts. There is no hacker intrusion, no private key leak—only the sudden generation of “legitimate” signatures. As high-value dormant UTXOs are cleared out one after another, the market finally awakens to reality: some unknown entity with quantum computing power can now directly reverse-engineer private keys from historically exposed public keys. Panic instantly grips the market, while in the dark web, a hoard of “harvest now, decrypt later” public keys—accumulated over a decade—is being auctioned off frantically, waiting for the computational power to unlock their wealth. Meanwhile, the Bitcoin community is plunged into an unprecedented ideological rift: faced with coins looted by quantum power, should they stick to the unbreakable principle that “code is law,” or enforce a soft fork to freeze legacy assets? The collision between property rights and survival logic completely detonates a governance deadlock. On that day, blocks continued to be mined, and the network did not stop for a second. Quantum computing was not an apocalyptic magic that erased everything, but it pushed the entire Web3 ecosystem into a prolonged struggle of cryptographic restructuring and a crisis of consensus.
Quantum computing is often portrayed as the “Damocles’ Sword” hanging over blockchain. Let’s re-examine the biggest “security debt” the Web3 world is about to face. The threat from quantum computing to blockchain is, in essence, an extreme stress test of its three foundational pillars: public ledger, irreversible asset transfer, and self-custody of private keys. As the dawn of fault-tolerant quantum computers (CRQC) appears, the industry faces the daunting task of navigating extremely complex social consensus and governance battles within the remaining “engineering comfort window” of just 5 to 8 years before Q-Day arrives.
Quantum Computing: Technical Principles, Value, and Threats
Quantum computing is a new computational paradigm based on quantum mechanics principles. It uses quantum bits (qubits) as information carriers, breaking through the binary limitation of classical bits that can only represent 0 or 1, and leverages quantum properties such as superposition, entanglement, interference, and measurement to achieve computational efficiencies difficult for classical computing:
-
Superposition — Expanding the state space: A qubit can exist in a linear combination of 0 and 1.
-
Quantum Entanglement — Establishing global correlation: The strong non-local correlation formed between multiple qubits.
-
Quantum Interference — Manipulating probability amplitudes: The core mechanism for quantum algorithm speedup, where the probability amplitudes of wrong answers cancel each other out (destructive interference), while the probability amplitudes of correct answers are amplified (constructive interference).
-
Quantum Measurement — Collapsing the quantum state into a single classical result. The core of quantum algorithms is not to “read out all answers,” but to make the correct answer appear with a high probability during measurement.

Figure 1: Four Pillars of Quantum Computing
(①) Superposition expands the state space — A qubit exists as a continuous mixture of |0⟩ and |1⟩ on the Bloch sphere.
(②) Entanglement creates non-local correlations; measuring one qubit instantly determines its partner.
(③) Interference is the engine of speedup: Wrong answers' amplitudes cancel, correct answers' amplitudes reinforce.
(④) Measurement collapses the quantum state into a single classical result — the algorithm's task is to make the correct result appear with an overwhelming probability beforehand.
Two Core Quantum Algorithms: Shor's "Dimensionality Reduction Strike" and Grover's "Brute-Force Accelerator"
-
Shor's Algorithm (1994): The "Dimensionality Reduction Strike" Against Public-Key Cryptography : Shor's algorithm leverages quantum properties to directly "see through" the mathematical patterns of integer factorization and discrete logarithms, thereby completely destroying the trust foundations of modern internet and blockchain, such as RSA and Elliptic Curve Cryptography (ECC). However, limited by real-world quantum error correction overhead, cracking mainstream cryptography still requires millions of physical qubits, though this threshold could be significantly lowered with more aggressive algorithm optimization.
-
Grover's Algorithm (1996): The "Brute-Force Accelerator" for Symmetric Encryption: Grover's algorithm cannot directly break cryptographic structures, but it boosts the speed of "guessing passwords" by a square root factor (e.g., directly halving the security strength of 128-bit encryption to 64-bit). Its threat is far less fatal than Shor's, and countermeasures are straightforward—typically restoring security margins by using longer keys, longer hash outputs, or higher security parameters (such as upgrading to AES-256 or SHA-512).

Figure 2: Two Core Quantum Algorithms: Shor's Algorithm and Grover's Algorithm
Quantum Computing Commercialization Roadmap: The "Clash of the Titans" Among Five Technical Factions
No single qubit technology has established a clear engineering lead. Currently, five routes are being commercially pursued, each with its own advantages and disadvantages.

Positive Value and Negative Threat of Quantum Computing
The core value of quantum computing lies in breaking through the capability boundaries of classical computing for specific complex problems, driving paradigm-level leaps in fundamental science and engineering. Its positive value is concentrated in two main directions: first, the simulation of complex quantum systems, including quantum chemistry, drug development, new materials, and energy technologies; second, solving high-complexity optimization problems, including logistics, finance, supply chains, chip design, and industrial scheduling. Among these, quantum simulation is widely considered a more deterministic long-term application scenario, while complex optimization is still in the exploration and validation stage. Currently, quantum computing is at a critical stage moving from laboratory prototypes toward engineering applications. Decoherence, physical noise, error correction overhead, and system scalability remain the core barriers to crossing the industrialization chasm.
The quantum threat essentially targets the foundations of modern public-key cryptography systems and spreads layer by layer according to the logic of “data lifetime × migration difficulty × attack benefit.” National security, military, and intelligence systems are the first to bear the brunt, facing strategic-level “Harvest Now, Decrypt Later” (HNDL) risks. Financial and payment infrastructures, deeply reliant on TLS, HSMs, and identity authentication systems, will be the first to enter compliance migration tracks. Internet trust roots and blockchain/Web3 ecosystems face multiple systemic risks including code signing, cloud key management (KMS), irreversible on-chain asset transfers, and governance migration. Meanwhile, sectors like healthcare, energy, industrial control, and IoT will form long-term, difficult-to-eliminate tail risks due to long device lifecycles and narrow upgrade windows.

Time Window and Planning Rule: Q-Day and the Mosca Inequality
Q-Day refers to the point in time when a quantum computer first possesses the practical capability to break mainstream public-key cryptography. It is not a fixed date, but a probability interval influenced by hardware progress, error correction capabilities, algorithm optimization, and the secrecy of national projects. Current mainstream expectations are roughly concentrated between 2035 and 2045. Fast scenarios could advance it to 2030–2035, while a pre-2030 timeline is considered a low-probability tail risk.
Mosca Inequality X + Y > Z explains why even if Q-Day is not yet imminent, post-quantum migration still has real urgency. Here, X is the time data needs to remain confidential, Y is the time required to complete cryptographic migration, and Z is the remaining time until Q-Day. As long as the sum of the data's lifetime and the migration period exceeds the remaining time until Q-Day, the system is already in a migration lag zone: data collected today may be decrypted by quantum computing in the future. Therefore, post-quantum security is not an emergency engineering task after Q-Day arrives, but a long-term infrastructure migration that must be started in advance.

Figure 3: Expert Q-Day Forecast Distribution in 2026. Each bar shows a single source's reasonable window; dots mark central estimates.
Color coding represents speaker categories: Red = Aggressive industry; Orange = Benchmark survey/consensus; Blue = Hardware roadmap; Green = Skeptics.
Post-Quantum Cryptography (PQC): Technology Roadmap, Standardization, and Industry Migration Overview
Post-Quantum Cryptography (PQC), also known as quantum-resistant cryptography or quantum-safe cryptography, is a new generation of cryptographic algorithm systems designed to resist future attacks by quantum computers. Their core characteristic is that they still run on existing classical computing architectures, but their security is based on mathematical problems that are also difficult for quantum computers to solve efficiently. PQC has become the most realistic and scalable mainstream pathway for the global digital infrastructure's quantum migration.
Main Technical Routes: The Duel of Lattice-Based and Hash-Based Signatures
Current PQC research and implementation primarily focus on several major mathematical families:
-
Lattice-Based Cryptography: Security is based on hard problems in high-dimensional lattices (e.g., Module-LWE). It balances efficiency and security, making it the core direction for current standardization and engineering implementation. Representative algorithms are ML-KEM and ML-DSA.
-
Hash-Based Signatures: Relies solely on the collision resistance of hash functions, with extremely simple and conservative mathematical assumptions. The representative standard is SLH-DSA.
-
Other Routes: Code-based cryptography (HQC) was selected by NIST as the fifth PQC algorithm in March 2025, serving as a non-lattice backup to ML-KEM. The draft standard is expected in 2026, with the final standard in 2027. Meanwhile, Multivariate and Isogeny-based cryptography have not yet entered NIST's first batch of standardization due to security or efficiency concerns. Notably, the isogeny route suffered a major setback when the SIKE algorithm was broken.
Standardization Milestone: NIST Establishes the "One KEM, Two Signatures" Pattern
The FIPS standardization process led by the U.S. National Institute of Standards and Technology (NIST) is a key turning point in moving PQC from theory to practice. In August 2024, NIST officially released three core standards, establishing the basic division of labor for PQC migration:
-
FIPS 203 (ML-KEM): A Lattice-based Key Encapsulation Mechanism (KEM) for key exchange.
-
FIPS 204 (ML-DSA): A Lattice-based Digital Signature Algorithm for general-purpose digital signatures.
-
FIPS 205 (SLH-DSA): A Stateless Hash-Based Digital Signature Algorithm, serving as a backup option for high-security-level signatures.
Industry Implementation Ecosystem: A Three-Tier Architecture of Mainstream, Transition, and Auxiliary
Beyond core algorithms, building a quantum-resistant security system relies on multi-layered engineering strategies:
-
Hybrid Deployment: Uses a "traditional algorithm (e.g., ECC/RSA) + PQC" parallel signing/encryption mode as a risk-hedging measure in the early migration stages, ensuring baseline security remains intact via the traditional algorithm even if unknown vulnerabilities exist in the new one.
-
Cryptographic Agility: Architectural design that enables systems to quickly replace, upgrade, or roll back algorithms to respond to future potential algorithm breakage risks.
-
Auxiliary Enhancement Technologies: Including Quantum Key Distribution (QKD) (suitable for government/military private networks but cannot replace internet signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave), used to enhance random number quality and key storage security.

Figure 4: Post-Quantum Roadmap Panorama
Quantum Risk and Quantum-Resistant Practices in the Blockchain Industry
Blockchain is not the primary target of the quantum threat, but it is a highly valuable “stress test” scenario. Compared to traditional Web2, which relies on centralized mechanisms (like certificate rotation, account freezing) to buffer data breach risks, blockchain directly and instantly transforms underlying cryptographic crises into asset loss and governance deadlock. The “triple irreversibility” at its architectural core—permanently public ledger, irreversible asset transfers, and self-custody of private keys—means that assets with exposed public keys may face private key recovery and signature forgery, with no centralized safety net. More critically, the Elliptic Curve and BLS signature systems heavily relied upon by mainstream public chains face structural breakdown under Shor’s algorithm. Once a fault-tolerant quantum computer (CRQC) emerges, attackers can derive private keys from exposed public keys on-chain and forge signatures, fundamentally shaking blockchain's trust foundation.

Threat Map of Cryptographic Components in Blockchain Systems
For the blockchain industry, the core proposition is not to fight immediate hackers but to initiate a “migration countdown” race against time. Quantum computing will not instantly destroy blockchain, but it will force the industry through a much more difficult underlying cryptographic reconstruction than Web2. The real risk is not the lack of standardized post-quantum algorithms, but whether the entire ecosystem can complete full-chain coordinated migration—from underlying protocols to existing assets—before Q-Day (the critical time point when fault-tolerant quantum computers possess practical cracking capabilities).
In this process, the quantum threat does not arrive uniformly but propagates level by level across a five-layer architecture: “Assets, Protocols, Infrastructure, Applications, Governance.” The most crucial insight is that the high-value Infrastructure layer (exchanges, custodians, cross-chain bridges) will bear the pressure before the L1 mainnet protocols. The ultimate bottleneck determining the success of this full-chain migration is not the replacement of cryptographic technology, but the extremely complex social consensus and governance negotiations.

Bitcoin and Ethereum's Quantum-Resistant Practices
Bitcoin's Quantum Risk: Public Key Exposure, Signature Inflation, and Governance Friction
Bitcoin's quantum risk is not evenly distributed across all BTC; it depends highly on whether the public key has already been exposed on-chain. The true high risk is not all UTXOs network-wide, but concentrated in early legacy outputs, addresses with exposed public keys that still hold balances, and long-dormant, high-value UTXOs. Bitcoin's hash components (SHA-256, SHA256d, and RIPEMD-160) primarily face a reduction in security margin from Grover's algorithm, not the structural breakdown that ECDSA/Schnorr faces from Shor's algorithm.
-
High Risk: UTXOs with Public Keys Statically Exposed: Early P2PK, Taproot (P2TR) outputs, and spent/reused P2PKH/P2WPKH addresses that still hold balances. Their full public keys are permanently on-chain and will be the first to be directly broken by Shor's algorithm once CRQC arrives.
-
Medium Risk: UTXOs with Public Keys Not Yet Exposed but Will Be in the Future: Unspent and unused P2PKH/P2WPKH addresses. Only the public key hash is exposed on-chain; risk exists only during the brief “quantum preemption window” between transaction broadcast and confirmation.
-
Low Risk: Assets Migrated to Quantum-Safe Addresses: Assets that have migrated in the future to post-quantum (PQ) addresses via soft forks will see significantly reduced risk, but this heavily relies on long-term coordinated upgrades across the entire ecosystem.
Engineering Challenges: Signature Inflation and the “Soft Fork First” Path
Under Bitcoin's governance structure, the political cost of a one-time hard fork to retire ECDSA/Schnorr is extremely high. Introducing new quantum-safe output types via soft fork is one of the more realistic incremental paths. Current related discussions include draft directions like BIP-360 / P2MR (Pay-to-Merkle-Root), but there is still a long way to go before achieving network-wide consensus and activation.
This move necessitates paying a heavy “engineering tax.” Current ECDSA/Schnorr signatures are only about 64–72 bytes, while candidate algorithms like ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) see volume surges of tens to hundreds of times. This magnitude of inflation will trigger systemic chain reactions: directly increasing block weight and transaction fees, worsening node storage and bandwidth burdens, significantly deteriorating the UTXO set and wallet UX, ultimately forming negative feedback that further increases network-wide resistance to quantum migration.
More importantly, Bitcoin lacks rapid algorithm switching capability. Unlike centralized systems where a single entity can upgrade certificates or replace algorithms, it requires simultaneous adaptation of consensus rules, address formats, wallets, mining pools, exchanges, custodians, and hardware wallets. Therefore, quantum migration is not a single-point technical upgrade, but a long-term coordinated engineering effort across the entire ecosystem.
Governance Dilemma: The “Values Conflict” of Legacy UTXOs
Even if PQ addresses are successfully launched, how to handle long-term un-migrated legacy UTXOs—including early long-dormant BTC often believed to belong to the Satoshi era—remains an ultimate challenge. Two extreme approaches both conflict with Bitcoin's core values:
-
Do Nothing: Legacy coins will become “free lunch” for the first attacker with CRQC capability, triggering market panic.
-
Force Freeze/Invalidation: Directly violates the property rights principle of “Not your keys, not your coins” and the immutable narrative, easily tearing community consensus apart and potentially causing chain forks.
A practical middle path is implementing a multi-year “Legacy Sunset” mechanism: issuing long-term deprecation warnings, gradually increasing relay policy friction for spending old outputs, and finally, after multi-party coordination, imposing constraints through a soft fork. Discussions like BIP-361 “legacy signature sunset” essentially explore this path.
Therefore, Bitcoin's migration is fundamentally not a cryptography problem. PQ algorithms already exist and can be integrated. The real bottleneck lies in the social consensus around issues like immutability, property rights, and the legitimacy of “declaring assets quantum-unsafe.” In other words, Bitcoin's quantum risk is not an apocalyptic scenario where everything goes to zero one day, but a gradual process from theoretical feasibility, economic expensiveness, to practical executability. What the industry truly needs to achieve is completing migration coordination before the attack becomes economically viable.

Figure 5: Bitcoin's Quantum-Resistant Migration: A Long-Term Governance Process
Ethereum's Quantum Migration — Full-Stack Refactoring and the “Lean” Roadmap
Ethereum is proactively addressing the quantum threat. Led by the Ethereum Foundation (EF) Post-Quantum team (https://pq.ethereum.org/) and steadily advanced through open governance processes like All Core Devs, its core strategy is not a “one-time bet on a single post-quantum algorithm,” but comprehensively improving the network's Cryptographic Agility—ensuring long-term replaceability, upgradability, and verifiability for account authentication, consensus signatures, proof systems, and data layer commitments.
Ethereum's quantum risk is highly concentrated in four cryptographic components: EOA accounts (ECDSA/secp256k1), validator consensus (BLS signatures), data availability (KZG commitments), and some ZK proof systems. Accordingly, the EF has designed a “Lean” roadmap advancing on three parallel tracks: execution, consensus, and data.
-
Execution Layer (User Accounts): Account Abstraction as Buffer and L2 as Testbed
Facing a massive number of EOAs, direct hard fork resistance is extremely high. Ethereum leverages Account Abstraction (e.g., ERC-4337 and EIP-7702) to grant smart contract wallets “signature agility,” supporting hybrid signatures and gradual migration, avoiding network-wide forced coordination. Meanwhile, L2s, with their flexible governance, become natural testbeds for PQ deployment.
-
Consensus Layer (Validator Signatures): The "One-Two Punch" of leanXMSS and leanVM
Aims to completely replace BLS signatures that rely on elliptic curve pairings. The core strategy is adopting hash-based leanXMSS, combined with a minimalist zkVM (leanVM) for SNARK aggregation. Key engineering breakthrough: leanVM is expected to compress the large hash signature data by about 250 times, counteracting PQ signature volume inflation, and preserving the scaling advantage of “many signatures aggregated into one” while entering the post-quantum era.
-
Data Layer (Blobs, DA, and KZG): Long-Term Refactoring of Underlying Commitments
Under CRQC conditions, the underlying security assumptions of KZG need to be re-evaluated, with a long-term migration toward more PQ-friendly commitment or proof systems. The endgame direction is evolving towards hash-based STARKs or lattice-based commitment schemes. This is a multi-year protocol-level refactoring, not an immediate failure.
Furthermore, Ethereum's quantum risk is not evenly distributed. EOAs constitute the largest pool of value; exchange/bridge/custody hot wallets, governance/upgrade keys, L2 sequencer, and admin keys are high-value operational keys that may bear pressure before the protocol itself. Overall, Ethereum's quantum migration is not a single-point signature replacement, but a multi-year, full-stack engineering effort involving accounts, consensus, DA, ZK, L2s, bridges, custody, and formal verification.

Figure 6: Ethereum Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures), and Data (Commitments and Proofs).

Panoramic Comparison of Post-Quantum Migration Profiles for Bitcoin and Ethereum
Theoretically, all public chains relying on traditional public-key cryptography face quantum risk. However, those truly constituting a systemic quantum migration proposition are still primarily Bitcoin and Ethereum: the former involves legacy UTXOs, immutability, and property rights governance, while the latter involves full-stack refactoring of accounts, consensus, DA, ZK, and L2s. Other public chains are better suited as supplementary references for technical paths and risk scenarios.
-
Solana represents high-throughput chains exploring the engineering cost of PQ signature verification; its community has discussed Falcon-512 / FN-DSA verification syscalls, but this solution remains exploratory and complementary, not replacing existing Ed25519, nor does it mean Solana has an official migration roadmap.
-
Starknet / STARKs represent the more PQ-friendly ZK route of hash-based proof systems. Compared to SNARK systems relying on pairings/KZG, STARK's underlying proving mechanism is more suitable as a post-quantum ZK direction. However, this does not mean the entire Starknet network is quantum-safe; wallet signatures, hash parameters, bridging mechanisms, and Ethereum L1 settlement still require synchronized migration.
-
QRL, Quantus, Abelian and other native or quasi-native PQ chains provide technical references for clean-slate post-quantum design: QRL represents the early hash-based signature route, Quantus represents the new-generation narrative of native PQ L1 based on NIST PQC, and Abelian leans towards lattice-based privacy-preserving L1. They demonstrate viable paths of “building quantum-resistant chains from day one,” but their network effects, liquidity, and application ecosystems are still far weaker than BTC/ETH, making them better suited as technical samples.
Conclusion: Security Debt Maturity and the "Q-Day" Countdown for the Entire Ecosystem
Quantum computing is not an “apocalyptic weapon” that will end blockchain but represents a systemic reset of modern public-key cryptography. The core threat lies in future large-scale fault-tolerant quantum computers (CRQC) with strategic-level cracking capabilities. The industry's real risk is not the lack of post-quantum algorithms (PQC), but whether the entire Web3 ecosystem can complete full-chain coordinated migration before Q-Day (the critical point of quantum cracking capability). In the short to medium term, the risk of failure in existing signature systems combined with the high cost of full-stack upgrades constitutes a heavy “security debt.” In the long run, survival pressure will transform into an industrial catalyst, directly spawning entirely new security infrastructure sectors like PQ hybrid wallets, quantum-resistant institutional custody, quantum risk radars, and PQ signature aggregation.
Although the macro preparation period may be as long as 5–15 years, the truly comfortable “engineering comfort window” is only 5–8 years remaining. This demands high coordination across the entire chain (from BIP/EIP proposals, node implementations, wallet adaptations, to compliance upgrades for exchanges and custodians). More importantly, market re-pricing may occur before Q-Day itself: once quantum resource estimates continue to be revised downward, hardware roadmaps significantly accelerate, or regulators and large custodians begin demanding PQC compliance, the market may start scrutinizing blockchain assets' cryptographic security models earlier. Within this window, the two core ecosystems will face fundamentally different ultimate tests:
-
Bitcoin: The core challenge is not cryptography, but global social consensus and property rights governance. How to handle long-dormant Legacy UTXOs with exposed public keys is a political battle concerning the narrative foundation of “immutability.”
-
Ethereum: The core challenge lies in the engineering complexity of multi-layer protocols and the full-stack ecosystem. How to complete cryptographic replacement across account, consensus, DA, and ZK layers without causing network paralysis, while counteracting signature volume inflation.
In long-term asset allocation, post-quantum governance friction constitutes a “structural tail risk” for BTC, but it is by no means a reason for bearishness today. Its “difficult to change” ultra-conservative governance presents a double-edged sword effect: it is both the greatest resistance to quantum migration and the core moat maintaining its store-of-value narrative and resisting centralized intervention, requiring investors to abandon the static belief that “BTC never needs major upgrades.” In the future, if any of the following scenarios occur—the Q-Day timeline is substantively accelerated, the community refuses to advance PQ migration while the peripheral ecosystem has already taken action, high-value exposed public key UTXOs trigger panic selling, or legacy asset disposal falls into complete fragmentation—the market will reprice BTC's security model and underlying consensus.





