Imagine a morning in the year 203X, where an on-chain monitoring alarm suddenly shatters the silence: dormant early BTC addresses from over a decade ago begin transferring assets like ghosts. No hacker intrusions, no private key leaks—only "legitimate" signatures seemingly generated out of thin air. As high-value dormant UTXOs are cleared out one after another, the market finally awakens from its slumber: an unknown entity with quantum computing power can now directly deduce private keys from historically exposed public keys. Panic instantly tears through the market, while deep in the dark web, hoarded "harvest first, decrypt later" public key databases are being frantically auctioned, awaiting computational power to cash out wealth.
Meanwhile, the Bitcoin community plunges into an unprecedented crisis of faith: Faced with dormant coins looted by quantum computing power, should they uphold the "code is law" principle of immutability at all costs, or enforce a soft fork to freeze legacy assets? The clash between the property rights narrative and the law of survival ignites a deadlock in governance. On that day, blocks continue to be produced in order, the network never skips a beat—quantum computing isn't the apocalyptic magic that erases everything, but it pushes the entire Web3 ecosystem into the prolonged game of cryptographic reconstruction and a consensus abyss.
Quantum computing is often interpreted as the "Damocles' sword of doom" hanging over the blockchain. Upon re-examining the most significant "security debt" the Web3 world is about to face, we find that the quantum threat's impact on blockchain is essentially a stress test of its three foundational pillars: "public ledger, irreversible assets, and self-custody of private keys." As the dawn of Cryptographically Relevant Quantum Computers (CRQC) approaches, the industry faces the challenge of navigating the extremely complex social consensus and governance game within the remaining 5 to 8-year "engineering comfort window" before Q-Day arrives.
Quantum Computing: Technical Principles, Value, and Threats
Quantum computing is a new computing paradigm based on quantum mechanics principles. It uses quantum bits (qubits) as information carriers, breaking through the binary limitation of classical bits that can only represent 0 or 1. It leverages quantum properties such as superposition, entanglement, interference, and measurement to achieve computational efficiency unattainable by classical computing:
· Superposition — Expanding the state space: A qubit can exist in a linear combination of 0 and 1.
· Quantum Entanglement — Establishing global correlations: Strong non-local correlations formed among multiple qubits.
· Quantum Interference — Manipulating probability amplitudes: The essential mechanism behind quantum algorithm speedup, causing probability amplitudes of wrong answers to cancel out (destructive interference), while amplifying those of correct answers (constructive interference).
· Quantum Measurement — Collapsing the quantum state to a classical result. The core of a quantum algorithm is not "reading all answers," but making the correct answer appear with a higher probability upon measurement.

Figure 1: The Four Pillars of Quantum Computing
(1) Superposition expands the state space—a qubit exists as a continuous mixture of |0⟩ and |1⟩ on the Bloch sphere.
(2) Entanglement creates non-local correlations; measuring one qubit immediately determines its partner.
(3) Interference is the engine of acceleration: wrong answer amplitudes cancel, correct answer amplitudes reinforce.
(4) Measurement collapses the quantum state to a single classical result—the algorithm's task is to make the correct result appear with an overwhelming probability beforehand.
Two Core Quantum Algorithms: Shor's "Dimensionality Reduction Attack" and Grover's "Brute-Force Accelerator"
· Shor's Algorithm (1994): The "Dimensionality Reduction Attack" on Public-Key Cryptography: Shor's algorithm leverages quantum properties to directly "see through" the mathematical principles of integer factorization and discrete logarithms, thereby completely destroying the trust foundation of modern internet and blockchain systems like RSA and Elliptic Curve Cryptography (ECC). However, limited by real-world quantum error correction overhead, cracking mainstream cryptography still requires millions of physical qubits, though this threshold may be significantly lowered under more aggressive algorithm optimization.
· Grover's Algorithm (1996): The "Brute-Force Accelerator" for Symmetric Encryption: Grover's algorithm cannot directly break cryptographic structures; instead, it allows computers to "guess passwords" at a square-root-level speed increase (e.g., reducing the security strength of 128-bit encryption directly to an equivalent of 64-bit). Its threat is far less fatal than Shor's, and countermeasures are simple and crude—typically, longer keys, longer hash outputs, or higher security parameters can restore the security margin (e.g., upgrading to AES-256 or SHA-512).

Figure 2: Two Core Quantum Algorithms: Shor's Algorithm & Grover's Algorithm
Commercialization Roadmap: The "Warring States" of Five Technology Factions
No single qubit technology has established a clear engineering lead. Currently, five technological paths are advancing commercially, each with its own advantages and disadvantages.

Positive Value and Negative Threats of Quantum Computing
The core value of quantum computing lies in breaking through the capability boundaries of classical computing for specific complex problems, promoting paradigm-level leaps in fundamental science and engineering. Its positive value is concentrated in two main directions: first, the simulation of complex quantum systems, including quantum chemistry, drug development, new materials, and energy technologies; second, solving high-complexity optimization problems, including logistics, finance, supply chain, chip design, and industrial scheduling. Among these, quantum simulation is widely considered a more certain long-term application scenario, while complex optimization remains in the exploratory and validation stage. Currently, quantum computing is at a critical stage transitioning from laboratory prototypes to engineering applications, with decoherence, physical noise, error correction overhead, and system scalability remaining the core barriers to crossing the industrialization gap.
The quantum threat fundamentally targets the foundation of modern public-key cryptography systems, spreading layer by layer along the logic of "Data Lifetime × Migration Difficulty × Attack Benefit": National security, military, and intelligence systems are the first line of defense, facing the strategic-level risk of "Harvest Now, Decrypt Later" (HNDL). Financial and payment infrastructures, deeply reliant on TLS, HSM, and identity authentication systems, will be the first to enter compliance migration tracks. Internet trust roots and the Blockchain/Web3 ecosystem face multiple systemic risks such as code signing, cloud key management (KMS), on-chain asset irreversibility, and governance migration. In contrast, fields like healthcare, energy, industrial control, and IoT, due to long device lifecycles and narrow upgrade windows, will create long-term, difficult-to-eliminate tail risks.

Time Window and Planning Principle: Q-Day and Mosca's Inequality
Q-Day refers to the point in time when a quantum computer first possesses the practical capability to crack mainstream public-key cryptography. It is not a fixed date but a probability interval influenced by hardware progress, error correction capability, algorithm optimization, and the secrecy of national projects. The current mainstream expectation roughly centers around 2035–2045, with fast-paced scenarios potentially advancing to 2030–2035, while pre-2030 remains a low-probability tail risk.
Mosca's Inequality X + Y > Z explains why post-quantum migration is urgently necessary even before Q-Day arrives. Here, X is the required secrecy time of the data, Y is the time needed to complete the cryptographic migration, and Z is the remaining time until Q-Day. As long as the sum of the data lifetime and the migration period exceeds the remaining time to Q-Day, the system is already in the migration lag zone: data collected today could be decrypted by quantum computing in the future. Therefore, quantum-resistant security is not an emergency engineering task after Q-Day but a long-term infrastructure migration that must be initiated in advance.

Figure 3: Expert Q-Day Predictions Distribution for 2026. Each bar shows a reasonable window from a single source; dots mark the central estimate.
Color coding represents speaker category: Red = Aggressive industry; Orange = Benchmark survey/consensus; Blue = Hardware roadmap; Green = Skeptics.
Post-Quantum Cryptography (PQC): Technology Paths, Standardization, and Industry Migration Panorama
Post-Quantum Cryptography (PQC), also known as quantum-resistant cryptography or quantum-safe cryptography, is a new generation of cryptographic algorithm systems designed to withstand future attacks from quantum computers. Its core characteristic is that it still runs on existing classical computing architectures, but its security is based on mathematical problems that are difficult for quantum computers to solve efficiently. PQC has become the most realistic and scalable post-quantum migration mainline for global digital infrastructure.
Main Technology Paths: The Duel Between Lattice-Based and Hash-Based Cryptography
Current PQC research and implementation focus on several major mathematical camps:
· Lattice-based Cryptography: Security is based on high-dimensional lattice problems (e.g., Module-LWE), offering both efficiency and security. It is the core direction for current standardization and engineering implementation, with representative algorithms being ML-KEM and ML-DSA.
· Hash-based Signatures: Rely solely on the collision resistance of hash functions, with extremely minimalist and conservative mathematical assumptions. The representative standard is SLH-DSA.
· Other Paths: Code-based cryptography (HQC) was selected by NIST as the fifth PQC algorithm in March 2025, serving as a non-lattice-based backup to ML-KEM. Draft standards are expected in 2026, with final standards in 2027. Multivariate and Isogeny-based cryptography, due to security or efficiency issues, have not entered NIST's first batch of standardization mainline, with the Isogeny path suffering a major setback after the SIKE algorithm was broken.
Standardization Milestone: NIST Establishes "One KEM, Two Signatures" Framework
The FIPS standardization process led by the U.S. National Institute of Standards and Technology (NIST) is the key turning point driving PQC from theory to application. In August 2024, NIST officially released three core standards, establishing the basic division of labor for PQC migration:
· FIPS 203 (ML-KEM): Lattice-based Key Encapsulation Mechanism (KEM), responsible for key exchange.
· FIPS 204 (ML-DSA): Lattice-based Digital Signature Algorithm, responsible for general-purpose digital signatures.
· FIPS 205 (SLH-DSA): Stateless Hash-based Digital Signature Algorithm, serving as an alternative for high-security-level signatures.
Industry Implementation Ecosystem: A Three-Tier Architecture of Mainline, Transitional, and Auxiliary Strategies
Beyond the core algorithms, building a quantum-resistant security system relies on multi-layered engineering strategies:
· Hybrid Deployment: Adopts a parallel signature/encryption mode of "Traditional algorithm (e.g., ECC/RSA) + PQC," serving as a risk hedging measure in the early stages of migration, ensuring baseline security from the traditional algorithm even if unknown vulnerabilities exist in the new algorithm.
· Crypto-agility: Through architectural design, systems gain the ability to quickly replace, upgrade, or rollback algorithms to cope with potential future algorithm-breaking risks.
· Auxiliary Enhancement Technologies: Include Quantum Key Distribution (QKD) (suitable for government/military private networks but cannot replace internet signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave), used to enhance random number quality and key storage security.

Figure 4: Panorama of Quantum-Resistant Pathways
Quantum Risks and Quantum-Resistant Practices in the Blockchain Industry
Blockchain is not the primary target of quantum threats but is the most valuable "stress test" scenario. Compared to traditional Web 2, which relies on centralized mechanisms (like certificate rotation, account freezes) to buffer data breach risks, blockchain directly and instantly transforms underlying cryptographic crises into asset loss and governance deadlock. Its architecture's underlying "threefold irreversibility"—permanently public ledger, irreversible asset transfers, and private key self-custody—makes assets with exposed public keys vulnerable to private key recovery and signature forgery, with no centralized safety net. More critically, the elliptic curve and BLS signature systems heavily relied upon by mainstream public chains face structural breakdown under Shor's algorithm; once a Cryptographically Relevant Quantum Computer (CRQC) emerges, attackers could deduce private keys from exposed public keys on-chain and forge signatures, fundamentally shaking the trust foundation of blockchain.

Threat Profile of Cryptographic Components in Blockchain Systems
For the blockchain industry, the core proposition is not responding to immediate hackers, but initiating a "migration countdown" race against time. Quantum computing will not instantly destroy blockchain but will force the industry through a more difficult underlying cryptographic reconstruction than Web2. The real risk is not the lack of standardized post-quantum algorithms, but whether the entire ecosystem can complete a full-chain coordinated migration from the underlying protocol to legacy assets before Q-Day (the critical point in time when fault-tolerant quantum computers possess practical cracking capabilities).
In this process, the quantum threat does not descend uniformly but transmits progressively through the five-layer architecture of "assets, protocol, infrastructure, applications, governance." The most crucial insight is that high-value infrastructure layers (like exchanges, custodians, cross-chain bridges) will face pressure earlier than the L1 mainnet protocol. Ultimately, the final bottleneck determining the success of this full-chain migration is not the replacement of cryptographic technology but the extremely complex social consensus and governance game.

Quantum-Resistant Practices of Bitcoin and Ethereum
Bitcoin's Quantum Risks: Public Key Exposure, Signature Bloat, and Governance Friction
Bitcoin's quantum risk is not evenly distributed across all BTC but highly depends on whether the public key has already been exposed on-chain. The truly high risk is not all UTXOs, but concentrated in early legacy outputs, addresses with exposed public keys that still hold balances, and long-dormant high-value UTXOs. Bitcoin's hash components (SHA-256, SHA256d, and RIPEMD-160) primarily face security margin reduction from Grover's algorithm, not the structural breakdown under Shor's algorithm like ECDSA/Schnorr.
· High Risk: UTXOs with statically exposed public keys: Early P2PK, Taproot (P2TR) outputs, and spent/reused P2PKH/P2WPKH addresses that still hold balances. Their full public keys are permanently on-chain; they will be the first to be directly broken by Shor's algorithm once CRQC emerges.
· Medium Risk: UTXOs with public keys not yet exposed but will be in the future: Unspent and unreused P2PKH/P2WPKH addresses. Only the public key hash is exposed on-chain; risk exists only in the brief "quantum front-running window" between transaction broadcast and confirmation.
· Low Risk: Assets migrated to quantum-safe addresses: Assets migrated in the future via soft forks to post-quantum (PQ) addresses will have significantly lower risk, but this highly depends on long-term coordinated upgrades across the entire ecosystem.
Engineering Challenges: Signature Bloat and the "Soft-Fork-First" Path
Under Bitcoin's governance structure, the political cost of a one-time hard fork to eliminate ECDSA/Schnorr is extremely high. Introducing new quantum-safe output types via a soft fork is one of the more realistic incremental paths. Current discussions include draft directions like BIP-360 / P2MR (Pay-to-Merkle-Root), but there is still a long way to go before reaching network-wide consensus and activation.
This move necessitates paying a hefty "engineering tax": Current ECDSA/Schnorr signatures are only about 64–72 bytes, while candidate algorithms like ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) increase in size by tens to hundreds of times. This magnitude of bloat will trigger systemic chain reactions: directly increasing block weight and transaction fees, exacerbating node storage and bandwidth burdens, causing significant degradation of the UTXO set and wallet UX, ultimately forming negative feedback that increases resistance to network-wide PQ migration.
More importantly, Bitcoin lacks rapid algorithm-switching capability. Unlike centralized systems where a single entity can upgrade certificates or replace algorithms, Bitcoin requires consensus rules, address formats, wallets, mining pools, exchanges, custodians, and hardware wallets to adapt synchronously. Therefore, PQ migration is not a single-point technical upgrade but a long-term coordinated engineering effort across the entire ecosystem.
Governance Game: The "Values Dilemma" of Legacy UTXOs
Even if PQ addresses are successfully deployed, how to handle legacy UTXOs that remain un-migrated for a long time, including early long-dormant BTC often considered to belong to the Satoshi era, remains the ultimate challenge. Both extreme solutions conflict with Bitcoin's core values:
· Do nothing: Legacy coins will become "free lunch" for the first attacker with CRQC capability, triggering market panic.
· Enforced freezing/invalidation: Directly violates the property rights principle of "Not your keys, not your coins" and the immutability narrative, easily tearing apart community consensus and potentially leading to a chain fork.
A pragmatic compromise path is implementing a multi-year "Legacy Sunset" mechanism: issuing long-term deprecation warnings, gradually increasing the relay policy friction for spending old outputs, and ultimately imposing constraints via a soft fork under multi-party coordination. Discussions like BIP-361 (legacy signature sunset) essentially explore this path.
Therefore, Bitcoin migration is fundamentally not a cryptography problem. PQ algorithms already exist and can be integrated. The real bottleneck is the social consensus around issues like immutability, property rights, and the legitimacy of "declaring assets as quantum-unsafe." In other words, Bitcoin's quantum risk is not a doomsday scenario where everything suddenly goes to zero, but a gradual process from theoretical feasibility to economic viability and practical execution. What the industry truly needs to strive for is completing migration coordination before attack economics become viable.

Figure 5: Bitcoin's Post-Quantum Migration: A Long-term Governance Process
Ethereum's Post-Quantum Migration — Full-Stack Refactoring and the "Lean" Roadmap
Ethereum is proactively addressing the quantum threat. Led by the Ethereum Foundation (EF) Post-Quantum team, research is steadily progressing through open governance processes like All Core Devs. Its core strategy is not a "one-time bet on a single PQ algorithm," but comprehensively enhancing the network's Cryptographic Agility—ensuring long-term replaceability, upgradability, and verifiability of account authentication, consensus signatures, proof systems, and data layer commitments.
Ethereum's quantum risk is highly concentrated in four cryptographic components: EOA accounts (ECDSA/secp256k1), validator consensus (BLS signatures), data availability (KZG commitments), and some ZK proof systems. Accordingly, EF has designed a "Lean" roadmap progressing along three parallel tracks: Execution, Consensus, and Data.
· Execution Layer (User Accounts): AA Buffer and L2 Testing Ground
Facing a vast number of EOAs, direct hard-fork resistance is immense. Ethereum leverages Account Abstraction (like ERC-4337 and EIP-7702) to grant smart contract wallets "signature agility," supporting hybrid signatures and progressive migration, avoiding network-wide forced coordination. Meanwhile, L2s, with their flexible governance, serve as natural testing grounds for PQ deployment.
· Consensus Layer (Validator Signatures): The "Combination Punch" of leanXMSS and leanVM
Aims to completely replace the BLS signature system that relies on elliptic curve pairings. The core strategy is to adopt hash-based leanXMSS, combined with a minimal zkVM (leanVM) for SNARK aggregation. Key engineering breakthrough: leanVM is expected to compress the massive hash signature data by about 250x, hedging against PQ signature size bloat, preserving the scaling advantage of "multisignature aggregation" while entering the post-quantum era.
· Data Layer (Blobs, DA & KZG): Long-term Refactoring of Underlying Commitments
Under CRQC conditions, the underlying security assumptions of KZG still need to be re-evaluated, with a long-term migration towards more PQ-friendly commitment or proof systems. The endgame direction is moving towards hash-based STARKs or lattice-based commitment schemes. This is a multi-year protocol-level refactoring, not an immediate failure.
Furthermore, Ethereum's quantum risk is not evenly distributed. EOAs represent the largest value pool; exchange keys, bridge keys, custodial hot wallet keys, governance/upgrade keys, L2 sequencer keys, and admin keys are high-value operational keys that may face pressure before the protocol itself. Overall, Ethereum's post-quantum migration is not a single-point signature replacement but a multi-year, full-stack engineering effort involving accounts, consensus, DA, ZK, L2, bridges, custody, and formal verification.

Figure 6: Ethereum's Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures) & Data (Commitments & Proofs).

Panoramic Comparison of Bitcoin and Ethereum Post-Quantum Migration Portraits
Theoretically, all public chains relying on traditional public-key cryptography face quantum risks. However, the ones that truly constitute a systemic post-quantum migration proposition are primarily Bitcoin and Ethereum: the former involves legacy UTXOs, immutability, and property rights governance; the latter involves full-stack refactoring of accounts, consensus, DA, ZK, and L2. Other public chains are better suited as supplementary references for technological paths and risk scenarios.
· Solana represents high-throughput chains exploring the engineering costs of PQ signature verification. Its community has discussed a Falcon-512 / FN-DSA verification syscall, but this scheme remains exploratory and supplementary, not replacing the existing Ed25519, nor does it represent an official migration roadmap for Solana.
· Starknet / STARKs represent a more PQ-friendly ZK path via hash-based proof systems. Compared to SNARK systems reliant on pairings/KZG, STARK's underlying proving mechanism is more suitable as a post-quantum ZK direction. However, this does not mean the entire Starknet network is already quantum-safe; wallet signatures, hash parameters, bridging mechanisms, and Ethereum L1 settlement still require synchronous migration.
· QRL, Quantus, Abelian and other native or quasi-native PQ chains provide technical references for clean-slate post-quantum design: QRL represents an early hash-based signature path, Quantus represents a native PQ L1 under the new NIST PQC narrative, and Abelian leans towards a lattice-based privacy-preserving L1. Their approach of "building quantum-resistant chains from day one" is feasible, but their network effects, liquidity, and application ecosystems remain far weaker than BTC/ETH, making them more suitable as technical samples.
Conclusion: Security Debt Maturity and the Entire Ecosystem's "Q-Day" Countdown
Quantum computing is not the "doomsday weapon" that ends blockchain but a systematic reset of modern public-key cryptographic systems. The core threat lies in future large-scale, fault-tolerant quantum computers (CRQC) with strategic cracking capabilities. The industry's real risk is not the lack of Post-Quantum Cryptography (PQC) algorithms but whether the entire Web3 ecosystem can complete a full-chain coordinated migration before Q-Day (the quantum cracking critical point). In the short to medium term, the risk of existing signature system failure and the high cost of full-stack upgrades constitute a heavy "security debt." In the long run, survival pressure will transform into an industry catalyst, directly spawning new security infrastructure sectors like PQ hybrid wallets, quantum-resistant institutional custody, quantum risk radar, and PQ signature aggregation.
Although the macro preparation period could be as long as 5–15 years, the truly comfortable "engineering comfort window" is only about 5–8 years remaining. This requires high coordination across the entire chain (from BIP/EIP proposals, node implementations, wallet adaptations to exchange and custodian compliance upgrades). More importantly, market repricing may occur earlier than Q-Day itself: once quantum resource estimates continue to be revised downward, hardware roadmaps significantly accelerate, or regulators and large custodians first propose PQC compliance requirements, the market may begin re-evaluating the cryptographic security models of blockchain assets. During this window, the two core ecosystems face distinctly different ultimate tests:
· Bitcoin: The core challenge is not cryptography but global social consensus and property rights governance. How to handle long-dormant, public-key-exposed Legacy UTXOs is a political game concerning the "immutable" narrative's bottom line.
· Ethereum: The core challenge lies in the engineering complexity of its multi-layer protocol and full-stack ecosystem. How to replace cryptography across the account, consensus, DA, and ZK layers without causing network paralysis, while also hedging against signature size bloat.
In long-term asset allocation, post-quantum governance friction constitutes a "structural tail risk" for BTC, but it is by no means a reason to be bearish at present. Its "hard-to-change" extremely conservative governance presents a double-edged sword effect: it is both the greatest resistance to PQ migration and the core moat maintaining its value storage narrative and resisting centralization interference. This requires investors to abandon the static belief that "BTC never needs major upgrades." In the future, if any of these scenarios occur—Q-Day timeline being materially brought forward, the community refusing to advance PQ migration while the surrounding ecosystem moves first, high-value exposed-public-key UTXOs triggering panic selling, or legacy asset disposal falling into complete division—the market will reprice BTC's security model and underlying consensus.





