Author|0xjacobzhao @ IOSG
Imagine one early morning in 203X, when an on-chain monitoring alarm suddenly shatters the peace: a batch of early BTC addresses dormant for over a decade begins to transfer assets like ghosts. No hacker intrusion, no private key leakage, only 'legitimate' signatures generated out of thin air. As high-value dormant UTXOs are successively drained, the market finally awakens: some unknown quantum computing entity can already directly derive private keys from historically exposed public keys. Panic instantly rips through the market. In the deep web, public key libraries hoarded for a decade with the strategy 'harvest first, decrypt later' are being frantically auctioned, waiting for computing power to cash in on the wealth. Meanwhile, the Bitcoin community is torn by unprecedented ideological rifts: when facing dormant coins plundered by quantum computing, should they rigidly adhere to the principle of 'code is law' and immutability, or enforce a hard fork to freeze the legacy assets? The collision between the narrative of property rights and the law of survival has ignited a governance deadlock. That day, blocks continue to be produced in order, and the network never pauses for a second. Quantum computing isn't an apocalyptic magic spell that erases everything, but it pushes the entire Web3 ecosystem into the protracted game of cryptographic reconstruction and consensus abyss.
Quantum computing is often interpreted as the apocalyptic 'Sword of Damocles' hanging over the blockchain. Re-examining the biggest 'security debt' the Web3 world is about to face, we find that the impact of the quantum threat on blockchain is essentially an ultimate stress test of its three-layered foundational architecture: 'open ledger, irreversible assets, self-custody of private keys.' As the dawn of Cryptographically Relevant Quantum Computers (CRQC) emerges, the industry faces the challenge of navigating the extremely complex social consensus and governance struggles within the remaining 5 to 8-year 'engineering comfort window' before Q-Day arrives.
Quantum Computing: Technical Principles, Value, and Threats
Quantum computing is a new computational paradigm based on quantum mechanics principles. It uses quantum bits (qubits) as information carriers, breaking through the binary limitation of classical bits which can only represent 0 or 1. By leveraging quantum properties like superposition, entanglement, interference, and measurement, it achieves computational efficiencies difficult to reach with classical computing:
-
Superposition – Expanding the state space: A qubit can exist in a linear combination of 0 and 1.
-
Quantum Entanglement – Establishing global correlation: Strong non-local correlations formed between multiple qubits.
-
Quantum Interference – Manipulating probability amplitudes: The essence of quantum algorithm acceleration, where probability amplitudes for wrong answers cancel each other out (destructive interference), while amplifying the amplitude for the correct answer (constructive interference).
-
Quantum Measurement – Collapsing the quantum state into a single classical result. The core of a quantum algorithm is not 'reading all the answers,' but ensuring the correct answer has a significantly higher probability of appearing upon measurement.

Figure 1: The Four Pillars of Quantum Computing
(①) Superposition expands the state space – a qubit exists as a continuous mixture of |0⟩ and |1⟩ on the Bloch sphere.
(②) Entanglement creates non-local correlations; measuring one qubit instantly determines its partner.
(③) Interference is the engine of acceleration: destructive interference cancels amplitudes for wrong answers, constructive interference amplifies amplitudes for the correct answer.
(④) Measurement collapses the quantum state into a single classical result – the algorithm's task is to ensure the correct result appears with an overwhelming probability beforehand.
The Two Core Algorithms of Quantum Computing: Shor's 'Dimensionality Reduction Attack' and Grover's 'Brute-Force Accelerator'
-
Shor's Algorithm (1994): The 'Dimensionality Reduction Attack' on Public-Key Cryptography: Shor's algorithm can leverage quantum properties to directly 'see through' the mathematical patterns of integer factorization and discrete logarithms, thus completely destroying the trust foundation of the modern internet and blockchain, such as RSA and Elliptic Curve Cryptography (ECC). However, constrained by real-world quantum error correction overhead, cracking mainstream cryptography still requires millions of physical qubits, though aggressive algorithmic optimizations could significantly lower this threshold.
-
Grover's Algorithm (1996): The 'Brute-Force Accelerator' for Symmetric Encryption: Grover's algorithm cannot directly break cryptographic structures. Instead, it provides a square-root speedup for 'guessing passwords' (e.g., reducing the effective security strength of 128-bit encryption to 64-bit). Its threat is far less fatal than Shor's, and the countermeasures are straightforward – typically, increasing the key length, hash output length, or security parameters can restore the safety margin (e.g., upgrading to AES-256 or SHA-512).

Figure 2: The Two Core Algorithms of Quantum Computing: Shor's Algorithm and Grover's Algorithm
The Commercialization Path of Quantum Computing: The 'Battle of the Titans' Among Five Technical Camps
No single qubit technology has established a clear engineering lead. Five distinct approaches are currently being commercially pursued, each with its own advantages and disadvantages.

The Positive Value and Negative Threat of Quantum Computing
The core value of quantum computing lies in breaking through the capability boundaries of classical computing for specific complex problems, driving paradigm-level leaps in fundamental science and engineering. Its positive value primarily focuses on two main directions: first, the simulation of complex quantum systems, including quantum chemistry, drug discovery, new materials, and energy technology; second, solving highly complex optimization problems, including logistics, finance, supply chain, chip design, and industrial scheduling. Among these, quantum simulation is widely considered a long-term application scenario with higher certainty, while complex optimization remains in the exploration and validation phase. Currently, quantum computing is at a critical stage transitioning from lab prototypes to engineering applications, with decoherence, physical noise, error correction overhead, and system scalability remaining the core barriers to crossing the industrialization chasm.
The quantum threat fundamentally targets the foundation of modern public-key cryptosystems, spreading layer by layer along the logic of 'data lifetime × migration difficulty × attack payoff': National security, military, and intelligence systems are the first to face the strategic-level risk of 'Harvest Now, Decrypt Later' (HNDL). Financial and payment infrastructures, deeply reliant on TLS, HSMs, and identity authentication systems, will be the first to enter the compliance migration track. Internet trust roots and the Blockchain/Web3 ecosystem face multiple systemic risks including code signing, cloud-based key management (KMS), the irreversibility of on-chain assets, and governance migration. In contrast, sectors like healthcare, energy, industrial control, and IoT will form long-term, difficult-to-eradicate tail risks due to long device lifecycles and narrow upgrade windows.

Time Window and Planning Rule: Q-Day and Mosca's Inequality
Q-Day refers to the time point when a quantum computer first possesses the practical capability to crack mainstream public-key cryptography. It is not a fixed date but a probability interval influenced jointly by hardware progress, error correction capabilities, algorithmic optimizations, and the secrecy of national projects. The current mainstream expectation is roughly concentrated between 2035 and 2045, with fast scenarios potentially advancing to 2030-2035, while before 2030 is considered a low-probability tail risk.
Mosca's Inequality X + Y > Z explains why post-quantum migration has real urgency even before Q-Day arrives. Here, X is the time data needs to remain confidential, Y is the time required to complete cryptographic migration, and Z is the remaining time until Q-Day. As long as the sum of the data lifecycle and the migration period exceeds the remaining time until Q-Day, the system is already in a migration lag zone: data collected today may be decrypted by quantum computing in the future. Therefore, quantum-resistant security is not an emergency engineering task after Q-Day arrives but a long-term infrastructure migration that must be initiated in advance.

Figure 3: Distribution of Expert Q-Day Predictions in 2026. Each bar shows a single source's plausible window; dots mark central estimates.
Color coding represents speaker category: Red = Aggressive Industry; Orange = Benchmark Survey/Consensus; Blue = Hardware Roadmap; Green = Skeptics.
Post-Quantum Cryptography (PQC): Technical Routes, Standardization, and Industry Migration Overview
Post-Quantum Cryptography (PQC), also known as quantum-resistant cryptography or quantum-safe cryptography, refers to a new generation of cryptographic algorithm systems designed to resist future attacks by quantum computers. Its core feature is that it still runs on existing classical computing architectures, but its security is based on mathematical problems that are also difficult for quantum computers to solve efficiently. PQC has become the most realistic and scalable mainstream approach for quantum-resistant migration of global digital infrastructure.
Main Technical Routes: The Duel Between Lattice-based and Hash-based Signatures
Current PQC research and implementation primarily focus on several major mathematical families:
-
Lattice-based Cryptography: Security is based on hard problems in high-dimensional lattices (e.g., Module-LWE). It combines efficiency and security, making it the core direction for current standardization and engineering implementation. Representative algorithms are ML-KEM and ML-DSA.
-
Hash-based Signatures: Rely solely on the collision resistance of hash functions. The mathematical assumptions are extremely simple and conservative. The representative standard is SLH-DSA.
-
Other Routes: Code-based cryptography (HQC) was selected by NIST as the fifth PQC algorithm in March 2025, serving as a non-lattice backup to ML-KEM, with a draft standard expected in 2026 and a final standard in 2027. Multivariate and Isogeny-based cryptography have not entered NIST's first batch of standardization mainstream due to security or efficiency concerns. The Isogeny route, in particular, suffered a major setback when the SIKE algorithm was broken.
Standardization Milestone: NIST Establishes the 'One KEM, Two Signatures' Landscape
The FIPS standardization process led by the National Institute of Standards and Technology (NIST) is the key turning point driving PQC from theory to application. In August 2024, NIST officially released three core standards, establishing the basic division of labor for PQC migration:
-
FIPS 203 (ML-KEM): A lattice-based Key Encapsulation Mechanism (KEM), responsible for key exchange.
-
FIPS 204 (ML-DSA): A lattice-based digital signature algorithm, responsible for general-purpose digital signatures.
-
FIPS 205 (SLH-DSA): A stateless hash-based digital signature algorithm, serving as a backup option for high-security signatures.
Industry Implementation Ecosystem: A Three-Tier Architecture of Mainstream, Transitional, and Auxiliary
In addition to the core algorithms, building a quantum-resistant security system relies on multi-layered engineering strategies:
-
Hybrid Deployment: Adopting a parallel signature/encryption model of 'Traditional Algorithm (e.g., ECC/RSA) + PQC,' serving as a risk-hedging measure in the early stages of migration, ensuring baseline security is still provided by the traditional algorithm even if the new algorithm has unknown vulnerabilities.
-
Cryptographic Agility: Designing architectures to enable systems to quickly replace, upgrade, or roll back algorithms to respond to future risks of algorithm compromise.
-
Auxiliary Enhancement Technologies: Include Quantum Key Distribution (QKD) (suitable for government/military private networks but cannot replace internet signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave), used to enhance random number quality and key storage security.

Figure 4: Panorama of Quantum-Resistant Routes
Quantum Risks and Quantum-Resistant Practices in the Blockchain Industry
Blockchain is not the primary target of quantum threats, but it is one of the most valuable 'stress test' scenarios. Compared to traditional Web2, which relies on centralized mechanisms (like certificate rotation, account freezing) to buffer data breach risks, blockchain directly and instantaneously transforms underlying cryptographic crises into asset loss and governance deadlocks. Its architecture's underlying 'triple irreversibility' – permanent public ledger, irreversible asset transfer, and private key self-custody – means assets with exposed public keys may face private key recovery and signature forgery, with no centralized safety net. More critically, the elliptic curve and BLS signature systems heavily relied upon by mainstream public chains face structural collapse in the face of Shor's algorithm; once a Cryptographically Relevant Quantum Computer (CRQC) emerges, attackers could derive private keys from publicly exposed on-chain public keys and forge signatures, fundamentally shaking the trust foundation of blockchain.

Threat Map of Cryptographic Components in Blockchain Systems
For the blockchain industry, the core proposition is not dealing with immediate hackers but initiating a 'migration countdown' race against time. Quantum computing won't instantly destroy blockchain, but it will force the industry through a more difficult underlying cryptographic reconstruction than Web2. The real risk is not the lack of standardized post-quantum algorithms, but whether the entire ecosystem can complete a full-chain coordinated migration from underlying protocols to existing assets before Q-Day (the critical time point when CRQC gains practical cracking capability).
In this process, the quantum threat does not descend uniformly but propagates level by level along the five-layer architecture: 'Assets, Protocol, Infrastructure, Applications, Governance.' The key insight is that high-value infrastructure layers (e.g., exchanges, custodians, cross-chain bridges) will face pressure before the L1 mainnet protocol. The ultimate bottleneck determining the success of this full-chain migration is not the replacement of cryptographic technology but the extremely complex social consensus and governance struggles.

Bitcoin and Ethereum's Quantum-Resistant Practices
Bitcoin's Quantum Risk: Public Key Exposure, Signature Bloat, and Governance Friction
Bitcoin's quantum risk is not evenly distributed across all BTC but highly depends on whether the public key has already been exposed on-chain. The real high risk is not all UTXOs network-wide but concentrated in early legacy outputs, addresses with exposed public keys that still hold a balance, and long-dormant, high-value UTXOs. Bitcoin's hash components (SHA-256, SHA256d, and RIPEMD-160) mainly face a reduction in security margin due to Grover's algorithm, rather than the structural collapse of ECDSA/Schnorr by Shor's algorithm.
-
High Risk: UTXOs with Statically Exposed Public Keys: Early P2PK, Taproot (P2TR) outputs, and already spent, reused P2PKH/P2WPKH addresses that still hold a balance. Their full public keys are permanently on-chain; they will be the first to be directly broken by Shor's algorithm once CRQCs emerge.
-
Medium Risk: UTXOs with Public Keys Not Yet Exposed but Will Be in the Future: Unspent and unreused P2PKH/P2WPKH addresses. Only the public key hash is exposed on-chain; risk exists only within the brief 'quantum preemption window' from when a future transaction is broadcast until confirmation.
-
Low Risk: Assets Migrated to Quantum-Safe Addresses: Assets migrated to Post-Quantum (PQ) addresses via a soft fork in the future will see significantly reduced risk, but this highly depends on the long-term coordinated upgrade of the entire ecosystem.
Engineering Challenges: Signature Bloat and the 'Soft Fork First' Path
Under Bitcoin's governance structure, the political cost of a one-time hard fork to phase out ECDSA/Schnorr is extremely high. Introducing new quantum-safe output types via a soft fork is a more realistic incremental path. Current discussions include directions like BIP-360 / P2MR (Pay-to-Merkle-Root), but they are still far from full network consensus and activation.
This move must pay a high 'engineering tax': current ECDSA/Schnorr signatures are only about 64–72 bytes, while candidate algorithms like ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) see their size increase by tens to hundreds of times. This magnitude of bloat triggers systemic chain reactions: directly increasing block weight and transaction fees, exacerbating node storage and bandwidth burdens, significantly worsening the UTXO set and wallet UX, ultimately creating negative feedback that increases resistance to network-wide quantum-resistant migration.
More importantly, Bitcoin lacks rapid algorithm switching capability. Unlike centralized systems that can be upgraded by a single entity replacing certificates or algorithms, Bitcoin requires synchronous adaptation of consensus rules, address formats, wallets, mining pools, exchanges, custodians, and hardware wallets. Therefore, quantum-resistant migration is not a single-point technical upgrade but a long-term coordinated engineering effort across the entire ecosystem.
Governance Dilemma: The 'Values Conundrum' of Legacy UTXOs
Even if PQ addresses are successfully launched, how to handle legacy UTXOs that remain un-migrated for a long time, including what the market generally considers early, long-dormant BTC from the Satoshi era, remains the ultimate dilemma. Two extreme solutions conflict with Bitcoin's core values:
-
Do Nothing: Legacy coins become a 'free lunch' for the first attacker possessing CRQC capability, triggering market panic.
-
Forcibly Freeze/Invalidate: Directly violates the property principle of 'Not your keys, not your coins' and the immutability narrative, easily tearing apart community consensus and potentially causing a chain fork.
A pragmatic compromise path is implementing a multi-year 'Legacy Sunset' mechanism: issuing long-term deprecation warnings, gradually increasing relay policy friction for spending old outputs, and finally imposing constraints via a soft fork under multi-party coordination. Discussions like BIP-361 regarding a legacy signature sunset essentially explore this path.
Therefore, Bitcoin migration is fundamentally not a cryptography problem. PQ algorithms already exist and can be integrated; the real bottleneck lies in the social consensus around issues like immutability, property rights, and the legitimacy of 'declaring assets quantum-unsafe.' In other words, Bitcoin's quantum risk is not a doomsday scenario where everything suddenly goes to zero one day, but a gradual process from theoretical feasibility, economic costliness, to practical executability; what the industry truly needs to strive for is completing migration coordination before the attack economics become viable.

Figure 5: Bitcoin Quantum-Resistant Migration: A Long-Term Governance Process
Ethereum Quantum-Resistant Migration – Full-Stack Refactoring and the 'Lean' Roadmap
Ethereum is actively addressing the quantum threat. Led by the Ethereum Foundation (EF) Post-Quantum team (https://pq.ethereum.org/), research is steadily progressing through open governance processes like All Core Devs. Its core strategy is not 'betting everything on a single PQ algorithm at once' but comprehensively enhancing the network's Cryptographic Agility – ensuring that account authentication, consensus signatures, proof systems, and data layer commitments have long-term replaceable, upgradable, and verifiable capabilities.
Ethereum's quantum risk is highly concentrated in four cryptographic components: EOA accounts (ECDSA/secp256k1), validator consensus (BLS signatures), data availability (KZG commitments), and some ZK proof systems. Accordingly, EF has designed a 'Lean' roadmap advancing in parallel along three tracks: execution, consensus, and data.
-
Execution Layer (User Accounts): Account Abstraction as Buffer and L2 as Testing Ground
Facing the vast number of EOAs, direct hard fork resistance is immense. Ethereum leverages Account Abstraction (e.g., ERC-4337 and EIP-7702) to grant smart contract wallets 'signature agility,' supporting hybrid signatures and incremental migration, avoiding forced full-network coordination. Simultaneously, L2s, with their flexible governance, serve as natural testing grounds for PQ deployment.
-
Consensus Layer (Validator Signatures): The 'One-Two Punch' of leanXMSS and leanVM
Aims to completely replace BLS signatures which rely on elliptic curve pairings. The core strategy is to adopt the hash-based leanXMSS combined with a minimal zkVM (leanVM) for SNARK aggregation. Key engineering breakthrough: leanVM is expected to compress the bulky hash signature data by approximately 250 times, offsetting PQ signature size bloat, preserving the 'multi-signatures aggregated into one' scaling advantage while entering the post-quantum era.
-
Data Layer (Blobs, DA & KZG): Long-Term Refactoring of Underlying Commitments
Under CRQC conditions, the underlying security assumptions of KZG still need to be re-evaluated, with long-term migration to more PQ-friendly commitment or proof systems. Its ultimate direction is evolving towards hash-based STARKs or lattice-based commitment schemes. This is a multi-year, protocol-level refactoring, not an immediate failure.
Furthermore, Ethereum's quantum risk is not evenly distributed. EOAs represent the largest value pool; exchange, bridge, custodial hot wallet, governance/upgrade keys, L2 sequencer, and admin keys are high-value operational keys that may face pressure before the protocol itself. Overall, Ethereum's quantum-resistant migration is not a single-point signature replacement but a multi-year, full-stack engineering effort involving accounts, consensus, DA, ZK, L2s, bridges, custody, and formal verification.

Figure 6: Ethereum Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures), and Data (Commitments & Proofs).

Bitcoin vs. Ethereum Post-Quantum Migration Profile Panoramic Comparison
Theoretically, all public chains relying on traditional public-key cryptography face quantum risks. However, the chains that truly constitute a systemic quantum-resistant migration proposition are primarily Bitcoin and Ethereum: the former involves legacy UTXOs, immutability, and property rights governance; the latter involves full-stack refactoring of accounts, consensus, DA, ZK, and L2s. Other public chains are better suited as supplementary references for technical paths and risk scenarios.
-
Solana represents high-throughput chains' engineering exploration of PQ signature verification costs. Its community has had discussions about validating syscalls for Falcon-512 / FN-DSA, but this scheme remains exploratory and supplemental, not replacing existing Ed25519, nor does it represent an official migration roadmap for Solana.
-
Starknet / STARKs represent the more PQ-friendly ZK route of hash-based proof systems. Compared to SNARK systems relying on pairings/KZG, STARKs' underlying proof mechanisms are more suitable as a post-quantum ZK direction. However, this does not mean the entire Starknet network is already quantum-safe; wallet signatures, hash parameters, bridging mechanisms, and Ethereum L1 settlement still require synchronous migration.
-
QRL, Quantus, Abelian and other native or quasi-native PQ chains provide technical references for clean-slate post-quantum designs: QRL represents the early hash-based signature route, Quantus represents the narrative of native PQ L1 with new-generation NIST PQC, and Abelian leans towards lattice-based privacy-preserving L1. Their path 'building quantum-resistant chains from day one' is feasible, but their network effects, liquidity, and application ecosystems remain far weaker than BTC/ETH, making them better suited as technical samples.
Conclusion: Security Debt Maturity and the Entire Ecosystem's 'Q-Day' Countdown
Quantum computing is not an apocalyptic 'doomsday weapon' to end blockchain but a systemic reset of modern public-key cryptosystems. The core threat lies in future large-scale, fault-tolerant quantum computers (CRQC) possessing strategic-level cracking capabilities. The industry's real risk is not the lack of post-quantum algorithms (PQC), but whether the entire Web3 ecosystem can complete a full-chain coordinated migration before Q-Day (the quantum cracking critical point). In the short to medium term, the risk of current signature systems failing and the high cost of full-stack upgrades constitute a heavy 'security debt.' In the long run, survival pressure will transform into an industrial catalyst, directly spawning new security infrastructure sectors like PQ hybrid wallets, quantum-resistant institutional custody, quantum risk radar, and PQ signature aggregation.
Although the macro preparation period may be as long as 5–15 years, the truly comfortable 'engineering window' may only be 5–8 years left. This requires high-level coordination across the entire chain (from BIP/EIP proposals, node implementations, wallet adaptations, to exchange and custodian compliance upgrades). More importantly, market re-pricing may occur before Q-Day itself: if quantum resource estimates continue to be revised downward, hardware roadmaps significantly accelerate, or regulatory agencies and large custodians first propose PQC compliance requirements, the market may begin re-evaluating the cryptographic security model of blockchain assets earlier. Within this window, the two core ecosystems will face distinctly different ultimate tests:
-
Bitcoin: The core challenge is not cryptography but global social consensus and property rights governance. How to handle long-dormant Legacy UTXOs with exposed public keys is a political battle concerning the foundational narrative of 'immutability.'
-
Ethereum: The core challenge lies in the engineering complexity of multi-layered protocols and the full-stack ecosystem. How to complete cryptographic replacements across account, consensus, DA, and ZK layers without causing network paralysis, while offsetting signature size bloat.
In long-term asset allocation, post-quantum governance friction constitutes a 'structural tail risk' for BTC but is by no means a reason for immediate bearishness. Its 'difficult-to-change' extremely conservative governance presents a double-edged sword effect: it is both the greatest resistance to quantum-resistant migration and the core moat maintaining its value storage narrative and resisting centralized intervention. This requires investors to discard the static belief that 'BTC never needs major upgrades.' In the future, if any of the following scenarios occur – the Q-Day timeline is substantively accelerated, the community refuses to advance PQ migration while the peripheral ecosystem has already taken action, high-value exposed public key UTXOs trigger panic selling, or the handling of legacy assets leads to complete division – the market will re-discount BTC's security model and underlying consensus.








