Bitcoin Quantum ‘Doomsday’ Fears Are Overblown, a16z Research Says

bitcoinist | Published on 2025-12-08 | Last updated on 2025-12-08

Abstract

a16z research argues that quantum computing threats to Bitcoin are overstated, with a "cryptographically relevant quantum computer" unlikely before 2030. The real risk isn't sudden collapse but a complex, years-long migration to post-quantum cryptography. The report distinguishes between encryption (urgent for long-term data secrecy) and signatures (only vulnerable after a CRQC exists, allowing only future forgeries). Bitcoin faces specific challenges due to slow governance, exposed old coins, and low throughput, making migration difficult. However, critics like Nic Carter and Alex Pruden strongly disagree, citing rapid quantum advances—like 6,000+ physical qubit systems and improved error correction—that could enable attacks sooner. They warn blockchains, with their public keys tied to visible value, are prime targets and that migration will be far harder and slower than in traditional finance, requiring urgent action now.

A new a16z crypto research paper argues that apocalyptic narratives about quantum computers instantly killing Bitcoin are badly misaligned with reality, and that the real risk for blockchains lies in long, messy migrations rather than a sudden “Q-Day” collapse. The piece has already triggered a sharp rebuttal on X from investors who say the threat is closer and harder than a16z suggests.

Bitcoin Isn’t Doomed By Quantum Computing: a16z

In the article “Quantum computing and blockchains: Matching urgency to actual threats,” a16z research partner and Georgetown computer science professor Justin Thaler sets the tone early, writing that “Timelines to a cryptographically relevant quantum computer are frequently overstated — leading to calls for urgent, wholesale transitions to post-quantum cryptography.” He argues that this hype distorts cost–benefit analyses and distracts teams from more immediate risks such as implementation bugs.

Thaler defines a “cryptographically relevant quantum computer” (CRQC) as a fully error-corrected machine capable of running Shor’s algorithm at a scale where it can break RSA-2048 or elliptic-curve schemes like secp256k1 in roughly a month of runtime. In his assessment, a CRQC in the 2020s is “highly unlikely,” and public milestones do not justify claims that such a system is probable before 2030.

He stresses that across trapped-ion, superconducting and neutral-atom platforms, no device is close to the hundreds of thousands to millions of physical qubits, with the required error rates and circuit depth, that would be needed for cryptanalysis.

Instead, the a16z piece draws a sharp line between encryption and signatures. Thaler argues that harvest-now-decrypt-later (HNDL) attacks already make post-quantum encryption urgent for data that must remain confidential for decades, which is why large providers are rolling out hybrid post-quantum key establishment in TLS and messaging.

But he insists that signatures, including those securing Bitcoin and Ethereum, face a different calculus: they do not protect hidden data that can be retroactively decrypted, and once a CRQC exists, the attacker can only forge signatures going forward.

On that basis, the paper claims that “most non-privacy chains” are not exposed to HNDL-style quantum risk at the protocol level, because their ledgers are already public; the relevant attack is forging signatures to steal funds, not decrypting on-chain data.

Bitcoin-Specific Headaches

Thaler still flags Bitcoin as having “special headaches” due to slow governance, limited throughput and large pools of exposed, potentially abandoned coins whose public keys are already on-chain, but he frames the time window for a serious attack in terms of at least a decade, not a few years.

“Bitcoin changes slowly. Any contentious issues could trigger a damaging hard fork if the community cannot agree on the appropriate solution,” Thaler writes, adding “another concern is that Bitcoin’s switch to post-quantum signatures cannot be a passive migration: Owners must actively migrate their coins.”

Moreover, Thaler flags a “final issue specific to Bitcoin,” which is its low transaction throughput. “Even once migration plans are finalized, migrating all quantum-vulnerable funds to post-quantum-secure addresses would take months at Bitcoin’s current transaction rate,” Thaler says.

He is equally skeptical of rushing into post-quantum signature schemes at the base layer. Hash-based signatures are conservative but extremely large, often several kilobytes, while lattice-based schemes such as NIST’s ML-DSA and Falcon are compact but complex and have already produced multiple side-channel and fault-injection vulnerabilities in real-world implementations. Thaler warns that blockchains risk weakening their security if they jump too early into immature post-quantum primitives under headline pressure.

Industry Split On The Risk

The most forceful pushback has come from Castle Island Ventures co-founder Nic Carter and Project 11 CEO Alex Pruden. Carter summed up his view on X by saying the a16z work “wildly underestimates the nature of the threat and overestimates the time we have to prepare,” pointing followers to a long thread from Pruden.

Pruden begins by stressing respect for Thaler and the a16z team, but adds, “I disagree with the argument that quantum computing is not an urgent problem for blockchains. The threat is closer, the progress faster, and the fix harder than how he’s framing it & than most people realize.”

He argues that recent technical results, not marketing, should anchor the discussion. Citing neutral-atom systems that now support more than 6,000 physical qubits, Pruden points out that “we now have a non annealing system with more than 6000 physical qubits in the neutral atom architecture,” directly contradicting any implication that only non-scalable annealing architectures have reached that scale. He notes that work such as Caltech’s 6,100-qubit tweezer array shows large, coherent, room-temperature neutral-atom platforms are already a reality.

On error correction, Pruden writes that “surface code error correction was experimentally demonstrated last year, moving it from a research problem into an engineering problem,” and points to rapid advances in color codes and LDPC codes.

He highlights Google’s updated “Tracking the Cost of Quantum Factoring” estimates, which show that a quantum computer with about one million noisy physical qubits running for roughly a week could, in principle, break RSA-2048 — a twenty-fold reduction from Google’s own 2019 estimate of twenty million qubits. “Resource estimates for a CRQC running Shor’s algorithm have dropped by two orders of magnitude in six months,” he notes, concluding, “To say that this trajectory of progress might potentially deliver a quantum computer before 2030 is not an overstatement.”

Where Thaler emphasizes HNDL as an encryption problem, Pruden reframes blockchains as uniquely attractive quantum targets. He stresses that “public keys used in digital signatures are just as easy to harvest as encrypted messages,” but in blockchains those keys are directly tied to visible value. He points out that “these public keys are distributed & directly associated with value ($150B for Satoshi’s BTC alone),” and that once a quantum adversary can forge signatures, “If you can forge a signature, you can steal the asset regardless of when that original UTXO/account was created.”

For Pruden, this economic reality means “the economic incentives simply and clearly point to blockchains as being the first cryptographically relevant quantum use case,” even if other sectors also face HNDL risks. He adds that “blockchains will be far slower to migrate than centralized systems. A bank can upgrade its stack. Blockchains must reach global consensus, absorb performance trade-offs from PQ signatures, and coordinate millions of users to migrate their keys.”

Invoking Ethereum’s multi-year shift from proof of work to proof of stake, he writes, “The closest thing was the ETH 1.0 to 2.0 transition which took years, and as complex as that was, a PQ migration is much harder. Anyone who thinks this is a matter of swapping a few lines of signature code has simply never shipped, deployed, or maintained a production blockchain.”

Pruden agrees with Thaler that panic is dangerous, but flips the conclusion: “I agree that rushing is dangerous. But that is exactly why work must begin now. The most likely failure mode is that the industry waits too long, and then a major QC milestone triggers a panic.” He closes by saying he disagrees that “quantum computing is progressing slowly,” that “blockchains are less vulnerable than systems exposed to HNDL risk,” or that “the industry has years of slack before action is needed,” arguing that “All three assumptions are at odds with reality.”

At press time, Bitcoin stood at $91,616.

Bitcoin remains below the 0.618 Fib, 1-week chart | Source: BTCUSDT on TradingView.com
