a16z | Racing with Quantum Computing: A Cautious Transition Guide to Post-Quantum Cryptography for Blockchain


Written by: Justin Thaler, a16z crypto research partner and associate professor of computer science at Georgetown University
Translated by: Yangz, Techub News

Predictions about the emergence of cryptography-related quantum computers are often exaggerated, leading to calls for an urgent and comprehensive shift to post-quantum cryptography. These calls often overlook the costs and risks of premature migration and ignore the distinctly different risk characteristics of various cryptographic primitives:

  • Post-quantum encryption, despite its high costs, needs to be deployed immediately: The "Harvest Now, Decrypt Later" (HNDL) attack is already underway, and the sensitive data currently encrypted will still hold value when quantum computers truly arrive (even if it takes decades). Moreover, while there are indeed performance overheads and implementation risks associated with post-quantum encryption, the HNDL attack leaves us with no choice for data that needs to remain confidential for a long time.

  • Post-quantum signatures face different considerations. They are not exposed to HNDL attacks, and their costs and risks (larger signatures and keys, performance overhead, immature implementations, and potential vulnerabilities) call for a cautious approach rather than immediate migration.

These distinctions are crucial. Misunderstanding them distorts cost-benefit analyses and leads teams to overlook more pressing security risks, such as implementation vulnerabilities.

The real challenge in successfully transitioning to post-quantum cryptography is matching urgency with actual threats. Below, I will clarify common misconceptions about the threat of quantum computing to cryptography, covering encryption, signatures, and zero-knowledge proofs, with a particular focus on their impact on blockchain.

What stage are we at?

Despite much hype, the likelihood of cryptography-related quantum computers (CRQC) emerging within the 2020s is extremely low.

By "cryptography-related quantum computers," I mean a fault-tolerant, error-corrected quantum computer capable of running a sufficiently scaled Shor's algorithm to attack elliptic curve cryptography or RSA within a reasonable timeframe (for example, breaking secp256k1 or RSA-2048 with at most a month of continuous computation). According to any reasonable interpretation of publicly known milestones and resource estimates, we are far from achieving a cryptography-related quantum computer. Some companies occasionally claim that CRQC may appear before 2030 or as far out as 2035, but publicly known progress does not support these claims.

Across all current architectures, including ion traps, superconducting qubits, and neutral atom systems, no quantum computing platform is close to running Shor's algorithm to break RSA-2048 or secp256k1, which requires hundreds of thousands to millions of physical qubits (depending on error rates and error correction schemes). The limiting factors are not only the number of qubits but also gate fidelity, qubit connectivity, and the depth of error-correcting circuits required to run deep quantum algorithms. While some systems now have over 1,000 physical qubits, relying solely on the raw number of qubits is misleading: these systems lack the qubit connectivity and gate fidelity necessary for cryptography-related computations. The latest systems are approaching the physical error rates where quantum error correction starts to be effective, but no one has yet demonstrated more than a handful of logical qubits with sustained error-correcting circuit depth… let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits required to actually run Shor's algorithm.

There remains a vast gap between proving the feasibility of quantum error correction and reaching the scale needed for cryptanalysis. In short, until the number and fidelity of qubits improve by several orders of magnitude, cryptography-related quantum computers remain out of reach. Publicly known progress does not support the expectation of a cryptography-related quantum computer emerging within the next five years that could break RSA-2048 or secp256k1. As for the U.S. government setting 2035 as the deadline for a full transition of government systems to post-quantum (PQ) cryptography? I believe this is a reasonable timeline for completing such a large-scale transformation. However, this does not predict that a cryptography-related quantum computer will exist by then.

In what scenarios do HNDL attacks apply?

The "Harvest Now, Decrypt Later" (HNDL) attack refers to attackers storing encrypted traffic now to decrypt it later when cryptography-related quantum computers become available. Nation-state attackers have certainly archived large amounts of encrypted communications from the U.S. government to decrypt these communications many years later when CRQC truly exists. This is why encryption technology needs to shift immediately—at least for anyone with confidentiality needs extending 10-50 years.

However, digital signatures (the technology all blockchains rely on) are different from encryption. Once a cryptography-related quantum computer exists, forging signatures becomes possible from that moment on, but past signatures do not "hide" secrets the way encrypted messages do. As long as you know that a digital signature was generated before the CRQC appeared, it cannot have been forged. This makes the transition to post-quantum digital signatures less urgent than the transition to post-quantum encryption.

Currently, mainstream platforms are taking action accordingly: Chrome and Cloudflare have launched hybrid X25519+ML-KEM schemes for Transport Layer Security (TLS) encryption; Apple's iMessage has also deployed this hybrid post-quantum encryption through its PQ3 protocol; Signal has done the same with its PQXDH and SPQR protocols.

In contrast, the deployment of post-quantum digital signatures in critical network infrastructure has been postponed until the emergence of cryptography-related quantum computers, as current post-quantum signature schemes would result in performance regressions (which will be discussed in more detail later in this article).

zkSNARKs (which are crucial for the long-term scalability and privacy of blockchains) are in a similar situation to signatures. This is because, even for those zkSNARKs that are not post-quantum secure (which use elliptic curve cryptography, just like today's non-post-quantum encryption and signature schemes), their zero-knowledge properties are post-quantum secure. The zero-knowledge property ensures that no information about the secret witness is leaked in the proof—even to quantum attackers—so there is no confidential information that needs to be "harvested now" for future decryption.

Thus, zkSNARKs are not easily affected by HNDL attacks. Just as non-post-quantum signatures generated today are secure, any zkSNARK proof generated before the emergence of cryptography-related quantum computers is trustworthy (i.e., the proven statement is certainly true), even if the zkSNARK uses elliptic curve cryptography. Only after the emergence of cryptography-related quantum computers can attackers find convincing proofs for false statements.

What does this mean for blockchain?

Most blockchains are not easily affected by HNDL attacks: most non-privacy chains (like current Bitcoin and Ethereum) primarily use non-post-quantum cryptography for transaction authorization. In other words, they use digital signatures rather than encryption. To reiterate, these signatures do not pose HNDL risks: HNDL attacks apply to encrypted data. For example, the Bitcoin blockchain is public; the quantum threat lies in signature forgery (deriving private keys to steal funds), not in decrypting already public transaction data. This alleviates the urgent cryptographic pressure from HNDL attacks.

Unfortunately, even analyses from trusted sources like the Federal Reserve incorrectly claim that Bitcoin is vulnerable to HNDL attacks, which exaggerates the urgency of transitioning to post-quantum cryptography. Of course, a reduced urgency does not mean Bitcoin can wait: it faces different time pressures from the significant social coordination required for protocol changes. (More on Bitcoin's unique challenges below.)

The current exception is privacy chains, many of which encrypt or otherwise obscure the recipient and amount. Those ciphertexts can be harvested today, and once quantum computers can break elliptic curve cryptography, users can be retroactively de-anonymized.

For such privacy chains, the severity of the attack varies by blockchain design. For example, for Monero's curve-based ring signatures and key images (which prevent double-spending by linking each output), the public ledger alone is sufficient to retroactively reconstruct the spending graph. But in other chains, the damage is more limited—see Zcash cryptographic engineer and researcher Sean Bowe's discussion for details.

If users believe it is important that their transactions are not exposed to cryptography-related quantum computers, then privacy chains should transition to post-quantum primitives (or hybrid schemes) as soon as feasible. Alternatively, they should adopt architectures that avoid placing decryptable secrets on the chain.

Bitcoin's Unique Challenges: Governance and Abandoned Coins

For Bitcoin, two realities drive the urgency to begin transitioning to post-quantum digital signatures. Both are unrelated to quantum technology:

  1. First is the speed of governance: Bitcoin changes slowly. If the community cannot reach a consensus on an appropriate solution, any contentious issue could lead to a destructive hard fork.

  2. Second, the switch to post-quantum signatures for Bitcoin cannot be a passive migration: owners must actively migrate their coins. This means that abandoned coins, which are vulnerable to quantum attacks, cannot be protected. According to some estimates, the number of Bitcoin that are vulnerable to quantum attacks and may be abandoned could reach millions.

However, the quantum threat facing Bitcoin will not be a sudden, overnight apocalypse; rather, it will resemble a selective, gradual process of picking targets. Quantum computers will not break all keys simultaneously: Shor's algorithm must be run against one public key at a time, and early quantum attacks will be extremely costly and slow. Therefore, once a quantum computer can break a single Bitcoin signing key, attackers will selectively plunder high-value wallets.

Moreover, users who avoid address reuse and do not use Taproot addresses (which directly expose public keys on-chain) are fundamentally protected even without protocol changes: their public keys remain hidden behind hash functions until the coins are spent. When they eventually broadcast a spending transaction, the public key becomes visible, leading to a brief real-time race: on one side, honest spenders need to get their transactions confirmed, while on the other, any attacker equipped with quantum devices hopes to find the private key and spend those coins before the legitimate owner's transaction is confirmed. Thus, the truly vulnerable coins are those whose public keys have already been exposed: early P2PK outputs, reused addresses, and coins held in Taproot.
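The distinction above (keys exposed directly in P2PK and Taproot outputs versus keys hidden behind a hash until an address is spent from) can be turned into a simple inventory check. The following Python script is an added example, not code from the article, a16z, or any Bitcoin project. It classifies unspent outputs by their standard output-script template and reports how much value sits behind an already-visible public key; the UTXO set, key bytes, values and the set of previously revealed hashes are all constructed sample data, and a real node would populate the revealed set by computing HASH160 of every public key or redeem script seen in earlier spend inputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    txid: str            # constructed identifier, not a real transaction id
    vout: int
    value_sat: int
    script_pubkey: bytes  # raw Bitcoin Script bytes of the output


def classify_script(spk: bytes) -> str:
    """Match the standard Bitcoin output templates by their byte shape."""
    if len(spk) in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return "P2PK"     # <pubkey> OP_CHECKSIG: raw public key on-chain
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"     # OP_HASH160 <20> OP_EQUAL
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"   # OP_0 <20-byte key hash>
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"    # OP_0 <32-byte script hash>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"     # OP_1 <32-byte x-only output key>: key is on-chain
    return "UNKNOWN"


def hash_commitment(spk: bytes):
    """The hash a hash-based output commits to, or None if the key is already raw."""
    kind = classify_script(spk)
    if kind == "P2PKH":
        return spk[3:23]
    if kind in ("P2SH", "P2WPKH"):
        return spk[2:22]
    if kind == "P2WSH":
        return spk[2:34]
    return None


def is_key_exposed(utxo: Utxo, revealed_hashes: set) -> bool:
    """True when a quantum attacker could already read the key this output depends on.

    P2PK and P2TR place the key on-chain. Hash-based outputs expose it only if
    the same hash has been spent from before (address or script reuse), in which
    case the earlier spend already revealed the preimage."""
    kind = classify_script(utxo.script_pubkey)
    if kind in ("P2PK", "P2TR"):
        return True
    commitment = hash_commitment(utxo.script_pubkey)
    return commitment is not None and commitment in revealed_hashes


def exposure_report(utxos, revealed_hashes: set) -> dict:
    """Sum value (in satoshi) by exposure status and output type."""
    report = {"exposed_sat": 0, "hashed_sat": 0, "by_type": {}}
    for u in utxos:
        kind = classify_script(u.script_pubkey)
        status = "exposed" if is_key_exposed(u, revealed_hashes) else "hashed"
        report[f"{status}_sat"] += u.value_sat
        report["by_type"].setdefault(kind, {"exposed": 0, "hashed": 0})
        report["by_type"][kind][status] += u.value_sat
    return report


# ---- constructed sample data (shapes are realistic, contents are not) ----
KEY_A = bytes.fromhex("02" + "11" * 32)        # compressed-key-shaped bytes
HASH_REUSED = bytes([0xAA]) * 20                # a key hash spent from before
HASH_FRESH = bytes([0xBB]) * 20                 # a key hash never spent from

SAMPLE_UTXOS = [
    Utxo("tx-a", 0, 50_0000_0000, bytes([0x21]) + KEY_A + bytes([0xAC])),  # early P2PK
    Utxo("tx-b", 1, 1_0000_0000, b"\x76\xa9\x14" + HASH_REUSED + b"\x88\xac"),  # reused
    Utxo("tx-c", 0, 2_0000_0000, b"\x00\x14" + HASH_FRESH),                  # fresh P2WPKH
    Utxo("tx-d", 0, 3_0000_0000, b"\x51\x20" + bytes([0xCC]) * 32),          # Taproot
    Utxo("tx-e", 2, 4_0000_0000, b"\xa9\x14" + bytes([0xDD]) * 20 + b"\x87"),  # P2SH
]
# Hashes whose preimages a node has already seen in earlier spend inputs (constructed).
REVEALED = {HASH_REUSED}

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, REVEALED))
```

Run stand-alone, the report shows 54 BTC of the sample set exposed (the P2PK, the reused P2PKH and the Taproot output) and 6 BTC still behind unrevealed hashes. The P2SH and P2WSH buckets deserve a caveat: the hidden redeem script may itself contain raw keys, so "hashed" means only that nothing is visible yet, not that the script is quantum-safe once spent.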

As for the abandoned coins that are vulnerable, there are no simple solutions. Some options include:

  1. The Bitcoin community could agree on a "deadline," after which any un-migrated coins would be declared destroyed.

  2. Allow the abandoned quantum-vulnerable coins to be seized by those with cryptography-related quantum computers.

The second option would raise serious legal and security issues. Using a quantum computer to gain ownership of coins without the private key, even if claiming to have legitimate ownership or acting in good faith, could trigger serious problems under theft and computer fraud laws in many jurisdictions.

Additionally, "abandoned" is itself a presumption based on inactivity. No one truly knows whether these coins still have living owners who hold the keys. Evidence that you once owned these coins may not be sufficient legal authorization to break cryptographic protections in order to reclaim them. This legal ambiguity increases the likelihood that abandoned quantum-vulnerable coins will fall into the hands of malicious actors willing to ignore legal constraints.

The final Bitcoin-specific issue is its low transaction throughput. Even if a migration plan is ultimately determined, at Bitcoin's current transaction rate, migrating all quantum-vulnerable funds to post-quantum secure addresses would take months.

These challenges make it crucial for Bitcoin to start planning its post-quantum transition now—not because cryptography-related quantum computers may appear before 2030, but because the governance, coordination, and technical logistics required to migrate billions of dollars' worth of coins will take years to resolve.

The quantum threat facing Bitcoin is real, but the time pressure comes from Bitcoin's own limitations, not from the imminent arrival of quantum computers. Other blockchains also face their own challenges in dealing with quantum-vulnerable funds, but Bitcoin's risks are particularly pronounced: its earliest transactions placed public keys directly on-chain, making a particularly large proportion of Bitcoin vulnerable to cryptography-related quantum computer attacks. This technical difference, combined with Bitcoin's long history, value concentration, low throughput, and governance rigidity, exacerbates the issue.

Note that the vulnerabilities I described above apply to the cryptographic security of Bitcoin digital signatures but not to the economic security of the Bitcoin blockchain. This economic security stems from the proof-of-work consensus mechanism, which is not easily attacked by quantum computers for three reasons:

  1. PoW relies on hash operations, thus only being affected by the quadratic quantum speedup of Grover's search algorithm, rather than the exponential speedup of Shor's algorithm.

  2. The practical overhead of implementing Grover's search makes it extremely unlikely for any quantum computer to achieve even moderate real-world acceleration on Bitcoin's proof-of-work mechanism.

  3. Even if significant acceleration were achieved, it would only give large quantum miners an advantage over smaller miners, without fundamentally undermining Bitcoin's economic security model.

The Costs and Risks of Post-Quantum Signatures

To understand why blockchains should not rush to deploy post-quantum signatures, we need to grasp the performance costs and our evolving confidence in post-quantum security.

Most post-quantum cryptography is based on one of five methods: hash, code, lattice, multivariate quadratic equations (MQ), and isogeny. The security of any post-quantum cryptographic primitive is based on an assumption: that quantum computers cannot efficiently solve specific mathematical problems. The more "structured" the problem is, the more efficient the cryptographic protocols we can build. But this has both advantages and disadvantages: additional structure also provides more exploitable surface for attack algorithms. This creates a fundamental tension—stronger assumptions can lead to better performance, but at the cost of potential security vulnerabilities (i.e., an increased likelihood of the assumptions being falsified).

In general, hash-based methods are the most conservative in terms of security, because we are most confident that quantum computers cannot effectively attack them. However, their performance is also the worst. For example, NIST-standardized hash-based signatures, even at their smallest parameter settings, are 7-8 kilobytes. In contrast, today's elliptic curve-based digital signatures are only 64 bytes, roughly a 100-fold difference in size.
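To make both halves of that trade-off concrete, here is an added example (my own illustration, not code from the article and not NIST's SLH-DSA): a Lamport one-time signature, the simplest hash-based scheme, built on nothing but SHA-256. Its security rests only on preimage resistance of the hash, which is why hash-based schemes are the conservative choice, and a signature on a 256-bit digest is 256 × 32 bytes = 8 KB, the same order of magnitude as the 7-8 KB figure above and about 128 times a 64-byte elliptic-curve signature. Unlike SLH-DSA, a Lamport key may sign only one message; the comment in `sign` explains why, and that one-time restriction is exactly the property the standardized schemes add machinery to remove.

```python
import hashlib
import hmac
import secrets

H = hashlib.sha256   # the only cryptographic primitive the scheme relies on
N = 32               # bytes per preimage and per digest (256 bits)
BITS = 8 * N         # one preimage pair per digest bit
SIGNATURE_BYTES = BITS * N        # 8192 bytes
PUBLIC_KEY_BYTES = 2 * BITS * N   # 16384 bytes


def keygen():
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    """Bit i of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message: bytes) -> bytes:
    """Reveal, for each bit of H(message), the preimage matching that bit.

    The key must never sign a second message: every bit where the two digests
    differ would reveal the other preimage of that pair, and with both halves of
    enough pairs public, anyone could assemble a signature on a third message."""
    digest = H(message).digest()
    return b"".join(sk[i][_bit(digest, i)] for i in range(BITS))


def verify(pk, message: bytes, sig: bytes) -> bool:
    """Hash every revealed preimage and compare against the public key."""
    if len(sig) != SIGNATURE_BYTES:
        return False
    digest = H(message).digest()
    ok = True
    for i in range(BITS):
        chunk = sig[i * N:(i + 1) * N]
        # constant-time comparison; do not early-exit on the first mismatch
        ok &= hmac.compare_digest(H(chunk).digest(), pk[i][_bit(digest, i)])
    return ok


def serialized_public_key(pk) -> bytes:
    """Flatten the public key so its on-the-wire size can be measured."""
    return b"".join(a + b for a, b in pk)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware-image-v1"      # constructed message standing in for an update
    sig = sign(sk, msg)
    print("signature bytes:", len(sig), "public key bytes:", len(serialized_public_key(pk)))
    print("verifies:", verify(pk, msg, sig), "tampered:", verify(pk, msg + b"x", sig))
```

The 8 KB signature and 16 KB public key are the price of relying on a hash alone. Stateful and stateless schemes (XMSS, SPHINCS+/SLH-DSA) compress and reuse this construction with Merkle trees and hash chains, which is how they get down to the 7-8 KB signatures with a small public key that the text quotes.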

Lattice schemes are the main focus of deployment today. Of the three signature algorithms and the single encryption scheme NIST selected for standardization, two signatures and the encryption scheme are lattice-based. One lattice signature scheme (ML-DSA, formerly known as Dilithium) produces signatures ranging from 2.4 KB (128-bit security level) to 4.6 KB (256-bit security level), about 40-70 times larger than today's elliptic curve-based signatures. Another lattice scheme, Falcon, has smaller signatures (Falcon-512 is 666 bytes, Falcon-1024 is 1.3 KB), but involves complex floating-point operations, which NIST has flagged as a special implementation challenge. One of Falcon's creators, Thomas Pornin, described it as "the most complex cryptographic algorithm I have implemented to date."

Compared to elliptic curve-based signature schemes, lattice-based schemes also present greater challenges in implementation security: ML-DSA has more sensitive intermediate values and non-trivial rejection sampling logic, requiring side-channel and fault protection. Falcon also raises concerns about constant-time floating-point operations; in fact, several side-channel attacks on Falcon implementations have successfully recovered keys.

These issues pose direct risks, unlike the much more distant threat of cryptography-related quantum computers.

There are good reasons to remain cautious when deploying higher-performance post-quantum cryptographic methods. Historically, leading candidate schemes like Rainbow (an MQ-based signature scheme) and SIKE/SIDH (an isogeny-based encryption scheme) have been classically broken, meaning they were broken by today's computers rather than quantum computers. These breakages occurred deep into the NIST standardization process. This is a sign of healthy scientific operation, but it also illustrates that premature standardization and deployment can be counterproductive.

As mentioned earlier, internet infrastructure is taking a cautious approach to signature migration. This is particularly noteworthy given how long internet cryptographic transitions take to complete once they begin. The migration away from the MD5 and SHA-1 hash functions, which standards bodies deprecated years ago, has taken many more years to carry out in actual infrastructure, and in some environments it is still ongoing. That is the case even though these hash functions are completely broken today, not merely vulnerable to some future technology.

Unique Challenges of Blockchains Compared to Internet Infrastructure

Fortunately, blockchains actively maintained by open-source developer communities—such as Ethereum or Solana—can upgrade faster than traditional network infrastructure. On the other hand, traditional network infrastructure benefits from frequent key rotations, meaning its attack surface moves faster than early quantum machines might lock onto. This is an advantage that blockchains do not have, as coins and their associated keys may be exposed indefinitely.

However, overall, blockchains should still follow the cautious practices of the internet regarding signature migration. Both are not easily affected by HNDL attacks in terms of signatures, and regardless of how long the keys persist, the costs and risks of prematurely migrating to immature post-quantum schemes remain significant.

The unique challenges of blockchains also make premature migration particularly dangerous and complex: for example, blockchains have unique requirements for signature schemes, especially the ability to quickly aggregate multiple signatures. The widely used BLS signatures are favored because they allow for extremely fast aggregation, but they are not post-quantum secure. Researchers are exploring post-quantum signature aggregation based on SNARKs. This work holds great promise but is still in its early stages.

Specifically regarding SNARKs, the community currently considers hash-based structures as the primary post-quantum choice. However, a significant shift is on the horizon: I believe that in the coming months and years, lattice-based solutions will become an attractive alternative. These alternatives will outperform hash-based SNARKs in various aspects, such as significantly shorter proof lengths—similar to how lattice-based signatures are shorter than hash-based signatures.

The Bigger Current Issue: Implementation Security

In the coming years, implementation vulnerabilities will pose a far greater security risk than cryptography-related quantum computers. For SNARKs, the primary concern is bugs in their implementation.

Vulnerabilities are already a challenge for digital signatures and encryption schemes, and SNARKs are much more complex. In fact, digital signature schemes can be viewed as a very simple zkSNARK that states, "I know the private key corresponding to my public key, and I authorize this message."

For post-quantum signatures, direct risks also include implementation attacks, such as side-channel attacks and fault injection attacks. These types of attacks are well-documented and can extract keys from deployed systems. The threats they pose are far more urgent than the distant threat of quantum computers.

The community will spend years identifying and fixing vulnerabilities in SNARKs and strengthening post-quantum signature implementations to resist side-channel and fault injection attacks. Since post-quantum SNARKs and signature aggregation schemes have not yet settled, blockchains that transition too early may lock themselves into suboptimal solutions. When better options emerge or implementation vulnerabilities are discovered, they may need to migrate again.

What Should We Do? Seven Recommendations

Given the realities outlined above, I will summarize some recommendations for various stakeholders. The overarching principle is: take the quantum threat seriously, but do not act based on the assumption that cryptography-related quantum computers will appear before 2030. Current progress does not support this assumption, but there are still things we can and should do now:

  1. We should immediately deploy hybrid encryption, or at least deploy it where long-term confidentiality is important and costs are acceptable. Many browsers, CDNs, and messaging applications (such as iMessage and Signal) have already deployed hybrid methods. Hybrid methods (post-quantum + classical) can defend against HNDL attacks while hedging against potential weaknesses in post-quantum schemes.

  2. Immediately use hash-based signatures where large-scale adoption is acceptable. Software/firmware updates and other such low-frequency, scale-insensitive scenarios should adopt hybrid hash-based signatures now. (The hybrid approach is to hedge against implementation vulnerabilities in new schemes, not because of doubts about the security assumptions of hash-based signatures.) This approach is conservative and provides society with a clear "lifeboat" in case cryptography-related quantum computers unexpectedly emerge in this unlikely scenario. Without post-quantum signature software updates already in place, we will face a bootstrap problem after CRQC appears: we will be unable to securely distribute the necessary post-quantum cryptographic fixes to defend against it.

  3. Blockchains need not rush to deploy post-quantum signatures, but they should start planning now. Blockchain developers should follow the practices of the network PKI community and take a cautious approach to deploying post-quantum signatures. This allows post-quantum signature schemes to mature in both performance and our understanding of their security. This approach also gives developers time to restructure systems to handle larger signatures and develop better aggregation techniques.

For Bitcoin and other L1s: The community needs to define migration paths and policies for abandoned quantum-vulnerable funds. Passive migration is not possible, so planning is crucial. Moreover, since Bitcoin faces primarily non-technical unique challenges, including slow governance and a large number of high-value, potentially abandoned quantum-vulnerable addresses, it is especially important for the Bitcoin community to start this planning now.

Meanwhile, we need to continue maturing research on post-quantum SNARKs and aggregatable signatures (which may take a few more years). To reiterate, premature migration may lock in suboptimal solutions or require a second migration to address implementation vulnerabilities.

Regarding Ethereum's account model: Ethereum supports two types of accounts (Externally Owned Accounts (EOA), which are traditional account types controlled by secp256k1 private keys; and smart contract wallets with programmable authorization logic), which have different implications for post-quantum migration. In non-urgent situations, if Ethereum adds support for post-quantum signatures, upgradable smart contract wallets can switch to post-quantum verification through contract upgrades, while EOAs may need to transfer their funds to new post-quantum secure addresses (although Ethereum may also provide a dedicated migration mechanism for EOAs). In a quantum emergency, Ethereum researchers have proposed a hard fork plan to freeze vulnerable accounts and allow users to recover funds by proving their knowledge of the mnemonic phrase using post-quantum secure SNARKs. This recovery mechanism would apply to EOAs and any smart contract wallets that have not yet upgraded.

Practical Implications for Users: Well-audited, upgradable smart contract wallets may provide a somewhat smoother migration path, but the differences are minimal and require trade-offs in trusting wallet providers and upgrade governance. More important than the account type is for the Ethereum community to continue working on post-quantum primitives and emergency plans.

Broader Design Insights for Builders: Many current blockchains tightly couple account identities with specific cryptographic primitives—Bitcoin and Ethereum couple with ECDSA signatures on secp256k1, while other chains couple with EdDSA. The challenges of post-quantum migration highlight the value of decoupling account identities from any specific signature scheme. The development of Ethereum towards smart accounts and similar account abstraction efforts on other chains reflect this trend: allowing accounts to upgrade their authentication logic without sacrificing their on-chain history and state. This decoupling does not make post-quantum migration easy, but it does provide greater flexibility than hard-coding accounts to a single signature scheme. (This also enables unrelated functionalities, such as sponsored transactions, social recovery, and multi-signatures.)

  4. For privacy chains that encrypt or obscure transaction details, prioritize early transition if performance is acceptable. Users' privacy on these chains currently faces the threat of HNDL attacks, although the severity varies by design. Chains that can achieve complete traceability and de-anonymization solely through public ledgers face the most urgent risks. Consider adopting hybrid (post-quantum + classical) solutions to guard against superficially post-quantum schemes that may not be secure even under classical computation; or implement architectural changes to avoid placing solvable secrets on-chain.

  5. In the short term, prioritize implementation security over mitigating quantum threats. Especially for complex cryptographic primitives like SNARKs and post-quantum signatures, vulnerabilities and implementation attacks (side-channel attacks, fault injection) will pose a far greater security risk for many years than cryptography-related quantum computers. Now is the time to invest in auditing, fuzz testing, formal verification, and defense in depth (layered security); do not let concerns about quantum overshadow the more urgent threat of vulnerabilities!

  6. Fund the development of quantum computing. A significant national security implication of all the above discussions is that we need to continuously fund quantum computing and cultivate related talent. If any one country gains cryptography-related quantum computing capabilities, it will pose a national security risk to the rest of the world.

  7. Maintain a clear awareness of quantum computing announcements. As quantum hardware gradually matures, many milestones will emerge in the coming years. Ironically, the frequency of these announcements itself demonstrates how far we are from cryptography-related quantum computers: each milestone represents one of the many bridges that must be crossed before reaching the goal, each of which will trigger a wave of headlines and excitement. News releases should be viewed as progress reports that require careful assessment, rather than prompts for hasty action.

Of course, unexpected advancements or innovations could accelerate the expected timeline, just as there may be significant bottlenecks that extend the timeline. I do not assert that the emergence of cryptography-related quantum computers within five years is entirely impossible, only that the probability is extremely low. The above recommendations can effectively address this uncertainty, and following these recommendations can help avoid more direct and likely risks: implementation vulnerabilities, hasty deployments, and common mistakes in cryptographic transitions.

(Note: Due to length and the complexity of cryptographic expertise, this translation has been abridged.)
