a16z In-depth Article: How to Properly Understand the Threat of Quantum Computing to Blockchain


Original: 《Quantum computing and blockchains: Matching urgency to actual threats》

Translation: Ken, Chaincatcher

The timeline for achieving cryptography-related quantum computers is often exaggerated—leading to calls for an urgent and comprehensive transition to post-quantum cryptography.

However, these calls often overlook the costs and risks of premature migration and ignore the starkly different risk characteristics between various cryptographic primitives:

  • Although post-quantum encryption is expensive, it needs to be deployed immediately: “harvest now, decrypt later” (HNDL) attacks have already begun, because even if quantum computers are decades away, sensitive data encrypted today will still hold value in the future. The performance overhead and implementation risks of post-quantum encryption do exist, but for data that requires long-term confidentiality, we have no choice but to face HNDL attacks.

  • Post-quantum signatures face different considerations. They are not easily susceptible to HNDL attacks, but their costs and risks (larger sizes, performance overhead, immature implementations, and vulnerabilities) require us to adopt a thoughtful rather than immediate migration strategy.

These distinctions are crucial. Misunderstandings can distort cost-benefit analyses, leading teams to overlook more prominent security risks.

The real challenge of post-quantum cryptography lies in matching urgency to actual threats. The following will clarify common misconceptions about quantum threats to cryptography (covering encryption, signatures, and zero-knowledge proofs) and particularly focus on the impact of these threats on blockchains.

Progress Over Time

Despite some prominent figures claiming that cryptographically significant quantum computers may emerge in the 2020s, this assertion is highly unrealistic.

What I mean by “cryptographically significant quantum computers” refers to a fault-tolerant, error-corrected quantum computer that is large enough to run Shor's algorithm within a reasonable timeframe to attack elliptic curve cryptography or RSA (for example, breaking secp256k1 or RSA-2048 with up to a month of continuous computation).

Based on a reasonable interpretation of public milestones and resource estimates, we are far from producing a cryptographically significant quantum computer. Some companies claim that a cryptographically relevant quantum computer (CRQC) is likely to emerge before 2030 or 2035, but public progress does not support these claims.

As a backdrop, among all existing architectures—trapped ions, superconducting qubits, and neutral atom systems—there is currently no quantum computing platform that can come close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm on RSA-2048 or secp256k1 (depending on error rates and error correction schemes).

The limiting factors are not only the number of qubits but also gate fidelity, qubit connectivity, and the depth of error-correcting circuits required to run deep quantum algorithms. While some systems currently have more than 1,000 physical qubits, looking solely at the raw number of qubits is misleading: these systems lack the qubit connectivity and gate fidelity necessary for cryptographic computations.

Recent systems have approached the physical error rates where quantum error correction begins to take effect, but no one has demonstrated more than a handful of logical qubits capable of maintaining the depth of error-correcting circuits… let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits actually needed to run Shor's algorithm. There remains a vast gap between proving the feasibility of quantum error correction principles and achieving the scale required for cryptanalysis.

In short: unless both the number and fidelity of qubits increase by several orders of magnitude, cryptographically significant quantum computers remain out of reach.

However, corporate press releases and media reports can easily lead to confusion. Some common sources of misunderstanding and confusion include:

  • Some demonstrations claim to have “quantum advantage,” but they target artificially designed tasks. These tasks are chosen not for their practical utility but because they can run on existing hardware while superficially showcasing significant quantum speedup—this fact is often obscured in announcements.

  • Some companies claim to have thousands of physical qubits. But this often refers to quantum annealers, not gate-model machines required to run Shor's algorithm to attack public-key cryptography.

  • Some companies misuse the term “logical qubit.” Physical qubits are noisy. As mentioned, quantum algorithms (like Shor's algorithm) require thousands of logical qubits. Using quantum error correction techniques, many physical qubits (often hundreds to thousands, depending on error rates) can realize one logical qubit. But some companies stretch the term to an unrecognizable extent. For example, a recent announcement claimed to have implemented 48 logical qubits using a distance-2 code, with each logical qubit consisting of only two physical qubits. This is absurd: a distance-2 code can only detect errors, not correct them. Fault-tolerant logical qubits used for cryptanalysis require hundreds to thousands of physical qubits, not two.

More broadly, many quantum computing roadmaps use the term “logical qubit” to refer to qubits that only support Clifford operations. These operations can be efficiently simulated by classical computers, thus are insufficient to run Shor's algorithm, which requires thousands of error-corrected T gates (or more generally, non-Clifford gates).

Even if a roadmap aims to achieve “thousands of logical qubits by a certain year,” it does not mean that the company expects to run Shor's algorithm to break classical cryptography in the same year.

These practices severely distort public perception of “how far we are from a cryptographically significant quantum computer,” even affecting seasoned observers.

That said, some experts are indeed excited about the progress made. For instance, Scott Aaronson recently wrote that given the “currently astonishing pace of hardware development,” he now believes it is possible to have a fault-tolerant quantum computer capable of running Shor's algorithm before the next U.S. presidential election.

But Aaronson later clarified that his statement did not refer to a cryptographically significant quantum computer: he would count even a fully fault-tolerant run of Shor's algorithm that factors 15 = 3×5, slower than pencil and paper, as meeting his prediction. The current standard remains small-scale runs of Shor's algorithm, not cryptographically significant runs, and previous factorizations of 15 on quantum computers used simplified circuits rather than the complete, fault-tolerant Shor's algorithm. There is a reason why 15 has always been chosen as the target for factorization: computations modulo 15 are easy, while factoring slightly larger numbers (like 21) is much more difficult. Therefore, quantum experiments claiming to factor 21 typically rely on additional hints or shortcuts.

In short, expecting a cryptographically significant quantum computer capable of breaking RSA-2048 or secp256k1 (which is most relevant for practical cryptography) to emerge within the next five years is unsupported.

Even ten years remains fraught with uncertainty. Given how far we are from a cryptographically significant quantum computer, excitement about progress is entirely compatible with a timeline of “over ten years.”

So what about the U.S. government's deadline of 2035 for a complete transition of government systems to the post-quantum era? I believe this is a reasonable timeline for completing such a large-scale transition. However, it does not mean that a cryptographically significant quantum computer is expected to emerge by then.

Applicability and Non-Applicability of HNDL Attacks

“Harvest now, decrypt later” (HNDL) attacks refer to adversaries storing encrypted traffic first and then decrypting it later when a cryptographically relevant quantum computer exists. Nation-state adversaries are certainly archiving encrypted communications from the U.S. government on a large scale to decrypt these communications years later when CRQC emerges.

This is why it is said that encryption technology needs to transition today—at least for those with confidentiality needs extending 10-50 years or more.

However, the digital signatures that all blockchains rely on are different from encryption: they protect no confidential data that could be attacked retroactively.

In other words, if a cryptographically relevant quantum computer emerges, then from that point on, forging signatures will become possible, but past signatures are not “hiding” secrets like encrypted information. As long as you know that a digital signature was generated before the emergence of CRQC, it cannot be forged.

This makes the transition to post-quantum digital signatures less urgent than the post-quantum transition in the encryption domain.

Major platforms are taking corresponding measures: Chrome and Cloudflare have launched a hybrid X25519 + ML-KEM encryption scheme for TLS (Transport Layer Security) on the web. (For readability, this article uses the term “encryption scheme,” but strictly speaking, secure communication protocols like TLS use key exchange or key encapsulation mechanisms, not public-key encryption.)

The “hybrid” here refers to the combined use of post-quantum secure schemes (i.e., ML-KEM) and existing schemes (X25519) to achieve comprehensive security assurances. This way, it is hoped that ML-KEM can prevent HNDL attacks, while still maintaining the classical security provided by X25519 in case ML-KEM has security vulnerabilities even against today’s computers.

Apple's iMessage has also deployed this hybrid post-quantum encryption technology through its PQ3 protocol, as have Signal's PQXDH and SPQR protocols.

In contrast, the promotion of post-quantum digital signatures in critical network infrastructure is being delayed until a truly cryptographically significant quantum computer is imminent, as current post-quantum signature schemes introduce performance degradation (which will be detailed later in this article).

zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge) are key to the long-term scalability and privacy of blockchains, and their situation is similar to that of signatures. This is because even for those non-post-quantum secure zkSNARKs (which use elliptic curve cryptography, just like today’s non-post-quantum encryption and signature schemes), their zero-knowledge properties are post-quantum secure.

The zero-knowledge property ensures that no information about the secret witness is leaked during the proof process—even a quantum adversary would not know—so there is no confidential information available to be “harvested” for later decryption.

Thus, zkSNARKs are not susceptible to “harvest now, decrypt later” attacks. Just as today’s non-post-quantum signatures are secure, any zkSNARK proof generated before the emergence of a cryptographically significant quantum computer is trustworthy (i.e., the proven proposition is absolutely true)—even if zkSNARKs used elliptic curve cryptography. Only after the emergence of a cryptographically significant quantum computer can an attacker find a convincing proof of a false statement.

What This Means for Blockchains

Most blockchains will not be affected by HNDL attacks:

Currently, most non-privacy chains, such as Bitcoin and Ethereum, primarily use non-post-quantum cryptography for transaction authorization—that is, they use digital signatures rather than encryption.

To reiterate, these signatures are not at risk from HNDL: “harvest now, decrypt later” attacks apply to encrypted data. For example, the Bitcoin blockchain is public; its quantum threat lies in signature forgery (deriving private keys to steal funds), not in decrypting publicly available transaction data. This eliminates the direct cryptographic urgency posed by HNDL attacks.

Unfortunately, even analyses from trusted sources like the Federal Reserve have issues, incorrectly claiming that Bitcoin is vulnerable to HNDL attacks, which exaggerates the urgency of transitioning to post-quantum cryptography.

That said, a reduced urgency does not mean Bitcoin can wait: it faces different time pressures associated with the significant social coordination required to change protocols. (The unique challenges of Bitcoin will be discussed in detail below.)

The current exception is privacy chains, many of which encrypt or otherwise obscure the recipient and amount. This confidentiality can now be harvested, and once quantum computers can break elliptic curve cryptography, it can be retroactively de-anonymized.

For such privacy chains, the severity of the attack depends on the design of the blockchain. For instance, with Monero's curve-based ring signatures and key images (a linking tag for each output to prevent double spending), the public ledger alone is sufficient to reconstruct spending graphs. However, in other blockchains, the losses are more limited—see the discussion by Zcash cryptographic engineer and researcher Sean Bowe for details.

If users are very concerned about their transactions being exposed to cryptographically significant quantum computers, then privacy chains should transition to post-quantum primitives (or hybrid schemes) as soon as possible. Alternatively, they should adopt architectures that avoid placing decryptable secret information on the chain.

Unique Challenges for Bitcoin: Governance + Abandoned Tokens

For Bitcoin in particular, there are two real-world factors that create an urgent need to begin transitioning to post-quantum digital signatures. Both of these factors are unrelated to quantum technology.

One concerning issue is the speed of governance: Bitcoin's pace of change is slow. Any controversial issue can trigger a destructive hard fork, as the community cannot reach consensus on an appropriate solution.

Another worrying issue is that the transition to post-quantum signatures for Bitcoin cannot be a passive migration: holders must actively migrate their tokens. This means that abandoned tokens, which are vulnerable to quantum attacks, cannot be protected. Some estimates suggest that the number of BTC at risk due to quantum vulnerabilities and potentially abandoned could reach millions, worth hundreds of billions of dollars at current prices (as of December 2025).

However, the threat of quantum technology to Bitcoin is not a sudden disaster but rather a selective, gradual process. Quantum computers cannot simultaneously break all cryptography—Shor's algorithm must attack individual public keys one at a time. Early quantum attacks are extremely costly and time-consuming. Therefore, once quantum computers can break a single Bitcoin signature key, attackers will selectively target high-value wallets.

Moreover, users who avoid address reuse and do not use Taproot addresses (which directly expose public keys on-chain) are fundamentally protected even without protocol changes: their public keys remain hidden behind hash functions until the tokens are spent. When they eventually broadcast a spending transaction, the public key will be exposed, leading to a brief real-time race: one side is the honest spender needing to confirm the transaction, while the other side is any attacker with quantum computing capabilities trying to find the private key and spend those tokens before the true owner's transaction is completed. Thus, the truly vulnerable tokens are those whose public keys have already been exposed: early P2PK outputs, reused addresses, and Taproot holdings.
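The exposure classes described above (keys already on-chain in P2PK and Taproot outputs, keys revealed by address reuse, keys still hidden behind a hash), as an added example that is not part of the original article: a small classifier over raw output scripts that buckets value by whether a Shor-capable attacker would already have a public key to target. The script templates are the standard Bitcoin ones; the sample outputs and their "spent before" flags are constructed, not real chain data.

```python
"""Flag Bitcoin outputs whose public key is already visible on-chain.

Constructed example: recognises the single-key output templates the article
mentions (P2PK, P2PKH, P2WPKH, P2TR) and reports how much value sits behind an
exposed key versus a key still hidden behind a hash until the owner spends.
"""
from dataclasses import dataclass

# Opcode bytes for the templates recognised below.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x88, 0xA9, 0xAC


@dataclass(frozen=True)
class Output:
    label: str                   # constructed label, not a real transaction id
    value_sat: int
    script_pubkey: bytes
    key_revealed_by_spend: bool  # an earlier spend from this address already published the key


def script_type(script: bytes) -> str:
    """Match the raw scriptPubKey against the four single-key templates."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and script[0] in (33, 65) and script[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and script[0] == OP_0 and script[1] == 20:
        return "p2wpkh"
    # P2TR: OP_1 <push 32> <x-only output key>
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return "p2tr"
    return "other"


def exposure(out: Output) -> str:
    """'exposed': the attacker already has a key to run Shor's algorithm on.
    'hashed': the key stays hidden until the owner spends (the race described above).
    'unknown': a script type (P2SH, P2WSH, OP_RETURN, ...) this example does not analyse."""
    t = script_type(out.script_pubkey)
    if t in ("p2pk", "p2tr"):
        return "exposed"  # the key itself is in the output script
    if t in ("p2pkh", "p2wpkh"):
        return "exposed" if out.key_revealed_by_spend else "hashed"
    return "unknown"


def risk_report(outputs) -> dict:
    """Sum value per exposure class; the 'exposed' bucket is what a migration
    plan has to move first."""
    totals = {"exposed": 0, "hashed": 0, "unknown": 0}
    for out in outputs:
        totals[exposure(out)] += out.value_sat
    return totals


# Builders for the templates from constructed placeholder keys/hashes.
def p2pk(pubkey: bytes) -> bytes:
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh(h160: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160, 20]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh(h160: bytes) -> bytes:
    return bytes([OP_0, 20]) + h160


def p2tr(xonly: bytes) -> bytes:
    return bytes([OP_1, 32]) + xonly


# Constructed sample set (keys and hashes are filler bytes, not real on-chain data).
SAMPLE_OUTPUTS = [
    Output("early-coinbase", 5_000_000_000, p2pk(b"\x04" + b"\x11" * 64), False),
    Output("fresh-legacy", 100_000, p2pkh(b"\x22" * 20), False),
    Output("reused-legacy", 250_000, p2pkh(b"\x33" * 20), True),
    Output("taproot", 75_000, p2tr(b"\x44" * 32), False),
    Output("fresh-segwit", 40_000, p2wpkh(b"\x55" * 20), False),
    Output("data-carrier", 0, b"\x6a\x04data", False),
]

if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        print(f"{out.label:15} {script_type(out.script_pubkey):7} {exposure(out)}")
    print(risk_report(SAMPLE_OUTPUTS))
```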

For those abandoned vulnerable tokens, there is no simple solution. Some feasible options include:

  • The Bitcoin community agrees to establish a “flag day,” after which all un-migrated tokens will be considered destroyed.

  • Allow abandoned, quantum-vulnerable tokens to be seized by anyone with a cryptographically relevant quantum computer.

The second option would raise serious legal and security issues. Even claiming legitimate ownership or acting in good faith, using a quantum computer to acquire tokens without private keys could trigger severe problems under theft and computer fraud laws in many jurisdictions.

Additionally, “abandoned” itself is a presumption based on inactivity. In reality, no one knows whether these tokens have living owners who can access the keys. Even if evidence shows you once owned these tokens, it may not provide sufficient legal grounds to break the cryptographic protection and retrieve them. This legal ambiguity increases the likelihood of abandoned, quantum-vulnerable tokens falling into the hands of malicious actors, who often disregard legal constraints.

The final unique issue for Bitcoin is its low transaction throughput. Even if a migration plan is ultimately determined, migrating all quantum-vulnerable funds to post-quantum secure addresses would take months at Bitcoin's current transaction rate.

These challenges mean that Bitcoin must now begin planning its transition to the post-quantum era—not because a cryptographically significant quantum computer may emerge before 2030, but because the governance, coordination, and technical logistics involved in migrating tokens worth billions of dollars will take years to resolve.

The quantum threat to Bitcoin does exist, but the time pressure does not come from the impending quantum computers; it arises from Bitcoin's own limitations. Other blockchains also face challenges from quantum-vulnerable funds, but Bitcoin's uniqueness lies in its early transactions using “pay-to-public-key (P2PK)” outputs, which directly place public keys on-chain, making a significant proportion of BTC highly susceptible to attacks from cryptographically relevant quantum computers. This technical difference—combined with Bitcoin's age, value concentration, low throughput, and rigid governance mechanisms—makes the issue particularly severe.

Please note that the vulnerabilities I described above refer to the cryptographic security of Bitcoin digital signatures, not the economic security of the Bitcoin blockchain. This economic security stems from the proof-of-work consensus mechanism, which is not easily attacked by quantum computers for three reasons:

  1. PoW relies on hash algorithms, which are only affected by Grover's search algorithm's quadratic quantum speedup, not by Shor's algorithm's exponential speedup.

  2. The practical overhead of implementing Grover's search makes it extremely unlikely for any quantum computer to achieve even moderate practical speedup on Bitcoin's proof-of-work mechanism.

  3. Even if significant speed improvements were achieved, these improvements would only give large quantum miners an advantage over small miners, without fundamentally undermining Bitcoin's economic security model.

Costs and Risks of Post-Quantum Signatures

To understand why blockchains should not rush to deploy post-quantum signatures, we need to grasp the performance costs and our confidence in post-quantum security (which is still evolving).

Most post-quantum cryptography is based on one of the following five methods:

  • Hashing

  • Codes

  • Lattices

  • Multivariate quadratic equations (MQ)

  • Isogenies

Why are there five different methods? The security of any post-quantum cryptographic primitive is based on the assumption that quantum computers cannot efficiently solve specific mathematical problems. The more “structured” the problem, the more efficient the cryptographic protocols we build on it.

But this has both advantages and disadvantages: additional structure also provides more exploitable attack surfaces for attacking algorithms. This creates a fundamental tension—stronger assumptions can lead to better performance, but at the cost of potential security vulnerabilities (that is, the likelihood of the assumptions being proven wrong is greater).

Generally speaking, hash-based methods are the most conservative in terms of security because we are most confident that quantum computers cannot effectively attack these protocols. However, their performance is also the worst. For example, even with minimal parameter settings, the NIST standardized hash-based signature size is 7-8 KB. In contrast, today’s elliptic curve-based digital signatures are only 64 bytes. This is about a 100-fold size difference.

Lattice schemes are the focus of current deployments. The only post-quantum encryption scheme currently deployed at scale (ML-KEM, mentioned above) and two of the three signature algorithms selected by NIST are based on lattices. One of these lattice schemes (ML-DSA, formerly known as Dilithium) generates signature sizes ranging from 2.4 KB (128-bit security level) to 4.6 KB (256-bit security level), which is about 40 to 70 times larger than current elliptic curve-based signatures. Another lattice scheme, Falcon, has smaller signatures (Falcon-512 is 666 bytes, Falcon-1024 is 1.3 KB), but it involves complex floating-point operations, and NIST itself has flagged it as having special implementation challenges. One of Falcon's creators, Thomas Pornin, described it as “the most complex cryptographic algorithm I have implemented to date.”

Implementation security in lattice-based signature schemes is also more challenging than in elliptic curve-based schemes: ML-DSA has more sensitive intermediate values, and non-trivial rejection sampling logic requires side-channel and fault protection. Falcon raises concerns about constant-time floating-point operations; in fact, multiple side-channel attacks against Falcon implementations have recovered private keys.

These issues pose direct risks, which are fundamentally different from the more distant threat of a cryptographically significant quantum computer.

It is entirely reasonable to proceed cautiously when deploying post-quantum cryptographic schemes with better performance. Historically, leading candidates like Rainbow (a signature scheme based on MQ) and SIKE/SIDH (a cryptographic scheme based on isogenies) have been broken on classical computers—that is, they were broken using today's computers, not quantum computers.

This occurred in the later stages of the NIST standardization process. It reflects healthy scientific operation but also indicates that premature standardization and deployment can be counterproductive.

As mentioned earlier, internet infrastructure is taking a cautious approach to signature migration. This is particularly noteworthy because cryptographic transitions across internet infrastructure take a long time once they begin. The migration away from the MD5 and SHA-1 hash functions (which were formally deprecated years ago) actually took years to be fully implemented across the entire infrastructure and is still ongoing in some contexts. This happened even though these hash functions have been completely broken, not merely flagged as potentially vulnerable to future technologies.

Unique Challenges of Blockchains Compared to Internet Infrastructure

Fortunately, blockchains actively maintained by open-source developer communities (such as Ethereum or Solana) upgrade faster than traditional network infrastructure. On the other hand, traditional network infrastructure benefits from frequent key rotations, meaning its attack surface moves faster than early quantum computers can target—this is a luxury that blockchains do not have, as tokens and their associated keys can be exposed indefinitely.

But overall, blockchains should still follow the cautious approach taken by the internet regarding signature migration. Neither scenario will be affected by HNDL attacks targeting signatures, and regardless of how long keys are retained, the costs and risks of prematurely migrating to immature post-quantum schemes remain significant.

The unique challenges of blockchains also make premature migration particularly dangerous and complex: for example, blockchains have unique requirements for signature schemes, especially the ability to quickly aggregate a large number of signatures. Today, BLS signatures are widely used because they enable very fast aggregation, but they do not possess post-quantum security features. Researchers are exploring post-quantum signature aggregation based on SNARKs. This work is promising but still in its early stages.

Regarding SNARKs, the community is currently focused on hash-based construction methods, viewing them as the mainstream choice for the post-quantum era. However, a significant shift is on the horizon: I believe that in the coming months and years, lattice-based options will become highly attractive alternatives. These alternatives will outperform hash-based SNARKs in many ways, such as significantly reducing proof lengths—similar to how lattice-based signatures are shorter than hash-based signatures.

The Greater Challenge Now: Implementation Security

In the coming years, implementation vulnerabilities will pose a greater security risk than cryptographically significant quantum computers. For SNARKs, the main issue is implementation bugs.

Vulnerabilities are already a challenge for digital signature and encryption schemes, and SNARKs are much more complex. In fact, digital signature schemes can be viewed as a very simple zkSNARK that proves the statement, “I know the private key corresponding to my public key, and I have authorized this message.”

For post-quantum signatures, direct risks also include implementation attacks such as “side-channel attacks” and “fault injection attacks.” These types of attacks are well-documented and can extract private keys from deployed systems. The threats they pose are far more urgent than the distant threat of quantum computers.

The community will spend years identifying and fixing vulnerabilities in SNARKs and hardening post-quantum signature implementations against side-channel and fault injection attacks. Since the dust has not yet settled on post-quantum SNARK and signature aggregation schemes, blockchains that transition too early may lock themselves into suboptimal solutions. Once better solutions emerge or implementation vulnerabilities are discovered, they may need to migrate again.

What Should We Do? 7 Recommendations

Based on the above situation, I will finally offer recommendations to all stakeholders, including builders and policymakers. The most important principle is: we need to take quantum threats seriously, but we should not rush to act based on the assumption that “cryptographically significant quantum computers will arrive before 2030.” Current progress does not support this assumption. Nevertheless, there are things we can and should do now:

  1. We should immediately deploy hybrid encryption.

Or at least deploy it where long-term confidentiality is crucial and costs are acceptable. Many browsers, CDNs, and instant messaging applications (such as iMessage and Signal) have already deployed hybrid schemes. This hybrid scheme—post-quantum + classical—can defend against HNDL attacks while avoiding potential weaknesses in post-quantum schemes.

  2. If larger signature sizes are acceptable, we should immediately adopt hash-based signatures.

Software/firmware updates, and other such low-frequency, size-insensitive scenarios, should now adopt hybrid hash-based signatures. (The use of hybrid signatures is to guard against implementation vulnerabilities in new schemes, not because there are doubts about the security assumptions of hash-based signatures.) This conservative approach provides society with a clear “lifeboat” in case a cryptographically significant quantum computer unexpectedly appears too early. Without a pre-deployed software update mechanism for post-quantum signatures, we will face a cold start problem once a CRQC emerges: we will be unable to securely distribute the necessary patches.

  3. Blockchains do not need to rush to implement post-quantum signatures—but they should start planning now.

Blockchain developers should take a cautious approach to deploying post-quantum signatures, emulating the practices of the Web PKI community. This allows post-quantum signature schemes to continue maturing in terms of performance and our understanding of their security. This approach also gives developers time to redesign system architectures to handle larger signatures and develop better aggregation techniques.

For Bitcoin and other L1s: the community needs to establish migration paths and policies for abandoned, quantum-vulnerable funds. Passive migration is not possible, so planning is crucial. Given that Bitcoin faces some unique challenges, most of which are non-technical—slow governance, and a large number of high-value, potentially abandoned, quantum-vulnerable addresses—it is particularly important for the Bitcoin community to start planning now.

Meanwhile, we need to mature research on post-quantum SNARKs and aggregatable signatures (which may take several more years). Again, premature migration could lead to locking into suboptimal solutions or necessitate a second migration to address implementation vulnerabilities.

Regarding the Ethereum account model: Ethereum supports two types of accounts, which have different implications for post-quantum migration—externally owned accounts (EOA), which are traditional account types controlled by secp256k1 private keys; and smart contract wallets with programmable authorization logic.

In non-urgent situations, if Ethereum adds support for post-quantum signatures, upgradable smart contract wallets can switch to post-quantum verification through contract upgrades—while EOAs may need to transfer their funds to new post-quantum secure addresses (although Ethereum will likely also provide a dedicated migration mechanism for EOAs). In quantum emergencies, Ethereum researchers have proposed a hard fork plan to freeze accounts with security vulnerabilities and allow users to recover funds by using post-quantum secure SNARKs to prove knowledge of their mnemonic phrases. This recovery mechanism applies to both EOAs and any smart contract wallets that have not yet upgraded.

For users, the practical implication is that well-audited, upgradable smart contract wallets may offer a slightly smoother migration path—but this difference is minimal and will also involve trade-offs regarding trust in wallet providers and upgrade governance. More important than the account type is that the Ethereum community continues to advance work on post-quantum primitives and emergency response plans.

A broader design experience for builders: Many blockchains today tightly couple account identities with specific cryptographic primitives—such as Bitcoin and Ethereum with ECDSA signatures on secp256k1, while other blockchains couple with EdDSA. The challenges of post-quantum migration highlight the value of decoupling account identities from any specific signature scheme. Ethereum is moving towards smart accounts, and efforts on other chains to abstract accounts reflect this trend: allowing accounts to upgrade their authentication logic without losing their on-chain history and state. This decoupling does not make migration in the post-quantum era easy, but it does provide greater flexibility than hard-coding accounts to a single signature scheme. (This also supports other functionalities such as transaction delegation, social recovery, and multi-signatures.)

  4. For privacy chains that encrypt or hide transaction details, if performance is acceptable, prioritize an early transition.

Currently, user privacy on these blockchains faces the risk of HNDL attacks, although the severity varies with different design schemes. Blockchains that can achieve complete retroactive de-anonymization relying solely on public ledgers face the most urgent risks.

Consider adopting hybrid (post-quantum + classical) schemes to prevent superficial post-quantum solutions from ultimately proving insecure at the classical level, or implement architectural changes to avoid placing decryptable secrets on-chain.

  5. In the near term, prioritize implementation security over quantum threat mitigation.

Especially for complex cryptographic primitives like SNARKs and post-quantum signatures, vulnerabilities and implementation attacks (side-channel attacks, fault injection) will pose greater security risks than cryptographically significant quantum computers in the coming years.

Invest now in auditing, fuzz testing, formal verification, and defense in depth: do not let quantum concerns overshadow more urgent vulnerability threats!

  6. Fund the development of quantum computing.

All of the above factors have significant implications for national security, meaning we need to continue investing in and cultivating talent in quantum computing.

If a major adversary gains cryptographically significant quantum computing capabilities before the United States, it will pose a serious national security risk to us and other countries around the world.

  7. Maintain a rational attitude towards announcements related to quantum computing.

As quantum hardware matures, many milestone advancements will emerge in the coming years. Ironically, the frequent release of these announcements itself demonstrates that we still have a long way to go before we achieve truly cryptographically valuable quantum computers: each milestone represents one of the many bridges we must cross before reaching that point, and each milestone's emergence will trigger media headlines and excitement.

Treat press releases as progress reports that require critical assessment, rather than as prompts for hasty action.

Of course, there may be unexpected developments or innovations that accelerate the anticipated timeline, just as there may be serious scaling bottlenecks that extend the timeline.

I do not believe that the emergence of a cryptographically significant quantum computer within five years is literally “impossible,” just that the likelihood is extremely low. The above recommendations are robust against this uncertainty, and following these recommendations can help avoid more direct and likely risks: implementation vulnerabilities, hasty deployments, and various common issues during the cryptographic transition process.
