Circle's post-quantum roadmap: how to change the locks before a "quantum break-in"?

USDC is deployed on more than 30 chains. How is Circle preparing to migrate it?

Compiled & Written by: KarenZ, Foresight News

If quantum computers one day become strong enough, the first things blockchains will have to confront are two of their most basic security assumptions: whether a signature can still prove "I am me," and whether data encrypted today will stay secret tomorrow.

Circle's latest paper, "Circle's Post-Quantum Security Roadmap," addresses exactly this. Its core judgment is blunt: the elliptic-curve cryptography that today's blockchains rely on, including ECDSA, Ed25519, and BLS, will fail against a sufficiently strong quantum computer. Worse, on EVM chains an account's public key is exposed the first time it broadcasts a transaction, because the ECDSA signature itself lets anyone recover the key; on chains like Bitcoin, addresses that have spent, been reused, or exposed their public key through particular script forms fall into the same risk zone.

The author list signals that this is not an ordinary popular-science piece. It includes Circle's Chief Software Engineer Mira Belenkiy, Research Engineer Duc V. Le, Chief Economist Gordon Liao, Head of Product Security Vipin Singh Sehrawat, Research Engineer Dragos Rotaru, and several other Circle engineers, among them Sergey Gorbunov, co-founder of Interop Labs, the team that originally built the Axelar network and is now part of Circle. Dan Boneh, a leading applied-cryptography researcher at Stanford University, is also a co-author.

The most important thing about the paper is not a scare story about "quantum computing destroying crypto" but that it breaks the question down into a practical engineering migration problem. In Circle's view, post-quantum migration is not a single upgrade button but a long, coordinated effort across wallets, smart contracts, custodians, cloud services, validators, and regulatory rules.

The paper lists several kinds of quantum risk that blockchains face.

The first is account forgery. Once an address's public key has been exposed, a future quantum attacker may recover the private key and forge transactions directly. The paper cites Project Eleven's Bitcoin RisQ Metrics, which reports that the balances held by millions of addresses are exposed to quantum risk, including an estimated 14 million Bitcoin addresses.

The second is "harvest now, decrypt later" (the page renders it "collect now, decrypt later"): an attacker records encrypted data today and decrypts it once quantum computers mature.

The third is consensus-layer risk: if validator signing keys are recovered, the result can be double signing, censorship, or even rewriting of history. The fourth is network-layer risk: anything that relies on classical key exchange, such as P2P communication and RPC over TLS, also needs upgrading.

Circle's Three-Phase Migration Roadmap

Circle's roadmap is not simply swapping one signature algorithm for another. It has three steps: "prepare now," "hybrid transition," and "final switch." Each step carries its own risk priorities: private data must be protected first, accounts and smart contracts migrate gradually, and the consensus and infrastructure switch waits until the ecosystem, hardware, and standards are more mature.

[Figure] Attack types and response phases in the Arc roadmap. Source: Circle's Post-Quantum Security Roadmap paper.

The first phase is "prepare now." Its goal is not to abolish ECDSA immediately but to leave developers and users a migration path. Arc will support SLH-DSA-SHA2-128s post-quantum signature verification on mainnet, so smart accounts can verify post-quantum signatures on-chain. In plain terms, Arc first teaches its smart contracts to recognize the new locks, while native transaction signatures keep ECDSA for now, because post-quantum signatures are larger and slower to verify (an SLH-DSA-SHA2-128s signature is 7,856 bytes, against 65 bytes for an Ethereum ECDSA signature), which hurts throughput and user experience.

At the same time, Arc will support encrypting transaction memos with X-Wing HPKE (X-Wing is a hybrid KEM combining ML-KEM-768 with X25519) and will protect transaction contents, contract state, and execution traces through private execution environments. Circle puts this part first because the "recorded today, decrypted later" privacy risk is irreversible: signatures can be upgraded later, but data that has already leaked can never be made private again.

At the account level, Circle also proposes several transition tools: using EIP-4337 account abstraction so smart accounts can verify post-quantum signatures; a hash-and-rotate scheme that stores only the hash of a public key on-chain, shrinking the window in which the plaintext public key is exposed; and a post-quantum public-key registry that lets users pre-bind their addresses to post-quantum public keys. The common goal is to let users prepare their accounts for migration without waiting for the underlying protocol to be fully reworked.
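As an added illustration of the hash-and-rotate idea and of on-chain verification of a hash-based signature (this is example code, not Circle's or Arc's implementation): a Lamport one-time signature over SHA-256 stands in for SLH-DSA, which is also hash-based, and a Python class plays the smart account. The chain stores only the hash of the current public key; a spend reveals the key, a signature, and the hash of the next key, and the account rotates to that hash, so the revealed key can never authorize a second spend. Binding the next commitment and a nonce into the signed message is a design choice of this example, not something the page specifies; the payload is constructed.

```python
"""Hash-and-rotate smart account with a hash-based one-time signature (added example)."""
import hashlib
import secrets

N = 256  # a Lamport key pair signs one 256-bit digest, and must be used only once


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def keygen():
    """Lamport OTS: 2*N random 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(sha256(s0), sha256(s1)) for s0, s1 in sk]
    return sk, pk


def commitment(pk) -> bytes:
    """What the chain stores: one hash over the whole public key, never the key itself."""
    return sha256(*(h for pair in pk for h in pair))


def digest_bits(msg: bytes):
    d = int.from_bytes(sha256(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret matching that bit's value.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(sha256(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


class HashAndRotateAccount:
    """Toy smart account. On-chain state: H(current pk) and a nonce."""

    def __init__(self, first_commitment: bytes):
        self.commitment = first_commitment
        self.nonce = 0

    @staticmethod
    def signing_message(nonce: int, next_commitment: bytes, payload: bytes) -> bytes:
        # The signature covers the *next* commitment so a relayer cannot swap in its own
        # key hash while the transaction is in flight (assumption of this example).
        return sha256(nonce.to_bytes(8, "big"), next_commitment, payload)

    def spend(self, pk, sig, next_commitment: bytes, payload: bytes) -> bool:
        # 1. The revealed key must be the one committed on-chain.
        if commitment(pk) != self.commitment:
            return False
        # 2. The signature must verify under that key over (nonce, next hash, payload).
        if not verify(pk, self.signing_message(self.nonce, next_commitment, payload), sig):
            return False
        # 3. Rotate: the now-public key is burned; only the next hash stays on-chain.
        self.commitment = next_commitment
        self.nonce += 1
        return True


def make_spend(acct, sk, pk, next_pk, payload: bytes):
    """Wallet side: build (pk, sig, next_commitment) for one spend from this account."""
    nxt = commitment(next_pk)
    sig = sign(sk, HashAndRotateAccount.signing_message(acct.nonce, nxt, payload))
    return pk, sig, nxt


def demo():
    sk1, pk1 = keygen()
    _sk2, pk2 = keygen()
    acct = HashAndRotateAccount(commitment(pk1))
    payload = b"transfer 100 USDC to account 42"  # constructed sample payload
    args = make_spend(acct, sk1, pk1, pk2, payload)
    first_ok = acct.spend(*args, payload)
    replayed = acct.spend(*args, payload)  # same revealed key again: rejected
    return first_ok, replayed, acct.commitment == commitment(pk2), acct.nonce


if __name__ == "__main__":
    print(demo())
```

The replay is rejected at step 1, before any signature check, because the commitment has already rotated; tampering with the payload is rejected at step 2. A real deployment would use SLH-DSA (whose keys are reusable) and would have to size gas for its much larger signatures, which the toy ignores.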

The second phase is the "hybrid transition," the most realistic and the most complex. For a period the USDC smart contract will accept both classical and post-quantum signatures, and once the ecosystem is ready a switch reserved for that purpose will disable classical signatures. Circle also plans to move cold-storage funds into multi-signature smart contracts so it can accommodate both the migration pace of different chains and different post-quantum signature algorithms. Because the USDC contract is deployed on more than 30 chains, Circle does not face a single chain upgrade but a fragmentation problem, with each ecosystem choosing its algorithms and timelines independently.

The paper gives particular attention to ecrecover. Many EVM contracts use ecrecover to verify ECDSA signatures, and many of them are not upgradable. Simply disabling ecrecover would break many existing applications; leaving it running leaves the door open to quantum forgery. Circle proposes one promising option: changing the behavior of ecrecover at the protocol layer through a hard fork so that it can verify post-quantum signatures while keeping the old ABI. The practical value is that this serves not only new contracts but leaves a migration path for old contracts that are already deployed and hard to modify.

The transition phase also covers more basic infrastructure. Circle needs to review its internal cryptographic stack, assess whether dependencies such as cloud providers, HSMs, KMS, TEEs, libp2p, and TLS are post-quantum ready, and rotate keys in the correct order. The paper warns that if key A protects key B, and key B protects key C, then A must be rotated first, then B, and finally C: a key re-wrapped under a protector that is still classical remains recoverable by anyone who recorded the wrapped blob. Get the order wrong and, even with a post-quantum algorithm in place, previously intercepted ciphertext can still be exposed later.
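The ordering rule above is a topological order over the "protects" graph, roots first. The following is an added example (not Circle's tooling) that computes that order for a constructed key-protection graph and audits a hand-written rotation plan for keys rotated before their protectors; the key names and edges are invented for illustration.

```python
"""Rotation ordering over a key-protection graph (added example, constructed data)."""
from collections import deque

# Constructed sample: an edge parent -> child means the parent key wraps (protects) the child.
PROTECTS = {
    "hsm_root": {"kms_master"},
    "kms_master": {"signing_key_wrap", "tls_server_key"},
    "signing_key_wrap": {"validator_key", "custody_key"},
}


def all_keys(protects):
    return set(protects) | {c for children in protects.values() for c in children}


def rotation_order(protects):
    """Roots-first topological order (Kahn's algorithm). Raises on a cycle."""
    keys = all_keys(protects)
    indeg = {k: 0 for k in keys}
    for children in protects.values():
        for c in children:
            indeg[c] += 1
    ready = deque(sorted(k for k in keys if indeg[k] == 0))  # sorted for determinism
    order = []
    while ready:
        k = ready.popleft()
        order.append(k)
        for c in sorted(protects.get(k, ())):
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    if len(order) != len(keys):
        # A cycle (A wraps B, B wraps A) has no safe order; it must be broken by design.
        raise ValueError(f"cycle in protection graph among {sorted(keys - set(order))}")
    return order


def check_order(protects, proposed):
    """Audit a human-written plan: keys never rotated, or rotated before a protector."""
    pos = {k: i for i, k in enumerate(proposed)}
    problems = [f"{k} never rotated" for k in sorted(all_keys(protects) - set(proposed))]
    for parent, children in protects.items():
        for child in sorted(children):
            if parent in pos and child in pos and pos[child] < pos[parent]:
                problems.append(f"{child} rotated before its protector {parent}")
    return problems


if __name__ == "__main__":
    plan = rotation_order(PROTECTS)
    print("safe order:", plan)
    print("leaf-first plan problems:", check_order(PROTECTS, list(reversed(plan))))
```

The leaf-first plan that a team might write intuitively ("rotate the signing keys first, they matter most") is flagged on every edge, because each re-wrapped key would sit under a protector that is still classical.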

The third phase is the "final switch." Only when the ecosystem, regulators, hardware wallets, cloud providers, and blockchain infrastructure are all ready will Circle make a genuine hard switch. At that point Arc and the USDC contract may reject ECDSA signatures and validator signatures will move to post-quantum schemes. If some chains carrying USDC cannot meet adequate post-quantum security requirements over the long term, Circle may even consider suspending certain contract functions or withdrawing support, to avoid exposing user assets to quantum forgery.

What to do with old accounts is the hardest problem

The final switch also brings the thorniest problem: what happens to assets in accounts that never migrated? Circle's position is that freezing insecure accounts is meant to prevent theft and should not automatically amount to confiscation. In other words, "halting control by old signatures" and "denying the holder's economic rights" must be handled separately. The paper therefore puts real weight on account recovery: migration to Arc, recovery via mnemonic phrases combined with zero-knowledge proofs, recovery via TEE attestations, and, in limited cases, recovery via off-chain legal documents, custodian or exchange attestations, or inheritance documents.

This raises the policy question the paper dwells on. In the post-quantum era a classical signature may no longer prove ownership, and KYC does not necessarily show who stands behind an anonymous address. Circle argues regulators need to settle in advance how users are notified before the migration deadline, what evidence suffices to prove ownership, how long assets stay frozen before they count as unclaimed, and how rules on inheritance, sanctions, anti-money-laundering, and court orders apply. The paper concludes that the industry may still have a 5-to-10-year window to establish these rules.

The paper also makes a sober judgment: migrating too fast can create bigger risks than it removes. If a company currently keeps private keys in HSMs but, to get post-quantum signatures quickly, exports those keys to ordinary CPUs for signing, it has just made them far easier for conventional attackers to steal. Circle's position is that post-quantum migration needs early preparation, but today's security must not be lowered for the sake of appearing "secure."

In short, Circle is not saying "quantum computers will break blockchains tomorrow," but that financial infrastructure cannot wait for proof that the locks have failed before changing them. For USDC in particular, a stablecoin running on more than 30 chains, the real challenge is not just picking a new algorithm but getting wallets, contracts, custodians, validators, cloud providers, regulators, and users through the migration together.

Quantum attacks are not yet real, but the costs of migration already are.
