
Author|0xjacobzhao @ IOSG
Assuming in the early hours of a certain day in 203X, the chain monitoring alarms suddenly tear apart the tranquility: a batch of early BTC addresses that had been dormant for over a decade begin to ghostly transfer assets. There is no hacker intrusion, no private key leakage, only "legitimate" signatures generated out of thin air. As high-value dormant UTXOs are consecutively emptied, the market finally awakens from its dream: an unknown quantum computing entity has been able to reverse engineer private keys from historically exposed public keys. Panic instantly pierces the market, deep in the dark web, a ten-year stockpile of "harvest first, decrypt later" public key databases is being frantically auctioned, waiting for computational power to manifest wealth. Meanwhile, the Bitcoin community finds itself in an unprecedented faith schism: in the face of dormant coins plundered by quantum computing, should one stick to the immutable bottom line of "code is law," or impose soft forks to forcibly freeze residual assets? The collision between property rights narratives and survival principles completely ignites the governance deadlock. On that day, blocks are still produced in sequence, the network has not paused for a second, quantum computing has not erased everything's apocalyptic magic, but it pushes the entire Web3 ecosystem into a long game of cryptographic reconstruction and consensus abyss.
Quantum computing is often interpreted as the "Sword of Damocles" hanging over blockchain. Rethinking the greatest "security debt" the Web3 world is about to face, we find that the impact of quantum threats on blockchain is essentially an extreme stress test of its three foundational architectures: "ledger transparency, irreversible assets, and self-managed private keys." As the dawn of fault-tolerant quantum computers (CRQC) begins to shine, the industry faces the challenge of how to traverse the extremely complex social consensus and governance game within the remaining 5 to 8 years of "engineering comfort window" before Q-Day arrives.
Quantum Computing: Technical Principles, Value, and Threats
Quantum computing is a new computing paradigm based on the principles of quantum mechanics. It uses quantum bits (qubits) as information carriers, breaking through the binary limit that classical bits can only represent 0 or 1, utilizing quantum properties such as superposition, entanglement, interference, and measurement to achieve computational efficiencies unattainable by classical computation:
Superposition — Expanding state space: Qubits can exist in a linear combination of 0 and 1.
Quantum Entanglement — Establishing global correlations: The non-local strong correlation formed between multiple qubits.
Quantum Interference — Manipulating probability amplitudes: The essence of quantum algorithm acceleration, making the probability amplitude of incorrect answers cancel (destructive interference), while amplifying the probability amplitude of correct answers (constructive interference).
Quantum Measurement — Converging quantum states into a classical result; the core of the quantum algorithm is not to "read out all answers" but to make the correct answer appear with a higher probability during measurement.

Figure 1: The Four Pillars of Quantum Computing
(①) Superposition extends the state space — Qubits exist in a continuous mixture of |0⟩ and |1⟩ on the Bloch sphere.
(②) Entanglement creates non-local correlations; measuring one qubit immediately determines its partner.
(③) Interference is the engine of acceleration: the amplitude of incorrect answers cancels, while the amplitude of correct answers increases.
(④) Measurement collapses the quantum state into a single classical result — the algorithm's task is to make the correct result appear with overwhelming probability beforehand.
The Two Core Algorithms of Quantum Computing: Shor’s “Dimensionality Reduction” and Grover’s “Brute Force Acceleration”
Shor's Algorithm (1994): “Dimensionality Reduction” for Public Key Cryptography: Shor's algorithm can directly "see through" the mathematical rules of large integer factorization and discrete logarithms using quantum properties, thereby completely destroying the trust cornerstones of modern internet and blockchain systems like RSA and elliptic curves (ECC); however, due to the overhead of quantum error correction in practice, cracking mainstream encryption still requires millions of physical qubits, and the threshold may be significantly lowered under more aggressive algorithm optimizations.
Grover’s Algorithm (1996): The “Brute Force Accelerator” for Symmetric Encryption: Grover's algorithm does not directly break cryptographic structures; instead, it accelerates the speed of a computer "guessing the password" to a square root level (for example, directly halving the security strength of 128-bit encryption to 64 bits); its threat is far less lethal than Shor's and can be simply and roughly countered — usually by using longer keys, longer hash outputs, or higher security parameters to restore security margins (e.g., upgrading to AES-256 or SHA-512).

Figure 2: The Two Core Algorithms of Quantum Computing: Shor’s Algorithm and Grover’s Algorithm
The Commercialization Path of Quantum Computing: Five Major Technological Camps Competing
No single quantum bit technology has established a clear engineering advantage. Currently, there are five routes for commercialization, each with its strengths and weaknesses.

The Positive Value and Negative Threats of Quantum Computing
The core value of quantum computing lies in breaking through the capability boundaries of classical computing in specific complex problems, driving foundational scientific and engineering fields to achieve paradigm-level leaps. Its positive value mainly focuses on two major directions: one is the simulation of complex quantum systems, including quantum chemistry, drug development, new materials, and energy technologies; the second is solving high-complexity optimization problems, including logistics, finance, supply chains, chip design, and industrial scheduling. Among these, quantum simulation is widely regarded as a more deterministic long-term application scenario, while complex optimization is still in the exploration and validation stage. Currently, quantum computing is at a critical stage of transitioning from laboratory prototypes to engineering applications, where decoherence, physical noise, error correction overhead, and system scalability are still the core barriers to crossing the industrialization chasm.
Quantum threats fundamentally target the foundation of modern public key cryptography and spread layer by layer along the logic of "data lifespan × migration difficulty × attack yield": national security, military, and intelligence systems are the first to bear the brunt, facing the strategic-level risk of "collect now, decrypt later" (HNDL); financial and payment infrastructures, due to their deep reliance on TLS, HSM, and identity authentication systems, will be the first to enter the compliance migration track; the root of internet trust and the blockchain/Web3 ecosystem face multiple systemic risks including code signing, cloud key management (KMS), irreversible on-chain assets, and governance migration; while fields such as healthcare, energy, industrial controls, and IoT, due to long device lifecycles and narrow upgrade windows, will create long-term and difficult-to-reduce tail risks.

Time Window and Planning Rule: Q-Day and Mosca Inequality
Q-Day refers to the time when quantum computers first acquire practical capabilities to break mainstream public key cryptography. It is not a fixed date but a probabilistic range influenced by hardware advances, error correction capabilities, algorithm optimization, and the confidentiality of national projects. Current mainstream expectations are largely concentrated between 2035–2045, with rapid scenarios possibly bringing it to 2030–2035, and before 2030, it remains a low-probability tail risk.
Mosca Inequality X + Y > Z explains why even if Q-Day is not near, post-quantum migration still has real urgency. Here, X is the time for data to remain confidential, Y is the time required to complete encryption migration, and Z is the remaining time until Q-Day. As long as the sum of the data lifecycle and migration cycle exceeds the remaining time until Q-Day, the system has already entered a migration lag zone: today’s collected data could potentially be decrypted by quantum computing in the future. Therefore, quantum-resistant security is not an emergency project after Q-Day arrives, but a long-term infrastructure migration that must be initiated in advance.

Figure 3: Expert Q-Day forecast distribution in 2026. Each bar shows a reasonable window from a single source; dots mark central estimates.
Color coding represents speaking categories: red = radical industry; orange = benchmark survey/consensus; blue = hardware roadmap; green = skeptics.
Post-Quantum Cryptography (PQC): Technical Routes, Standardization, and Industry Migration Overview
Post-Quantum Cryptography (PQC), also known as quantum-resistant or quantum-safe cryptography, is a new generation of cryptographic algorithm systems designed to withstand attacks from future quantum computers. Its core characteristics include operating on existing classical computing architectures while ensuring security based on mathematical problems that quantum computers would also struggle to solve efficiently. PQC has become the most realistic and scalable deployment potential for quantum migration in global digital infrastructures.
Mainstream Technical Routes: Lattice-Based and Hash-Based Signatures Stand Strong
Current research and implementation of PQC mainly focus on several major mathematical camps:
Lattice-Based Cryptography: Security is established on high-dimensional lattice problems (such as Module-LWE), providing both efficiency and security; this is the core direction for standardization and engineering implementation, with representative algorithms being ML-KEM and ML-DSA.
Hash-Based Signatures: Relying solely on the collision resistance of hash functions, with minimal and extremely conservative mathematical assumptions, the standard for this is SLH-DSA.
Other Routes: Code-Based Cryptography (HQC) was selected by NIST as the fifth PQC algorithm in March 2025, serving as a non-lattice-based backup for ML-KEM, with draft standards expected in 2026 and formal standards in 2027; while multivariate and isogeny-based cryptography have not yet entered the first batch of NIST standardization due to security or efficiency issues, with the isogeny route facing significant setbacks due to the attack on the SIKE algorithm.
Standardization Milestones: NIST Establishes "One Encapsulation, Two Signatures" Pattern
The FIPS standardization process led by the National Institute of Standards and Technology (NIST) is a key turning point in advancing PQC from theory to application. In August 2024, NIST officially released three core standards, establishing the basic divisions of PQC migration:
FIPS 203 (ML-KEM): Key encapsulation mechanism (KEM) based on lattice problems, responsible for key exchange;
FIPS 204 (ML-DSA): Digital signature algorithm based on lattice cryptography, responsible for general digital signatures;
FIPS 205 (SLH-DSA): Digital signature algorithm based on stateless hashing, provided as an alternative for high-security level signatures.
Industry Implementation Eco-System: Three-Layer Architecture of Mainstream, Transitional, and Auxiliary
In addition to core algorithms, the construction of a quantum-resistant security system also relies on multi-level engineering strategies:
Hybrid Deployment: Utilizing a "traditional algorithm (such as ECC/RSA) + PQC" parallel signing/encryption model as a risk hedging approach in the early stages of migration, ensuring that even if the new algorithm has unknown vulnerabilities, traditional algorithms still provide baseline security.
Crypto-agility: By architectural design, enabling systems to have the capability to quickly replace, upgrade, or roll back algorithms to address potential risks of algorithm breaches in the future.
Auxiliary Enhancement Technologies: Including Quantum Key Distribution (QKD) (suitable for governmental/military intranets, but cannot replace internet signature verification), Quantum Random Number Generation (QRNG), and Hardware Security Modules (HSM/Secure Enclave), used to enhance the quality of random numbers and the security of key storage.

Figure 4: Overview of the Quantum Resistant Route
Quantum Risks and Quantum Practices in the Blockchain Industry
Blockchain is not the primary target of quantum threats, but it is the most valuable "stress test" scenario for research. Compared to traditional Web2, which relies on centralized mechanisms (such as certificate rotation and account freezing) to buffer data leak risks, blockchain directly and immediately transforms the underlying cryptographic crisis into asset loss and governance deadlock. Its underlying architecture's "triple irreversibility" — permanently public ledgers, irreversible asset transfers, and self-managed private keys, has exposed assets with public keys to the potential of private key recovery and signature forgery, with no centralized fallback. More critically, the elliptic curves and BLS signature systems heavily relied upon by mainstream public chains face structural collapse in the face of Shor's algorithm; once fault-tolerant quantum computers (CRQC) emerge, attackers can derive private keys and forge signatures from the publicly exposed keys on the chain, fundamentally shaking the trust cornerstone of blockchain.

Threat Map of Cryptographic Components in Blockchain Systems
For the blockchain industry, the core proposition is not to deal with current hackers but to initiate a "migration countdown" in a race against time. Quantum computing will not instantaneously destroy blockchain, but it will force the industry to undergo a more arduous underlying cryptographic reconstruction than Web2. The real risk lies not in the absence of standardized post-quantum algorithms but in whether the entire ecosystem can complete a full-link coordinated migration from the underlying protocols to existing assets before Q-Day (the time critical point when fault-tolerant quantum computers have practical hacking capabilities).
In this process, quantum threats do not arrive uniformly but sequentially propagate along the five-layer architecture of "assets, protocols, infrastructure, applications, governance." The most critical insight is: high-value infrastructure layers (like exchanges, custodians, cross-chain bridges) will feel pressure before L1 main net protocols; while the ultimate bottleneck determining the success or failure of this full-link migration is not the replacement of cryptographic technology, but the extremely complex social consensus and governance game.

Bitcoin and Ethereum's Quantum Practices
Bitcoin's Quantum Risk: Public Key Exposure, Signature Inflation, and Governance Friction
The quantum risk of Bitcoin is not evenly distributed across all BTC but highly depends on whether the public key has been exposed on-chain. The real high risk is not all UTXOs on the network but is concentrated on early legacy outputs, addresses with exposed public keys that still have balances, and high-value UTXOs that have been dormant for a long time. Bitcoin's hash components (SHA-256, SHA256d, and RIPEMD-160) primarily face a lowering of security margins due to Grover's algorithm, rather than a structural collapse like ECDSA / Schnorr facing Shor's algorithm.
High Risk: UTXOs with Static Public Key Exposure: Early P2PK, Taproot (P2TR) outputs, and P2PKH/P2WPKH addresses that have been spent, reused, and still hold balances. Their complete public keys have been permanently exposed on-chain and will be directly breached by Shor's algorithm once CRQC emerges.
Medium Risk: UTXOs whose public keys are not yet exposed but will be in the future: Unspent and unreused P2PKH/P2WPKH addresses, which only have their public key hashes exposed on-chain; the risk exists only within a short "quantum sprint window" of future transaction broadcasts until confirmation.
Low Risk: Assets migrated to quantum-resistant addresses: Future assets migrated to quantum-resistant (PQ) addresses through soft forks will significantly reduce risk, but this largely depends on the long-term collaborative upgrades of the entire ecosystem.
Engineering Challenges: Signature Inflation and the "Soft Fork Priority" Pathway
Under Bitcoin's governance structure, a one-time hard fork to eliminate ECDSA / Schnorr has extremely high political costs. Introducing new quantum-safe output types through soft forks is one of the more realistic progressive paths. Current discussions related to this include draft proposals such as BIP-360 / P2MR (Pay-to-Merkle-Root), but it still has a long way to go before achieving consensus and activation across the network.
This approach incurs high "engineering taxes": the current ECDSA / Schnorr signature is about 64–72 bytes, while the candidate ML-DSA (2.4–4.6 KB) and SLH-DSA (7–49 KB) see massive growth in size. This magnitude of inflation will trigger systemic chain reactions: directly increasing block weights and fees, exacerbating node storage and bandwidth burdens, leading to a significantly worsened UTXO set and wallet UX, ultimately creating negative feedback that further increases resistance to the quantum migration across the network.
More importantly, Bitcoin lacks rapid algorithm switching capabilities. It cannot update certificates or replace algorithms as a single entity like centralized systems can, but requires consensus rules, address formats, wallets, mining pools, exchanges, custodians, and hardware wallets to synchronously adapt. Therefore, quantum migration is not a single-point technological upgrade but a long-term coordinated engineering effort across the entire ecosystem.
Governance Game: The "Value Dilemma" of Legacy UTXOs
Even if PQ addresses are successfully launched, how to deal with long-term un-migrated legacy UTXOs, including those typically considered to belong to Satoshi Nakamoto's era of early long-dormant BTC, remains the ultimate challenge. Both extreme proposals conflict with Bitcoin's core values:
Inaction: Legacy coins will become "free lunch" for the first attacker who possesses CRQC capabilities, triggering market panic.
Forced freeze/cancellation: Directly contradicts the property principle and immutable narrative of "Not your keys, not your coins," easily tearing community consensus and even leading to chain forks.
A pragmatic middle path is to promote a long-term "Legacy Sunset" mechanism: through long-term warnings about deprecation, gradually increasing friction in spending old outputs, ultimately imposing constraints through soft forks under multi-party coordination. Discussions like BIP-361 regarding legacy signature sunset are essentially exploring this path.
Therefore, Bitcoin's migration is fundamentally not a cryptographic issue. PQ algorithms already exist and can be integrated; the real bottleneck lies in social consensus around immutability, property rights, and the legality of "declaring assets as quantum insecure." In other words, Bitcoin's quantum risk is not an apocalyptic scenario of sudden zeroing out one day, but a gradual process from theoretically feasible and economically expensive to realistically executable; what the industry truly needs to strive for is completing the migration coordination before the attack economics become viable.

Figure 5: Bitcoin Quantum Migration: A Long-Term Governance Process
Ethereum's Quantum Migration — Full Stack Reconstruction and "Lean" Roadmap
Ethereum is actively responding to quantum threats. Led by the Ethereum Foundation (EF) Post-Quantum team (https://pq.ethereum.org/), it is steadily advancing through open governance processes such as All Core Devs. Its core strategy is not to "place a one-time bet on a single quantum-resistant (PQ) algorithm," but to comprehensively enhance the network’s cryptographic agility — ensuring that account authentication, consensus signatures, proof systems, and data layer commitments have long-term replaceable, upgradable, and verifiable capabilities.
Ethereum's quantum risk is highly concentrated on four major cryptographic components: EOA accounts (ECDSA/secp256k1), validator consensus (BLS signatures), data availability (KZG commitments), and some ZK proof systems. To address this, EF has designed a "Lean" roadmap that progresses in parallel along execution, consensus, and data tracks.
Execution Layer (User Accounts): AA Buffers and L2 Testbeds
Faced with massive EOAs, direct hard forks encounter great resistance. Ethereum utilizes account abstraction (e.g., ERC-4337 and EIP-7702) to grant smart contract wallets "signature agility," supporting hybrid signatures and progressive migration, avoiding a forced coordination across the network. At the same time, L2 has become a natural testbed for PQ deployment due to its flexible governance;
Consensus Layer (Validator Signatures): leanXMSS and leanVM's "Combination Attack"
Aiming to completely replace BLS signatures that rely on elliptic curve pairing. The core strategy is to use hash-based leanXMSS, combined with a minimalist zkVM (leanVM) for SNARK aggregation. A key engineering breakthrough: leanVM is expected to compress the massive hash signature data by about 250 times, mitigating PQ signature volume inflation while maintaining the expansion advantages of "multi-signature integration" as it enters the post-quantum era.
Data Layer (Blob, DA, and KZG): Long-Term Reconstruction of Underlying Commitments
Under CRQC conditions, the underlying security assumptions of KZG still need to be reassessed and gradually migrated to more PQ-friendly commitments or proof systems. The ultimate direction is to evolve towards hash-based STARK or lattice-based commitment schemes. This is a multi-year protocol-level bottom reconstruction rather than an immediate failure.
Additionally, Ethereum's quantum risks are not evenly distributed. EOAs form the largest value pool; exchanges, bridges, custodial hot wallets, governance/upgrade keys, L2 sequencers, and admin keys represent high-value operational keys that may come under pressure before the protocols themselves. Overall, Ethereum's quantum migration is not a single-point signature replacement but a multi-year full stack engineering effort involving accounts, consensus, DA, ZK, L2, bridges, custodians, and formal verification.

Figure 6: Ethereum Post-Quantum Migration: Execution (User Accounts), Consensus (Validator Signatures), and Data (Commitments and Proofs).

Comparative Overview of Bitcoin and Ethereum Post-Quantum Migrations
Theoretically, all public chains reliant on traditional public key cryptography face quantum risks. However, those that pose systemic challenges for quantum migration are mainly Bitcoin and Ethereum: the former involves legacy UTXOs, immutability, and property governance, while the latter involves full stack reconstruction of accounts, consensus, DA, ZK, and L2. Other public chains are better suited as complementary references for technological pathways and risk scenarios.
Solana represents engineering explorations of PQ signature verification costs for high-throughput chains; its community has discussed Falcon-512 / FN-DSA verification syscall, but this remains an exploratory complement and does not replace the existing Ed25519 nor represent an official migration route for Solana;
Starknet / STARK represents a more PQ-friendly ZK route for hash-based proof systems. Compared to SNARK systems relying on pairing / KZG, STARK's underlying proof mechanism is better suited for post-quantum ZK directions; however, this does not mean the entire Starknet network is quantum-safe, as wallet signatures, hash parameters, bridging mechanisms, and Ethereum L1 settlement still need synchronous migration.
QRL, Quantus, Abelian and other native or quasi-native PQ chains provide clean-slate post-quantum design references: QRL represents early hash-based signature routes, Quantus represents a native PQ L1 in the new generation of NIST PQC narrative, while Abelian is inclined towards lattice-based privacy-preserving L1. They offer feasible pathways to "build quantum-resistant chains from day one," but the network effects, liquidity, and application ecology are still far weaker than BTC / ETH, making them better suited as technical specimens.
Conclusion: Maturity of Security Debt and the Entire Ecosystem's "Q-Day" Countdown
Quantum computing is not the "apocalyptic weapon" that ends blockchain, but a systematic reset of modern public key cryptography. The core threat lies in the large-scale fault-tolerant quantum computers (CRQC) that will have strategic-level cracking capabilities in the future. The real risk for the industry does not stem from a lack of post-quantum algorithms (PQC) but from whether the entire Web3 ecosystem can complete a full-link coordinated migration before Q-Day (the critical point for quantum cracking). In the short to medium term, the risk of existing signature systems becoming ineffective and the high costs of full-stack upgrades compose a heavy "security debt"; in the long run, survival pressures will transform into industry catalysts, directly driving new safety infrastructure tracks such as PQ hybrid wallets, quantum-resistant institutional custody, quantum risk radar, and PQ signature aggregation.
Although the macro preparation period may last 5–15 years, the truly comfortable "engineering comfort window" is only 5–8 years remaining. This requires the entire link (from BIP/EIP proposals, node implementation, wallet adaptation to exchanges and custodial institution compliance upgrades) to be highly coordinated. More importantly, market repricing may occur before Q-Day itself: once predictions for quantum resources continuously lower, hardware roadmaps accelerate significantly, or regulatory agencies and large custodians raise PQC compliance requirements, the market may preemptively reassess the cryptographic security models of blockchain assets. During this window period, the two main ecosystems will face entirely different ultimate tests:
Bitcoin: The core challenge is not cryptography but global social consensus and property governance. How to handle long-dormant legacy UTXOs with exposed public keys is a political game concerning the baseline of the "immutability" narrative.
Ethereum: The core challenge lies in the engineering complexity of multi-layer protocols and the full-stack ecosystem. How to complete cryptographic replacements across layers of accounts, consensus, DA, and ZK without causing network paralysis, while mitigating signature volume inflation.
In long-term asset allocation, post-quantum governance friction constitutes BTC's "structural tail risk," but it is by no means a reason to be bearish at present. Its "difficulty to change" conservative governance presents a double-edged sword effect: it is both the greatest resistance to quantum migration and the core moat that preserves its narrative of value storage and defends against centralized interventions, requiring investors to abandon the static belief that "BTC never needs major upgrades." In the future, if any of the following scenarios occur — the Q-Day timeline is significantly advanced, the community refuses to promote PQ migration while the peripheral ecosystem has already acted first, high-value exposed public key UTXOs trigger panic sell-offs, or the disposal of legacy assets becomes completely split — the market will reassess BTC's security model and underlying consensus.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。