
No longer just theoretical, quantum computers pose important questions for blockchains. In our report, Citi: Quantum Threat - The Trillion-Dollar Security Race Is On, we highlight how rapid advances in hardware, improved post-quantum cryptography (PQC) standards and rising regulatory demands are making quantum preparedness a priority.
Ronit Ghose, Head of Citi Institute’s Future of Finance team, recently sat down with Thomas Coratger, Lead of the Post Quantum Team at the Ethereum Foundation, to discuss how quantum could challenge today’s cryptography and where the immediate risks lie.
This is the first in a two-part series on quantum risk and opportunities for blockchains. Part two will explore potential solutions, implementation paths and implications for post-quantum security.
How do advances in quantum computing currently challenge cryptographic security?
Advances in quantum computing primarily challenge the public-key cryptography that underpins authentication, secure communication and identity. Many widely deployed encryption schemes rely on mathematical problems that a sufficiently powerful quantum computer could solve.
Public-key encryption protects data in transit, but encrypted traffic captured today could be decrypted in the future once quantum capabilities exist. This “harvest now, decrypt later” dynamic creates long-term exposure for sensitive information with long lifetimes, such as government data, intellectual property, health records and private communications.
There are also systemic effects. Many protocols assume keys remain secure for decades and that cryptographic building blocks change slowly. Quantum progress challenges those assumptions, forcing organizations to design for faster algorithm replacement, hybrid deployments and long migration timelines. Systems with hard-coded cryptography, embedded devices or limited upgrade paths are particularly vulnerable as they cannot adapt easily.
At a high level, blockchains use cryptography to replace centralized trust with verifiable mathematical guarantees. Digital signatures, cryptographic hashing and structured key management help secure ownership, authorize transactions and maintain consensus across independent participants.
In most blockchains, ownership of assets is defined by control of a private key. An address is derived from a public key (or its hash), and possession of the private key gives the holder the exclusive ability to authorize transfers.
When a user transfers assets or interacts with a smart contract, they create a transaction and sign it with their private key. Network participants verify the signature using the public key. This ensures only the legitimate key holder can authorize changes to balances or contract state. Without digital signatures, there would be no reliable way to distinguish valid instructions from malicious ones.
The immediate impact would be on user keys, because they directly control ownership of assets. If a private key can be derived from a public key, an attacker could sign transactions and transfer funds without changing any protocol rules. This makes user accounts the fastest path from a cryptographic break to visible financial loss.
High-value operational keys would be similarly critical. Keys controlling exchanges, custodians or administrative functions concentrate large amounts of value or authority, so a single compromise could have significant systemic effects.
Protocol rules themselves would not be immediately broken by a quantum attack. They would continue functioning as designed; the problem is that attackers could produce valid-looking signatures within those rules. Governance mechanisms could also be affected indirectly if the keys controlling them were compromised.
A useful distinction is between quantum advantage (already demonstrated for specialized problems) and cryptographic relevance, meaning the ability to break widely deployed public-key systems such as RSA or elliptic-curve cryptography.
Most engineering roadmaps place cryptographic relevance in the early-to-mid 2030s, assuming continued progress in error correction, scaling and manufacturing. Breaking elliptic-curve cryptography would require thousands of stable logical qubits and sustained fault-tolerant operation, far beyond current machines. Most roadmaps estimate quantum systems could break current encryption in the early-to-mid 2030s.
However, timelines remain uncertain for two reasons.
First, scaling is now largely an engineering challenge rather than a purely scientific one. Once fault-tolerant error-correction thresholds are reliably achieved, development could accelerate rapidly, potentially following industrial manufacturing-style scaling curves.
Second, quantum capability will likely emerge gradually, rather than suddenly. Early machines may only be able to attack a limited number of high-value targets with long runtimes, rather than breaking all encryption overnight.
The important point is lead time. Upgrading global digital infrastructure, especially decentralized systems, takes many years. Even if a cryptographically relevant machine is eight to 12 years away, preparation must begin now.
In blockchains, “harvest now, decrypt later” (HNDL) mainly affects confidentiality, not ownership. Blockchains are primarily integrity systems built on digital signatures, so recording transactions today does not allow retroactive theft of funds.
Where HNDL clearly applies is to encrypted data such as private communications and other sensitive off-chain data. If captured today, this information could be decrypted once quantum capabilities exist.
For signatures and user funds, the risk is forward-looking rather than retroactive. Once a cryptographically relevant quantum computer exists, exposed public keys could allow private keys to be derived and new transactions authorized, though past transactions remain unaffected.
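The two points above (an address is derived from a hash of the public key; spending reveals that public key so verifiers can check the signature) can be turned into a simple exposure inventory. The following is an added illustration, not code from Citi or the Ethereum Foundation: it uses a constructed toy ledger in which addresses are SHA-256 hashes of public keys and a transfer reveals the sender's key, and it reports how much value sits at addresses whose public key is already visible on-chain (the forward-looking risk described above) versus addresses still shielded behind a hash.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for pay-to-public-key-hash: the address is a hash of the
# public key, so the key itself stays hidden until the holder first spends.
def address_of(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:16]

@dataclass
class Transfer:
    sender_pubkey: bytes   # revealed on-chain so the signature can be verified
    recipient: str         # only an address; the recipient's key stays hidden
    amount: int

# Constructed sample keys (placeholders, not real key material).
ALICE_PUB = b"constructed-pubkey-alice"
BOB_PUB = b"constructed-pubkey-bob"
CAROL_PUB = b"constructed-pubkey-carol"

INITIAL_BALANCES = {address_of(ALICE_PUB): 100,
                    address_of(BOB_PUB): 50,
                    address_of(CAROL_PUB): 25}

SAMPLE_LEDGER = [
    Transfer(ALICE_PUB, address_of(BOB_PUB), 30),    # Alice's key is now public
    Transfer(BOB_PUB, address_of(CAROL_PUB), 10),    # Bob's key is now public
]                                                     # Carol never spends

def apply_ledger(initial, ledger):
    """Replay transfers; return final balances and the set of exposed addresses."""
    balances = dict(initial)
    exposed = set()
    for tx in ledger:
        sender = address_of(tx.sender_pubkey)
        if balances.get(sender, 0) < tx.amount:
            raise ValueError(f"insufficient funds at {sender}")
        balances[sender] -= tx.amount
        balances[tx.recipient] = balances.get(tx.recipient, 0) + tx.amount
        exposed.add(sender)   # verifiers saw the key, so it stays exposed forever
    return balances, exposed

def exposure_report(initial, ledger):
    """Split remaining value into 'public key already on-chain' vs 'hash-shielded'."""
    balances, exposed = apply_ledger(initial, ledger)
    at_risk = {a: b for a, b in balances.items() if a in exposed and b > 0}
    shielded = {a: b for a, b in balances.items() if a not in exposed and b > 0}
    return {"exposed": at_risk, "shielded": shielded,
            "exposed_total": sum(at_risk.values()),
            "shielded_total": sum(shielded.values())}
```

Funds left at an address after it has spent (Alice's 70 and Bob's 70 here) are the ones a future key-derivation attack would reach first, which is why inventories of reused, spent-from addresses are a natural starting point for migration planning.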
How do you expect different blockchains to evolve as the quantum era approaches? Are there blind spots the industry assumes are secure?
In my opinion, most blockchains will likely evolve toward cryptographic agility rather than a one-time switch. This means introducing ways to upgrade authentication, running classical and post-quantum schemes in parallel and prioritizing protection of high-value keys and infrastructure.
A common blind spot is assuming “the protocol will upgrade in time”. For upgrades to succeed, wallets, exchanges, custodians, bridges, hardware devices and users must move together. Systems with hard-coded cryptography or weak upgrade paths may be secure today but difficult to transition safely.
Another blind spot is infrastructure outside the base protocol. External systems such as bridges and multi-signature wallets manage large amounts of value with relatively few keys. If these components are not updated along with the main system, they can become weak points.
Yes. Preparing for the quantum era is not only about risk mitigation; it is also an opportunity to modernize core infrastructure and address long-standing scalability and security challenges.
Moving to post-quantum cryptography forces systems to be cryptographically agile. This will help make blockchains more resilient to future breaches, not just quantum ones.
The need to handle larger encrypted data efficiently is driving research in signature aggregation and proof-based compression.
Moving to quantum-safe cryptography encourages rethinking network design and data handling.
This creates an opportunity to make systems simpler and faster, rather than just replacing old technology with new ones. Ideally, this transition will also encourage players to share tools and develop standards.
These cryptographic advances, driven by quantum preparedness, could enable new applications such as more secure digital identities, long-term data archives and infrastructure built for decades of security.
Stay tuned for part two, where we examine realistic post-quantum migration paths and the road to resilient blockchains.
Note: Thomas Coratger spoke in his capacity as lead of the post-quantum team within the Ethereum Foundation’s Protocol group. His views reflect the team’s current research and assessment and do not constitute an official position of the Ethereum Foundation as an organization or a statement on behalf of the Ethereum network.