Somewhere on a blockchain right now, a Bitcoin address that last moved coins in 2015 is sitting with its public key fully exposed, waiting for its owner to return. That owner may have years to act, or may not. A research paper uploaded to arXiv in March 2026 estimates that breaking the elliptic curve signatures protecting wallets like that one would require fewer than 1,200 logical qubits, a figure well below what many cryptographers assumed just five years ago. Meanwhile, the U.S. government has already published the replacement algorithms the crypto industry will need. The gap between “theoretical risk” and “start planning now” is closing faster than most token holders realize.
The new standard is already final
On August 13, 2024, the National Institute of Standards and Technology published three Federal Information Processing Standards capping an eight-year public review of post-quantum cryptography. The most consequential for cryptocurrency is FIPS 204, which establishes the Module-Lattice-Based Digital Signature Standard, known as ML-DSA. Built on the CRYSTALS-Dilithium algorithm, ML-DSA is designed as a direct replacement for ECDSA, Schnorr, and BLS, the three signature schemes that collectively secure nearly every major blockchain in operation.
ECDSA authorizes transactions on Bitcoin and Ethereum. Schnorr signatures arrived on Bitcoin through the 2021 Taproot upgrade. BLS signatures underpin Ethereum’s proof-of-stake consensus layer. All three rely on the difficulty of the elliptic curve discrete logarithm problem, a math puzzle that classical computers cannot solve at scale but that Shor’s algorithm, running on a sufficiently powerful quantum processor, can crack efficiently.
FIPS 204 is not a draft or a recommendation. It is a binding federal standard. U.S. government agencies and their contractors must transition to it, and the broader NIST post-quantum program explicitly encourages private-sector adoption. For blockchain developers, the question of what to migrate to now has an answer backed by years of public cryptanalysis. The harder question is when.
A new paper sharpens the timeline
That question got more urgent in March 2026. A paper titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations,” posted on arXiv, calculates that an attacker running Shor’s algorithm against cryptocurrency-grade elliptic curve cryptography would need fewer than 1,200 logical qubits and fewer than 90 million Toffoli gates. Previous estimates often placed the requirement at several thousand logical qubits or more, pushing the threat horizon comfortably past 2040 in many industry discussions.
The paper has not yet undergone formal peer review, a distinction worth noting. ArXiv, hosted by Cornell University, is a primary distribution channel for physics and computer science research, but preprints there carry less weight than journal-published findings. Still, the authors include a responsible-disclosure discussion, a signal that they consider the timeline serious enough to warrant coordinated industry preparation rather than quiet academic debate.
One critical caveat: logical qubits are not the same as the physical qubits that quantum hardware companies report in press releases. Current error-correction architectures typically require roughly 1,000 physical qubits to produce a single reliable logical qubit, meaning the real hardware threshold could be on the order of a million physical qubits or more. No public quantum computer has reached that scale. IBM’s most advanced processors and Google’s Willow chip operate with physical qubit counts in the low thousands. The gap remains wide, but the trend line over the past decade has moved in only one direction: the estimated resources needed to break elliptic curve cryptography keep falling.
The “harvest now, decrypt later” problem
Even before a quantum computer powerful enough to crack signatures exists, crypto holders face a subtler risk. In a “harvest now, decrypt later” attack, an adversary records blockchain data today, including exposed public keys from past transactions, and stores it until quantum hardware matures enough to derive the corresponding private keys.
This is not hypothetical tradecraft. Intelligence agencies have acknowledged the strategy in the context of encrypted communications, and blockchain data is uniquely vulnerable because it is public by design. Every Bitcoin or Ethereum transaction that has ever been broadcast is permanently recorded and freely accessible. Addresses that have spent funds at least once have already revealed their public keys on-chain.
Moving funds to a fresh address that has never signed a transaction hides the public key temporarily, but the protection evaporates the moment the owner spends from that address. For long-term holders, including corporate treasuries, protocol foundations, and high-net-worth individuals, this creates an uncomfortable calculus: every transaction between now and a post-quantum upgrade carries a small but nonzero risk of future exposure.
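An added example, not from the article or from any wallet or node project: a small Python audit over constructed P2PKH transactions that shows how the first spend from an address publishes its public key in the scriptSig, and which unspent balances therefore already sit behind an exposed key. The names (Tx, audit, SAMPLE), the key hashes and the transaction data are all constructed, and the signature bytes are a shortened stand-in for a real DER signature.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list    # [(prev_txid, vout, scriptsig_hex)]
    outputs: list   # [(value_sats, scriptpubkey_hex)]

def p2pkh_hash(spk: bytes):
    """Return the 20-byte key hash of a P2PKH scriptPubKey, else None."""
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return spk[3:23]
    return None

def pushes(script: bytes):
    """Split a scriptSig built from direct pushes (opcodes 0x01..0x4b) into items."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 0x4B or i + 1 + n > len(script):
            raise ValueError("unsupported or truncated push")
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items

def audit(txs):
    """Map exposed key hash (hex) -> (exposed pubkey hex, unspent sats still behind it)."""
    outputs, spent, exposed = {}, set(), {}
    for tx in txs:
        for prev, vout, sig_hex in tx.inputs:
            spent.add((prev, vout))
            key_hash = outputs[(prev, vout)][1]
            pubkey = pushes(bytes.fromhex(sig_hex))[-1]   # P2PKH scriptSig: <sig> <pubkey>
            if len(pubkey) != 33 or pubkey[0] not in (2, 3):
                raise ValueError("not a compressed secp256k1 public key")
            exposed[key_hash] = pubkey   # consensus already checked HASH160(pubkey) == key_hash
        for vout, (value, spk_hex) in enumerate(tx.outputs):
            key_hash = p2pkh_hash(bytes.fromhex(spk_hex))
            if key_hash is not None:
                outputs[(tx.txid, vout)] = (value, key_hash)
    at_risk = {}
    for outpoint, (value, key_hash) in outputs.items():
        if key_hash in exposed and outpoint not in spent:
            pk, total = at_risk.get(key_hash.hex(), (exposed[key_hash].hex(), 0))
            at_risk[key_hash.hex()] = (pk, total + value)
    return at_risk

# Constructed sample: tx "a" funds H1 and H2; tx "b" spends from H1 (revealing PK1),
# sends change back to H1 and the rest to a fresh address H3.
H1, H2, H3 = "aa" * 20, "bb" * 20, "cc" * 20
PK1 = "02" + "11" * 32
SIG = "3006020101020101"                       # shortened stand-in for a DER signature
def p2pkh(h): return "76a914" + h + "88ac"
def scriptsig(sig, pk): return f"{len(sig)//2:02x}{sig}{len(pk)//2:02x}{pk}"
SAMPLE = [
    Tx("a" * 64, [], [(50_000, p2pkh(H1)), (30_000, p2pkh(H2))]),
    Tx("b" * 64, [("a" * 64, 0, scriptsig(SIG, PK1))],
       [(20_000, p2pkh(H1)), (29_000, p2pkh(H3))]),
]
```

Running audit(SAMPLE) reports only H1 as at risk: its public key is now on-chain and 20,000 sats of change still sit behind it, while H2 (never spent) and H3 (fresh) reveal nothing until their first spend.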
Why blockchain upgrades will be slow
If the replacement algorithms already exist, why not just switch? Because blockchain governance is deliberately resistant to rapid change, and the engineering is genuinely hard.
Bitcoin protocol changes require broad consensus among miners, node operators, and developers. The Taproot upgrade, which added Schnorr signatures, took roughly four years from initial proposal to network activation. No primary statements or official roadmaps from Bitcoin Core maintainers regarding ML-DSA adoption have appeared in the public record as of April 2026. Ethereum’s upgrade cadence is faster, but the Ethereum Foundation has likewise not published a concrete post-quantum migration timeline.
The technical friction is real. ML-DSA public keys and signatures are substantially larger than their elliptic curve counterparts. A typical ECDSA signature is 64 bytes; an ML-DSA-65 signature is roughly 3,300 bytes. That difference cascades through block sizes, transaction fees, verification speeds, wallet software, hardware signing devices, and smart contract compatibility. Developers exploring hybrid signature schemes, which require both a classical and a post-quantum signature to authorize a transaction, gain defense in depth but double the complexity and bandwidth cost.
Other major chains face similar challenges. Solana, Cardano, and most Layer 2 networks rely on ECDSA or the closely related Ed25519 scheme, both of which are vulnerable to the same quantum attack vector. None of these projects has announced finalized post-quantum upgrade plans.
What crypto holders can do now
The honest answer is that no one can make their Bitcoin or Ethereum holdings quantum-proof today. The underlying protocols do not yet support post-quantum signatures. But there are concrete steps that reduce exposure while the industry catches up.
First, minimize public key exposure. Use each address only once where practical, and avoid leaving large balances in addresses that have already signed transactions. This does not eliminate the quantum risk, but it removes the easiest target for a future harvest-now attacker.
Second, track upgrade proposals from the specific chains and wallet providers you rely on. Wallet-level changes, such as support for new key types or multi-signature configurations, can ship faster than core protocol upgrades because they do not require network-wide consensus. Hardware wallet vendors and institutional custody platforms are the most likely early movers.
Third, diversify custody arrangements. Spreading holdings across multiple blockchains, wallet types, and custodial structures avoids a single point of quantum failure. This is standard risk management, but the quantum threat gives it new relevance.
Fourth, pay attention to governance discussions. When Bitcoin Improvement Proposals or Ethereum Improvement Proposals addressing post-quantum signatures appear, the community debate around them will determine how quickly protection arrives. Participation in that process, or at minimum awareness of it, is the best early-warning system available.
An open window that will not stay open forever
Two pieces of evidence frame the current moment. NIST’s finalized standards confirm that the cryptographic community has reached consensus on lattice-based signatures as a viable, tested replacement for elliptic curve schemes. The arXiv paper’s resource estimates confirm that the quantum threat to those schemes is closer than many in the industry had assumed. Neither source proves that quantum computers can break cryptocurrency signatures today, and no credible evidence supports that claim.
But the direction is clear. The tools for post-quantum security now exist in standardized form. The estimated cost of an attack keeps dropping. And blockchain governance, by its nature, moves slowly. The window to plan an orderly migration is open. The risk is not that it slams shut tomorrow. The risk is that by the time the industry agrees to walk through it, the margin for an orderly transition has already narrowed to something far less comfortable.
*This article was researched with the help of AI, with human editors creating the final content.