Insider Brief
- A Coinbase-convened panel of six leading cryptographers concludes that a quantum computer powerful enough to break blockchain encryption will eventually be built, and the industry must begin migrating to quantum-resistant security now.
- The threat is not imminent — a capable machine remains at least two major engineering leaps away — but the migration will take years, making early preparation essential.
- Every major blockchain faces the same core challenge: replacing today’s compact digital signatures with post-quantum alternatives that are far larger and slower, while resolving what to do with billions of dollars in wallets whose owners may never migrate.
A quantum computer powerful enough to break the cryptography that secures Bitcoin and Ethereum will eventually be built, and the blockchain industry is running out of time to do something about it, according to the Coinbase advisory board’s new position paper.
The paper stops short of setting a doomsday date. No one can say when — or even precisely if — a machine capable of breaking modern encryption will arrive, according to the Coinbase Independent Advisory Board on Quantum Computing and Blockchain, a six-member panel that includes some of the most recognized names in cryptography and computer science: Prof. Scott Aaronson of the University of Texas at Austin, Prof. Dan Boneh of Stanford University, Justin Drake of the Ethereum Foundation, Prof. Sreeram Kannan of Eigen Labs and the University of Washington, Prof. Yehuda Lindell of Coinbase and Bar-Ilan University, and Prof. Dahlia Malkhi of UC Santa Barbara.
But the paper does not hold back in advocating immediate preparation.

The National Institute of Standards and Technology, or NIST, recommends that organizations complete their migration to encryption schemes designed to resist quantum attacks — or post-quantum cryptography (PQC) — by 2035. The panel notes that recommendation may itself reflect a judgment by NIST and other government agencies that 2035 is a reasonable planning horizon, not a prediction that a dangerous quantum machine will exist by then. The advisers add, however, that they cannot rule out the threat arriving sooner.
Coinbase analysts write in a blog post about the paper: “The board’s view is straightforward: the time to start preparing is now, not when it’s urgent.”
Why Quantum Threatens Crypto
To understand the quantum threat to blockchains, it helps to understand how current blockchain security works. Bitcoin, Ethereum and most other major networks rely on a form of public-key cryptography rooted in elliptic-curve mathematics. Each user has a private key — a secret number — and a corresponding public key that others can see. The security of the system rests on the mathematical difficulty of working backward from the public key to recover the private key. For a classical computer, that problem is effectively unsolvable in any reasonable amount of time.
A quantum computer changes the math. In 1994, mathematician Peter Shor demonstrated that a quantum computer could, in principle, solve that problem exponentially faster than any classical machine. The algorithm, known as Shor’s algorithm, does not simply try all possible private keys at once, a common misconception. Instead, it exploits the counterintuitive behavior of quantum mechanics to amplify the probability of finding the correct key while canceling out wrong answers. The result is that a sufficiently powerful quantum machine could — and this is still theoretical — derive the private key from any exposed public key and drain the associated wallet.
The panel is careful to note that not all blockchain cryptography is equally vulnerable. Bitcoin’s proof-of-work system — the energy-intensive puzzle miners solve to add new blocks — relies on hash functions rather than public-key mathematics. Grover’s algorithm, a different quantum technique, could theoretically cut the time needed to solve those puzzles, but the speedup is only quadratic, not exponential. Given the enormous overhead of running a quantum computer compared with the specialized chips miners use today, the panel concludes that Bitcoin’s mining mechanism is effectively quantum-safe, at least for the foreseeable future. The real vulnerability lies in the digital signatures used to authorize transactions.
The paper estimates that roughly 6.9 million Bitcoin — worth hundreds of billions of dollars at current prices — are held in wallets where the public key is visible on the blockchain, making those funds theoretically susceptible to a quantum attack once a capable machine exists. About 1.7 million of those Bitcoin sit in old-style wallet formats where the public key has been permanently exposed. Another roughly 1 million Bitcoin are concentrated in just 11 large addresses, which the advisers suggest could serve as a kind of early warning system. If those wallets are ever drained without explanation, it may signal that a powerful quantum computer has come online.
The Engineering Hurdle
Before any of that can happen, a major engineering challenge must be overcome. Running Shor’s algorithm against real-world encryption requires a fault-tolerant quantum computer, a machine that can perform millions of operations reliably without accumulating enough errors to corrupt the calculation. Today’s quantum computers, including devices from Google and IBM with hundreds of physical qubits, are still far too noisy and error-prone for that task.
Fault tolerance requires encoding each “logical” qubit — the basic unit of quantum information in the computation — as a cluster of many physical qubits, so that errors in individual particles can be detected and corrected without disturbing the underlying calculation. Early estimates suggested that cracking 2048-bit encryption would require millions of physical qubits and trillions of operations. More recent research has revised those estimates downward by perhaps two orders of magnitude, but the panel notes at least another two orders of magnitude of engineering progress remain before any known machine approaches the scale needed to threaten deployed encryption.
The panel identifies several milestones that would signal meaningful progress toward a cryptographic threat. Among them: a demonstration of fault-tolerant two-qubit gates that become more reliable as the system scales; a fault-tolerant run of Shor’s algorithm factoring even a small number, such as 21; and a single logical qubit maintained indefinitely through quantum error correction. None of those milestones has been achieved. The panel writes that Quantinuum and Google have both demonstrated two-qubit gate accuracy of roughly 99.9% on systems of around 100 physical qubits, a result that, if it can be maintained as systems scale to tens of thousands of qubits, would theoretically suffice for fault-tolerant computation. But whether that accuracy can be sustained at scale is precisely the open engineering question.
The paper also addresses whether a powerful quantum computer might simply be impossible to build for fundamental physical reasons. A small number of prominent skeptics have argued that some unknown principle of nature will prevent quantum computers from scaling. The panel dismisses that position, pointing to years of experimental evidence showing no sign of the “correlated noise” that would undermine quantum error correction. The board reports that from a physics standpoint, a quantum computer working as predicted is actually the conservative expectation.
What Needs to Change — and How
Post-quantum cryptography is not new. In fact, it has been in development for decades. NIST completed its first round of standardization in August 2024, certifying three algorithms: ML-KEM for public-key encryption, ML-DSA for digital signatures based on mathematical structures called lattices, and SLH-DSA for hash-based signatures. A fourth standard, FN-DSA, is in the process of being finalized.
The challenge is that none of these schemes can simply replace existing blockchain signatures without significant tradeoffs. The most immediate problem is size. A typical digital signature used in a Bitcoin or Ethereum transaction is 64 bytes. An ML-DSA signature is 2,420 bytes, roughly 38 times larger. A hash-based signature under the SLH-DSA standard can run to 17,000 bytes or more, with signing times thousands of times slower than current methods. Naively substituting these larger signatures into existing blockchain designs could reduce transaction throughput by as much as 90% or more, massively increase fees, and cause what the paper calls “explosive chain growth” in storage requirements.
The panel evaluated three approaches to the execution layer — the part of the blockchain that processes individual transactions — and recommends a strategy it calls “1-of-2 signing.” In this approach, a wallet would register both a classical elliptic-curve key and a post-quantum key, but transactions would only need one valid signature from either key. As long as no quantum threat is imminent, wallets continue signing transactions the usual way at no additional cost. If a quantum computer begins to pose a real danger, the network can flip a switch and demand post-quantum signatures only, disabling the classical option. The paper suggests this approach avoids paying the performance penalty of post-quantum signatures until absolutely necessary, while ensuring the infrastructure is in place to pivot quickly.
For the consensus layer — the validator signing and voting mechanism used by networks like Ethereum to agree on which blocks are added — the panel recommends a phased approach using what it calls post-quantum checkpoints. Rather than immediately replacing all validator signatures, networks could begin periodically signing groups of blocks with a post-quantum signature. Because blockchains “chain” each block to the previous one via a cryptographic hash, a single post-quantum signature applied periodically can effectively anchor the entire history preceding it against quantum forgery. Any fraud within the small window between checkpoints could then be addressed through community agreement rather than requiring every validator to immediately adopt expensive new signature schemes.
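As an added illustration of the checkpoint idea, not code from the paper or from any project named here: a toy hash chain anchored by a Lamport one-time signature, the simplest hash-based scheme, used as a stand-in for SLH-DSA. It also makes the size point concrete, since even this minimal scheme produces an 8,192-byte signature; the block contents and chain layout are constructed for the example.

```python
import hashlib, os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: the simplest hash-based scheme, standing in here
# for a standardized one such as SLH-DSA. Each key pair signs ONE message only.
def lamport_keygen():
    # 256 pairs of random 32-byte secrets; the public key is their hashes (16 KiB)
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes) -> bytes:
    # reveal one secret per bit of H(msg): 256 * 32 = 8,192 bytes of signature
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(H(msg))))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    # each revealed secret must hash to the public-key entry selected by that bit
    return len(sig) == 256 * 32 and all(
        H(sig[32 * i:32 * i + 32]) == pk[i][bit]
        for i, bit in enumerate(_bits(H(msg))))

def chain_hashes(payloads):
    # toy chain: every block hash commits to the previous block's hash
    out, prev = [], b"\x00" * 32
    for p in payloads:
        prev = H(prev + p)
        out.append(prev)
    return out

def sign_checkpoint(sk, payloads, index: int) -> bytes:
    # one post-quantum signature over the hash of block `index`
    return lamport_sign(sk, chain_hashes(payloads)[index])

def history_anchored(pk, payloads, index: int, sig: bytes) -> bool:
    # recompute the chain; any change to blocks 0..index alters that hash
    return lamport_verify(pk, chain_hashes(payloads)[index], sig)

if __name__ == "__main__":
    blocks = [f"constructed block {i}".encode() for i in range(6)]
    sk, pk = lamport_keygen()
    sig = sign_checkpoint(sk, blocks, 3)
    print(len(sig), history_anchored(pk, blocks, 3, sig))   # 8192 True
    tampered = blocks[:]; tampered[1] = b"forged block 1"   # before checkpoint
    print(history_anchored(pk, tampered, 3, sig))           # False
    later = blocks[:]; later[5] = b"forged block 5"         # after checkpoint
    print(history_anchored(pk, later, 3, sig))              # True: not covered
```

The last case is the window the panel describes: a block after the checkpoint is not covered until the next checkpoint signature lands.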
The paper also points to a significant gap: there is currently no post-quantum equivalent of BLS signatures, the aggregation scheme that allows Ethereum’s one million validators to compress their individual votes into a compact, efficiently verifiable bundle. Existing post-quantum threshold and aggregate signature schemes require validators to communicate interactively during the signing process, adding coordination overhead that classical BLS does not. This remains an active area of research with no ready solution, according to the panel.
Perhaps the most contentious governance challenge the paper raises has nothing to do with cryptography. It is what to do about wallets whose owners cannot be reached, or no longer exist.
When blockchains migrate to post-quantum security, they will need to ask every wallet holder to move their assets to new addresses protected by post-quantum keys. Many will not. Some are dead. Some have simply lost their passwords. And some wallets contain coins that were mined in Bitcoin’s earliest days and may never move again, including wallets widely believed to belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto.
The panel outlines two broad options. The first is to set a hard deadline — sometimes called a “flag day” — after which any wallet that has not migrated will have its funds permanently revoked and destroyed. This would reduce the total supply of coins, potentially making remaining tokens more valuable, but it risks wiping out assets belonging to people who simply did not understand the deadline or lacked the technical means to act. The second option is to leave unmigrated wallets active indefinitely, accepting that a future quantum attacker could eventually drain them, potentially dumping a large supply of coins onto the market and crashing prices.
The paper offers a nuanced middle path specifically for Bitcoin’s exposed Satoshi-era coins. The advisers recommend a spending rule that would cap the rate at which any such coins could be moved, slowing a potential attacker and turning the wallets into a kind of quantum alarm system. If coins in those long-dormant addresses begin moving without explanation, it would alert the broader market that a capable quantum machine has arrived.
The panel is pointed in urging blockchains to resolve the abandoned-asset question quickly and publicly, regardless of which option they choose. Market uncertainty about how these decisions will be made, according to the board, is already deterring institutional investment in cryptocurrency. A clear, publicized plan — even one that has not yet been fully implemented — would, they say, do more good than continued silence.
Right now, individual blockchains’ plans and timelines vary widely. Ethereum has the most detailed public roadmap, involving a migration to hash-based signatures at both the consensus and transaction levels, combined with SNARK-based signature aggregation to manage the larger data footprint. Algorand has already executed its first post-quantum transaction on its main network using a NIST-approved lattice-based signature scheme. Bitcoin’s core developers are taking a more cautious approach, with a proposal called BIP-360 that would allow wallets to hide their public keys behind a hash function — a relatively modest step that reduces exposure without committing to a specific post-quantum signature scheme. Solana has introduced a new quantum-resistant wallet type, and Aptos has outlined plans to allow users to swap their authentication keys with a single transaction. Optimism, a so-called Layer 2 network built on top of Ethereum, has announced a flag day of January 2036 for its users to complete migration.
Overall, the key is focus and cooperation, according to Coinbase.
The company writes in its post: “We’re building our systems to be flexible enough to adopt new cryptographic standards quickly, working with hardware and infrastructure partners on upgrade readiness, and sharing this research publicly because quantum preparedness is a challenge the entire industry needs to tackle together. We’re also working with developers and industry experts to help coordinate these upgrades as an industry. No one player can do this alone; it will take all of us working together.”