Quantum computing is no longer a science-fiction abstraction for the crypto industry. With the publication of a research paper by Google suggesting that a sufficiently powerful quantum computer could crack Bitcoin’s cryptography in under nine minutes, blockchain developers can no longer afford to delay their thinking. The race toward quantum resistance is now underway, and the stakes are measured in trillions of dollars.

Beyond individual blockchain networks, the broader decentralized finance (DeFi) ecosystem faces equally daunting challenges. Bridges connecting different blockchains, decentralized exchanges, lending protocols, and smart contract platforms all rely on the same elliptic curve cryptography that quantum computers threaten. A successful attack would not only compromise individual wallets but could cascade through interconnected protocols, amplifying the damage far beyond the initial breach. The crypto industry must therefore treat post-quantum migration as a systemic priority, not an isolated technical exercise for a single network.
Industry participants are increasingly calling for international coordination on quantum-resistant standards. Just as the Year 2000 (Y2K) bug required coordinated action across governments and corporations worldwide, the quantum threat to cryptographic infrastructure demands a similar level of global mobilization. Some are proposing that standards bodies, central banks, and cryptocurrency foundations work together to establish common timelines and technical requirements for the transition to post-quantum cryptography.
Approximately 6.5 million Bitcoin — nearly $450 billion at current prices — sit in addresses whose public keys are already exposed on the blockchain. Among them, some 1.7 million BTC belong to Satoshi Nakamoto and the earliest miners, coins that have never moved since the network’s first days. For these funds, the quantum countdown may have already begun. This is not a question of if, but of when.
This article reviews the main initiatives deployed by the blockchain ecosystem to prepare for this threat, with a particular focus on Bitcoin, Ethereum, and Solana, which collectively represent over $1.3 trillion in market capitalization.
Before examining solutions, it is essential to understand why quantum computers represent such a particular threat to cryptocurrencies. Bitcoin and Ethereum rely on the ECDSA algorithm (Elliptic Curve Digital Signature Algorithm) to secure transactions. This system works because classical computers would take billions of years to recover a private key from a public key. This is called computational difficulty — the very foundation of blockchain security.
Quantum computers completely change this equation. By using quantum physics principles such as superposition and entanglement, they can execute Shor’s algorithm, which makes this reverse-engineering operation practically trivial for a sufficiently powerful machine. Google’s paper, published in March 2026, revealed that cracking Bitcoin could require fewer than 500,000 qubits — far less than the millions previously estimated. Some analysts place the possible deadline as early as 2029.
Two attack vectors stand out. The long-exposure attack targets P2PK addresses used originally by Satoshi and Taproot (P2TR) addresses, the current format. For these addresses, the public key is readable by everyone directly on the blockchain — it has already been exposed. A short-exposure attack targets transactions pending in the mempool: the time between submitting a transaction and confirming it in a block offers a window, however brief, for a quantum machine to derive the private key and forge a competing transaction to steal the funds.
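As an added illustration (not from the article), a small audit that applies the distinction above to a wallet's unspent outputs: it recognises the standard Bitcoin output templates, flags the types that embed the key in the script (P2PK, P2TR), and also flags hashed outputs whose key was already published by an earlier spend from the same address. The sample UTXOs and key hashes are constructed placeholders, not real chain data.

```python
from typing import NamedTuple, Optional


class Utxo(NamedTuple):
    label: str
    script_pubkey: bytes
    btc: float


def classify(spk: bytes):
    """Return (output type, True if the signing key is visible before any spend).

    Standard scriptPubKey templates are matched by their leading/trailing bytes.
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True        # <33|65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False      # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False       # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False     # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False      # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True        # OP_1 <32-byte x-only output key>
    return "unknown", False


def key_hash(spk: bytes, kind: str) -> Optional[bytes]:
    """The 20-byte key hash of a P2PKH or P2WPKH output, used to detect address reuse."""
    if kind == "P2PKH":
        return spk[3:23]
    if kind == "P2WPKH":
        return spk[2:22]
    return None


def audit(utxos, revealed_key_hashes) -> dict:
    """Total the funds whose signing key is already readable on-chain.

    A key is readable either because the output type embeds it (P2PK, P2TR) or
    because the same key hash was spent from before, which published the key.
    """
    report = {"exposed_btc": 0.0, "hidden_btc": 0.0, "exposed": [], "by_type": {}}
    for u in utxos:
        kind, in_script = classify(u.script_pubkey)
        kh = key_hash(u.script_pubkey, kind)
        reused = kh is not None and kh in revealed_key_hashes
        report["by_type"][kind] = report["by_type"].get(kind, 0) + 1
        if in_script or reused:
            report["exposed_btc"] += u.btc
            report["exposed"].append((u.label, kind, "reused address" if reused else "key in script"))
        else:
            report["hidden_btc"] += u.btc
    return report


# Constructed sample data, not real chain data: key bytes are placeholders.
SAMPLE_PUBKEY = b"\x02" + b"\x11" * 32
SAMPLE_UTXOS = [
    Utxo("early coinbase (P2PK)", b"\x21" + SAMPLE_PUBKEY + b"\xac", 50.0),
    Utxo("fresh P2PKH", b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac", 1.5),
    Utxo("reused P2PKH", b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac", 2.0),
    Utxo("native segwit", b"\x00\x14" + b"\xcc" * 20, 0.75),
    Utxo("taproot", b"\x51\x20" + b"\xdd" * 32, 3.0),
]
# Key hashes whose public key already appeared in an earlier spend (constructed).
REVEALED_KEY_HASHES = {b"\xbb" * 20}

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS, REVEALED_KEY_HASHES))
```

The hashed types only stay hidden while the address is never spent from; once a spend reveals the key, any remaining or later funds on that address join the exposed set.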
The Bitcoin community, accustomed to lamenting the glacial pace of its decentralized governance processes, suddenly sees an urgency it can no longer ignore. Several technical proposals are currently circulating.
BIP 360: Removing the Public Key from the Chain
The Bitcoin Improvement Proposal 360 represents perhaps the most fundamental approach. Its author proposes introducing a new type of output called Pay-to-Merkle-Root (P2MR), which permanently removes the public key from the visible chain. Instead of publishing the public key itself, only a Merkle hash would be inscribed — a digital fingerprint that reveals no information exploitable by a quantum computer.
The idea is elegant in its simplicity: if the quantum computer has nothing to study, it cannot reverse-engineer the private key. The protocol would retain all its current features, including Lightning payments and multi-signature setups. The major problem is that BIP 360 only protects new transactions — not the 1.7 million BTC already vulnerable in old addresses.
SPHINCS+ and Hash-Based Post-Quantum Signatures
The US National Institute of Standards and Technology (NIST) standardized the SPHINCS+ signature scheme in August 2024 under the name FIPS 205 (SLH-DSA). Unlike ECDSA, SPHINCS+ relies on hash functions — calculations that even a quantum computer cannot efficiently reverse using Shor’s algorithm.
However, this security comes at a cost: size. Where a current Bitcoin signature weighs 64 bytes, an SLH-DSA signature can occupy 8 kilobytes or more. At the scale of a blockchain where millions of transactions are processed every day, this increased demand for block space would translate into significantly higher transaction fees for all users.
Variants like SHRIMPS and SHRINCS have already been proposed to reduce this footprint without sacrificing security. These schemes aim to retain SPHINCS+ guarantees while making it practical for large-scale blockchain use. The debate remains open as to which of these candidates will be adopted first.
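To make the size trade-off concrete, here is an added example (not code from the article or from NIST) of a simplified Winternitz one-time signature, the hash-chain building block that SPHINCS+ composes into a many-time scheme. It assumes SHA-256 and w = 16, omits the per-chain masks and addressing of the real FIPS 205 WOTS+, and is for illustration only.

```python
import hashlib
import os

# Simplified Winternitz one-time signature (WOTS) over SHA-256 with w = 16.
# Illustration only: the real SLH-DSA / FIPS 205 WOTS+ adds per-chain masks
# and addressing, and this toy must not be used to secure real funds.
N = 32                      # hash output length in bytes
W = 16                      # Winternitz parameter: one 4-bit digit per chain
LOG_W = 4
LEN1 = (8 * N) // LOG_W     # 64 digits cover the 256-bit message digest
LEN2 = 3                    # checksum <= 64 * 15 = 960 < 16**3, so 3 digits
LEN = LEN1 + LEN2           # 67 hash chains per key


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, start: int, steps: int) -> bytes:
    """Walk the hash chain through positions start .. start+steps-1."""
    for i in range(start, start + steps):
        x = H(b"wots-chain" + bytes([i]) + x)
    return x


def base_w(msg: bytes) -> list:
    """Split the message digest into 64 nibbles and append a 3-nibble checksum.

    Chains can only be walked forward, and the checksum shrinks whenever any
    digit grows, so a signature on one message cannot be advanced into a
    signature on another.
    """
    digits = []
    for byte in H(msg):
        digits += [byte >> 4, byte & 0x0F]
    checksum = sum(W - 1 - d for d in digits)
    for shift in (8, 4, 0):
        digits.append((checksum >> shift) & 0x0F)
    return digits


def keygen() -> tuple:
    """Secret key: 67 random chain seeds. Public key: hash of all chain ends."""
    sk = [os.urandom(N) for _ in range(LEN)]
    pk = H(b"".join(chain(s, 0, W - 1) for s in sk))
    return sk, pk


def sign(sk: list, msg: bytes) -> bytes:
    """Reveal each chain advanced by its digit; 67 * 32 = 2144 bytes in total."""
    return b"".join(chain(sk[i], 0, d) for i, d in enumerate(base_w(msg)))


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Finish every chain from the signed digit and compare with the public key."""
    if len(sig) != LEN * N:
        return False
    parts = [chain(sig[i * N:(i + 1) * N], d, W - 1 - d)
             for i, d in enumerate(base_w(msg))]
    return H(b"".join(parts)) == pk


def signature_size() -> int:
    return LEN * N          # 2144 bytes, versus 64 bytes for a Bitcoin ECDSA signature
```

Signing a second message with the same key reveals further chain values and breaks the scheme, which is why such keys are one-time and why SPHINCS+ wraps many of them in hash trees, at the cost of the multi-kilobyte signatures discussed above.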
Hourglass V2: Slowing the Pillaging of Old Coins
Developed by a contributor known as Hunter Beast, Hourglass V2 tackles the problem of already-vulnerable BTC. Rather than preventing quantum theft, the proposal accepts this eventuality and seeks to limit the damage. The idea: authorize the sale of these old coins at a maximum rate of one Bitcoin per block — equivalent to approximately ten minutes — to avoid a catastrophic liquidation in a single night.
The analogy is that of a bank run: one cannot prevent people from withdrawing their funds, but one can limit the flow to avoid the system’s instantaneous collapse. This proposal is controversial: part of the Bitcoin community sees it as a violation of the fundamental principle that no one — not government, not developer, not any protocol — should ever be able to interfere with a user’s right to spend their own funds.
The Commit/Reveal Scheme by Tadge Dryja
Co-creator of the Lightning Network, Tadge Dryja proposed a soft fork scheme that specifically protects pending transactions in the mempool. The mechanism separates execution into two phases: the commit, where only a hash of the transaction intent is published — nothing exploitable by an attacker — and the reveal, where the actual transaction is broadcast. A quantum computer observing the network could well derive the private key in time, but could not forge a valid transaction: the network would reject the competing transaction because it does not have the prior commitment recorded on the chain.
The cost of this solution is twofold: each transaction now requires two distinct operations, and protocol complexity increases. For its defenders, it is a practical stopgap while waiting for more complete solutions.
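The two-phase rule described above, as an added toy model (not Dryja's actual proposal or code): nodes record only commitment hashes in phase one and accept a full transaction in phase two only if its hash was already confirmed and its input is still unspent. The transaction format and the chain state are simplified placeholders, and the model ignores the ordering race between a competing commitment and the honest reveal, which the article does not describe.

```python
import hashlib
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Tx:
    spends: str       # outpoint being spent, e.g. "txid:vout" (placeholder format)
    pays_to: str      # destination (placeholder)
    amount: float

    def serialize(self) -> bytes:
        return f"{self.spends}|{self.pays_to}|{self.amount}".encode()

    def commitment(self) -> bytes:
        # Phase one publishes only this digest: it reveals neither the public
        # key nor the destination, so there is nothing for an observer to attack.
        return H(b"commit:" + self.serialize())


@dataclass
class Chain:
    height: int = 0
    commitments: dict = field(default_factory=dict)   # commitment -> confirmed height
    spent: set = field(default_factory=set)

    def confirm_commit(self, commitment: bytes) -> int:
        """Phase one: a block confirms the commitment hash."""
        self.height += 1
        self.commitments.setdefault(commitment, self.height)
        return self.height

    def confirm_reveal(self, tx: Tx) -> bool:
        """Phase two: the full transaction is valid only if its commitment is
        already confirmed and the input has not been spent. A competing
        transaction for the same input fails the first check."""
        if tx.commitment() not in self.commitments or tx.spends in self.spent:
            return False
        self.height += 1
        self.spent.add(tx.spends)
        return True


def scenario() -> dict:
    """Constructed walk-through: an honest spend and a competing spend of one input."""
    chain = Chain()
    honest = Tx("deadbeef:0", "alice-new-pq-address", 1.0)
    # A competing transaction built by someone who derived the key while the
    # honest reveal sat in the mempool; it spends the same input elsewhere.
    competing = Tx("deadbeef:0", "somewhere-else", 1.0)

    chain.confirm_commit(honest.commitment())          # block 1: hash only
    results = {
        "competing_without_commit": chain.confirm_reveal(competing),  # rejected
        "honest_reveal": chain.confirm_reveal(honest),                # block 2: accepted
    }
    # A late commitment for the competing transaction does not help: the
    # input is already spent by the committed honest transaction.
    chain.confirm_commit(competing.commitment())
    results["competing_after_commit"] = chain.confirm_reveal(competing)
    return results


if __name__ == "__main__":
    print(scenario())
```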
If Bitcoin faces a considerable challenge with its old exposed addresses, Solana presents an even more vulnerable structure. Unlike Bitcoin and Ethereum where addresses are derived from public keys by a hash function — which remains safe against quantum computers — Solana exposes public keys directly. In other words: on Solana, every wallet is potentially accessible.
“On Solana, 100% of the network is vulnerable,” said Alex Pruden, CEO of Project Eleven, in an interview with CoinDesk. “A quantum computer could pick any wallet and immediately start trying to recover the private key.”
This structural difference has pushed the Solana Foundation to ally with Project Eleven to actively test quantum-resistant cryptography. The team deployed a test environment on a modified Solana network, using quantum-resistant signatures to evaluate the real impact on the network.
The results are clear: the new quantum signatures weigh 20 to 40 times more than current signatures, and the network runs approximately 90% slower than in standard configuration. For a blockchain that has built its reputation on speed — hundreds of thousands of transactions per second with minimal latency — this compromise is painful. It illustrates the fundamental tension between quantum resistance and performance.
Some Solana developers are exploring alternative solutions for individual users, such as Winternitz Vaults, which use a different type of cryptography to protect funds without requiring a modification of the entire network. For Pruden, Solana’s merit lies in moving from words to deeds: “There is something tangible. We actually have a testnet with post-quantum signatures. The Solana Foundation deserves credit for engaging and wanting to do the work.”
Among the major blockchains, Ethereum appears to be the best prepared. The Ethereum Foundation launched pq.ethereum.org with eight years of post-quantum research, more than ten development teams shipping weekly devnets, and a multi-fork migration roadmap.
Justin Drake, researcher at the Ethereum Foundation and co-author of the Google paper, stated that his confidence in a Q-Day by 2032 has considerably increased, estimating at least a 10% probability that a quantum computer recovers a secp256k1 private key from an exposed public key by that date. He noted that the optimized quantum circuit requires only 100 million Toffoli gates — astonishingly shallow — and that logical qubit counts could plausibly fall under 1,000 soon. The integration of AI in circuit optimization has not yet been systematically explored, suggesting current estimates could be further revised downward.
Ethereum developers are also exploring implications for zero-knowledge (ZK) proofs, which are at the heart of many layer-two applications. Systems like KZG trusted setups and Zcash’s Sapling protocol both embed ECDLP hardness into fixed public parameters — an architecture that, once cracked by a quantum computer, becomes an indefinitely reusable exploit.
Beyond the technical aspects, upgrading cryptography in a decentralized system poses a major governance challenge. Unlike a company or government that can decree an update and deploy it, a blockchain requires consensus between developers, miners or validators, applications, and end users — with no party able to impose or enforce a decision.
On Bitcoin, the controversy around Hourglass V2 perfectly illustrates this dilemma. For some, slowing old-fund withdrawals is a common-sense measure to avoid systemic crash. For others, it is an unacceptable breach of the fundamental principles of decentralization: code is law, and no one should be able to tell someone how much of their own bitcoins they can spend and at what rate.
Ethereum partially avoids this trap by opting for voluntary migrations with incentives rather than restrictions. Users are encouraged to migrate to new address formats, but nothing forces them to do so. The difficulty is that funds from users who do not migrate remain vulnerable, even if the majority has migrated.
“This is a tomorrow problem — until it becomes today’s problem,” summarizes Alex Pruden. “And then it takes four years to fix.” This four-year window is crucial. Even if a quantum computer capable of threatening Bitcoin did not exist today, the public key exposure window is already open for old addresses. And once such a quantum computer exists, migrating hundreds of billions of dollars in cryptocurrencies will have to be done in a rush — a scenario reminiscent of the worst panic sales in financial history.
The bottom line: the industry cannot afford to wait for perfect consensus before acting. Solutions must be developed, tested, and ready for deployment well before the threat becomes reality. Google’s March 2026 paper was not an isolated event; it is a signal that the race is now fully underway.
The implications of failing to prepare are vertiginous. Beyond simple cryptocurrency thefts, a successful quantum attack on Bitcoin would shake confidence in the entire crypto ecosystem — billions of dollars in digital assets depend on the same cryptography that protects the network today. The reaction of markets to such news would likely be brutal and immediate. This is why the most cautious voices in the industry are calling to act now, even if the threat still seems distant. As Alex Pruden rightly points out, “this is a tomorrow problem — until it becomes today’s problem.” The time required to migrate cryptographic systems at the scale of a major blockchain is measured in years, not months. Starting today is not an option — it is a necessity.

