There is still plenty of work to do to get from today’s noisy machines to a system that can run stable, error-corrected Shor at scale. However, the threat is real. Attackers can harvest public keys now and run Shor’s algorithm later. The latest estimates show we may have a cryptographically relevant quantum computer (CRQC) as soon as 2028.
Sources:
- https://scottaaronson.blog/?p=9325
- https://ionq.com/blog/ionqs-accelerated-roadmap-turning-quantum-ambition-into-reality
Post-quantum cryptography is not a drop-in replacement. Post-quantum (PQ) signatures are larger, potentially slower, and require new signing and verification logic to be rolled out. Wallets, clients, contracts, hardware, consensus, gas limits, and recovery flows all need changes. Most systems were never designed for crypto-agility.
Sources:
- https://www.howbigistoobig.com/
- https://blog.projecteleven.com/posts/quantum-attack-vectors-in-ethereum
- https://blog.projecteleven.com/posts/are-emerging-pq-signature-schemes-better-for-blockchains
Anything signed in the past, today, or in the future with ECDSA or EdDSA is vulnerable to harvest-now-forge-later attacks. Public keys and signatures are already on-chain. Once a CRQC exists, attackers can recover the private keys linked to those signatures.
Sources:
- https://www.projecteleven.com/bitcoin-risq-list
- https://blog.projecteleven.com/posts/quantum-vulnerability-of-bitcoin-addresses
The fact that SHA-256, and hash functions in general, remain safe does not protect signatures, accounts, or identities. Blockchains rely on elliptic-curve signatures for ownership, transactions, and updates. If an attacker can derive your private key from your public key, they can move your assets, no matter how strong the hash function is.
Sources:
- https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography
- https://x.com/elonmusk/status/1951596018438373740
If each signer uses ECDSA or EdDSA, the multi-sig is still quantum-breakable. Requiring more signatures from vulnerable keys does not create a stronger system. The security of a multi-sig is capped by its weakest underlying scheme.
Sources:
- https://blog.projecteleven.com/posts/quantum-attack-vectors-in-ethereum
- https://blog.projecteleven.com/posts/quantum-vs-usdc-a-threat-analysis-of-circles-smart-contract
There is no global upgrade switch. Every chain, client, VM, wallet, exchange, contract, key system, and user must migrate. Even if the protocol upgrades, users will still hold weak keys until their wallets and contracts move.
Sources:
- https://blog.projecteleven.com/posts/are-emerging-pq-signature-schemes-better-for-blockchains
- https://blog.projecteleven.com/posts/quantum-attack-vectors-in-ethereum
Migration takes years. You need new wallets, new derivation paths, new validators, new recovery rules, new contract patterns, and new infra. Waiting puts you in a position where your users’ keys are already harvested.
On top of this, once a CRQC exists, you can no longer trust ECC signatures at all. That means you cannot safely rotate keys, upgrade contracts, or sign the transactions required to migrate. The moment a CRQC arrives, the window for a safe transition closes. If you start the rollout after Q-Day, it is already too late.
Sources:
Current PQ algorithms like ML-KEM and ML-DSA are fast enough today. With correct engineering, they match or beat many legacy algorithms. Performance is not the real blocker; integration and the size of signatures and public keys are. On top of this, at Project Eleven, we are working to further optimize the performance of some of these algorithms. However, PQ algorithms as a whole are nascent and require audits, formal verification, and thorough review before being rolled out to production systems like blockchains.
Sources:
- https://github.com/PQC-Suite-B/
- https://blog.projecteleven.com/posts/announcing-ml-dsa-b-optimizing-post-quantum-signatures-with-blake3
- https://blog.projecteleven.com/posts/the-state-of-post-quantum-cryptography-in-rust-the-belt-is-vacant
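As an added example (not code from this page or from Project Eleven), a Lamport one-time signature built from SHA-256 alone illustrates two of the points above: a hash function that survives a CRQC can replace elliptic-curve signatures, but the resulting public key and signature are far larger than secp256k1's 33-byte compressed key and 64-byte signature (standard encoding sizes, not figures from the page), and the key must never sign twice, which the sign method enforces.

```python
import hashlib
import secrets

N = 256  # one preimage pair per bit of the SHA-256 digest being signed

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

class LamportKey:
    """Hash-based one-time signature key (constructed for this example)."""
    def __init__(self):
        # Secret key: 256 pairs of random 32-byte preimages.
        self.sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
        # Public key: the SHA-256 image of every preimage, same layout.
        self.pk = [(H(a), H(b)) for a, b in self.sk]
        self.used = False

    def sign(self, msg: bytes) -> bytes:
        # Signing reveals one preimage per digest bit. Reusing the key would
        # leak preimages for both bit values, so a second signature is refused.
        if self.used:
            raise RuntimeError("Lamport key already used; one-time only")
        self.used = True
        return b"".join(self.sk[i][bit] for i, bit in enumerate(digest_bits(msg)))

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    # Hash each revealed preimage and compare it with the published image
    # for that bit position; the secret key is never needed.
    if len(sig) != N * 32:
        return False
    for i, bit in enumerate(digest_bits(msg)):
        if H(sig[32 * i:32 * (i + 1)]) != pk[i][bit]:
            return False
    return True

def size_report(pk, sig: bytes) -> dict:
    # secp256k1 reference figures: 33-byte compressed public key, 64-byte (r, s) signature.
    return {"lamport_pk_bytes": sum(len(a) + len(b) for a, b in pk),
            "lamport_sig_bytes": len(sig),
            "secp256k1_pk_bytes": 33, "secp256k1_sig_bytes": 64}

if __name__ == "__main__":
    key = LamportKey()
    sig = key.sign(b"constructed transaction payload")
    print(lamport_verify(key.pk, b"constructed transaction payload", sig))
    print(size_report(key.pk, sig))  # Lamport: 16384-byte key, 8192-byte signature
```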
Being quantum-resistant means using a PQ algorithm for signatures. Being quantum-ready means having crypto-agility, upgrade/migration paths, recovery rules, cross-chain consistency, and a plan for long-term key rotation. Most systems lack all of this.
Sources:
The work has already started. NIST, Ethereum researchers, and leading cryptographers have been pushing post-quantum for the last few years. At Project Eleven, we are building the canonical tools for digital asset protocols to migrate safely to a post-quantum world. The ecosystem is moving, but it needs far broader adoption.
Sources:
- https://www.projecteleven.com/
- https://csrc.nist.gov/projects/post-quantum-cryptography
- https://leanroadmap.org/
- https://blog.projecteleven.com/posts/a-look-at-post-quantum-proposals-for-bitcoin
A hardware wallet protects how your private key is stored. It does not change the cryptography behind that key. If the wallet uses ECDSA or EdDSA, the public keys on-chain are still vulnerable to a future CRQC. A quantum attacker never needs to touch your device. They only need the public data already published.
Hardware wallets are excellent for today’s threats. They do nothing against the quantum threat unless they natively support post-quantum keys and full crypto-agility.
Sources: