What Does Quantum Computing Actually Threaten? A Crypto User's Guide to the Post-Quantum Era

imToken
Guest columnist
2026-04-11 03:30
The quantum threat is real, but far from "imminent." It's more crucial to first understand which cryptographic components are affected and how the industry is preparing for migration.
AI Summary
  • Core Viewpoint: The latest research from Google Quantum AI has moved the threat of quantum computers breaking mainstream blockchain encryption algorithms from theory to a plannable engineering goal. However, the actual risk window is projected to be in the 2030s, and the industry has already begun preparations for post-quantum cryptography migration.
  • Key Elements:
    1. Google's paper indicates that future fault-tolerant quantum computers might require only about 500,000 physical qubits to crack the widely used 256-bit Elliptic Curve Digital Signature Algorithm (ECDSA) within minutes, a significant reduction in the required qubit count compared to previous estimates.
    2. The quantum threat primarily targets addresses with publicly known public keys (i.e., addresses that have initiated transactions). For addresses that have never spent funds, their public keys are not exposed, presenting a lower risk.
    3. Ethereum is decoupling accounts from signatures through solutions like Account Abstraction (AA), planning to achieve full quantum resistance via the Lean Ethereum upgrade between 2028 and 2032, and has already launched an experimental testnet.
    4. The Bitcoin community has proposals like BIP360 exploring more migration-friendly transaction output structures (e.g., P2MR) for post-quantum signature migration, but widespread consensus has not yet been reached.
    5. NIST released post-quantum cryptography standards in 2024, providing a clear technical target for industry migration.
    6. For ordinary users, the most effective protective measures currently are avoiding address reuse and paying attention to the post-quantum upgrade roadmaps of the wallets and public chains they use.
    7. Be wary of "quantum-safe" products on the market that lack rigorous validation; focus on whether they employ NIST-standardized algorithms and have undergone independent audits.

Just last week, the Google Quantum AI team published a groundbreaking paper indicating that, under specific superconducting-architecture, error-correction and hardware assumptions, future quantum computers could crack the 256-bit elliptic curve cryptography (ECDLP-256) widely used by today's cryptocurrencies and blockchains in a matter of minutes, using fewer than 500,000 physical qubits. That is roughly a 20-fold reduction compared to previous estimates.

This directly targets ECDSA, the core signature scheme for almost all major public chains like Bitcoin and Ethereum. Once the news broke, talk of "quantum computers cracking Bitcoin private keys" began to spread rapidly online.

In reality, it is worth pausing to put this in perspective: the threat is real, but it is still far from "your wallet being unsafe tomorrow."

More importantly, the entire industry has actually already begun to take action.

1. What Exactly is Quantum Computing Threatening?

To understand this issue, let's start from the very basics: how exactly are your crypto assets protected?

On Bitcoin or Ethereum, each account is backed by a pair of keys: a private key and a public key. The private key is a large, randomly generated number that must be kept strictly secret; it is essentially the password to your safe. The public key is derived from the private key through elliptic curve multiplication. Your wallet address is then a shorter string obtained by running the public key through a hash function.

The security foundation of this entire system lies precisely in the fact that this process is one-way.

In short, computing the public key from the private key is easy, while deriving the private key from the public key on a classical computer would take longer than the age of the universe. This is the essence of the Elliptic Curve Discrete Logarithm Problem (ECDLP): forward computation is simple, reversal is computationally infeasible.

Quantum computers break this assumption. They can solve integer factorization and discrete logarithm problems in polynomial time. In other words, a sufficiently powerful quantum computer could, in theory, derive your private key from your public key.

So the question arises: when does the public key get exposed?

Every time you initiate a transaction on the blockchain, you need to sign the transaction data with your private key while broadcasting your public key for verification. This means that as soon as you've sent a transaction, your public key is already publicly available on-chain.

The significance of Google's paper is that it moves "cracking a private key from its public key" from a theoretically possible but practically remote notion to a target that can be planned on a quantum hardware roadmap. For instance, the paper estimates that cracking 256-bit ECDLP would require a fault-tolerant quantum computer with about 500,000 physical qubits, a significant reduction from prior estimates.

In the final analysis, quantum computing isn't about cracking the blockchain itself; it first targets the signature systems within blockchains that are still built upon the elliptic curve discrete logarithm problem.

Therefore, the threat is real, but strictly speaking the word "imminent" is not accurate. Mainstream industry estimates point to a risk window that opens no earlier than around 2030 (Further reading: Native Account Abstraction + Quantum Resistance: Why Hasn't EIP-8141 Become the Star of Ethereum's Hegotá Upgrade Yet?).

2. What Preparations Are Various Public Chains Making?

There is also a crucial distinction that many reports fail to make: many Bitcoin addresses do not expose their public keys on-chain at all until they are spent from.

Taking common formats like P2PKH and P2WPKH as examples, the address itself is usually just a hash of the public key. The public key often isn't exposed until the "first spend" occurs. This means if your address has never sent a transaction, only your wallet address is on-chain, not your public key.

Consequently, the most direct attack surface for quantum computing is the set of public keys belonging to addresses that have already sent transactions. This detail leads directly to the first thing users can do at their own level, which we discuss later.

The industry is not unaware of this issue. In fact, preparations for post-quantum cryptographic migration are already advancing on multiple fronts simultaneously.

Ethereum's approach is to decouple the account layer from the signature scheme. For example, the advancement of EIP-7702 and Account Abstraction (AA) allows Ethereum accounts to define what constitutes a valid signature through smart contract logic. This means that one day in the future, when post-quantum signature schemes are introduced, there won't be a need to rewrite the protocol's underlying layer; only the account's signature verification module needs to be replaced.

Going further, Ethereum Foundation cryptography researcher Antonio Sanso gave an update on Ethereum's quantum-resistance progress at the EthCC9 conference. He pointed out that quantum computers could pose a practical threat to the ECDSA signature algorithm by the mid-2030s. Ethereum has currently completed about 20% of its quantum-resistant preparations and plans to achieve comprehensive quantum resistance through the Lean Ethereum upgrade between 2028 and 2032.

However, the main technical challenge currently faced is the signature size issue. For instance, the signature size of the most lightweight post-quantum signature algorithm, Falcon, is still over 10 times larger than ECDSA. Directly verifying lattice-based signatures in Solidity incurs extremely high Gas costs. Therefore, the research team has established two core technical paths:

  • First, using account abstraction to allow users to upgrade their wallet's signature algorithm to a quantum-resistant scheme without modifying the underlying protocol.
  • Second, introducing LeanVM to handle complex hash computations and combining it with zero-knowledge proofs to verify address mnemonic ownership, ensuring asset security during the migration process.

Antonio stated that he will chair bi-weekly ACD post-quantum special meetings starting from February 2026. Currently, experimental post-quantum testnets have been launched on consensus clients like Lighthouse and Grandine.

By contrast, the Bitcoin community's approach is noticeably more conservative. The recently added BIP360 in the BIPs repository proposes a new output type, P2MR (Pay-to-Merkle-Root). One of its design goals is to remove the quantum-vulnerable key-path spend in Taproot, reserving a friendlier structure for a potential future post-quantum signature migration.

Of course, a proposal entering the BIPs repository does not mean it has reached community consensus, let alone that it will be adopted soon. Therefore, it can only be said that discussions within the Bitcoin community have begun around more specific proposals concerning quantum exposure surfaces and potential output type changes. This aligns with Bitcoin's consistent style: first clearly define the problem, then form consensus very slowly.

It's worth noting that as early as 2024, the U.S. National Institute of Standards and Technology (NIST) officially released three post-quantum cryptography standards. This means the blockchain ecosystem now has a clear migration target, no longer needing to wait for debates on which algorithm is better to converge. Engineering implementation has essentially already begun.

3. What Should Ordinary Users Do?

Although the threat from quantum computers is years away, future concerns don't mean we should ignore them today. Cultivating some good habits now comes at almost zero cost.

First and foremost is avoiding address reuse, which is also the most direct and effective self-protection measure.

The reason, as explained above, is clear: if you use a UTXO-based chain like Bitcoin, your public key is exposed on-chain every time you spend from an address. If you keep using the same address, your public key stays publicly available indefinitely. Once quantum computing power matures, attackers could derive your private key from it at their leisure.

Currently, mainstream wallets like imToken already provide HD wallet functionality by default. A good habit is to use a new address to receive funds for each transfer, not treating one address as a permanent identity to be reused repeatedly. For addresses that have never sent a transaction, the public key has never been exposed, making the current quantum threat almost inapplicable.
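To make the exposure rule from sections 1 and 2 concrete (an address commits only to a hash of the public key; the key itself appears in the spending input), here is an added Python example, not code from the article or from imToken, that audits a constructed transaction history and lists the addresses that still hold funds after their public key has been revealed. Bitcoin's HASH160 is replaced with truncated SHA-256 as a stated assumption, and all keys and transactions are constructed.

```python
import hashlib
from collections import namedtuple

# TxIn.pubkey is what the scriptSig (P2PKH) or witness (P2WPKH) reveals on spend;
# TxOut.pkh is all an unspent address commits to: HASH160 of the public key.
TxIn = namedtuple("TxIn", "prev_txid prev_index pubkey")
TxOut = namedtuple("TxOut", "pkh value")
Tx = namedtuple("Tx", "txid inputs outputs")

def pubkey_hash(pubkey: bytes) -> bytes:
    # Stand-in for Bitcoin's HASH160 = RIPEMD160(SHA256(pubkey)); RIPEMD160 is
    # missing from some hashlib builds, so truncated SHA-256 is used here (assumption).
    return hashlib.sha256(pubkey).digest()[:20]

def exposure_report(txs):
    """Map each address (pkh hex) to its unspent balance, whether a spend has
    already revealed its public key, and how many times it received funds."""
    utxos, report = {}, {}
    for tx in txs:
        for txin in tx.inputs:
            spent = utxos.pop((txin.prev_txid, txin.prev_index))
            if pubkey_hash(txin.pubkey) != spent.pkh:
                raise ValueError("input pubkey does not hash to the spent output")
            entry = report[spent.pkh.hex()]
            entry["exposed"] = True          # the pubkey is now on-chain for good
            entry["unspent"] -= spent.value
        for idx, out in enumerate(tx.outputs):
            utxos[(tx.txid, idx)] = out
            entry = report.setdefault(out.pkh.hex(),
                                      {"unspent": 0, "exposed": False, "receipts": 0})
            entry["unspent"] += out.value
            entry["receipts"] += 1
    return report

def at_risk(report):
    """Addresses that still hold funds AND whose public key is already public."""
    return sorted(a for a, e in report.items() if e["exposed"] and e["unspent"] > 0)

# Constructed sample: three compressed-pubkey stand-ins and a three-transaction history.
ALICE, BOB, CAROL = (b"\x02" + bytes([i]) * 32 for i in (0x11, 0x22, 0x33))
A, B, C = pubkey_hash(ALICE), pubkey_hash(BOB), pubkey_hash(CAROL)
SAMPLE_TXS = [
    Tx("t1", [], [TxOut(A, 100_000), TxOut(B, 50_000)]),                     # funding
    Tx("t2", [TxIn("t1", 0, ALICE)], [TxOut(C, 60_000), TxOut(A, 39_000)]),  # Alice spends, change to A
    Tx("t3", [TxIn("t2", 0, CAROL)], [TxOut(B, 59_000)]),                    # Carol sweeps to Bob
]
```

In the sample only Alice's address ends up at risk: Bob's address received twice but never spent, so its key is still only a hash on-chain, while Alice's change went back to an address whose key the spend had already revealed.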

Secondly, pay attention to your wallet's post-quantum upgrade roadmap.

If you primarily use account-model chains like Ethereum, the focus isn't mechanically changing addresses constantly, but rather monitoring whether the wallet you use and the public chain you're on will provide a clear migration path in the future.

For account-model chains, the bigger problem in the quantum era often isn't a single exposure, but the long-term binding of active accounts, public key history, on-chain identities, and application permissions. Once the actual migration window arrives in the future, accounts that are more upgradeable and wallets that can more smoothly replace signature logic will be more secure.

Finally, it is predictable that as the topic heats up, more and more wallets, protocols and infrastructure products claiming to be "quantum-safe" will appear on the market, and those waving that banner deserve scrutiny.

When faced with such claims, the most important questions to ask aren't about the marketing copy, but three harder questions:

  • Is the algorithm it relies on a finalized NIST standard?
  • Has its security undergone independent audits and sufficient implementation verification?
  • Is the quantum safety it claims a chain-level migration, an account-level upgrade, or merely an application-layer wrapper?

After all, true post-quantum security ultimately needs to cover not just an app's label, but the entire path from signing and verification to on-chain compatibility.

Overall, the threat quantum computing poses to blockchain is real. The importance of Google's latest whitepaper indeed lies in pushing the threat from a distant theory closer to a plannable risk.

But this is still not a signal that "wallets will be hacked tomorrow." A more accurate understanding is that post-quantum migration is no longer a topic confined to academic circles; it will gradually become a practical issue in protocol upgrades, wallet design, and user asset management over the coming years.

In Conclusion

For the industry, what truly matters next isn't who first shouts "the quantum era is coming," but who can first clearly design the migration path.

For users, it's not about panicking now, but first establishing the most basic risk awareness: which assets are exposed first, which operations amplify the exposure surface, and which wallets and public chains are more likely to provide smooth upgrades in the future.

What we need is early action, not excessive anxiety.

Let's encourage each other.
