
I would be quite worried about advances in quantum computers if I had any Bitcoin after watching this DEFCON talk: https://www.youtube.com/watch?v=OkVYJx1iLNs


The quantum algorithm that would break certain kinds of public key cryptography schemes (not even the core part of Bitcoin blockchains, which are not vulnerable to quantum computers) will take days to weeks to break a single key [0]. This is another reason why we will have plenty of warning before quantum computing causes any major disruptions to daily life.

What I would start worrying about is the security of things like messages sent via end-to-end encrypted services like WhatsApp and Signal. Intercepted messages can be saved now and decrypted any time in the future, so it's better to switch to more robust cryptography sooner rather than later. Signal has taken steps in this direction recently: https://arstechnica.com/security/2025/10/why-signals-post-qu....

[0] https://arxiv.org/pdf/2505.15917



Usually, the crypto should have Forward Secrecy already even without being PQ-safe (e.g., via https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm), so in practice the attacker would need to break many successive session keys - which rotate every time a new message is sent.
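A small illustration of the KDF-chain point above, added here as an example (it is neither Signal's code nor the commenter's): the symmetric ratchet step from the Double Ratchet spec, run on a constructed initial chain key, showing that a chain key captured at step k yields that step's and later message keys in the chain but none of the earlier ones.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the chain key both parties share
# after a DH ratchet step; not a real Signal key.
CK0 = hashlib.sha256(b"constructed demo chain key").digest()


def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step (KDF_CK in the Double Ratchet spec).
    HMAC-SHA256 keyed with the chain key: input 0x01 yields the message key,
    input 0x02 yields the next chain key.  HMAC is one-way, so the next
    chain key does not reveal the one it was derived from."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def message_keys(chain_key: bytes, count: int) -> list[bytes]:
    """Walk the chain `count` steps and return the per-message keys in order."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return keys


def recoverable_after_compromise(initial_ck: bytes, count: int, step: int) -> list[int]:
    """Model an attacker who obtains the chain key as it stood just before
    message `step` (e.g. by breaking that one key).  They can only run the
    ratchet forward, so they recover message keys `step`..`count-1` and
    none of the earlier ones."""
    real = message_keys(initial_ck, count)
    captured = initial_ck
    for _ in range(step):
        captured, _ = kdf_ck(captured)
    derived = set(message_keys(captured, count - step))
    return [i for i, mk in enumerate(real) if mk in derived]


if __name__ == "__main__":
    print("keys recoverable from a compromise at step 3 of 6:",
          recoverable_after_compromise(CK0, 6, 3))  # -> [3, 4, 5]
```

In the real protocol a DH ratchet step periodically replaces the chain key, which also bounds how far forward a single compromise reaches.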


> not even the core part of Bitcoin blockchains, which are not vulnerable to quantum computers

Um, what? Shor’s algorithm can take the public key of a wallet (present on any outgoing transaction in the ledger) and produce its private key. So now you can hijack any wallet that has transferred any Bitcoin. Notably only one successful run of the algorithm is needed per wallet, so you could just pick a big one if it takes weeks.

It probably wouldn’t help you mine in practice, sure. Technically it would give you better asymptotic mining performance (via Grover’s algorithm) but almost certainly worse in practice for the foreseeable future.
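A worked version of the asymptotic-vs-practical mining point above, added here as an example and not part of the thread; $d$, $t_c$, $t_q$ and $k$ are symbols introduced for this illustration.

Proof of work asks for a double-SHA256 below a target; with a target of $d$ leading zero bits, each evaluation succeeds with probability $p = 2^{-d}$, so a classical miner expects

$$E_{\text{classical}} = \frac{1}{p} = 2^{d} \text{ evaluations.}$$

Grover's algorithm searches an unstructured space in which a fraction $p$ of the inputs is marked using about

$$Q \approx \frac{\pi}{4}\sqrt{\frac{1}{p}} = \frac{\pi}{4}\,2^{d/2} \text{ oracle queries,}$$

a quadratic improvement in the count. Each query, however, is a full reversible SHA256d circuit on error-corrected qubits, costing time $t_q$ per query against $t_c$ per hash on an ASIC, and the queries run sequentially. Spreading the work over $k$ machines gives classical mining a factor $k$, but $k$ independent Grover instances only a factor $\sqrt{k}$ (an instance stopped after $Q'$ iterations succeeds with probability about $(Q'/Q)^2$, so $k\,(Q'/Q)^2 \approx 1$ gives $Q' \approx Q/\sqrt{k}$):

$$T_{\text{classical}} \approx \frac{2^{d}\, t_c}{k}, \qquad T_{\text{Grover}} \approx \frac{\pi}{4}\,\frac{2^{d/2}\, t_q}{\sqrt{k}}.$$

The quantum miner is faster in wall-clock time only when

$$\frac{t_q}{t_c} < \frac{4}{\pi}\,\frac{2^{d/2}}{\sqrt{k}},$$

so the larger the classical parallelism $k$ and the slower a fault-tolerant hash evaluation is relative to an ASIC, the higher the difficulty $d$ must be before the square-root advantage shows up in practice. That is the sense in which the advantage is asymptotic rather than practical.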


> public key of a wallet (present on any outgoing transaction in the ledger)

Genuine question: is this true? I only know a little bit about Bitcoin, but I thought there was a notion of an "extended public key" that's not exposed to the ledger, where each individual public key on the ledger is only used once, or something like that.

I'm not at all confident in my understanding, so I'd love if you or someone else knowledgeable could help fill in the gaps.


Extended public keys can be used to generate a family of addresses, but each transaction still needs the public key for any address that has sent money. Someone who uses it religiously can keep most of their money in addresses with no outgoing transactions, meaning their public key is actually secret and therefore cannot be attacked. But there are so many addresses that have outgoing transactions and huge balances that it wouldn’t make a difference to an attacker - they could skim a fortune and cash out from wallets that are not so well protected.


The real issue is as soon as this is done once Bitcoin's value plummets to a fraction of what it was today while people scramble to fix the algorithms.


Thanks for explaining!


Quantum is a known threat. There is enough time to fix it. Folks are working on the fixes.

Cryptocurrencies would be the last thing I worry about w.r.t Quantum crypto attacks. Everything would be broken. Think banks, brokerage accounts, email, text messages - everything.


I think that’s backwards: most of the stuff you mentioned is using TLS and can switch to post-quantum algorithms with a config change, and do so incrementally with no user-visible impact - e.g. right now I’m already using PQC for many sites and about half of the traffic Cloudflare sees is using PQC:

https://radar.cloudflare.com/adoption-and-usage

In contrast, cryptocurrencies have to upgrade the entire network all at once or it’s effectively a painful fork. That effort appears to just be getting talked about now, without even starting to discuss timing:

https://github.com/bitcoin/bips/pull/1895


> In contrast, cryptocurrencies have to upgrade the entire network all at once or it’s effectively a painful fork

Bitcoin is much more centralized than the popular imagination would have you believe, both in terms of the small number of controlling interests behind the majority of the transaction capacity, and just as importantly the shared open source software running those nodes. Moreover, the economic incentives for the switch are strongly, perhaps even perfectly, aligned among the vast majority of node operators. Bitcoin is already dangerously close to, if not beyond, the possibility of a successful Byzantine attack; it just doesn't happen precisely because of the incentive alignment--if you're that large, you don't want to undermine trust in the network, and you're an easy target for civil punishment.


(I know that you understand this, but just highlighting it)

In fairness, the original Bitcoin white paper referenced both (1) distributed compute and (2) the self-defeating nature of a Byzantine attack as the means of protection. It's not as though (2) is just lucky happenstance.

Hence, why proof of stake can exist.


I definitely agree that the major players will want to move forward, but it seems like there's a legacy system kind of problem where it can stall if you get some slackers who either don't update (what happens to cold wallets?) or if some group has ideological disagreements about the solution. None of that is insurmountable, of course, but it seems like it has to be slower than something where you personally can upgrade your HTTPS servers to support PQC any time you want without needing to coordinate with anyone else on the internet.


I can't remember which chain it was but I'm sure I've seen stats on in-progress rollouts of protocol changes where the network took something like weeks or months to all get upgraded to the new version. You can design for tolerating both for a time.


Yes - definitely not impossible, just something which requires coordinated deployment as opposed to something the two parties to a connection can do themselves.


Is this a purely server side migration? Do browsers/OSs need updating too?


Clients need to be updated, too, since what's happening is that the server and client need to agree on a common algorithm they both support, but that's been in progress for years and support is now pretty widespread in the current versions of most clients.

Stragglers are a problem, of course, but that's why I thought this would be a harder problem for Bitcoin: for me to use PQC for HTTPS, only my browser and the server need to support it and past connections don't matter, whereas for a blockchain you need to upgrade the entire network to support it for new transactions _and_ have some kind of data migration for all of the existing data. I don't think that's insurmountable – Bitcoin is rather famously not as decentralized as the marketing would have you believe — but it seems like a harder level of coordination.


The world has already migrated through so many past now-insecure cryptography setups. If quantum computers start breaking things, people will transition to more secure systems.

In HTTPS for example, the server and client must agree on how to communicate, and we’ve already had to deprecate older, now-insecure cryptography standards. More options get added, and old ones will have to be deprecated. This isn’t a new thing, just maybe some cryptographic schemes will get rotated out earlier than expected.


> If quantum computers start breaking things, people will transition to more secure systems.

That's not really the issue; the real interesting part is existing encrypted information that three-letter agencies have likely dutifully stored in a vault and that's going to become readable. A lot of that communication was made under the assumption that it's secure.


Yeah, all the encrypted messages collected when illegal markets got seized will be decrypted. Many of them use RSA 2048, so by 2030 it's gonna be broken according to the timelines.

It's actually something we will notice. Arrests will be announced.


> Everything would be broken. Think banks, brokerage accounts, email, text messages - everything.

Wonder if this would become the next "nuclear proliferation".

Since it's so hard to manufacture it gets controlled at state level and then becomes a technology that the general public are never allowed to have.


No, it is a known problem. It will get fixed in time.


That's based on the assumption that we don't have any quantum breakthroughs.


Like everything else that is a new invention, it can be a threat.

Anyways I am against stopping evolution on those grounds. What we need to do is learn and fix as you say. Not regulation and forbid. :)


I feel bad about the quantum guru, elder of the quantum village. He starts off his talk by complaining that people assumed "we would have 10 to 20 years" when news about quantum computing hit. The quantum computing hype was 10 years ago. Microsoft's attempt to sell people the quantum computing cloud with Q# is already 8 years old by now. The people who said we had at least 10 years were right. Guy is in denial either about his age or how much of his life he spent trying to sell people on second-hand hot air.


I would be more worried about everything else before Crypto... I would be worried about SSH, about blowfish (and all the dumped password databases) and TLS, and oh so many things.


Every time I mention quantum computing as a threat to crypto (which I have been for years), I get downvoted to oblivion. I guess we have a lot of HODLers here. A bet on crypto is a bet against quantum computing.


I haven't once even thought of investing in crypto, and think that the technology is mostly useless and proof of work schemes should be banned on environmental grounds.

Even so, I don't agree that quantum is a threat to crypto. There are already well known quantum-resistant encryption schemes being deployed live in browsers, today. Crypto can just start adopting one of these schemes today, and we're still probably decades away from a QC that can factor the kinds of primes that crypto security uses. The transition will be slightly more complex for proof of work schemes, since those typically have dedicated hardware - but other types of crypto coins can switch in months, most likely, if they decide to, at least by offering new wallet types or something.


>There are already well known quantum-resistant encryption schemes being deployed live in browsers, today. Crypto can just start adopting one of these schemes today, and we're still probably decades away from a QC that can factor the kinds of primes that crypto security uses.

It's very strange that some people act like switching over to a post quantum cryptography scheme is trivial. Did you watch the video I replied to, which is a talk by an actual quantum computing researcher?


I hadn't watched the video, but I came away even more confused by your comment. The video, while very alarmist about the threat of QC, is also very explicit that switching to PQE is very easy. The whole point of the talk is "switching is easy, the costs are huge, start doing it today".

I also think the talk vastly overestimates the urgency of this, based on little more than marketing projections. The reality is that many of those claims are hugely optimistic, and ignore some fundamental difficulties. Mainly, the qubits / quantum gates being produced today are not at all as programmable as the logical qubits used in the theoretical results presented in those papers. So, even if they do achieve the projected marketing numbers, it's likely that they won't be able to run Shor's or Grover's algorithm on those QCs.

Not to mention, we've had many periods of flimsy encryption being used for important infrastructure, and it has not resulted in wide-scale disasters. Of course we should be responsible and avoid this, but I think the doomsday scenario suggested is way overblown, even if it were true that a 1500 logical qubit programmable QC would be available in 2030.



I haven't seen anyone post any progress on factoring large numbers with quantum computers in a while. Annealers won't do it efficiently, but probably still hold the record anyway, for a relatively small number you could do classical hardware. Gate model machines with enough qubits to do it are still ages off. Bitcoin should find a way to transition to a post-quantum algorithm, but that's about it. As long as they do it before anyone has a big enough QPU, they're fine, and nobody is even close, it seems.


Unless advances in QC could rewrite the blockchain, there's not much to worry about. If the crypto algorithms are compromised, your coins are pretty much frozen on the chain until new algorithms are implemented. Are you arguing QC makes signatures/verification/mining impossible?


Before things were frozen you would have the biggest crash in market history. Then it would be like a futures market that has gone limit down. The panic during this time would be unbelievable. Then when it reopens it would crash further and effectively end trust in crypto.


Why though? Who is to decide which point of the blockchain is the good one and which blocks to “reject”?


Think twice. Everyone who hosts the blockchain would decide to stop because they invested in crypto, at least with some hardware costs. Besides the small group of people that owns a quantum computer. I don't expect that this group is >50% of the people that host the blockchain.


You don't need >50% of bad actors to compromise the blockchain, but rather >50% of the total hashing power. This could very well be achievable by a small group of people with QC at some point.


How does QC aid SHA256 hash throughput?


Amazing talk. Thanks for sharing.



