Complacency is the enemy of security. And when highly influential voices say quantum risks are decades away, investors relax precisely when they should be leaning in.
On that note, at CES 2025, Nvidia CEO Jensen Huang said that "very useful quantum computers" were still "a few decades away," and quantum computing stocks promptly swooned as coverage amplified the remark, then later tracked his attempted walkback at a special session. The point is that crypto's core security assumptions will eventually fail, and no one knows precisely how much sand is left in the hourglass, not even the tech sector's most-exposed leaders.

Meanwhile, engineering teams keep moving to bring about the quantum future. Google's Willow chip reports improved error correction and device stability that narrows the gap between lab demos and sustained computation. Even if today's devices cannot yet run Shor's algorithm at scale, investors should price the curve of progress rather than a snapshot in time.

But why isn't quantum risk exposure treated with the same discipline used for custody policy, smart contract audits, and regulatory risk? After all, the migration effort already appears on official roadmaps and guidance. Let's dive in and unpack these issues in a bit more detail.
Comforting narratives can be misleading
It is tempting to wave away the quantum risk to cryptocurrency because a famous executive sounded sanguine.
That is quite risky, considering that policymakers and regulators already behave as if the migration must start now. NIST explains why post-quantum work begins before the machines exist and calls "harvest now, decrypt later" a present concern in its PQC migration FAQ. CISA's Operational Technology (OT) guidance to operators emphasizes near-term inventory, discovery, and phased transition. And the U.K.'s NCSC has set out a plan for the whole economy that targets complete migration by 2035.
What matters for crypto is not the average market participant's opinion, nor even that of someone as illustrious as Jensen Huang, but the minimum capability of an adversary who can run the right algorithm once. If that adversary gains the capability in five years, those who declined to adapt on the strength of dismissive opinions lose their funds, while those who prepared keep theirs. Preparing early means sleeping soundly while, eventually and inevitably, others scramble to protect themselves.
With that being said, here are a few of the most common dismissals and why they fall short:
"It's overhyped, so there's nothing to do now." The mathematics behind Shor's algorithm and attacker incentives do not care about hype cycles.
"The risk is at least 10 years out." Security roadmaps from NIST and CISA assume work begins now and flag harvest now, decrypt later as a current risk.
"Google's milestones are just PR." Willow's results are precisely the kind of error-correction advances that compound year over year.
"Active accounts are safe because public keys are hidden." A large set of coins already exposes keys or reveals them upon spend, as shown by Deloitte's chain analysis and River's estimates.
"We'll just upgrade when it is time." Signature-scheme upgrades are complex and slow, which current Bitcoin transition debates make clear.
Those points do not prove that a break is imminent, and nothing currently suggests that it is. What they do show is why the burden of proof sits with complacency. The rational response is to quantify your exposure and then run migration tracks in parallel with your other workstreams.
What a break would actually look like
Now let's go over a few of the relevant technical details so that you'll have a fuller concept of the risks at hand.
In short, modern blockchains rely on asymmetric cryptography. For Bitcoin that means ECDSA and, since Taproot, Schnorr signatures, both over the secp256k1 curve, and many other chains use the same or closely related schemes. Shor's algorithm solves the elliptic-curve discrete logarithm problem that these signatures rest on in polynomial time on a sufficiently capable quantum machine, which means an attacker holding a public key could derive the private key and forge signatures with dramatically less effort than any classical method allows. That would in turn enable silent thefts.
The next detail matters for threat modeling. Many early outputs, notably pay-to-public-key (P2PK) outputs, place the full public key on chain; Taproot (P2TR) outputs place the tweaked public key in the output itself; and hash-based outputs of any era (P2PKH, P2WPKH) reveal their public key when spent, which also exposes any other unspent coins that reuse the same key. Even a never-reused key is visible between broadcast and confirmation, so a "hidden" key is safe only against an attacker who cannot break it within that window. Several estimates suggest that roughly a quarter of Bitcoin sits in P2PK or reused addresses with exposed keys, including dormant wallets that may never move. Those coins would be the first to be separated from their owners once a break becomes practical.
Crypto is also exposed to time-shifted risk. Adversaries already practice harvest now, decrypt later: recording encrypted traffic and archives today and waiting for stronger tools to arrive. The blockchain analogue needs no recording at all, because every exposed public key is permanently public, so the harvesting is already done. That tactic should inform crypto governance, but it rarely gets discussed.
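The classification above is mechanical, and the first step of "quantify your exposure" is to run it over a UTXO set. The following is an added example written for this article, not code from Deloitte, River or any Bitcoin project: it matches scriptPubKeys against the standard Bitcoin output templates, marks whether the signing key is already readable (P2PK, P2TR) or becomes readable only on spend (P2PKH, P2SH, P2WPKH, P2WSH), and then counts an unspent output as exposed when its key is in the output or when the same key (tracked by its 20-byte hash, so P2PKH/P2WPKH reuse across formats is caught) has already been revealed by an earlier spend. Every script and balance in `sample_inventory` is constructed; the "hidden" category assumes the attacker cannot break a key inside the broadcast-to-confirmation window.

```python
"""Inventory Bitcoin outputs by whether a Shor-capable attacker could already
read the public key needed to recover the private key.

Added example for this article, not code from any project it cites. The
script templates are the standard scriptPubKey encodings; every sample
script and balance below is constructed, not real chain data.
"""
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC


@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_in_output: bool          # public key readable from the output itself
    key_revealed_on_spend: bool  # key (or a script containing keys) shown when spent


def classify(spk: bytes) -> Exposure:
    """Map a scriptPubKey to the standard template it matches."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the key *is* the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Exposure("p2pk", True, True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Exposure("p2pkh", False, True)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL -- redeem script (with its keys) shown on spend
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return Exposure("p2sh", False, True)
    # P2WPKH: OP_0 <20-byte hash>; P2WSH: OP_0 <32-byte hash>
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return Exposure("p2wpkh", False, True)
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return Exposure("p2wsh", False, True)
    # P2TR: OP_1 <32-byte x-only tweaked key> -- the key sits in the output,
    # so it is exposed before any spend happens
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return Exposure("p2tr", True, True)
    return Exposure("unknown", False, False)


def key_id(spk: bytes) -> bytes:
    """Identity of the key behind an output: the 20-byte HASH160 for P2PKH and
    P2WPKH (one key gives the same hash in both formats), else the script."""
    kind = classify(spk).script_type
    if kind == "p2pkh":
        return spk[3:23]
    if kind == "p2wpkh":
        return spk[2:22]
    return spk


def exposed_value(utxos, spent_scripts):
    """utxos: iterable of (scriptPubKey, value_sats) still unspent.
    spent_scripts: scriptPubKeys spent at least once, so their key is on chain.
    Returns (total_sats, exposed_sats, breakdown_by_reason)."""
    spent_keys = {key_id(s) for s in spent_scripts}
    total = exposed = 0
    breakdown = {}
    for spk, value in utxos:
        total += value
        ex = classify(spk)
        if ex.key_in_output:
            reason = f"{ex.script_type}: key in output"
        elif ex.key_revealed_on_spend and key_id(spk) in spent_keys:
            reason = f"{ex.script_type}: reused after spend"
        else:
            continue  # key still behind a hash until this output itself is spent
        exposed += value
        breakdown[reason] = breakdown.get(reason, 0) + value
    return total, exposed, breakdown


def sample_inventory():
    """Constructed UTXO set (not real chain data) to exercise the classifier."""
    pubkey = b"\x02" + bytes(range(32))   # placeholder compressed key, not a real point
    h160_a, h160_b = bytes([0xAA] * 20), bytes([0xBB] * 20)
    xonly = bytes([0xCC] * 32)
    p2pk = bytes([33]) + pubkey + bytes([OP_CHECKSIG])
    p2pkh_a = bytes([OP_DUP, OP_HASH160, 20]) + h160_a + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2pkh_b = bytes([OP_DUP, OP_HASH160, 20]) + h160_b + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2wpkh = bytes([OP_0, 20]) + h160_a          # same key as p2pkh_a, different format
    p2tr = bytes([OP_1, 32]) + xonly
    btc = 100_000_000
    utxos = [(p2pk, 50 * btc), (p2pkh_a, 10 * btc), (p2pkh_b, 5 * btc),
             (p2wpkh, 2 * btc), (p2tr, 1 * btc)]
    # p2pkh_a was spent from earlier and then reused, so its key is already public
    return exposed_value(utxos, spent_scripts={p2pkh_a})


if __name__ == "__main__":
    total, exposed, why = sample_inventory()
    print(f"{exposed / total:.0%} of {total / 1e8:.0f} BTC has an exposed key")
    for reason, sats in why.items():
        print(f"  {reason}: {sats / 1e8:.0f} BTC")
```

On the constructed set, 63 of 68 BTC is exposed: the P2PK and Taproot outputs by construction, the reused P2PKH output because its earlier spend published the key, and the P2WPKH output because it is the same key under a different encoding, which is exactly the cross-format reuse a script-level check would miss. Feeding a real UTXO dump through `exposed_value` gives a per-reason figure comparable to the chain-analysis estimates cited above.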
If a break becomes feasible, an attacker does not need to announce it. They can quietly drain long-dormant UTXOs, sweep aged multisig that reused keys elsewhere, and cause turbulence before anyone agrees on a response.
None of this implies that proof of work breaks first. Hash functions like SHA-256 are affected primarily by Grover's algorithm, which offers a quadratic speedup rather than a collapse, while signatures fall to Shor's structure-breaking attack. The path of least resistance is signatures, which is why the peer-reviewed forecasts focus on signature migration rather than mining.
Here's a quick map of the main risk vectors and the associated mitigations:
| Risk vector | Example or exposure | Mitigation path | Adoption status |
|---|---|---|---|
| P2PK and reused P2PKH with exposed public keys | Early rewards and reused addresses that reveal the key on spend | Move coins to fresh, never-reused outputs now and to post-quantum output types once available | Bitcoin contributors discuss freezing vulnerable outputs while migration proceeds |
| Signature schemes based on ECDSA, Schnorr or EdDSA | Signatures across BTC and ETH share discrete log assumptions | Adopt lattice signatures such as ML-DSA or hash-based schemes such as SLH-DSA where appropriate | ML-DSA and SLH-DSA standardized by NIST in 2024; on-chain adoption on major chains is still at the proposal stage |
| Harvest now, decrypt later exposure | Attackers stockpile encrypted data today; on chain, exposed keys need no stockpiling | Rotate secrets early and deprecate vulnerable key material | Government guidance urges early action to reduce latent risk |
There are ample security measures to be taken today to guard yourself against tomorrow's threats. The main issue is that investors and users are mostly (though not totally) reliant on others to implement many of the mitigations.
The migration path we already have
The engineering path towards actually implementing mitigations is visible, although it is not fully fleshed out in all cases.
NIST finalized the first post-quantum standards in August 2024: ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) for lattice-based signatures, and SLH-DSA (FIPS 205) for hash-based signatures. It continues to publish migration updates and outreach that help teams plan staged cutovers. Security agencies built parallel roadmaps so organizations can inventory cryptography, prioritize high-value systems, and sequence changes over several budget cycles.

Crypto does not need to reinvent the wheel to become secure, but it does need to map contingencies and new security requirements onto protocol realities. Bitcoin researchers have explored transition mechanics, including proposals to sunset or quarantine quantum-vulnerable outputs and to introduce new output types for post-quantum spending. Academic teams have evaluated hybrid schemes that pair existing signatures with lattice signatures to smooth the cutover at the cost of larger transactions. Those are solvable trade-offs if the community starts early.
It is also useful to separate what breaks from what bends. Grover's algorithm halves the effective security level of a hash in bits, turning a 2^256 preimage search into roughly 2^128 quantum operations, which makes mining somewhat easier for a quantum miner but does not grant a magic wand. A signature break does grant one, which is why signature migration comes first.
What investors should do next
Investors cannot push code to Bitcoin Core, but they can control portfolio exposure and governance.
The immediate task is to reward projects and service providers that take this seriously, and to insist on credible migration plans from those that do not. Favor custodians and wallets that can rotate keys and support PQC on upgrade day, backed by a roadmap aligned to FIPS 203 and FIPS 204. Watch for chains that socialize proposals to quarantine vulnerable outputs and introduce post-quantum scripts, then track whether those proposals reach testnet. And treat a vendor that dismisses quantum as pure hype as a red flag unless it can point to NIST, CISA, or NCSC aligned plans for inventory and discovery.
Finally, investors, users, and developers alike should keep expectations disciplined. The first iterations of quantum-safe signatures will be bulkier, and UX will lag, as even supportive industry commentary acknowledges: an ML-DSA-44 signature is 2,420 bytes against roughly 72 bytes for a DER-encoded ECDSA signature or 64 bytes for Schnorr, so a post-quantum spend carries over thirty times the signature data. Expect larger transactions and higher fees during a transition to PQC security; size your investments accordingly, and avoid single-key treasuries.
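To make the size penalty tangible, here is an added example, not code from the article or from any project it cites, implementing the simplest hash-based signature there is: a Lamport one-time signature over SHA-256. It signs and verifies a message, measures the key and signature it produces, and compares them with the Bitcoin ECDSA and Schnorr encodings and with the ML-DSA-44 parameters from FIPS 204. Lamport is a teaching scheme (one key pair signs exactly one message; `leaked_positions` shows what reuse gives away), and the standardized hash-based scheme, SLH-DSA, is far more elaborate, but the reason every hash-based or lattice signature is orders of magnitude larger than a 64-byte Schnorr signature is visible here.

```python
"""Lamport one-time signatures over SHA-256: a minimal hash-based scheme,
used here only to show why post-quantum signatures cost more chain space.

Added example for this article, not code from any project it cites. Lamport
is a teaching scheme (one key pair, one message); the NIST hash-based
standard SLH-DSA (FIPS 205) is far more elaborate. Comparison sizes are
Bitcoin's signature encodings and the ML-DSA-44 parameters from FIPS 204.
"""
import hashlib
import secrets

N_BITS = 256  # we sign the SHA-256 digest of the message, one bit at a time


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """For each digest bit, reveal the preimage of that bit's public hash."""
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(N_BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(N_BITS))


def leaked_positions(msg1: bytes, msg2: bytes) -> int:
    """Signing two messages under one key reveals BOTH preimages wherever the
    digests differ, and a forger may mix and match at those positions. The
    count depends only on the digests, so key reuse is fatal for any key."""
    d1, d2 = H(msg1), H(msg2)
    return sum(bin(a ^ b).count("1") for a, b in zip(d1, d2))


# Reference points: Bitcoin ECDSA (DER, at most 72 bytes; 33-byte compressed key),
# Schnorr/BIP340 (64-byte signature; 32-byte x-only key), ML-DSA-44 per FIPS 204.
REFERENCE_SIZES = {
    "ecdsa":     {"pubkey": 33, "sig": 72},
    "schnorr":   {"pubkey": 32, "sig": 64},
    "ml_dsa_44": {"pubkey": 1312, "sig": 2420},
}


def size_report():
    """Bytes a spend would carry per scheme, plus the signature blow-up vs ECDSA."""
    sk, pk = keygen()
    sig = sign(sk, b"constructed spend message")
    report = {name: dict(sizes) for name, sizes in REFERENCE_SIZES.items()}
    report["lamport"] = {"pubkey": sum(len(a) + len(b) for a, b in pk),
                         "sig": sum(len(s) for s in sig)}
    ecdsa_sig = REFERENCE_SIZES["ecdsa"]["sig"]
    for sizes in report.values():
        sizes["sig_blowup_vs_ecdsa"] = round(sizes["sig"] / ecdsa_sig, 1)
    return report


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"spend utxo 1"
    sig = sign(sk, msg)
    print("verifies:", verify(pk, msg, sig), "| tampered:", verify(pk, msg + b"!", sig))
    for name, sizes in size_report().items():
        print(f"{name:10s} pubkey={sizes['pubkey']:6d} B  sig={sizes['sig']:5d} B  "
              f"x{sizes['sig_blowup_vs_ecdsa']} ECDSA")
    print("positions leaked by signing two messages:", leaked_positions(b"a", b"b"))
```

A Lamport signature weighs 8,192 bytes and its public key 16,384 bytes, more than a hundred times an ECDSA signature; ML-DSA-44 is roughly thirty-four times. Real schemes use tree structures and compression to claw some of that back, but the per-bit hash reveal is the core of every hash-based design, which is why fee and block-space trade-offs dominate the migration debates the article refers to.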
Still, don't ever lose sight of the fact that the cost of migration is the premium you pay to keep the option of a decentralized future.

