Crypto Industry Urged to Prepare Now for Quantum Threat, Coinbase-Backed Report Says

The cryptocurrency industry should stop debating exactly when quantum computers will be able to crack the encryption guarding digital assets and start preparing for that day now, a report on the quantum threat commissioned by Coinbase concluded, even as the experts behind it agreed the danger is likely years away.

The report, released by the Coinbase Independent Advisory Board on Quantum Computing and Blockchain, found that powerful, error-corrected quantum machines capable of breaking today’s most widely used encryption will likely be built eventually, despite the steep engineering hurdles that remain. For that reason, the advisers said, blockchains, exchanges, custodians and digital wallet providers should begin moving toward quantum-resistant security rather than waiting for an emergency.

The panel assembled several prominent names in cryptography and quantum computing, among them University of Texas professor Scott Aaronson, Stanford University professor Dan Boneh, Ethereum Foundation researcher Justin Drake, University of Washington professor Sreeram Kannan, Coinbase research scientist Yehuda Lindell and University of California, Santa Barbara professor Dahlia Malkhi.

At the center of the concern is a quantum method known as Shor’s algorithm, which a sufficiently powerful machine could use to defeat public-key cryptography — the mathematical system that lets a user prove ownership of funds without revealing a secret key. Today’s cryptocurrencies depend on a version called elliptic-curve cryptography. A machine able to break it does not yet exist, the report stressed, but the advisers said the prospect is credible enough that delaying preparation invites avoidable risk.

Quantum Threat: What it Would Take

The report called out the important differences between today’s experimental quantum computers and the kind that could threaten cryptocurrency. Current devices are error-prone and small in scale. Breaking modern encryption, the report said, would require so-called logical qubits — stable units of quantum information protected by error correction — performing millions of operations reliably over long stretches of time.

Some of those building blocks of the quantum threat are starting to appear. The board noted that several hardware platforms have reached two-qubit accuracy of roughly 99.9%, a threshold theorists believe could support error-corrected computing if it holds as machines grow far larger. Scaling up that far, the advisers cautioned, remains a formidable problem.

The board warned against judging progress by headline figures such as raw qubit counts. Instead it laid out clearer milestones: demonstrations of logical qubits that outperform the physical parts they are built from, working versions of Shor’s algorithm on small problems, and quantum machines proving their worth on commercially valuable simulation tasks.

The advisers pointed to simulation — not code-breaking — as the main economic engine driving quantum investment. Applications in chemistry, materials science and physics are the most plausible near-term sources of profit, the report said, and success there could create a cycle in which useful tools generate revenue, revenue funds better hardware, and better hardware eventually yields machines capable of breaking encryption. Should that commercial momentum stall, the timeline for a quantum threat could stretch much further out.

A Storage Problem

The tools to defend against the quantum threat already exist because, unlike approaches that require specialized quantum hardware, post-quantum cryptography runs on ordinary computers while resisting future quantum adversaries. The National Institute of Standards and Technology has already approved several such algorithms, including one called ML-KEM for exchanging keys and two, ML-DSA and SLH-DSA, for digital signatures, with more under review.

The difficulty is fitting them into blockchains without wrecking performance, decentralization or usability, according to the report. A recurring theme is size: post-quantum signatures are far bulkier than the ones in use today. An ML-DSA signature can exceed 2,400 bytes, compared with about 64 bytes for the widely used Ed25519 standard, and some hash-based methods are larger still.

Because blockchains are constrained by storage, bandwidth and computing cost, the report estimated that adopting the new signatures carelessly could sharply cut the number of transactions a network can handle, raise fees and swell the size of the chain. In a hypothetical example, the board found that switching Bitcoin to ML-DSA signatures could reduce transaction capacity severalfold, even after accounting for the network’s existing efficiency measures.

The problem compounds in networks that bundle signatures together. Many proof-of-stake systems, including Ethereum, use a method called BLS signatures to compress thousands of validator approvals into a single, efficient package. No post-quantum equivalent matches that efficiency yet, the report said, and the alternatives researchers are developing tend to be larger, slower and reliant on more back-and-forth communication that could complicate the consensus process. The board urged communities whose security leans heavily on such bundling to begin planning immediately.

The Dormant-Wallet Dilemma

The advisers recommended a gradual path rather than an abrupt overhaul. One option is to add periodic post-quantum checkpoints, in which selected blocks receive quantum-resistant signatures that lock in the earlier history of a chain against future forgery. The board also stressed the value of crypto-agility — building systems that can swap in new algorithms without a costly redesign. Networks that bake in that flexibility now, it said, may find later migrations far easier.
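As an added illustration of the crypto-agility the board recommends (example code written for this page, not from the report or any blockchain project): a signed envelope carries an algorithm tag ahead of the signature, so a verifier dispatches on the tag and fails closed on any tag it has no implementation for. The tag values, the envelope layout and the use of Go's standard crypto/ed25519 are this example's assumptions; a post-quantum scheme such as ML-DSA would be added as one more case rather than a new format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Every envelope carries an algorithm tag so the verifier dispatches on it
// instead of assuming one hard-wired scheme. Tags and layout are this
// example's own (assumed), not any real chain's wire format; tag 2 is left
// reserved for a post-quantum scheme that is not linked in here.
const AlgEd25519 uint16 = 1

// Encode builds: alg (2 bytes BE) || sigLen (2 bytes BE) || sig || msg.
func Encode(alg uint16, sig, msg []byte) []byte {
	out := make([]byte, 4, 4+len(sig)+len(msg))
	binary.BigEndian.PutUint16(out[0:2], alg)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(sig)))
	out = append(out, sig...)
	return append(out, msg...)
}

// SignEd25519 wraps a classical signature in the agile envelope.
func SignEd25519(priv ed25519.PrivateKey, msg []byte) []byte {
	return Encode(AlgEd25519, ed25519.Sign(priv, msg), msg)
}

// Verify parses the envelope and dispatches on its tag. A tag with no linked
// verifier fails closed; it returns the authenticated message on success.
func Verify(pub, env []byte) ([]byte, error) {
	if len(env) < 4 {
		return nil, errors.New("envelope too short")
	}
	alg := binary.BigEndian.Uint16(env[0:2])
	n := int(binary.BigEndian.Uint16(env[2:4]))
	if len(env) < 4+n {
		return nil, errors.New("truncated signature")
	}
	sig, msg := env[4:4+n], env[4+n:]
	switch alg {
	case AlgEd25519:
		if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize ||
			!ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
			return nil, errors.New("ed25519 signature invalid")
		}
		return msg, nil
	default:
		return nil, errors.New("no verifier linked for this algorithm tag")
	}
}
```

The size difference the report describes shows up directly in the envelope: the Ed25519 signature field is 64 bytes, whereas an ML-DSA case would carry well over 2,400 bytes per signed message.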

Ecosystems differ in how readily they can adapt. Ethereum’s programmable design may give developers room to add new signing methods without network-wide governance fights, the report said, while Bitcoin’s more cautious culture, which demands broad agreement before changes, makes migration harder.

The thorniest issues of the quantum threat may be human. Moving millions of users to new standards would demand coordination across exchanges, custodians and wallet makers, the report said, and some users may never move at all. That raises a difficult question about dormant wallets: if owners do not shift their coins to quantum-safe addresses in time, networks may have to choose between leaving those funds exposed to theft indefinitely or burning them, rendering them permanently inaccessible. Neither choice would satisfy everyone, the board said, which is why it urged communities to debate the matter publicly now rather than during a crisis.

The report rejected both complacency and alarm, with the advisers expressing high confidence that large-scale, error-corrected quantum computers will eventually arrive and warning against the assumption that engineering difficulties will block them forever. At the same time, they stressed that no machine capable of threatening today’s blockchains exists and that major scientific advances are still needed. The uncertain timeline, the board argued, is a reason to act sooner rather than later, allowing the industry to adapt deliberately instead of scrambling — much as it has weathered earlier technical transitions in scaling and consensus.