Five Years, Ten Years, or Even Longer? A Timeline Assessment of the Quantum Computing Threat

Foresight News
Guest columnist
2026-01-26 12:00
How Far Are We from a Quantum Computer That Can Crack Bitcoin?
AI Summary
  • Core Viewpoint: The article argues that to counter the cryptographic threat posed by quantum computers, post-quantum encryption needs to be deployed immediately to prevent "harvest now, decrypt later" attacks. However, the migration to post-quantum digital signatures and zero-knowledge proofs (zkSNARKs), which are not vulnerable to such attacks, should be planned prudently to avoid introducing implementation risks and locking in suboptimal solutions due to premature deployment.
  • Key Elements:
    1. The likelihood of a fault-tolerant quantum computer capable of breaking current mainstream public-key cryptography (e.g., RSA-2048, secp256k1) emerging in the 2020s is extremely low; it is still expected to take a decade or more.
    2. "Harvest now, decrypt later" attacks primarily threaten data encryption that requires long-term confidentiality. Digital signatures and the zero-knowledge property of zkSNARKs are not affected by this attack, making their migration less urgent.
    3. Most non-privacy blockchains (e.g., Bitcoin, Ethereum) primarily use digital signatures and are not easily susceptible to the aforementioned attack. However, Bitcoin, due to its slow governance and a large number of "dormant" vulnerable addresses, needs to plan its migration early.
    4. Privacy chains, because they involve transaction information encryption, face the risk of "harvest now, decrypt later" and should prioritize transitioning to post-quantum schemes or adjusting their architecture.
    5. Current post-quantum signature schemes (e.g., ML-DSA, Falcon) come with high costs in terms of signature size, performance overhead, and implementation complexity. Furthermore, new schemes have historical precedents of being broken by classical attacks, making hasty deployment risky.
    6. For blockchains, implementation vulnerabilities and side-channel attacks are more immediate and likely security threats in the foreseeable future than quantum computers.
    7. Recommendations include immediately deploying hybrid encryption for critical communications, using hash-based signatures in low-frequency scenarios, and allowing time for research and maturation of post-quantum signatures and SNARKs.

Original Author: Justin Thaler (@SuccinctJT), a16z Research Partner

Translated and compiled by: AididiaoJP, Foresight News

When will quantum computers be able to break cryptography? The timeline for this question is often exaggerated, leading to calls for an "urgent, comprehensive shift to post-quantum cryptography."

However, these calls often overlook the costs and risks of premature migration, as well as the fundamentally different nature of threats posed by different cryptographic tools:

  • Post-quantum encryption needs to be deployed immediately, regardless of the cost. This is because "steal now, decrypt later" attacks already exist. Sensitive data encrypted today remains highly valuable even if quantum computers only appear decades later. Although post-quantum encryption has performance costs and implementation risks, for data requiring long-term confidentiality, we have no other choice.
  • Post-quantum digital signatures are a different story. They are not susceptible to the aforementioned "steal and decrypt" attacks, and their own costs and risks (increased size, performance overhead, immature schemes, potential vulnerabilities) call for prudent planning, not immediate action.

Distinguishing this is crucial. Misunderstanding can distort cost-benefit analysis, causing teams to overlook more pressing security risks like software vulnerabilities.

The real challenge of a successful transition to post-quantum cryptography lies in matching the urgency of action with the real threat. The following will clarify common misconceptions about quantum computing threats to cryptography, covering encryption, signatures, and zero-knowledge proofs, with a special focus on its implications for blockchain.

Timeline: How Far Are We from Quantum Computers Capable of Breaking Cryptography?

Despite no shortage of hype, the likelihood of a "cryptographically relevant quantum computer" (CRQC) appearing in the 2020s is extremely low.

By "cryptographically relevant quantum computer," I mean a fault-tolerant, error-corrected quantum computer capable of running Shor's algorithm at a scale sufficient to break elliptic curve cryptography (e.g., secp256k1) or RSA (e.g., RSA-2048) within a reasonable timeframe (e.g., continuous computation not exceeding a month).

Based on public technical milestones and resource assessments, we are still very far from such a computer. Although some companies claim it might be possible before 2030 or even 2035, known progress does not support these claims.

Currently, no quantum computing platform—whether trapped ions, superconducting qubits, or neutral atom systems—is anywhere close to the hundreds of thousands or even millions of physical qubits required to break RSA-2048 or secp256k1 (the exact number depends on error rates and error correction schemes).

The bottleneck is not just the number of qubits, but also gate fidelity, connectivity between qubits, and the sustained error-corrected circuit depth required to run deep quantum algorithms. Some current systems have over 1000 physical qubits, but this number alone is misleading: they lack the connectivity and fidelity required for cryptographic computations.

While recent systems are approaching the physical error rate threshold needed for quantum error correction, no one has yet been able to stably operate more than a few logical qubits, let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits needed to run Shor's algorithm. The gap from proof-of-principle to the scale required for cryptanalysis remains vast.

In short: a cryptographically relevant quantum computer remains out of reach until qubit counts and fidelity improve by several orders of magnitude.

However, corporate press releases and media reports are often confusing. The main points of confusion include:

  1. "Quantum advantage" demonstrations: Current demonstrations are mostly carefully designed tasks that are not practically useful, chosen only because they can run on existing hardware and "appear" fast. This nuance is often downplayed in publicity.
  2. Promotion of "thousands of physical qubits": This usually refers to quantum annealers, not the gate-model quantum computers needed to run Shor's algorithm to attack public-key cryptography.
  3. Misuse of "logical qubits": Physical qubits are noisy; practical algorithms require "logical qubits" composed of many physical qubits through error correction. Running Shor's algorithm requires thousands of such logical qubits, each typically requiring hundreds to thousands of physical qubits. But some companies exaggerate, for example, a recent claim of achieving 48 logical qubits with a "distance-2" error-correcting code (which can only detect errors, not correct them) using only 2 physical qubits per logical qubit is meaningless.
  4. Misleading roadmaps: Many roadmaps' "logical qubits" only support "Clifford operations," which can be efficiently simulated by classical computers and are insufficient to run Shor's algorithm, which requires many "non-Clifford gates" (like T-gates). Therefore, even if a roadmap claims "thousands of logical qubits by year X," it does not mean the company expects to break classical cryptography by then.

These practices severely distort the public's (including seasoned observers') perception of quantum computing progress.

Of course, progress is indeed exciting. For example, Scott Aaronson recently wrote that given "hardware progress is moving at a breathtaking pace," he considers it "a real possibility that we'll have a fault-tolerant quantum computer running Shor's algorithm before the next US presidential election." But he later clarified this does not refer to a cryptographically relevant quantum computer—he counts even fault-tolerantly factoring 15=3×5 (which is faster with pen and paper) as fulfilling the promise. This is still a small-scale demonstration, and such experiments always target 15 because modulo 15 arithmetic is simple; slightly larger numbers (like 21) are much harder.

Key takeaway: Predicting a cryptographically relevant quantum computer capable of breaking RSA-2048 or secp256k1 within the next 5 years—which is crucial for practical cryptography—lacks support from public progress. Even 10 years remains ambitious.

Therefore, excitement about progress is not contradictory to a "still more than a decade away" timeline judgment.

So, what about the US government setting 2035 as the final deadline for a complete post-quantum migration for government systems? I believe this is a reasonable timeline for completing such a massive transformation, but it is not a prediction that a CRQC will definitely appear by then.

"Steal Now, Decrypt Later" Attacks: Who is Vulnerable? Who is Not?

A "steal now, decrypt later" (SNDL) attack refers to an attacker storing encrypted traffic now and decrypting it later when a cryptographically relevant quantum computer emerges. Nation-state adversaries are likely already archiving massive amounts of encrypted communications from governments like the US for future decryption.

Therefore, encryption must be upgraded immediately, at least for data requiring confidentiality for 10-50+ years.

But digital signatures (the cornerstone of all blockchains) are different from encryption: they have no confidentiality that can be attacked retroactively. Even if a quantum computer emerges in the future, it can only forge signatures from that point forward; it cannot "decrypt" past signatures. As long as you can prove a signature was generated before the quantum computer's arrival, it is unforgeable.

This makes the transition to post-quantum digital signatures far less urgent than the encryption transition.

This is precisely how major platforms are acting:

  • Chrome and Cloudflare have deployed hybrid X25519+ML-KEM schemes for web TLS encryption. "Hybrid" means using both a post-quantum secure scheme (ML-KEM) and the existing scheme (X25519), inheriting the security of both, protecting against SNDL attacks while retaining classical security if the post-quantum scheme fails.
  • Apple's iMessage (PQ3 protocol) and Signal (PQXDH and SPQR protocols) have also deployed similar hybrid post-quantum encryption.

In contrast, the deployment of post-quantum digital signatures on critical network infrastructure is being postponed until a CRQC is truly imminent. This is because current post-quantum signature schemes incur performance penalties (detailed below).

Zero-knowledge proofs (zkSNARKs) are in a similar situation to signatures. Even for zkSNARKs that are not post-quantum secure (because they rely on elliptic curve cryptography), the "zero-knowledge" property itself is post-quantum secure. This property ensures the proof leaks no information about the secret, and a quantum computer cannot change that, so there is no confidentiality to "steal now" for future decryption. Therefore, zkSNARKs are also not vulnerable to SNDL attacks. Any zkSNARK proof generated before a quantum computer's arrival remains trustworthy (even if it uses elliptic curve cryptography); attackers can only forge fake proofs after a quantum computer emerges.

What Does This Mean for Blockchain?

Most blockchains are not vulnerable to SNDL attacks.

For non-privacy chains like current Bitcoin and Ethereum, their non-post-quantum cryptography is primarily used for transaction authorization (i.e., digital signatures), not encryption. These signatures do not constitute an SNDL risk. For example, the Bitcoin blockchain is public; the quantum threat lies in signature forgery (stealing funds), not decrypting already public transaction data. This removes the immediate cryptographic urgency from SNDL.

Unfortunately, even analyses by authoritative bodies like the Federal Reserve have incorrectly claimed Bitcoin is vulnerable to SNDL attacks, exaggerating the urgency of transition.

Of course, reduced urgency does not mean Bitcoin can rest easy. It faces different time pressures from the massive social coordination required for protocol changes (detailed below).

The current exceptions are privacy chains. Many privacy chains encrypt or hide recipient addresses and amounts. This confidential information can be stolen now and deanonymized retroactively after a future quantum computer breaks elliptic curve cryptography. Attack severity varies by design (e.g., Monero's ring signatures and key images might allow complete transaction graph reconstruction). Therefore, if users care about their transactions not being exposed by future quantum computers, privacy chains should transition to post-quantum primitives (or hybrid schemes) as soon as possible, or adopt architectures that do not put decryptable secrets on-chain.

Bitcoin's Special Challenge: Governance Gridlock and "Sleeping Coins"

For Bitcoin, two practical factors drive the urgency to start planning for post-quantum signatures, both unrelated to quantum technology itself:

  • Slow governance: Bitcoin changes slowly; any controversy can trigger a destructive hard fork.
  • No passive migration: Coin owners must actively migrate their coins. This means abandoned, quantum-vulnerable coins cannot be protected. Estimates suggest such "sleeping" and quantum-vulnerable BTC could number in the millions, worth hundreds of billions of dollars at current value.

However, the quantum threat to Bitcoin is not an "overnight" doomsday; it's more like a selective, gradual targeting process. Early quantum attacks will be extremely expensive and slow; attackers will selectively target high-value wallets.

Furthermore, users who avoid address reuse and do not use Taproot addresses (the latter expose public keys directly on-chain) are largely safe even without a protocol upgrade—their public keys remain hidden behind a hash until spent. Only when a spending transaction is broadcast does the public key become exposed, triggering a brief real-time race: honest users want to confirm the transaction as quickly as possible, while a quantum attacker tries to compute the private key and steal the coins before that happens.

Therefore, the truly vulnerable coins are those whose public keys are already exposed: early P2PK outputs, reused addresses, and Taproot-held assets.
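The distinction drawn above (P2PK and Taproot outputs carry the public key in the output script, hash-based outputs only reveal it once spent from, and address reuse reveals it for the remaining balance) can be turned into a simple inventory check. The following is an added example, not code from the original article or from any Bitcoin project: it classifies standard output scripts by type, then splits a constructed UTXO set into "key already exposed" and "key still hidden" outputs. All scripts, keys, values and outpoint labels are constructed placeholders, not real chain data.

```python
"""Classify Bitcoin outputs by whether the public key is already visible
on-chain (constructed sample data; added example, not project code)."""
import hashlib
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)
SAT = 100_000_000  # satoshis per BTC


def classify_script(spk: bytes):
    """Return (script_type, key_visible_in_script).

    key_visible_in_script is True when the output script itself contains the
    public key (P2PK, P2TR), so Shor's algorithm would have its input without
    waiting for a spend. Hash-based outputs (P2PKH, P2SH, P2WPKH, P2WSH) reveal
    the key or redeem script only when they are spent from.
    """
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if (n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG
            and spk[1] in (0x02, 0x03, 0x04)):
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh", False
    # P2WPKH: OP_0 <20>, P2WSH: OP_0 <32>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", False
    # P2TR: OP_1 <32-byte x-only output key>; the key sits in the script
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "unknown", False


@dataclass(frozen=True)
class Utxo:
    outpoint: str        # "txid:vout"; placeholder labels in the sample
    script_pubkey: bytes
    value_sat: int


def assess_exposure(utxos, scripts_spent_from):
    """Split a UTXO set into key-exposed and key-hidden outputs.

    scripts_spent_from: output scripts that have been spent from at least
    once before, i.e. an earlier spend already revealed the key or redeem
    script (address reuse). Returns (exposed, hidden); exposed is a list of
    (utxo, reason).
    """
    exposed, hidden = [], []
    for u in utxos:
        kind, visible = classify_script(u.script_pubkey)
        if visible:
            exposed.append((u, f"{kind}: public key is in the output script"))
        elif u.script_pubkey in scripts_spent_from:
            exposed.append((u, f"{kind}: address reused after an earlier spend revealed its key"))
        else:
            hidden.append(u)
    return exposed, hidden


def exposed_value_sat(utxos, scripts_spent_from) -> int:
    exposed, _ = assess_exposure(utxos, scripts_spent_from)
    return sum(u.value_sat for u, _ in exposed)


# ---- constructed sample data (not real keys, hashes or transactions) ----
def _fake_bytes(label: str, n: int) -> bytes:
    return hashlib.sha256(label.encode()).digest()[:n]

_pubkey_a = b"\x02" + _fake_bytes("key-a", 32)  # compressed-key shaped bytes
P2PK_SCRIPT = bytes([len(_pubkey_a)]) + _pubkey_a + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = bytes([OP_DUP, OP_HASH160, 20]) + _fake_bytes("hash-b", 20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 20]) + _fake_bytes("hash-c", 20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SCRIPT = bytes([OP_0, 20]) + _fake_bytes("hash-d", 20)
P2TR_SCRIPT = bytes([OP_1, 32]) + _fake_bytes("xonly-e", 32)

SAMPLE_UTXOS = [
    Utxo("tx-early-p2pk:0", P2PK_SCRIPT, 50 * SAT),  # early-style output, key in script
    Utxo("tx-cold:0", P2PKH_SCRIPT, 3 * SAT),        # hidden behind a hash, never spent from
    Utxo("tx-reused:1", P2PKH_REUSED, 2 * SAT),      # same address spent from earlier
    Utxo("tx-segwit:0", P2WPKH_SCRIPT, 1 * SAT),     # hidden behind a hash
    Utxo("tx-taproot:0", P2TR_SCRIPT, 4 * SAT),      # x-only key in script
]
SCRIPTS_SPENT_FROM = {P2PKH_REUSED}

if __name__ == "__main__":
    exposed, hidden = assess_exposure(SAMPLE_UTXOS, SCRIPTS_SPENT_FROM)
    for u, why in exposed:
        print(f"EXPOSED {u.outpoint:18} {u.value_sat / SAT:7.2f} BTC  {why}")
    for u in hidden:
        print(f"hidden  {u.outpoint:18} {u.value_sat / SAT:7.2f} BTC")
```

On the sample set the three exposed outputs (P2PK, the reused P2PKH address, and the Taproot output) hold 56 of the 60 BTC, which is the shape of the problem the article describes: exposure is decided by output type and spending habits, not by the total amount on-chain. The classifier only recognises the standard templates; anything else is reported as "unknown" rather than silently treated as safe.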

For already abandoned vulnerable coins, solutions are tricky: either the community agrees on a "cut-off date" after which un-migrated coins are considered burned, or they are left to be seized by future owners of quantum computers. The latter poses serious legal and security problems.

A final Bitcoin-specific challenge is low transaction throughput. Even if a migration plan is finalized, migrating all vulnerable funds at current rates would take months.

These challenges mean Bitcoin must start planning its post-quantum transition now—not because a quantum computer might appear before 2030, but because the governance, coordination, and technical logistics required to migrate hundreds of billions of dollars in assets themselves require years.

Bitcoin's quantum threat is real, but the time pressure stems primarily from its own constraints, not from an imminent quantum computer.

Note: The above vulnerabilities regarding signatures do not affect Bitcoin's economic security (i.e., Proof-of-Work consensus). PoW relies on hashing, which is only subject to quadratic speedup from Grover's search algorithm, with practical overhead so large that significant acceleration is unlikely. Even if possible, it would only give larger miners an advantage, not overturn its economic security model.

Costs and Risks of Post-Quantum Signatures

Why shouldn't blockchains hastily deploy post-quantum signatures? We need to understand their performance costs and our still-evolving confidence in these new schemes.

Post-quantum cryptography is primarily based on five classes of mathematical problems: hash-based, code-based, lattice-based, multivariate quadratic equations, and isogenies of elliptic curves. This diversity exists because scheme efficiency is related to the "structure" of the underlying problem: more structure usually means higher efficiency, but may also leave more openings for attack algorithms—a fundamental trade-off.

  • Hash-based schemes are the most conservative (highest confidence in security) but perform the worst. For example, NIST-standardized hash-based signatures are at least 7-8KB, while current elliptic curve signatures are only 64 bytes—a difference of about 100x.
  • Lattice-based schemes are the current deployment focus. NIST's selected sole post-quantum encryption scheme (ML-KEM) and two of its three signature schemes (ML-DSA, Falcon) are lattice-based.
  • ML-DSA signature size is about 2.4-4.6KB, 40-70 times larger than current signatures.
  • Falcon signatures are smaller (0.7-1.3KB) but extremely complex to implement, involving constant-time floating-point operations, with successful side-channel attacks already documented. One of its designers called it "the most complex cryptographic algorithm I've ever implemented."
  • Implementation security challenges are greater: lattice-based signatures have more sensitive intermediate values and complex rejection sampling logic than elliptic curve signatures, requiring stronger side-channel and fault injection protection.

The direct risks posed by these issues are far more real than a distant quantum computer.
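The size gap the hash-based bullet describes (kilobytes versus 64 bytes) and the later recommendation to use hash-based signatures only where large signatures are tolerable both follow from the same construction. The following is an added example, not code from the original article or from NIST's standards: a textbook Lamport one-time signature over SHA-256, which is the simplest hash-based scheme and not the standardized one (SLH-DSA and the stateful XMSS/LMS schemes use Merkle trees and few-time signatures to shrink the key material, but their signatures stay in the same kilobyte range). It also enforces the one-time property, since signing twice with a Lamport key leaks secret-key halves. The firmware file name and the comparison constant are constructed assumptions.

```python
"""Lamport one-time signature over SHA-256 (added teaching example, not a
production scheme) showing the size cost of hash-based signatures."""
import hashlib
import secrets

H = hashlib.sha256
N = 256                      # bits of the message digest that get signed
CLASSICAL_SIG_BYTES = 64     # secp256k1 ECDSA/Schnorr signature, for comparison


def keygen():
    """Secret key: 2 random 32-byte preimages per digest bit; public key: their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(N)]
    pk = [[H(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


class OneTimeSigner:
    """Holds a Lamport key pair and refuses to sign a second message."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes) -> bytes:
        if self.used:
            # Revealing a second set of preimages lets anyone forge messages
            # whose digests mix the two revealed halves; refuse outright.
            raise RuntimeError("Lamport key already used; reuse leaks the secret key")
        self.used = True
        digest = H(msg).digest()
        # The signature is one revealed preimage per digest bit: 256 * 32 bytes.
        return b"".join(self.sk[i][_bit(digest, i)] for i in range(N))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Recompute each revealed preimage's hash and compare with the public key."""
    if len(sig) != N * 32:
        return False
    digest = H(msg).digest()
    for i in range(N):
        chunk = sig[32 * i:32 * i + 32]
        if H(chunk).digest() != pk[i][_bit(digest, i)]:
            return False
    return True


def signature_size_bytes() -> int:
    return N * 32            # 8192 bytes


def public_key_size_bytes() -> int:
    return N * 2 * 32        # 16384 bytes


def size_ratio_vs_classical() -> int:
    return signature_size_bytes() // CLASSICAL_SIG_BYTES   # 128x


if __name__ == "__main__":
    # Constructed firmware payload; a real deployment would sign the update image.
    update = b"firmware-v1.2.3.bin (constructed placeholder contents)"
    signer = OneTimeSigner()
    sig = signer.sign(update)
    print("signature bytes:", len(sig), "public key bytes:", public_key_size_bytes())
    print("verify genuine:", verify(signer.pk, update, sig))
    print("verify tampered:", verify(signer.pk, update + b"!", sig))
    print("ratio vs 64-byte classical signature:", size_ratio_vs_classical())
```

An 8 KB signature and a 16 KB public key are harmless for a firmware update that ships once a quarter, and prohibitive for a chain that must carry thousands of signatures per block, which is the trade-off the article is pointing at. The `used` flag is the other thing a deployment must get right: a stateful hash-based scheme is only as secure as the discipline that prevents key reuse, and the hybrid deployment the recommendations describe (classical signature checked alongside the hash-based one) is what hedges an implementation mistake of that kind.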

Historical lessons also warrant caution: leading candidates in NIST's standardization process, like Rainbow (MQ-based signatures) and SIKE/SIDH (isogeny-based encryption), have been broken by classical computers. This illustrates the risks of premature standardization and deployment.

The cautious approach to signature migration taken by internet infrastructure is particularly noteworthy, given that cryptographic transitions themselves take a long time (e.g., the migration from MD5/SHA-1 took years and is still not fully complete).

Blockchain vs. Internet Infrastructure: Unique Challenges

On the positive side, blockchains maintained by open-source communities (like Ethereum, Solana) can upgrade faster than traditional network infrastructure. On the negative side, traditional networks can shrink their attack surface through frequent key rotation, while blockchain coins and associated keys may be exposed for long periods.

But overall, blockchains should still emulate the network's cautious signature migration strategy. Both are not subject to SNDL attacks for signatures, and the costs and risks of premature migration are high.

Blockchains also have some unique complexities that make premature migration particularly dangerous:

  • Signature aggregation needs: Blockchains often need to quickly aggregate many signatures (e.g., BLS signatures). BLS is fast but not post-quantum secure. Research into SNARK-based post-quantum signature aggregation is promising but still early.
  • Future of SNARKs: The community currently favors hash-based post-quantum SNARKs, but I believe lattice-based SNARK alternatives will emerge in the coming months to years, offering better performance in several aspects (e.g., proof length).

A more serious current problem is: implementation security.

For years to come, implementation vulnerabilities will pose a greater security risk than quantum computers. For SNARKs, the main threat is software bugs. Digital signatures and encryption already have challenges, but SNARKs are far more complex. In fact, a digital signature can be viewed as an extremely minimal zkSNARK.

For post-quantum signatures, implementation attacks like side-channels and fault injection are more pressing threats. The community needs years to harden these implementations.

Therefore, transitioning too early before the dust settles may lock you into a suboptimal scheme or force a second migration to fix vulnerabilities.

What Should We Do? Seven Recommendations

Based on the above realities, I offer the following recommendations for all parties (from builders to policymakers). The overarching principle is: take the quantum threat seriously, but do not assume a cryptographically relevant quantum computer will appear before 2030 (existing progress does not support this assumption). At the same time, there are things we can and should do now:

  1. Deploy hybrid encryption immediately: At least where long-term confidentiality is needed and cost is acceptable. Many browsers, CDNs, and messaging apps (like iMessage, Signal) have begun deployment. Hybrid schemes (post-quantum + classical) protect against SNDL attacks and hedge against potential weaknesses in post-quantum schemes.
  2. Use hash-based signatures immediately in scenarios tolerant of large sizes: For example, low-frequency, size-insensitive scenarios like software/firmware updates can adopt hybrid hash-based signatures now (hybrid to hedge against implementation bugs in new schemes). This provides a conservative "lifeboat" in case a quantum computer appears unexpectedly early.
  3. Blockchains need not rush to deploy post-quantum signatures but should start planning immediately:
  4. Developers should emulate the cautious attitude of the network PKI community, allowing schemes to mature.
  5. Public chains like Bitcoin need to define migration paths and policies for "sleeping" vulnerable funds. Bitcoin especially needs to start planning now, as its challenges are primarily non-technical (slow governance, many high-value