Quantum risk targets the structure beneath blockchains
IOSG says quantum computing should not be read as a single event that wipes out cryptocurrencies overnight. In a reposted article written by 0xjacobzhao, the firm argues that the real pressure point is deeper: public blockchains depend on permanently visible ledgers, irreversible transfers, and self-managed private keys.
The article opens with a hypothetical scenario. Early Bitcoin addresses that had been dormant for more than a decade suddenly begin moving funds. There is no exchange hack, no wallet breach, and no leaked key material. The only sign is a set of apparently valid signatures. In that case, the market would have to consider a more serious possibility: a quantum-capable actor may have recovered private keys directly from historically exposed public keys.
That outcome would not mean the chain stops producing blocks. It would mean Web3 enters a long phase of cryptographic reconstruction and governance conflict. IOSG says the industry still has a limited “engineering comfort window” of 5 to 8 years before that pressure becomes much harder to absorb.
Why quantum computing matters
The article describes quantum computing as a computing model built on quantum mechanics, using qubits rather than classical bits. It highlights four core properties: superposition, entanglement, interference, and measurement.
It then focuses on two algorithms that matter most for security:
- Shor’s algorithm, introduced in 1994, threatens public-key cryptography by attacking the mathematical problems behind systems such as RSA and elliptic curve cryptography.
- Grover’s algorithm, introduced in 1996, speeds up brute-force search at a square-root rate and weakens the security margin of symmetric systems rather than breaking their structure outright.
IOSG says Shor’s algorithm is the more serious issue for blockchains because major networks rely heavily on elliptic curve and BLS-based signatures. Grover’s impact is more manageable, since longer keys, larger hash outputs, or higher security parameters can restore much of the lost margin.
The piece also lays out quantum computing’s positive uses. It points to quantum simulation in chemistry, drug discovery, new materials, and energy, along with optimization problems in logistics, finance, supply chains, chip design, and industrial scheduling. Of those, quantum simulation is presented as the more durable long-term use case, while complex optimization is still in an exploratory stage.
Q-Day is a window, not a date
IOSG defines Q-Day as the point at which a quantum computer can practically break mainstream public-key cryptography. The article says this should not be treated as a fixed date. Hardware progress, error correction, algorithmic improvements, and the secrecy of state-backed programs all shape the timeline.
Its baseline range for expert expectations is 2035 to 2045. A faster path could bring that forward to 2030 to 2035, while a date before 2030 is described as a low-probability tail risk.
The article also cites Mosca’s inequality, X + Y > Z. In that framing, X is the length of time data must remain confidential, Y is the time required to complete a migration, and Z is the remaining time before Q-Day. If X plus Y exceeds Z, the system is already behind. That is why IOSG says post-quantum migration cannot be treated as a last-minute response after the threat becomes visible.
Post-quantum cryptography is already the main path
IOSG says post-quantum cryptography, or PQC, is the most practical route for large-scale migration because it runs on existing classical systems while relying on mathematical problems believed to resist quantum attacks.
The article identifies two main technical tracks:
- Lattice-based cryptography, with ML-KEM and ML-DSA named as key examples.
- Hash-based signatures, with SLH-DSA listed as the main standardized option.
It also notes that code-based HQC was selected by the US National Institute of Standards and Technology, or NIST, in March 2025 as a fifth PQC algorithm and a non-lattice backup for ML-KEM. A draft standard is expected in 2026, followed by a formal standard in 2027.
On standardization, the article points to three core NIST standards released in August 2024:
- FIPS 203 for ML-KEM
- FIPS 204 for ML-DSA
- FIPS 205 for SLH-DSA
It also says practical deployment depends on hybrid designs that combine legacy algorithms with PQC, cryptographic agility that allows systems to change algorithms when needed, and support technologies such as quantum key distribution, quantum random number generation, and hardware security modules.
Why blockchains are a hard test case
IOSG does not call blockchains the first sector likely to be hit by quantum attacks. It calls them one of the clearest stress-test environments. In Web2, centralized controls such as certificate rotation or account freezes can soften the impact of key compromise. Public blockchains do not have that cushion.
The article says the sector’s vulnerability comes from a three-part structure: the ledger is public forever, asset transfers are final, and users hold their own keys. If a fault-tolerant quantum computer can derive private keys from exposed public keys, valid signatures could be forged and the trust model behind major chains would be shaken at its base.
IOSG adds that quantum pressure is unlikely to hit every layer at once. It expects the risk to move through five levels: assets, protocols, infrastructure, applications, and governance. Exchanges, custodians, and bridges may face pressure before base-layer protocols do.
Bitcoin: exposed public keys and governance friction
For Bitcoin, IOSG says quantum risk is not spread evenly across all BTC. The main variable is whether a public key has already been exposed on-chain. That puts the focus on early legacy outputs, addresses with exposed public keys that still hold balances, and dormant high-value UTXOs.
The article breaks the risk into three groups:
- High risk: statically exposed public-key UTXOs, including early P2PK outputs, Taproot (P2TR) outputs, and reused P2PKH or P2WPKH addresses with remaining balances.
- Medium risk: UTXOs whose public keys are not yet exposed but will be exposed when they are spent, such as unspent and unreused P2PKH or P2WPKH outputs.
- Low risk: assets that are eventually moved to quantum-safe address types.
The article says Bitcoin’s hash components, including SHA-256, SHA256d, and RIPEMD-160, mainly face a reduction in security margin from Grover’s algorithm rather than the direct structural break that Shor’s algorithm poses to ECDSA and Schnorr.
On migration, IOSG says a soft-fork path is more realistic than a hard fork that removes ECDSA or Schnorr at once. It mentions discussions such as BIP-360 and P2MR, but says broad activation is still far away.
There is also a steep engineering cost. The article compares current ECDSA or Schnorr signatures at roughly 64 to 72 bytes with candidate post-quantum signatures: 2.4 to 4.6 KB for ML-DSA and 7 to 49 KB for SLH-DSA. That increase would raise block weight and fees, push up bandwidth and storage costs for nodes, and worsen UTXO-set and wallet user experience.
Governance is the harder problem. Even if quantum-safe addresses are introduced, the network still has to decide what to do with legacy UTXOs that do not migrate, including long-dormant early BTC often associated by the market with the Satoshi era. Doing nothing would leave those coins available to the first actor with practical CRQC capability. Freezing or invalidating them would collide with Bitcoin’s property-rights narrative and the principle captured by “Not your keys, not your coins.”
IOSG describes a more pragmatic middle ground as a “legacy sunset” path, with years of deprecation warnings, increasing relay friction for older output types, and eventual soft-fork constraints. It links that discussion to BIP-361-style legacy signature sunset proposals.
Ethereum: a broader protocol rebuild
Ethereum is described as taking a more active approach. IOSG says the Ethereum Foundation’s Post-Quantum team is studying the issue through open governance channels including All Core Devs, with a focus on cryptographic agility rather than a one-time switch to a single algorithm.
The article identifies four main areas of exposure: externally owned accounts using ECDSA/secp256k1, validator consensus based on BLS signatures, data availability tied to KZG commitments, and parts of the zero-knowledge proof stack.
It says the Ethereum Foundation is working on a “Lean” roadmap across three tracks:
- Execution layer: account abstraction, including ERC-4337 and EIP-7702, gives smart contract wallets more flexibility for mixed-signature and gradual migration paths, while L2s can serve as testing grounds.
- Consensus layer: the roadmap explores replacing BLS with hash-based leanXMSS, paired with a minimal zkVM called leanVM for SNARK aggregation. The article says leanVM is expected to compress large hash-signature data by about 250x.
- Data layer: Blob, data availability, and KZG-related commitments would need a longer-term redesign toward more post-quantum-friendly systems such as STARK-based or lattice-based commitments.
IOSG adds that Ethereum’s quantum exposure is also uneven. EOAs hold the largest value pool, while exchanges, bridges, custodial hot wallets, governance and upgrade keys, L2 sequencers, and admin keys may be the first operational targets.
Other chains are reference points, not the main migration case
The article says all public chains that depend on conventional public-key cryptography face some level of quantum risk, but the main system-wide migration problem still centers on Bitcoin and Ethereum.
Solana is presented as an example of a high-throughput chain exploring verification costs for post-quantum signatures. IOSG mentions community discussions around Falcon-512 and FN-DSA verification syscalls, but says these remain exploratory and do not replace Ed25519 or amount to an official migration roadmap.
Starknet and the STARK model are described as more post-quantum-friendly from a proof-system perspective than pairing or KZG-heavy SNARK systems. Even so, the article says that does not make the full network quantum-safe, since wallet signatures, hash parameters, bridges, and Ethereum L1 settlement still need to migrate.
It also names QRL, Quantus, and Abelian as native or near-native post-quantum chain examples. IOSG treats them as useful technical samples rather than direct competitors to BTC or ETH, since network effects, liquidity, and application ecosystems are still much smaller.
Market repricing could arrive before Q-Day
IOSG’s conclusion is direct. Quantum computing is not the end of blockchains, but it is a system-level reset for public-key cryptography. The limiting factor is not the existence of PQC. It is whether the Web3 stack can coordinate a migration before Q-Day, from BIP and EIP proposals to client implementation, wallet support, exchange integration, and custody compliance.
The article says the broader preparation period may run 5 to 15 years, yet the true engineering comfort window is only 5 to 8 years. It also argues that markets may begin repricing crypto security assumptions before Q-Day itself if quantum resource estimates keep falling, hardware roadmaps move forward sharply, or regulators and large custodians begin imposing PQC-related compliance demands.
In that framing, Bitcoin faces a social consensus and property-rights problem, while Ethereum faces a multi-layer engineering problem. IOSG says post-quantum governance friction is a structural tail risk for BTC, but not a reason for an immediate bearish view.

