Quantum Computing Threat to Cryptography: A Realistic Timeline – Debating the Controversy of "5 Years, 10 Years, or Longer"

We often hear sensational news about breakthroughs in quantum computing. But will quantum computers really crack modern cryptography within five years? Justin Thaler, a research partner at a16z, points out in an in-depth analysis that the timeline for quantum computing threatening cryptosystems is often seriously exaggerated. His research reveals a core fact: while quantum computing does pose long-term risks, its arrival is much later than many claim. More importantly, different cryptographic tools face vastly different levels of threat — a key distinction often overlooked.

The threat of quantum computing to cryptography is not a single event but a complex issue requiring nuanced analysis based on specific applications. This article systematically examines the real timeline, actual risks, and how various industries should respond.

Actual Progress in Quantum Computing: Technical Reality vs. Marketing Hype

When we talk about “quantum computing,” people usually imagine a universal quantum computer capable of breaking RSA-2048 or secp256k1 (the elliptic curve used in Bitcoin). Such a machine would need to meet strict conditions: fault-tolerance, error correction capabilities, running Shor’s algorithm, and enough scale to break encryption within a reasonable time (e.g., a month).

Based on public technical reports and resource assessments, we are still far from such systems. Although some companies claim they will achieve this around 2030 or 2035, current technological progress does not support these optimistic estimates. Presently, no ion-trap, superconducting-qubit or neutral-atom platform comes close to the scale needed to break RSA-2048. Cracking such encryption would require tens of thousands, possibly millions, of physical qubits — depending on error rates and correction schemes.

The key bottlenecks are not just the number of qubits but also gate fidelity, connectivity between qubits, and the depth of error-correcting circuits needed for deep quantum algorithms. Although some systems have over 1,000 physical qubits, this number is misleading: these systems lack the necessary connectivity and precision to perform cryptanalysis. While modern systems are approaching the threshold for physical error correction, no one can reliably maintain even a few logical qubits, let alone thousands of high-fidelity logical qubits, deep circuits, and fault-tolerance. The gap between proof-of-concept and practical cryptanalysis remains enormous.

Why is news coverage so confusing?

Commercial press and media often create misconceptions. Major sources of confusion include:

Misleading “quantum advantage” demonstrations: Current demonstrations are typically carefully chosen tasks that happen to run on existing hardware and appear “fast,” not useful applications. This critical detail is frequently omitted in publicity.

Misleading “thousands of physical qubits” claims: This usually refers to adiabatic quantum computers (quantum annealers), not gate-based models capable of running Shor’s algorithm to break public-key cryptography.

Misuse of “logical qubits” terminology: Physical qubits are susceptible to noise, but practical applications require error correction, which uses multiple physical qubits to form a “logical qubit.” Running Shor’s algorithm needs thousands of such logical qubits, each typically requiring hundreds to thousands of physical qubits. Some companies exaggerate by claiming that using “distance-2” error correction codes (which only detect errors, not correct them) can produce 48 logical qubits with only 2 physical qubits each — which is nonsense.

False promises in roadmaps: Many project roadmaps claim to achieve “logical qubits” capable of supporting “Clifford operations,” which can be efficiently simulated classically and are insufficient for running Shor’s algorithm, which requires many non-Clifford gates (like T gates). So, even if a roadmap claims to reach “thousands of logical qubits” by a certain year, it does not mean they expect to crack cryptography then.

These practices distort public understanding (including many informed observers), leading to misconceptions about quantum progress.

Even experts overstate threat timelines

Even renowned quantum computing researchers like Scott Aaronson have recently discussed this issue, suggesting that “given the astonishing pace of hardware development,” it’s “plausible” that a fault-tolerant quantum computer capable of running Shor’s algorithm could appear before the next U.S. presidential election. He clarifies this does not mean a machine capable of cracking encryption — even a small-scale demonstration factoring 15=3×5 (which is trivial by hand) would meet his criteria. This remains a small-scale proof-of-concept, often targeting 15 because modular arithmetic is simple; larger numbers (like 21) are much more complex.

Core conclusion: The idea that within five years we will see a quantum computer capable of cracking RSA-2048 or secp256k1 — both critical for real-world cryptography — is unsupported by public technical results. Even extending to ten years, this goal remains very ambitious. Therefore, excitement about progress and assessments that “it will take decades” are not contradictory.

Two Types of Cryptographic Threats with Different Risk Levels

Understanding quantum threats hinges on recognizing that different cryptographic tools face vastly different risks. This distinction is crucial but often overlooked.

“Harvest now, decrypt later” attacks target specific tools

“Harvest now, decrypt later” (HNDL) attacks: Adversaries collect encrypted communications today, store them, and decrypt once quantum computers are available. State actors may have already archived encrypted data from government communications, planning to decrypt in the future.

This attack directly threatens encryption algorithms. Sensitive data encrypted today may still be valuable decades later, and once quantum computers arrive, they could be broken. For long-term confidentiality, post-quantum encryption must be deployed immediately, despite high costs and implementation risks. This is unavoidable.

However, this attack does not apply to digital signatures.

Digital signatures face a completely different risk

Digital signatures (the foundation of every blockchain) protect no confidential content, so there is nothing for a later attacker to recover. Even once quantum computers emerge, they can only forge new signatures after the fact; they cannot “decrypt” past signatures. As long as you can prove a signature was created before the quantum computer appeared, it cannot have been forged.

This means the urgency to migrate to post-quantum signatures is much lower than for encryption. Post-quantum signature schemes come with costs (larger size, performance overhead, immature schemes, potential vulnerabilities) and should be carefully planned rather than rushed.

The unique properties of zero-knowledge proofs

Zero-knowledge proofs (zkSNARKs) behave like signatures in this respect. Even if they use elliptic curve cryptography vulnerable to quantum attacks, their “zero-knowledge” property ensures they reveal no information about the secret witness, even to quantum adversaries. Because the proofs leak nothing, there is no “harvest now, decrypt later” risk. Therefore, zkSNARKs are less susceptible to such threats.

Assessing Quantum Threats in the Blockchain Ecosystem

Most public chains are inherently resistant

Bitcoin, Ethereum, and similar public chains without privacy features: the quantum-vulnerable cryptography on these chains is the digital signatures used for transaction authorization, not encryption. These signatures are not threatened by “harvest now, decrypt later” attacks because the data is already public — the threat is forging signatures (stealing funds), not decrypting past transactions. This reduces the immediate need for post-quantum migration.

Unfortunately, even authorities like the U.S. Federal Reserve have mistakenly claimed that Bitcoin is vulnerable to such attacks, overstating the urgency.

Of course, Bitcoin is not invulnerable. It faces various timing constraints, mainly related to the social coordination needed for protocol upgrades.

Privacy coins face real risks

Exceptions: privacy-focused chains: Many privacy coins encrypt or hide recipient addresses and amounts. This secret data could be harvested today and decrypted later once quantum-enabled elliptic curve cracking exists. The severity depends on the design (e.g., Monero’s ring signatures and key images may allow reconstruction of transaction graphs). If users worry about future de-anonymization, privacy chains should migrate quickly to post-quantum primitives or hybrid schemes, or adopt architectures that do not record decryptable secrets on-chain.

Bitcoin’s Unique Challenges: Governance Bottlenecks and “Zombie Coins”

For Bitcoin, two real-world factors create urgency for post-quantum signature plans, unrelated to quantum technology itself:

Slow governance: Bitcoin’s slow evolution and potential disagreements can lead to disruptive hard forks.

Passive migration infeasible: Holders must actively migrate their coins. This means abandoned or unmigrated coins remain vulnerable. It’s estimated that millions of “zombie” coins could be susceptible, worth trillions of dollars at current prices.

However, the threat is not an immediate apocalypse but a gradual, targeted process. Early quantum attacks would be costly and slow, with attackers selectively targeting high-value wallets. Users avoiding address reuse and not using Taproot (which exposes public keys on-chain) remain relatively safe even without protocol upgrades: their public keys are hidden behind hashes until spent. Once a transaction is broadcast, the public key is revealed, and the attacker has a brief window to compute the private key and steal funds.

The most vulnerable are coins with exposed public keys: early P2PK outputs, reused addresses, and assets stored in Taproot outputs. Solutions are complex: either the community agrees on a “deadline” after which un-migrated coins are considered burned, or the coins are left vulnerable, risking future theft by quantum adversaries. The latter could cause legal and technical issues.
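To make the exposure categories in the preceding paragraphs concrete, here is an added example (written for this edit, not code from the article, from Bitcoin Core or from any wallet project) that classifies raw scriptPubKeys by whether the raw public key is already visible on-chain. The public key, HASH160 value and amounts are constructed placeholders, and the `key_previously_spent` flag stands in for the address-reuse check that a real inventory would derive from chain history.

```python
"""Inventory which Bitcoin outputs already expose a public key on-chain.

Added example, not from the article or any Bitcoin project: a small
scriptPubKey classifier that reports, per output, whether the raw public key
(the input a Shor-capable machine would need) is visible on-chain today.
All keys, hashes and values below are constructed placeholders, not real UTXOs.
"""
from dataclasses import dataclass

# Script opcodes used by the standard output templates
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


@dataclass(frozen=True)
class Exposure:
    script_type: str
    pubkey_exposed: bool  # True if the raw key is recoverable from the chain now
    reason: str


def _hash_locked(kind: str, key_previously_spent: bool) -> Exposure:
    # Hash-locked outputs hide the key until the first spend from that key;
    # reusing the address after a spend leaves the key permanently exposed.
    if key_previously_spent:
        return Exposure(kind, True, "address reuse: key revealed by an earlier spend")
    return Exposure(kind, False, "only HASH160(pubkey) on-chain until first spend")


def classify_script(spk: bytes, key_previously_spent: bool = False) -> Exposure:
    """Classify a raw scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG  (the key is the script itself)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, "raw public key is the script itself")
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return _hash_locked("P2PKH", key_previously_spent)
    # P2WPKH: OP_0 <20 bytes>
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return _hash_locked("P2WPKH", key_previously_spent)
    # P2SH / P2WSH carry only a script hash; exposure depends on the redeem
    # script, so treat them like hash-locked keys and flag for manual review.
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return Exposure("P2SH", key_previously_spent, "script hash; review redeem script")
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return Exposure("P2WSH", key_previously_spent, "script hash; review witness script")
    # P2TR: OP_1 <32-byte x-only output key> (the key is on-chain from the start)
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return Exposure("P2TR", True, "x-only output key is on-chain (Taproot)")
    # Conservative default for anything unrecognised
    return Exposure("unknown", True, "unrecognised script; assume exposed until reviewed")


# Constructed sample values (not real keys or hashes)
SAMPLE_PUBKEY = b"\x02" + b"\xab" * 32   # 33-byte compressed key placeholder
SAMPLE_HASH160 = b"\x11" * 20            # placeholder for HASH160(pubkey)
SAMPLE_XONLY = b"\xcd" * 32              # placeholder Taproot output key
P2PKH_SCRIPT = (bytes([OP_DUP, OP_HASH160, 20]) + SAMPLE_HASH160
                + bytes([OP_EQUALVERIFY, OP_CHECKSIG]))

# (label, scriptPubKey, value in satoshi, key already used in an earlier spend?)
SAMPLE_UTXOS = [
    ("early-p2pk", bytes([33]) + SAMPLE_PUBKEY + bytes([OP_CHECKSIG]), 5_000_000_000, False),
    ("fresh-p2pkh", P2PKH_SCRIPT, 100_000_000, False),
    ("reused-p2pkh", P2PKH_SCRIPT, 300_000_000, True),
    ("p2wpkh", bytes([OP_0, 20]) + SAMPLE_HASH160, 200_000_000, False),
    ("taproot", bytes([OP_1, 32]) + SAMPLE_XONLY, 500_000_000, False),
]


def exposed_summary(utxos):
    """Return (exposed_sats, hidden_sats, labels_of_exposed_outputs)."""
    exposed, hidden, labels = 0, 0, []
    for label, spk, sats, spent_before in utxos:
        info = classify_script(spk, spent_before)
        if info.pubkey_exposed:
            exposed += sats
            labels.append(label)
        else:
            hidden += sats
    return exposed, hidden, labels


if __name__ == "__main__":
    for label, spk, sats, spent_before in SAMPLE_UTXOS:
        info = classify_script(spk, spent_before)
        print(f"{label:13} {info.script_type:7} exposed={info.pubkey_exposed!s:5} {info.reason}")
    print("exposed/hidden sats:", exposed_summary(SAMPLE_UTXOS)[:2])
```

Run against a real UTXO set, the same loop gives a first-order estimate of how much value is already in the "exposed" bucket and therefore cannot be protected by waiting; the hash-locked outputs stay hidden only for as long as their owners avoid address reuse.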

Another Bitcoin-specific issue is low transaction throughput. Even with a migration plan, moving all vulnerable funds at current speeds could take months.

These challenges mean Bitcoin must start planning its transition to the post-quantum era now — not because quantum computers might appear in 2030, but because managing, coordinating, and executing such a migration for hundreds of billions of dollars will take years.

Additional note: The signature-related vulnerabilities do not affect Bitcoin’s consensus security model (proof-of-work). PoW relies on hash functions, against which Grover’s algorithm offers at most a quadratic speedup; exploiting it would still be costly and unlikely to compromise security significantly. Even if it did, it would favor large miners rather than break the economic security.

Costs and Risks of Post-Quantum Signatures

Why shouldn’t blockchains rush to implement post-quantum signatures? We need to understand the performance costs and the trustworthiness of these emerging solutions.

Post-quantum cryptography mainly relies on five classes of hard problems: hash-based, code-based, lattice-based, multivariate quadratic, and elliptic-curve isogenies. This diversity reflects a trade-off between efficiency and the algebraic structure of the underlying problem: more structure usually means higher efficiency but potentially more attack vectors — a fundamental trade-off.

Hash-based schemes: the most conservative (highest security confidence) but with the worst performance. NIST-standardized hash signatures are around 7-8 KB, compared to 64-byte elliptic curve signatures — a difference of hundreds of times.
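To show where the kilobytes in hash-based signatures come from, here is an added example (not from the article and not an implementation of NIST's SLH-DSA): a Lamport one-time signature over SHA-256, the simplest hash-based scheme. The function and class names are my own, and the "firmware" message is a constructed sample. The example also enforces the one-time property, since reusing such a key is the classic failure mode of this family.

```python
"""Why hash-based signatures are large: a Lamport one-time signature over SHA-256.

Added example, not from the article and not a NIST scheme: the simplest
hash-based signature, enough to show where the kilobytes come from and why
such keys must never sign twice. SLH-DSA is far more elaborate, but its size
pressure has the same origin: one hash preimage per message-digest bit.
"""
import hashlib
import secrets

HASH_BYTES = 32          # SHA-256 output length
BITS = HASH_BYTES * 8    # one secret pair per bit of the message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: BITS pairs of random preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(HASH_BYTES), secrets.token_bytes(HASH_BYTES))
          for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg: bytes):
    """Reveal, for every digest bit, the preimage selected by that bit."""
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed preimage must hash to the public-key entry for its bit."""
    if len(sig) != BITS:
        return False
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(BITS))


class LamportSigner:
    """Stateful wrapper that enforces the one-time property."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            # A second signature reveals preimages for the other bit values,
            # which is enough to forge signatures on messages whose digests
            # mix bits of the two signed messages.
            raise RuntimeError("one-time key already used")
        self.used = True
        return sign(self.sk, msg)


def size_report() -> dict:
    """Byte sizes of a Lamport signature and public key versus secp256k1."""
    sig_bytes = BITS * HASH_BYTES          # 256 preimages of 32 bytes
    pk_bytes = 2 * BITS * HASH_BYTES       # two hashes per bit
    return {
        "signature_bytes": sig_bytes,
        "public_key_bytes": pk_bytes,
        "vs_secp256k1_signature": sig_bytes // 64,   # 64-byte Schnorr/compact ECDSA
        "vs_secp256k1_pubkey": pk_bytes // 33,       # 33-byte compressed key
    }


if __name__ == "__main__":
    signer = LamportSigner()
    msg = b"constructed firmware image v1.2.3"   # sample input, not real firmware
    sig = signer.sign(msg)
    print("valid:", verify(signer.pk, msg, sig))
    print("tampered valid:", verify(signer.pk, msg + b"!", sig))
    print(size_report())
```

The signature alone is 256 × 32 = 8192 bytes, which is the same order as the 7-8 KB figure quoted above for the standardized schemes; the standardized constructions spend a great deal of engineering (Winternitz chaining, Merkle trees, hypertrees) just to bring the public key down and to make many-time use safe, which is exactly why they remain slow and large.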

Lattice-based schemes: currently the focus of deployment. NIST’s selected ML-KEM and two of the three signature schemes (ML-DSA, Falcon) are lattice-based.

  • ML-DSA signatures are about 2.4–4.6 KB, 40–70 times larger than current signatures.
  • Falcon signatures are smaller (0.7–1.3 KB) but extremely complex to implement, requiring constant-time floating-point arithmetic, and they have already been the subject of successful side-channel attacks. Its creators call it “the most complex cryptographic algorithm I have ever implemented.”
  • Implementation security is harder: lattice signatures involve more intermediate values and complex rejection sampling, requiring stronger side-channel and fault-injection protections than elliptic signatures.

These implementation challenges are more urgent than the distant threat of quantum computers. History also warns us: NIST candidates such as Rainbow (multivariate signatures) and SIKE/SIDH (isogeny-based encryption) were broken on classical computers, illustrating the risks of premature standardization and deployment.

Internet infrastructure has been cautious with new signatures, as the transition can take years (e.g., the ongoing migration from MD5/SHA-1). Similar caution applies to blockchain.

Common Challenges for Internet Infrastructure and Blockchains

Positive factors: open-source blockchain communities (like Ethereum, Solana) can upgrade faster than traditional networks.

Negative factors: traditional networks can rotate keys frequently to reduce attack surface, but blockchain addresses and keys may remain vulnerable for long periods.

Overall, blockchains should adopt a cautious approach similar to the PKI community’s, planning for signature migration carefully. Both are not immediately vulnerable to “harvest now, decrypt later” attacks, but the costs and risks of migration are high.

Certain blockchain features make early migration especially risky:

Signature aggregation: blockchains often require fast aggregation of many signatures (e.g., BLS). BLS is fast but not post-quantum secure. Research into SNARK-based post-quantum signature aggregation is promising but still early.

Future of SNARKs: the community currently favors hash-based post-quantum SNARKs, but I expect lattice-based SNARKs to emerge in the coming months and years, offering better proof sizes and efficiency.

Ensuring implementation security: in the next few years, implementation bugs and side-channel attacks on SNARKs and post-quantum signatures pose greater threats than quantum computers themselves. The community must invest in audits, fuzzing, formal verification, and layered defenses.

Premature migration — before the dust settles — could lead to suboptimal solutions or require re-migration later.

Moving Forward: Seven Strategic Recommendations

Based on the above realities, I propose the following guidance for stakeholders (developers, policymakers, etc.). The guiding principle: take quantum threats seriously but do not assume that a quantum computer capable of breaking cryptography will appear before 2030 (current results do not support this). Still, there are actions we can and should take now:

1. Deploy hybrid encryption immediately: at least in scenarios where long-term confidentiality is critical and costs are acceptable. Many browsers, CDNs, and messaging apps (e.g., iMessage, Signal) have begun doing so. Hybrid schemes (post-quantum + classical) protect against both current and future threats.

2. Use hash-based signatures in low-frequency scenarios: e.g., firmware updates, where size is less critical. Hybrid hash-based signatures now provide a cautious “lifeboat” if quantum computers appear unexpectedly early.

3. Blockchain does not need to rush post-quantum signatures but should start planning now.

4. Developers should adopt a cautious approach similar to PKI, ensuring solutions are mature before deployment.

5. Major public chains like Bitcoin must define migration paths and policies for “zombie” vulnerable coins now. The slow governance and large value at stake make this urgent.

6. Allocate time for research and development of lattice-based SNARKs and aggregate signatures, to avoid locking in suboptimal solutions prematurely.

7. For Ethereum accounts: smart contract wallets (upgradable) can facilitate smoother transitions, but the key is community-driven research and contingency planning. Decoupling account identities from specific signature schemes (e.g., account abstraction) offers flexibility, supporting post-quantum migration, transaction sponsorship, and social recovery.

8. Privacy chains should prioritize migration (if performance permits): current privacy schemes are vulnerable to future quantum attacks. Hybrid or architecture changes can mitigate on-chain decryption risks.

9. In the short term, focus on securing implementation correctness: vulnerabilities and side-channel attacks on SNARKs and post-quantum signatures pose greater immediate threats than quantum computers. Invest in audits, testing, and layered defenses.

10. Continue funding quantum computing R&D: from national security perspectives, sustained investment and talent cultivation are essential. If adversaries gain early access to cryptographically relevant quantum capabilities, risks escalate.

11. Maintain a rational perspective on quantum news: milestones will be announced, but each confirms that we are still far from practical quantum threats. Treat news reports critically, and avoid rushing actions based solely on hype. Technological breakthroughs may accelerate progress, but bottlenecks are real.

Following these recommendations will help us avoid more direct and likely risks: cryptographic vulnerabilities, rushed deployments, and flawed migrations.
