The Quantum Threat to Web3: Shor’s Algorithm, Harvest Now Decrypt Later, and How to Prepare
Attackers are collecting encrypted blockchain data today with the explicit intention of decrypting it once quantum computers mature. This is not speculation. Here is what you need to know and how to prepare.

The Concrete Threat: What Happens When Shor’s Algorithm Meets ECDSA
Bitcoin and Ethereum rely on ECDSA (Elliptic Curve Digital Signature Algorithm) to secure transactions. When you send cryptocurrency, your private key signs the transaction using ECDSA. The network verifies that signature using your public key—a mathematical one-way function that is computationally infeasible to reverse with classical computers.
Until now.
In 1994, mathematician Peter Shor published an algorithm that, if run on a sufficiently powerful quantum computer, could solve the discrete logarithm problem in polynomial time. The hardness of that problem is the mathematical foundation ECDSA relies on.
Breaking a 256-bit ECDSA key requires approximately 2^128 operations—roughly 340 undecillion attempts. Even with every supercomputer on Earth, this would take longer than the age of the universe.
Shor’s algorithm reduces this to approximately 256^3 (~16 million) quantum operations. A sufficiently powerful quantum computer could accomplish this in hours or minutes.
The implications are stark: any transaction whose public key has been exposed (on transparent blockchains like Bitcoin and Ethereum, that is most transactions) becomes vulnerable. An attacker with a quantum computer could forge signatures, drain wallets, and redirect funds without ever having held the private key.
What a Quantum Attack Actually Looks Like
Imagine an attacker with a quantum computer capable of executing Shor’s algorithm who gains access to a historical Bitcoin or Ethereum transaction. They:
- Extract the public key from the transaction (already visible on-chain)
- Run Shor’s algorithm to recover the private key
- Use that private key to forge new transactions
- Drain the wallet entirely
Shor’s Algorithm: The Mechanics (Explained Accessibly)
Superposition and Quantum Parallelism
A classical bit is either 0 or 1. A quantum bit (qubit) can exist in both states at once until measured. This allows a quantum computer to evaluate multiple computational paths in parallel.
Shor’s algorithm leverages this by:
- Creating a superposition of all possible values a private key might be
- Using quantum interference to amplify the probability of the correct answer
- Measuring the qubits—which collapses the superposition and reveals the private key with high probability
Why ECDSA Is More Vulnerable Than RSA
- ECDSA (Bitcoin, Ethereum): 256-bit keys require ~1,500 logical qubits to break
- RSA-2048 (less common in Web3): requires ~8 million qubits to factor
The difference matters for the timeline, but not for the outcome: both are vulnerable. ECDSA’s smaller key size actually makes it a more attractive target for attackers with limited quantum resources.
Harvest Now, Decrypt Later: Why the Threat Is Active Today
"Harvest Now, Decrypt Later" is a long-term attack strategy where an adversary:
1. Collects encrypted or digitally signed blockchain data today (transaction records, validator communications, wallet interactions, state commitments)
2. Stores that data with the expectation that quantum computers will eventually break it
3. Decrypts or forges the data in the future once quantum capabilities mature
Who Is Affected?
Entities at Risk from Harvest Now, Decrypt Later
- Cryptocurrency exchanges storing customer funds with exposed public keys
- Early Bitcoin holders with large balances and historical transactions
- Ethereum stakers whose validator keys are partially exposed through consensus layer data
- Long-term hodlers with legacy wallets that have reused addresses
- Smart contract protocols with exposed deployer addresses
- DAOs with treasury addresses in the clear
- Layer 2 solutions relying on classical cryptography assumptions
NIST’s Post-Quantum Cryptography Standardization
The world’s cryptography experts recognize this threat. In response, the U.S. National Institute of Standards and Technology (NIST) has been working since 2016 to identify and standardize quantum-resistant algorithms.
The NIST PQC Timeline
NIST selected four algorithms for standardization.
NIST finalized and published two critical standards:
- FIPS 204 (ML-DSA) — standardized version of CRYSTALS-Dilithium for digital signatures
- FIPS 203 (ML-KEM) — standardized version of CRYSTALS-Kyber for key encapsulation
ML-DSA and ML-KEM Explained
ML-DSA (Module-Lattice-Based Digital Signature Algorithm)
- Purpose: Replaces ECDSA and RSA for digital signatures
- Security: Hardness of finding short vectors in lattices
- Public key: ~1,312 bytes
- Signature: 2,420 bytes
- Speed: Fast verification, suitable for consensus layers
ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism)
- Purpose: Replaces RSA and ECDH for key agreement
- Security: Same lattice hardness assumption as ML-DSA
- Public key: ~1,184 bytes
- Encapsulated key: 1,088 bytes
- Web3 use: Node comms, wallet-protocol interaction, off-chain encryption
| Property | ECDSA (Current) | ML-DSA (PQC) | Hybrid ECDSA+ML-DSA |
|---|---|---|---|
| Quantum Safe | No — Shor's breaks it | Yes — lattice-based | Yes — if either holds |
| Public Key Size | 33 bytes | ~1,312 bytes | ~1,345 bytes |
| Signature Size | 64 bytes | 2,420 bytes | ~2,484 bytes |
| Signing Speed | Fast (microseconds) | Fast (comparable) | 2x operations |
| Verification | Fast | Slightly slower | 2x operations |
| NIST Standard | Legacy (pre-quantum) | FIPS 204 (Aug 2024) | Recommended transition |
| Harvest-Now-Decrypt-Later | Fully vulnerable | Resistant | Resistant |
The PQC Migration Path for Web3
The challenge is not whether to migrate. The challenge is how, given the complexity and decentralized nature of blockchain systems.
Layer 1: Protocol-Level Upgrades
Signature Scheme Replacement Requirements
- Update consensus layer to verify ML-DSA signatures
- Modify transaction formats to accommodate larger signatures
- Update state machines to validate PQC signatures
- Coordinate a network-wide upgrade (hard fork)
Example: Ethereum would need to modify its transaction structure (currently ~110 bytes for signatures) to support ML-DSA signatures (2,420 bytes). This increases transaction size by roughly 22x, with ripple effects on block size, gas costs, and validator requirements.
Layer 2: Hybrid Signatures (The Transition Strategy)
Rather than switching directly from ECDSA to ML-DSA, most blockchains will likely implement hybrid signatures for a transitional period. A transaction is signed by both an ECDSA key and an ML-DSA key, and the network verifies both.
Advantages
- Security even if one assumption breaks
- Gradual rollout for early adopters
- Buys time for PQC infrastructure
- Reduces risk of a single failed migration
Disadvantages
- Transaction sizes roughly double (~2,484 bytes)
- Two cryptographic operations per transaction
- Added wallet and client complexity
- 2–5 year transition phase
Layer 3: Wallet and Exchange Migration
Exchange Migration Requirements
- Generate new ML-DSA keys for all stored assets
- Migrate user funds to PQC-protected addresses
- Maintain backward compatibility during transition
- Implement clear user communication around key rotation
The Hard Question: Retroactive Key Recovery
The only mitigation is a coordinated key rotation before quantum computers achieve cryptographic break:
- All users must move funds from addresses with exposed public keys to new PQC addresses
- This must happen before quantum computers are capable of breaking ECDSA
- Any funds not rotated will be vulnerable
This is both a technical challenge and a social challenge. It requires security awareness, wallet updates, and coordinated action across millions of users.
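Deciding which funds need rotating first means knowing which addresses have already revealed their public key. The following added example (not code from the article, and not a real wallet or explorer) shows the logic on a constructed pay-to-pubkey-hash style ledger: an address commits to a hash of the key, so the key only appears on-chain when that address spends; an address that spends and then keeps or receives a balance (address reuse) is the at-risk case. Addresses here are a truncated SHA-256 of a placeholder key rather than Base58 or bech32, and the ledger entries are constructed. On account-based chains such as Ethereum the rule is simpler: any account that has ever sent a transaction has exposed its key.

```python
import hashlib


def address_of(pubkey: bytes) -> str:
    """Simplified pay-to-pubkey-hash address: a hash of the key, so the key itself
    is not on-chain until the address spends. (Constructed stand-in for Base58/bech32.)"""
    return hashlib.sha256(pubkey).hexdigest()[:40]


# Constructed placeholder "public keys" (not real curve points) and their addresses.
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ("alice", "bob", "carol", "dave")}
ADDR = {name: address_of(key) for name, key in KEYS.items()}

# Constructed sample ledger, in block order. Spending a pay-to-pubkey-hash output
# must reveal the public key so verifiers can check it against the address; that
# reveal is the exposure the article describes.
LEDGER = [
    {"txid": "t1", "inputs": [],
     "outputs": [(ADDR["alice"], 50), (ADDR["bob"], 30)]},
    # alice spends and sends change back to the SAME address (address reuse)
    {"txid": "t2", "inputs": [{"prev": ("t1", 0), "pubkey": KEYS["alice"]}],
     "outputs": [(ADDR["carol"], 20), (ADDR["alice"], 30)]},
    # bob spends his whole balance to a fresh address
    {"txid": "t3", "inputs": [{"prev": ("t1", 1), "pubkey": KEYS["bob"]}],
     "outputs": [(ADDR["dave"], 30)]},
]


def audit(ledger):
    """Return {address: {"balance", "exposed", "at_risk"}} for every address seen."""
    outputs = {}            # outpoint -> (address, amount)
    spent = set()           # outpoints consumed by some input
    exposed = set()         # addresses whose public key appeared in an input
    for tx in ledger:
        for idx, (addr, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], idx)] = (addr, amount)
        for inp in tx["inputs"]:
            prev_addr, _ = outputs[inp["prev"]]
            # Sanity check: the revealed key must match the address being spent.
            if address_of(inp["pubkey"]) != prev_addr:
                raise ValueError(f"{tx['txid']}: key does not match spent address")
            spent.add(inp["prev"])
            exposed.add(prev_addr)
    balances = {}
    for outpoint, (addr, amount) in outputs.items():
        balances.setdefault(addr, 0)
        if outpoint not in spent:
            balances[addr] += amount
    return {addr: {"balance": bal, "exposed": addr in exposed,
                   "at_risk": addr in exposed and bal > 0}
            for addr, bal in balances.items()}


def rotation_candidates(report):
    """Addresses that should be emptied to fresh (ideally PQC) addresses first, largest balance first."""
    return sorted((addr for addr, info in report.items() if info["at_risk"]),
                  key=lambda a: -report[a]["balance"])


if __name__ == "__main__":
    names = {addr: name for name, addr in ADDR.items()}
    for addr, info in audit(LEDGER).items():
        print(f"{names[addr]:6} balance={info['balance']:3} exposed={info['exposed']!s:5} at_risk={info['at_risk']}")
```

On this ledger only alice is flagged: her key is on-chain from t2 and she still holds the change output. bob is exposed too, but with nothing left to steal; carol and dave have never spent, so their keys remain hidden behind the hash until they do.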
QRNG and Entropy: Why PQC Alone Isn’t Enough
Post-quantum cryptography solves the algorithm problem: it replaces ECDSA with a scheme not vulnerable to Shor’s algorithm. But PQC does not solve the entropy problem.
Cryptographic Security Depends On Two Things
- Strong algorithms, which PQC provides
- True randomness, which classical entropy sources struggle to provide
Historical Failures from Weak Randomness
- Sony’s PlayStation 3 used weak RNG for ECDSA keys, allowing researchers to recover private keys
- Android’s Bitcoin wallet (BitcoinSpinner) had RNG vulnerabilities that exposed private keys
- Numerous IoT devices have been compromised due to insufficient entropy in key generation
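The failures listed above share a pattern: one entropy source was trusted on its own. The added example below (written for this page, not code from the article or from any vendor's QRNG SDK) shows the two defensive habits that matter when an external entropy feed is added to key generation: combine it with the OS CSPRNG through an HKDF-style extract-then-expand so the seed is unpredictable as long as at least one source is, and health-check the feed so a dead or stuck device fails closed instead of silently weakening the seed. The health check is a repetition-count test in the spirit of NIST SP 800-90B section 4.4.1; the cutoff of 4 is derived from its formula with assumed parameters (alpha = 2^-20, claimed 8 bits of entropy per byte). The feeds and the salt/info labels are constructed.

```python
import hashlib
import hmac
import os


def repetition_count_ok(samples: bytes, cutoff: int = 4) -> bool:
    """Repetition Count Test in the spirit of NIST SP 800-90B 4.4.1: fail if any
    byte value repeats `cutoff` times in a row. Cutoff 4 comes from the standard's
    C = 1 + ceil(-log2(alpha) / H) with alpha = 2^-20 and a claimed H = 8 bits/sample
    (assumed parameters for this example)."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def combine_entropy(sources, info: bytes = b"wallet-seed-v1", length: int = 32) -> bytes:
    """HKDF-style extract-then-expand over several entropy sources.
    Each source is length-prefixed so source boundaries are unambiguous; the output
    is unpredictable as long as at least ONE source was."""
    material = b"".join(len(s).to_bytes(4, "big") + s for s in sources)
    prk = hmac.new(b"entropy-combiner-salt", material, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def generate_seed(qrng_feed: bytes, length: int = 32) -> bytes:
    """Derive a key-generation seed from the OS CSPRNG plus an external (e.g. quantum) feed.
    Fails closed: a feed that fails its health check is rejected rather than ignored,
    so a broken or unplugged device never yields a weaker seed unnoticed."""
    if len(qrng_feed) < 32 or not repetition_count_ok(qrng_feed):
        raise ValueError("external entropy feed failed health check; refusing to derive seed")
    return combine_entropy([os.urandom(32), qrng_feed], length=length)


if __name__ == "__main__":
    # Constructed feeds: one healthy, one stuck at zero (a dead device).
    healthy = bytes((i * 37 + 11) % 256 for i in range(64))
    stuck = bytes(64)
    print("seed:", generate_seed(healthy).hex())
    try:
        generate_seed(stuck)
    except ValueError as err:
        print("rejected:", err)
```

The length prefix in `combine_entropy` is not cosmetic: without it, two 32-byte sources and one 64-byte source would hash to the same material, and an attacker controlling one source could cancel the contribution of another. A repetition-count test catches only the crudest failure (a stuck output); production systems pair it with the adaptive proportion test and vendor-specific checks.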
QBIT’s Quantum-Native Infrastructure
QBIT QaaS Enables
- Wallet providers to generate keys using true quantum randomness
- Smart contract systems to use quantum-random values for security parameters
- Validators to secure their credentials with quantum-backed entropy
- DeFi protocols to generate cryptographic challenges from verified random sources
The PQC Migration Timeline for Web3
- Standards published: NIST finalizes FIPS 204 (ML-DSA) and FIPS 203 (ML-KEM). Initial PQC research by blockchain teams.
- Testnet deployments: PQC-compatible blockchain testnets. Wallets begin supporting PQC key generation.
- Hybrid signatures: Mainnet upgrades supporting hybrid ECDSA + ML-DSA. Major exchanges begin PQC key support.
- Industry transition: Most active funds move to PQC addresses. Remaining ECDSA faces increasing risk.
- Post-quantum standard: New protocols assume PQC from inception. Legacy ECDSA infrastructure largely deprecated.
FAQ: Quantum Threats and PQC Migration
Q1: Could quantum computers break ECDSA next year?
No. Practical quantum computers capable of running Shor’s algorithm against 256-bit ECDSA likely require 1,000–10,000 logical qubits. Current quantum computers have 100–1,000 physical qubits with high error rates. However, the harvest-now-decrypt-later threat means the clock starts today.
Q2: Why can’t blockchains just upgrade to PQC overnight?
Blockchains are decentralized systems. An ECDSA-to-ML-DSA migration requires protocol specification (months), client implementation and testing (months), community consensus (months), coordinated network upgrade (weeks), and user key rotation (months to years). Hybrid signatures allow a gradual transition.
Q3: Will PQC signatures slow down my wallet or smart contracts?
ML-DSA signing is roughly as fast as ECDSA (microseconds to milliseconds). However, ML-DSA signatures are ~2,400 bytes vs. ECDSA’s ~64 bytes, meaning larger transactions and potentially higher gas costs. Solutions include signature aggregation and Layer 2 off-chain verification.
Q4: How do I protect my current cryptocurrency against quantum threats?
Move funds to fresh addresses, use quantum entropy for new key generation, monitor your blockchain’s PQC migration roadmap, avoid address reuse, and consider custodians with published PQC plans.
Q5: What role does quantum entropy (QRNG) play in post-quantum security?
PQC algorithms are quantum-safe in their mathematical structure. However, cryptographic keys must be generated from random sources, and weak randomness can undermine even the strongest algorithm. QRNG provides true, unpredictable randomness. Combined, QRNG and PQC provide defense in depth.
Conclusion: The Quantum Era Requires Action Now
The quantum threat to Web3 is not a distant concern. Attackers are harvesting encrypted blockchain data today, with explicit intent to decrypt it once quantum computers mature.
The cryptographic migration path is clear: NIST has standardized post-quantum algorithms. Blockchains must implement hybrid signature schemes, execute coordinated protocol upgrades, and guide users through key rotation.
The timeline is tight: 8–15 years to migrate before quantum computers achieve cryptographic break. The work must begin now.
For Builders
- Start planning PQC integration
- Test hybrid signatures on testnet
- Educate users about quantum threats
For Users
- Move funds from exposed addresses
- Generate keys from trusted entropy sources
- Monitor wallet for PQC support
For Infrastructure
- Integrate quantum entropy
- Publish quantum-safe roadmaps
- Support the transition
The question is not whether quantum computers will arrive. The question is whether Web3 will be ready.
Prepare for the quantum era
Explore QBIT’s quantum-native infrastructure for securing Web3 with PQC algorithms and verified quantum randomness.