Quantum computers cannot break blockchains today. However, the risk has already begun because attackers do not need a fully capable quantum machine right now to create serious problems in the future. All they need to do is collect blockchain data today and store it.
On many networks, public keys are revealed either as soon as an address is created (in account-based models) or when funds are spent (in UTXO models). Once quantum computers become powerful enough, attackers can use those stored public keys to derive the corresponding private keys for vulnerable schemes and then forge signatures or seize control of old addresses.
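To make the UTXO-side exposure concrete, the following is an added example (not code from the original post or from Autonomys) that replays a constructed set of transactions and classifies each address by whether its public key has already been revealed and whether value still rests on it. The address derivation, transaction shape and sample keys are toy constructions, not a real chain's format.

```python
import hashlib
from dataclasses import dataclass

# Toy address derivation (constructed): a UTXO chain publishes only a hash of the
# public key when funds are received; the key itself appears in the spending
# input. Plain SHA-256 is used for portability; Bitcoin uses HASH160.
def address_of(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:40]

@dataclass
class Tx:
    inputs: list   # (address, pubkey_bytes, amount): key revealed when spending
    outputs: list  # (address, amount): only the address hash is published

def audit(txs):
    """Replay transactions; per address, track the remaining balance and whether
    its public key has ever been revealed on-chain (which is irreversible)."""
    state = {}
    for tx in txs:
        for addr, pubkey, amount in tx.inputs:
            if address_of(pubkey) != addr:
                raise ValueError(f"public key does not match {addr}")
            s = state.setdefault(addr, {"balance": 0, "exposed": False})
            s["balance"] -= amount
            s["exposed"] = True      # harvestable from now on, permanently
        for addr, amount in tx.outputs:
            state.setdefault(addr, {"balance": 0, "exposed": False})["balance"] += amount
    return state

def classify(txs):
    """Map each address to its exposure class against a future Shor-capable adversary."""
    out = {}
    for addr, s in audit(txs).items():
        if s["exposed"] and s["balance"] > 0:
            out[addr] = "exposed_with_funds"   # reused address: key known, value at stake
        elif s["exposed"]:
            out[addr] = "exposed_empty"        # key known, nothing left to take
        else:
            out[addr] = "hash_only"            # only the hash is public so far
    return out
# Constructed sample: A is funded, then spends and sends change back to itself.
PUBKEY_A = bytes.fromhex("02" + "11" * 32)   # not real keys
PUBKEY_B = bytes.fromhex("03" + "22" * 32)
ADDR_A, ADDR_B = address_of(PUBKEY_A), address_of(PUBKEY_B)
SAMPLE_TXS = [
    Tx(inputs=[], outputs=[(ADDR_A, 10)]),
    Tx(inputs=[(ADDR_A, PUBKEY_A, 10)], outputs=[(ADDR_B, 4), (ADDR_A, 6)]),
]
```

Calling `classify(SAMPLE_TXS)` flags the reused address A as `exposed_with_funds` (its key is now on-chain and 6 units still sit behind it) while B, which has only received, stays `hash_only`.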
This long-term strategy is often called “harvest now, decrypt later,” but “harvest now, derive later” is more accurate in the context of blockchains [1]. The harvesting happens today. The deriving happens years or decades from now. Because blockchain history is publicly replicated across many nodes and archival infrastructure preserves past states indefinitely, anything exposed now will remain visible once quantum computers reach the required capability. This is not a hypothetical concern reserved for the distant future. As a16z crypto observes:
“Post-quantum encryption demands immediate deployment despite its costs: Harvest-Now-Decrypt-Later (HNDL) attacks are already underway, as sensitive data encrypted today will remain valuable when quantum computers do arrive, even if that’s decades from now.” [6]
Most blockchains depend on classical public-key cryptography such as ECDSA, EdDSA, and RSA. These systems are believed to be secure today because no efficient classical algorithms are known for solving the underlying mathematical problems at the key sizes used in practice. For example:
Quantum computers operate differently. They use quantum states and interference to run certain algorithms much more efficiently than classical machines. The most important in this context is Shor’s algorithm, which provides a polynomial-time method for solving both factoring and discrete logarithm problems on a sufficiently large and stable quantum computer [2].
If such a machine becomes available, the implication is clear: for cryptosystems based on factoring and discrete logarithms, a quantum-capable adversary could compute private keys from public keys. Any public key that has ever appeared on-chain becomes a permanent point of potential weakness, because it can be harvested and attacked later if assets or trust still depend on it.
By contrast, symmetric primitives such as block ciphers and hash functions are affected only moderately by known quantum attacks like Grover’s algorithm [3]. Maintaining comparable security against Grover typically requires doubling the symmetric key size. The critical break occurs at the public-key signature layer, which blockchains use for ownership and transaction authorization.
Shor’s algorithm matters because it changes the cost of breaking the mathematical problems that secure classical public-key cryptography.
For classical computers, the best known algorithms for factoring and discrete logarithms still require super-polynomial time at cryptographic sizes. That makes attacks infeasible in practice and is the main reason current public-key schemes are considered secure today.
A quantum computer can approach these problems differently. It encodes the problem into quantum states that represent many possibilities at once. Shor’s algorithm uses interference patterns among those states to extract the hidden periodic structure behind the problem. Once that structure is known, the remaining steps to factor a number or compute a discrete logarithm become efficient.
In practical terms, a sufficiently powerful quantum computer running Shor’s algorithm could recover private keys from public keys for vulnerable signature schemes. The limitation today is not the algorithm, but the absence of quantum hardware with the scale and stability required to apply it to real-world key sizes.
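To show why period finding is the whole story, here is an added example (not from the original post) of Shor's factoring variant with the quantum step replaced by a brute-force order search on toy moduli: the classical post-processing that follows is just a modular exponentiation and two gcds. The discrete-logarithm variant the post also mentions rests on the same period-finding core but is not shown here.

```python
from math import gcd

def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (the multiplicative order of a).
    This is the only step Shor's algorithm performs on quantum hardware; here it
    is brute force, which is exactly what becomes infeasible at real key sizes."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_period(n: int, a: int):
    """Shor's classical post-processing: given a coprime base a and its period r,
    a non-trivial factor of n divides gcd(a**(r//2) - 1, n) or gcd(a**(r//2) + 1, n).
    Returns a factor, or None when this base gives a trivial result."""
    g = gcd(a, n)
    if g != 1:
        return g                   # a already shares a factor with n
    r = find_period(a, n)
    if r % 2:
        return None                # odd period: this base is unusable
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                # a**(r/2) == -1 mod n: trivial square root of 1
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None

def shor_classical(n: int):
    """Factor an odd composite n by trying bases until the post-processing succeeds.
    Only the period search is slow; everything after it is a few gcds."""
    for a in range(2, n):
        f = factor_from_period(n, a)
        if f:
            return tuple(sorted((f, n // f)))
    return None

if __name__ == "__main__":
    print(shor_classical(15), shor_classical(21), shor_classical(3 * 37))
```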
A useful way to understand this threat is through an analogy that reflects how public-key cryptography works.
Imagine an attacker making a complete copy of an encrypted hard drive. Today, the encryption is strong, and the attacker cannot break it. The copy appears harmless.
But the attacker stores it anyway.
Years later, new technology becomes available that can break that encryption quickly. The attacker no longer needs the original device. The old copy becomes enough to unlock everything that was stored inside.
This mirrors the quantum threat to blockchain. From an attacker’s perspective, public keys and signatures recorded on-chain play a similar role to strongly encrypted data: they are safe today only because inverting the underlying math is computationally infeasible. An adversary can save this data now and wait until a quantum computer can break the assumptions behind ECDSA, EdDSA, or RSA.
At that point, previously collected public keys can be turned into the private keys needed to forge signatures or control old addresses. If valuable assets or trust relationships are still tied to those keys, the damage can be immediate and irreversible.
Preparing for quantum risk is not about panic, but about timing. As a16z crypto puts it:
“The real challenge in navigating a successful migration to post-quantum cryptography is matching urgency to actual threats.” [6]
Upgrading a decentralized network is intentionally slow. Users need time to migrate keys. Protocols must be redesigned. New signature schemes must be vetted for both security and real-world performance. None of this can occur instantly at the moment quantum hardware becomes capable.
If a public key has already appeared on-chain, that exposure cannot be erased from history. Waiting until quantum computers reach practical capability is too late because the vulnerability arises the moment public keys and signatures are recorded under quantum-vulnerable schemes, not when the first large-scale quantum machine goes online.
A responsible blockchain begins preparing early by:
These measures help ensure that by the time quantum computers operate at relevant scales, at whatever point that arrives, there is little of value left tied to keys that can be broken by Shor’s algorithm.
Quantum hardware continues to progress. It is not strong enough today to break classical signature schemes at realistic key sizes, but the theoretical tools already exist, and many experts consider large-scale quantum machines a matter of “when,” not “if.”
Because blockchain data is public and long-lived, the decisions made today determine whether that data remains trustworthy in a quantum future.
Long-term data requires long-term cryptography. Networks that begin preparing now, by reducing exposure to quantum-vulnerable keys and adopting quantum-resistant primitives, will be far better positioned to remain secure, reliable, and resilient once quantum computing matures.
Autonomys is committed to this path, continuing to harden its cryptographic foundations and evolve toward quantum-resistant security as part of its long-term network design.
[1] Subspace Network, “Harvest Now, Derive Later: The Most Underestimated Threat in Blockchain,” 2024.
Available at: https://medium.com/subspace-network/harvest-now-derive-later-the-most-underestimated-threat-in-blockchain-ccad4166e973
[2] P. Shor, “Algorithms for Quantum Computation: Discrete Logarithms and Factoring,” 1994.
Available at: https://arxiv.org/abs/quant-ph/9508027
[3] L. K. Grover, “A Fast Quantum Mechanical Algorithm for Database Search,” 1996.
Available at: https://arxiv.org/abs/quant-ph/9605043
[4] National Institute of Standards and Technology, “NIST IR 8547: Transition to Post-Quantum Cryptography Standards,” Draft, 2024.
Available at: https://csrc.nist.gov/pubs/ir/8547/ipd
[5] Global Risk Institute, “Quantum Threat Timeline Report 2023,” 2023.
Available at: https://www.globalriskinstitute.org/publications/quantum-threat-timeline-report-2023/
[6] a16z Crypto, “Quantum computing and blockchains: Matching urgency to actual threats,” 2025.
Available at: https://a16zcrypto.com/posts/article/quantum-computing-misconceptions-realities-blockchains-planning-migrations/