Harvest now, forge at Q-day: the quantum clock is already running for blockchains
Guilherme Felipe da Silva

At a glance
We reviewed the primary node implementations of the 36 largest blockchains by market cap (June 2026). Only 2 have any merged post-quantum signature code; 0 protect consensus.
The threat starts before the quantum computer exists. Exposed public keys can be harvested today and forged against at Q-day, and roughly a quarter of all bitcoin already sits in outputs with exposed keys.
The hardware target keeps getting cheaper: Google's 2025 estimate cut the qubits needed to break RSA-2048 twentyfold.
The fix is known but slow: hybrid signing (classical plus post-quantum, both must verify), opt-in per account, covering consensus and bridges, not just user transactions.
Post-quantum signatures cost real block space, roughly 3.7 KB per signer versus 100 bytes today, and consensus layers built on BLS aggregation need redesign, not a drop-in.
We reviewed the primary node implementations of the thirty-six largest blockchains by market cap, as of June 2026. Two contained any merged post-quantum signature code, and neither protects the consensus layer that actually produces blocks. The rest of this post explains why that gap matters now, and not at some future Q-day (the day a cryptographically relevant quantum computer exists).
Most conversations about quantum computing and crypto start with a date. When does a machine arrive that can break the signatures protecting a chain? That is the wrong place to start, because for blockchains the damage does not wait for that machine to exist. It starts the day a public key lands on-chain.
Why post-quantum, and why now
Public-key cryptography holds the whole thing together. Every account, every validator, every bridge relies on the same hard math: it is easy to go from a private key to a public key, and infeasible to go back. Shor's algorithm removes that gap. A large enough quantum computer running Shor recovers the private key from a public key for the elliptic-curve schemes every major chain uses today, secp256k1 and Ed25519 included.[1][11]
The threat is specific to public-key cryptography. Hash functions and symmetric ciphers face only the quadratic speedup of Grover's algorithm,[12] which larger parameters absorb: SHA-256 retains 128-bit security against a quantum adversary, so proof-of-work mining, Merkle trees, and hash-derived addresses survive. The exposed surface is signatures and key exchange, which on a blockchain is precisely the surface that controls all the money.
Encryption has a "harvest now, decrypt later" problem: record traffic today, decrypt it once the machine exists. Blockchains have a sharper version of the same idea. Public keys are not secrets waiting to leak; they are published on the ledger by design, and on many chains the address is the public key. So the correct framing is harvest now, forge at Q-day. An attacker copies exposed keys today, waits, and forges signatures the moment the hardware is ready. Anything still protected by an already-exposed public key is at risk retroactively: reused addresses, chains where the address is the public key, long-lived validator keys, and old outputs that paid straight to a public key. All of it is recorded and waiting.
How exposed a given coin is varies, and it turns on one thing: whether the public key is already visible. Where the address is the public key, it is exposed from the first deposit. Where the address is a hash of the key, as with most Bitcoin and Ethereum accounts, the key stays hidden until the account first spends and is public forever after.
A never-used address is therefore safe today, but that safety ends at its first spend: the transaction reveals the key, and from then on it carries the same permanent exposure as any other. Reused addresses never had that grace period; their keys are already out. The scale is not hypothetical. Analyses of the Bitcoin ledger have estimated that roughly a quarter of all bitcoin, including the untouched Satoshi-era coins paid directly to public keys, already sits in outputs with exposed keys.[13]
Where is the hardware today? Real machines have crossed a thousand physical qubits, but they are noisy, and breaking the crypto still needs thousands of stable logical qubits, which translates to a large number of physical qubits once error correction is accounted for. Nobody is close to that today. That is the reassuring half, and it keeps shrinking. In May 2025 Google Quantum AI published a new resource estimate showing that a 2048-bit RSA key could be broken with under a million noisy qubits, down from the 20 million its own 2019 analysis had projected.[2][3] The trade was qubits for time. The projected runtime rose from about eight hours to just under a week, but the twenty-fold drop in the hardware requirement is the number that matters. The machine did not get built; the estimate of what it takes got about twenty times cheaper, mostly through better error correction and arithmetic. That is the pattern worth watching. The target does not move away from us. It moves toward us, in steps that arrive without warning.
The other half is that the fix is slow. NIST finalized the first post-quantum standards in 2024 (ML-KEM for key exchange, ML-DSA and SLH-DSA for signatures),[4] and NIST's draft transition plan and US government guidance point toward a migration period of roughly 2030 to 2035.[6][7] A chain that starts when the machine is announced has started years too late, because the keys it needs to protect have been public the whole time.
The market is not ready, and we can measure it
We reviewed, in June 2026, the primary node implementations of thirty-six of the largest chains by market cap. Rather than relying on roadmaps or announcements, we inspected the code paths that verify signatures in each project's default branch and searched for merged post-quantum implementations. When we say a chain has no post-quantum code, we mean nothing merged into that main branch; experimental forks and unmerged research branches are out of scope, as are opt-in on-chain programs and ecosystem tooling deployed on top of the chain, which can shield individual users but do not constitute protocol-level support. We are intentionally not naming the individual projects here: the goal is to describe the state of the ecosystem, not to rank or single out specific teams. The picture is stark.
Only two of the implementations we examined contained any merged post-quantum signature code at all, and only on narrow, opt-in surfaces. One has added a hash-based scheme behind a feature flag, the other is integrating a lattice-based one into its main branch. Both are recent, both are opt-in, and on both the consensus layer that actually produces blocks is still fully classical.
Every other chain had no post-quantum implementation merged into its main branch. The past year has seen a genuine wave of activity. Several major ecosystems published migration roadmaps, opened post-quantum testnets, or demonstrated one-off post-quantum transactions in late 2025 and 2026, and that momentum is real. But a roadmap is not a scheme a validator can run, and the gap between the two is usually the whole project. Across all thirty-six, no chain currently offers end-to-end post-quantum protection across both user accounts and consensus. For practical purposes, post-quantum-secure blockchains do not yet exist.
The exposure is not uniform, and the differences decide how hard the fix is. On some designs the account address is literally the public key, the maximum-exposure case, where the key an attacker needs is on-chain from the first transaction. On proof-of-stake and Byzantine fault tolerant chains, designs where a known committee of validators votes on each block, the validator identity and consensus signing keys are public by construction, so the machinery that produces blocks is exposed regardless of how careful users are. Proof-of-work chains avoid that particular exposure, since block production is not signature-based, but their accounts sit on the same vulnerable curves as everyone else's.
The modern high-throughput chains then cluster around one specific problem: they lean on signature aggregation, BLS committee signatures, a scheme that compresses thousands of validator signatures into one, or threshold certificates, on exactly the consensus surfaces that are hardest to make post-quantum. The standardized post-quantum signatures are single-signer, with no standardized equivalent to BLS aggregation[4][5]; NIST only finalized its first call for threshold and multi-party schemes in January 2026[8], with an initial draft having circulated since 2023, and the aggregate constructions that do exist are still research-stage[9]. A consensus layer that depends on aggregation therefore needs a redesign, not a drop-in, which is why the leading proposals for post-quantum consensus replace BLS with hash-based signatures aggregated through succinct arguments[10].
The account-model chains built around the Ethereum virtual machine cluster around a different problem: they recover the signer from the signature and never put the public key on-chain, which the post-quantum schemes cannot support, because their keys cannot be recovered that way. Readiness is a per-surface map, and most of that map is currently red.
The short version: the chains securing hundreds of billions in value are, in code, where TLS was before the migration to modern ciphers began. The difference is that a blockchain cannot quietly rotate a broken key after the fact. The exposure is permanent and public.
What post-quantum readiness actually looks like
The instinct is to rip out the old signature scheme and drop in a new one. That is the wrong move, and not only because it breaks every existing account. The post-quantum schemes are young. A hard cutover bets the whole chain on one new algorithm being flawless, with no way back.
The safer path is hybrid signing. A transaction carries both signatures, the classical elliptic-curve one and a post-quantum one, and both must verify. Because a forged transaction would have to defeat both signatures at once, an account stays secure as long as either scheme is unbroken. Classical signatures keep protecting against the attacks that exist today, and the post-quantum signature protects against the machine that is coming. If one scheme is later broken, the other still stands. It buys the one thing a permanent public ledger cannot otherwise get: a way to be wrong about the new cryptography without losing the chain.
A credible migration has a few properties worth naming. It is opt-in, so users move on their own schedule rather than through a flag-day fork that splits the network. Once an account opts in, the post-quantum signature is mandatory for it, so there is no downgrade path an attacker can exploit. It carries the post-quantum public key with the transaction, because unlike the classical schemes those keys cannot be recovered from the signature and have to be supplied. And it covers the whole signing surface, not just user transactions: consensus votes, validator manifests, and bridges all sign, and a chain that hardens only its accounts has left its block production exposed.
Migration also has a window problem that hybrid signing solves. Even an account hidden behind a hashed address reveals its classical public key the moment its first transaction enters the mempool, the public waiting room where transactions sit before being confirmed into a block; a fast-enough quantum attacker could derive the private key in flight and race a competing transaction before confirmation. Hash-based address shielding therefore protects funds at rest but not funds in motion, which is one more reason the post-quantum signature must be mandatory once an account opts in, with no classical-only path left to race.
None of this is free. Post-quantum signatures are large. An ML-DSA-44 signature and its public key add roughly 3.7 kilobytes per signer,[5] against about a hundred bytes for an elliptic-curve signature, so the cost shows up in block space, bandwidth, and state growth, and it lands hardest on the consensus and bridge surfaces that sign most often. Falcon (FN-DSA, the draft FIPS 206) is roughly two and a half times more compact, at about 1.6 kilobytes for signature plus key, which is why the chains that have chosen a scheme are converging on it, though it is not yet a finalized standard, and its floating-point signing path makes correct implementation delicate. These costs are measured rather than modeled: early experiments on the post-quantum Solana testnet that Project Eleven built with the Solana Foundation recorded signatures tens of times larger than today's and throughput drops approaching 90 percent before optimization.[14] Aggregation-dependent surfaces need real redesign, not a drop-in. The challenge is architectural as much as cryptographic: migrating a consensus protocol is a different problem from replacing a signature library. The point is not that this is easy. The point is that it is a known, scoped engineering problem with a clear shape, and it is far cheaper to solve now, deliberately, than after a machine exists and the window for a calm migration has closed.
None of it waits on protocol teams alone, either. Holders and operators can shrink their own exposure today: never reuse addresses, keep long-term holdings behind hashed addresses that have never spent, rotate validator and bridge keys on a schedule, and ask wallet and custody vendors what their post-quantum plan is. These are mitigations, but they decide which side of the exposure map your keys sit on while the protocols catch up.
And one problem no hybrid scheme solves: migration only protects accounts whose owners act. Keys that are lost, owners who are gone, Satoshi-era outputs that will never move, none of them can opt in, and every chain will eventually face the same policy choice about them. Freeze or burn the vulnerable funds by fork, or watch them be taken by whoever gets the hardware first. That is a governance question, and it is better debated calmly now than during the event.
Equilibrium builds core protocol infrastructure, and post-quantum migration is exactly the kind of problem we work on: scoped, architectural, and cheaper to solve deliberately than under pressure. If you're mapping your chain's exposure or planning a migration, talk to us.
The quantum computer is not the deadline. The deadline is however long you are willing to leave a public key exposed, and for most chains that clock started the day they launched.
References
[1] Peter Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer" (1994/1997), the algorithm that breaks RSA and elliptic-curve cryptography. https://arxiv.org/abs/quant-ph/9508027
[2] Google Quantum AI, "Tracking the cost of quantum factoring" (May 2025). https://blog.google/security/tracking-cost-of-quantum-factori/
[3] Craig Gidney, "How to factor 2048-bit RSA integers with less than a million noisy qubits" (arXiv:2505.15917). https://arxiv.org/abs/2505.15917
[4] NIST, "NIST Releases First 3 Finalized Post-Quantum Encryption Standards" (August 2024), covering ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards (also cited at b)
[5] NIST, FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA), which specifies the signature and public-key sizes cited above. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf (also cited at b)
[6] NIST IR 8547, "Transition to Post-Quantum Cryptography Standards" (initial public draft, November 2024; not yet finalized as of this writing), which sets deprecation of the vulnerable algorithms after 2030 and disallowance after 2035. https://csrc.nist.gov/pubs/ir/8547/ipd
[7] NSA, "Announcing the Commercial National Security Algorithm Suite 2.0" (CNSA 2.0), which mandates the migration of US national security systems to post-quantum algorithms on a timeline running to 2035. https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSACNSA_2.0_ALGORITHMS.PDF
[8] NIST IR 8214C, "NIST First Call for Multi-Party Threshold Schemes" (finalized January 2026; initial public draft January 2023), which opens, rather than concludes, standardization of threshold and multi-party schemes including post-quantum primitives. https://nvlpubs.nist.gov/nistpubs/ir/2026/NIST.IR.8214C.pdf
[9] The research line on post-quantum aggregation: Fleischhacker, Simkin, and Zhang, "Squirrel: Efficient Synchronized Multi-Signatures from Lattices" (CCS 2022), and the follow-up "Chipmunk: Better Synchronized Multi-Signatures from Lattices" (CCS 2023), lattice constructions that aim to recover BLS-style non-interactive aggregation. Both are academic proposals, not standardized or deployed. https://eprint.iacr.org/2022/694 and https://eprint.iacr.org/2023/1820
[10] Drake, Khovratovich, Kudinov, and Wagner, "Hash-Based Multi-Signatures for Post-Quantum Ethereum" (IACR Communications in Cryptology, vol. 2 no. 1, 2025; ePrint 2025/055), which provides post-quantum multi-signatures for consensus by aggregating hash-based signatures through succinct arguments in place of BLS. https://eprint.iacr.org/2025/055
[11] Roetteler, Naehrig, Svore, and Lauter, "Quantum resource estimates for computing elliptic curve discrete logarithms" (ASIACRYPT 2017), which gives concrete qubit and gate counts for breaking elliptic-curve cryptography specifically, the scheme family most chains rely on. https://arxiv.org/abs/1706.06752
[12] Lov Grover, "A fast quantum mechanical algorithm for database search" (1996), the quadratic-speedup search algorithm that bounds the quantum threat to hash functions and symmetric ciphers. https://arxiv.org/abs/quant-ph/9605043
[13] Deloitte, "Quantum computers and the Bitcoin blockchain", an analysis of the Bitcoin ledger estimating that roughly a quarter of all bitcoin resides in outputs with already-exposed public keys (pay-to-public-key outputs and reused addresses). https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/quantum-computers-and-the-bitcoin-blockchain.html
[14] CoinDesk, "Solana's quantum-threat readiness reveals harsh tradeoff: security vs speed" (April 2026), reporting measured results from the Solana post-quantum testnet built by Project Eleven in partnership with the Solana Foundation: signatures up to 40x larger and roughly 90 percent throughput degradation in early, unoptimized tests. https://www.coindesk.com/tech/2026/04/04/solana-s-quantum-threat-readiness-reveals-harsh-tradeoff-security-vs-speed
Continue reading

April 21, 2026
ZAIR: Zero-Knowledge Selective Disclosure for Zcash Notes
Imagine proving you hold Zcash without revealing which note, how much, or anything else. That's no longer hypothetical. Here's how we built the first end-to-end selective disclosure tool for Sapling and Orchard

April 9, 2026
Scaling distributed systems: Eiger and Equilibrium Labs unite
we're excited to announce that Eiger and Equilibrium Labs are merging to form Equilibrium —a unified team dedicated to advancing the infrastructure that powers the decentralized web.

May 28, 2025
State of Verifiable Inference & Future Directions
Verifiable inference enables proving the correct model and weights were used, and that inputs/outputs were not tampered with. This post covers different approaches to achieve verifiable inference, teams working on this problem, and future directions.

March 25, 2025
Introducing Our Entrepreneur in Residence (EIR) Program
After 6+ years of building core blockchain infrastructure across most ecosystems and incubating ventures like ZkCloud, we're looking for ambitious pre-founders with whom to collaborate closely.

March 10, 2025
From Speculation to Utility: Next Steps For Onchain Lending Markets
Despite its promises, onchain lending still mostly caters to crypto-natives and provides little utility besides speculation. This post explores a path to gradually move to more productive use cases, low-hanging fruit, and challenges we might face.

February 18, 2025
Can Blockchains And Cryptography Solve The Authenticity Challenge?
As gen-AI models improve, it's becoming increasingly difficult to differentiate between AI- and human-generated content. This piece dives into whether cryptography and blockchains can solve the authenticity challenge and help restore trust on the Internet

February 6, 2025
Vertical Integration for both Ethereum and ETH the Asset
In recent months, lackadaisical price action and usage growing on other L1/L2s has driven a discussion on what Ethereum’s role and the value of ETH, the asset is long-term.

January 29, 2025
Equilibrium: Building and Funding Core Infrastructure For The Decentralized Web
Combining Labs (our R&D studio) and Ventures (our early-stage venture fund) under one unified brand, Equilibrium, enables us to provide more comprehensive support to early-stage builders and double down on our core mission of building the decentralized web

November 28, 2024
20 Predictions For 2025
For the first time, we are publishing our annual predictions for what will happen by the end of next year and where the industry is headed. Joint work between the two arms of Equilibrium - Engineering and Ventures.

November 7, 2024
9 + 1 Open Problems In The Privacy Space
In the third (and final) part of our privacy series, we explore nine open engineering problems in the blockchain privacy space in addition to touching on the social/regulatory challenges.

October 15, 2024
Aleo Mainnet Launch: Reflecting On The Journey So Far, Our Contributions And Path Ahead
Equilibrium started working with Aleo back in 2020 when ZKPs were still mostly a theoretical concept and programmable privacy in blockchains was in its infancy. Following Aleo's mainnet launch, we reflect on our journey and highlight key contributions.

August 12, 2024
Do All Roads Lead To MPC? Exploring The End-Game For Privacy Infrastructure
This post argues that the end-game for privacy infra falls back to the trust assumptions of MPC, if we want to avoid single points of failure. We explore the maturity of MPC & its trust assumptions, highlight alternative approaches, and compare tradeoffs.

August 1, 2024
Working on Aptos: Insights into Mutation Testing and Specification Assurance

July 23, 2024
Equilibrium brings Move to Polkadot

July 23, 2024
Releasing Lumina.rs - Directly verify Celestia in your browser
We're excited to release Lumina. Go to https://lumina.rs/ and run a Celestia light node in the browser. By running Lumina you synchronize with the network, sample data availability, directly verify correctness and contribute to the network health

June 12, 2024
What Do We Actually Mean When We Talk About Privacy In Blockchain Networks (And Why Is It Hard To Achieve)?
An attempt to define what we mean by privacy, exploring how and why privacy in blockchain networks differs from web2, and why it's more difficult to achieve. We also provide a framework to evaluate different approaches for achieveing privacy in blockchain.

April 9, 2024
Will ZK Eat The Modular Stack?
Modularity enables faster experimentation along the tradeoff-frontier, wheras ZK provides stronger guarantees. While both of these are interesting to study on their own, this post explores the cross-over between the two.

January 16, 2024
Nebula for Soroban: Simplifying Contract Execution

January 16, 2024
Equilibrium is taking over responsibility for Beerus StarkNet Light Client

December 14, 2023
Enhancing Rust RPC Client and Nodes for Celestia Network

December 11, 2023
Introducing the MoveVM Substrate Pallet

October 23, 2023
Unveiling the Zcash UniFFI Library

October 5, 2023
Overview of Privacy Blockchains & Deep Dive Of Aleo
Programmable privacy in blockchains is an emergent theme. This post covers what privacy in blockchains entail, why most blockchains today are still transparent and more. We also provide a deepdive into Aleo - one of the pioneers of programmable privacy!

September 18, 2023
Securing cross-chain communication from Ethereum to the Internet Computer with an on-chain Light Client

September 4, 2023
Elusiv: Bringing Privacy To Solana

July 31, 2023
Engineers thoughts: Fireblocks SI partnership

July 25, 2023
Introducing OpEVM: The Next Generation Optimistic EVM Rollup

June 7, 2023
Equilibrium Becomes the First Accredited Systems Integrator for Fireblocks
March 12, 2023
2022 Year In Review
If you’re reading this, you already know that 2022 was a tumultuous year for the blockchain industry, and we see little value in rehashing it. But you probably also agree with us that despite many challenges, there’s been a tremendous amount of progress.

May 31, 2022
Testing the Zcash Network
In early March of 2021, a small team from Equilibrium applied for a grant to build a network test suite for Zcash nodes we named Ziggurat.

June 30, 2021
Connecting Rust and IPFS
A Rust implementation of the InterPlanetary FileSystem for high performance or resource constrained environments. Includes a blockstore, a libp2p integration which includes DHT contentdiscovery and pubsub support, and HTTP API bindings.
June 13, 2021
Rebranding Equilibrium
A look back at how we put together the Equilibrium 2.0 brand over four months in 2021 and found ourselves in brutalist digital zen gardens.
January 20, 2021
2021 Year In Review
It's been quite a year in the blockchain sphere. It's also been quite a year for Equilibrium and I thought I'd recap everything that has happened in the company with a "Year In Review" post.