How far are we from the advent of a quantum computer capable of cracking Bitcoin?
When will quantum computers be able to break existing cryptography? The timeline for this question is often overemphasized, leading to calls for an "urgent and comprehensive shift to post-quantum cryptography."
However, these calls often overlook the costs and risks of premature migration, and fail to recognize that the threats faced by different cryptographic tools are fundamentally different:
- Post-quantum encryption must be deployed immediately, regardless of the cost. This is because "HNDL" (harvest now, decrypt later) attacks are already possible: sensitive data encrypted today will still be valuable decades from now, when quantum computers become available. While post-quantum encryption brings performance degradation and implementation risks, it is the only option for data requiring long-term confidentiality.
- Post-quantum digital signatures are another matter. They are less susceptible to harvest-now-decrypt-later attacks, and their inherent costs and risks (larger sizes, performance burden, immature implementations, potential vulnerabilities) call for careful planning rather than immediate action.
This distinction is crucial. Misconceptions can distort cost-benefit analyses, causing teams to overlook more pressing security risks, such as code vulnerabilities.
The real challenge in successfully transitioning to post-quantum cryptography lies in aligning the urgency of action with the actual threats. The following section clarifies common misconceptions about the threat of quantum computing to cryptography, covering encryption, signatures, and zero-knowledge proofs, with a particular focus on its implications for blockchain.
Timeline: How far are we from quantum computers capable of breaking encryption?
Despite the constant exaggerated publicity, the possibility of a "cryptography-related quantum computer" appearing in the 2020s is extremely low.
The term "cryptography-related quantum computer" refers to a quantum computer with fault tolerance and error correction capabilities. It can execute Shor's algorithm and is large enough to break elliptic curve cryptography (such as secp256k1) or RSA (such as RSA-2048) within a reasonable time (e.g., continuous operation for no more than one month).
Based on publicly available technology milestones and resource assessments, we are still quite far from such a computer. Although some companies claim it could be achieved by 2030 or even 2035, current known progress does not support these claims.
Currently, no quantum computing platform, whether it is an ion trap, a superconducting qubit, or a neutral atom system, can come close to the hundreds of thousands or even millions of physical qubits required to crack RSA-2048 or secp256k1 (the exact number depends on the error rate and error correction scheme).
The bottleneck lies not only in the number of qubits, but also in gate fidelity, the connectivity between qubits, and the depth of the continuous error correction circuitry required to execute deep quantum algorithms. While some current systems have over 1000 physical qubits, this number alone is misleading: they lack the connectivity and fidelity required for cryptographic operations.
While recent systems are gradually approaching the physical error rate threshold required for quantum error correction, no system has yet been able to stably execute more than a few logical qubits, let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits required to execute Shor's algorithm. The gap between proof-of-principle and the scale required for cryptanalysis remains enormous.
In short: cryptography-related quantum computers remain a long way off until the number of qubits and fidelity increase by several orders of magnitude.
However, corporate press releases and media reports are often confusing. Key points of confusion include:
- "Quantum advantage" demonstrations: Most of the tasks demonstrated so far are elaborately designed and not actually useful, only because they can be executed on existing hardware and "appear" to be fast. This point is often downplayed in the publicity.
- The claim of "thousands of physical qubits" usually refers to a quantum annealing machine, not a gate-based quantum computer capable of executing Shor's algorithm, which is needed to attack public-key cryptography.
- The misuse of "logical qubits": Physical qubits are noisy, and practical algorithms require "logical qubits," which are composed of many physical qubits through error correction. Shor's algorithm requires thousands of such logical qubits, each typically requiring hundreds to thousands of physical qubits. However, some companies exaggerate their capabilities; for example, there have been recent claims of achieving 48 logical qubits with only 2 physical qubits per logical qubit using "distance-2" error correction codes (which can only detect errors, not correct them), which is meaningless.
- Misleading roadmaps: Many roadmaps describe "logical qubits" that only support "Clifford operations," which can be efficiently simulated by classical computers but are insufficient for executing Shor's algorithm, which requires a large number of "non-Clifford gates" (such as T gates). Therefore, even if a roadmap claims to "achieve thousands of logical qubits in X years," it does not mean that the company expects to be able to break classical cryptography by then.
These practices have severely distorted the public's (including seasoned observers') perception of the progress of quantum computing.
Of course, the progress is indeed exciting. For example, Scott Aaronson recently wrote that, given the "astonishingly rapid pace of hardware progress," he believes "it is a real possibility that we will have a fault-tolerant quantum computer capable of executing Shor's algorithm before the next US presidential election." However, he later clarified that this does not refer to a cryptography-related quantum computer—even fault-tolerantly factoring 15 = 3 × 5 (which is faster with pen and paper) would count as fulfilling that prediction. This is still a small-scale demonstration, and such experiments always target 15 because arithmetic modulo 15 is especially simple; slightly larger numbers (such as 21) are much more difficult.
Key findings: The prospect of a cryptography-related quantum computer capable of breaking RSA-2048 or secp256k1—crucial for practical cryptography—within the next 5 years lacks publicly available support for its progress. Even 10 years is still an ambitious goal.
Therefore, the excitement about the progress does not contradict the timeline judgment that it will still take more than ten years.
So what about the US government setting 2035 as the deadline for a full quantum migration of the government system? I think this is a reasonable timeline for completing a large-scale transformation, but it does not predict that cryptography-related quantum computers will necessarily emerge by then.
"Steal now, decrypt later" attack: Who is it applicable to? Who is it not applicable to?
"Steal now, decrypt later" attacks refer to attackers storing encrypted traffic now, intending to decrypt it later once cryptography-related quantum computers become available. Nation-state adversaries may already be archiving large amounts of encrypted US government communications for future decryption.
Therefore, encryption must be upgraded immediately, at least for data that requires a confidentiality period of 10-50 years or more.
But digital signatures (the cornerstone of every blockchain) differ from encryption: they do not need confidentiality that extends backwards in time. Even once quantum computers arrive, signatures can only be forged from that point onward; past signatures cannot be "decrypted". As long as you can prove a signature was generated before the advent of quantum computers, it remains unforgeable.
This makes the transition to post-quantum digital signatures far less urgent than the transition to encryption.
This is exactly what mainstream platforms are doing:
- Chrome and Cloudflare have deployed a hybrid X25519+ML-KEM solution for network TLS encryption. "Hybrid" means that it uses both the post-quantum security solution (ML-KEM) and the existing solution (X25519) to provide the security of both, protecting against HNDL attacks while maintaining classical security in case the post-quantum solution fails.
- Apple's iMessage (PQ3 protocol) and Signal (PQXDH and SPQR protocols) also deploy similar hybrid post-quantum encryption.
In contrast, the deployment of post-quantum digital signatures on critical network infrastructure has been deferred until cryptography-related quantum computers are truly within reach. This is because current post-quantum signature schemes introduce performance degradation (detailed below).
Zero-knowledge proofs (zkSNARKs) are in a similar situation to signatures. Even zkSNARKs that are not post-quantum secure (those built on elliptic curve cryptography) are typically still post-quantum zero-knowledge: the proof reveals no information about the secret witness, even to a quantum computer, so there is no secret that can be "stolen now" and decrypted later. zkSNARKs are therefore not vulnerable to HNDL attacks. Any zkSNARK proof generated before the advent of quantum computers remains credible (even if it uses elliptic curve cryptography); only after quantum computers arrive could attackers forge false proofs.
What does this mean for blockchain?
Most blockchains are not easily vulnerable to HNDL attacks.
In current non-privacy blockchains such as Bitcoin and Ethereum, non-post-quantum cryptography is used primarily for transaction authorization (digital signatures), not for encryption, and these signatures carry no HNDL risk. Bitcoin, for example, is a public ledger: the quantum threat is signature forgery (theft of funds), not decryption of already-public transaction data. This removes the immediate cryptographic urgency that HNDL creates.
Unfortunately, even analyses by authoritative institutions such as the Federal Reserve have erroneously claimed that Bitcoin is vulnerable to HNDL attacks, exaggerating the urgency of the transition.
Of course, the reduced urgency doesn't mean Bitcoin can rest easy. It faces varying time pressures from the enormous social coordination required for protocol changes (detailed below).
The current exception is privacy chains. Many privacy chains encrypt or hide the recipient and amount of funds. This confidential information can be harvested now and deanonymized retroactively once a quantum computer breaks elliptic curve cryptography. The severity varies with the design (for example, Monero's ring signatures and key images could allow complete reconstruction of the transaction graph). Therefore, if users are concerned about their transactions being exposed to future quantum computers, privacy chains should transition to post-quantum primitives (or hybrid schemes) as soon as possible, or adopt an architecture that does not record decryptable secrets on-chain.
Bitcoin's unique challenges: governance deadlock and "dormant coins"
For Bitcoin, there are two real-world factors driving the urgency to begin planning for post-quantum signatures, and neither of these has anything to do with quantum technology itself:
- Slow governance: Bitcoin's transformation process is sluggish, and any controversy could trigger a destructive hard fork.
- No passive migration: coin holders must actively migrate their own assets, so abandoned coins that are vulnerable to quantum attacks will remain unprotected. It is estimated that millions of such "dormant", quantum-vulnerable BTC exist, worth hundreds of billions of dollars at current prices.
However, the quantum threat is not an "overnight" doomsday for Bitcoin, but rather a selective, gradual targeting process. Early quantum attacks will be extremely expensive and slow, with attackers selectively targeting high-value wallets.
Furthermore, users who avoid address reuse and do not use Taproot addresses (which place the public key directly on-chain) are essentially secure even without protocol upgrades—their public key stays hidden behind a hash until the output is spent. The public key is exposed only when the spending transaction is broadcast, at which point a brief race begins: the honest user tries to get the transaction confirmed as quickly as possible, while a quantum attacker attempts to compute the private key and steal the funds first.
Therefore, the truly vulnerable coins are those whose public keys are already exposed: early P2PK outputs, reused addresses, and funds held in Taproot outputs.
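The three exposure categories above can be turned into a wallet self-assessment. The following is an added example, not code from the original article: it classifies a constructed UTXO set by whether the controlling public key is already visible on-chain (P2PK and Taproot outputs at rest, or hash-based outputs whose address has already been spent from). The script types, txids and addresses are placeholders I constructed for illustration.

```python
"""Report which of one's own outputs already have an exposed public key."""
from dataclasses import dataclass

# Whether the spending key is visible in the output script *before* any spend.
# (Constructed table following the article's categories, not real chain data.)
EXPOSES_KEY_AT_REST = {
    "p2pk": True,     # raw public key sits in the output script
    "p2pkh": False,   # only HASH160(pubkey) is on-chain
    "p2wpkh": False,  # only HASH160(pubkey) is on-chain (segwit v0)
    "p2tr": True,     # Taproot: the tweaked x-only public key is on-chain
}


@dataclass(frozen=True)
class Utxo:
    txid: str          # placeholder identifier, not a real transaction
    vout: int
    script_type: str
    address: str
    value_btc: float


def key_exposed(utxo: Utxo, spent_from_addresses: set) -> bool:
    """True if the public key controlling this UTXO is already public."""
    if EXPOSES_KEY_AT_REST[utxo.script_type]:
        return True
    # A hash-based output reveals its key the moment any spend from the same
    # address is broadcast, i.e. whenever the address has been reused.
    return utxo.address in spent_from_addresses


def exposure_report(utxos, spent_from_addresses):
    """Return (exposed_value_btc, still_hidden_value_btc, exposed_utxos)."""
    exposed = [u for u in utxos if key_exposed(u, spent_from_addresses)]
    exposed_value = sum(u.value_btc for u in exposed)
    hidden_value = sum(u.value_btc for u in utxos) - exposed_value
    return exposed_value, hidden_value, exposed


# Constructed sample UTXO set with placeholder txids/addresses.
SAMPLE_UTXOS = [
    Utxo("tx_a", 0, "p2pk", "PK_early_miner", 50.0),      # early coinbase style
    Utxo("tx_b", 1, "p2pkh", "1ReusedAddr", 2.0),         # address reused below
    Utxo("tx_c", 0, "p2wpkh", "bc1qfreshaddr", 1.5),      # never spent from
    Utxo("tx_d", 0, "p2tr", "bc1ptaprootaddr", 0.75),     # Taproot output
]
# Addresses from which a spending transaction was already broadcast (constructed).
SAMPLE_SPENT_FROM = {"1ReusedAddr"}

if __name__ == "__main__":
    exp, hid, items = exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT_FROM)
    for u in items:
        print(f"exposed key: {u.txid}:{u.vout} ({u.script_type}) {u.value_btc} BTC")
    print(f"exposed total {exp} BTC; key still hidden {hid} BTC")
```

The hidden-key outputs only stay that way as long as the user keeps avoiding address reuse, which is the practical takeaway of the paragraph above.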
For abandoned, vulnerable coins, the options are tricky: either the community agrees on a "deadline" after which any unmigrated coins are considered destroyed, or they are left to be seized by whoever possesses quantum computers in the future. The latter would bring serious legal and security problems.
The final challenge unique to Bitcoin is its low transaction throughput. Even once a migration plan is finalized, migrating all vulnerable funds at the current rate would take months.
These challenges mean that Bitcoin must start planning for the post-quantum transition now—not because quantum computers may be available before 2030, but because the governance, coordination, and technical logistics required to migrate assets worth hundreds of billions of dollars will themselves take years.
The quantum threat facing Bitcoin is real, but the time pressure stems primarily from its own limitations rather than the looming threat of quantum computers.
Note: The signature vulnerabilities discussed above do not affect Bitcoin's economic security (i.e., Proof-of-Work consensus). PoW relies on hash operations and is affected only by the quadratic speedup of Grover's search algorithm, which carries huge practical overhead and is unlikely to deliver significant acceleration. Even if it did, it would only give large miners an advantage rather than subvert the economic security model.
Costs and risks of post-quantum signatures
Why shouldn't blockchains rush to deploy post-quantum signatures? We need to understand their performance costs, and that our confidence in these new schemes is still evolving.
Post-quantum cryptography is primarily based on five families of mathematical problems: hash functions, error-correcting codes, lattices, multivariate quadratic systems, and elliptic-curve isogenies. The diversity stems from the fact that a scheme's efficiency is tied to the "structure" of the problem it relies on: the more structured the problem, the more efficient the scheme, but the more footholds it may leave for attack algorithms—a fundamental trade-off.
- Hash schemes are the most conservative (with the highest confidence in security), but have the worst performance. For example, the smallest hash signature standardized by NIST is 7-8KB, while the current elliptic curve signature is only 64 bytes, a difference of about 100 times.
- Lattice schemes are currently the focus of deployment. The only post-quantum encryption (key-encapsulation) scheme selected by NIST (ML-KEM) and two of the three signature schemes (ML-DSA, Falcon) are lattice-based.
- The ML-DSA signature size is approximately 2.4-4.6KB, which is 40-70 times larger than current signature sizes.
- Falcon signatures are small (0.7-1.3KB), but their implementation is extremely complex, involving constant-time floating-point operations, and side-channel attacks against it have been demonstrated. One of its designers called it "the most complex cryptographic algorithm I have ever implemented."
- Implementation poses greater security challenges: lattice-based signatures have more sensitive intermediate values and more complex rejection-sampling logic than elliptic curve signatures, requiring stronger side-channel and fault-injection protection.
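To make the size comparison in the first bullet concrete, here is an added example (not code from the article, and not the NIST-standardized SLH-DSA construction): a toy Lamport one-time signature over SHA-256. It shows where the bulk comes from in hash-based schemes: the signature reveals one 32-byte preimage per digest bit, so signing a 256-bit digest costs 256 × 32 = 8192 bytes against 64 bytes for an ECDSA/Schnorr signature. Lamport keys are strictly one-time; the constant ECDSA_SIG_BYTES is just the comparison figure from the text.

```python
"""Toy Lamport one-time signature: illustrates hash-based signature size."""
import hashlib
import os

N_BITS = 256    # length of the SHA-256 message digest being signed
SEED_LEN = 32   # bytes per secret preimage
ECDSA_SIG_BYTES = 64  # comparison figure for a classical EC signature


def keygen():
    """Secret key: two random preimages per digest bit; public key: their hashes."""
    sk = [(os.urandom(SEED_LEN), os.urandom(SEED_LEN)) for _ in range(N_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes) -> bytes:
    # Reveal, for each digest bit, the preimage selected by that bit.
    # Signing two messages with one key leaks both preimages for every bit on
    # which their digests differ, which is why the scheme is one-time only.
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(msg)))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != N_BITS * SEED_LEN:
        return False
    for i, bit in enumerate(_digest_bits(msg)):
        chunk = sig[i * SEED_LEN:(i + 1) * SEED_LEN]
        if hashlib.sha256(chunk).digest() != pk[i][bit]:
            return False
    return True


def signature_size_bytes() -> int:
    """Size of one Lamport signature in bytes (8192 for these parameters)."""
    return N_BITS * SEED_LEN


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware-image-v1.2.3"  # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered message rejected:", not verify(pk, msg + b"!", sig))
    print(f"{signature_size_bytes()} bytes, "
          f"{signature_size_bytes() // ECDSA_SIG_BYTES}x an ECDSA signature")
```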
The direct risks posed by these problems are far more real than those of distant quantum computers.
Historical lessons also urge caution: leading candidates in the NIST standardization process, such as Rainbow (MQ-based signatures) and SIKE/SIDH (isogeny-based encryption), were both broken by classical computers. This illustrates the risks of premature standardization and deployment.
The Internet infrastructure has taken a cautious approach to signature migration, which is particularly noteworthy because cryptographic transitions are inherently time-consuming (for example, the migration away from MD5/SHA-1 has taken many years and is still not complete).
Blockchain vs. internet infrastructure: differing challenges
The advantage is that blockchains maintained by the open-source community (such as Ethereum and Solana) can be upgraded faster than traditional network infrastructure. The disadvantage is that traditional networks can reduce their attack surface through frequent key rotations, while the coins and associated keys of a blockchain may be exposed for a long time.
However, overall, blockchains should still emulate the cautious signature migration strategy of the web. For signatures, neither faces HNDL attacks, and premature migration carries significant costs and risks.
Blockchain also has some unique complexities that make premature migration particularly dangerous:
- Signature aggregation requirements: Blockchains often need to rapidly aggregate large numbers of signatures (such as BLS signatures). While BLS is fast, it is not post-quantum secure. Research on SNARK-based post-quantum signature aggregation shows promise but is still in its early stages.
- The future of SNARKs: The community is currently optimistic about hash-based post-quantum SNARKs, but I believe that lattice-based SNARK alternatives will emerge in the coming months to years, and they will outperform in many aspects, such as proof length.
The more serious problem now is: implementing security.
For many years to come, exploitable vulnerabilities will pose a greater security risk than quantum computers. For SNARKs, the primary threat is implementation bugs. Digital signatures and encryption already present challenges, but SNARKs are far more complex. In fact, a digital signature can be viewed as a very simplified form of zkSNARK.
For post-quantum signatures, side-channel and fault-injection attacks are the more pressing threats. The community needs years to harden these implementations.
Therefore, prematurely transitioning before things have settled may lock you into a suboptimal solution or force you to migrate a second time to fix vulnerabilities.
How should we respond? Seven suggestions.
Based on the above realities, I offer the following suggestions to all parties (from builders to policymakers). The general principle is: take the quantum threat seriously, but do not assume that cryptography-related quantum computers will emerge before 2030 (current progress does not support this assumption). At the same time, there are some things we can and should begin to do now:
- Deploy hybrid encryption immediately: at least where long-term confidentiality is required and cost is acceptable. Many browsers, CDNs, and messaging applications (such as iMessage and Signal) have already begun deployment. Hybrid solutions (post-quantum + classical) protect against HNDL attacks and circumvent the potential weaknesses of post-quantum solutions.
- In scenarios where large sizes can be tolerated, hash-based signatures should be used immediately: for example, in low-frequency, size-insensitive scenarios such as software/firmware updates, hybrid hash signatures can now be adopted (hybridization is to hedge against implementation vulnerabilities of new schemes). This provides a conservative "lifeboat" in case quantum computers unexpectedly appear prematurely.
- Blockchain does not need to rush into implementing quantum signatures, but planning for it should begin immediately:
- Developers should emulate the cautious approach of the web PKI community to let their solutions mature.
- Public blockchains like Bitcoin need to define migration paths and policies for "dormant" and vulnerable funds. Bitcoin, in particular, needs to start planning now because its challenges are primarily non-technical (slow governance, a large number of high-value "dormant" addresses).
- Allow sufficient time (potentially several more years) for research into post-quantum SNARKs and aggregateable signatures to mature, avoiding prematurely locking in suboptimal solutions.
- Regarding Ethereum accounts: Smart contract wallets (which are upgradable) may offer a smoother migration path, but the difference is limited. More important than account type is the community's continued progress in post-quantum primitives research and contingency planning. Broader design implications: Decoupling account identity from specific signature schemes (such as account abstraction) provides greater flexibility, not only for post-quantum migration but also for supporting features like sponsored transactions and social recovery.
- Privacy chains should be prioritized for transition (if performance is acceptable): their user confidentiality is currently exposed to HNDL attacks. Hybrid solutions or architectural adjustments could be considered to avoid decryptable secrets being uploaded to the chain.
- In the short term, prioritize implementation security rather than overemphasizing quantum threats: for complex cryptography such as SNARKs and post-quantum signatures, vulnerabilities and exploits pose a greater risk than quantum computers for years to come. Invest now in auditing, fuzzing, formal verification, and defense-in-depth; don't let quantum anxiety overshadow the more pressing vulnerability threats.
- Continued funding for quantum computing research and development is essential from a national security perspective, requiring sustained investment in funding and talent development. If major adversaries were to acquire cryptography-related quantum computing capabilities first, it would pose a serious risk.
- Let's be rational about quantum computing news: there will be more milestones to come. But each milestone only proves that we are still far from our goal. Press releases should be seen as progress reports that require critical evaluation, not signals for hasty action.
Of course, technological breakthroughs may accelerate the forecast, and bottlenecks may prolong it. I'm not asserting that it's absolutely impossible within five years, but rather that the probability is very low. Following the above advice can help us avoid the more direct and likely risks: implementation vulnerabilities, hasty deployments, and the common mistakes of cryptographic transitions.