News
Security

from the migration desk

Quantum threat timelines for blockchains

A sourced view of CRQC estimates, what they mean for ECC blockchains, and how different cryptographic primitives fare.

Quantum threat timelines for blockchains research title card

The useful question is not whether quantum computers can break Solana today. They cannot. The useful question is whether a team with long-lived assets can finish a migration before a cryptographically relevant quantum computer becomes plausible enough to change attacker behavior.

Across government, standards bodies, research groups, and crypto engineering teams, the answer is converging: start now.

Timeline signals

NIST finalized its first three post-quantum standards in August 2024: ML-KEM, ML-DSA, and SLH-DSA. It also stated that Falcon is being developed into another digital-signature FIPS. NSA's CNSA 2.0 guidance tells national-security-system owners to plan, prepare, and budget for quantum-resistant algorithms. CISA, NSA, and NIST jointly urge organizations to build roadmaps and inventories. The White House NSM-10 target is to mitigate as much quantum risk as feasible by 2035.

The 2025 Global Risk Institute survey moved the expert window forward. Its 26 respondents put a CRQC as "quite possible" within 10 years and "likely" within 15 years. Google Quantum AI's 2026 cryptocurrency work tightened the blockchain-specific concern by estimating that ECDLP-256 can be attacked with fewer resources than previously thought.

2024
NIST finalizes ML-KEM, ML-DSA, and SLH-DSA.
2025
GRI survey says the CRQC timeline accelerated.
2026
Google publishes reduced ECDLP-256 resource estimates.
2030-2035
Government and industry planning windows converge around migration completion.

What breaks first

Elliptic-curve signatures are the urgent blockchain problem. Ed25519 and secp256k1 depend on discrete-log hardness. A sufficiently capable quantum computer running Shor's algorithm changes the security model from "public key is safe to expose" to "public key can become enough to recover the private key."

For blockchains, the exposure is unusually stark:

  • Transactions and signatures are public.
  • Account keys and multisig member keys may be visible indefinitely.
  • A quorum policy does not help if every member uses the same broken primitive.
  • Abandoned or cold accounts may have no human operator available for migration.

Hashing is different. Grover's algorithm gives a quadratic search speedup, which is serious but not the same as Shor's break of ECC. SHA-256 and SHA-512 need security-margin analysis, but hash-based signatures remain one of the conservative post-quantum families.

Lattice signatures are the practical migration workhorse. ML-DSA is standardized, Falcon is compact and on the NIST path as FN-DSA, and Solana engineering groups have converged on Falcon because bandwidth matters.

Threat rating by primitive

PrimitiveQuantum threatBlockchain relevanceQuorum stance
Ed25519HighNative Solana accounts and signaturesSupport for continuity, not final high-value authority
Secp256k1HighBitcoin, Ethereum, EVM governanceSupport for cross-chain identity, not PQ security
SHA-256 hashingMediumHash commitments, address derivation, WOTS-style chainsConservative basis, but size and state matter
Falcon-512 / FN-DSALow against known quantum attacksCompact PQ approval candidatePrimary compact PQ signer
Winternitz / WOTS-styleLow against known quantum attacks if state is safeHash-based approval, vault fallbackConservative PQ signer with state discipline
ML-DSA / DilithiumLow against known quantum attacksGeneral PQ signature standardStrong standard, but large for Solana transaction limits
SLH-DSA / SPHINCS+Low against known quantum attacksStateless hash-based standardConservative, but very large signatures

Why the timeline matters before Q-Day

Migration is not just a cryptography swap. It requires wallet UX, hardware support, governance procedure, custody policy, audit review, education, and incident playbooks. That is why agencies talk about roadmaps, inventories, and vendor engagement rather than a last-minute cutover.

The bet is not whether a CRQC will exist in 2030. It is whether you are sure it will not.

Filippo Valsorda

For Solana teams, the immediate action is narrower than "replace every key." Inventory exposed long-lived authorities, test post-quantum signer operations, and put high-value assets behind policies that can require at least one post-quantum approval.

References