from the migration desk
Quantum threat timelines for blockchains
A sourced view of CRQC estimates, what they mean for ECC blockchains, and how different cryptographic primitives fare.
The useful question is not whether quantum computers can break Solana today. They cannot. The useful question is whether a team with long-lived assets can finish a migration before a cryptographically relevant quantum computer becomes plausible enough to change attacker behavior.
Across government, standards bodies, research groups, and crypto engineering teams, the answer is converging: start now.
Timeline signals
NIST finalized its first three post-quantum standards in August 2024: ML-KEM, ML-DSA, and SLH-DSA. It also stated that Falcon is being developed into another digital-signature FIPS. NSA's CNSA 2.0 guidance tells national-security-system owners to plan, prepare, and budget for quantum-resistant algorithms. CISA, NSA, and NIST jointly urge organizations to build roadmaps and inventories. The White House NSM-10 target is to mitigate as much quantum risk as feasible by 2035.
The 2025 Global Risk Institute survey moved the expert window forward. Its 26 respondents put a CRQC as "quite possible" within 10 years and "likely" within 15 years. Google Quantum AI's 2026 cryptocurrency work tightened the blockchain-specific concern by estimating that ECDLP-256 can be attacked with fewer resources than previously thought.
What breaks first
Elliptic-curve signatures are the urgent blockchain problem. Ed25519 and secp256k1 depend on discrete-log hardness. A sufficiently capable quantum computer running Shor's algorithm changes the security model from "public key is safe to expose" to "public key can become enough to recover the private key."
For blockchains, the exposure is unusually stark:
- Transactions and signatures are public.
- Account keys and multisig member keys may be visible indefinitely.
- A quorum policy does not help if every member uses the same broken primitive.
- Abandoned or cold accounts may have no human operator available for migration.
Hashing is different. Grover's algorithm gives a quadratic search speedup, which is serious but not the same as Shor's break of ECC. SHA-256 and SHA-512 need security-margin analysis, but hash-based signatures remain one of the conservative post-quantum families.
Lattice signatures are the practical migration workhorse. ML-DSA is standardized, Falcon is compact and on the NIST path as FN-DSA, and Solana engineering groups have converged on Falcon because bandwidth matters.
Threat rating by primitive
| Primitive | Quantum threat | Blockchain relevance | Quorum stance |
|---|---|---|---|
| Ed25519 | High | Native Solana accounts and signatures | Support for continuity, not final high-value authority |
| Secp256k1 | High | Bitcoin, Ethereum, EVM governance | Support for cross-chain identity, not PQ security |
| SHA-256 hashing | Medium | Hash commitments, address derivation, WOTS-style chains | Conservative basis, but size and state matter |
| Falcon-512 / FN-DSA | Low against known quantum attacks | Compact PQ approval candidate | Primary compact PQ signer |
| Winternitz / WOTS-style | Low against known quantum attacks if state is safe | Hash-based approval, vault fallback | Conservative PQ signer with state discipline |
| ML-DSA / Dilithium | Low against known quantum attacks | General PQ signature standard | Strong standard, but large for Solana transaction limits |
| SLH-DSA / SPHINCS+ | Low against known quantum attacks | Stateless hash-based standard | Conservative, but very large signatures |
Why the timeline matters before Q-Day
Migration is not just a cryptography swap. It requires wallet UX, hardware support, governance procedure, custody policy, audit review, education, and incident playbooks. That is why agencies talk about roadmaps, inventories, and vendor engagement rather than a last-minute cutover.
The bet is not whether a CRQC will exist in 2030. It is whether you are sure it will not.
For Solana teams, the immediate action is narrower than "replace every key." Inventory exposed long-lived authorities, test post-quantum signer operations, and put high-value assets behind policies that can require at least one post-quantum approval.
References
- NIST post-quantum FIPS approval announcement
- NSA CNSA 2.0 quantum-resistant algorithm requirements
- CISA/NSA/NIST quantum-readiness factsheet
- Global Risk Institute Quantum Threat Timeline Report 2025
- Google Quantum AI cryptocurrency disclosure
- White House NSM-10 summary at NIST