For years, cryptographers and blockchain developers have treated quantum computing as a distant threat. Something humans have to worry about “eventually.” That perspective changed dramatically on December 9th, 2024, when Google announced its latest quantum processor, Willow. While listening to a podcast, Scott Aaronson said a line that perhaps best describes the sentiment right now:
“I think today the message needs to change. I think today the message needs to be: yes, unequivocally, worry about this now. Have a plan.”
This urgency isn’t just a speculation anymore. Willow is a fundamental breakthrough in quantum computing that brings us significantly closer to machines capable of breaking current cryptographic systems. For the blockchain industry, built on the foundation of cryptographic trust, this quantum threat to blockchain demands immediate attention and action.
The Dawn of Willow
Quantum computers making headlines is nothing new now. Sycamore’s, the predecessor of Willow that came to headline in 2019, was a reminder of the quantum threat to blockchain, but Willow has elevated that concern to an entirely new level.
Unlike classical computers that use bits (0 or 1), these quantum machines use quantum bits or “qubits” that can exist in multiple states simultaneously. This allows them to solve certain problems much faster than classical computers. That speed advantage directly feeds into the quantum threat to blockchain.
But the problem was the more qubits you add to the system, the more unstable it becomes. It’s a problem, often named the “scale-up problem,” that has frustrated quantum researchers for three decades. Willow claims to have solved this decades-old problem. For the first time, adding more qubits to the system actually reduces errors exponentially rather than increasing them. This heightens the quantum threat to blockchain by removing a critical barrier to large-scale quantum attacks.
To demonstrate Willow’s capabilities, Google ran what’s called a Random Circuit Sampling (RCS) benchmark. The results were staggering: Willow completed in five minutes what would take today’s most powerful supercomputers 10 septillion years (10^25). For perspective, that’s about a million times longer than the universe has existed. The universe is only 13.8 billion years old.
Willow achieves this through its 105-qubit processor with 99.5% two-qubit gate fidelity. The quantum error correction techniques employed allow for exponential quantum error correction. Meaning errors can be reduced by scaling up using more qubits along with the ability to perform computations far beyond classical capabilities.
While the RCS benchmark itself may not have immediate practical applications, it tells us the kind of computational power that could eventually threaten current digital security protocols.
Hartmut Neven, who founded Google’s Quantum AI lab, puts this achievement in context:
“When I founded Google Quantum AI in 2012, the vision was to build a useful, large-scale quantum computer that could harness quantum mechanics – the ‘operating system’ of nature. With Willow, that vision is starting to materialize.”
Why is Blockchain’s Security Questioned Again and Again: What are the Attack Vectors
The blockchain industry’s concern isn’t new – in fact, Satoshi Nakamoto himself foresaw this challenge back in 2010:
What’s changed is the timeline. Before Willow, a quantum threat to blockchain felt distant; now, it feels more like watching storm clouds gather on the horizon.
Modern blockchains rely on three main cryptographic pillars: SHA-256 for hash functions and proof-of-work, ECDSA for digital signatures, and public key cryptography for wallet security. Think of these as the locks, keys, and safes of the digital world.
What makes Willow a quantum threat to blockchain is its potential to break ECDSA through Shor’s algorithm. This elliptic curve algorithm is used to generate signatures in Bitcoin’s blockchain.
Every time you make a blockchain transaction, you expose your public key. With sufficient quantum computing power, attackers could derive private keys from these public keys, potentially gaining access to millions of wallets.
Worse still, they could begin collecting encrypted data today to decrypt it once quantum computers become powerful enough. This ‘Harvest now, decrypt later’ is one of the most unsettling parts of the quantum threat to blockchain, where past data could become vulnerable in the future.
– a threat known as “harvest now, decrypt later.” Finalized transactions can’t be reversed for sure, but your keys will be vulnerable.
While Satoshi suggested the possibility of transitioning to new cryptographic systems, such a transition becomes increasingly complex as blockchain networks grow. For Bitcoin alone, millions of addresses with exposed public keys could potentially be vulnerable. That scale makes the quantum threat to blockchain even more daunting because upgrading so many addresses is no small task.
The threat is for everyone. Smart contracts, decentralized applications (dApps), and entire Layer-1 / Layer2 blockchain protocols rely on the same fundamental cryptographic principles. As Vitalik points out, externally owned accounts (EOAs) are particularly vulnerable since they rely directly on ECDSA for security. The quantum threat thus strikes at the very foundation of blockchain architecture.
A Reality Check: Where Google’s Willow Stands Today
Breaking Bitcoin’s SHA-256 “encryption” (which is technically a hash function) with Grover’s algorithm would require 6,000-10,000 logical qubits. When accounting for quantum error correction through methods like the Surface Code, this translates to 6-10 million physical qubits.
Willow, with its 105 physical qubits and 99.5% two-qubit gate fidelity, cannot yet implement a single robust logical qubit. Current fault-tolerant thresholds require error rates below 0.1%. In simple terms, Willow operates at less than 0.001% of the capacity needed to break SHA-256.
However, focusing solely on qubit counts misses a crucial point. What makes Willow significant isn’t its current computing power but rather its demonstration of “below threshold” error correction – showing errors can decrease as the system scales. This is the key technical hurdle that has prevented practical quantum computing for decades.
As physicist John Preskill notes, the path from here to cryptographically relevant quantum computers isn’t just about adding more qubits. Challenges remain in qubit stability, error correction at scale, and the sheer engineering complexity of maintaining quantum coherence. The real concern isn’t that Willow can break cryptography today but that it demonstrates a viable path forward that could progress faster than expected.
This reality has implications for how the blockchain industry should respond – not with panic, but with focused preparation for a future that’s approaching more rapidly than previously thought.
What’s often overlooked in these discussions is that blockchain isn’t alone in facing this quantum threat.
Here’s a sobering thought: quantum computers would need only about half the qubits to break the SSL/TLS security protecting your online banking than they’d need for Bitcoin. And major tech players aren’t waiting around – Cloudflare, for instance, has already moved nearly 2% of their TLS 1.3 connections to post-quantum cryptography, with plans to hit double digits by year’s end.
The race to quantum resistance isn’t just about protecting crypto – it’s about securing our entire digital world. Yet the quantum threat to blockchain is a little bit more in discussion because decentralized networks rely so heavily on cryptographic trust.
The Blockhain’s Race for Quantum Resistance
The race for quantum resistance has spawned multiple promising approaches. Each has its unique strengths and technical limitations. Let’s understand the mathematical principles that make them resistant to quantum attacks.
- Lattice-based cryptography:
Lattice-based cryptography is one of the most promising defenses. Lattice problems are notoriously tough, and they’re increasingly seen as a reliable shield against the quantum threat to blockchain.
As ZKSync security researcher Rahul Saxena explains in his detailed take, the power of lattice-based systems comes from the inherent difficulty of solving certain geometric problems – even for quantum computers. Take, for example, a multi-dimensional grid where finding the shortest path between points becomes exponentially harder as dimensions increase. The fascinating aspect is that while this problem becomes nearly impossible for attackers, legitimate users with the right key can solve it efficiently.
“The hardness comes from the difficulty of finding the shortest vector in high-dimensional lattices,” Saxena notes. “Multiple sets of basis vectors can produce the same lattice, creating the first level of hardness for hackers, where the private part is kept on the good basis lattice and the public part is the bad basis lattice.”
Fully Homomorphic Encryptions (FHE) that we have started using now, often use Lattice-based cryptography that allows for homomorphic properties.
- Hash-based Signatures:
Hash-based signatures, XMSS (eXtended Merkle Signature Scheme), and SPHINCS+ perhaps provide the most conservative quantum resistance approach using SHA256 or SHA3.
Just to make sure we’re not confused, Bitcoin already uses SHA-256 for hashing in PoW and address generation, which are not vulnerable to quantum threats. The quantum vulnerable component is ECDSA, Bitcoin’s digital signature mechanism.
Unlike present RSA and ECDSA, which are vulnerable to Shor’s algorithm due to their reliance on discrete logarithmic or factoring problems, hash-based signatures rely on one-way functions, such as finding collisions or preimages. No quantum algorithm currently exists to efficiently solve these problems.
Grover’s algorithm only slightly weakens their security, halving the effective bit strength (e.g., a 256-bit hash provides 128 bits of quantum security). This minimal vulnerability makes hash-based signatures a solid defense against the quantum threat to blockchain.
Here’s one tweet of Vitalik, back from 2022, where he shows concern about the quantum threat and advocates for hash signatures:
Though, we have little concern over the key sizes, which can reach up to tens of kilobytes. This could make them impractical for certain applications.
Zk-STARKs that many of today’s protocols (Starknet, ZKsync, Polygon zkEVM) are experimenting with are inherently quantum-resistant. They replace elliptic curves with hash-based systems and polynomial commitments, which quantum algorithms like Shor’s cannot attack.
- Code-based cryptography:
For many security experts, code-based cryptography could be another layer of defense if the quantum threat to blockchain outpaces other post-quantum solutions. Pioneered by the McEliece cryptosystem, this technique has been quietly holding its ground against quantum attacks for over 40 years. Code-based cryptography hides messages in purposely complicated math puzzles – the kind that even quantum computers find hard to solve.
They use error-correcting codes – the same technology that ensures your CD player keeps working even with a scratched disc. By deliberately introducing errors that only the rightful recipient can correct, these systems create a quantum-resistant shield around data. While the McEliece system itself has large key sizes (several hundred kilobytes), newer variants are working to trim this down while maintaining security.
- Multivariate cryptography:
The popular Rainbow sign scheme comes under this category. Multivariate cryptography is like playing multi-dimensional chess with equations. It uses systems of equations with multiple variables (Polynomials), making them incredibly difficult for both classical and quantum computers to solve.
After Rainbow, new schemes like MAYO are emerging that maintain the advantages of multivariate cryptography while learning from past vulnerabilities. They are good at creating small signatures – something invaluable for blockchain transactions where every byte counts. These evolving researches keep us one step ahead of the quantum threat to blockchain by experimenting with new forms of mathematical complexity.
- Hybrid Solutions:
Hybrid solutions may offer the most practical path forward. They could combine multiple quantum-resistant approaches we discussed above, and systems can maintain security even if individual components are compromised. That layered approach or “defense in depth” ensures the quantum threat to blockchain must tackle various mathematical pillars simultaneously until we have established relative strength records for different quantum-resistant techniques.
Unlike current cryptographic systems that rely primarily on number theory problems (which quantum computers excel at solving), quantum-resistant solutions leverage a diverse set of mathematical principles – from geometric complexity to statistical properties of hash functions. This diversity itself provides a form of security, as a quantum computer would need to break multiple different types of mathematical problems to compromise a well-designed system.
Where are we today in the quantum journey?
The response is happening on multiple fronts, and honestly, it’s pretty exciting to see how different parts of the ecosystem are tackling this challenge. Here are a few notable ones:
I) NIST’s standardization efforts are giving the industry its first real playbook for quantum resistance. Their finalized standards – ML-KEM (the algorithm formerly known as Kyber) for key encapsulation, along with ML-DSA and SLH-DSA for digital signatures – mean projects don’t have to reinvent the wheel. Instead of everyone crafting their own solutions, we now have battle-tested algorithms ready for implementation.
II) Ethereum’s not just thinking about quantum resistance – it has incorporated it into its future roadmap. The Beam Chain proposal is pushing to incorporate quantum-resistant cryptography into the base layer, and Ethereum 3.0 (targeted for 2027) is going all-in with plans for Winternitz signatures and zk-STARKs. These will fundamentally upgrade the base layer to shield transactions from quantum attacks by preventing private key exposure altogether.
III) Individual chains are preparing in their own ways, too.
Take Avalanche – they’ve already built lattice-based cryptography implementations and can deploy them immediately. As per their founder and CEO, Avalanche’s 1-second finality is like an unfair advantage here, giving quantum attackers virtually no time to crack exposed public keys or.execute brute force attacks.
StarkNet has developed STARK. They are switching from the current quantum-vulnerable Pedersen hash to the quantum-resistant Poseidon hash while using their native account abstraction gives wallets an easy upgrade to quantum-resistant signature schemes without disrupting the entire network.
IV) The zkRollup space is also doing some interesting work. ZkSync is currently running with zkSNARKs, while Polygon zkEVM is attempting something more ambitious by combining SNARK and STARK approaches. The good news is that we can potentially upgrade them to quantum-resistant variants or make the leap to zkSTARKs. Though, we’ll need to figure out how to handle those larger key sizes efficiently.
What if we have a quantum emergency now?
But what if quantum computers arrive sooner than we expect? Vitalik thinks we are pretty well positioned to tackle such a situation, and he has proposed a fascinating emergency response plan that’s both elegant and practical.
Most users’ private keys are actually generated through hash functions that would remain quantum-resistant. This means we could implement a recovery fork where users prove ownership of their addresses through STARKs without exposing any vulnerable cryptography. This kind of contingency is critical for mitigating the quantum threat to blockchain, ensuring that even a sudden jump in quantum power doesn’t blindside the entire ecosystem.
Read the thesis here:
How to hard-fork to save most users’ funds in a quantum emergency.
The Case for Rollups and Appchains
As a Rollups-as-a-Service provider, the discussion seems incomplete if we don’t bring Rollups/ appchains here. When it comes to rollups and appchains, sure, they have the same quantum attack vectors as their parent chains – after all, they’re still using those same fundamental cryptographic primitives like ECDSA. If quantum computers can crack these, both Layer-1 and Layer-2 solutions are in trouble.
But, these scaling solutions have more flexible upgrade choices than base layers. They can adapt faster, which gives them a chance to tackle the quantum threat to blockchain more aggressively than a monolithic base layer might.. They’re already adapting technologies like zkSNARKs, zkSTARKs, and Fully Homomorphic Encryption (FHE). Take StarkNet/ ZKsync’s use of STARKs – they’re not just today’s scaling solutions; they’re already building in quantum resistance.
Let’s wrap it here. If you’re looking to launch your own rollup or appchain, Zeeve supports all leading ZK rollup frameworks with 45+ custom integrations. Let’s build something that’s ready for both today’s challenges and tomorrow’s quantum future. Schedule a call with our experts, and let’s get started.
