Author | Justin Thaler, a16z Research Partner
Translation | GaryMa Wu Says Blockchain
People often make exaggerated time predictions about when "quantum computers that pose a real threat to existing cryptographic systems" will arrive — leading to calls for immediate, large-scale migration to post-quantum cryptography.
However, these calls often overlook the costs and risks of premature migration, as well as the fact that different cryptographic primitives face entirely different risk profiles:
Post-quantum encryption, even if costly, must be deployed immediately: "Harvest-now-decrypt-later" (HNDL) attacks are already occurring, because when quantum computers truly arrive, even if that is decades from now, sensitive data protected by encryption today will still hold value. Despite the performance overhead and implementation risks associated with post-quantum encryption, for data that requires long-term confidentiality, HNDL attacks leave no choice.
The considerations for post-quantum signatures are entirely different. They are not affected by HNDL attacks, and their costs and risks (larger sizes, performance overhead, immature implementations, and potential vulnerabilities) mean that migration should be approached cautiously rather than implemented immediately.
These distinctions matter a great deal. Misunderstanding them distorts cost-benefit analyses and leads teams to overlook more pressing security risks — such as ordinary implementation vulnerabilities.
The real challenge in moving towards post-quantum cryptography is matching "urgency" with "real threat." Below, I will clarify common misconceptions about quantum threats and their implications for cryptography — including encryption, signatures, and zero-knowledge proofs — with a particular focus on their impact on blockchain.
What is our current timeline?
The likelihood of "cryptographically relevant quantum computers (CRQC)" emerging in the 2020s is extremely low, despite some high-profile claims that have raised concerns.
(Note: a cryptographically relevant quantum computer is referred to as a CRQC hereafter.)
The "cryptographically relevant quantum computer" mentioned here refers to a fault-tolerant, error-corrected quantum computer capable of running Shor's algorithm at a sufficient scale to attack elliptic curve cryptography or RSA (for example, breaking secp256k1 or RSA-2048 within a month of continuous computation).
Based on publicly available milestones and resource assessments, we are far from such a quantum computer. While some companies claim that CRQC is likely to appear before 2030 or even 2035, the visible progress does not support these assertions.
For context, no platform in any of the current architectures — ion traps, superconducting qubits, or neutral atom systems — comes anywhere close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm against RSA-2048 or secp256k1 (the exact number depends on error rates and the error correction scheme).
The limiting factors are not just the number of qubits, but also gate fidelity, qubit connectivity, and the depth of error-correcting circuits necessary to sustain the execution of deep quantum algorithms. While some systems now exceed 1,000 physical qubits, looking solely at the number can be misleading: these systems lack the connectivity and gate fidelity required for cryptographic computations.
Recent systems are approaching the physical error levels where quantum error correction becomes feasible, but no one has demonstrated more than a few logical qubits with sustainable error-correcting circuit depth — let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits needed to run Shor's algorithm. There remains a significant gap between theoretically proving quantum error correction is feasible and actually achieving the scale necessary for cryptographic breaking.
In short: Unless both the number of qubits and fidelity improve by several orders of magnitude, "cryptographically relevant quantum computers" remain out of reach.
However, corporate press releases and media reports can easily lead to misunderstandings. Common misconceptions include:
- Claims of "quantum advantage" in demonstrations. These demonstrations usually target artificially constructed problems, chosen not for their practical relevance but because they can run on existing hardware while appearing to show a large quantum speedup — a point that marketing tends to downplay.
- Claims of having achieved thousands of physical qubits. This usually refers to quantum annealers, not the gate-model quantum computers required to run Shor's algorithm against public key cryptography.
- Casual use of the term "logical qubits." Physical qubits are inherently noisy, and quantum algorithms require logical qubits; as mentioned, Shor's algorithm needs thousands of them. With quantum error correction, one logical qubit typically requires hundreds to thousands of physical qubits (depending on error rates). Some companies have stretched the term to an absurd extent. For example, a company recently claimed 48 logical qubits using only two physical qubits per logical qubit, with a distance-2 code. This is plainly unreasonable: a distance-2 code can only detect errors, not correct them. True fault-tolerant logical qubits capable of cryptographic attacks require hundreds to thousands of physical qubits each, not two.
More generally, many quantum computing roadmaps use "logical qubits" to refer to qubits that only support Clifford operations. These operations can be efficiently simulated by classical algorithms, thus are insufficient for running Shor's algorithm, which requires thousands of error-corrected T gates (or more generally, non-Clifford gates).
Therefore, even if a roadmap claims "achieving thousands of logical qubits by year X," it does not mean that the company expects to run Shor's algorithm to break classical cryptography in the same year X.
These practices severely distort the public (and even industry professionals') perception of "how close we are to a true CRQC."
Nonetheless, some experts are indeed excited about the progress. For instance, Scott Aaronson recently wrote that given "the astonishing speed of current hardware development," he now believes it is a real possibility to have a fault-tolerant quantum computer running Shor's algorithm before the next U.S. presidential election.
But Aaronson later clarified that his statement does not imply a quantum computer with cryptographic capabilities: even if a fully fault-tolerant Shor's algorithm merely factored 15 = 3×5 — a number you could factor faster with pen and paper — he would consider his prediction satisfied. The bar here is the execution of a miniature-scale Shor's algorithm, not one of cryptographic significance; earlier quantum factorizations of 15 used simplified circuits, not a complete fault-tolerant Shor. Moreover, the continued choice of 15 in quantum experiments is not a coincidence: arithmetic modulo 15 is extremely simple, while factoring even slightly larger numbers (such as 21) is much harder. Indeed, some quantum experiments claiming to factor 21 have relied on hints or shortcuts.
In short, the expectation that a quantum computer capable of breaking RSA-2048 or secp256k1 (the scale cryptography genuinely cares about) will appear within the next five years is not supported by any public progress.
Even ten years remains an aggressive prediction. Considering how far we are from truly cryptographically relevant quantum computers, it is entirely possible to maintain excitement about progress while coexisting with timelines of over ten years.
So, what does it mean that the U.S. government has set 2035 as the target year for the overall migration of government systems to post-quantum cryptography? I believe this is a reasonable timeline for completing such a large-scale migration. However, it does not imply an expectation that "CRQC will appear by then."
In which scenarios do HNDL attacks apply (and in which do they not)?
"Harvest now, decrypt later" (HNDL) attacks refer to attackers storing encrypted communications now and waiting for the day a "cryptographically relevant quantum computer" appears to decrypt them. It is certain that nation-state attackers are already archiving U.S. government encrypted communications at scale so they can decrypt them when quantum computers truly arrive. This is why encryption systems must begin migrating today — at least for entities that need to maintain confidentiality for the next 10–50 years.
However, digital signatures — the technology all blockchains rely on — differ from encryption: they do not have a "confidentiality" that can be attacked retroactively.
In other words, when quantum computers truly arrive, they will make it possible to forge digital signatures from that moment on, but past signatures do not "hide" any secret the way encrypted messages do. As long as it can be confirmed that a digital signature was generated before the emergence of a CRQC, it cannot have been forged.
Therefore, compared to encryption systems, the migration to post-quantum digital signatures is not as urgent.
The actions of major platforms reflect this: Chrome and Cloudflare have deployed hybrid X25519+ML-KEM in TLS, the web's transport security protocol. [In this article, I refer to these as "encryption schemes" for readability, although strictly speaking, secure communication protocols like TLS use key exchange or key encapsulation mechanisms, not public key encryption.]
Here, "hybrid" means layering a post-quantum secure scheme (ML-KEM) on top of an existing scheme (X25519) so that the combination has the security of both. ML-KEM defends against HNDL attacks, while X25519 preserves the classical security guarantee in case ML-KEM turns out to be insecure even against today's computers.
Apple's iMessage has also deployed a similar hybrid post-quantum encryption in its PQ3 protocol, and Signal has implemented this mechanism in its PQXDH and SPQR protocols.
In contrast, the migration of key web infrastructure to post-quantum digital signatures will be delayed until "truly approaching the emergence of CRQC," as current post-quantum signature schemes bring significant performance degradation (which will be discussed later in this article).
zkSNARKs — zero-knowledge, succinct, non-interactive proofs, which are central to the future scalability and privacy of blockchains — face quantum threats in much the same way as digital signatures. Even where a zkSNARK is not itself post-quantum secure (because it uses the same elliptic curve cryptography as current encryption and signatures), its "zero-knowledge" property remains post-quantum secure.
The zero-knowledge property ensures that the proof does not leak any information about the secret witness — even in the face of quantum attackers — thus there is no confidential data that can be "collected" in advance and decrypted later.
Therefore, zkSNARKs are not affected by HNDL attacks. Just as non-post-quantum digital signatures generated today are secure, as long as the zkSNARK proof was produced before the emergence of CRQC, it is trustworthy (i.e., the statement of the proof must be true) — even if zkSNARK uses elliptic curve cryptography. Only after the emergence of CRQC can an attacker construct a "seemingly valid but actually incorrect" proof.
What This Means for Blockchain
Most blockchains are not exposed to HNDL attacks: most non-privacy chains — such as today's Bitcoin and Ethereum — primarily use non-post-quantum cryptography for transaction authorization, meaning they use digital signatures rather than encryption.
Again, it is emphasized that digital signatures are not affected by HNDL attacks: "harvest now, decrypt later" attacks only apply to encrypted data. For example, the Bitcoin blockchain is public; the quantum threat lies in forging signatures (deriving private keys to steal funds), not decrypting already public transaction data. This means that HNDL attacks do not create immediate cryptographic urgency for current blockchains.
Unfortunately, some trusted institutions (including the U.S. Federal Reserve) still incorrectly claim in their analyses that Bitcoin is vulnerable to HNDL attacks, which exaggerates the urgency of migrating to post-quantum cryptography.
However, "reduced urgency" does not mean Bitcoin can wait indefinitely: due to the significant social coordination required for protocol upgrades, Bitcoin faces different time pressures. (The unique challenges of Bitcoin will be discussed in more detail below.)
One current exception is privacy chains, many of which hide recipients and amounts through encryption or other means. Such confidential information can be "collected" in advance, and once quantum computers can break elliptic curve cryptography, it may be de-anonymized retroactively.
For such privacy chains, the severity of the attack varies depending on the design of the chain. For example, in the case of Monero's elliptic curve-based ring signatures and key images (a uniquely linkable label for each output to prevent double spending), the entire transaction flow graph could be reconstructed in the future based solely on the public ledger. However, in other privacy chains, the extent of damage may be more limited — see the relevant discussions by Zcash cryptographic engineer and researcher Sean Bowe.
If users believe it is very important that "transactions will not be exposed due to the emergence of quantum computers in the future," then privacy chains should migrate to post-quantum cryptographic primitives (or hybrid schemes) as soon as possible. Alternatively, they should adopt architectures that do not place secrets on-chain that can be decrypted.
Bitcoin's Unique Dilemma: Governance Mechanism + Abandoned Coins
For Bitcoin, two real factors make the migration to post-quantum digital signatures urgent, and neither has anything to do with quantum technology itself. The first is governance speed: Bitcoin evolves extremely slowly, and any contentious issue on which the community cannot agree on an appropriate solution could trigger a destructive hard fork.
The second concern is that migrating Bitcoin to post-quantum signatures cannot be accomplished passively: coin holders must actively migrate their funds. This means that coins that have been abandoned but are still exposed to quantum threats cannot be protected. Some estimates suggest that the number of quantum-vulnerable and potentially abandoned BTC could be in the millions, amounting to hundreds of billions of dollars at current prices (as of December 2025).
However, the quantum threat does not imply a sudden "catastrophic overnight collapse" for Bitcoin; it is more likely to unfold as a selective, gradual process. Quantum computers will not break all cryptographic schemes at once — Shor's algorithm must break public keys one target at a time, and early quantum attacks will be extremely expensive and slow. Therefore, once quantum computers can break a single Bitcoin signing key, attackers will prioritize the highest-value wallets.
Moreover, as long as users avoid address reuse and do not use Taproot addresses (which directly expose public keys on-chain), they are generally protected even if the protocol itself has not yet been upgraded: their public keys remain hidden behind hash functions until they spend. When they eventually broadcast a spending transaction, the public key becomes public, at which point there exists a brief "real-time race window": honest users need to get their transactions confirmed quickly, while quantum attackers attempt to find the private key and spend the coins before the transaction is confirmed. Thus, the truly vulnerable coins are those whose public keys have been exposed for years: early P2PK outputs, reused addresses, and Taproot holdings.
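The exposure categories described above (P2PK and Taproot outputs with the key on-chain, hashed outputs that stay hidden until a spend, and reused addresses that have already revealed their key) can be checked mechanically. The following is an added example for this article, not code from the author or any Bitcoin project; it classifies outputs by their standard scriptPubKey template plus a constructed "spent from before" flag, and the sample outputs are dummy data, not real chain data.

```python
"""Which Bitcoin outputs could a future CRQC target before their owner spends?

Added example for this article; not code from the author or from any Bitcoin
project. Outputs are classified by their standard scriptPubKey template and by
whether the same script has already been spent from (address reuse). The sample
outputs at the bottom are constructed, with dummy key material.
"""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC,
)


def script_type(spk: bytes) -> str:
    """Name the standard output template a scriptPubKey matches."""
    n = len(spk)
    # P2PK: <33- or 65-byte public key push> OP_CHECKSIG  (key is on-chain)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    # SegWit v0: OP_0 <20-byte key hash> (P2WPKH) or OP_0 <32-byte script hash> (P2WSH)
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"
    # Taproot (SegWit v1): OP_1 <32-byte x-only output key>  (key is on-chain)
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"
    return "nonstandard"


@dataclass
class Utxo:
    script_pubkey: bytes
    value_sat: int
    spent_from_before: bool  # same script already spent from (address reuse)


def quantum_exposure(u: Utxo) -> str:
    """'exposed' if Shor's algorithm could be aimed at the key today,
    'hashed' if only a hash is on-chain until the owner spends."""
    t = script_type(u.script_pubkey)
    if t in ("p2pk", "p2tr"):
        # The output script itself contains a secp256k1 point. For Taproot it
        # is the tweaked output key, whose discrete log already suffices for a
        # key-path spend, so the tweak offers no protection here.
        return "exposed"
    if t in ("p2pkh", "p2wpkh"):
        # Until a spend, only HASH160(pubkey) is visible; a prior spend from
        # the same script has already published the public key.
        return "exposed" if u.spent_from_before else "hashed"
    if t in ("p2sh", "p2wsh"):
        # Only a script hash is visible; exposure then depends on what the
        # redeem script contains, so it is reported as its own class.
        return "exposed" if u.spent_from_before else "hashed-script"
    return "unknown"


def exposure_report(utxos) -> dict:
    """Total value (sats) per exposure class, largest first: the order in
    which a holder should migrate, and the order an early CRQC would target."""
    totals: dict = {}
    for u in utxos:
        cls = quantum_exposure(u)
        totals[cls] = totals.get(cls, 0) + u.value_sat
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


# Constructed sample outputs (dummy key material, not real keys or addresses).
SAMPLE_UTXOS = [
    Utxo(bytes([0x41]) + b"\x04" + b"\x11" * 64 + bytes([OP_CHECKSIG]), 50_0000_0000, False),  # early P2PK
    Utxo(bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 3_0000_0000, False),
    Utxo(bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 7_0000_0000, True),  # reused
    Utxo(bytes([OP_0, 0x14]) + b"\x44" * 20, 1_0000_0000, False),   # P2WPKH, never spent from
    Utxo(bytes([OP_1, 0x20]) + b"\x55" * 32, 2_0000_0000, False),   # Taproot
    Utxo(bytes([OP_0, 0x20]) + b"\x66" * 32, 4_0000_0000, False),   # P2WSH
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(f"{script_type(u.script_pubkey):>6}  {quantum_exposure(u):<13} {u.value_sat}")
    print(exposure_report(SAMPLE_UTXOS))
```

The "spent_from_before" flag is a stand-in for an index lookup over past transactions; P2SH/P2WSH outputs are reported separately because their redeem script (not the output itself) decides whether a public key is involved.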
For those already abandoned vulnerable coins, there are currently no easy solutions. Possible options include:
- The Bitcoin community reaches a consensus to set a "flag day," after which all un-migrated coins are considered destroyed.
- Allow all abandoned coins exposed to quantum risk to be seized by anyone with CRQC.
The second option would bring serious legal and security issues. Using quantum computers to seize funds without private keys — even claiming to do so out of legitimate ownership or good faith — would touch upon theft and computer fraud laws in many jurisdictions.
Additionally, "abandoned" itself is based on an assumption of inactivity, but no one can know for certain whether these coins have truly lost active holders with the keys. Even if someone can prove they once held these coins, they may not have the legal authority to breach the cryptographic protection to "retrieve" them. This legal ambiguity makes it highly likely that these abandoned coins, exposed to quantum risk, will fall into the hands of malicious attackers who disregard legal constraints.
Another unique issue for Bitcoin is its extremely low transaction throughput. Even if a migration plan is ultimately finalized, moving all funds exposed to quantum threats to post-quantum secure addresses would still take months at Bitcoin's current transaction rate.
These challenges mean that Bitcoin must start planning for post-quantum migration now — not because CRQC is likely to appear before 2030, but because the coordination of governance, reaching consensus, and the technical logistics of migrating hundreds of billions of dollars in value will take years to complete.
The quantum threat facing Bitcoin is real, but the time pressure comes from Bitcoin's structural constraints, not the impending arrival of quantum computers. Other blockchains also face the issue of quantum-vulnerable funds, but Bitcoin is particularly unique: the earliest transactions used pay-to-public-key (P2PK) outputs, directly exposing public keys on-chain, leaving a significant proportion of BTC vulnerable to quantum threats. Its technical history, combined with its long chain age, high value concentration, low throughput, and rigid governance, exacerbates the problem.
It is important to note that the vulnerabilities discussed above concern only the cryptographic security of Bitcoin's digital signatures — not the economic security of the Bitcoin blockchain. Bitcoin's economic security comes from its proof-of-work (PoW) consensus mechanism, which is far less susceptible to quantum attacks, for three reasons:
- PoW relies on hash functions, so it will only be affected by the quadratic speedup brought by Grover's search algorithm, rather than the exponential speedup from Shor's algorithm.
- The practical overhead of implementing Grover's search is immense, making it extremely unlikely that any quantum computer could achieve even limited practical speedup on Bitcoin's PoW.
- Even if quantum computers could achieve significant speedup, the effect would only give large miners with quantum power a relative advantage, without fundamentally undermining Bitcoin's economic security model.
Costs and Risks of Post-Quantum Signatures
To understand why blockchains should not hastily deploy post-quantum signatures, we need to consider both performance costs and our evolving confidence in post-quantum security.
Most post-quantum cryptography is based on one of the following five methods: hashing, codes (error-correcting codes), lattices, multivariate quadratic equations (MQ), and isogenies.
Why are there five different approaches? Because the security of any post-quantum primitive rests on an assumption: that quantum computers cannot efficiently solve a specific mathematical problem. The more structure that problem has, the more efficient the cryptographic protocols we can build on it.
But this is a double-edged sword: more structure also means a larger attack surface, making the algorithms easier to break. This creates a fundamental tension — stronger assumptions lead to better performance, but at the cost of potential security vulnerabilities (i.e., the likelihood of the assumption being proven wrong is higher).
Overall, from a security perspective, hashing-based methods are the most conservative and robust because we are most confident that quantum computers cannot efficiently attack them. However, their performance is also the worst. For example, the NIST standardized hash signature scheme has a signature size of 7–8 KB even at the minimum parameter settings. In contrast, today's elliptic curve digital signatures are only 64 bytes, about 100 times smaller.
Lattice-based schemes are the current focus of deployment. The only encryption (KEM) scheme NIST has selected, ML-KEM, and two of its three selected signature algorithms are lattice-based. One of the lattice signatures (ML-DSA, originally named Dilithium) has a signature size of 2.4 KB at the 128-bit security level and 4.6 KB at the 256-bit security level — about 40–70 times larger than current elliptic curve signatures. Another lattice scheme, Falcon, has smaller signatures (Falcon-512 is 666 bytes, Falcon-1024 is 1.3 KB), but relies on complex floating-point operations, which NIST itself has flagged as a significant implementation challenge. One of Falcon's designers, Thomas Pornin, described it as "the most complex cryptographic algorithm I have implemented to date."
In terms of implementation security, lattice signatures are much more difficult than elliptic curve schemes: ML-DSA contains more sensitive intermediate values and complex rejection sampling logic, all of which require side-channel and fault attack protection. Falcon further complicates this with constant-time floating-point operations; multiple side-channel attacks against Falcon implementations have successfully recovered private keys.
The risks posed by these issues are immediate, entirely different from the distant threat of "cryptographically relevant quantum computers."
There are ample reasons to be cautious about higher-performance post-quantum cryptographic schemes. Historically leading schemes, such as Rainbow (MQ-based signatures) and SIKE/SIDH (isogeny-based encryption), have been "classically" broken — meaning they were broken by today's computers, not quantum computers.
This occurred at a stage when the NIST standardization process had already progressed significantly. This certainly reflects a healthy scientific process, but it also indicates that premature standardization and deployment can have counterproductive effects.
As mentioned earlier, internet infrastructure is taking a cautious approach to signature migration. This is noteworthy because once a cryptographic transition on the internet begins, it often takes years to complete. Hash functions like MD5 and SHA-1 were officially deprecated by internet standards bodies many years ago, yet their migration has dragged on for years and they are still not completely eliminated in some settings — and those algorithms have been fully broken, not merely "potentially breakable in the future."
Unique Challenges of Blockchain vs. Internet Infrastructure
Fortunately, blockchains maintained by open-source communities (such as Ethereum and Solana) can upgrade more quickly than traditional internet infrastructure. On the other hand, internet infrastructure benefits from frequent key rotations, meaning the attack surface changes faster than early quantum computers can keep up — while blockchains do not have this advantage, as coins and their keys may be exposed indefinitely. However, overall, blockchains should still learn from the cautious approach of the internet in advancing signature migration. Both are not affected by signature-type HNDL attacks, and the costs and risks of prematurely migrating to immature post-quantum schemes remain significant, regardless of the key lifecycle length.
Additionally, blockchains face some challenges that make premature migration particularly dangerous and complex: for example, blockchains have unique requirements for signature schemes, especially the need for "rapid aggregation of large numbers of signatures." The commonly used BLS signatures are popular due to their efficient aggregation capabilities, but they do not possess post-quantum security. Researchers are exploring SNARK-based post-quantum signature aggregation schemes. Although progress is promising, it is still in the early stages.
Regarding SNARKs themselves, the community is currently focused on hash-based post-quantum structures. However, a significant shift is imminent: I am confident that in the coming months and years, lattice schemes will become an attractive alternative route. They will offer better performance across multiple dimensions, such as shorter proof lengths — similar to how lattice signatures are shorter than hash signatures.
Current More Serious Issue: Implementation Security
In the coming years, implementation vulnerabilities will be far more realistic and severe than "quantum computers that truly threaten cryptography." For SNARKs, the primary concern is bugs.
Vulnerabilities are already a major challenge in digital signatures and encryption algorithms, and SNARKs are significantly more complex. In fact, a digital signature scheme can be viewed as an extremely simplified zkSNARK used to prove "I know the private key corresponding to the public key, and I have authorized this message."
For post-quantum signatures, the current truly urgent risks also include implementation attacks, such as side-channel attacks and fault injection attacks. These types of attacks have substantial empirical evidence and can extract private keys from real systems. The threats they pose are far more pressing than "distant future quantum attacks."
The community will continue to identify and fix vulnerabilities in SNARKs over the coming years and strengthen the implementation of post-quantum signatures to resist side-channel and fault injection attacks. Premature migration during the phase when post-quantum SNARKs and signature aggregation schemes have not yet stabilized will put blockchains at risk of locking themselves into suboptimal solutions — once better solutions emerge or current solutions expose significant implementation vulnerabilities, they may have to migrate again.
What Should We Do? Seven Recommendations
Based on the realities discussed above, I offer the following recommendations to different participants — from developers to policymakers. The overall principle is: take quantum threats seriously, but do not act under the assumption that "quantum computers that pose a real threat to cryptography will inevitably appear before 2030." Current technological progress does not support this premise. However, there is still much we can and should do to prepare:
1. Immediately Deploy Hybrid Encryption
At least in scenarios where long-term confidentiality is important and performance costs are acceptable. Many browsers, CDNs, and messaging applications (such as iMessage and Signal) have already deployed hybrid schemes. Hybrid schemes — post-quantum + classical cryptography — can resist HNDL attacks and guard against potential weaknesses in post-quantum schemes themselves.
2. Immediately Use Hash Signatures in Scenarios That Can Tolerate Large Signature Sizes
Low-frequency, size-insensitive scenarios such as software/firmware updates should immediately adopt hybrid hash signatures. (The hybrid approach is to guard against implementation vulnerabilities in the new scheme, not because there are doubts about the security assumptions of hashing.) This is a conservative and prudent approach that can provide society with a clear "lifeboat" in case quantum computers suddenly arrive early. If there is no already deployed software update mechanism for post-quantum signatures, we will face a bootstrapping problem after CRQC appears: we will be unable to safely distribute the cryptographic updates needed to counter quantum threats.
3. Blockchains Do Not Need to Rush to Deploy Post-Quantum Signatures — But Should Start Planning Now
Blockchain developers should learn from the practices of the Web PKI and advance the deployment of post-quantum signatures cautiously. This gives post-quantum signature schemes time to mature in both performance and security understanding, and gives developers time to redesign systems to accommodate larger signatures and to develop better aggregation techniques. For Bitcoin and other layer-one chains, the community needs to establish migration paths and policies for quantum-vulnerable and abandoned funds. Passive migration is not possible, so planning is crucial. The challenges Bitcoin faces are mostly non-technical — slow governance and a large number of potentially abandoned quantum-vulnerable addresses — which further highlights the need for the Bitcoin community to start planning early.
Meanwhile, research on post-quantum SNARKs and aggregatable signatures needs to continue maturing (which may take several years). Again, premature migration could lead to being locked into suboptimal solutions or having to migrate again after discovering implementation vulnerabilities.
A Note on Ethereum's Account Model: Ethereum supports two types of accounts, which have different implications for post-quantum migration: externally owned accounts (EOAs) controlled by secp256k1 private keys, and smart contract wallets with programmable authorization logic.
In non-urgent situations, when Ethereum adds support for post-quantum signatures, upgradable smart contract wallets can switch to post-quantum verification through contract upgrades — while EOAs may need to transfer assets to new post-quantum secure addresses (although Ethereum may also provide a dedicated migration mechanism for EOAs). In a quantum emergency situation, Ethereum researchers have proposed a hard fork solution: freezing vulnerable accounts, allowing users to recover assets using post-quantum secure SNARKs by proving they possess the mnemonic phrase. This mechanism applies to both EOAs and un-upgraded smart wallets.
The practical impact on users is that well-audited and upgradable smart wallets may provide a slightly smoother migration path — but the difference is not significant and comes with trust trade-offs regarding wallet providers and upgrade governance. More important than the account type is the Ethereum community's continued advancement of post-quantum primitives and emergency solutions.
Broader Design Insights: Many blockchains tightly couple account identity with specific cryptographic primitives — for example, both Bitcoin and Ethereum bind to secp256k1, while other chains bind to EdDSA. The difficulties of post-quantum migration highlight the value of decoupling account identity from specific signature schemes. The evolution of Ethereum towards smart accounts and the trend of account abstraction in other chains reflect this direction: allowing accounts to upgrade their authentication logic while retaining on-chain history and state. This will not make post-quantum migration simple, but it significantly enhances flexibility compared to locking accounts into a single signature scheme. (This also enables other functionalities, such as transaction delegation, social recovery, multi-signature, etc.)
4. For Privacy Chains, Prioritize Migration as Long as Performance Allows
These chains encrypt or hide transaction details, so user privacy is currently exposed to HNDL attacks — although the severity varies by design. Chains that can be fully de-anonymized based solely on the public ledger are at the highest risk. A hybrid scheme (post-quantum + classical) can be adopted to guard against the possibility that the post-quantum scheme itself is proven insecure in classical scenarios, or architectural changes can be made to avoid placing decryptable secrets on-chain.
5. Near-Term Priority: Implementation Security, Not Quantum Threat Mitigation
Especially for complex primitives like SNARKs and post-quantum signatures, vulnerabilities and implementation attacks (side-channel, fault injection) will be far more realistic and urgent than CRQC for many years to come. We should now invest in audits, fuzz testing, formal verification, and multi-layer defenses — do not let concerns about quantum threats overshadow the more pressing real threat of vulnerabilities!
6. Support the Development of Quantum Computing
From a national security perspective, we must continue to invest in the research and development of quantum computing and talent cultivation. If major adversary nations achieve CRQC before the United States, it will pose serious national security risks to the U.S. and the world.
7. Maintain a Correct Perspective on Quantum Computing-Related Announcements
As quantum hardware matures, there will be a plethora of milestone news in the coming years. Ironically, the frequency of these news items is evidence that we are still quite far from CRQC: each milestone is just one of many bridges to the ultimate goal, and crossing each bridge generates a wave of media attention and excitement. News releases should be viewed as progress reports that require critical assessment, not as signals demanding immediate action.
Of course, unexpected breakthroughs may accelerate the timeline; there may also be significant bottlenecks that slow it down.
I want to emphasize: I do not believe that the emergence of CRQC within five years is "absolutely impossible," just "extremely unlikely." The above recommendations are robust against this uncertainty and can help us avoid more direct and realistic risks: vulnerabilities, hasty deployments, and the various errors common in cryptographic migration.
Justin Thaler is a research partner at a16z and an associate professor in the Department of Computer Science at Georgetown University. His research interests include verifiable computation, complexity theory, and algorithms for large-scale datasets.
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
