ZKSF logo, a neon quantum brainZKSF
← All articles

Post-Quantum Cryptography: A Primer on the Quantum-Safe Transition

· 11 min read · ZKSF team

Post-quantum cryptography (PQC), also called quantum-safe cryptography, is a set of classical encryption and signature schemes designed to remain secure against a large quantum computer. A point of confusion is worth resolving first: PQC runs on ordinary computers today. It is not quantum technology. It is the defense against quantum technology, and the reason it exists is a single algorithm, Shor's, whose eventual arrival on capable hardware would break most of the public-key cryptography now in use.

The questions we get asked most

We get asked the same questions constantly: when will quantum computing be able to break Bitcoin wallets, can you mine Bitcoin with a quantum computer, when will a quantum computer break Ethereum encryption, and is Zcash really post-quantum secure? They are worth answering directly and in plain language before the formal treatment, because they capture the real concern behind this topic more honestly than a standards table does. The short answer to all four is that the threat is real, specific, and future-dated, and that it is a signature problem far more than an encryption or a mining one.

When will a quantum computer be able to break Bitcoin wallets?

Bitcoin secures ownership with the elliptic-curve digital signature algorithm (ECDSA) over the secp256k1 curve. A large fault-tolerant quantum computer running Shor's algorithm could recover a private key from its corresponding public key, which is exactly the property that protects a wallet. The exposure is not uniform. Modern address types (P2PKH and native SegWit) publish only a hash of the public key, so the key itself becomes visible only at the moment coins are spent, which opens a limited window between a transaction being broadcast and being confirmed. Addresses that expose a public key directly, including reused ones and older pay-to-public-key outputs, are more exposed. No machine today can run Shor's algorithm at the scale secp256k1 requires. The resource estimates have fallen sharply: a 2026 analysis for elliptic-curve keys of Bitcoin's type points to roughly 1,200 logical qubits and under 500,000 physical qubits on a fault-tolerant machine, well down from earlier figures in the millions. Current hardware, at a few thousand physical qubits and its first few dozen logical qubits, is not close to that yet, so a break is not imminent. It turns on progress in error correction rather than the raw qubit-count figures that make headlines, and that progress has been rapid enough that the timeline is contracting rather than holding steady.

Can you mine Bitcoin with a quantum computer?

This is a different question, and the answer is largely no. Mining is proof of work: repeatedly hashing with SHA-256 to find an output below a target. Hashing has no algebraic structure for Shor's algorithm to exploit. The only relevant quantum tool is Grover's algorithm, which offers a mere quadratic speedup on unstructured search, reducing effective difficulty by roughly a square root rather than exponentially. In practice, the sequential nature of Grover iterations, the overhead of running them under error correction, and the clock-speed and massive parallelism of purpose-built classical ASICs mean a quantum computer is not expected to be competitive at mining for the foreseeable future. The security concern for Bitcoin is signature forgery, not mining.

When will a quantum computer break Ethereum encryption?

Ethereum accounts, like Bitcoin wallets, are secured by ECDSA over secp256k1, so the exposure is the same in kind: the vulnerability is signature forgery through Shor's algorithm, not a break of any encryption layer. The word encryption is a common misnomer here, since what protects an externally owned account is a signature scheme rather than a cipher. The same qubit-scale requirements and the same uncertain multi-year timelines apply. Ethereum's research community is actively studying migration paths, including account abstraction, which would let accounts adopt post-quantum signature schemes without changing the base protocol's core assumptions.

Is Zcash really post-quantum secure?

Privacy and quantum resistance are separate properties, and Zcash provides the first without providing the second. Zcash conceals amounts and addresses using zero-knowledge proofs (Halo 2 in the current Orchard shielded pool), and it authorizes spends with elliptic-curve signatures. Both the proof system and the signatures rest on the hardness of discrete-logarithm problems, which Shor's algorithm solves. A sufficiently large quantum computer could therefore forge spends, and shielding does not change that, though it does keep transaction contents hidden. Zcash is strongly private but not post-quantum secure in its present construction, a distinction that applies to essentially every deployed privacy coin and zero-knowledge rollup built on elliptic-curve assumptions.

The common thread across all four is straightforward: today's blockchains authorize actions with elliptic-curve signatures, and elliptic-curve cryptography is precisely what Shor's algorithm defeats. None of this is a present-day capability, and the migration question for cryptocurrencies is an open protocol-governance problem rather than a solved one.

The underlying threat, precisely

With the popular questions addressed, the formal picture is narrower than the coverage often suggests. Shor's algorithm, run on a sufficiently large fault-tolerant quantum computer, solves integer factorization and discrete logarithms in polynomial time. That breaks the public-key cryptography that establishes shared keys and signs data: RSA, finite-field Diffie-Hellman, and all elliptic-curve schemes fall together. Symmetric cryptography is affected far less. Grover's algorithm gives only a quadratic speedup against symmetric ciphers and hash functions, and that is neutralized by doubling key or output lengths, so AES-256 and SHA-384 remain secure. The exposure is concentrated almost entirely in the public-key layer.

Scheme                          Role                       Effect of a capable quantum computer
RSA-2048                        keys, signatures           broken by Shor's algorithm
Finite-field Diffie-Hellman     key exchange               broken by Shor's algorithm
ECC / ECDSA (P-256, secp256k1)  signatures, key exchange   broken by Shor's algorithm
AES-128 (symmetric)             bulk encryption            effective security halved to ~64 bits (Grover)
AES-256 (symmetric)             bulk encryption            effective security ~128 bits, still secure
SHA-256 (hash)                  integrity, proof of work   preimage search sped up quadratically, still safe
ML-KEM / ML-DSA (PQC)           keys, signatures           no known quantum attack

Harvest now, decrypt later

No machine can run Shor's algorithm at threatening scale today, and public estimates for when one might appear span a wide range, from roughly a decade in the more aggressive industry projections to the mid-2040s in government planning documents. The reason to act now does not depend on fixing that date. It is a threat model known as harvest-now-decrypt-later, sometimes called store-now-decrypt-later. An adversary records encrypted traffic today and retains it, then decrypts it once a capable quantum computer exists. Any secret that must stay confidential beyond the arrival of that machine is therefore exposed in the present, even though the machine does not yet exist. The quantity that matters is the sum of how long data must stay secret and how long migration will take, measured against the expected arrival of cryptographically relevant hardware, a comparison often named Mosca's inequality. For data with a ten to twenty-five year confidentiality requirement, such as health records, state secrets, and financial and legal archives, that exposure window is arguably open already.

The trajectory is now concrete rather than speculative. Through 2025 and 2026 the field crossed from counting raw physical qubits into the error-corrected, logical-qubit regime: commercial devices demonstrated tens of logical qubits (a Quantinuum system reported 48 logical qubits from 98 physical, and QuEra reported 96 logical qubits running a full algorithm), and Google demonstrated below-threshold error correction, in which adding physical qubits lowers the logical error rate rather than raising it. Multiple roadmaps target around 100 logical qubits by 2026 to 2027 and a few hundred by the end of the decade. None of this is yet a cryptographically relevant machine, which needs error-corrected qubits in the thousands operating for hours, but the pace of the last two years is why migration planning has moved from prudent to pressing.

What NIST standardized

In 2024 the United States National Institute of Standards and Technology finalized its first post-quantum standards after a multi-year public competition.

  • ML-KEM (FIPS 203, derived from CRYSTALS-Kyber), for key encapsulation, meaning the establishment of a shared secret.
  • ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium), for digital signatures.
  • SLH-DSA (FIPS 205, derived from SPHINCS+), a stateless hash-based signature scheme included as a hedge, since it rests on entirely different assumptions from the lattice schemes.

A further signature standard based on the FALCON scheme (FN-DSA) is in preparation for cases where compact signatures matter. Most of these schemes derive their security from the hardness of structured lattice problems, which are not currently known to be vulnerable to quantum attack. The prevailing deployment pattern is hybrid: a classical scheme and a post-quantum scheme run together, so that a weakness later found in either one alone does not by itself compromise the connection.

What this means for governments

Government bodies face the longest confidentiality horizons and the most explicit mandates, which makes them the earliest movers. In the United States, National Security Memorandum 10 and the subsequent Office of Management and Budget guidance direct federal agencies to inventory their cryptographic systems and plan migration, while the National Security Agency's CNSA 2.0 suite sets timelines for national-security systems to adopt ML-KEM and ML-DSA, with target dates running through the early 2030s. The practical program has three parts: build a cryptographic inventory that records where every key, certificate, and protocol actually lives, which is harder than it sounds in a large estate; prioritize by data lifetime and exposure; and adopt crypto-agility so that algorithms can be replaced without re-architecting the systems around them. Defense, intelligence, diplomatic, and long-lived civil records are the clearest priorities, precisely because their secrecy requirements outlast any plausible estimate of when the threat arrives.

What this means for banks and financial institutions

Financial institutions combine long-lived confidential data with heavily regulated, deeply embedded cryptography, which makes their migration both urgent and slow. Signatures and key exchange protect payment authorization, interbank messaging, card networks, and the TLS that secures every customer session, and much of this runs on hardware security modules and standards that assume specific algorithms. Three exposures are worth separating:

  • Confidentiality of records. Account histories, contracts, and personal data carry multi-decade secrecy requirements and sit squarely inside the harvest-now-decrypt-later window.
  • Integrity of authorization. Payment and settlement signatures must resist forgery for as long as the transactions they authorize can still be disputed.
  • Digital-asset custody. Institutions holding Bitcoin, Ether, or other elliptic-curve-secured assets inherit the wallet exposure described earlier and should track their custody providers' migration plans directly.

Regulators and market-infrastructure bodies have begun to respond, and quantum readiness now appears in supervisory assessments of payment and settlement systems. The sensible institutional posture is a cryptographic inventory, hybrid key exchange on external connections, and explicit vendor commitments to the NIST standards, all started well before the threat is imminent, because migration at this scale is measured in years rather than months.

What this means for service providers and ISPs

For internet service providers, cloud platforms, and other infrastructure operators, the transition is already visibly underway at the transport layer. Hybrid post-quantum key exchange, combining the classical X25519 with ML-KEM, is deployed in major browsers and across large content-delivery and cloud networks, so a meaningful share of TLS traffic is already protected against harvest-now-decrypt-later attacks on the key-exchange step. The remaining work is broader than the browser: VPN and IPsec tunnels, SSH, DNS security, the public-key infrastructure that issues certificates, and the firmware-signing and code-signing chains that secure device fleets all need post-quantum paths. That last category matters most, because hardware shipped today may still be in service when the threat matures, and a device that cannot have its signing keys upgraded becomes a long-term liability. Crypto-agility is again the operative requirement: the goal is not a single migration event but the standing ability to rotate algorithms as standards and threats evolve.

Where quantum simulation fits

Post-quantum cryptography is a classical-cryptography topic rather than a quantum-computing product, but the two are linked at the root. The reason PQC exists is Shor's algorithm, and the timeline for the threat is set by progress in quantum hardware and error correction, not by cryptographic developments. Following that progress well requires distinguishing what quantum computers can actually do today from what they might do later, and simulation is the primary tool for building that judgment. Shor's algorithm can be run at small scale to see precisely why it endangers RSA and elliptic-curve cryptography, and error-correction codes can be studied to gauge how far current hardware sits from the qubit counts that would matter. Both are exact, inexpensive experiments on a simulator, and both are more informative than tracking qubit-count announcements.

The practical recommendation for any organization handling long-lived secrets is to treat migration as a present-tense engineering project rather than a future contingency: inventory cryptographic assets, adopt crypto-agility, deploy hybrid key exchange on external connections, follow the NIST standards as they finalize, and track quantum-hardware milestones through primary technical progress rather than secondary coverage. The mathematics that motivates all of it can be explored exactly, on a simulator, today, which remains the most grounded way to separate a genuine multi-year risk from the noise around it.

Run your own 100-qubit circuit, with an error bar.