CBDC Quantum Security: Why Central Bank Digital Currencies Must Plan for Q-Day Now

CBDCs face unique quantum risk: decade-long lifetimes, nation-state threat actors, and sovereign financial stakes. Most current CBDC prototypes use ECDSA. The time to redesign is before deployment, not after.

QuanChain Research
June 26, 2026

The Unique Quantum Risk Profile of CBDCs

Central bank digital currencies occupy a distinct position in the quantum cryptography threat landscape. Unlike retail cryptocurrency, CBDCs are government-issued, government-operated, and government-guaranteed. Their expected operational lifetimes extend decades. They are high-value targets for nation-state-level adversaries who have both the motivation to attack sovereign financial infrastructure and the resources to invest in long-horizon cryptanalytic programs. And they are being designed right now, which means architects have the opportunity to build post-quantum security into the foundation rather than retrofitting it later.

The combination of these factors (long lifetime, sovereign stakes, nation-state threat actors, and systems still in their design phase) makes CBDC quantum security an urgent question despite the fact that no cryptographically relevant quantum computer (CRQC) exists today. The decisions made in CBDC design specifications written in 2025 and 2026 will determine the cryptographic architecture of systems that may be operating in 2045 or 2055. The uncertainty in quantum computing timelines does not reduce this urgency; it amplifies it. Planning for a range of timelines is more prudent than planning for the most optimistic one.

The Current CBDC Landscape

As of mid-2026, the global CBDC landscape is well past the research phase. China's e-CNY (digital renminbi) has reached scale deployment, with billions of yuan in transactions processed through the platform and tens of millions of active wallets. The People's Bank of China has not publicly disclosed the specific cryptographic schemes used in e-CNY's production implementation, but academic analyses of available technical documentation suggest reliance on SM2, China's domestic elliptic curve standard, which carries quantum vulnerability comparable to ECDSA.

The European Central Bank's digital euro project entered its preparation phase in October 2023, with a target for a potential issuance decision around 2027-2028. The digital euro's technical design, under development by the ECB and Eurosystem national central banks, references NIST standards for cryptographic algorithm selection. The design includes consideration of post-quantum cryptography, but published documents as of 2026 describe PQC as a future migration rather than a launch requirement.

The U.S. Federal Reserve has not committed to a CBDC but conducts ongoing research through the Boston Fed's Project Hamilton and the New York Fed's Project Cedar. Both research programs have examined post-quantum cryptographic requirements and the technical challenges of implementing PQC in high-throughput payment systems. The Fed's research posture is cautious: no CBDC design decisions have been made that would lock in classical cryptographic schemes.

Dozens of other central banks are in active pilot or design phases, including the Bank of England's digital pound consultation, the Reserve Bank of India's e-Rupee pilot, and the Bank of Japan's CBDC proof-of-concept program. The BIS Innovation Hub coordinates technical work across these national projects, providing shared research infrastructure and published technical guidance. Central bank digital currencies face particularly acute quantum risk given their sovereign stakes and decade-long operational lifetimes.

Current Cryptographic Schemes and Their Quantum Exposure

Most CBDC prototypes and pilots use ECDSA or Ed25519 for transaction signing and ECDH for transport layer key exchange. These are the same algorithms used in existing blockchain platforms and internet security infrastructure, and they carry identical quantum vulnerability profiles.

ECDSA and Ed25519 private keys can be derived from their corresponding public keys by an adversary with a CRQC of sufficient qubit count and quality. The specific qubit requirement is estimated at between 2,000 and 4,000 logical qubits for 256-bit elliptic curve keys under current algorithmic assumptions, with the exact number depending on circuit depth and error correction overhead. The quantum vulnerability of elliptic curve cryptography is well-characterized in the academic literature.

For CBDC transaction records, the threat is twofold. Transaction signing keys could be compromised by a CRQC, allowing an attacker to forge transactions or prove ownership of CBDC balances that they do not legitimately hold. And transaction records, which may be stored encrypted on central bank infrastructure, could be decrypted retroactively. Depending on the privacy architecture of the CBDC, this could expose the transaction histories of individual citizens or commercial entities to adversaries who collected the data years earlier.

The Harvest-Now/Decrypt-Later Threat to CBDC Records

The harvest-now/decrypt-later threat is particularly acute for CBDC transaction records because of their sovereign context. State-sponsored adversaries monitoring financial flows between individuals and businesses, supply chain payments, government disbursements, and financial sanctions compliance have strong incentives to collect CBDC transaction data today for retroactive decryption.

A nation that deploys a CBDC with classical cryptography in 2026 is creating a permanent record of its citizens' and businesses' financial transactions that could be readable by adversary states in 2035 if a CRQC becomes available on that timeline. The sensitivity of this data does not expire when the individual transaction settles; transaction histories revealing trade secrets, investment strategies, or individual financial circumstances remain sensitive for years or decades.

Central banks designing CBDC systems should treat the protection of transaction record privacy as a requirement with a time horizon matching the CBDC's operational lifetime, not just the transaction settlement window. Post-quantum protection of the transport layer and storage encryption is a requirement derivable directly from this design principle.

BIS Innovation Hub and Quantum-Safe CBDC Architecture

The Bank for International Settlements Innovation Hub published technical research on quantum-safe CBDC design in 2023 and 2024. The BIS research identified three layers of quantum risk in CBDC architecture: the payment transaction layer (signing and verification), the messaging layer (central bank to commercial bank communications), and the ledger storage layer (persistent transaction records).

The BIS recommended a phased migration approach: begin with the messaging layer, where post-quantum TLS can be deployed immediately without changes to CBDC-specific protocols; proceed to ledger storage encryption using post-quantum key encapsulation; and complete migration with transaction signature scheme replacement, the most complex and operationally disruptive layer.

The BIS technical paper also noted that hardware security modules (HSMs) are central to CBDC key management and that HSM vendors must support CNSA 2.0 algorithms for a complete quantum-safe deployment. As of 2024, major HSM vendors including Thales and Utimaco had announced roadmaps for FIPS 203 and FIPS 204 support, with availability in 2025-2026. CBDC architects should verify HSM vendor roadmaps as a procurement constraint before finalizing cryptographic design specifications.

What a Quantum-Safe CBDC Architecture Requires

A quantum-safe CBDC architecture requires post-quantum algorithms at each of the three layers identified by BIS, plus a key rotation protocol:

For transaction signing: ML-DSA (FIPS 204) for all transaction signatures, with ML-DSA-65 as a minimum and ML-DSA-87 for high-security implementations.

For transport encryption: ML-KEM (FIPS 203) for key encapsulation in all central bank communications, deployed in hybrid mode with X25519 during the transition period.

For storage encryption: AES-256 with post-quantum key management; the session keys used to encrypt stored records must be derived from post-quantum key exchange to prevent retroactive decryption.

For key rotation: a defined key rotation protocol that ensures no signing key is in use long enough to be at elevated quantum risk, with hardware security module support for the full key lifecycle.

The NIST PQC standards provide the algorithmic foundation for all of these layers. The implementation challenge for CBDCs is not algorithm selection but performance at scale. China's e-CNY reportedly processes hundreds of thousands of transactions per second in peak scenarios. ML-DSA signatures at 2.4 to 4.6 KB each require significantly more bandwidth and storage than 64-byte ECDSA signatures. Hardware acceleration for ML-DSA signature generation and verification is a requirement for high-throughput CBDC deployment, and this must be accounted for in infrastructure planning.

Why CBDC Designers Have More Time but Less Margin for Error

CBDCs have structural advantages over retail cryptocurrency and enterprise blockchain in managing quantum migration. Central banks control the entire deployment infrastructure: there is no decentralized network of independent validators to coordinate. Coordinated upgrades can be mandated rather than negotiated. Key rotation protocols can be enforced at the protocol level. The attack surface is known and bounded.

These advantages create a temptation to defer post-quantum migration. A central bank can decide that the migration will happen in 2030 and implement the protocol change on a specific date. This controlled upgrade path is genuinely easier than the equivalent migration on a decentralized network.

But the margin for error on a sovereign financial system is correspondingly smaller. A cryptographic failure in a CBDC is not an inconvenience to individual users; it is a failure of a national monetary instrument. The political and economic consequences of a successful attack on a CBDC's cryptographic integrity, whether through key compromise, forged transactions, or mass decryption of transaction history, are categorically more severe than the equivalent attack on a retail cryptocurrency.

The appropriate response to this asymmetry is to begin post-quantum design work now, during the current design phase, rather than treating it as a future migration. Protecting cryptographic systems from quantum threats is substantially cheaper and lower-risk when done at design time than when retrofitted into systems already in operation. CBDC projects still in design or pilot phases have this opportunity. Those that deploy with classical-only cryptography will eventually face the harder path.
