Security

Harvest Now, Decrypt Later: Why the Quantum Threat Is Already Here

Most people assume the quantum threat to blockchain is a future problem. It is not. Sophisticated adversaries can, and by every indication do, archive blockchain data and the public keys it exposes today, banking on the arrival of fault-tolerant quantum hardware to recover the matching private keys later. This strategy is called harvest now, decrypt later, and it is the reason the quantum risk to your crypto is not ten years away.

Dr. Sarah Chen
March 3, 2025
14 min read

The Problem With Thinking Quantum Threats Are Future Problems

There is a common and deeply dangerous assumption in the blockchain community: that quantum computing is a problem for another decade. The hardware is not powerful enough yet, the thinking goes, so we have time to plan, time to migrate, time to upgrade before anything bad happens.

This assumption is wrong in the most important possible way. The threat is not waiting for quantum computers to arrive. The threat is already being executed by adversaries who understood something crucial years ago: you do not need a quantum computer to harvest data for a quantum computer. You just need patience, storage capacity, and the foresight to collect today what you plan to decrypt tomorrow.

This strategy has a name: harvest now, decrypt later. And understanding it changes everything about how you should think about blockchain security today.

What Harvest Now, Decrypt Later Actually Means

The core idea is simple. Modern public-key cryptography is computationally hard to break with classical computers. But it will not always be. Once fault-tolerant quantum computers with sufficient logical qubit counts become operational, Shor's algorithm will solve the elliptic curve discrete logarithm problem directly, deriving a private key from its public key in hours rather than the astronomically long time a classical attack would take. Symmetric ciphers and hash functions are only weakened by known quantum algorithms, not broken; the exposure discussed here is specific to public keys.

An adversary who understands this does not need to wait for that hardware to exist before starting their attack. They start collecting right now. They record encrypted communications, store exposed public keys, archive transaction histories, and build databases of cryptographic material that will become valuable once the hardware arrives to process it.

For most encrypted data, this is concerning but not catastrophic. The information has a shelf life. A stolen corporate memo from 2025 is not particularly useful in 2040.

Blockchain is a completely different story.

Why Blockchain Is Uniquely Vulnerable to This Attack

Public blockchains are permanent, immutable, and completely public. Every transaction ever made on Bitcoin or Ethereum is sitting in a database that anyone in the world can download, right now, for free. That database is not going anywhere. It will be just as accessible in 2035 or 2045 as it is today.

More critically: for the common address types, every time you spend from a Bitcoin or Ethereum address you expose your public key. Not just to people watching the network in real time, but to anyone who ever downloads the blockchain, forever, including adversaries who will one day hold hardware that does not exist yet.

This is what makes the harvest now, decrypt later attack so dangerous for blockchain specifically. The data is already harvested. Every exposed public key on every major blockchain is already in the collection of anyone who wants to run this attack. Adversaries do not need to intercept anything. They just need to keep a copy of the public blockchain, which costs almost nothing.

When fault-tolerant quantum hardware arrives, they have everything they need to start recovering private keys and draining the funds associated with any address that ever exposed its public key on chain.

Which Addresses Are Actually at Risk

Not all blockchain addresses are equally vulnerable. The risk depends on whether your public key has ever been exposed on chain. There are several specific scenarios where exposure occurs.

Reused Bitcoin Addresses

Although the Bitcoin whitepaper recommended a fresh key pair for every transaction, early wallets made address reuse the path of least resistance, and the earliest pay-to-public-key outputs placed the raw key directly in the output. In the early years, many users sent and received funds repeatedly from the same address. Every time you spend from a Bitcoin address, the signature attached to that transaction reveals your public key: for pay-to-public-key-hash outputs the key is pushed explicitly alongside the signature, and in any case an ECDSA public key is recoverable from the signature and the signed hash. If you have ever spent from an address and it still holds funds, your public key is permanently on the public record and your remaining funds are exposed to a future quantum attack.

Estimates vary, but a significant portion of all Bitcoin in circulation sits in addresses that have spent at least once, so their public keys are already exposed. Some estimates put this figure above 30 percent of the circulating supply.

Standard Ethereum Accounts

Ethereum's account model is different, but the vulnerability is the same. An Ethereum address is a hash of the public key, so an account that has only ever received funds keeps its key hidden. Every externally owned account that has initiated a transaction, however, has exposed its key through the transaction's (v, r, s) signature values: Ethereum does not even carry the public key explicitly, because every verifier recovers it from the signature, the same operation the ecrecover precompile performs. If you have ever sent ETH or interacted with a smart contract from your main wallet, your public key is recoverable from the chain forever.

This includes the vast majority of active Ethereum wallets, because you cannot interact with DeFi protocols, NFT marketplaces, or any on-chain application without initiating a transaction that reveals your public key.
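To make the exposure in both the Bitcoin and the Ethereum case concrete, here is an added example (not code from the original article or from any wallet project) in pure Python: a minimal secp256k1 ECDSA signer and the public-key recovery that Ethereum's ecrecover performs. The private key, the message hash and the SHA-256 stand-in for Bitcoin's hash160 commitment are all constructed for the demonstration, and the deterministic nonce derivation is a simplified stand-in for RFC 6979, not a production signer.

```python
import hashlib

# secp256k1 domain parameters: the curve behind both Bitcoin and Ethereum signatures
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add: k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey(priv):
    return scalar_mult(priv, G)


def compress(pub):
    """33-byte SEC1 encoding, the form carried in a P2PKH scriptSig or P2WPKH witness."""
    return bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")


def sign(priv, z):
    """ECDSA over a 32-byte message hash z; returns (r, s, v) with v the recovery id.
    The nonce is derived from key and hash as a simplified stand-in for RFC 6979
    (a repeated or predictable k leaks the private key outright)."""
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    R = scalar_mult(k, G)
    r = R[0] % N
    assert 0 < k and 0 < r and R[0] < N, "degenerate nonce; a real signer resamples k"
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s, R[1] & 1


def recover_pubkey(z, r, s, v):
    """What Ethereum calls ecrecover: rebuild the signer's key from (r, s, v) and z.
    Lift r to R = (r, y) with parity v, then Q = r^-1 * (s*R - z*G)."""
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # modular sqrt; valid because P % 4 == 3
    if y & 1 != v:
        y = P - y
    zG = scalar_mult(z, G)
    diff = point_add(scalar_mult(s, (r, y)), (zG[0], (-zG[1]) % P))
    return scalar_mult(pow(r, -1, N), diff)


def verify(pub, z, r, s):
    """Standard ECDSA verification. It takes the public key as input, which is why
    a P2PKH spend must publish the key alongside the signature."""
    w = pow(s, -1, N)
    X = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return X is not None and X[0] % N == r


def exposure_demo():
    """Constructed scenario: a hashed address receives coins (key hidden), then spends once.
    An observer holding nothing but the chain data recovers the full public key."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key, not a real wallet").digest(), "big") % N
    pub = pubkey(priv)
    # Stand-in for Bitcoin's hash160 commitment (RIPEMD-160 is not guaranteed in hashlib).
    address_hash = hashlib.sha256(compress(pub)).digest()
    z = int.from_bytes(hashlib.sha256(b"constructed spending transaction").digest(), "big")
    r, s, v = sign(priv, z)                 # what the first spend publishes
    observed = recover_pubkey(z, r, s, v)  # what the harvester derives from it
    return {"pub": pub, "recovered": observed,
            "hash_matches": hashlib.sha256(compress(observed)).digest() == address_hash}


if __name__ == "__main__":
    print(exposure_demo())
```

Before the spend, the chain holds only the hash of the key and a harvester has nothing to work with. After one spend, recover_pubkey turns the published (r, s, v) back into the full curve point whether or not the transaction format carried the key explicitly, and that point is the input Shor's algorithm needs. Note also that verify takes the public key as a parameter: any scheme that lets a network check an ECDSA signature hands the key to every node that checks it.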

Address Types That Offer Some Protection

Output types that commit only to a hash of the key, the classic Pay-to-Public-Key-Hash and its SegWit successor Pay-to-Witness-Public-Key-Hash, do not reveal the public key until the address spends for the first time; the output script holds only the hash160 of the key. If you receive funds to one of these addresses and never spend from it, your public key remains unknown. Pay-to-Taproot is the exception among modern formats: a Taproot output writes the (tweaked) x-only public key directly into the output script, so it is exposed from the moment it receives funds, whether or not it ever spends. For the hashed types the protection is real but conditional: the moment you spend, it ends permanently.

The fundamental problem is that spending is the whole point. A wallet that can never spend is not useful. And the instant you spend, you are vulnerable.
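The following added example (not code from the article or from Bitcoin Core) classifies a Bitcoin scriptPubKey by its standard template and reports whether that output type already exposes a public key on receipt (P2PK carries the raw key, P2TR the x-only output key; the hashed types do not), then totals a constructed wallet's exposed and conditional balances. The sample UTXOs and the 20- and 32-byte placeholder digests are constructed; the address_has_spent flag is the kind of fact a block explorer or your own node supplies.

```python
from dataclasses import dataclass


def classify_script_pubkey(spk):
    """Return (output_type, key_exposed_on_receipt) for a raw Bitcoin scriptPubKey,
    matched against the standard output templates."""
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG: hash only
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False    # OP_HASH160 <20> OP_EQUAL: script hash only
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False  # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False   # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True     # OP_1 <32-byte x-only output key>: the key itself is on chain
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True     # <pubkey> OP_CHECKSIG: 2009-era output, raw key on chain
    return "unknown", True      # conservative default for non-standard scripts


@dataclass
class Utxo:
    script_pubkey: bytes
    value_sats: int
    address_has_spent: bool  # any prior outgoing transaction from this address (explorer / own node)


def quantum_exposure(utxos):
    """Triage a wallet: value is 'exposed' when the output type reveals the key on receipt
    or the address has already spent; otherwise it is 'conditional' (safe until first spend)."""
    exposed = conditional = 0
    detail = []
    for u in utxos:
        kind, on_receipt = classify_script_pubkey(u.script_pubkey)
        is_exposed = on_receipt or u.address_has_spent
        detail.append((kind, is_exposed, u.value_sats))
        if is_exposed:
            exposed += u.value_sats
        else:
            conditional += u.value_sats
    return {"exposed_sats": exposed, "conditional_sats": conditional, "detail": detail}


# Constructed placeholders standing in for real digests and keys.
H20, H32 = bytes(range(20)), bytes(range(32))
PUB33 = b"\x02" + bytes(range(32))

SAMPLE_UTXOS = [  # constructed wallet, not real chain data
    Utxo(b"\x76\xa9\x14" + H20 + b"\x88\xac", 150_000_000, True),  # reused legacy address: exposed
    Utxo(b"\x00\x14" + H20, 80_000_000, False),                     # fresh SegWit receive: conditional
    Utxo(b"\x51\x20" + H32, 30_000_000, False),                     # taproot: exposed on receipt
    Utxo(b"\x21" + PUB33 + b"\xac", 5_000_000, False),              # 2009-style P2PK: exposed
]

if __name__ == "__main__":
    print(quantum_exposure(SAMPLE_UTXOS))
```

The "unknown" branch deliberately errs toward exposed: a script you cannot classify should be investigated, not assumed safe. Run over a real wallet's UTXO set, the exposed_sats total is the figure that answers the "which of my holdings are at long-range risk" question.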

The Timeline Is Closer Than the Headlines Suggest

Quantum computing progress tends to get reported in two extreme ways. Either breathless headlines about quantum supremacy milestones that have no direct cryptographic relevance, or dismissive commentary from classical computing researchers who underestimate the pace of hardware progress. Neither is useful for making accurate risk assessments.

The relevant question is not "when will a quantum computer exist?" Quantum computers already exist. The question is: when will a fault-tolerant quantum computer with enough logical qubits to run Shor's algorithm against secp256k1 exist?

Roetteler et al. estimated in 2017 that running Shor's algorithm against a 256-bit elliptic curve key needs roughly 2,330 fault-tolerant logical qubits. Webber et al. (2022) translated that into physical hardware for secp256k1 under surface code error correction: about 13 million physical qubits to recover a key within a day, or on the order of 317 million to do it within an hour, at realistic physical error rates. The exact figures move with every improvement in error correction, but the gap between today's machines and that threshold is the quantity the timeline debate is actually about.

The QuanChain Quantum Threat Calculator models three progress scenarios based on doubling rates for logical qubit capacity. In the moderate scenario, with logical qubit counts doubling every 20 months from a 2024 baseline, the threshold is crossed around 2039. In the aggressive scenario, driven by nation-state investment or algorithmic breakthroughs in error correction, the timeline compresses to roughly 2033. The conservative scenario pushes it toward the mid-2040s.

The important insight is not any specific year. It is the range. We are not talking about a science fiction timeline. We are talking about within the working careers of people in the industry today, and well within the time horizon of financial assets and infrastructure that need to remain secure for decades.

Nation-States Are Already Running This Playbook

The harvest now, decrypt later strategy is not theoretical. Official guidance from the US National Security Agency and CISA, and from the UK's National Cyber Security Centre, the public-facing arm of GCHQ, names it as a present-day threat from foreign intelligence services, and reporting on signals intelligence collection programs has long indicated that encrypted traffic which cannot be read today is retained for later decryption rather than discarded.

The focus of these programs has historically been on government and corporate communications. But blockchain data is a much easier target. There is nothing to intercept. The data is public. Anyone who wants a complete archive of the Bitcoin or Ethereum blockchain can download it today for the cost of a few terabytes of storage.

It would be surprising if sophisticated state-level actors had not already built these archives. It would also be surprising if they were the only ones. Criminal organizations with long time horizons, hedge funds with positions in quantum computing companies, and opportunistic actors with access to cheap storage all have reasons to collect now and wait.

The Migration Problem Is Harder Than It Sounds

The standard response to this analysis is: fine, we will migrate to post-quantum cryptography before the quantum computers arrive. Problem solved.

This underestimates the difficulty significantly.

For a blockchain network, migration is not a software update. It is a protocol change that requires coordination across thousands of independent validators, wallet developers, exchange operators, and end users. Bitcoin, for instance, has struggled to coordinate relatively minor protocol upgrades for years. A cryptographic primitive change is orders of magnitude more complex.

Even if a migration plan were agreed upon today, execution would take years. And any wallet that fails to migrate before quantum hardware arrives leaves its funds permanently vulnerable. With Bitcoin's famously distributed governance, getting every coin migrated before the deadline is essentially impossible.

Ethereum is in a better position governance-wise, but still faces the fundamental problem that many addresses are controlled by people who have lost access to their keys, died, or simply lost interest in the asset. Those funds cannot be migrated. They sit in place, public keys exposed, waiting.

There is also a subtler problem: migration to post-quantum cryptography on an existing blockchain requires exposing your public key one final time in the migration transaction itself. For hashed address types the key becomes public only when that transaction is broadcast, so the attacker's window is the time between broadcast and confirmation: to profit, they must derive the private key from the freshly exposed public key and get a competing transaction mined first. That is the short-range variant of the attack. It needs far faster hardware than the long-range harvest described above, but it makes migration transactions the last moment of exposure and a natural target for anyone who has that hardware.

What Structural Immunity Actually Looks Like

The only approach that is immune to harvest now, decrypt later is one in which no public key that still guards funds ever sits in the historic record. If every key that can be read from the chain is already retired and empty, there is nothing worth harvesting.

This is the architectural principle behind TADEQS. On QuanChain, value is never locked behind a public key. It is locked behind an address hash, which is the output of a one-way hash function applied to the public key, not the public key itself. The network validates spending not against the public key but against a hash commitment registered when the child wallet was created.

The public key is used exactly once: to generate a signature that authorizes a spend. That signature is visible for the duration of the transaction broadcast window, and then the child wallet is retired. By the time the transaction is confirmed, the signed key is already gone from the active address space. The next transaction comes from a new child wallet derived from the parent identity, with a fresh key pair that has never been seen before.

This is what SpendAndRotate means in practice. The atomic combination of spending from the current child and deriving a new one means there is never a window where a spent key still guards live funds. The key that authorized your last transaction cannot be used to steal from your next address, because your next address was created with a key that did not exist when your last transaction was signed.

The harvest now, decrypt later attack requires two things: historical public key material that still guards funds, and future quantum hardware to process it. TADEQS removes the first. Any key material an observer could capture belongs to a child wallet that has already been retired and guards nothing, so there is nothing of value for the quantum hardware to run against, however powerful it becomes. What remains is the short-range race within the broadcast window, which is bounded by confirmation latency rather than by decades of chain history.
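The following is an added illustrative model of the spend-and-rotate principle described above. It is not QuanChain's TADEQS code, and its mechanics are assumptions made for the demonstration: child secrets are derived from the parent seed with HMAC-SHA256, the one-time signature scheme is a plain Lamport scheme (chosen because a Lamport key is single-use by construction), and the ledger is an in-memory dictionary keyed by H(pub). What the model shows is the property the text claims: the public key that authorizes a spend appears exactly once, the commitment it belonged to is drained and retired in the same step, and a replay or a later key recovery finds nothing behind it.

```python
import hashlib
import hmac


def H(data):
    return hashlib.sha256(data).digest()


def derive_child_secret(parent_seed, index):
    """Child secret from the parent identity; HMAC-SHA256 as the KDF is an assumption here."""
    return hmac.new(parent_seed, b"child:" + index.to_bytes(4, "big"), hashlib.sha256).digest()


def lamport_keypair(child_secret):
    """Lamport one-time keys: 256 bit positions x 2 preimages; pub is the 512 hashes (16 KiB)."""
    priv = [[H(child_secret + bytes([b]) + i.to_bytes(2, "big")) for b in (0, 1)] for i in range(256)]
    pub = b"".join(H(priv[i][b]) for i in range(256) for b in (0, 1))
    return priv, pub


def lamport_sign(priv, msg):
    """Reveal one preimage per bit of H(msg). A second signature would leak more preimages,
    which is exactly why the key must retire after one spend."""
    digest = int.from_bytes(H(msg), "big")
    return b"".join(priv[i][(digest >> (255 - i)) & 1] for i in range(256))


def lamport_verify(pub, msg, sig):
    digest = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (digest >> (255 - i)) & 1
        if H(sig[i * 32:(i + 1) * 32]) != pub[(2 * i + bit) * 32:(2 * i + bit + 1) * 32]:
            return False
    return True


def spend_message(recipient, amount, change_commitment):
    """The signed payload binds recipient, amount and the next child's commitment together."""
    return b"spend" + recipient + amount.to_bytes(8, "big") + change_commitment


class Ledger:
    """Value is locked behind H(pub), never behind pub. A spend reveals pub exactly once,
    drains the commitment entirely, and retires it."""

    def __init__(self):
        self.balances = {}
        self.retired = set()

    def fund(self, commitment, amount):
        self.balances[commitment] = self.balances.get(commitment, 0) + amount

    def spend(self, pub, sig, recipient, amount, change_commitment):
        commitment = H(pub)
        if commitment in self.retired:
            raise ValueError("commitment already spent: this key is exposed and retired")
        if self.balances.get(commitment, 0) < amount:
            raise ValueError("unknown commitment or insufficient funds")
        if not lamport_verify(pub, spend_message(recipient, amount, change_commitment), sig):
            raise ValueError("bad signature")
        balance = self.balances.pop(commitment)
        self.retired.add(commitment)                    # nothing is ever locked behind pub again
        self.fund(recipient, amount)
        self.fund(change_commitment, balance - amount)  # remainder moves to the fresh child


class RotatingWallet:
    def __init__(self, parent_seed):
        self.parent_seed, self.index = parent_seed, 0

    def commitment(self, index=None):
        i = self.index if index is None else index
        return H(lamport_keypair(derive_child_secret(self.parent_seed, i))[1])

    def spend_and_rotate(self, ledger, recipient, amount):
        """One atomic step: sign with the current child, send change to the next child, advance."""
        priv, pub = lamport_keypair(derive_child_secret(self.parent_seed, self.index))
        next_commitment = self.commitment(self.index + 1)
        sig = lamport_sign(priv, spend_message(recipient, amount, next_commitment))
        ledger.spend(pub, sig, recipient, amount, next_commitment)
        self.index += 1
        return pub, sig  # everything an observer of the broadcast gets to keep


def rotation_demo():
    """Constructed scenario: fund child 0, spend once, then check what a harvester holds."""
    ledger, wallet = Ledger(), RotatingWallet(b"constructed parent seed, not a real wallet")
    merchant = H(b"constructed merchant commitment")
    ledger.fund(wallet.commitment(), 1000)
    exposed_pub, sig = wallet.spend_and_rotate(ledger, merchant, 250)
    try:  # replaying the exposed key (or a private key later recovered from it) against the ledger
        ledger.spend(exposed_pub, sig, merchant, 250, wallet.commitment())
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"behind_exposed_key": ledger.balances.get(H(exposed_pub), 0),
            "exposed_key_retired": H(exposed_pub) in ledger.retired,
            "replay_rejected": replay_rejected,
            "wallet_balance": ledger.balances[wallet.commitment()],
            "merchant_balance": ledger.balances[merchant]}


if __name__ == "__main__":
    print(rotation_demo())
```

After rotation_demo runs, the exposed key's commitment has a zero balance and is in the retired set, the wallet's value sits behind child 1, whose key has never been broadcast, and a second spend with the exposed key is rejected. The one thing the model cannot remove is the broadcast window itself: pub and sig are visible between broadcast and confirmation, so the remaining race is the short-range one, bounded by confirmation latency. Note also that a hash-based one-time signature such as the Lamport stand-in here is not attackable by Shor's algorithm at all; that is a separate design choice from rotation, and the two protections are independent.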

What You Should Do Right Now

If you hold assets on classical blockchains like Bitcoin or Ethereum, there are practical steps you can take today to reduce your quantum exposure, even before migrating to a quantum-native network.

First, stop reusing addresses. This does not eliminate the vulnerability of addresses that have already spent, but it prevents creating new ones. Use a new receive address for every incoming transaction, which most modern wallet software supports by default.

Second, identify which of your addresses have spent before. Any address that shows outgoing transactions on a block explorer has already exposed its public key. The funds in those addresses are the ones that will be at risk when quantum hardware arrives. Consider the time horizon on those holdings. If you plan to hold for 15 or 20 years, they are more exposed than short-term positions.

Third, follow the development of NIST post-quantum cryptography standards and the migration plans for the networks you use. The first NIST PQC standards were finalized in 2024. The question is how and when networks will adopt them, and whether the migration can happen before it matters.

Fourth, consider whether a purpose-built quantum-native network is more appropriate for holdings you intend to keep for decades. A system where structural immunity is a design property rather than a retrofit is categorically different from one where immunity requires a future migration to succeed.

What the Regulatory Landscape Is Saying

Regulators and government agencies are not ignoring this. The US National Institute of Standards and Technology finalized its first post-quantum cryptography standards in 2024 (FIPS 203, 204 and 205, specifying ML-KEM, ML-DSA and SLH-DSA) after an eight-year competition. NIST and CISA, the Cybersecurity and Infrastructure Security Agency, have both published guidance urging organizations to begin their post-quantum migration planning immediately, citing the harvest now, decrypt later threat specifically as a present-day risk, not a future one.

The US Office of Management and Budget issued memorandum M-23-02 in November 2022 directing federal agencies to inventory their cryptographic systems and prioritize migration to post-quantum alternatives. The UK's National Cyber Security Centre published similar guidance. The German federal cybersecurity agency, BSI, has recommended beginning post-quantum migrations for high-security systems by 2025.

None of these agencies are known for catastrophizing. When they cite a threat as requiring immediate action, it is because their intelligence assessments give them reason to believe the threat is being actively exploited or will be within the planning horizon of systems being built today.

For blockchain specifically, none of this regulatory guidance has translated into concrete migration mandates yet. But the direction of travel is clear. Organizations holding significant value in blockchain infrastructure, and the networks themselves, are beginning to face questions from boards, auditors, and regulators about their quantum migration plans. Having no plan is becoming a harder position to defend.

The Honest Assessment

The harvest now, decrypt later threat is not hypothetical. It is a strategy that makes rational economic sense for any adversary with long time horizons and access to cheap storage. The data is already being collected, by nation-states for certain and almost certainly by others. The question is whether the quantum hardware arrives before the blockchain networks migrate, and whether the migrations are comprehensive enough to protect all exposed addresses.

The answer for legacy networks is probably not fully reassuring. The game theory of migration coordination on permissionless blockchains is genuinely hard. Some addresses will be missed. Some users will not act. Some funds will be lost.

The more useful question is what you build and hold on going forward. A network designed from the start so that no exposed public key ever guards live funds does not have a migration problem, because it does not have an exposure problem. The data worth harvesting simply does not exist.

That is the standard worth building toward, and the reason QuanChain's TADEQS architecture represents a fundamentally different answer to the quantum threat than any post-quantum upgrade applied to an existing protocol. One is a patch. The other is a different foundation.

Frequently Asked Questions

Is the harvest now, decrypt later threat specific to blockchain, or does it affect all encryption?

It affects everything that relies on public-key cryptography, including TLS for web traffic, encrypted email, and VPN connections. But blockchain is uniquely vulnerable because the data is public and permanent. In TLS the harvested material is the key exchange, so the prize is the confidentiality of old sessions, and most of that content has a limited shelf life. On a blockchain the harvested material is a signing key, so the prize is present-day control of funds. A transaction from 2017 that reveals a public key is still perfectly fresh data for a future attacker, because the private key behind it may still control funds on chain today. The permanence of blockchain data is what elevates the risk from concerning to structural.

How much storage would it take to archive all exposed Bitcoin public keys?

The entire Bitcoin blockchain is currently around 600 gigabytes. A targeted archive of just the public keys from spent addresses would be a small fraction of that: at 33 bytes per compressed key, even a hundred million keys is a few gigabytes, a dataset that fits comfortably on a standard hard drive costing less than one hundred dollars. Storage is not even a meaningful barrier to this attack. The cost of building the harvest is trivially low relative to the potential payoff if quantum hardware arrives on a favorable timeline.

Would a blockchain hard fork to post-quantum cryptography solve the harvest now problem?

Partially, and only for addresses that successfully migrate before quantum hardware arrives. A hard fork that transitions the network to post-quantum signature schemes would protect future transactions, but it cannot retroactively hide the public keys that are already on chain for addresses that have already spent. Those keys are permanent. The historic chain data cannot be altered. For addresses that migrate, the remaining funds would be protected going forward. For addresses that fail to migrate in time, the historic exposure remains. And for a network like Bitcoin with complex governance, getting full migration coverage before the deadline is not guaranteed.

How does TADEQS protect against harvest now, decrypt later specifically?

TADEQS locks value behind a hash commitment rather than a public key, and a child wallet's key authorizes exactly one spend. The public key and signature appear only in that spend, which drains the commitment and retires the child; the change goes to a fresh commitment whose key has never been seen. Whatever an adversary captures from the chain therefore belongs to a key that guards nothing, and recovering its private key with Shor's algorithm yields nothing to steal. The long-range attack is neutralized by the structure of the system, not by a bet on how slowly the hardware arrives.

Are hardware wallets enough to protect against this threat?

Hardware wallets protect your private key from being extracted by malware or network attacks. They do not protect the public key that gets published on chain when you spend. The harvest now, decrypt later attack does not try to steal your private key directly. It extracts the private key mathematically from the public key that is already on the public blockchain. A hardware wallet cannot prevent a mathematical derivation performed years later by a quantum computer, because that derivation happens on the attacker's hardware, not yours.

Should I move my Bitcoin to a new address right now?

It depends on the address you are moving from. If that address has already spent and still holds funds, its key is exposed and those funds are the ones at long-range risk; moving them to a fresh address whose key is not revealed on receipt, and then not spending from it, does help. The old key stays on chain but guards nothing, and the new key stays hidden until you spend. If the address has never spent, moving is roughly neutral: the move exposes its key, but only for funds that then leave it. What never helps is sending to an address you will keep reusing. Two caveats apply: the move itself is a spend, so it carries the short-range exposure of the broadcast window, and the protection lasts only until the new address spends. The longer-term fix for existing Bitcoin holdings is migrating to a post-quantum output type if and when the protocol supports one, which it does not yet. In the meantime, consolidating into fresh addresses you do not spend from and never reusing addresses are the most practical steps available.