The Quantum Threat to Cryptocurrency
The quantum threat to cryptocurrency is simple to state: Shor's algorithm solves the elliptic-curve discrete logarithm problem that secures ECDSA and Schnorr signatures, once a sufficiently large fault-tolerant quantum computer exists.
That machine does not exist today. The engineering question is whether major ledger systems can migrate before it does, and whether already-exposed keys can be protected after the fact.
This page explains the threat model. It is not a claim that current quantum hardware can break cryptocurrency signatures today.
What Shor’s Algorithm Breaks
ECDSA and Schnorr signatures over secp256k1 depend on a one-way relationship: given a private key, it is easy to compute the public key; given the public key, it is infeasible for a classical computer to recover the private key.
Shor's algorithm removes the second part. On a large enough fault-tolerant quantum computer, recovering the private key from the public key runs in polynomial time, which turns a computation that is infeasible classically into a practical attack.
For a cryptocurrency, that means:
- A public key becomes visible on-chain.
- A quantum attacker derives the private key.
- The attacker signs a spend.
- The network accepts the signature if the transaction follows consensus rules.
The chain does not know the signature was produced by an attacker. It only sees a valid signature.
Which Funds Are Exposed
Exposure depends on address and script type:
| Situation | Quantum-era risk |
|---|---|
| Public key directly appears in the locking script, such as old P2PK outputs or Taproot (P2TR) outputs, whose tweaked output key is the script itself | The key is visible before spend. |
| Address is reused after a spend | The public key is visible after the first spend, so remaining funds at that address become exposed. |
| Hash-only address (P2PKH, P2WPKH) with no prior spend | The public key is hidden until the owner spends. |
| Multisig or script paths that reveal keys | Exposed keys become part of the future attack surface. |
Hashing a public key delays exposure. It does not make ECDSA post-quantum safe. Once the owner spends and reveals the key, the quantum race begins: the key sits in the mempool and then permanently on-chain, and any remaining funds behind the same key are attackable from that point on.
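The attack sequence above and the exposure table can be checked mechanically against a chain. The scanner below is an added example, not Tidecoin or Bitcoin Core code: it models transactions as plain dicts instead of parsing raw serialization, and every key, hash and txid in it is a constructed placeholder rather than chain data. It classifies each unspent output as key-in-script (P2PK, P2TR), hashed (P2PKH, P2WPKH, P2WSH) or unknown, and it flags address reuse without computing hash160: once the network has accepted a spend whose scriptSig or witness reveals a public key, that key is known to match the spent output's locking script, so every other unspent output with the same script is exposed.

```python
"""Toy UTXO exposure scanner for the quantum threat model on this page.

Added example, not Tidecoin or Bitcoin Core code.  Transactions are plain
dicts, and every key, hash and txid below is a constructed placeholder.
"""
from dataclasses import dataclass, field

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC

def parse_script(script: bytes) -> list:
    """Split a script into data pushes (bytes) and opcodes (int).
    Only direct pushes (0x01..0x4b) are decoded; that covers every type classified here."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:
            items.append(script[i:i + op])
            i += op
        else:
            items.append(op)
    return items

def looks_like_pubkey(item) -> bool:
    """secp256k1 SEC encoding: 33 bytes starting 02/03, or 65 bytes starting 04."""
    if not isinstance(item, bytes):
        return False
    return (len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4)

def script_exposure(spk: bytes) -> str:
    """'key-in-script' if a public key is readable from the output itself,
    'hashed' if only a hash is visible until spend, 'unknown' otherwise."""
    it = parse_script(spk)
    if len(it) == 2 and looks_like_pubkey(it[0]) and it[1] == OP_CHECKSIG:
        return "key-in-script"                      # legacy P2PK
    if len(it) == 2 and it[0] == OP_1 and isinstance(it[1], bytes) and len(it[1]) == 32:
        return "key-in-script"                      # P2TR: tweaked output key is in the script
    if (len(it) == 5 and it[0] == OP_DUP and it[1] == OP_HASH160 and isinstance(it[2], bytes)
            and len(it[2]) == 20 and it[3] == OP_EQUALVERIFY and it[4] == OP_CHECKSIG):
        return "hashed"                             # P2PKH
    if len(it) == 2 and it[0] == OP_0 and isinstance(it[1], bytes) and len(it[1]) in (20, 32):
        return "hashed"                             # P2WPKH / P2WSH
    return "unknown"

def revealed_pubkeys(txin: dict) -> list:
    """Keys an input makes visible: scriptSig pushes (P2PKH) and witness items (P2WPKH).
    Keys inside a revealed P2WSH witness script are not parsed here."""
    items = parse_script(txin.get("script_sig", b"")) + list(txin.get("witness", []))
    return [x for x in items if looks_like_pubkey(x)]

@dataclass
class ExposureScanner:
    utxos: dict = field(default_factory=dict)    # (txid, vout) -> scriptPubKey
    revealed: set = field(default_factory=set)   # scriptPubKeys whose key has appeared on-chain

    def apply(self, tx: dict) -> None:
        for txin in tx.get("inputs", []):
            spk = self.utxos.pop((txin["txid"], txin["vout"]), None)
            if spk is not None and revealed_pubkeys(txin):
                self.revealed.add(spk)           # a valid spend proves the key matches this script
        for n, spk in enumerate(tx["outputs"]):
            self.utxos[(tx["txid"], n)] = spk

    def exposed_utxos(self) -> dict:
        """Unspent outputs a quantum attacker could already target, with the reason."""
        report = {}
        for outpoint, spk in self.utxos.items():
            if script_exposure(spk) == "key-in-script":
                report[outpoint] = "key in locking script"
            elif spk in self.revealed:
                report[outpoint] = "address reused after a key-revealing spend"
        return report

# Script builders for the sample data.
def p2pk(pub): return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])
def p2pkh(h160): return bytes([OP_DUP, OP_HASH160, 20]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h160): return bytes([OP_0, 20]) + h160
def p2tr(xonly): return bytes([OP_1, 32]) + xonly

# Constructed placeholders, not real keys or hashes; H160_A stands in for hash160(PUBKEY_A).
PUBKEY_A = bytes([0x02]) + bytes(range(1, 33))
H160_A, H160_B, XONLY_C = bytes(range(20)), bytes(range(20, 40)), bytes(range(32))
FAKE_SIG = bytes([0x30]) + bytes(70)             # DER-shaped filler; never mistaken for a key

def demo() -> dict:
    """Fund five outputs, then spend one P2PKH output of key A, which reveals A on-chain."""
    fund = {"txid": "fund", "inputs": [], "outputs": [
        p2pk(PUBKEY_A), p2pkh(H160_A), p2pkh(H160_A), p2wpkh(H160_B), p2tr(XONLY_C)]}
    spend = {"txid": "spend", "outputs": [p2wpkh(H160_B)], "inputs": [
        {"txid": "fund", "vout": 1,
         "script_sig": bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(PUBKEY_A)]) + PUBKEY_A}]}
    scanner = ExposureScanner()
    for tx in (fund, spend):
        scanner.apply(tx)
    return scanner.exposed_utxos()

if __name__ == "__main__":
    for outpoint, why in sorted(demo().items()):
        print(f"{outpoint[0]}:{outpoint[1]}  {why}")
```

Running `demo()` reports three of the five remaining outputs as exposed: the P2PK and P2TR outputs because the key is in the script, and the second P2PKH output of key A because the first one was spent and revealed A. The P2WPKH outputs of key B stay hidden even though the same hash is used twice, since no spend has revealed B yet. A real scanner would parse raw transactions and also walk revealed P2WSH and Taproot script-path witnesses for the keys they contain.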
Timeline Risk
The NIST IR 8547 draft sets a planning horizon in which quantum-vulnerable algorithms such as ECDSA are deprecated after 2030 and disallowed after 2035. Academic and industry estimates of when a cryptographically relevant quantum computer arrives vary, and they should be treated as planning ranges rather than precise dates.
For cryptocurrency, the conservative position is to start before the deadline looks urgent. Protocol migrations can take years because they involve wallet software, exchanges, miners, custodians, hardware devices, node operators, auditors, and users.
Why Retrofit Migration Is Hard
Replacing a signature scheme in a live cryptocurrency is not only a code change. It requires:
- new address and script types;
- wallet support for new keys;
- fee policy that accounts for larger signatures;
- exchange and custodian support;
- hardware signer and offline signer support;
- user migration from old outputs to new outputs;
- a decision about unmigrated and lost coins;
- consensus activation without splitting the network.
Post-quantum signatures are also much larger than ECDSA. Falcon-512, the scheme Tidecoin uses, has 897-byte public keys and signatures of up to 666 bytes, against a 33-byte compressed secp256k1 public key and a roughly 71-byte DER-encoded ECDSA signature. Moving every output on a chain to such outputs therefore consumes real block space and fee capacity, and the fee policy has to account for it.
How Tidecoin Handles the Threat
Tidecoin avoids the ECDSA migration problem by using Falcon-512 from genesis. There are no historical ECDSA spends to reinterpret, protect, or migrate.
Tidecoin still has upgrade work like any live protocol. The difference is that cryptographic agility is built around post-quantum signature families and height-gated activation, rather than a future emergency conversion away from classical signatures.
Practical Takeaway
Current quantum computers are not breaking secp256k1 wallets today. The risk is that blockchains move slowly, public key exposure is permanent, and the cost of a late migration is higher than the cost of designing for post-quantum signatures from the start.
See also: Harvest Now, Decrypt Later, Post-Quantum Primer, Protocol / Security Analysis, Protocol / Design Positioning.