
43 posts tagged with "Cryptography"

Cryptographic protocols and techniques


Bitcoin's Quantum Bifurcation: 6.7M BTC Vulnerable and Two Allocator Camps

· 14 min read
Dora Noda
Software Engineer

Roughly 6.7 million BTC sit in addresses that have already broadcast their public keys to the world. That is about a third of the total supply, including the ~1.1 million coins attributed to Satoshi Nakamoto. A sufficiently capable quantum computer could, in principle, derive the private key for any of them.

Two of the most-cited research desks in crypto have looked at exactly the same data and reached opposite conclusions about what allocators should do this year.

Capriole Investments founder Charles Edwards argues the community must ship a quantum fix by the end of 2026 or absorb a 20% valuation discount, with downside below $50,000 by 2028 if the network drags its feet. Grayscale Research, in its 2026 Digital Asset Outlook: Dawn of the Institutional Era, calls quantum risk a "red herring" — real but distant, unlikely to move 2026 prices, and overshadowed by the institutional capital wave reshaping the asset class.

This isn't a debate about whether the threat is real. Both camps agree it is. It's a debate about when the cost shows up in the price — and that question now drives two completely different allocation playbooks.

The Number Everyone Is Arguing About: 6.7 Million BTC

Quantum vulnerability in Bitcoin is not uniform. The danger depends on what kind of address holds your coins, and whether their public key has ever appeared on-chain.

The breakdown that anchors most of the 2026 discourse looks roughly like this:

  • ~1.72 million BTC in Pay-to-Public-Key (P2PK) outputs. These are the original 2009-era outputs, including the bulk of Satoshi's stash. P2PK puts the raw public key in the scriptPubKey itself, so it is exposed from the moment the coins are received. In many cases there is nobody left to migrate them: the holders are believed to be dead or to have lost their keys.
  • ~4.9 million BTC in reused addresses across other formats. Spending from a Pay-to-Public-Key-Hash (P2PKH) or Pay-to-Witness-Public-Key-Hash (P2WPKH) output reveals the public key on-chain, in the scriptSig for P2PKH and in the witness for P2WPKH. If the holder reuses that address, or leaves a balance behind after the first spend, the public key is exposed for the rest of the network's history. Taproot (P2TR) is a harder case: the 32-byte x-only output key is the scriptPubKey itself, so it is exposed the moment the output is created, whether or not it is ever spent from.
  • ~200,000 BTC scattered across other reused or partially exposed categories.

Add it up and you land at roughly 6.8 million BTC, a little above the 6.7 million headline figure because each category estimate is itself rounded; either way, about 34% of the circulating supply sits in outputs that a Shor-capable quantum computer could, in theory, drain. The remaining two-thirds sits in unspent P2PKH and P2WPKH outputs whose public keys have never been broadcast. Those outputs commit only to HASH160 of the key, so there is no elliptic-curve public key for Shor's algorithm to work on; the only quantum speedup against the hash itself is Grover's quadratic one, which does not make a 160-bit preimage search practical. Taproot outputs do not get this protection, since their scriptPubKey carries the output key directly, so they belong on the exposed side of the ledger even before they are spent.

That asymmetry is what makes the debate so structurally weird. Quantum risk in Bitcoin is not "the network breaks." It is "early adopters and sloppy address-reusers get drained, while careful single-use HODLers are fine." The market has to price a threat that is concentrated in a specific cohort of coins, not spread evenly across the supply.

Edwards' Case: Price the Risk Now, Ship the Fix Faster

Charles Edwards has been the loudest institutional voice on the bear side of the quantum debate. His thesis, articulated across a series of late-2025 and 2026 talks, has three parts.

First, the discount is already there. Edwards argues that if you took an honest discounted-cash-flow style approach to Bitcoin's "stock" of vulnerable supply versus its "flow" of new issuance, the asset already deserves a markdown of roughly 20% relative to where it would trade if quantum risk were zero. In his framing, every month the network goes without a clear quantum-resistant migration path, that discount widens.

Second, the timeline is shorter than people think. Edwards leans on Deloitte's analysis estimating ~25% of BTC is exposed, and stitches it to the rapid progression of public quantum hardware. Project Eleven's Q-Day Prize, awarded April 24, 2026 to researcher Giancarlo Lelli for breaking a 15-bit elliptic curve key on a publicly accessible quantum computer, is the data point he keeps returning to. Steve Tippeconnic's 6-bit demonstration in September 2025 was the first public break; Lelli's 15-bit result, seven months later, covers a key space 512x (2^9) larger. The exponential is not theoretical.

Third, banks won't save Bitcoin. Edwards' more pointed argument is that Bitcoin will be hit before traditional finance because banks have already begun migrating to post-quantum encryption schemes — and even when banks fail, they have legal mechanisms to claw back fraudulent transfers. Bitcoin has no such mechanism. A successful quantum drain on a Satoshi-era P2PK address would be irreversible, public, and existentially confidence-shattering for the asset.

His prescribed action: ship a quantum-resistant migration path before the end of 2026. If Bitcoin doesn't, Edwards' worst-case scenario for 2028 puts BTC below $50,000 — not because quantum computers will actually break ECDSA by then, but because the expectation of an unfixable cliff will be priced in well before the cliff arrives.

Grayscale's Case: Real, But Not for 2026

Grayscale's 2026 Digital Asset Outlook takes the opposite stance. Quantum computing is acknowledged as a long-term consideration, but the firm's framing is unambiguous: it is a "red herring" for 2026 markets.

The Grayscale argument rests on three load-bearing claims.

One: the hardware isn't there. A sufficiently powerful quantum computer to derive private keys from public keys is not expected before 2030 at the earliest. Google's own published whitepapers in April 2026 estimated that a 256-bit ECC attack would require under 500,000 physical qubits — and Willow, Google's flagship chip from late 2024, has 105. A subsequent Caltech and Oratomic paper brought the requirement as low as ~10,000 qubits in a neutral-atom architecture, but even that is roughly two orders of magnitude beyond what any public quantum system has demonstrated.

Two: developer response is real. BIP-360, which introduces Pay-to-Merkle-Root (P2MR) — a new Bitcoin output type that uses Dilithium (now NIST-standardized as ML-DSA) post-quantum signatures and hides public keys from quantum attack — was merged into Bitcoin's official BIP repository on February 11, 2026. BTQ Technologies released the first working testnet implementation (v0.3.0) the following month. The migration runway exists; it just hasn't activated.

Three: 2026 catalysts dominate. Grayscale's outlook frames 2026 as the start of "the institutional era." Spot ETF AUM has crossed $87 billion. The CLARITY Act is on a May Senate Banking markup track. SEC Chair Paul Atkins has shipped a four-category token taxonomy that opens institutional-grade flow into the asset class. Against that backdrop, Grayscale argues, a 2030+ tail risk is the wrong thing to underweight on.

The implicit allocator instruction is "stay long, ignore the noise." Grayscale's position is not that quantum risk is fake — the firm explicitly notes Bitcoin and most blockchains will eventually need post-quantum upgrades. The position is that 2026's price discovery will be driven by ETF flows, regulatory clarity, and macro liquidity, not by hypothetical 2030 hardware.

The Two Allocator Playbooks

Boil the camps down to operating instructions and the divergence becomes stark.

Edwards-camp playbook (defensive):

  • Front-load migration tooling reviews now. Custodians stress-test BIP-360 wallets on testnet. Cold-storage providers publish post-quantum migration roadmaps before EOY 2026.
  • Pre-emptively re-spend exposed cold-storage UTXOs into fresh single-use addresses to bury public keys back behind hashes.
  • Pay the real cost today — operational complexity, audit overhead, possibly fee spikes during a coordinated migration window — to avoid catastrophic tail risk in 2028-2030.
  • Treat any 2026 BTC weakness as partially attributable to quantum-overhang, not just macro.

Grayscale-camp playbook (opportunistic):

  • Continue sizing BTC against ETF flow models, regulatory catalysts, and four-year-cycle decoupling theses.
  • Assume an orderly, Ethereum-Foundation-style protocol upgrade cadence resolves the migration during the 2027-2030 window.
  • Don't pay up for "quantum-resistant infrastructure" exposure today; the multiples don't justify it on 2026 cash flows.
  • Keep an eye on quantum hardware milestones, but treat them as monitoring, not allocation, signals.

Neither playbook is unreasonable on its own terms. The split exists because the two camps disagree on the asymmetry — specifically, whether the cost of frontloaded defense is small relative to the payoff if Edwards is right, or large relative to the payoff if Grayscale is right.

The Governance Question Both Camps Are Avoiding

The most uncomfortable part of the 2026 quantum debate isn't the hardware timeline. It is the governance question raised by BIP-361.

On April 15, 2026, Jameson Lopp and five co-authors published BIP-361 — "Post Quantum Migration and Legacy Signature Sunset" — a proposal that would, after activation through a soft fork, force a deadline on quantum-vulnerable address holders. Phase A (~160,000 blocks, roughly three years post-activation) stops the network from accepting new sends to vulnerable legacy address types. Phase B (another ~two years later) rejects any transaction signed with legacy ECDSA or Schnorr from those addresses. Funds in unmigrated wallets become effectively frozen.

The technical case is straightforward: if you don't sunset legacy signatures, a single quantum drain can confidence-shock the entire network. The political case is brutal. "Whoever holds the keys controls the coins — without exception" has been a load-bearing Bitcoin promise since 2009. BIP-361 puts an expiry date on that promise.

Adam Back's counterproposal — articulated at Paris Blockchain Week — is that quantum-resistant features should be added as optional upgrades, not forced freezes. Current quantum computers, Back has said publicly, "remain essentially lab experiments," and a forced sunset of dormant holdings (most prominently Satoshi's) would set a precedent that overrides Bitcoin's core property-rights guarantee.

Across developer forums and X, BIP-361 has been called "authoritarian" and "predatory" by critics who argue that the proposal — even if technically necessary — undermines the asset's most marketable property to institutional buyers: that no one, not even the developers, can take your coins.

This is the part of the debate Edwards and Grayscale don't directly address. Edwards' camp wants a fix; BIP-361 is the most concrete fix on the table; but BIP-361 is also the policy choice most likely to fracture the Bitcoin community along ideological lines and produce a contentious fork. Grayscale's camp wants to wait; but waiting compresses the runway for any soft-fork debate to play out before the threat materializes.

The Read-Through for Infrastructure

Whichever camp is right, the migration runway is going to produce a measurable workload signature for blockchain infrastructure providers. Quantum-resistance testing and pre-emptive migration are not the same RPC traffic shape as DeFi memecoin spam.

Custodian-grade migration testing tends to generate:

  • Heavy archive-node reads — full UTXO scans to identify exposed public keys across an institutional book.
  • Sustained signature-scheme attestation traffic, verifying that newly deployed P2MR outputs validate correctly under both legacy and post-quantum verifiers.
  • Bulk address-format scans — institutional wallets running batch checks on which UTXOs sit in vulnerable formats.
  • Long-running trace queries on settlement events — the kind of debug-level workload that mainstream commodity RPC providers are not optimized for.
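A practitioner-side sketch of the mechanics discussed above, added here as an example that is not from the post, from any BIP, or from any custodian: `classify` decides which output types carry the public key in the scriptPubKey itself (P2PK and Taproot) and which only commit to a hash (P2PKH, P2SH, P2WPKH, P2WSH); `exposure_scan` is the bulk address-format check a custodian would run over its book, bucketing balances the way the 6.7M-BTC figure is built; and `bip361_accepts` models the Phase A and Phase B rules as the post describes them. The sample scripts, the 105,000-block Phase B offset, the activation height and the placeholder post-quantum output encoding are constructed assumptions; BIP-360's real P2MR encoding is not modelled.

```python
"""scriptPubKey classification used two ways: a bulk exposure scan over a UTXO set, and a
simplified model of the BIP-361 phases as the post describes them. Added illustration;
not code from any BIP, wallet or custodian."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    script_hex: str   # scriptPubKey, hex-encoded
    sats: int


@dataclass(frozen=True)
class Tx:
    spends: tuple     # scriptPubKeys of the prevouts being consumed
    creates: tuple    # scriptPubKeys of the outputs being created


LEGACY_TYPES = {"P2PK", "P2PKH", "P2SH", "P2WPKH", "P2WSH", "P2TR"}   # all ECDSA/Schnorr


def classify(script: bytes) -> tuple[str, bool]:
    """Return (type, key_in_output). key_in_output is True when the scriptPubKey itself
    carries the public key, so Shor applies even if the output was never spent from."""
    n = len(script)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        return "P2PK", True                           # <33|65-byte pubkey> OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return "P2PKH", False                         # commits to HASH160(pubkey)
    if n == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        return "P2SH", False                          # commits to HASH160(redeemScript)
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH", False                        # OP_0 <20-byte key hash>
    if n == 34 and script[:2] == b"\x00\x20":
        return "P2WSH", False                         # OP_0 <32-byte script hash>
    if n == 34 and script[:2] == b"\x51\x20":
        return "P2TR", True                           # OP_1 <32-byte x-only output key>
    return "other", False


def exposure_scan(utxos, spent_from) -> dict:
    """Bucket balances the way the post's exposure figure does. spent_from holds the
    scriptPubKeys that have already appeared as a prevout, i.e. reused addresses."""
    buckets = {"key_in_output": 0, "reused_after_spend": 0, "hash_protected": 0}
    for u in utxos:
        _, key_in_output = classify(bytes.fromhex(u.script_hex))
        if key_in_output:
            buckets["key_in_output"] += u.sats
        elif u.script_hex in spent_from:
            buckets["reused_after_spend"] += u.sats
        else:
            buckets["hash_protected"] += u.sats      # only Grover touches the 160-bit hash
    return buckets


PHASE_A_OFFSET = 160_000                      # blocks after activation, figure from the post
PHASE_B_OFFSET = PHASE_A_OFFSET + 105_000     # ~2 more years at 10-min blocks; assumption


def sunset_phase(height: int, activation: int) -> str:
    if height < activation + PHASE_A_OFFSET:
        return "pre-A"
    return "A" if height < activation + PHASE_B_OFFSET else "B"


def bip361_accepts(tx: Tx, height: int, activation: int) -> tuple[bool, str]:
    """Phase A: no new outputs to legacy types. Phase B: legacy outputs cannot be spent
    either. A real implementation would recognise BIP-360 P2MR outputs explicitly."""
    phase = sunset_phase(height, activation)

    def is_legacy(script_hex: str) -> bool:
        return classify(bytes.fromhex(script_hex))[0] in LEGACY_TYPES

    if phase != "pre-A" and any(is_legacy(s) for s in tx.creates):
        return False, f"phase {phase}: sends to legacy output types are rejected"
    if phase == "B" and any(is_legacy(s) for s in tx.spends):
        return False, "phase B: legacy ECDSA/Schnorr signatures no longer validate"
    return True, f"phase {phase}: accepted"


# Constructed sample scripts (placeholder key material, not real keys).
P2PK = "21" + "02" + "ab" * 32 + "ac"
P2PKH = "76a914" + "11" * 20 + "88ac"
P2WPKH = "0014" + "22" * 20
P2TR = "5120" + "33" * 32
PQ_OUT = "ff" + "00" * 32      # stand-in for a post-quantum output; not the real P2MR encoding

SAMPLE_UTXOS = (Utxo(P2PK, 50_0000_0000), Utxo(P2PKH, 10_0000_0000),
                Utxo(P2WPKH, 5_0000_0000), Utxo(P2TR, 2_0000_0000))
SAMPLE_SPENT_FROM = {P2PKH}    # this address has spent before and still holds a balance
ACTIVATION = 900_000           # hypothetical activation height


def demo():
    scan = exposure_scan(SAMPLE_UTXOS, SAMPLE_SPENT_FROM)
    legacy_send = Tx(spends=(P2WPKH,), creates=(P2WPKH,))
    migrate = Tx(spends=(P2PKH,), creates=(PQ_OUT,))
    return (scan,
            bip361_accepts(legacy_send, ACTIVATION + 1_000, ACTIVATION)[0],
            bip361_accepts(legacy_send, ACTIVATION + PHASE_A_OFFSET, ACTIVATION)[0],
            bip361_accepts(migrate, ACTIVATION + PHASE_A_OFFSET, ACTIVATION)[0],
            bip361_accepts(migrate, ACTIVATION + PHASE_B_OFFSET, ACTIVATION)[0])
```

Two things the scan makes visible that the prose does not: Taproot lands in the exposed bucket regardless of spend history, because the x-only key is in the script itself, and the same `migrate` transaction that is accepted during Phase A is rejected in Phase B, which is exactly the freeze-by-inaction the governance argument is about.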

This is workload that lands on the Edwards-camp side first. Grayscale-camp allocators won't generate it until they have to. So the early signal that quantum migration is becoming operational, not theoretical, will show up as a shift in custodian RPC traffic patterns long before it shows up in BTC spot price.

BlockEden.xyz operates institutional-grade RPC and indexer infrastructure across Bitcoin, Sui, Aptos, Ethereum, and 25+ other chains — including the archive-node and trace workloads that quantum-migration testing tends to generate. If your team is stress-testing post-quantum tooling on Bitcoin or any other asset, explore our API marketplace for infrastructure built for non-trivial workloads.

What to Watch Through End of 2026

The Edwards-versus-Grayscale split is a real allocator disagreement, but it will be resolved one way or the other by a small handful of milestones over the next eight months.

Quantum hardware: Watch for the next Q-Day Prize award. A 20-bit or 24-bit ECC break on public hardware would make the exponential too obvious to ignore. Conversely, no further public progress through end of 2026 lengthens Grayscale's runway.

BIP-361 activation path: Does the proposal pick up enough developer support to enter a real activation discussion, or does Adam Back's optional-upgrades counter-proposal carry the room? Either outcome materially shifts the migration timeline.

Custodian behavior: Coinbase Custody, BitGo, Anchorage, and Fidelity Digital Assets all publish (or don't publish) post-quantum readiness statements. The first major custodian to commit to BIP-360 wallets in production is the leading indicator that Edwards' urgency is bleeding into operational decisions.

Spot price reaction: If BTC underperforms its ETF-flow model in 2026 by more than ~15%, Edwards' "quantum discount" framing gets harder to dismiss. If BTC matches or exceeds Grayscale's first-half all-time-high projection, the red-herring framing wins by default.

The asymmetry to watch is this: Edwards needs to be right eventually for his case to land, even if 2026 prices don't reflect it. Grayscale needs to be right now — every month BTC marches higher without an obvious quantum overhang strengthens the red-herring frame, but a single confidence-shock event could erase years of that thesis in a week.

That's the bifurcation. Two desks, the same data, opposite playbooks. The market will pick a side before the quantum computers do.


Solana's 3-Year Quantum Wedge: Why Yakovenko Told Ethereum L2 Users to Abandon All Hope

· 12 min read
Dora Noda
Software Engineer

On May 2, 2026, Anatoly Yakovenko did something most blockchain co-founders avoid: he told an entire cohort of users that their network was beyond saving. "Abandon all hope," the Solana Labs co-founder wrote, was the only honest advice for anyone holding assets on an Ethereum Layer 2 and worrying about quantum computers. The tweet landed the same hour Anza and Firedancer — the two clients that secure the bulk of Solana's validator stake — published production-hardened test builds verifying Falcon-512 signatures, the lattice-based scheme NIST selected as a post-quantum standard.

That synchronicity was not an accident. It was the loudest cross-chain marketing salvo since Vitalik's Plasma deck in 2017, and it reframed quantum readiness from a 2030s engineering checklist into a 2026 competitive wedge. While Ethereum's "Strawmap" plots seven hard forks on a six-month cadence, finishing post-quantum infrastructure around 2029, Solana now has working Falcon-512 verification in two independent client implementations. The gap is roughly three years — and three years is enough time to win an institutional narrative.

Web3's Privacy Architecture War: ZK, FHE, and TEE in 2026

· 11 min read
Dora Noda
Software Engineer

A $1,000 gadget cracked Intel's most trusted hardware enclave. FHE graduated from academic curiosity to unicorn. And Aztec shipped its first decentralized privacy L2 on Ethereum — only to be met by regulators demanding selective disclosure, not full anonymity. Welcome to 2026's privacy infrastructure war, where three competing paradigms are converging into something none of them predicted.

Optimism's 10-Year Quantum Clock: Why the Superchain Just Became the First L2 to Set an ECDSA Sunset Date

· 12 min read
Dora Noda
Software Engineer

In January 2026, Optimism did something no other Layer-2 had done before: it put a date on the death of ECDSA. Ten years from now, on or around January 2036, every externally owned account on the Superchain — OP Mainnet, Base, World Chain, Mode, Zora, Ink, Unichain — will need to live behind a post-quantum signature scheme, or it will stop transacting. No other major L2 has published a comparable migration plan. Arbitrum, ZKsync, Polygon zkEVM, Starknet, and Linea are still silent on quantum.

That silence is starting to look strategically expensive.

In May 2025, Google researcher Craig Gidney published a paper showing RSA-2048 could be broken with fewer than one million qubits — a 20× reduction from his own 2019 estimate of 20 million. IBM is targeting fault-tolerant quantum systems by 2029. Google is openly modeling Q-Day as early as 2030. NIST's deprecation calendar lines up with that pessimism: quantum-vulnerable algorithms are scheduled to be deprecated after 2030 and disallowed after 2035. The decade-out estimate that financial planners were comfortable ignoring has compressed into the same time horizon as a corporate bond ladder.

Optimism's roadmap is the first L2-cohort response that treats this timeline as real.

What Optimism Actually Committed To

The roadmap, published by OP Labs and amplified across the Ethereum research community, breaks the migration into three workstreams that map cleanly onto the layers of the Superchain stack.

User-level migration. Externally owned accounts secured by ECDSA are scheduled to be replaced with post-quantum smart-contract accounts. The plan leverages account abstraction and EIP-7702 to swap signature schemes via hard forks without forcing users to abandon their existing balances. Old wallets keep working through a long dual-support window where ECDSA and PQ-signed transactions are both accepted; after January 2036, the network treats the PQ pathway as canonical and stops admitting new ECDSA signatures into blocks.

Infrastructure-level migration. The L2 sequencer and the batch submitter that posts data to Ethereum L1 will both transition off ECDSA. This matters more than the user-account migration in the short term, because a compromised sequencer key under a working quantum adversary could rewrite ordering or steal in-flight value. Hardening these privileged keys first is the textbook security move.

Ethereum coordination. Optimism is explicit that the Superchain cannot finish the job alone. The roadmap calls for Ethereum to commit to a timeline to move validators off BLS signatures and KZG commitments toward post-quantum alternatives, and OP Labs is in active communication with the Ethereum Foundation about it. That posture matches Vitalik Buterin's February 2026 post-quantum roadmap, which forms a Post-Quantum Security team and identifies four vulnerable layers: consensus-level BLS signatures, KZG-based data availability, ECDSA account signatures, and zero-knowledge proofs.

The Buterin plan proposes replacing BLS with hash-based schemes such as Winternitz variants and migrating data availability from KZG to STARKs, with EIP-8141 introducing recursive STARK aggregation to compress thousands of signatures into a single on-chain proof. The plan was successfully run on a Kurtosis devnet on February 27, 2026, producing blocks and verifying the new precompiles. Optimism's roadmap is calibrated to land in lockstep with this Ethereum-side work.

Why "10 Years" Is Both Aggressive and Conservative

Ten years sounds like a long time. It isn't, once you account for what has to happen inside it.

A signature-scheme migration on a public blockchain is not a software upgrade. It is a coordination problem across wallets, hardware signers, custodians, exchanges, smart contracts that hardcode signature assumptions, oracle networks, bridge security committees, MEV builders, and the regulatory perimeter that surrounds all of it. Coinbase, Ledger, Trezor, Fireblocks, Anchorage, MetaMask, Safe, and every institution holding tokenized funds on Base will need to ship PQ-aware key management, audit it, and roll it out to clients. NIST's own calendar deprecates quantum-vulnerable algorithms after 2030 and disallows them after 2035, a year before Optimism's January 2036 sunset, so regulated holders have to be off ECDSA before the Superchain forces the issue rather than when it does. That gap is not generous.

Conversely, ten years is aggressive relative to where any other major L2 sits today. Arbitrum, ZKsync, Polygon zkEVM, Starknet, Scroll, Linea, and Mantle have not published comparable plans. The silence is partly a research-readiness problem — recursive STARK aggregation and lattice-based verifiers are not turnkey — and partly a marketing calculation, since announcing a 2036 deadline forces conversations the rest of the cohort is not ready to have. Optimism eating that political cost first turns its roadmap into a leadership asset that competitors cannot match without copying it.

The Comparison Stack: Bitcoin's Freeze, Solana's Falcon, Ethereum's STARKs

Optimism's plan looks pragmatic when viewed against the alternatives now on the table.

Bitcoin's BIP-361. Co-authored by Casa CTO Jameson Lopp and titled "Post Quantum Migration and Legacy Signature Sunset," BIP-361 proposes freezing Bitcoin held in legacy addresses within five years of activation. The proposal pairs with BIP-360, which introduces a quantum-safe Pay-to-Merkle-Root (P2MR) address type. Phase A would, three years after BIP-360 activation, block wallets from sending funds to legacy address types. Phase B would, two years after that, render legacy signatures invalid at the consensus layer — coins that did not migrate would simply become un-spendable. Over 34% of all Bitcoin currently has an exposed public key on chain, and Bitcoin researchers estimate over $74B of BTC sits in addresses that would be frozen if Phase B activated today. Adam Back has pushed back, advocating optional upgrades over a forced freeze, and the community debate is unresolved. The contrast with Optimism is sharp: Bitcoin's plan ends with confiscation by inaction, while Optimism's plan ends with a smart-account migration that preserves balances.

Solana's Falcon trial. Both of Solana's most-used validator clients — Anza and Firedancer — have shipped test implementations of Falcon-512, the smallest of the NIST-standardized post-quantum signature schemes. Jump Crypto has been explicit that signature size is the binding constraint for a high-throughput chain: bigger signatures mean more bandwidth, more storage, and slower validation. Falcon's compact footprint is a practical fit, but post-quantum verification still incurs higher computational load than Ed25519, and the throughput cost of running Falcon at production scale on Solana has not been published. Anatoly Yakovenko has put the probability of quantum breaking Bitcoin's encryption in the next few years at 50%, which is the most aggressive public posture from any L1 founder. Solana's approach is research-and-validate; Optimism's is publish-and-commit.

Ethereum's STARK aggregation. The Buterin roadmap is structurally different from the L1/L2 plans because Ethereum's consensus layer signs with BLS rather than ECDSA. BLS over BLS12-381 rests on elliptic-curve discrete logarithms just as secp256k1 does, so Shor's algorithm breaks both, but BLS is there to aggregate tens of thousands of validator signatures per slot, and no hash-based scheme does that without a proof system on top. The substitution path (hash-based signatures with STARK-based aggregation) is mathematically clean but operationally heavy, since STARK aggregation needs a recursive proof system that does not exist in production today. The Strawmap envisions roughly seven hard forks over four years, with Glamsterdam and Hegotá in 2026 carrying parallel-execution and state-tree changes that lay the groundwork for later PQ forks.

Optimism's plan inherits whatever Ethereum ships, layered on top of its own Superchain-level signature aggregation upgrades and CRYSTALS-Dilithium-based verifier modules. The leverage is that L2s do not have to solve the BLS problem themselves; they only have to be ready to consume the L1 solution when it lands.

The Institutional Angle: Tokenized Funds Need a Long-Term Security Story

The unspoken commercial driver behind Optimism's roadmap is the institutional capital flowing onto Base. BlackRock's BUIDL, Apollo's ACRED, and Franklin Templeton's BENJI tokenized funds are now multi-billion-dollar deployments with multi-year custody horizons. Their compliance officers and chief risk officers do not buy "ten years from now" as a casual abstraction — they evaluate venue selection partly on long-tail security. A fund that is mandated to hold a tokenized Treasury for ten years cannot be parked on infrastructure whose signature scheme has a credible 2030-decade obsolescence risk.

Coinbase's strategic positioning of Base inside the Superchain is therefore a quiet beneficiary of the OP Labs roadmap. When BUIDL's next mandate review comes around, the chain that can point to a published, dated, technically specified PQ migration plan beats every chain that cannot. The same logic applies to Apollo's ACRED holders, who need transaction-level confidentiality alongside long-term security, and to Franklin's BENJI investors, who already operate inside a regulatory framework where NIST's 2030 deprecation calendar is a hard input to their cybersecurity posture.

In other words: Optimism's PQ roadmap is not just an engineering document. It is institutional sales material with a 2036 stamp on it.

Open Questions That the Rest of the Cohort Cannot Avoid

Optimism's announcement sets the agenda for the rest of the L2 ecosystem in 2026 and 2027. A few questions are now unavoidable:

  • Will Arbitrum, ZKsync, Polygon zkEVM, and Starknet publish dated PQ roadmaps? The cost of doing so is now lower than the cost of being the L2 without one when the next institutional mandate review happens.
  • Does the EVM gain a NIST-standardized PQ verifier precompile? Vitalik's roadmap implies yes, but the gas-cost economics of CRYSTALS-Dilithium signature verification on the EVM have not been published. If verifier gas costs are prohibitive, Optimism's smart-account migration will need a different cryptographic substrate.
  • How will EIP-7702 interact with PQ smart accounts? EIP-7702 lets EOAs temporarily delegate to smart-contract code, which is the migration vehicle Optimism is leaning on. The interaction model needs to handle the case where a user's ECDSA key is compromised during the dual-support window.
  • What happens to bridges? Optimism's canonical bridge to Ethereum L1 inherits whatever Ethereum's settlement layer accepts. Third-party bridges (LayerZero, Wormhole, Axelar, Across) operate their own signing committees and have not published PQ plans. A bridge with quantum-vulnerable signing keys is a soft target even if both endpoints are PQ-secure.
  • Does the Superchain centralize on a single PQ scheme, or pluralize? Falcon, Dilithium, SPHINCS+, and Winternitz each have different size/speed/security trade-offs. A multi-scheme Superchain inherits operational complexity; a single-scheme Superchain inherits scheme risk.

None of these questions has a clean answer in 2026. All of them have to be answered before 2036.

What This Means for Builders and Operators

The practical takeaway for teams building on the Superchain is to start treating post-quantum as a real architectural constraint rather than a research curiosity. Wallet providers should plan for dual ECDSA/PQ key management interfaces. Smart-contract developers should avoid hardcoding signature-scheme assumptions in custody logic, multisig wallets, or governance modules. Custodians and exchanges with OP Mainnet, Base, or World Chain integration should add PQ migration to their five-year roadmap rather than their ten-year one. NIST's deprecation calendar will show up in institutional procurement questionnaires years before it shows up in Optimism's hard forks.

For infrastructure operators, the question is not whether to migrate but when to start. The Superchain's dual-support window means there is no operational forcing function until Phase B-equivalent enforcement kicks in late in the decade. But the institutional buyer's diligence questionnaire is a forcing function on a much shorter clock.

BlockEden.xyz operates production-grade RPC infrastructure for Optimism, Base, and the broader Ethereum L2 ecosystem. As the Superchain transitions to post-quantum signatures over the coming decade, our team is tracking the migration alongside our partners — so the chains you build on stay verifiable through Q-Day and beyond. Explore our API marketplace to deploy on infrastructure designed for the long horizon.


Project Eleven's $120M Bet: How a Special Forces Veteran Convinced Coinbase the Quantum Threat Is Already Here

· 11 min read
Dora Noda
Software Engineer

In April 2026, a researcher named Giancarlo Lelli pocketed one bitcoin for breaking a 15-bit elliptic curve key on real quantum hardware. Fifteen bits. Bitcoin uses 256. The gap sounds vast, until you remember that RSA-129 fell in 1994, RSA-768 fell in 2009, and RSA-829 fell in 2020 (classical factoring records rather than quantum ones, but the same kind of trend line). The line on the chart only bends one way.

The bounty came from Project Eleven, a quiet post-quantum security startup founded by a former U.S. Special Forces officer. Three months earlier, the same firm closed a $20 million Series A at a $120 million valuation, led by Castle Island Ventures with checks from Coinbase Ventures, Variant, Quantonation, Fin Capital, Nebular, Formation, Lattice Fund, Satstreet Ventures, Nascent, and Balaji Srinivasan personally. Seven months between a $6 million seed and a 20x mark-up is not a normal venture cadence. It is the cadence of investors who have looked at a timeline and decided the window is shorter than the consensus believes.

This post unpacks what those investors saw.

The product nobody else is shipping

Most "quantum crypto" companies are building greenfield Layer 1s — Naoris Protocol, QANplatform, and Circle's lattice-native Arc chain all bake post-quantum signatures into a fresh genesis block. That's the easy version of the problem. The hard version, the one Project Eleven took on, is retrofitting cryptographic assurance onto chains that already exist and already hold trillions of dollars.

The shipped product is called yellowpages. It is a free, open-source registry that lets a Bitcoin holder do something that should not be possible: prove, today, that they own a UTXO under post-quantum keys, without moving the coin, without a hard fork, and without exposing anything sensitive.

The flow is mechanically tight. The yellowpages client generates an ML-DSA key pair and an SLH-DSA key pair (the lattice-based and hash-based digital-signature standards finalized by NIST in August 2024 as FIPS 204 and FIPS 205) deterministically from the user's existing 24-word seed. The user then signs a challenge with their Bitcoin private key and with the new post-quantum keys. The bundle is sent over an ML-KEM-secured channel to a trusted execution environment, which validates the signatures and writes a single proof to a public directory permanently linking the legacy address to the new keys.

The result is a verifiable claim that survives Q-Day. If, ten years from now, a sufficiently large quantum computer derives a private key from an exposed public key on-chain, the legitimate owner can point to a yellowpages proof — pre-dated, signed by both keys, irrefutable — and contest any quantum-derived spend. It is a cryptographic alibi. The chain doesn't have to change. The wallet doesn't have to move. The proof is the migration.

That property is what makes yellowpages structurally different from every other post-quantum proposal in Bitcoin. BIP-360 (Hunter Beast's quantum-resistant address proposal) requires soft-fork consensus. The various Taproot extensions assume the holder will eventually transact. Yellowpages assumes nothing — it works for cold-storage coins whose owners are dead, asleep, or simply unwilling to touch them.
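To make the binding described above concrete, here is a toy registry, added for this page and not Project Eleven's code. Lamport one-time signatures derived from a seed stand in for the SLH-DSA key and, purely so the demo runs on the Python standard library, for the Bitcoin secp256k1 key as well; the message format, labels, seeds and return strings are all assumptions. It shows why both signatures are needed (a stranger cannot squat on a legacy key they do not control) and why the proof must predate Q-Day (a later claimant who has recovered the legacy key produces a valid dual proof but loses to the earlier entry).

```python
"""Toy model of a yellowpages-style registry binding a legacy key to a post-quantum key.
Lamport one-time signatures stand in for SLH-DSA and, only so the demo runs on the
standard library, for the Bitcoin ECDSA key as well; the binding logic is the point."""
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _prf(seed: bytes, label: bytes, i: int, bit: int) -> bytes:
    # Deterministic derivation: the PQ key pair can be regenerated from the wallet seed.
    return hmac.new(seed, label + i.to_bytes(2, "big") + bytes([bit]), "sha256").digest()


def keygen(seed: bytes, label: bytes):
    """256 pairs of secret preimages; the public key is their hashes."""
    sk = [(_prf(seed, label, i, 0), _prf(seed, label, i, 1)) for i in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_commit(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


def sign(sk, msg: bytes):
    # Reveals one preimage per digest bit, so a Lamport key must never sign two messages.
    # (The demo reuses the legacy stand-in key once; a real ECDSA key has no such limit.)
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


def binding_message(legacy_pk, pq_pk, challenge: bytes) -> bytes:
    # Both signatures cover one statement: "this legacy key is controlled by this PQ key".
    return b"bind-v1" + pk_commit(legacy_pk) + pk_commit(pq_pk) + challenge


def make_proof(legacy_sk, legacy_pk, seed: bytes, challenge: bytes) -> dict:
    pq_sk, pq_pk = keygen(seed, b"slh-dsa-standin")
    msg = binding_message(legacy_pk, pq_pk, challenge)
    return {"legacy_pk": legacy_pk, "pq_pk": pq_pk, "challenge": challenge,
            "legacy_sig": sign(legacy_sk, msg), "pq_sig": sign(pq_sk, msg)}


class Registry:
    """Append-only directory: the first valid proof for a legacy key stands permanently."""

    def __init__(self):
        self._entries = {}

    def register(self, proof: dict) -> str:
        msg = binding_message(proof["legacy_pk"], proof["pq_pk"], proof["challenge"])
        if not verify(proof["legacy_pk"], msg, proof["legacy_sig"]):
            return "rejected: legacy signature invalid"    # strangers cannot squat on a key
        if not verify(proof["pq_pk"], msg, proof["pq_sig"]):
            return "rejected: pq signature invalid"
        key_id = pk_commit(proof["legacy_pk"])
        if key_id in self._entries:
            return "rejected: legacy key already bound"    # later claimants lose
        self._entries[key_id] = proof
        return "registered"

    def bound_pq_key(self, legacy_pk):
        entry = self._entries.get(pk_commit(legacy_pk))
        return None if entry is None else pk_commit(entry["pq_pk"])


def demo():
    # Constructed seeds; the real flow derives the PQ keys from the 24-word wallet seed.
    owner_seed, attacker_seed = b"owner seed (constructed)", b"attacker seed (constructed)"
    legacy_sk, legacy_pk = keygen(owner_seed, b"ecdsa-standin")
    reg = Registry()
    r_owner = reg.register(make_proof(legacy_sk, legacy_pk, owner_seed, b"2026-04"))
    # Someone without the legacy key tries to pre-register it and fails the legacy check.
    fake_sk, _ = keygen(attacker_seed, b"ecdsa-standin")
    r_squat = reg.register(make_proof(fake_sk, legacy_pk, attacker_seed, b"2026-05"))
    # Post-Q-Day: the attacker now holds the recovered legacy key and builds a valid dual
    # proof, but the owner's earlier entry already occupies the slot.
    r_late = reg.register(make_proof(legacy_sk, legacy_pk, attacker_seed, b"2031-01"))
    expected = pk_commit(keygen(owner_seed, b"slh-dsa-standin")[1])
    return r_owner, r_squat, r_late, reg.bound_pq_key(legacy_pk) == expected
```

The ordering rule is doing the security work: once Q-Day arrives, a quantum-derived key can produce a proof that verifies just as well as the owner's, so the only thing separating them is which proof was written to the directory first. That is why the real flow has the TEE timestamp and publish the proof, and why a holder who waits until the threat is demonstrated has already lost the argument.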

Why Coinbase Ventures actually led

Coinbase custodies more than a million bitcoin across institutional clients. That is not a number you can casually migrate. Every coin sitting in Coinbase Custody represents an unhedged tail risk against a probabilistic event with no fixed date. The exchange has two motivations that no other strategic investor matches:

  1. Operational: protect existing custody assets without forcing 50,000 institutional clients into a coordinated key rotation that could span years.
  2. Regulatory: NIST IR 8547 sets a 2035 deadline to deprecate quantum-vulnerable algorithms entirely, with high-risk systems migrating earlier. Federal regulators read the Federal Reserve's October 2025 working paper on harvest-now-decrypt-later risks to distributed ledgers. They are not going to let a publicly traded custodian carry that exposure indefinitely.

Coinbase Ventures funding Project Eleven is the closest thing crypto has to a TSMC funding ASML moment — a downstream giant capitalizing the supplier that owns the only viable migration path. Castle Island and Variant participated for the same reason they wrote checks into key infrastructure a decade ago: when an entire asset class needs a primitive, and one team has the production volume and integration scars to deliver it, the rest is just math.

The Solana paradox

While yellowpages addresses Bitcoin's coordination problem, Project Eleven's other arm is doing something more painful: showing chains exactly how much performance they will lose when they migrate.

In April 2026, the Solana Foundation ran a Project Eleven-backed testnet that swapped Ed25519 signatures for lattice-based post-quantum equivalents. The results were brutal:

  • Signature size grew 20–40x compared to current compact signatures.
  • Network throughput dropped roughly 90% in early benchmarks.
  • Bandwidth, storage, and validator hardware requirements increased proportionally.

For Solana, whose entire value proposition is monolithic high throughput, this is an existential trade-off — security against the marketed performance edge. The chain's architects are now stuck choosing between three uncomfortable options: ship lattice signatures and lose the performance story, wait for hash-based or zero-knowledge wrappers that compress the overhead, or hope quantum hardware milestones slip far enough that they never have to commit.

Project Eleven sits on both sides of this trade. They provide the cryptographic primitives. They also provide the empirical evidence of the cost. That dual position is unusual — most security vendors would prefer you not see the bill — and it is exactly why their integration partners trust them. The numbers are what the numbers are.

The Q-Day Prize and the bending curve

Most readers have learned to discount quantum threat warnings. The 2030s feel comfortably distant. The Q-Day Prize result on April 24, 2026 is the moment when "comfortably distant" started to feel less comfortable.

Lelli's 15-bit ECC break used a hybrid classical-quantum approach with error correction across multiple physical qubits per logical qubit — the same architecture that scales as IBM's Condor (1,121 qubits, 2023) and the planned Kookaburra (4,158 qubits, 2026–2027) come online. The historical scaling pattern is not subtle:

Year   Attack              Key size broken
1994   RSA-129             ~426 bits
2009   RSA-768             768 bits
2020   RSA-829             829 bits
2026   ECC-15 (quantum)    15 bits

The 15-bit number looks small until you realize it's the first production demonstration. The integer-factorization curve took 25 years to bend through 700 bits of progress. A quantum-attack curve, riding logical-qubit growth, may bend faster. Project Eleven's prize structure — escalating bounties for each new bit broken — turns the timeline into a leaderboard. The market gets a public, time-stamped feed of how close the threat is.

That feed is exactly the catalyst Bitcoin's institutional holders cannot ignore. BlackRock's IBIT held over $96 billion in AUM at the time of the prize. Tether's reserve held roughly 140,000 BTC. Strategy held over 200,000 BTC. None of these holders can write a 10-K disclosure that ignores a measurable, escalating capability advance.

The coordination problem nobody wants to discuss

There is a quiet number that defines Bitcoin's post-quantum dilemma: roughly 4 to 6 million BTC sit in pre-Taproot P2PKH and P2PK addresses with public keys already exposed on-chain. Some estimates of total at-risk supply run higher, with one recent analysis pegging $718 billion of bitcoin in addresses with exposed public keys. Those coins cannot be migrated by anyone except the original holder. Many of those holders are unreachable, deceased, or sitting on cold-storage hardware they have not touched in a decade. Roughly 1.1 million BTC are believed to belong to Satoshi.

Compare this to Y2K, the canonical pre-crypto coordination problem. The Y2K remediation worked because there was a fixed deadline, government coordination, mandated budgets, and central authorities that could compel migration. None of those exist for Bitcoin. The deadline is probabilistic. There is no government that can compel a wallet rotation. There is no central authority that can issue a soft-fork timeline that 100% of holders will follow.

This is what makes yellowpages quietly important. It does not solve the coordination problem — it brackets it. By creating a verifiable post-quantum claim today, holders who can commit do so cheaply. Coins whose holders are gone will eventually be susceptible to quantum-derived spends, but the legitimate owners of recoverable coins will have a cryptographic proof of priority. That proof is not a substitute for migration. It is a triage system.

Where this leaves the 2026–2029 window

The competitive map for post-quantum crypto infrastructure is clarifying:

  • Greenfield PQC chains (Naoris, QANplatform, Circle Arc): clean architectures, no migration burden, no legacy assets.
  • ZK-wrapped PQC (Trail of Bits' April 2026 sub-100ms verification result): potentially compresses signature overhead by proving validity off-chain.
  • Retrofit PQC (Project Eleven's yellowpages, Solana's lattice testnet, BIP-360 proposals): the only category that addresses the trillions already on-chain.

Project Eleven's bet — and the bet of the institutional capital backing them — is that retrofit will dominate. The greenfield chains may be technically superior, but they are not where the value sits. The ZK-wrapping approaches are promising but still measured in lab benchmarks rather than production deployments. Retrofit is where the money already is. Retrofit is where the regulators are looking.

Whether $120 million is the right valuation for a 2029-or-later threat is a fair question. Quantum hardware milestones have a habit of slipping. NIST's 2035 deprecation deadline is a long way out. But "quantum is a 2030s problem" was easy to say before April 2026. After Lelli's prize, after Solana's 90% throughput collapse, after Coinbase Ventures led the round, the conversation has shifted from whether to how fast. Project Eleven's edge is that they have spent eighteen months turning the "how fast" question into shipped code, integration partners, and a public benchmark series. That is the kind of moat that compounds.

The infrastructure for a multi-year cryptographic transition rarely gets built in the year the transition happens. It gets built in the years immediately before, by teams that started early enough to have production volume by the time the rest of the market wakes up. Project Eleven is currently the only team in the post-quantum-retrofit category with that profile.

The quantum clock is not yet ticking loudly. But it is ticking. And the people writing the largest checks have decided that the cost of being early is much smaller than the cost of being late.


BlockEden.xyz operates production blockchain infrastructure across Bitcoin, Ethereum, Sui, Aptos, Solana, and 25+ other networks — the same chains facing the post-quantum migration challenge. As cryptographic standards evolve, the teams building on stable RPC and indexing infrastructure will have the runway to focus on application logic instead of plumbing. Explore our API marketplace for chain access designed to outlast the next decade of protocol upgrades.


Solana's Post-Quantum Paradox: When 40x Signatures and 90% Speed Loss Threaten the Fastest Chain's Identity

· 14 min read
Dora Noda
Software Engineer

Solana sells one thing harder than any other Layer 1: speed. 400-millisecond slot times, a 65,000-TPS marketing benchmark, and a parallel execution model engineered around one assumption — that signatures are small and verification is cheap. In April 2026, that assumption met a quantum computer.

When Project Eleven and the Solana Foundation finished their first end-to-end quantum-resistant signature tests, the results landed somewhere between a warning and a crisis. Post-quantum signatures came in 20 to 40 times larger than the Ed25519 signatures Solana uses today. Throughput dropped by roughly 90%. The chain that built its brand on outrunning Ethereum suddenly looked, in test conditions, slower than the network it has spent five years mocking.

This is not a normal performance regression. It is the architectural bill arriving for a design decision Solana made a long time ago — and the entire ecosystem now has to decide what kind of chain it wants to be when the bill comes due.

The Bill: Why Quantum-Safe Signatures Punch Solana So Hard

Every Layer 1 signs transactions with elliptic curve cryptography. Bitcoin and Ethereum lean on ECDSA. Solana uses Ed25519. Both are fast, both produce compact signatures around 64 bytes, and both rely on the same mathematical hardness assumption — the elliptic curve discrete logarithm problem. Shor's algorithm, running on a sufficiently large quantum computer, solves that problem in polynomial time. When that machine arrives, every account secured by ECDSA or Ed25519 becomes openable in minutes.

The post-quantum alternatives that NIST has standardized — lattice-based schemes like Dilithium and Falcon, hash-based schemes like SLH-DSA — are mathematically robust against Shor's algorithm. They are not, however, kind to bandwidth. A Dilithium signature can run 2.4 KB. SLH-DSA can stretch to 7-49 KB depending on parameter choice. Falcon, the most compact NIST-standardized lattice scheme, still produces signatures around 666 bytes — about 10 times the size of Ed25519, and that is the good option.

For Bitcoin, that bloat is annoying. For Solana, it is existential. Solana's throughput model depends on stuffing as many transactions as possible into a 400-millisecond slot, with leaders gossiping shreds across a Turbine tree that is sized assuming compact payloads. Inflate the per-transaction signature 20-40x and the entire pipeline downstream — bandwidth, mempool propagation (or its Gulf Stream equivalent), validator verification, ledger storage — pays the same multiplier. The 90% throughput drop in testing is not a software bug. It is what happens when you push 40x more bytes through a pipe sized for what was already there.

The Asymmetric Vulnerability: Why Solana Has Less Time Than Bitcoin

Most blockchain quantum analysis lumps every chain together. They should not be lumped. Solana has a structural problem that Bitcoin does not.

In Bitcoin, your wallet address is a hash of your public key. As long as you never spend from an address, your public key remains hidden behind a SHA-256 wall, and a quantum attacker has nothing to attack. Only at the moment of spending does the public key get revealed on-chain. That window — the seconds or minutes between broadcasting a transaction and it being mined — is the vulnerability surface, and it is small.

Solana works differently. Solana account addresses are the public keys. There is no hash. The Ed25519 public key is the address, visible on-chain from the moment the account is funded. A cryptographically relevant quantum computer attacking Solana does not need to wait for users to transact. It can attack any funded account at any time, in parallel, indefinitely.

The Project Eleven analysis put a number on it: 100% of the Solana network is vulnerable in a quantum scenario, compared to a smaller exposed subset of Bitcoin and Ethereum addresses where users have already spent and revealed their keys. This is not a small caveat. It changes the migration urgency by orders of magnitude. Bitcoin can plausibly say "if you do not move your coins, you stay safe." Solana cannot.

How Real Is the Threat? The April 2026 Q-Day Prize

The standard objection to all of this is that quantum computers capable of breaking real crypto are still 10-15 years away, so why panic now? Two pieces of April 2026 news made that objection harder to defend.

First, an independent researcher claimed Project Eleven's one-bitcoin Q-Day Prize by using publicly accessible quantum hardware to break a 15-bit elliptic curve key — the largest public quantum attack on EC cryptography to date. Fifteen bits is not 256 bits, and the gap is enormous. But the demonstration matters because it crossed a threshold from theoretical to executable, on hardware that is rented by the hour.

Second, a Google Quantum AI paper co-authored by Ethereum Foundation researcher Justin Drake and Stanford's Dan Boneh slashed the qubit estimate for breaking real cryptocurrency keys. The previous consensus had hovered around 20 million physical qubits. The new analysis: fewer than 500,000 physical qubits, with one design suggesting a system around 26,000 qubits could crack Bitcoin's encryption "in a few days." A separate Google-led paper modeled a quantum machine deriving a private key from an exposed public key in roughly nine minutes.

These are still future systems. IBM's largest current chip is Condor at 1,121 qubits. The path from 1,121 noisy qubits to 26,000 fault-tolerant qubits is real engineering work, not a Tuesday afternoon. But the timeline compressed, and the people doing the compressing are the same researchers building the machines. The "store-now-decrypt-later" risk — capturing on-chain public keys today to attack when hardware matures — is no longer a hypothetical for institutions managing crypto custody.

Falcon: The Compromise Both Solana Clients Independently Chose

If quantum-safe migration is inevitable and Dilithium-class signature bloat is unaffordable, Solana has one realistic answer: pick the smallest NIST-approved post-quantum scheme and engineer around it. That answer is Falcon.

What makes the April 27, 2026 Solana Foundation roadmap interesting is not the choice itself — it is that Anza and Jump's Firedancer arrived at Falcon independently. The two flagship Solana clients did not coordinate the decision. They evaluated the same trade space — signature size, verification cost, maturity of the cryptographic library, hardware acceleration potential — and converged. That convergence is a strong signal in a fragmented client ecosystem where the two teams disagree about plenty.

Falcon is a lattice-based scheme built on NTRU. NIST standardized it as part of FIPS 206 (under the FN-DSA name). At 666-byte signatures, it is roughly 10x larger than Ed25519 — painful, but a different order of magnitude than Dilithium's 2.4 KB or SLH-DSA's multi-kilobyte profile. Verification is fast. And Firedancer reported that an optimized Falcon implementation could run 2-3x faster than current elliptic-curve alternatives in their pipeline, suggesting that the original 90% throughput collapse may have been a worst-case ceiling, not the destination.

There are honest costs to Falcon. Signing is more expensive than verifying — independent benchmarks show some post-quantum schemes are roughly 5x more costly to sign than Ed25519. Falcon's signing involves Gaussian sampling that is notoriously hard to implement in constant time, which has historically been a side-channel risk. The cryptographic library ecosystem around Falcon is younger than around ECC. None of these are showstoppers. All of them are work.

The Migration Question Solana Cannot Avoid

The Solana Foundation's published roadmap is phased and deliberately vague on dates: continue researching threats, evaluate Falcon and alternatives, introduce post-quantum signatures for new wallets when needed, then migrate existing wallets. Each step contains a problem the foundation is not yet ready to talk about publicly.

New wallets are the easy part. Solana can introduce a new account type, gate it behind a feature flag, and let users opt in. The protocol can accept both Ed25519 and Falcon signatures for a transition period.

Migrating existing wallets is where chains fail. Solana has tens of millions of funded accounts. Each one is a public key that an attacker with a future quantum computer can target. Migration requires every user to construct a transaction that proves ownership of the old key and binds the account to a new post-quantum key. Users who have lost seed phrases, abandoned wallets, or died cannot migrate. The protocol then faces Bitcoin's exact dilemma — articulated in March 2026 around BIP-360's "frozen vs. stolen" debate — between freezing un-migrated accounts (controversial) and leaving them as quantum free lunch for whoever builds the first cryptographically relevant machine (also controversial).

The economic surface is enormous. SOL's circulating supply is around 540 million tokens. A meaningful percentage sits in addresses that have not been touched in years. Marketplaces, DAOs, treasuries, dormant whale wallets — every one of them eventually needs an on-chain action by a key-holder who may or may not still exist. The migration is not a technical feature; it is a multi-year coordination problem with no obvious deadline, no obvious authority, and no obvious recourse for accounts that miss the window.

How Solana's Approach Compares to Bitcoin and Ethereum

The three majors are converging on quantum resistance from very different starting points.

Bitcoin (BIP-360 / P2QRH): Pay-to-Quantum-Resistant-Hash creates a new address type that uses Falcon and Dilithium signatures, structured similarly to P2TR but without the quantum-vulnerable keypath. BTQ Technologies deployed BIP-360 to Bitcoin Quantum Testnet v0.3.0 in March 2026. Bitcoin's challenge is conservatism — getting consensus to activate a soft fork that adds a new address type is slow, and the migration debate (frozen vs. stolen for Satoshi-era coins) is politically charged. But Bitcoin's hashed-public-key structure buys time that Solana does not have.

Ethereum (EIP-7701 + EIP-8141): Rather than a protocol-wide cryptographic cutover, Ethereum is leveraging native account abstraction. EIP-7701 enables smart-account validation logic, and EIP-8141 lets accounts rotate to quantum-safe authentication schemes through the abstraction layer. The trade-off: Ethereum gets a smoother migration path with no flag day, but the security depends on smart-account implementations rather than a uniform protocol guarantee. Ethereum can migrate per-account, gradually, without a hard fork.

Solana (Falcon + phased rollout): Falls between the two. The protocol must natively support a new signature scheme (more invasive than Ethereum's abstraction approach), but the per-account migration looks more like Ethereum's gradual model than Bitcoin's address-type cutover. The performance constraint is the unique pressure no other major chain faces at the same intensity.

A fourth approach worth noting: Circle's Arc and similar quantum-native L1s skip the retrofit entirely by designing for post-quantum signatures from genesis. They pay the bandwidth cost upfront and never have a migration. If Solana's Falcon migration drags into 2027-2028 while Arc-class chains ship with quantum resistance built in, the institutional pipeline that currently views Solana as "fast enough" may find a new home.

What This Means for Builders and Infrastructure

For application developers, the immediate practical impact is small. Falcon migration will land via standard Solana protocol upgrades, libraries will abstract the change, and most dApps will not need to know what signature scheme their users employ. The bigger second-order effect is on the assumptions developers have made about transaction throughput, fee predictability, and account-state size.

If Falcon's optimized path sustains the 2-3x improvement Firedancer reported, Solana could land migration with a 30-60% throughput hit instead of 90%. That is still meaningful for high-frequency use cases — perpetual DEXs, on-chain order books, AI-agent execution loops — that have been built around Solana's current cost-per-transaction floor.

For infrastructure providers, the story is sharper. Indexers, RPC providers, and archival node operators will need to budget for ledger growth that scales with the larger signature size. WebSocket subscriptions that stream account updates will move more bytes per event. Anyone running validator hardware for Solana will need to revisit bandwidth assumptions for Turbine propagation.

For institutions evaluating which chain to build long-duration infrastructure on, the question is now harder. Solana's speed is a competitive moat that quantum migration directly attacks. The hedge is to pick chains where the migration path is shortest and the architectural cost is smallest. That probably means Falcon-based chains will look better than Dilithium-based chains, account-abstraction-based migrations will look better than protocol-wide cutovers, and quantum-native L1s will look better than retrofits — until the actual quantum hardware arrives and the theory becomes practice.

The Identity Question

Underneath the cryptography is a quieter question: what is Solana for, after the migration?

The chain's market position has been built on an absolute speed floor that other chains cannot match. Drop that floor by even 30% and Solana is still fast — but it is closer to Aptos, Sui, Sei, and the rest of the high-performance L1 cohort than it has been since launch. The differentiation narrows. The "Solana is uniquely fast" pitch becomes "Solana is one of several fast chains."

That is not necessarily bad. A 30% slower Solana that is quantum-safe and remains the most active chain by transaction count is a chain that has matured rather than declined. But the team has spent five years framing every architectural choice as in service of throughput, and the post-quantum era forces a re-framing. Speed is no longer the only thing the architecture optimizes for. Security against future hardware is now a co-equal constraint.

The Anza-Firedancer convergence on Falcon suggests the developer ecosystem has accepted this. The next two years will reveal whether the user base, the institutional buyers, and the speculative narrative do the same.


BlockEden.xyz provides enterprise-grade RPC and indexer infrastructure for Solana and 27+ other chains. As post-quantum migration reshapes the performance assumptions developers have built on, explore our infrastructure services to build on foundations engineered for what comes next.


BIP-361: Bitcoin's Most Controversial Proposal Since SegWit

· 12 min read
Dora Noda
Software Engineer

A small group of Bitcoin developers just proposed something that would have been unthinkable five years ago: deliberately freezing roughly 6.5 million BTC, including the entire Satoshi-era stash, before a future quantum computer can sweep them onto the open market.

Welcome to BIP-361 — the proposal that forces Bitcoin to choose between two of its most sacred values: immutability and survival.

When AI Agents Hold the Keys: Why Mind Network's FHE Bet Could Define the Next $311B

· 9 min read
Dora Noda
Software Engineer

A quarter-million autonomous agents now route value across crypto rails. The stablecoin supply they touch sits at $311 billion. And yet not one production system can answer the simplest question a treasurer would ask before handing over a wallet: "Can I prove the agent is reasoning over my data without anyone — including the agent's host — being able to read it?"

That question is the soft spot in every "agent economy" pitch deck circulating in April 2026. A new 19,000-character research report from Web3Caff drops Mind Network into the gap and argues that fully homomorphic encryption (FHE) is the missing primitive between today's TEE-wrapped agent wallets and a credible "untrusted machine economy." The thesis is bold. It is also worth taking seriously, because the alternatives — TEEs you must trust, ZK proofs you cannot reason over, and reputation systems that lag exploits by weeks — each have a structural ceiling.

Project Eleven's $20M Bet: Inside the Race to Quantum-Proof Bitcoin Before Q-Day

· 13 min read
Dora Noda
Software Engineer

What if the same physics that gives quantum computers their power could empty Satoshi's wallet — and an estimated $440 billion of Bitcoin alongside it? In January 2026, a small New York startup called Project Eleven raised $20 million at a $120 million valuation to make sure that day never arrives without a defense ready. Backed by Castle Island Ventures, Coinbase Ventures, Variant, and Balaji Srinivasan, the round marks the first serious capital cycle into "quantum-safe crypto" — and the moment Bitcoin's quietest existential risk becomes a fundable industry.

For years, "quantum risk" lived in academic footnotes. In 2026, it moved into venture term sheets, NIST standards, and a live BIP debate. Here's why, and what's actually getting built.

The Funding Round That Made Quantum Real

Project Eleven's Series A closed on January 14, 2026, led by Castle Island Ventures, with Coinbase Ventures, Variant, Fin Capital, Quantonation, Nebular, Formation, Lattice Fund, Satstreet Ventures, Nascent Ventures, and Balaji Srinivasan filling out the cap table. The $20 million ticket lifted Project Eleven's post-money valuation to $120 million and brought its total funding to roughly $26 million in 16 months — the company had previously raised a $6 million seed in mid-2025.

Founder Alex Pruden, a former U.S. Army Infantry and Special Operations officer, frames the company's mandate plainly: digital assets need a structured migration to quantum-resistant cryptography, and somebody has to build the picks and shovels.

What's notable isn't just the dollar amount. It's the investor mix. Castle Island and Coinbase Ventures don't write seven-figure checks on a speculative thesis. Variant, Nascent, and Lattice are crypto-native funds. Quantonation is a quantum-focused investor. Together they're signaling that quantum-safe infrastructure has crossed the line from research curiosity into a budget line item — and that Bitcoin's $1.4T+ market cap is enough motivation to fund a defense before the offense exists.

Why Bitcoin's Cryptography Is Suddenly on the Clock

Bitcoin secures roughly 19.7 million coins with elliptic-curve digital signatures over the secp256k1 curve. ECDSA is unbreakable on classical hardware, but Shor's algorithm — a 1994 quantum algorithm — can factor large integers and compute discrete logarithms in polynomial time. The instant a sufficiently large fault-tolerant quantum computer exists, every exposed Bitcoin public key becomes a private key in waiting.

The threat sat dormant for decades because the hardware looked decades away. That window collapsed in March 2026.

On March 31, Google Quantum AI published new resource estimates showing that breaking Bitcoin's secp256k1 curve requires fewer than 1,200 logical qubits and about 90 million Toffoli gates — translating to under 500,000 physical qubits on a superconducting surface-code architecture. The previous estimate was roughly 9 million physical qubits. A 20× reduction in one paper.

A Google researcher attached a probability to the milestone: at least a 10% chance that by 2032 a quantum computer could recover a secp256k1 ECDSA private key from an exposed public key. Google's own corporate guidance now urges developers to migrate by 2029.

Today's hardware is nowhere near 500,000 qubits. Google's Willow chip sits at 105 physical qubits. IBM's Condor crossed the 1,121-qubit threshold in 2023 and the company's Nighthawk reached 120 logical qubits in 2025. But the gap between "nowhere near" and "uncomfortably close" is exactly where insurance pricing lives — and Bitcoin's exposure isn't a 2035 problem if it takes a decade to migrate.

What's Actually Vulnerable — and What's Not

Not all Bitcoin is equally exposed. The vulnerability depends on whether a coin's public key has ever been broadcast on-chain.

  • Pay-to-Public-Key (P2PK) outputs from Bitcoin's earliest years — including roughly 1 million BTC mined by Satoshi — embed the raw public key directly in the script. These are permanently exposed and offer a quantum attacker a long, undefended runway.
  • Reused addresses of any type expose the public key the moment the first spend transaction confirms, after which any remaining balance becomes vulnerable.
  • Modern addresses (P2PKH, P2WPKH, P2TR with key-path spends) reveal only a hash until first spend. They're safe in cold storage but lose protection during a transaction broadcast — a window an adversary with quantum capability could potentially front-run.

The aggregate is striking. Estimates suggest about 6.5 to 7 million BTC sit in quantum-vulnerable UTXOs, worth roughly $440 billion at current prices. That's not a tail risk hidden in the corner of the order book. That's the fifth-largest "asset class" in crypto, owned by an attacker who hasn't shown up yet.
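As an added illustration of the exposure classes just listed (and of the hashed-key point made in the Solana comparison above), here is a small classifier over Bitcoin output scripts that sorts a UTXO set into "key exposed on-chain" versus "only a hash on-chain" and tallies the value in each bucket. This is example code written for this page, not Project Eleven's or the article's; the script templates are the standard Bitcoin ones, the key bytes and balances are constructed, and P2SH and P2TR outputs are deliberately left unclassified.

```python
"""Which Bitcoin outputs expose a public key on-chain, and how much value sits there.

Added example, not code from the article or from Project Eleven. The script
templates are the standard Bitcoin output scripts; the UTXO set and key
material below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes  # output script exactly as it appears on-chain
    value_btc: float


def classify(script: bytes) -> tuple[str, bytes | None]:
    """Return (template, key_material).

    For P2PK the material is the raw public key (exposed in the output).
    For P2PKH/P2WPKH it is HASH160(pubkey): the key itself is not on-chain
    until the owner spends and reveals it in the scriptSig or witness.
    """
    n = len(script)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "P2PK", script[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", script[3:23]
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH", script[2:]
    return "OTHER", None


def exposure(utxo: Utxo, revealed_hashes: set[bytes]) -> str:
    """'exposed' if a quantum attacker could read the key from chain data.

    revealed_hashes holds HASH160 values whose public key has already been
    published by an earlier spend (address reuse). P2PKH and P2WPKH share the
    same HASH160(pubkey), so one reveal exposes both forms of the address.
    """
    template, material = classify(utxo.script_pubkey)
    if template == "P2PK":
        return "exposed"
    if template in ("P2PKH", "P2WPKH"):
        return "exposed" if material in revealed_hashes else "hidden"
    return "unknown"


def tally(utxos: list[Utxo], revealed_hashes: set[bytes]) -> dict[str, float]:
    """Sum value by exposure class: the aggregate the article argues over."""
    totals = {"exposed": 0.0, "hidden": 0.0, "unknown": 0.0}
    for u in utxos:
        totals[exposure(u, revealed_hashes)] += u.value_btc
    return totals


# Constructed sample (not real keys or balances).
FAKE_PUBKEY_65 = b"\x04" + b"\x11" * 64          # uncompressed-key shape
HASH_A, HASH_B, HASH_C = b"\xaa" * 20, b"\xbb" * 20, b"\xcc" * 20

SAMPLE_UTXOS = [
    Utxo(b"\x41" + FAKE_PUBKEY_65 + b"\xac", 50.0),      # 2009-style P2PK
    Utxo(b"\x76\xa9\x14" + HASH_A + b"\x88\xac", 1.0),   # P2PKH, never spent
    Utxo(b"\x00\x14" + HASH_B, 0.25),                     # P2WPKH, never spent
    Utxo(b"\x76\xa9\x14" + HASH_C + b"\x88\xac", 2.5),   # P2PKH, reused address
    Utxo(b"\xa9\x14" + HASH_A + b"\x87", 0.125),         # P2SH: not classified here
]
# HASH_C's owner spent from it before: the public key is already on-chain.
REVEALED = {HASH_C}


def demo() -> dict[str, float]:
    return tally(SAMPLE_UTXOS, REVEALED)


if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(classify(u.script_pubkey)[0], exposure(u, REVEALED), u.value_btc)
    print(demo())  # {'exposed': 52.5, 'hidden': 1.25, 'unknown': 0.125}
```

Run against a real UTXO snapshot, the same two buckets are what the 6.5 to 7 million BTC estimate is built from: P2PK value plus the balances behind any HASH160 whose key a past spend already published.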

Three Mitigation Pathways Now Competing

Project Eleven's $20 million isn't being deployed in isolation. It lands in the middle of a three-way debate over how Bitcoin actually transitions, and the answers are very different.

1. Migration Tooling: Project Eleven's Yellowpages

Project Eleven's flagship product, Yellowpages, is a post-quantum cryptographic registry. Users generate a hybrid key pair using lattice-based algorithms, create a cryptographic proof linking the new quantum-safe key to their existing Bitcoin address, and timestamp that proof on a verifiable off-chain ledger. When (or if) Bitcoin adopts a post-quantum address standard, Yellowpages users have already pre-committed to the keys that can claim their coins.

Crucially, Yellowpages is the only post-quantum cryptographic solution actually deployed in production for Bitcoin today. The company has also constructed a post-quantum testnet for Solana — quietly positioning itself as the cross-chain migration vendor while everyone else is still drafting whitepapers.

2. Protocol-Level Address Standards: BIP-360

BIP-360, championed by developer Hunter Beast, proposes a new Bitcoin output type called Pay-to-Merkle-Root (P2MR). P2MR functions like Pay-to-Taproot but strips out the quantum-vulnerable key-path spend, replacing it with FALCON or CRYSTALS-Dilithium signatures — both lattice-based schemes considered quantum-resistant.

If activated via soft fork, BIP-360 gives users a destination to migrate to. It does not, however, automatically rescue exposed coins.

3. Coin Freezing: BIP-361

BIP-361, proposed in April 2026, is the most controversial response: freeze the roughly 6.5 million quantum-vulnerable BTC in place — including Satoshi's million coins — preventing any movement that an attacker could front-run. Recovery would only be possible for wallets generated from BIP-39 mnemonics. P2PK outputs and other early formats would be effectively burned.

The proposal has split Bitcoin's community along its oldest fault line. One camp argues immutability and credible neutrality are sacred — even if attackers eventually claim those coins. The other counters that allowing $440 billion to migrate to a hostile actor in a single weekend would be the largest wealth transfer in monetary history, and that the integrity of Bitcoin's fixed supply model is itself a property worth defending.

There is no clean answer. Either Bitcoin accepts that 6.5 million coins may be silently stolen, or it accepts that protocol-level intervention to freeze coins establishes a precedent the network has spent 17 years avoiding.

NIST FIPS 203/204 Sets the Crypto Defaults

The technical building blocks now exist because NIST finalized them. On August 13, 2024, the agency published three post-quantum cryptographic standards:

  • FIPS 203 (ML-KEM): Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber. Replaces RSA and ECDH for key exchange.
  • FIPS 204 (ML-DSA): Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium. Replaces ECDSA and RSA for signing.
  • FIPS 205 (SLH-DSA): Stateless Hash-Based Digital Signature Standard, derived from SPHINCS+, providing a conservative hash-based signature alternative.

The NSA's CNSA 2.0 roadmap mandates post-quantum deployment for new classified systems by 2027 and full transition by 2035. NIST itself projects 5–10 year adoption cycles for critical infrastructure. Cloudflare is targeting full post-quantum coverage by 2029.

Bitcoin's migration timeline is supposed to fit somewhere inside that envelope. The hard part is that nation-state IT departments can mandate a deadline. A permissionless decentralized network has to convince thousands of independent actors to coordinate without a CEO.

The Optimism Comparison: How Ethereum's Superchain Is Doing It

Bitcoin isn't alone in this race. In late January 2026, Optimism published a 10-year post-quantum roadmap for its Superchain — a useful contrast.

The OP Stack plan has three layers:

  • User layer: Use EIP-7702 to let externally owned accounts (EOAs) delegate signing authority to smart contract accounts that can verify post-quantum signatures, without forcing users to abandon their addresses.
  • Consensus layer: Migrate L2 sequencers and batch submitters off ECDSA and onto post-quantum schemes.
  • Migration window: Dual-support both ECDSA and post-quantum signatures until the January 2036 deadline.

Optimism is also lobbying Ethereum mainnet to commit to a timeline for moving validators away from BLS signatures and KZG commitments. The Foundation is reportedly engaged.

The architectural divide is instructive. Ethereum's account abstraction roadmap (and Solana's runtime flexibility) make post-quantum migration a smart contract upgrade. Bitcoin's UTXO model and minimalist scripting language make it a soft-fork debate that requires social consensus among developers, miners, and economic nodes. The same problem produces wildly different governance challenges.

The Investor Thesis: Insurance Premium Pricing

Why does a $20 million Series A make sense at a $120 million valuation when no quantum computer can break Bitcoin today?

The math is actuarial. If you assign a 10% probability to Q-day occurring before 2032 and apply that against $1.8 trillion of Bitcoin and Ethereum exposure, expected loss is about $180 billion. Even a one-percent insurance premium on that expected loss is $1.8 billion of recurring revenue across custodians, exchanges, wallets, and regulated tokenization platforms. Project Eleven only needs to capture a sliver of that to justify a multi-billion-dollar outcome.

The competitive landscape is sparse. Zama is building FHE primitives, not signature replacement. Mina is post-quantum-friendly by design but is a separate L1, not a migration vendor. AWS KMS and Google Cloud HSM will eventually offer turnkey post-quantum signing — but a hyperscaler racing to ship general PQC services is not the same thing as a domain-expert team that has actually shipped production tooling for Bitcoin.

The risk for Project Eleven is the same one any "infrastructure for inevitability" startup faces: if the migration takes too long, customers don't budget for it; if it happens too fast, it gets absorbed by cloud vendors before Project Eleven can build distribution. The Series A buys the runway to be the default during the awkward middle period.

What Builders, Custodians, and Holders Should Do Now

The practical steps are unglamorous and don't require waiting on Bitcoin governance:

  1. Audit public-key exposure, not just address reuse. Any P2PKH or P2WPKH address that has spent and still holds a balance has broadcast its public key. P2PK outputs carry the key in the output script, and Taproot (P2TR) outputs carry the tweaked output key in the script, so both are exposed whether or not they have ever spent. Sweep funds to fresh addresses you haven't transacted from, and stop reusing them.
  2. Avoid P2PK and legacy formats. If your custody stack still touches them, plan migration to single-use modern address types.
  3. Track BIP-360 / BIP-361 progress. The activation calendar matters more than the spot price for long-horizon holders.
  4. For institutions: start the discovery phase now. NIST and the Federal Reserve both recommend completing inventory and migration planning within two to four years. That includes HSM vendor roadmaps, KYT pipelines, and treasury policy.
  5. For builders: design new systems with crypto-agility. Protocols that hard-code ECDSA today will pay a higher migration cost than those that abstract signature schemes behind an interface.
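Steps 1 and 2 as a script you can run over your own UTXO export. This is an added example, not Project Eleven's or Bitcoin Core's code; it assumes you can pull each output's raw scriptPubKey and a has-ever-spent flag from your node or indexer, and the sample UTXOs are constructed. It goes one step past the text in two places: Taproot outputs are counted as exposed before any spend because the tweaked output key sits in the script, and unrecognised script types are treated as exposed by policy until someone looks at them.

```python
"""Output-script exposure audit for a Bitcoin UTXO set.

Added example, not code from Project Eleven, Bitcoin Core or the page's
sources. It classifies raw scriptPubKey bytes by output type and decides
whether the spending public key is already public, given whether the
address has ever spent. Sample UTXOs below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    kind: str       # output type
    exposed: bool   # True if a quantum attacker already has a key to target
    reason: str


def classify(script_hex: str, has_spent: bool) -> Exposure:
    """Classify one scriptPubKey. has_spent: has this address ever signed a spend?"""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: PUSH(33|65) <pubkey> OP_CHECKSIG; the key sits in the output itself
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return Exposure("P2PK", True, "public key is in the output script")
    # P2PKH: OP_DUP OP_HASH160 PUSH20 <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return Exposure("P2PKH", has_spent, "only a hash until the first spend reveals the key")
    # P2SH: OP_HASH160 PUSH20 <hash160> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return Exposure("P2SH", has_spent, "redeem script and its keys revealed by the first spend")
    # P2WPKH: OP_0 PUSH20 <hash160>
    if n == 22 and s[:2] == b"\x00\x14":
        return Exposure("P2WPKH", has_spent, "only a hash until the first spend reveals the key")
    # P2WSH: OP_0 PUSH32 <sha256(witness script)>
    if n == 34 and s[:2] == b"\x00\x20":
        return Exposure("P2WSH", has_spent, "witness script and its keys revealed by the first spend")
    # P2TR: OP_1 PUSH32 <x-only tweaked output key>; the key is public from day one,
    # so the key-path spend is attackable whether or not the address ever spent
    if n == 34 and s[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "tweaked output key is in the output script")
    # Policy assumption: anything unrecognised is treated as exposed until reviewed
    return Exposure("unknown", True, "unrecognised script; review manually")


def sweep_list(utxos):
    """utxos: iterable of (label, script_hex, has_spent, btc).
    Returns (label, kind, btc) for funded outputs that should be swept, largest first."""
    flagged = []
    for label, script_hex, has_spent, btc in utxos:
        e = classify(script_hex, has_spent)
        if e.exposed and btc > 0:
            flagged.append((btc, label, e.kind))
    flagged.sort(reverse=True)
    return [(label, kind, btc) for btc, label, kind in flagged]


# Constructed sample scripts (dummy key and hash bytes, not real addresses)
P2PK_SCRIPT = "21" + "02" + "11" * 32 + "ac"   # 33-byte compressed key
P2PKH_SCRIPT = "76a914" + "aa" * 20 + "88ac"
P2WPKH_SCRIPT = "0014" + "bb" * 20
P2TR_SCRIPT = "5120" + "cc" * 32

SAMPLE_UTXOS = [
    ("cold-01", P2PKH_SCRIPT, False, 12.5),   # never spent: key still hidden
    ("hot-02", P2WPKH_SCRIPT, True, 0.8),     # funded again after spending: key public
    ("legacy-03", P2PK_SCRIPT, False, 50.0),  # P2PK: exposed regardless
    ("taproot-04", P2TR_SCRIPT, False, 3.0),  # P2TR: exposed regardless
    ("empty-05", P2PKH_SCRIPT, True, 0.0),    # exposed, but nothing to steal
]

if __name__ == "__main__":
    for label, kind, btc in sweep_list(SAMPLE_UTXOS):
        print(f"sweep {label}: {kind} holding {btc} BTC")
```

The has-spent flag is the piece most wallet exports do not give you directly; derive it from whether any input in the chain's history referenced an output paying to that script, which an indexer or a full node's txindex can answer. Treat the "unknown" bucket as a work queue, not as a safe default.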

Most of these steps are useful even if Q-day never arrives in the form Google's paper describes. They reduce attack surface against classical threats, too.
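Step 5's crypto-agility, and the "conservative hash-based alternative" that FIPS 205 represents in the NIST section above, in working code. This is an added example, not from the page, Project Eleven or NIST. The signature scheme behind it is a textbook Lamport one-time signature: hash-based, the same assumption family as SLH-DSA, but not the standard, and each key may sign exactly once. It is here to show the pattern, not as a drop-in primitive: callers never name an algorithm, they go through a scheme registry and a tagged envelope, deprecation is a policy-table change, and the one-time-key failure mode is refused by the signer rather than left to the caller. Scheme ids are invented for this example.

```python
"""Crypto-agile signature envelope, with a hash-based scheme behind it.

Added example, not code from Project Eleven, NIST or the page's sources.
The scheme is a textbook Lamport one-time signature: hash-based, the same
assumption family as FIPS 205 SLH-DSA, but NOT the standard, and each key
may sign exactly once. It exists here to show the agility pattern: callers
never name a primitive; they use a scheme registry and a tagged envelope.
Scheme ids are invented for this example.
"""
import hashlib
import secrets
from dataclasses import dataclass


def _h(hash_name: str, data: bytes) -> bytes:
    return hashlib.new(hash_name, data).digest()


@dataclass(frozen=True)
class LamportOTS:
    """256-bit Lamport one-time signature over a configurable hash."""
    hash_name: str  # the only scheme parameter, e.g. "sha256" or "sha3_256"

    def keygen(self):
        # sk: 256 pairs of random 32-byte preimages; pk: their hashes
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        pk = [(_h(self.hash_name, a), _h(self.hash_name, b)) for a, b in sk]
        return sk, pk

    def _bits(self, msg: bytes):
        d = int.from_bytes(_h(self.hash_name, msg), "big")
        return [(d >> (255 - i)) & 1 for i in range(256)]

    def sign(self, sk, msg: bytes) -> bytes:
        # reveal one preimage per bit of the message digest
        return b"".join(sk[i][b] for i, b in enumerate(self._bits(msg)))

    def verify(self, pk, msg: bytes, sig: bytes) -> bool:
        if len(sig) != 256 * 32:
            return False
        return all(
            _h(self.hash_name, sig[32 * i:32 * i + 32]) == pk[i][b]
            for i, b in enumerate(self._bits(msg))
        )


# Registry: adding or retiring a scheme is a table change, not a code change
REGISTRY = {
    "lamport-sha256": LamportOTS("sha256"),
    "lamport-sha3-256": LamportOTS("sha3_256"),
}
# Verification policy: drop an id here to deprecate it for every verifier
ALLOWED = frozenset(REGISTRY)


class AgileSigner:
    def __init__(self, scheme_id: str):
        self.scheme_id = scheme_id
        self.scheme = REGISTRY[scheme_id]
        self.sk, self.pk = self.scheme.keygen()
        self.used = False  # one-time key: a second signature reveals more preimages

    def sign(self, msg: bytes) -> dict:
        if self.used:
            raise RuntimeError("one-time key reuse refused")
        self.used = True
        return {"scheme": self.scheme_id, "sig": self.scheme.sign(self.sk, msg)}


def agile_verify(pk, msg: bytes, envelope: dict, allowed=ALLOWED) -> bool:
    """Hard-fail on unknown or deprecated scheme ids: no silent fallback."""
    scheme_id = envelope.get("scheme")
    if scheme_id not in allowed or scheme_id not in REGISTRY:
        return False
    return REGISTRY[scheme_id].verify(pk, msg, envelope["sig"])


def demo() -> dict:
    """Round trip, tampered message, swapped scheme tag, deprecation, key reuse."""
    msg = b"pq-pubkey-commitment-v1"  # constructed payload
    signer = AgileSigner("lamport-sha256")
    env = signer.sign(msg)
    out = {
        "valid": agile_verify(signer.pk, msg, env),
        "tampered_msg": agile_verify(signer.pk, msg + b"!", env),
        "wrong_scheme_tag": agile_verify(signer.pk, msg, {**env, "scheme": "lamport-sha3-256"}),
        "deprecated": agile_verify(signer.pk, msg, env, allowed=frozenset({"lamport-sha3-256"})),
    }
    try:
        signer.sign(b"second message")
        out["reuse_refused"] = False
    except RuntimeError:
        out["reuse_refused"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real migration: the envelope tags the scheme rather than inferring it from signature length, so a verifier can refuse a retired algorithm outright instead of guessing, and the signer, not the caller, owns the state that makes one-time or stateful hash-based keys safe. That second point is exactly why SLH-DSA was standardised as a stateless scheme.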

The Bigger Picture: Quantum Migration Is the New Y2K — Except Real

The Y2K analogy is overused, but it's structurally apt. A long-warned, technical, governance-heavy upgrade with an externally imposed deadline, where success is invisible and failure is catastrophic. Y2K cost the global economy an estimated $300–600 billion to remediate. The post-quantum migration will likely cost more, because the install base is larger and the systems being upgraded include public blockchains that no one company controls.

Project Eleven's $20 million is the first serious admission that Bitcoin can't ignore the calendar any longer. Optimism's 10-year roadmap is the first serious admission from a major L2. Google's March 31 paper is the first serious admission from a quantum incumbent that the timeline is shorter than the industry assumed.

By 2027, expect three things: at least one BIP related to post-quantum address types reaching activation status (BIP-360 is the leading candidate), every major institutional custodian publishing a quantum readiness statement, and at least two more startups closing rounds in the Project Eleven mold. By 2030, post-quantum signing will be a checkbox in every enterprise crypto procurement RFP.

Q-day may or may not arrive on Google's schedule. The migration to defend against it has already started, and the window for getting ahead of it is narrowing fast.

BlockEden.xyz operates enterprise-grade RPC and indexing infrastructure across 15+ chains. As post-quantum standards mature and chain-level migrations roll out, our nodes are the layer where new signature schemes, address types, and dual-support windows actually need to work in production. Explore our API marketplace to build on infrastructure designed for the long arc of cryptographic transition.

Sources