Every Major Blockchain Uses Encryption Quantum Computers Are Built to Break
The cryptographic signatures that secure Bitcoin, Ethereum, and Solana — worth a combined $2.1 trillion in market capitalization — all rely on mathematical problems that a sufficiently powerful quantum computer, running Shor's algorithm, can solve in polynomial time. The hardware does not exist today. The math, however, has been settled since 1994, and every year the engineering gap narrows.
Key Takeaways
- Bitcoin, Ethereum, and most major blockchains depend on the elliptic curve digital signature algorithm (ECDSA) with the secp256k1 curve — a scheme that Shor's algorithm, running on a sufficiently powerful quantum computer, can break in polynomial time.
- An estimated 6.9 million BTC ($690 billion at $100,000 per coin) sit in addresses where the public key is already exposed on the blockchain, according to a Deloitte analysis, making those funds vulnerable the moment a cryptographically relevant quantum computer comes online.
- Solana uses Ed25519 instead of ECDSA, but Ed25519 relies on the same discrete logarithm problem that Shor's algorithm targets — offering no quantum advantage over Bitcoin or Ethereum's signature scheme.
Bitcoin, Ethereum, and Solana all sign transactions with quantum-vulnerable curves
Three blockchains account for roughly 72% of the total cryptocurrency market capitalization as of April 2026. Bitcoin and Ethereum both generate key pairs and sign transactions using ECDSA over the secp256k1 elliptic curve. Solana chose a different curve — Ed25519, built on Curve25519 — but the underlying security assumption is identical: the elliptic curve discrete logarithm problem (ECDLP) is too hard for classical computers to solve in any practical timeframe.
That assumption holds against every classical attack known today. It does not hold against Shor's algorithm. Peter Shor demonstrated in 1994 that a quantum computer with enough stable qubits could solve both integer factorization and discrete logarithm problems in polynomial time, reducing a computation that would take classical hardware billions of years to one that finishes in hours or days.
"The entire public-key infrastructure of the internet was designed around problems that quantum computers are specifically optimized to solve," said Dr. Michele Mosca, a quantum computing researcher at the University of Waterloo and co-founder of the Institute for Quantum Computing. "Cryptocurrency is simply the most visible subset of that infrastructure."
Smaller chains are not exempt. Litecoin, Bitcoin Cash, and Dogecoin share Bitcoin's secp256k1 curve. Avalanche, BNB Chain, and Polygon use the same ECDSA implementation as Ethereum. A single mathematical breakthrough — or a single engineering milestone in qubit stability — would threaten all of them simultaneously.
ECDSA secp256k1 protects $2.1 trillion in cryptocurrency market value
Secp256k1 is a Koblitz curve defined by the Standards for Efficient Cryptography Group. Bitcoin adopted it in 2009. Ethereum followed in 2015. The curve operates over a 256-bit prime field and generates private keys as random 256-bit integers, with corresponding public keys derived through elliptic curve point multiplication — a one-way function on classical hardware.
Bernstein analysts, in an April 2026 research note on post-quantum migration timelines, estimated that assets secured directly by secp256k1 exceed $2.1 trillion. That figure includes Bitcoin, Ethereum, and every EVM-compatible chain that inherited Ethereum's key derivation logic. It does not include tokens held on centralized exchanges, where custody keys — also ECDSA-based — sit behind additional layers of institutional security.
Reversing secp256k1 point multiplication classically would require approximately 2^128 operations, a number so large that no computer built from conventional transistors could complete it before the heat death of the sun. Shor's algorithm rewrites that equation. On a fault-tolerant quantum computer, the same reversal drops to a polynomial function of the key length — on the order of thousands of logical operations rather than 2^128.
A Coinbase advisory board report published in April 2026 framed the gap between current quantum hardware and that threshold as a matter of "years, not decades." The report recommended that institutional holders begin evaluating post-quantum cryptographic standards immediately, even if deployment remains premature.
Ed25519 on Solana faces the same discrete logarithm exposure as ECDSA
Solana selected Ed25519 for transaction signing when the protocol launched in 2020. Ed25519 uses the Curve25519 twisted Edwards curve, which operates over a different prime field than secp256k1 and produces shorter, faster signatures. In benchmarks, Ed25519 verification runs roughly four times faster than ECDSA secp256k1 verification — a meaningful advantage for a chain processing 65,000 transactions per second.
Speed, however, does not translate into quantum resistance. Ed25519 derives its security from the same ECDLP that protects secp256k1. The curve is different. The field is different. The vulnerability is the same. Shor's algorithm attacks the discrete logarithm structure of any elliptic curve, regardless of which specific curve parameters the protocol chose.
John Martinis, a Nobel Prize-winning physicist and former head of Google's quantum hardware team, addressed this misconception during a panel at the Quantum World Congress in March 2026. "Switching from one elliptic curve to another is like changing the lock on a door that the attacker plans to remove entirely," Martinis said. "The curve parameters do not matter once a machine can solve the underlying mathematical problem."
Solana's development team has acknowledged the exposure. The Solana Foundation published a Winternitz vault proposal in late 2025 that uses hash-based one-time signatures as an opt-in quantum-resistant alternative. Adoption remains minimal. The vault requires a new transaction flow that most Solana wallets have not yet integrated, and the one-time nature of the signatures creates usability friction that Ed25519 does not impose.
Exposed public keys create a direct path from blockchain data to private keys
The quantum threat to cryptocurrency is not theoretical in isolation. It depends on a practical condition: the attacker needs the public key. Blockchain protocols handle public key exposure differently, and that difference determines which funds are at immediate risk when — not if — a cryptographically relevant quantum computer (CRQC) becomes operational.
Bitcoin's oldest address format, Pay-to-Public-Key (P2PK), stores the full public key directly in the transaction output. Those keys have been sitting on the blockchain since 2009, readable by anyone. Newer formats — P2PKH, P2WPKH, and P2TR — hash the public key before storing it, but the protection disappears the moment the address owner sends a transaction. Spending requires revealing the public key in the signature script, and that revelation is permanent.
Ethereum operates differently and, from a quantum perspective, worse. Every Ethereum transaction broadcasts the sender's public key as part of the ECDSA signature recovery process. There is no hash-protected dormant state. An Ethereum address that has sent even one transaction has an exposed public key — and most active addresses have sent hundreds.
Deloitte analysts, in a 2025 report that has become the most widely cited source on the topic, described exposed public keys as "a standing invitation that does not expire." The data is on-chain, immutable, and accessible to anyone running a full node. A harvest-now-decrypt-later strategy requires no special access to blockchain data — the information is already public.
An estimated 6.9 million BTC sit in addresses with on-chain public keys
The Deloitte Netherlands blockchain team analyzed the entire Bitcoin UTXO set and identified 6.9 million BTC — approximately 34% of the circulating supply — held in addresses where the public key is visible on the blockchain. At $100,000 per bitcoin, that figure represents $690 billion in value sitting behind a cryptographic lock that Shor's algorithm is designed to pick.
The 6.9 million figure breaks down by address type. P2PK outputs, the oldest format, account for roughly 1.7 million BTC. These include addresses widely attributed to Bitcoin's pseudonymous creator, Satoshi Nakamoto, who mined early blocks before P2PKH became the default. The remaining 5.2 million BTC sit in P2PKH, P2WPKH, and P2TR addresses that have broadcast at least one spending transaction, permanently revealing the public key in the process.
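For outputs at rest, a split like this starts from the locking-script template of each UTXO. The following is an added example, not Deloitte's method or code from this article: it matches the P2PK, P2PKH and P2WPKH templates only, returns everything else as unclassified, and does not look at spend history, so a hashed output whose key was revealed by an earlier spend still shows as hash-only. All scripts and amounts are constructed.

```python
# Added example: scripts and amounts are constructed, not real chain data.
from collections import defaultdict
from typing import Optional, Tuple

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
P2PKH_HEAD = bytes([OP_DUP, OP_HASH160, 0x14])      # 0x14 = push 20 bytes
P2PKH_TAIL = bytes([OP_EQUALVERIFY, OP_CHECKSIG])

def classify_script(script_hex: str) -> Tuple[str, Optional[bool]]:
    """Return (template, key_in_output); key_in_output is None if unknown."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33 or 65> <SEC-encoded pubkey> OP_CHECKSIG
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        compressed = len(s) == 35 and s[1] in (0x02, 0x03)
        uncompressed = len(s) == 67 and s[1] == 0x04
        if compressed or uncompressed:
            return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == P2PKH_HEAD and s[23:] == P2PKH_TAIL:
        return "p2pkh", False
    # P2WPKH: OP_0 <20-byte hash>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    return "other", None

def exposure_totals(utxos):
    """Sum satoshis per bucket for an iterable of (script_hex, sats)."""
    totals = defaultdict(int)
    for script_hex, sats in utxos:
        _, key_in_output = classify_script(script_hex)
        bucket = {True: "key_in_output", False: "hash_only",
                  None: "unclassified"}[key_in_output]
        totals[bucket] += sats
    return dict(totals)

SAMPLE_UTXOS = [  # constructed
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000),   # P2PK, compressed key
    ("41" + "04" + "22" * 64 + "ac", 5_000_000_000),   # P2PK, uncompressed key
    ("76a914" + "33" * 20 + "88ac", 120_000_000),      # P2PKH
    ("0014" + "44" * 20, 75_000_000),                  # P2WPKH
    ("6a04deadbeef", 0),                               # OP_RETURN data
]

if __name__ == "__main__":
    for script_hex, sats in SAMPLE_UTXOS:
        print(classify_script(script_hex), sats)
    print(exposure_totals(SAMPLE_UTXOS))
```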
Dr. Michele Mosca has described the situation as a "countdown that started the day each key was exposed." The only variable, Mosca said, is how long the countdown runs before a CRQC reaches sufficient scale. Funds in addresses that have never sent a transaction remain protected by their hash layer — a defense that buys time but does not eliminate the risk, since the holder must eventually spend and expose the key to move funds to a quantum-safe address.
Equivalent data for Ethereum is harder to isolate because Ethereum's account model exposes the public key on every outbound transaction by default. A conservative estimate, based on the number of externally owned accounts (EOAs) that have sent at least one transaction, puts the exposure count above 200 million addresses — though the concentration of value is smaller than Bitcoin's because large institutional holdings often sit in smart contract wallets rather than plain EOAs.
Smart contract platforms face a larger attack surface than UTXO chains
Bitcoin's UTXO model treats each unspent output as a discrete unit. A quantum attacker targeting Bitcoin would need to identify specific UTXOs with exposed keys, derive the corresponding private keys, and broadcast competing transactions before the legitimate owner moves the funds. The attack is per-UTXO, per-key, and bounded by the transaction confirmation time.
Ethereum and Solana present a broader target. On account-based chains, a single private key controls the entire balance of an externally owned account, all tokens held in that account, and any permissions granted to that account in decentralized finance protocols. Breaking one Ethereum EOA private key gives the attacker access not just to the ETH balance but also to every ERC-20 token, every NFT, and every DeFi position linked to that address.
The Coinbase advisory board report, which surveyed quantum risk across the top 50 blockchain networks by market capitalization, noted that "account-based architectures concentrate more value behind a single key derivation than UTXO systems, making the expected return per quantum attack higher on platforms like Ethereum and Solana." The report stopped short of estimating aggregate exposure but flagged DeFi total value locked — approximately $95 billion across all chains as of April 2026 — as an additional risk surface beyond direct token balances.
Smart contracts themselves add another dimension. Multisig wallets, governance contracts, and bridge validators all authenticate through ECDSA or Ed25519 signatures. A quantum attacker who can forge a signature does not need to find a bug in the contract logic — the attacker can simply impersonate an authorized signer. Protocol treasuries, cross-chain bridges, and DAO governance tokens sit behind the same elliptic curve assumptions as individual wallets.
Transaction-signing windows create a race between miners and quantum attackers
Even addresses that have never exposed a public key face a narrow window of vulnerability each time the holder initiates a transaction. Signing a Bitcoin transaction reveals the public key in the mempool — the waiting area where unconfirmed transactions sit before a miner includes them in a block. On Bitcoin, that window lasts an average of 10 minutes. On Ethereum, it is roughly 12 seconds. On Solana, the slot time drops to 400 milliseconds.
A quantum attacker monitoring the mempool could, in theory, extract the public key from a pending transaction, run Shor's algorithm to derive the private key, construct a competing transaction sending the funds to an attacker-controlled address, and broadcast it with a higher fee to front-run the original. The feasibility of this attack depends entirely on how fast the quantum computation runs — a variable that no one can measure today because the hardware does not yet exist.
Bernstein analysts addressed this scenario directly: "If Shor's algorithm execution time falls below a chain's block confirmation window, no transaction on that chain is safe regardless of prior key hygiene," the April 2026 research note stated. Bitcoin's 10-minute block time offers the largest buffer. Solana's 400-millisecond slot time offers the smallest — though the computational cost of breaking Ed25519 in under half a second remains far beyond any projected quantum timeline.
John Martinis offered a more measured view. "People focus on the mempool race, but that is the last attack vector to worry about," Martinis said. "Long before any quantum machine can break a key in ten minutes, it will be able to break keys that have been sitting exposed on-chain for years. The static keys are the first domino."
The static-key threat and the mempool-race threat represent two distinct timelines. Exposed keys — the 6.9 million BTC identified by Deloitte, plus the hundreds of millions of Ethereum and Solana addresses with broadcast public keys — become vulnerable the moment a CRQC can run Shor's algorithm at scale, regardless of how long the computation takes. The mempool race only matters once the computation becomes fast enough to fit inside a block confirmation window. The first timeline is closer. The second may never arrive if post-quantum signature schemes replace ECDSA and Ed25519 before quantum hardware reaches that speed.
If the cryptocurrency industry completes its migration to quantum-resistant signatures before a CRQC reaches the static-key threshold, the mempool-race scenario becomes moot. If the migration stalls — delayed by governance disputes, wallet fragmentation, or simple apathy — the $690 billion in exposed Bitcoin alone would represent the largest single pool of extractable value in the history of cryptography.
This article is part of QuantumShield's quantum computing wiki.
This is not financial advice. Data as of May 3, 2026.