Frequently Asked Questions
Clear answers to the most important questions about quantum computing threats to cryptocurrency and how to interpret QRC scores.
The Quantum Threat
What is Q-Day and when will it happen?
Q-Day (sometimes called Y2Q) refers to the future moment when a cryptographically relevant quantum computer (CRQC) becomes powerful enough to break the encryption protecting most of today’s digital infrastructure, including cryptocurrencies.
Expert estimates vary significantly. The Global Risk Institute’s 2024 Quantum Threat Timeline suggests a 33% probability that Q-Day arrives before 2035. Recent algorithmic breakthroughs have led some researchers to revise estimates to around 2030. NIST has directed federal agencies to complete migration to quantum-resistant cryptography by 2035, while the EU recommends critical infrastructure be protected by 2030.
The uncertainty exists because Q-Day depends on simultaneous breakthroughs in quantum hardware (millions of stable qubits), error correction (reducing noise to usable levels), and algorithmic efficiency. Different quantum computing approaches—superconducting circuits, trapped ions, photonics—face different challenges, making precise timelines impossible.
How do quantum computers break cryptocurrency?
Quantum computers threaten cryptocurrency through two primary algorithms:
Shor’s algorithm (published 1994) can solve the mathematical problems underlying ECDSA, EdDSA, RSA, and other public-key cryptography in polynomial time. This means a sufficiently powerful quantum computer could derive your private key from your public key, forge your digital signature, and steal your funds. Current estimates suggest breaking a 256-bit elliptic curve key (used by Bitcoin, Ethereum, and most cryptocurrencies) would require approximately 2,330 logical qubits—or 12-20 million physical qubits with today’s error correction technology.
Grover’s algorithm provides a quadratic speedup for brute-force searches, effectively halving the security level (in bits) of symmetric encryption and hash functions. AES-256 would retain 128-bit security under quantum attack, which is still considered safe. SHA-256 would similarly retain adequate security margins. This is why hash functions are a lower concern than signatures.
What is “Harvest Now, Decrypt Later” and why does it matter now?
Harvest Now, Decrypt Later (HNDL) is a strategy where adversaries collect encrypted data today with the intention of decrypting it once quantum computers become available. A September 2025 Federal Reserve paper specifically analyzed this threat to Bitcoin and other distributed ledgers, warning that blockchain’s permanent, public transaction history makes it uniquely vulnerable.
Because blockchain transactions are immutable and contain exposed public keys, anyone who has copied the ledger (which is publicly available) could potentially identify wallet ownership and transaction patterns once quantum decryption becomes possible. This threat exists today—even though Q-Day hasn’t arrived. Data with long-term sensitivity (10+ years) is already at risk.
The HNDL Timeline Problem
If your data needs to remain private for 10 years, and migration to quantum-safe cryptography takes 2 years, and Q-Day arrives in 2030—you needed to start migrating in 2018. For new transactions, migration must begin now to ensure protection before quantum computers mature.
Understanding QRC Scores
How does QRC score cryptocurrencies?
QRC uses a 7-dimension weighted scoring model to measure quantum resistance. Higher scores indicate better protection—a score of 100 represents full quantum resistance, while 0 indicates critical vulnerability. Our V5.1 scoring engine evaluates 49 cryptocurrencies across these dimensions:
| Dimension | Weight | What It Measures |
|---|---|---|
| Signature Resistance | 35% | Quantum strength of signature algorithms (ECDSA vs XMSS vs ML-DSA) |
| Consensus Security | 15% | Whether network operation depends on quantum-vulnerable signatures |
| Key Protection | 15% | Percentage of value behind unexposed public keys |
| Crypto-Agility | 12% | Ability to upgrade cryptographic primitives quickly |
| Hash Strength | 8% | Post-Grover security margin of hash functions |
| Pairing-Free Status | 8% | Avoidance of BLS signatures and KZG commitments |
| Operational Mitigations | 7% | Active measures reducing quantum exposure |
A Dependency Multiplier is applied to wrapped assets and cross-chain tokens, reducing their scores because they inherit vulnerabilities from underlying protocols. See our full methodology documentation for detailed scoring formulas.
What do the risk bands (GREEN, YELLOW, RED) mean?
GREEN: 71-100
Quantum-Ready
Currently 1 cryptocurrency. These projects have deployed quantum-resistant cryptography or have comprehensive protections significantly reducing quantum exposure.
YELLOW: 31-70
Upgrade Recommended
Currently 12 cryptocurrencies. Partial vulnerabilities exist but projects show awareness and are taking steps toward mitigation. Monitor migration progress.
RED: 0-30
Action Needed
Currently 36 cryptocurrencies (73.5% of tracked assets). These use vulnerable cryptography, have high key exposure, and show minimal progress toward quantum resistance.
How often are scores updated?
QRC scores undergo weekly review cycles. Major announcements—such as successful PQC migrations, new quantum-resistant proposals, or significant protocol upgrades—trigger 48-hour reassessment. Quarterly deep methodology reviews ensure our scoring weights remain aligned with the evolving threat landscape. The most recent update was December 4, 2025.
Cryptographic Vulnerabilities
What is ECDSA and why is it vulnerable?
ECDSA (Elliptic Curve Digital Signature Algorithm) is the signature scheme used by Bitcoin, Ethereum, and most major cryptocurrencies. It relies on the mathematical difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP)—given a public key point on an elliptic curve, finding the private key scalar is computationally infeasible for classical computers.
Shor’s algorithm solves ECDLP efficiently on a quantum computer. A 256-bit elliptic curve (secp256k1 used by Bitcoin, or Curve25519 used by others) would require approximately 2,330 logical qubits to break. With current error correction overhead, this translates to 12-20 million physical qubits—still beyond current technology but potentially achievable within a decade.
Importantly, ECC keys are actually more vulnerable than RSA keys of equivalent classical security. A 256-bit ECC key (128-bit classical security) falls to a smaller quantum computer than a 2048-bit RSA key (112-bit classical security) because elliptic curve operations require different quantum circuit constructions.
What are BLS signatures and KZG commitments, and why are they concerning?
BLS signatures (Boneh-Lynn-Shacham) use pairing-based cryptography to enable signature aggregation—combining thousands of signatures into one compact proof. Ethereum’s beacon chain aggregates over 100,000 BLS signatures per slot. While efficient, BLS relies on the same elliptic curve mathematics vulnerable to Shor’s algorithm.
KZG commitments (Kate-Zaverucha-Goldberg) are polynomial commitment schemes used for data availability sampling in Ethereum’s EIP-4844 (Proto-Danksharding). They’re also pairing-based and quantum-vulnerable. Unlike user signatures which can be individually upgraded, KZG is embedded in Ethereum’s consensus layer.
This creates a systemic risk: breaking BLS/KZG doesn’t just threaten individual wallets—it threatens the network’s ability to reach consensus. An attacker could impersonate validators, halt block production, or reverse transactions. This is why our Pairing-Free Status dimension specifically penalizes protocols using these primitives.
What is key exposure and why does it matter?
Key exposure refers to whether your public key is visible on the blockchain. A quantum computer can only derive your private key if it knows your public key. Different blockchain architectures handle this differently:
UTXO model (Bitcoin): Public keys are only revealed when you spend from an address. If you receive funds to a fresh address and never spend, your public key remains hidden behind a hash. Estimates suggest approximately 25-35% of Bitcoin has exposed public keys (from spending transactions, P2PK addresses, or address reuse).
Account model (Ethereum): Public keys are revealed on your first outgoing transaction and remain permanently exposed. Once you’ve ever sent a transaction, your address is quantum-vulnerable forever. This affects approximately 88% of Ethereum’s supply.
Key exposure determines immediate theft risk. Low exposure buys time for migration; high exposure means funds are vulnerable the moment quantum computers arrive.
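An added example (not from the original page) of the exposure check described above for Bitcoin's UTXO model: it matches each output script against the standard templates and totals the value whose public key is already on chain. The wallet data is constructed, `spent_from` is a hypothetical input listing scripts that have already been spent from, and Taproot (P2TR) is counted as exposed because its output carries the key directly, which goes beyond the cases the page lists.

```python
# Added example, not from the original page. Values and key bytes are constructed.
EXPOSED_AT_REST = {"P2PK", "P2TR"}  # the output script itself carries a public key

def script_type(spk_hex):
    """Match a scriptPubKey against the standard Bitcoin output templates."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"   # only HASH160(pubkey) is on chain until spent
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"    # OP_1 <32-byte x-only output key>
    return "UNKNOWN"

def classify(utxo, spent_from):
    """spent_from: scripts that already appeared as a spent input (key revealed)."""
    kind = script_type(utxo["spk"])
    if kind in EXPOSED_AT_REST:
        return "exposed_in_output"
    if kind == "UNKNOWN":
        return "needs_review"
    return "exposed_by_reuse" if utxo["spk"] in spent_from else "hidden"

def audit(utxos, spent_from):
    """Sum satoshis per exposure status and return (totals, exposed_fraction)."""
    totals = {}
    for u in utxos:
        status = classify(u, spent_from)
        totals[status] = totals.get(status, 0) + u["sats"]
    exposed = sum(v for k, v in totals.items() if k.startswith("exposed"))
    total = sum(totals.values())
    return totals, (exposed / total if total else 0.0)

# Constructed wallet: five outputs with repeated filler bytes in place of real keys.
P2PK = "21" + "02" + "11" * 32 + "ac"
FRESH = "76a914" + "22" * 20 + "88ac"
REUSED = "76a914" + "55" * 20 + "88ac"
SEGWIT = "0014" + "33" * 20
TAPROOT = "5120" + "44" * 32
UTXOS = [{"spk": P2PK, "sats": 100_000}, {"spk": FRESH, "sats": 400_000},
         {"spk": REUSED, "sats": 150_000}, {"spk": SEGWIT, "sats": 300_000},
         {"spk": TAPROOT, "sats": 50_000}]
SPENT_FROM = {REUSED}  # this address has signed a transaction before
```

Calling `audit(UTXOS, SPENT_FROM)` returns the satoshi totals per status together with the fraction of value sitting behind an exposed key.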
Post-Quantum Solutions
What are NIST’s post-quantum cryptography standards?
In August 2024, the U.S. National Institute of Standards and Technology (NIST) published three Federal Information Processing Standards (FIPS) for post-quantum cryptography:
| Standard | Algorithm | Purpose | Based On |
|---|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Key encapsulation | Module lattices |
| FIPS 204 | ML-DSA (Dilithium) | Digital signatures | Module lattices |
| FIPS 205 | SLH-DSA (SPHINCS+) | Digital signatures | Hash functions |
FALCON (a lattice-based signature with compact sizes) will be published as FIPS 206. HQC (a code-based key encapsulation mechanism) was selected for standardization in March 2025 as an additional option.
These algorithms are designed to resist both quantum and classical attacks and can interoperate with existing communications protocols. They represent the culmination of NIST’s 8-year post-quantum cryptography standardization project.
Why are post-quantum signatures so much larger?
Current ECDSA signatures are remarkably compact: 64-72 bytes with 33-byte public keys. Post-quantum alternatives require significantly more space because they rely on different mathematical structures:
| Algorithm | Public Key | Signature | Notes |
|---|---|---|---|
| ECDSA (current) | 33 bytes | 64-72 bytes | Quantum vulnerable |
| ML-DSA-44 | ~1,312 bytes | ~2,420 bytes | NIST Level 1 |
| ML-DSA-65 | ~1,952 bytes | ~3,293 bytes | NIST Level 3 |
| FALCON-512 | ~897 bytes | ~666 bytes | Compact signatures |
| SLH-DSA (SPHINCS+) | Variable | 7-49 KB | Stateless, hash-based |
This size increase has significant implications for blockchains: larger transactions mean higher fees, reduced throughput, and increased storage requirements. Migration strategies must account for these tradeoffs, which is why crypto-agility—the ability to upgrade cryptographic primitives efficiently—is a key scoring dimension.
What is crypto-agility and why does it matter?
Crypto-agility is the ability of a system to quickly and efficiently transition between cryptographic algorithms. A highly crypto-agile blockchain can upgrade its signature scheme without requiring years of contentious debate, hard forks, or ecosystem-wide coordination.
Key factors affecting crypto-agility include governance speed (how quickly changes can be proposed and approved), account flexibility (whether users can upgrade individually or must wait for network-wide changes), and ecosystem readiness (availability of PQC tooling, testnets, and developer resources).
Bitcoin, for example, has demonstrated 22+ month timelines for major upgrades (SegWit, Taproot). Polkadot’s forkless upgrade mechanism and on-chain governance can deploy changes in weeks. This difference significantly impacts preparedness timelines and is reflected in our Crypto-Agility scoring dimension.
Protecting Your Holdings
Is my Bitcoin/Ethereum safe right now?
Today, yes. No quantum computer exists that can break cryptocurrency cryptography. Current machines have only hundreds of qubits; breaking ECDSA requires millions of high-quality, error-corrected qubits. The largest numbers factored using Shor’s algorithm on real quantum hardware are tiny (21 = 3 × 7).
The future is less certain. Expert timelines for Q-Day range from the early 2030s to beyond 2045. NIST recommends beginning migration now and completing it by 2035. The EU’s 2025 roadmap targets critical infrastructure protection by 2030.
Your specific risk depends on several factors: which cryptocurrency you hold (check our Rankings), whether your public key is exposed, and how long you intend to hold. Long-term holders face greater HNDL risk than active traders who regularly move funds to new addresses.
What can I do to reduce my quantum risk today?
While you cannot eliminate quantum risk from current-generation cryptocurrencies, you can reduce exposure:
What’s the realistic timeline for action?
Based on current expert consensus and regulatory guidance:
| Timeframe | Expected Developments |
|---|---|
| Now – 2026 | Begin cryptographic inventory, assess exposure, monitor project PQC roadmaps |
| 2026 – 2028 | Major cryptocurrencies should have concrete migration proposals; early testnets |
| 2028 – 2030 | Production deployments of hybrid (classical + PQC) schemes; critical infrastructure protected (EU target) |
| 2030 – 2035 | Complete migration to quantum-resistant cryptography (NIST/NSA target); possible Q-Day arrival |
A University of Kent study estimated that migrating all vulnerable Bitcoin addresses would require approximately 76 days of dedicated block space—or roughly 2 years if 25% of blocks are used for migration. This underscores why preparation must begin well before Q-Day.
Not Investment Advice
Nothing on this site constitutes financial, investment, or legal advice. Quantum resistance is one factor among many affecting cryptocurrency value. Always conduct your own research and consult qualified professionals before making investment decisions.
Last updated: December 4, 2025 | Scoring Engine V5.1
