The attack has already started. Not against quantum-resistant systems. Against yours.
Nation-state intelligence agencies run mass data collection programs at internet scale. PRISM, XKeyscore, Tempora. These are not conspiracy theories. They are documented programs, revealed through classified document disclosures and court filings. The infrastructure exists, is funded, and runs continuously. It hoovers up encrypted traffic indiscriminately, stores it, and waits.
The strategy is called Harvest Now, Decrypt Later. The acronym is HNDL. The logic is simple: collect everything today that you cannot break today. When the cryptographic tools to break it arrive, decrypt retroactively. The data has already been captured. The only variable is time.
What HNDL Means for Blockchain Specifically
Traditional HNDL targets TLS-encrypted communications: HTTPS sessions, VPN tunnels, encrypted email. Those are valuable but perishable. The content of a negotiation from 2020 is less actionable in 2035.
Blockchain is categorically different in three ways that make it the ideal HNDL target.
First, the data is permanent. Every Bitcoin transaction ever executed is stored in a public ledger that will exist as long as nodes exist. There is no expiry. An adversary who captures Bitcoin’s transaction history today has it forever.
Second, the data is already public. There is no collection step required. Every transaction, every address, every signature is on a public ledger accessible to anyone with a node. Intelligence agencies do not need to intercept Bitcoin traffic. They can download the entire chain right now. The HNDL “harvest” phase is trivially complete for any blockchain with a public ledger.
Third, each output contains a cryptographic signature tied to a public key, and that public key is mathematically linked to a private key via ECDSA. When a cryptographically relevant quantum computer (CRQC) arrives, the private key can be derived from the public key. With the private key, the adversary can spend any funds at any address whose public key has been exposed.
The ECDSA Problem
ECDSA (Elliptic Curve Digital Signature Algorithm) is the signature scheme used by Bitcoin, Ethereum, and most other blockchains. Its security rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a public key Q = k * G, where G is a generator point and k is the private key, finding k from Q is computationally infeasible on classical hardware.
Shor’s algorithm, when run on a sufficiently large fault-tolerant quantum computer, solves ECDLP in polynomial time. The security disappears entirely. It is not weakened; it is broken.
Current estimates put the cost of breaking a 256-bit elliptic curve key (Bitcoin’s secp256k1) at approximately 4,000 fault-tolerant logical qubits running Shor’s algorithm. The exact figure varies by paper and implementation approach, with some estimates ranging from 2,300 to 4,100 logical qubits. The key word is logical: physical qubits require error correction, and current error rates demand roughly 1,000 physical qubits per logical qubit. Current quantum processors are approaching this threshold.
Bitcoin’s Specific Exposure
Not all Bitcoin addresses are equally exposed. The exposure depends on whether the public key is visible on-chain.
P2PK outputs (Pay-to-Public-Key): The earliest Bitcoin transaction format, used extensively by Satoshi Nakamoto in the genesis era. The full public key is stored directly in the output script. Every coin in a P2PK output is quantum-vulnerable right now, without waiting for any additional transactions. There are an estimated 1 million BTC in P2PK outputs.
P2PKH with address reuse: Pay-to-Public-Key-Hash addresses put only a hash of the public key on-chain, adding one layer of protection. But when you spend from a P2PKH address, the full public key is revealed in the transaction input script (scriptSig). Any address that has ever spent funds has its public key exposed. Addresses that received funds but never spent them retain their hash protection, but only until they spend. Given the prevalence of address reuse, a large fraction of Bitcoin’s supply has already exposed public keys.
Multisig and P2SH: Exposure depends on whether the redeem script, and the public keys embedded in it, has been revealed through a spend.
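The three cases above reduce to a mechanical check on a UTXO’s scriptPubKey and, if it has been spent, the scriptSig of the spending input. The following is an added illustration (not code from the article or from QNTM) that classifies legacy output scripts and reports which public keys an on-chain observer can already read; all sample scripts are constructed, and the 20-byte hash pushes are placeholders rather than real HASH160 values.

```python
OP_0, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0, 0x76, 0x87, 0x88, 0xA9, 0xAC, 0xAE

def parse(script):
    """Split a script into pushed data (bytes) and opcodes (int); direct pushes (1..75 bytes) only, enough for legacy scripts."""
    items, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if 1 <= op <= 75:                      # opcode value is the push length
            items.append(script[i:i + op]); i += op
        else:
            items.append(op)
    return items

def is_pubkey(item):
    """Compressed (0x02/0x03, 33 bytes) or uncompressed (0x04, 65 bytes) secp256k1 point encoding."""
    return isinstance(item, bytes) and ((len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4))

def classify(spk):
    """Output type of a scriptPubKey: p2pk, p2pkh, p2sh or unknown."""
    it = parse(spk)
    h160 = lambda x: isinstance(x, bytes) and len(x) == 20   # a 20-byte HASH160 push
    if len(it) == 2 and is_pubkey(it[0]) and it[1] == OP_CHECKSIG:
        return "p2pk"
    if len(it) == 5 and it[:2] == [OP_DUP, OP_HASH160] and h160(it[2]) and it[3:] == [OP_EQUALVERIFY, OP_CHECKSIG]:
        return "p2pkh"
    if len(it) == 3 and it[0] == OP_HASH160 and h160(it[1]) and it[2] == OP_EQUAL:
        return "p2sh"
    return "unknown"

def exposed_pubkeys(spk, script_sig=b""):
    """Public keys an on-chain observer can read from this output and, if given, the input that spends it."""
    kind = classify(spk)
    if kind == "p2pk":
        return [parse(spk)[0]]        # key is in the output itself: exposed from the moment it is funded
    if not script_sig:
        return []                     # P2PKH/P2SH carry only a hash until spent
    items = parse(script_sig)
    if kind == "p2pkh":
        return [x for x in items[-1:] if is_pubkey(x)]            # scriptSig = <sig> <pubkey>
    if kind == "p2sh" and isinstance(items[-1], bytes):
        return [x for x in parse(items[-1]) if is_pubkey(x)]      # last push is the redeemScript (e.g. m <keys> n CHECKMULTISIG)
    return []

# Constructed sample scripts (not real chain data; hash pushes are zero-filled placeholders).
push = lambda d: bytes([len(d)]) + d
PK_A, PK_B, SIG = bytes([2] + [0x11] * 32), bytes([3] + [0x22] * 32), bytes([0x30] + [0x44] * 70 + [1])
P2PK_OUT = push(PK_A) + bytes([OP_CHECKSIG])
P2PKH_OUT = bytes([OP_DUP, OP_HASH160]) + push(bytes(20)) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_SPEND = push(SIG) + push(PK_A)
REDEEM = bytes([0x51]) + push(PK_A) + push(PK_B) + bytes([0x52, OP_CHECKMULTISIG])   # 1-of-2 multisig redeemScript
P2SH_OUT, P2SH_SPEND = bytes([OP_HASH160]) + push(bytes(20)) + bytes([OP_EQUAL]), bytes([OP_0]) + push(SIG) + push(REDEEM)
```

Run `exposed_pubkeys` over your own UTXO set with and without the spending scriptSig to see which outputs are exposed today and which remain hash-protected only until their next spend.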
Research published in 2022 (Webber et al., “The impact of hardware specifications on reaching quantum advantage over the best classical algorithm for factoring and discrete logarithms”) estimated that approximately 4 million Bitcoin addresses had exposed public keys at the time of analysis. At Bitcoin’s price at the time of writing, that represents a multi-hundred-billion-dollar target.
The Chain Cannot Be Patched Retroactively
This is the structurally fatal problem. Bitcoin’s blockchain is immutable by design. The 800,000+ blocks committed since 2009 cannot be altered. Every P2PK output, every spent P2PKH address, every multisig script with a revealed redeemScript is permanently recorded with its public key.
Bitcoin developers have discussed quantum migration proposals. The most serious involve a freeze-and-migrate approach: freeze vulnerable UTXOs at a certain block height, allow owners to migrate keys to a post-quantum scheme with a proof of ownership using the current key. But this requires consensus across thousands of nodes and miners, a social coordination problem that has proven nearly impossible for far less contentious changes. And it does nothing for people who lose their keys, or who are not paying attention to protocol governance, or whose heirs inherit funds and do not know what a UTXO is.
There is no soft fork path. There is no opt-in migration that protects the existing history. The historical chain exists as it was written.
The Timeline: IBM’s Qubit Roadmap
IBM published a public quantum roadmap projecting 100,000 physical qubits by 2033. Google’s Willow chip demonstrated 105 physical qubits with below-threshold error correction in late 2024. Quantinuum has demonstrated logical qubit operations with error rates approaching fault-tolerance thresholds.
The fault-tolerant logical qubit target for ECDSA is approximately 4,000. At 1,000 physical qubits per logical qubit, that is 4 million physical qubits. IBM’s 2033 target of 100,000 physical qubits falls short, but roadmaps accelerate, competitors enter, and error correction techniques improve. The consensus among NIST cryptographers is not “if” but “when,” with serious estimates clustering in the 2030-2040 window.
The HNDL math is unambiguous: if harvesting happens in 2026 and decryption capability arrives in 2035, any data captured in 2026 is broken in 2035. For blockchain data, “captured” already happened. The entire history of every public blockchain has been trivially archivable since day one.
What QNTM Does Differently
QNTM uses ML-DSA (NIST FIPS 204) as its native signature scheme from the genesis block. There is no ECDSA anywhere in the protocol. Not in consensus. Not in wallet key derivation. Not in transaction signing.
This means there is no historical ECDSA data to harvest. An adversary archiving QNTM’s blockchain today captures ML-DSA signatures. ML-DSA’s security rests on the hardness of Module Learning With Errors (MLWE), a lattice problem for which no known quantum algorithm provides an exponential speedup. Shor’s algorithm does not apply. Grover’s algorithm provides only a quadratic speedup, which is accounted for in the security parameter selection.
A QNTM address from the genesis block will be as secure in 2040 as it is today. The same cannot be said for any Bitcoin address whose public key has ever been on-chain.
Urgency Is Now, Not When Quantum Computers Arrive
The framing of “we have years before quantum computers can break Bitcoin” is technically correct and practically dangerous. It treats a storage problem as a computation problem.
The storage step is already done. For any adversary with the motivation to collect and archive public blockchain data, that collection requires nothing more sophisticated than a Bitcoin full node and a hard drive. The compute step, breaking ECDSA, comes later. But the window for protecting against the compute step closes the moment data is captured.
For funds held at a Bitcoin address that has ever spent an output, the capture is already complete. For any new transaction you execute on Bitcoin today, the capture is complete the moment it hits the mempool.
The question is not “when will quantum computers arrive?” The question is “who is already archiving this data, and how long until they can break it?”
The answer to the first question is: nation-states with harvest-now-decrypt-later mandates, adversarial intelligence agencies, and sophisticated threat actors with long time horizons. The answer to the second is: within the careers of people working in this industry today.
The time to switch to a quantum-safe chain is not the week before a CRQC is demonstrated. It is now.
Key Takeaways
- HNDL is an active strategy: adversaries collect encrypted data today and decrypt it when the tools arrive.
- Blockchain is uniquely vulnerable because all data is public, permanent, and already collected.
- An estimated 4 million Bitcoin addresses have exposed public keys that will be breakable by a CRQC.
- ECDSA cannot be patched into Bitcoin’s historical chain. The vulnerability is structural and immutable.
- IBM, Google, and Quantinuum are approaching the fault-tolerant qubit thresholds required to break 256-bit ECDSA.
- QNTM uses ML-DSA from genesis. There is no ECDSA history to harvest.