Coinbase Explores Post-Quantum Encryption For Blockchain

Quantum computers are expected to be built at a size that is commercially useful in a mere few years, from maybe just 2028 to the mid-2030s, depending on the estimate and the exact capacity targeted.

This would be great for solving extremely complex mathematical problems to solve questions about material sciences in semiconductors, aerospace, battery, or solve proteins 3d configuration, or discover new lifesaving pharmaceuticals.

But the same capacity could be used to break encryption methods on which the modern world is built. This is why, for example, all major US banks are being forced to speed up their adoption of lattice-based cryptography, a method that is believed to be quantum-proof.

In the same way, cryptocurrencies could be in danger if the encryption that makes cryptos so secure could suddenly be broken.

Questo è particolarmente problematico poiché i futuri computer quantistici potrebbero decifrare i dati raccolti oggi, anche se ancora inviolabili, ma decodificabili in seguito, secondo un metodo chiamato "Raccolta ora, decrittazione successiva" (HNDL).

In that context, the leading actors in blockchain and cryptocurrencies are moving fast as well to prepare for the eventual emergence of quantum computers.

Uno di questi è Coinbase, which published its report “Quantum Computing & Blockchain” addressing these concerns and looking into the possible solution the blockchain community could and should adopt in time to avoid any real security issue.

“We have high confidence that a large-scale, fault-tolerant quantum computer (FTQC) will eventually be built. As such, blockchains and the wider cryptographic ecosystem must prepare for this eventuality.”

Coinbase’s Quantum Report Overview

In the overview of this report, Coinbase starts by reminding that the National Institute of Standards and Technology (NIST) recommends that post-quantum (PQ) migrations should be carried out by 2035. It also points out that this timeline for preparation, leaving only 9 years, might even be optimistic.

“We are not confident that cryptographically relevant quantum computers (CRQC) will not exist by 2035 or later, as recent research raises the possibility that the timeline may be shorter.”

The report is divided into 6 major segments plus an annex of “additional readings”, covering the topic extensively:

1. Quantum Computing Overview and the Current State of the Art.
2. Post-Quantum Cryptography (PQC).
3. Post-Quantum Cryptography and the Consensus Layer.
4. Post-Quantum Cryptography and the Execution Layer.
5. Post-Quantum Plans for Major Blockchains.
6. Post-Quantum Security Beyond Signing.

Quantum Computing Overview

This first part resumes what a quantum computer is, what it can do, and how the technology has progressed so far.

In short, quantum computers use superposition and other quantum effects to grow their computing power exponentially for each additional “qubit” (the quantum equivalent of normal computer bits), instead of linearly.

“ The power of quantum computers is directly related to the fact that, to describe a superposition with N qubits, one needs a list of 2^N parameters. When (say) N=1000, this is already more parameters than could be written down in the observable universe.”

As mentioned, such a computer would be ideal for simulations of the physical world and breaking encryption. It could also be used to train more efficiently AIs, a topic we uncovered previously in our article “Does Quantum Computing Have A First Real-World Use Case".

The main limit in building a quantum computer is the hardware, which is incredibly hard to manufacture and to keep in a quantum state long enough that qubits can be trusted and perform any useful calculation.

This can be improved from two fronts: reducing the physical error rate for two-qubit gates and designing fault-tolerance schemes able to cope with higher error rates.

“To perform fault-tolerant quantum computation (FTQC), one will also constantly need to measure the physical qubits, to find out where errors have occurred and what needs to be done to correct them.”

Recent improvement in error correction indicates that 99.9% accurate two-qubit gates

might be sufficient, a much lower and realistically achievable number than initially expected (99.9999%). More importantly, this has already been achieved by Quantinuum (part of Honeywell (HON ), seguire il link per il report di investimento associato) and Google for individual qubits.

If this accuracy can be maintained when scaling to tens or hundreds of thousands of physical qubits, it will theoretically suffice for FTQC.

The report also gives an overview of the main hardware type being explored by quantum computing companies and researchers:

• Superconducting.
• Trapped-ion.
• Neutral atom.
• Fotonica.
• Topologico.

In conclusion, the article notes that while not immediately ready, there is no reason to assume that quantum computers will not be able to break the highest levels of current encryption, and blockchain/cryptocurrencies will not exist.

Crittografia post-quantistica (PQC)

Post-quantum cryptography is essential if we want the financial system as a whole, as well as military systems, to stay safe from quantum computers.

This type of encryption should also be able to run on normal-design and capacity computers.

“Post-quantum cryptography is run on classical computers and is secure against quantum attackers. This is in contrast to things like QKD (quantum key distribution), which requires the (honest) users to use quantum systems.”

Two of the leading methods are lattice-based and hash-based:

• Lattice-based: Traditional cryptographic methods like RSA and ECC are built on periodic structures in groups that Shor’s algorithm can solve efficiently by finding their “period”. In contrast, lattice-based cryptography does not rely on such structures.
• Hash-based: A very secure, but also very computing-power-hungry encryption method.

“The faster signing variant of SLH-DSA hash-base cryptography has signatures about 250 times larger than ECDSA with signing time about 1,000 times slower. Deploying these schemes on blockchains will clearly be very challenging.”

Fonte: Coinbase

The NIST plays a major role in setting the tone here. In 2024, the National Institute of Standards and Technology (NIST) finalized three different post-quantum cryptography (PQC) standards :

• FIPS 203 – ML-KEM – Un meccanismo di incapsulamento delle chiavi (KEM) basato sulla crittografia reticolare, concepito come elemento costitutivo principale per la creazione di chiavi sicure contro i computer quantistici (ad esempio, in TLS o VPN).
• FIPS 204 – ML-DSA – Uno schema di firma digitale primario, anch'esso basato su reticoli, destinato a casi d'uso come la firma di software, i certificati e l'autenticazione.
• ‍FIPS 205 – SLH-DSA - Uno schema di firma senza stato basato su hash, costruito deliberatamente su presupposti diversi come "backup" nel caso in cui ricerche future rivelino debolezze nei sistemi basati su reticoli.

Fonte: NIST

Post-Quantum Cryptography and the Consensus Layer

This segment of the report concerns itself with how blockchain specifically could be impacted by quantum-proof encryption, with a focus on the consensus layer.

“Generally, key concerns in migrating to PQ safety is the size of data and cost of computation. An additional challenge is orchestrating active switchover of cryptographic keys by users. ”

The main vulnerabilities stem from Shor’s algorithm, which a powerful PQ computer may use to break classical public-key cryptography.

Blockchains that migrated away from energy-intensive Proof-of-Work and instead rely on solutions to the Byzantine Fault Tolerance (BFT) problem could be more vulnerable. Here it is Shor’s algorithm that is the main threat, as the math behind this method could be solved by quantum computers.

The situation is even worse for blockchains that rely on aggregate and threshold signatures for consensus.

In this system, notably used by Ethereum, votes may be aggregated or thresholded in order to reduce the costs associated with sending validator signatures, verifying, and storing them. Queste blockchain do not have any easy plug-and-play replacement in order to make them post-quantum secure.

However, the report explained that  Bitcoin’s Proof-of-Work-based Nakamoto Consensus (NC) is only theoretically threatened by another decryption method,  Grover’s attack on hash functions

“In practice, however, Grover’s quadratic speedup does not translate to a real speedup for the puzzle sizes due to the much slower time per qubit operation in a quantum computer versus a highly optimized ASIC used for mining today. Thus, Nakamoto consensus mechanisms are essentially post-quantum secure. ”

Post-Quantum Cryptography and the Execution Layer

This segment of the report concerns itself with how blockchain specifically could be impacted by quantum-proof encryption, with a focus on the execution layer.

Cryptographic signatures attached to transactions authenticate the sender and authorize state changes. All compact signature schemes, such as ECDSA and Schnorr, would need to be replaced with PQ alternatives.

One risk is that the new post-quantum encryption systems are a lot less tried-and-tested than the traditional ones.

“Regarding lattice-based schemes like ML-DSA or FN-DSA, we may be actually downgrading security, since we will be moving to a signature scheme which has much less mileage and has not been studied to nearly the depth of schemes like ECDSA and EdDSA.”

Any scheme for the adoption of post-quantum signing will ideally meet fully a series of criteria defined in this report:

• P1: The transition does not compromise our current security posture.
• P2: The new scheme provides post-quantum security, either as-is or by enabling a fast switch to post-quantum security.
• P3: The new scheme does not add significant cost to the current way of working, at least as long as no quantum threat is imminent.
• P4: The new scheme requires minimal (if any) changes to the blockchain and current way of working, as long as no quantum threat is imminent.

The report then explores different possible strategies and compares them.

Strategy 1 generates private keys as hash outputs. This method allows, when the quantum threat is coming closer, to sign using ECDSA or EdDSA, as a signature can be constructed based on the owner’s knowledge of the preimage of the private key.

Strategy 2 moves to 2-out-of-2 hybrid/double signing. This strategy works by adding a post-quantum signature scheme and requiring that every transaction include both an ECDSA/EdDSA signature as well as a post-quantum signature (e.g., ML-DSA).

Strategy 3 moves to 1-out-of-2 (or more) signing. Similar to strategy 2, but instead of requiring both signatures, it suffices to provide a signature either using the elliptic-curve scheme or the post-quantum scheme.

Fonte: Coinbase

All these methods will require account holders to transfer their balances to new accounts protected by PQ signature schemes, which will be a problem in itself.

“There are millions of owned accounts UTXOs, and at the current transaction rates of blockchains like Bitcoin and Ethereum, it may take months just to commit the sheer volume of switchover transactions. ”

Complessivamente, la Coinbase recommends using the “move to 1-of-2” strategy, as it deals with the threat without adding cost until it is needed.

Post-Quantum Plans for Major Blockchains

Bitcoin

Bitcoin’s current approach is to ensure that all UTXO public keys can be hidden behind a hash function. This could be mitigated with a change in how public keys are managed.

"The BIP-360 proposal introduces a new taproot output type called Pay-to-Merkle-Root (P2MR) that removes this public key altogether. Once this proposal is enabled on Bitcoin main net, transitioning a P2TR output to a P2MR output will remove this vulnerability.”

Nel frattempo, some core Bitcoin devfuggitivos are exploring hash-based signatures for Bitcoin. At least, proof-of-work is making the mining network rather secure, which is a strong point for Bitcoin from a quantum risk perspective.

However, a wait-and-see approach is mostly favored at the moment. Coinbase points out that this is not without causing issues, notably as it could damage the prospect of Bitcoin as people start to worry about quantum-related risks.

“We remark that the wait-and-see approach has a price in that it causes market uncertainty. Thus, waiting for the exact migration plan can make sense, but it should come with a clear statement of strategy and preparation to enable speedy migration if needed.”

Ethereum

While more vulnerable to a quantum computer, the Ethereum community also published a detailed plan for mitigating the related issues.

The current plan is to transition to hash-based signatures for both the consensus and execution layers. If a standard cryptographic hash function is used, then this does not introduce new security assumptions to Ethereum.

A debate is still ongoing between stateless and stateful signature options, with stateful shorter signatures a better option for the consensus layer and stateless for the execution layer, so that account owners are protected from mistakes in state management.

Complessivamente, la Coinbase visualized a post-quantum Ethereum where “validators attest to each block using a stateful hash-based signature scheme, and all the attestations on a specific block will be aggregated into a single proof using a hash-based succinct proof system”.

solario

Solana created a new vault type, called the Caveau di Solana Winternitz, a hash-based signature scheme that has a manageable signature size (although signatures are two orders of magnitude bigger than ECDSA signatures).

Once Solana token holders have moved their assets to a new Winternitz-based address, the assets are no longer exposed to a quantum attacker.

In itself, this could prove a major advantage for Solana, as it is a lot more ahead than Bitcoin & Ethereum when it comes to being quantum-ready.

Others: Algorand, Sui, Aptos

Algorand è tra the first blockchain platforms to deploy post-quantum (PQ) signature schemes in production across both consensus-related mechanisms and the execution layer. This is still partially a work in progress, but it also demonstrates that blockchain technology can move to be quantum-ready quickly in some cases.

Aptos uses a system where the user’s address is not derived from the hash of the user’s public key. Thus, users who want to become post-quantum secure need only sign a transaction that updates their authentication key to a post-quantum public key. There is no need to move assets to a new account.

Nel frattempo, sui ha delineato a number of strategies for migrating to a post-quantum secure chain, but it is not yet clear which of these strategies will be deployed.

Post-Quantum Security Beyond Signing

Transaction signatures and integrity of the blockchain are not the only topics where quantum computers could wreak havoc by breaking encryption.

Un esempio è threshold signatures, which are used to protect signing keys throughout the blockchain ecosystem.

In that case,  MLDSA, a lattice-based analogue of the Schnorr signature scheme, could be used. A hash-based signature scheme, such as either variant of SLH-DSA, could also be used for applications that need a stronger security assurance.

Un altro è collision-resistant hash functions, used in Merkle trees, Patricia trees, and hash-based proof systems. A priori, this is not a topic where quantum computers are a threat. But potentially, some new quantum algorithm could change that.

The pre-quantum TLS protocol is at risk of an attack called harvest-now-decrypt-later (HNDL). Luckily, post-quantum TLS is already widely deployed on the Internet. For example, in February 2026, over 60% of Cloudflare’s Internet traffic uses the hybrid post-quantum secure cipher suite X25519MLKEM768.

Nel frattempo, sistemi a prova di conoscenza zero, used in privacy systems, should not be affected. Other privacy systems with quantum-vulnerable transaction data that is meant to remain hidden forever could be more at risk of harvest-now-decrypt-later threats.

Investire in Coinbase

Questo rapporto di Coinbase on quantum risks and readiness of the cryptocurrency and blockchain ecosystem is an important one, and reflects on the role played by the company in being a leader of the industry and its innovation. This is a direct consequence of the size and importance the company has taken on over the past few years.

Nel 2025, Coinbase Aveva 8 milioni di account attivi ed era il più grande depositario di Bitcoin al mondo, con 2.4 milioni di BTC. Ciò rappresenta non meno del 12% dell'intera offerta di Bitcoin.

Today, besides Coinbase’s main app and crypto exchange, the company has a series of complementary offerings:

• Coinbase Uno, un servizio di abbonamento premium che offre zero commissioni di trading, ricompense di staking potenziate e accordi con partner come il calcolatore delle imposte sulle criptovalute, la ricerca sulle criptovalute, ecc.
• Coinbase Filtri, per i trader professionisti di criptovalute.
• Coinbase PORTAFOGLIO MAGSAFE, per l'autocustodia di criptovalute fuori dagli exchange, nonché di NFT.
• Coinbase Guadagnare, un servizio di stacking in cui i possessori di criptovaluta possono bloccare la propria criptovaluta per guadagnare interessi dalla rete, con 230 milioni di dollari guadagnati da Coinbaseclienti nel 2023.
• Coinbase Carta, una carta di debito Visa per effettuare acquisti utilizzando criptovalute, con l'1% di rimborso in Bitcoin quando si paga con USD e l'1.5% in USDC quando si paga con ETH. La carta è accettata ovunque siano accettate le carte di debito Visa.
• Moneta USD, USDC, una stablecoin digitale con un valore pari al dollaro statunitense, sta cercando di creare un "dollaro digitale".

Coinbase è un partner chiave per molti ETF Bitcoin per i quali detiene la custodia dei Bitcoin, il che lo rende un attore importante nel settore per questi prodotti, semplificando la proprietà degli ETF per investitori individuali e istituzionali.

Recentemente, Coinbase has been actively working on “tokenizing” its stock (and other securities), currently listed “normally” on the Nasdaq.

Da un inizio precoce e ambizioso, Coinbase has grown into becoming a cornerstone of the Bitcoin and crypto industry, especially in the US markets.

This has by far not been a smooth ride, Coinbase having to deal with cybersecurity attacks, unclear regulations, and lawsuits by the SEC, and see its customer services and safety protocol playing catch-up with the company’s growth.

Volatility and risks are a given in the crypto space (and really all investments), and quantum computing could bring some disruption.

But in any case, today’s more mature and dominant Coinbase is well-positioned to capitalize on crypto becoming increasingly mainstream through the growing trends of Bitcoin ETFs, stablecoin, and stock tokenization.

(You can read more from us about the pros and cons of Coinbase come uno scambio di criptovalute in "Coinbase Review – Is it Really the Best Platform?.

Puoi anche leggere di più su Coinbase in il nostro rapporto di investimento dedicato all'azienda.)

Ultimissime Coinbase (COIN) Notizie e sviluppi azionari