A stark warning from Coinbase's top quantum computing advisors has sounded the alarm for the entire crypto sector: Bitcoin and Ethereum must begin immediate preparations for quantum threats. The advisory board, comprising leading cryptographers including Scott Aaronson and Dan Boneh, published a position paper stating with 'high confidence' that large-scale quantum computers will eventually be built, making current blockchain encryption vulnerable. While the quantum threat isn't immediate, the report emphasizes that migration to post-quantum cryptography can no longer be treated as a distant problem, urging the industry to develop concrete implementation roadmaps before fault-tolerant quantum computing arrives.

Coinbase Puts Bitcoin And Ethereum Devs On Notice

At the same time, it stresses that breaking current public-key cryptography still requires a machine far beyond today’s devices, and that the threat remains an engineering challenge rather than an imminent market event. NIST’s recommendation that post-quantum migrations should be completed by 2035 features prominently in that framing, though the authors add that they are “not confident” cryptographically relevant quantum computers will not exist by then or later.

Still, the report pushes hard against complacency. “Waiting for it to be urgent is not a good idea,” the authors write. “The discussion regarding quantum computing often revolves around the timeline. However, we believe that this debate on timelines is largely irrelevant (beyond that it is not imminent) since migrations should be planned for and prepared now.”

The advisory board argues that post-quantum protection is needed at both the consensus layer, where validators sign blocks, and the execution layer, where users sign transactions. The catch is that the cleanest cryptographic replacements are often much heavier than the elliptic-curve systems chains use today, especially once signature size, verification cost and aggregation are taken into account.

For Bitcoin, the report draws a distinction between UTXOs whose public keys remain hidden behind hashes and outputs where the cleartext public key is already exposed on-chain. It cites an estimate from Project 11 that about 6.9 million BTC sit in UTXOs for which the cleartext public key is known, including roughly 1.7 million BTC in older pay-to-public-key outputs, among them the so-called Satoshi coins. Those are the coins that would be most vulnerable to a harvest-now, break-later style attack once a sufficiently capable quantum machine exists.

The Bitcoin section does not read like a call for panic. It notes that Grover’s algorithm is unlikely to hand quantum miners an edge over classical ASICs anytime soon, because the overhead of running the quantum search remains too high. But it does outline practical mitigation ideas, including a commit-reveal approach for spending pre-quantum UTXOs more safely and an “Hourglass” proposal that would cap spending of exposed P2PK outputs at 1 BTC per block, effectively turning dormant coins into a canary rather than an instant jackpot.

Ethereum’s path in the paper is more expansive. The authors say the network faces four quantum-sensitive surfaces: EOA transaction signing at the execution layer, BLS validator signatures at the consensus layer, pairing-based proof systems in the EVM, and KZG commitments in the data layer. The report says Ethereum’s current direction is to move to hash-based signatures for both consensus and execution, using leanXMSS for validators and leanSPHINCS for user-level execution, then compressing the resulting signature load through SNARK-based aggregation. In that design, the on-chain aggregate signature would be on the order of 128KB.

More broadly, the paper recommends staged migration rather than abrupt replacement. At the consensus layer, it proposes periodic post-quantum checkpoints that can anchor prior history even before a full switchover.

At the execution layer, it favors a “1-out-of-2” approach, where users can sign with either the current elliptic-curve scheme or a post-quantum scheme, allowing chains to keep today’s costs low while preserving the option to disable legacy signatures later. “We firmly believe that a large-scale fault-tolerant quantum computer will eventually be built,” the authors write. “This doesn’t mean that the threat is imminent… However, we believe that the time to begin preparing for it is now.”

At press time, Bitcoin traded at $77,974.