Coinbase Explores Post-Quantum Encryption For Blockchain

Quantum computers are expected to be built at a size that is commercially useful in a mere few years, from maybe just 2028 to the mid-2030s, depending on the estimate and the exact capacity targeted.

This would be great for solving extremely complex mathematical problems to solve questions about material sciences in semiconductors, aerospace, battery, or solve proteins 3d configuration, or discover new lifesaving pharmaceuticals.

But the same capacity could be used to break encryption methods on which the modern world is built. This is why, for example, all major US banks are being forced to speed up their adoption of lattice-based cryptography, a method that is believed to be quantum-proof.

In the same way, cryptocurrencies could be in danger if the encryption that makes cryptos so secure could suddenly be broken.

Dies ist besonders problematisch, da zukünftige Quantencomputer die Verschlüsselung von Daten, die heute gesammelt werden, knacken könnten, selbst wenn diese noch unknackbar ist, aber später entschlüsselt werden könnte, eine Methode, die als „Harvest Now, Decrypt Later“ (HNDL) bezeichnet wird.

In that context, the leading actors in blockchain and cryptocurrencies are moving fast as well to prepare for the eventual emergence of quantum computers.

Einer von ihnen ist Coinbase, which published its report “Quantum Computing & Blockchain” addressing these concerns and looking into the possible solution the blockchain community could and should adopt in time to avoid any real security issue.

“We have high confidence that a large-scale, fault-tolerant quantum computer (FTQC) will eventually be built. As such, blockchains and the wider cryptographic ecosystem must prepare for this eventuality.”

Coinbase’s Quantum Report Overview

In the overview of this report, Coinbase starts by reminding that the National Institute of Standards and Technology (NIST) recommends that post-quantum (PQ) migrations should be carried out by 2035. It also points out that this timeline for preparation, leaving only 9 years, might even be optimistic.

“We are not confident that cryptographically relevant quantum computers (CRQC) will not exist by 2035 or later, as recent research raises the possibility that the timeline may be shorter.”

The report is divided into 6 major segments plus an annex of “additional readings”, covering the topic extensively:

1. Quantum Computing Overview and the Current State of the Art.
2. Post-Quantum Cryptography (PQC).
3. Post-Quantum Cryptography and the Consensus Layer.
4. Post-Quantum Cryptography and the Execution Layer.
5. Post-Quantum Plans for Major Blockchains.
6. Post-Quantum Security Beyond Signing.

Quantum Computing Overview

This first part resumes what a quantum computer is, what it can do, and how the technology has progressed so far.

In short, quantum computers use superposition and other quantum effects to grow their computing power exponentially for each additional “qubit” (the quantum equivalent of normal computer bits), instead of linearly.

“ The power of quantum computers is directly related to the fact that, to describe a superposition with N qubits, one needs a list of 2^N parameters. When (say) N=1000, this is already more parameters than could be written down in the observable universe.”

As mentioned, such a computer would be ideal for simulations of the physical world and breaking encryption. It could also be used to train more efficiently AIs, a topic we uncovered previously in our article “Does Quantum Computing Have A First Real-World Use Case".

The main limit in building a quantum computer is the hardware, which is incredibly hard to manufacture and to keep in a quantum state long enough that qubits can be trusted and perform any useful calculation.

This can be improved from two fronts: reducing the physical error rate for two-qubit gates and designing fault-tolerance schemes able to cope with higher error rates.

“To perform fault-tolerant quantum computation (FTQC), one will also constantly need to measure the physical qubits, to find out where errors have occurred and what needs to be done to correct them.”

Recent improvement in error correction indicates that 99.9% accurate two-qubit gates

might be sufficient, a much lower and realistically achievable number than initially expected (99.9999%). More importantly, this has already been achieved by Quantinuum (part of Honeywell (HON ), folgen Sie dem Link für den zugehörigen Anlagebericht) and Google for individual qubits.

If this accuracy can be maintained when scaling to tens or hundreds of thousands of physical qubits, it will theoretically suffice for FTQC.

The report also gives an overview of the main hardware type being explored by quantum computing companies and researchers:

• Superconducting.
• Trapped-ion.
• Neutral atom.
• Photonik.
• Topologische.

In conclusion, the article notes that while not immediately ready, there is no reason to assume that quantum computers will not be able to break the highest levels of current encryption, and blockchain/cryptocurrencies will not exist.

Post-Quanten-Kryptographie (PQC)

Post-quantum cryptography is essential if we want the financial system as a whole, as well as military systems, to stay safe from quantum computers.

This type of encryption should also be able to run on normal-design and capacity computers.

“Post-quantum cryptography is run on classical computers and is secure against quantum attackers. This is in contrast to things like QKD (quantum key distribution), which requires the (honest) users to use quantum systems.”

Two of the leading methods are lattice-based and hash-based:

• Lattice-based: Traditional cryptographic methods like RSA and ECC are built on periodic structures in groups that Shor’s algorithm can solve efficiently by finding their “period”. In contrast, lattice-based cryptography does not rely on such structures.
• Hash-based: A very secure, but also very computing-power-hungry encryption method.

“The faster signing variant of SLH-DSA hash-base cryptography has signatures about 250 times larger than ECDSA with signing time about 1,000 times slower. Deploying these schemes on blockchains will clearly be very challenging.”

Quelle: Coinbase

The NIST plays a major role in setting the tone here. In 2024, the National Institute of Standards and Technology (NIST) finalized three different post-quantum cryptography (PQC) standards :

• FIPS 203 – ML-KEM – Ein auf Gitterkryptographie basierender Schlüsselkapselungsmechanismus (KEM), der als Hauptbaustein für die quantensichere Schlüsselerzeugung (z. B. in TLS oder VPNs) gedacht ist.
• FIPS 204 – ML-DSA – Ein primäres digitales Signaturverfahren, ebenfalls gitterbasiert, das für Anwendungsfälle wie Softwaresignatur, Zertifikate und Authentifizierung vorgesehen ist.
• FIPS 205 – SLH-DSA – Ein zustandsloses, hashbasiertes Signaturverfahren, das bewusst auf anderen Annahmen basiert und als „Backup“ dient, falls zukünftige Forschungen Schwächen in gitterbasierten Systemen aufdecken.

Quelle: NIST

Post-Quantum Cryptography and the Consensus Layer

This segment of the report concerns itself with how blockchain specifically could be impacted by quantum-proof encryption, with a focus on the consensus layer.

“Generally, key concerns in migrating to PQ safety is the size of data and cost of computation. An additional challenge is orchestrating active switchover of cryptographic keys by users. ”

The main vulnerabilities stem from Shor’s algorithm, which a powerful PQ computer may use to break classical public-key cryptography.

Blockchains that migrated away from energy-intensive Proof-of-Work and instead rely on solutions to the Byzantine Fault Tolerance (BFT) problem could be more vulnerable. Here it is Shor’s algorithm that is the main threat, as the math behind this method could be solved by quantum computers.

The situation is even worse for blockchains that rely on aggregate and threshold signatures for consensus.

In this system, notably used by Ethereum, votes may be aggregated or thresholded in order to reduce the costs associated with sending validator signatures, verifying, and storing them. Diese Blockchains do not have any easy plug-and-play replacement in order to make them post-quantum secure.

However, the report explained that  Bitcoin’s Proof-of-Work-based Nakamoto Consensus (NC) is only theoretically threatened by another decryption method,  Grover’s attack on hash functions

“In practice, however, Grover’s quadratic speedup does not translate to a real speedup for the puzzle sizes due to the much slower time per qubit operation in a quantum computer versus a highly optimized ASIC used for mining today. Thus, Nakamoto consensus mechanisms are essentially post-quantum secure. ”

Post-Quantum Cryptography and the Execution Layer

This segment of the report concerns itself with how blockchain specifically could be impacted by quantum-proof encryption, with a focus on the execution layer.

Cryptographic signatures attached to transactions authenticate the sender and authorize state changes. All compact signature schemes, such as ECDSA and Schnorr, would need to be replaced with PQ alternatives.

One risk is that the new post-quantum encryption systems are a lot less tried-and-tested than the traditional ones.

“Regarding lattice-based schemes like ML-DSA or FN-DSA, we may be actually downgrading security, since we will be moving to a signature scheme which has much less mileage and has not been studied to nearly the depth of schemes like ECDSA and EdDSA.”

Any scheme for the adoption of post-quantum signing will ideally meet fully a series of criteria defined in this report:

• P1: The transition does not compromise our current security posture.
• P2: The new scheme provides post-quantum security, either as-is or by enabling a fast switch to post-quantum security.
• P3: The new scheme does not add significant cost to the current way of working, at least as long as no quantum threat is imminent.
• P4: The new scheme requires minimal (if any) changes to the blockchain and current way of working, as long as no quantum threat is imminent.

The report then explores different possible strategies and compares them.

Strategy 1 generates private keys as hash outputs. This method allows, when the quantum threat is coming closer, to sign using ECDSA or EdDSA, as a signature can be constructed based on the owner’s knowledge of the preimage of the private key.

Strategy 2 moves to 2-out-of-2 hybrid/double signing. This strategy works by adding a post-quantum signature scheme and requiring that every transaction include both an ECDSA/EdDSA signature as well as a post-quantum signature (e.g., ML-DSA).

Strategy 3 moves to 1-out-of-2 (or more) signing. Similar to strategy 2, but instead of requiring both signatures, it suffices to provide a signature either using the elliptic-curve scheme or the post-quantum scheme.

Quelle: Coinbase

All these methods will require account holders to transfer their balances to new accounts protected by PQ signature schemes, which will be a problem in itself.

“There are millions of owned accounts UTXOs, and at the current transaction rates of blockchains like Bitcoin and Ethereum, it may take months just to commit the sheer volume of switchover transactions. ”

Insgesamt Coinbase recommends using the “move to 1-of-2” strategy, as it deals with the threat without adding cost until it is needed.

Post-Quantum Plans for Major Blockchains

Bitcoin

Bitcoin’s current approach is to ensure that all UTXO public keys can be hidden behind a hash function. This could be mitigated with a change in how public keys are managed.

"The BIP-360 proposal introduces a new taproot output type called Pay-to-Merkle-Root (P2MR) that removes this public key altogether. Once this proposal is enabled on Bitcoin main net, transitioning a P2TR output to a P2MR output will remove this vulnerability.”

Unterdessen some core Bitcoin devElopers are exploring hash-based signatures for Bitcoin. At least, proof-of-work is making the mining network rather secure, which is a strong point for Bitcoin from a quantum risk perspective.

However, a wait-and-see approach is mostly favored at the moment. Coinbase points out that this is not without causing issues, notably as it could damage the prospect of Bitcoin as people start to worry about quantum-related risks.

“We remark that the wait-and-see approach has a price in that it causes market uncertainty. Thus, waiting for the exact migration plan can make sense, but it should come with a clear statement of strategy and preparation to enable speedy migration if needed.”

Ethereum

While more vulnerable to a quantum computer, the Ethereum community also published a detailed plan for mitigating the related issues.

The current plan is to transition to hash-based signatures for both the consensus and execution layers. If a standard cryptographic hash function is used, then this does not introduce new security assumptions to Ethereum.

A debate is still ongoing between stateless and stateful signature options, with stateful shorter signatures a better option for the consensus layer and stateless for the execution layer, so that account owners are protected from mistakes in state management.

Insgesamt Coinbase visualized a post-quantum Ethereum where “validators attest to each block using a stateful hash-based signature scheme, and all the attestations on a specific block will be aggregated into a single proof using a hash-based succinct proof system”.

Solana

Solana created a new vault type, called the Solana Winternitz Vault, a hash-based signature scheme that has a manageable signature size (although signatures are two orders of magnitude bigger than ECDSA signatures).

Once Solana token holders have moved their assets to a new Winternitz-based address, the assets are no longer exposed to a quantum attacker.

In itself, this could prove a major advantage for Solana, as it is a lot more ahead than Bitcoin & Ethereum when it comes to being quantum-ready.

Others: Algorand, Sui, Aptos

Algorand ist unter the first blockchain platforms to deploy post-quantum (PQ) signature schemes in production across both consensus-related mechanisms and the execution layer. This is still partially a work in progress, but it also demonstrates that blockchain technology can move to be quantum-ready quickly in some cases.

Aptos uses a system where the user’s address is not derived from the hash of the user’s public key. Thus, users who want to become post-quantum secure need only sign a transaction that updates their authentication key to a post-quantum public key. There is no need to move assets to a new account.

Unterdessen Auf hat umrissen a number of strategies for migrating to a post-quantum secure chain, but it is not yet clear which of these strategies will be deployed.

Post-Quantum Security Beyond Signing

Transaction signatures and integrity of the blockchain are not the only topics where quantum computers could wreak havoc by breaking encryption.

Ein Beispiel ist threshold signatures, which are used to protect signing keys throughout the blockchain ecosystem.

In that case,  MLDSA, a lattice-based analogue of the Schnorr signature scheme, could be used. A hash-based signature scheme, such as either variant of SLH-DSA, could also be used for applications that need a stronger security assurance.

Ein anderes ist collision-resistant hash functions, used in Merkle trees, Patricia trees, and hash-based proof systems. A priori, this is not a topic where quantum computers are a threat. But potentially, some new quantum algorithm could change that.

The pre-quantum TLS protocol is at risk of an attack called harvest-now-decrypt-later (HNDL). Luckily, post-quantum TLS is already widely deployed on the Internet. For example, in February 2026, over 60% of Cloudflare’s Internet traffic uses the hybrid post-quantum secure cipher suite X25519MLKEM768.

Unterdessen Zero-Knowledge-Proof-Systeme, used in privacy systems, should not be affected. Other privacy systems with quantum-vulnerable transaction data that is meant to remain hidden forever could be more at risk of harvest-now-decrypt-later threats.

Investieren in Coinbase

Dieser Bericht von Coinbase on quantum risks and readiness of the cryptocurrency and blockchain ecosystem is an important one, and reflects on the role played by the company in being a leader of the industry and its innovation. This is a direct consequence of the size and importance the company has taken on over the past few years.

In 2025, Coinbase verfügte über 8 Millionen aktive Konten und war mit 2.4 Millionen BTC der weltweit größte Bitcoin-Verwahrer. Dies entspricht nicht weniger als 12 % des gesamten Bitcoin-Angebots.

Today, besides Coinbase’s main app and crypto exchange, the company has a series of complementary offerings:

• Coinbase Eins, ein Premium-Mitgliedschaftsdienst, der keine Handelsgebühren, erhöhte Staking-Belohnungen und Angebote mit Partnern wie Krypto-Steuerrechner, Krypto-Forschung usw. bietet.
• Coinbase Erweitert, für professionelle Krypto-Händler.
• Coinbase Wallet, für die Selbstverwahrung von Kryptowährungen außerhalb von Börsen sowie von NFTs.
• Coinbase Verdienen Sie, ein Stacking-Service, bei dem Kryptowährungsbesitzer ihre Kryptowährungen sperren können, um Zinsen vom Netzwerk zu erhalten. 230 Millionen Dollar wurden dabei verdient. CoinbaseKunden im Jahr 2023.
• Coinbase Karte, eine Visa-Debitkarte für Einkäufe mit Kryptowährungen, mit 1 % Rückerstattung in Bitcoin bei Zahlung mit USD und 1.5 % in USDC bei Zahlung mit ETH. Die Karte wird überall akzeptiert, wo Visa-Debitkarten akzeptiert werden.
• USD Coin, USDC, eine digitale Stablecoin mit einem Wert, der dem US-Dollar entspricht, versucht, einen „digitalen Dollar“ zu schaffen.

Coinbase ist ein wichtiger Partner für viele Bitcoin-ETFs, für die es die Bitcoins verwahrt, und ist damit ein wichtiger Akteur in der Branche dieser Produkte, der den Besitz von ETFs für Privat- und institutionelle Anleger erleichtert.

Kürzlich wurde gezeigt, dass Coinbase has been actively working on “tokenizing” its stock (and other securities), currently listed “normally” on the Nasdaq.

Von einem frühen und ehrgeizigen Start, Coinbase has grown into becoming a cornerstone of the Bitcoin and crypto industry, especially in the US markets.

This has by far not been a smooth ride, Coinbase having to deal with cybersecurity attacks, unclear regulations, and lawsuits by the SEC, and see its customer services and safety protocol playing catch-up with the company’s growth.

Volatility and risks are a given in the crypto space (and really all investments), and quantum computing could bring some disruption.

But in any case, today’s more mature and dominant Coinbase is well-positioned to capitalize on crypto becoming increasingly mainstream through the growing trends of Bitcoin ETFs, stablecoin, and stock tokenization.

(You can read more from us about the pros and cons of Coinbase als Krypto-Börse in „Coinbase Review – Is it Really the Best Platform?.

Sie können auch mehr darüber lesen Coinbase in unser Investitionsbericht, der dem Unternehmen gewidmet ist.)

Neueste Coinbase (COIN) Aktiennachrichten und Entwicklungen