wallets · 9 min read · last updated 2026-05-15

Quantum resistance explained — why it matters for long-hold tokens

Q-Day estimates have moved earlier. If you're holding presale tokens through a 5-10 year window, the cryptographic threat is no longer abstract.

Quantum resistance is one of those topics where the discourse is split between “this is years away, calm down” and “this is an existential threat to all crypto, panic”. Both miss the actual threat model.

Here’s what’s true.

What quantum computing actually breaks

Public-key cryptography (RSA, ECDSA, Ed25519) relies on math problems that are easy in one direction and hard in reverse. RSA: factor large numbers. ECDSA: solve the elliptic curve discrete log problem.

A sufficiently capable quantum computer running Shor’s algorithm reduces the time to break ECDSA from “billions of years” to “hours”. This is well-established theory — the question is engineering, not mathematics.

What it does not break:

  • Symmetric encryption (AES). Grover’s algorithm gives only a quadratic (√n) speedup, not an exponential one — AES-256 stays secure with key sizes doubled to 512 bits.
  • Most hash functions (SHA-256). Grover gives the same quadratic speedup against preimage search.

So a post-quantum world means new signature schemes, not new symmetric crypto.

What NIST has standardized

After a six-year competition, NIST finalized in 2024:

  • FIPS 203 (Kyber / ML-KEM) — key encapsulation. For establishing shared secrets.
  • FIPS 204 (Dilithium / ML-DSA) — digital signatures. Lattice-based.
  • FIPS 205 (SPHINCS+ / SLH-DSA) — digital signatures. Hash-based, larger but more conservative assumptions.

Federal agencies (NSA, CISA) have issued migration timelines; most expect federal systems to be migrated by 2030-2035.

For crypto, the relevant standards are Dilithium and SPHINCS+ — both are signature schemes, which is what wallets need.

Where Q-Day estimates actually sit

“Q-Day” is the day a sufficiently capable quantum computer becomes available. Estimates have moved over the last 5 years:

  • 2019 NIST estimate: 25-50 years.
  • 2022: 15-25 years.
  • 2024: 10-20 years.
  • 2026 (current consensus among IBM / Google researchers): 8-15 years for breaking RSA-2048; ECDSA’s threat window is similar.

The trajectory is consistently earlier than expected. If your hold horizon is 10+ years, you’re now inside the conservative threat window.

“Harvest now, decrypt later”

The threat is already operational, even before Q-Day:

  • Adversaries (nation-states, sophisticated criminals) record blockchain transactions today.
  • Public keys are exposed every time a transaction is signed (ECDSA reveals the public key).
  • When Q-Day arrives, the recorded historical public keys can be used to derive private keys.
  • Anyone whose key was ever exposed in a transaction becomes vulnerable retroactively.

This is why “wait and migrate later” doesn’t fully work for inactive addresses — by the time migration is possible, the public key is already harvested.

What this means for crypto wallets

Three risk levels:

  1. Low risk: addresses that have never sent a transaction. Bitcoin’s P2PKH addresses (the kind starting with 1) only expose the hash of the public key, not the key itself. The key is only revealed at first send. Untouched receiving addresses remain quantum-safe even after Q-Day.

  2. Medium risk: addresses that have sent transactions on chains with public-key exposure. Most ETH, BSC, and similar EVM chains expose the public key on every transaction. Once you’ve sent from an address, the public key is on-chain forever.

  3. High risk: addresses with large balances and a long history of activity. Bitcoin’s old P2PK addresses (Satoshi-era) and active high-value ETH addresses are the most at-risk.

If you’re holding presale tokens with a 5-10 year horizon, your wallet is in category 2 the moment you sign your first transaction.
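To make the “is my public key already harvestable?” question from the two sections above concrete, here is an added example (not code from the article or from any wallet vendor) that reads a raw Bitcoin output script, identifies its template, and maps an address onto the three risk levels. It goes slightly beyond the article: taproot (P2TR) outputs carry the 32-byte x-only public key directly, so they expose the key on receipt just like Satoshi-era P2PK, while P2PKH and P2WPKH hide it behind a hash until the first spend. The balance and spend-count thresholds are assumed placeholders.

```python
"""Does this Bitcoin output already expose its public key on-chain?
Added example, not code from the article; thresholds are assumed placeholders."""
from typing import Tuple

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC
LARGE_BALANCE_BTC = 100.0   # assumed cut-off for the article's "large balance" tier
LONG_HISTORY_SPENDS = 10    # assumed cut-off for "long history of activity"


def script_type(script_hex: str) -> str:
    """Identify a scriptPubKey template from its raw hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> OP_CHECKSIG; the key itself sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20]) and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    # P2WPKH: OP_0 <20-byte hash>; key hidden until first spend
    if n == 22 and s[0] == OP_0 and s[1] == 20:
        return "p2wpkh"
    # P2TR: OP_1 <32-byte x-only tweaked key>; exposes the key on receipt
    if n == 34 and s[0] == OP_1 and s[1] == 32:
        return "p2tr"
    return "other"


KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # templates that reveal the key before any spend


def key_exposed(script_hex: str, spend_count: int) -> bool:
    """True once the public key can be read from chain data, i.e. is harvestable."""
    return script_type(script_hex) in KEY_IN_OUTPUT or spend_count > 0


def risk_level(script_hex: str, spend_count: int, balance_btc: float) -> Tuple[int, str]:
    """Map one address to the article's tiers: 1 low, 2 medium, 3 high."""
    kind = script_type(script_hex)
    if not key_exposed(script_hex, spend_count):
        return 1, "public key still hidden behind its hash"
    if balance_btc >= LARGE_BALANCE_BTC and (spend_count >= LONG_HISTORY_SPENDS or kind == "p2pk"):
        return 3, "key exposed, large balance, long history or legacy P2PK"
    return 2, "key already harvestable; migrate before Q-Day"


if __name__ == "__main__":  # constructed samples: filler bytes, not real keys or hashes
    print(risk_level("76a914" + "11" * 20 + "88ac", 0, 5.0))    # untouched P2PKH -> 1
    print(risk_level("76a914" + "11" * 20 + "88ac", 3, 5.0))    # spent P2PKH -> 2
    print(risk_level("2102" + "22" * 32 + "ac", 0, 250.0))      # Satoshi-era P2PK -> 3
    print(risk_level("5120" + "33" * 32, 0, 1.0))               # untouched P2TR -> 2
```

On a real wallet you would feed it each output's scriptPubKey plus the spend count from an indexer; the same “is the key already on-chain?” test is what decides whether waiting to migrate is still an option.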

What “quantum-resistant wallet” actually means

Three different things, in order of strength:

  1. Quantum-resistant in name only. A wallet that adds a Dilithium-style signature on top of normal ECDSA. Doesn’t help — the chain still validates ECDSA, so the chain is still the weak point.

  2. Quantum-resistant via mixing. A wallet that uses CoinJoin / Stealth addresses to hide the public key on-chain, delaying harvest-now-decrypt-later. Better, but doesn’t help on chains where the public key is forced to appear.

  3. Genuinely quantum-resistant. A chain whose consensus uses post-quantum signatures (Dilithium or SPHINCS+) natively, plus a wallet that signs with those primitives. The signature is part of the chain’s protocol, not an add-on.

BMIC.ai is in the third camp — built around NIST’s PQC primitives. Most other “quantum-resistant” products are in the first.

Should you actually care?

Depends on horizon:

  • Holding for weeks or months: no. ECDSA will not break in your holding period.
  • Holding for 1-3 years: probably no. Conservative estimates put Q-Day past this window.
  • Holding for 5-10 years: yes, on the margin. Diversify into PQC-native cold storage for the genuinely long portion of your stack.
  • Holding for 10+ years (e.g. multi-decade BTC plan): absolutely. Inactive untouched addresses are safer than active ones; PQC-native chains are even safer. Plan a migration path.

The honest summary

Quantum resistance is not science fiction. It’s a real, gradual threat with a window opening 8-15 years out and “harvest now, decrypt later” already operational. For short-hold tokens it’s irrelevant. For long-hold tokens — including presale tokens with 24+ month unlock cycles — it’s worth diversifying.

A balanced setup for a serious long-hold position: hardware wallet for the bulk, PQC-native cold storage for the genuinely long-horizon portion. Most retail won’t need the second tier. Some will.


FAQ

Is quantum computing already a threat to Bitcoin?
Not yet. As of 2026, the largest experimentally factored number is still relatively small. But “harvest now, decrypt later” is a real strategy — adversaries are already storing encrypted data to break later. For long-hold value, the threat window starts now.

What does NIST say?
NIST finalized post-quantum cryptography standards in 2024 (FIPS 203, 204, 205) — Kyber (KEM), Dilithium (signatures), SPHINCS+ (signatures). U.S. federal agencies are migrating now. Crypto chains are slower.

Will Bitcoin upgrade to quantum-resistant signatures?
Probably, eventually, via a soft-fork to a new address type. But the upgrade requires every holder to move funds from old (vulnerable) to new (resistant) addresses. Inactive addresses become permanently vulnerable.

Research, not advice. This article is editorial. We are not your financial adviser. Crypto presales can lose 100% of capital.