news · 2026-05-08

NIST PQC standards finalized — what it means for crypto wallets

NIST finalized the first three post-quantum cryptographic standards in August 2024. Two years on, where the crypto industry actually is on migration.

In August 2024, NIST published the first three finalized post-quantum cryptographic standards: FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, derived from Dilithium), and FIPS 205 (SLH-DSA, derived from SPHINCS+). Federal agencies were given a migration timeline running into the early 2030s. Two years on, where is the crypto industry?

What the standards actually do

FIPS 203 covers key encapsulation — establishing shared secrets without using vulnerable Diffie-Hellman primitives. FIPS 204 and FIPS 205 cover digital signatures, the primitive that crypto wallets actually use. ML-DSA is lattice-based and faster; SLH-DSA is hash-based and conservative.

Bitcoin, Ethereum, and most major chains today use ECDSA (or Ed25519 for some Solana operations). Both are vulnerable to a sufficiently capable quantum computer running Shor’s algorithm.

The migration question

For federal use, NSA’s CNSA 2.0 mandates a transition timeline: new systems should be PQC-capable by 2027, with most legacy systems migrated by 2033-2035. The timeline reflects when a quantum computer of relevant scale is expected to be available.

For crypto, the situation is messier:

  • Bitcoin has had several proposals (BIP-360, BIP-X variants) for adding PQC signatures, but none has gone past draft status. Implementation would require either a soft-fork to a new address type or a hard-fork — neither imminent.
  • Ethereum has rough roadmap items mentioning PQC for the long term, but no concrete EIP-PQC has shipped.
  • A handful of newer chains (QANplatform, IOTA’s Coordicide proposals, Quranium) ship with PQC primitives natively. None has the user base of major chains.

What this means in practice: by the time Bitcoin and Ethereum migrate, transaction-level PQC adoption will lag the standards by a decade or more.

“Harvest now, decrypt later” — already operational

The slow chain-level migration matters because adversaries are storing public-key data today to break later:

  • Every Bitcoin transaction reveals the public key when funds are spent (P2PKH addresses expose only the hash until first spend; P2PK exposes from creation).
  • Every Ethereum transaction exposes the public key.
  • Recorded blockchain data is permanent, so every public key exposed today remains available to attack when Q-Day arrives.

This means the threat clock has already started for any address that has ever sent a transaction. The earlier you migrate (or the earlier you move funds to PQC-protected storage), the smaller the harvested data set is.
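To make the exposure rules above concrete, here is an added example (not code from this article or from any wallet project) that sorts a wallet's unspent outputs by whether the public key is already visible on chain. It goes beyond the P2PK and P2PKH cases named above to cover the other standard output types, and it assumes the `spent_from_before` flag comes from your own wallet history; all sample scripts are constructed placeholders.

```python
from typing import Optional

def classify_script_pubkey(s: bytes):
    """Return (script_type, pubkey_visible_before_spend or None if unknown)."""
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG -- key is in the output itself
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    # Witness programs: OP_0 <20|32 bytes> are hashes; OP_1 <32 bytes> (P2TR)
    # carries an x-only public key, so it is visible from creation like P2PK.
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    return "unknown", None

def key_exposed(script: bytes, spent_from_before: bool) -> Optional[bool]:
    """A hash-only output is still exposed if its address has already spent."""
    _, at_rest = classify_script_pubkey(script)
    return None if at_rest is None else (at_rest or spent_from_before)

def exposure_report(utxos):
    """Sum satoshis per exposure bucket for (script, sats, spent_from_before)."""
    report = {"exposed": 0, "hash_only": 0, "unknown": 0}
    for script, sats, reused in utxos:
        e = key_exposed(script, reused)
        report["unknown" if e is None else "exposed" if e else "hash_only"] += sats
    return report

# Constructed sample inventory: placeholder key and hash bytes, not real outputs.
PUBKEY, H160 = b"\x02" + bytes(32), bytes(20)
P2PKH = b"\x76\xa9\x14" + H160 + b"\x88\xac"
SAMPLE_UTXOS = [
    (b"\x21" + PUBKEY + b"\xac", 5_000_000_000, False),  # P2PK
    (P2PKH, 100_000, False),                             # P2PKH, never spent from
    (P2PKH, 250_000, True),                              # P2PKH, address reused
    (b"\x00\x14" + H160, 40_000, False),                 # P2WPKH
    (b"\x51\x20" + bytes(32), 75_000, False),            # P2TR
    (b"\x51", 1_000, False),                             # non-standard script
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS))
```

Outputs in the `unknown` bucket need manual review; bare multisig, for example, also places public keys directly in the output script.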

What changed in 2025-2026

A few real shifts since the standards finalized:

  • Hardware support. Trusted Platform Modules (TPMs) shipping in 2025 server hardware include PQC primitive support. Hardware wallets follow ~12-18 months later, so the first PQC-supporting hardware wallets are landing now.
  • Library maturity. The reference implementations of ML-DSA and SLH-DSA have stabilised. Multiple independent audits have confirmed the implementations match the standards.
  • Q-Day estimates moved earlier. IBM and Google researchers in 2026 are putting “sufficient capability for ECDSA” at 8-15 years out, down from 15-25 years in 2022. The trajectory keeps shortening.

What this means for retail

If you hold crypto with a horizon of months: nothing. ECDSA isn’t breaking soon enough to matter.

If you hold with a 5-10 year horizon: marginal. The threat window opens in this period. Diversification into PQC-protected storage is reasonable for the genuinely long-hold portion of a stack.

If you hold with a 10+ year horizon (multi-decade BTC, generational wealth, locked-up presale tokens with very long unlocks): yes, this is something to plan around. Untouched receiving-only addresses are safer than active addresses. PQC-native cold storage is safer still.

What we expect over the next 24 months

  • More wallets will add nominal PQC features. Most will be wrappers on top of ECDSA. Read past the marketing.
  • Bitcoin’s PQC discussion will move from BIPs to implementation pilots. Mainnet deployment is unlikely in the 24-month window.
  • Ethereum’s PQC discussion remains theoretical. EIP-level work hasn’t begun.
  • A handful of PQC-native chains will mature; ecosystem support remains the gating factor for adoption.

The honest summary

NIST has done its part. The standards are finalised, the implementations are mature, the timeline is published. What’s missing is migration on the chains that hold the bulk of crypto wealth — and that migration is years away.

For most retail, this isn’t an emergency. For the long-hold portion of a serious stack, it’s worth diversifying into storage that doesn’t bet exclusively on ECDSA surviving the next decade.

Editorial. Not advice.