{"id":25282,"date":"2026-04-07T17:47:44","date_gmt":"2026-04-07T14:47:44","guid":{"rendered":"https:\/\/www.paribu.com\/blog\/?p=25282"},"modified":"2026-04-07T17:47:44","modified_gmt":"2026-04-07T14:47:44","slug":"preparing-for-the-post-quantum-era-paribu-custodys-approach","status":"publish","type":"post","link":"https:\/\/www.paribu.com\/blog\/en\/news\/preparing-for-the-post-quantum-era-paribu-custodys-approach\/","title":{"rendered":"Preparing for the post-quantum era: Paribu Custody&#8217;s approach"},"content":{"rendered":"<p><strong>Baki Er &amp; Alim &#350;ahin<\/strong><i><span style=\"font-weight: 400;\"><br>\nWith contributions from Mehmet Sab&#305;r Kiraz and S&uuml;leyman Karda&#351;<br>\n<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">On March 31, 2026, Google Quantum AI published a whitepaper of direct relevance to the future of blockchain security: <\/span><a href=\"https:\/\/research.google\/blog\/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly\/\"><i><span style=\"font-weight: 400;\">Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/a><span style=\"font-weight: 400;\"> Prepared in collaboration with researchers from the Ethereum Foundation, Stanford, and UC Berkeley, the paper demonstrates that the quantum computing resources required to break the elliptic curve cryptography protecting all major blockchains, including Bitcoin and Ethereum, are far lower than previously estimated.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The research presents two circuit designs for running Shor&rsquo;s algorithm against the 256-bit elliptic curve discrete logarithm problem (ECDLP), the computational hardness assumption underlying elliptic curve cryptographic systems. The first design uses fewer than 1,200 logical qubits and 90 million Toffoli gates; the second uses fewer than 1,450 logical qubits and 70 million Toffoli gates. 
Google estimates these circuits could run in a matter of minutes on a superconducting quantum computer with fewer than 500,000 physical qubits, representing roughly a 20-fold improvement over prior estimates.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Such a machine does not yet exist. Current quantum processors operate with only hundreds to a few thousand physical qubits, and error rates remain far too high for fault-tolerant computation at this scale. That said, Google has publicly committed to a 2029 migration timeline and is known to be running a coordinated transition process with Coinbase, Stanford, and the Ethereum Foundation.<\/span><\/p>\n<h2><b>Why are blockchains at risk?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The digital signature schemes underpinning blockchain security, namely ECDSA, Schnorr, Ed25519, and BLS, all rely on elliptic curve cryptography. Their security rests on the assumption that deriving a private key from a public key is computationally infeasible for classical computers. Quantum computers fundamentally undermine this assumption: Shor&rsquo;s algorithm reduces this problem from exponential classical hardness to polynomial quantum time. This is not merely a theoretical concern; it represents a serious long-term threat to cryptographic security.<\/span><\/p>\n<h3><b>Vulnerabilities in Bitcoin<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The quantum risk to Bitcoin falls under two main categories.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first is addresses whose public keys are already exposed on-chain. Under standard Bitcoin operation, a public key only becomes visible when a spending transaction is made. However, in certain cases the public key is already visible on-chain. 
P2PK (Pay-to-Public-Key) addresses, Taproot outputs, and previously spent P2PKH\/P2WPKH addresses all fall into this category.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once a public key is visible, a sufficiently powerful quantum computer could in principle derive the corresponding private key. According to Project Eleven&rsquo;s analysis, more than 6.2 million BTC, roughly 30% of the circulating supply, currently falls into this category. The situation is especially acute for legacy P2PK addresses, where the public key is embedded directly in the locking script from the outset. This includes approximately 1.7 million BTC, of which roughly 1.1 million BTC is attributed to Satoshi Nakamoto.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The second risk area stems from the design of Taproot itself. Taproot outputs are constructed to include the public key directly as a 32-byte output key. Unlike classical addresses, there is no &ldquo;hidden until spent&rdquo; protection. As a result, funds held in these addresses may be exposed to quantum attack even if they have never moved.<\/span><\/p>\n<h3><b>Ethereum&rsquo;s risk surface<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">In Ethereum, the risk is broader and embedded across multiple layers of the system.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the consensus layer, approximately one million validators rely on the BLS signature scheme, which operates over elliptic curve pairings. KZG commitments, used for data availability, share the same mathematical assumptions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the execution layer, the picture is even more direct: every Externally Owned Account (EOA) uses ECDSA, and a single transaction is enough to expose a public key on-chain.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The risk does not stop there. 
Smart contracts using <\/span><span style=\"font-weight: 400;\">ecrecover<\/span><span style=\"font-weight: 400;\"> and admin keys of upgradeable proxy contracts are also directly exposed to quantum attacks. This is particularly significant for large token systems. Critical privileges in stablecoins such as USDC, including the MasterMinter, blacklister, and pauser roles, are controlled by a small number of keys. If any of these keys were compromised in a future quantum attack, the potential for systemic damage running into the billions is real.<\/span><\/p>\n<h3><b>Solana&rsquo;s structural dependency<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">In Solana, the situation is somewhat different. Ed25519 is not merely a signature scheme; it sits at the center of the system&rsquo;s architecture.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Wallet addresses are derived directly from Ed25519 public keys. Beyond that, nearly every critical process, from transaction signatures and validator identity keys to vote accounts, withdrawal keys, and the SigVerify pipeline, is built on Ed25519. This transforms the post-quantum problem in Solana from a cryptographic vulnerability into a structural and architectural one.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is also a size problem. While Ed25519 keeps signatures compact, post-quantum alternatives carry significantly larger payloads. Falcon-512 requires roughly 16 times more data; ML-DSA-65 requires roughly 45 times more.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This gap may appear manageable in isolation, but it creates a critical bottleneck for Solana. The network&rsquo;s high-throughput, low-latency design is architecturally dependent on small, fast-to-verify signatures. 
Larger signatures directly increase bandwidth requirements, verification costs, and overall performance overhead, putting them in direct tension with Solana&rsquo;s core design assumptions.<\/span><\/p>\n<h2><b>What is the ecosystem doing?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Different blockchain ecosystems are approaching the post-quantum challenge at very different levels of readiness.<\/span><\/p>\n<h3><b>Ethereum: The most structured roadmap<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Ethereum appears to have the most comprehensive preparation process underway. In January 2026, a dedicated Post-Quantum Security team was established within the Ethereum Foundation. Two research grants totaling $2 million were announced: the Poseidon Prize, focused on strengthening the Poseidon hash function, and the Proximity Prize, targeting broader post-quantum cryptography research.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A strawmap published by Justin Drake outlines approximately seven hard forks by 2029, organized around five main goals: faster L1 finality, higher throughput, stronger L2 scaling, post-quantum security, and native privacy. Native account abstraction proposed under EIP-8141 could allow accounts to define their own signature schemes, opening a direct migration path from ECDSA to post-quantum systems. 
At the consensus layer, no replacement for BLS has been finalized, but hash-based signature schemes, particularly leanXMSS, and new aggregation approaches that could make them practical at scale are being actively researched.<\/span><\/p>\n<h3><b>Bitcoin: A fragmented but progressing process<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">On the Bitcoin side, concrete steps toward addressing quantum risk are beginning to emerge.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">BIP-360 (Pay-to-Merkle-Root), proposed in February 2026, stands out as a significant development for enabling more flexible and advanced script structures in Bitcoin. BTQ Technologies conducted tests on the Bitcoin Quantum Testnet in March 2026, demonstrating how ML-DSA-based transaction structures could work in practice. Blockstream tested early examples of post-quantum signed transactions on the Liquid network using SPHINCS+.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Despite this progress, no clear consensus has emerged within the Bitcoin community on migration strategy, mandatory timelines, or which algorithms should be adopted.<\/span><\/p>\n<h3><b>Solana: Early stage<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">On the Solana side, there is no dedicated SIMD or official team focused on post-quantum readiness yet. The most concrete work to date is the threat assessment initiated by the Solana Foundation and Project Eleven in December 2025.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Proposals such as SIMD-0296 (larger transaction payloads) and SIMD-0385 (new transaction format) are under discussion. While they do not offer a direct post-quantum solution, they are seen as prerequisites for infrastructure that could support larger signature sizes. 
Neither proposal has been accepted yet.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Project Eleven&rsquo;s recent tests make the challenge more concrete: post-quantum signatures are technically feasible but come with significant performance costs.<\/span><\/p>\n<h3><b>The broader technology world is further ahead<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Outside the blockchain ecosystem, the picture is considerably more advanced. Signal has been using a hybrid PQ protocol since 2023. Apple has updated iMessage, Google has deployed PQ protections within Chrome&rsquo;s TLS, and Microsoft has updated the Windows cryptography library. Cloudflare reports that more than 60% of human TLS traffic is now PQ-protected. The NSA has mandated the use of ML-KEM and ML-DSA in new classified systems by January 2027. NIST calls for existing public-key cryptography to be retired by 2030 and fully phased out by 2035.<\/span><\/p>\n<h2><b>What is Paribu Custody doing?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Paribu Custody, the developer of the ColdShield&reg; technology that forms the foundation of asset security at Paribu, is among the custody providers that have been tracking the quantum threat most closely from the outset and working on it actively. Concrete steps are being taken on both academic research and long-term roadmap development.<\/span><\/p>\n<h3><b>Academic research<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A comprehensive analysis of quantum vulnerabilities is underway across the Bitcoin, Ethereum, and Solana ecosystems. 
The research evaluates which layers of each blockchain are at risk, the operational implications of current migration proposals, and the suitability of NIST-standardized PQ algorithms for custody infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The scope extends from ecosystem-specific developments such as BIP-360, EIP-8141, and QRAMP discussions to NIST PQC standards including ML-DSA, SLH-DSA, and FN-DSA. It also covers practical considerations such as signature size tradeoffs, hardware wallet constraints, and the compatibility of PQ schemes with custody workflows.<\/span><\/p>\n<h3><b>Roadmap development<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">This research is being translated into a concrete PQ readiness roadmap structured around four pillars.<\/span><\/p>\n<p><b>Blockchain layer:<\/b><span style=\"font-weight: 400;\"> PQC transition proposals, roadmaps, integration requirements, and planning across supported networks are being closely tracked. One of the most significant external dependencies for custody providers is knowing which PQ signature mechanisms supported blockchains will adopt and when. Rather than waiting for this to take shape on its own, Paribu Custody is actively monitoring and planning around it.<\/span><\/p>\n<p><b>Signing infrastructure:<\/b><span style=\"font-weight: 400;\"> The integration of PQ signature schemes into custody operations is being evaluated. Candidate algorithms are being analyzed across dimensions including signature size, verification performance, hardware compatibility, and suitability for MPC-based workflows.<\/span><\/p>\n<p><b>Internal cryptographic stack:<\/b><span style=\"font-weight: 400;\"> Beyond blockchain signing, Paribu Custody is reviewing the PQC compliance of its certificates, encrypted data, authentication mechanisms, TLS connections, and third-party integrations. 
The &ldquo;harvest now, decrypt later&rdquo; threat model, in which encrypted communications are recorded today for future decryption, is taken seriously in the context of long-lived confidential data and infrastructure communications.<\/span><\/p>\n<p><b>Operational hygiene:<\/b><span style=\"font-weight: 400;\"> Even before a full ecosystem-wide transition is possible, practical steps can be taken today. These include preventing address reuse, implementing key rotation policies, and reducing unnecessary public key exposure where possible. These measures do not resolve the post-quantum problem on their own, but they can meaningfully reduce the attack surface throughout the transition period.<\/span><\/p>\n<h2><b>Why now?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The post-quantum transition should not be thought of as a simple software update. Preparing for the post-quantum era requires coordinated alignment across protocols, wallets, custody providers, exchanges, users, hardware manufacturers, and software ecosystems. Changing the signature schemes used by blockchains is a lengthy process in itself, and adapting custody systems to those changes is a separate and equally demanding task. Chaincode Labs estimates that a full quantum-safe transition for Bitcoin alone could take approximately seven years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Google&rsquo;s whitepaper is an important scientific contribution that clarifies both the reality of the threat and its timing. It should be read not as a signal for panic, but as a call to accelerate preparation. Bitcoin&rsquo;s proof-of-work mechanism is quantum-resistant, and unspent addresses protected behind hash functions are relatively safer for now. Post-quantum algorithms exist and are standardized. 
The challenge is not the absence of solutions, but implementing them in a coordinated, timely, and operationally sound way.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With that in mind, Paribu Custody plans to share its blockchain layer risk analysis, signing infrastructure assessment, and practical implications for custody operations with the industry in the period ahead, rather than keeping these findings internal. The goal is to contribute to the broader readiness of the institutional infrastructure ecosystem.<\/span><\/p>\n<h2><b>Key concepts<\/b><\/h2>\n<p><b>Logical qubit:<\/b><span style=\"font-weight: 400;\"> An abstract unit of computation formed from many physical qubits with error correction applied. Depending on the error correction method, a single logical qubit may require hundreds of physical qubits.<\/span><\/p>\n<p><b>Physical qubit:<\/b><span style=\"font-weight: 400;\"> The raw qubit in real hardware. Highly susceptible to noise and error; current systems operate with hundreds to a few thousand.<\/span><\/p>\n<p><b>Toffoli gate:<\/b><span style=\"font-weight: 400;\"> A three-qubit logic gate used in quantum circuits. Used as a reference unit for measuring the computational complexity of a circuit.<\/span><\/p>\n<p><b>Elliptic Curve Discrete Logarithm Problem (ECDLP):<\/b><span style=\"font-weight: 400;\"> The mathematical problem at the foundation of elliptic curve cryptography security. Deriving a private key from a public key is computationally impractical for classical computers.<\/span><\/p>\n<p><b>Shor&rsquo;s algorithm:<\/b><span style=\"font-weight: 400;\"> A quantum algorithm capable of solving certain mathematical problems, including integer factorization and discrete logarithm problems, far faster than classical methods. 
It poses an existential threat to all elliptic curve cryptography.<\/span><\/p>\n<p><b>P2PKH \/ P2WPKH (Pay-to-Public-Key-Hash \/ Pay-to-Witness-Public-Key-Hash):<\/b><span style=\"font-weight: 400;\"> The most common Bitcoin address formats. The public key is stored on-chain in hashed form rather than directly, so it remains hidden until a spending transaction is made. Once the output is spent, the public key becomes visible.<\/span><\/p>\n<p><b>Taproot key-path spend:<\/b><span style=\"font-weight: 400;\"> The standard way to spend a Taproot output. Because the public key appears explicitly in the output script, it is potentially vulnerable to quantum attack even before any spending transaction has been made.<\/span><\/p>\n<p><b>LeanSig \/ leanXMSS:<\/b><span style=\"font-weight: 400;\"> Post-quantum signature candidates being researched as replacements for the BLS scheme at Ethereum&rsquo;s consensus layer. leanXMSS is a lightweight hash-based XMSS derivative adapted for Ethereum&rsquo;s validator architecture; LeanSig refers to a broader optimization framework.<\/span><\/p>\n<p><b>KZG commitment:<\/b><span style=\"font-weight: 400;\"> A cryptographic commitment scheme used in Ethereum&rsquo;s data availability layer. It relies on elliptic curve pairings, making it vulnerable to quantum attack.<\/span><\/p>\n<p><b>Harvest now, decrypt later:<\/b><span style=\"font-weight: 400;\"> An attack model in which encrypted traffic is recorded today with the intention of decrypting it in the future once a sufficiently powerful quantum computer becomes available.<\/span><\/p>\n<p><b>Fault-tolerant computation:<\/b><span style=\"font-weight: 400;\"> A computation model capable of producing reliable results by detecting and correcting qubit errors. 
This is the threshold a quantum computer must reach before it can mount realistic, large-scale attacks against modern cryptography.<\/span><\/p>\n<p><b>MPC (multi-party computation):<\/b><span style=\"font-weight: 400;\"> A cryptographic technique that allows multiple parties to jointly compute a result without revealing their private inputs to one another. In custody systems, MPC is used to sign transactions without exposing the private key at any single point.<\/span><\/p>\n<p><b>Hybrid PQ protocol:<\/b><span style=\"font-weight: 400;\"> A transitional approach that uses both classical and post-quantum cryptography together, so that security does not depend entirely on either alone. Signal and Chrome are notable examples of this approach.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having tracked the quantum threat closely from the beginning, Paribu Custody shared its approach to building a long-term roadmap for the post-quantum era.<\/p>\n","protected":false},"author":44,"featured_media":25283,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[211],"tags":[],"class_list":["post-25282","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"]}