Quantum computing used to be treated as a “maybe in 50 years” problem. That view is now difficult to defend. In the last few years, improved quantum resource estimates, real hardware progress, and serious national-level roadmaps have reduced the comfort margin for anyone relying on RSA or elliptic-curve cryptography. Cryptocurrencies face even greater exposure because they broadcast public keys and signatures globally and permanently.
At the same time, post-quantum (PQ) signature schemes like FALCON have matured enough that real blockchains can deploy them. Nexa is one of the first projects doing this, preparing a full PQ migration path ahead of most of the industry.
Quantum Risk for Cryptocurrencies in 2026 and 10–20 Year Horizons
There is still no “cryptanalytically relevant quantum computer” capable of breaking RSA-2048 or 256-bit elliptic curves. Google’s Willow chip, announced in 2024, has 105 superconducting qubits and demonstrates promising error-correction and random-circuit results. Even Google stresses that it remains far below the capability needed to factor RSA or solve elliptic-curve discrete logarithms. While this sounds reassuring, the comfort zone has shrunk. Early research suggested millions of logical qubits were required. Newer analyses, using realistic surface-code implementations, conclude that only a few thousand logical qubits would be enough to run Shor’s algorithm on real curves. Circuit optimizations continue lowering the depth and gate count. This does not mean a viable quantum computer will appear by 2035, but it does mean that assuming “quantum will be slow” is no longer responsible. For long-lived systems such as blockchains, the safe planning window is now measured in decades, not centuries.
Government agencies and large technology companies are responding to this shift. The UK’s National Cyber Security Centre has published a migration roadmap calling for identification of vulnerable systems by 2028 and completion of post-quantum transitions by 2035. The intention is to avoid a rushed, late-stage transition once quantum hardware arrives. Industry leaders are behaving similarly. Cloudflare reports that a substantial share of global web traffic already uses hybrid post-quantum key exchange to prevent “harvest-now, decrypt-later” attacks. Apple redesigned iMessage using a hybrid PQ protocol called PQ3 to protect conversations even if intercepted and stored today. These indicate that quantum migration is now treated as a practical engineering project with a clear timeline. Blockchains, which are designed to preserve signatures and keys indefinitely, cannot realistically wait longer than everyone else.
The Harvest-Now, Derive-Later Threat for Blockchains
Blockchains rely heavily on public-key signatures, and their data is permanent. Shor’s algorithm breaks all discrete-log-based signatures once a quantum computer is available at scale. The Federal Reserve’s 2025 paper “Harvest Now Decrypt Later” demonstrates how an attacker could archive blockchain data today and use a future quantum machine to derive private keys from exposed public keys. This time-shifted threat destroys security assumptions once a cryptanalytically relevant quantum computer (CRQC) exists. Key reuse, Taproot-exposed public keys, and long mempool delays become easy targets. Once keys are derived, attackers can deanonymize historical transaction flows and, in some cases, spend from addresses that still contain funds. State-level actors are already known to archive vast quantities of encrypted and signed data. It is reasonable to assume that blockchain archives are included in that collection.
The biggest vulnerability in blockchains lies in their signature layer. Once the ability to forge signatures is available, consensus rules still run, but ownership semantics break down. Bitcoin is especially exposed, because spent outputs reveal the public key directly. Taproot’s design makes this even more explicit, since the output key itself is written into the script. Proof-of-stake systems using BLS signatures are similarly vulnerable, since Shor breaks BLS12-381 discrete logs, making validator signatures forgeable. Many zk-SNARKs, including Groth16, also depend on elliptic-curve assumptions that would be invalidated by quantum attacks. Academic surveys reach the same conclusion: post-quantum migration for distributed ledger technology (DLT) must begin with replacing signature schemes and reworking consensus assumptions, not just encryption layers.
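To make the exposure classes above concrete, here is an added example (not code from the article or from Nexa) that audits a wallet’s unspent outputs for keys an archive-now adversary already holds: outputs whose script carries the public key itself (P2PK, Taproot) and hash-committed outputs whose address has already been spent from once. The script patterns are the standard Bitcoin scriptPubKey templates; the sample UTXOs and hashes are constructed placeholders.

```python
# Added example, not code from the article or from Nexa: classify Bitcoin-style
# outputs by when their signing public key becomes visible on-chain, then flag
# unspent outputs an archive-now attacker could already target. Sample data below
# is constructed (placeholder bytes, not real keys or transactions).
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)

def classify_script_pubkey(spk: bytes) -> tuple[str, str]:
    """Return (script type, exposure): 'at_creation' means the key itself sits in
    the output script; 'on_spend' means only a hash is published and the key is
    revealed by the spending input; 'script_hash' depends on the redeem script."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", "at_creation"          # <push33|65> <pubkey> OP_CHECKSIG
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr", "at_creation"          # OP_1 <32-byte x-only output key>
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", "on_spend"            # commits to hash160(pubkey) only
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh", "on_spend"           # segwit v0 key hash
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[-1] == OP_EQUAL:
        return "p2sh", "script_hash"
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh", "script_hash"
    return "unknown", "unknown"

def audit_utxos(utxos, revealed_hashes):
    """utxos: (label, scriptPubKey, value) triples; revealed_hashes: 20-byte hash160
    values whose pubkey already appeared in a spending input (address reuse)."""
    exposed = []
    for label, spk, value in utxos:
        kind, when = classify_script_pubkey(spk)
        if when == "at_creation":
            exposed.append((label, kind, "public key in output script", value))
        elif when == "on_spend":
            key_hash = spk[3:23] if kind == "p2pkh" else spk[2:22]
            if key_hash in revealed_hashes:   # key already harvestable from history
                exposed.append((label, kind, "address reused after spend", value))
    return exposed

PUBKEY_A = b"\x02" + bytes(range(1, 33))   # constructed 33-byte compressed key
HASH_B = bytes([0xB1] * 20)                # constructed hash160, spent from once before
SAMPLE_UTXOS = [
    ("tx1:0", bytes([0x21]) + PUBKEY_A + bytes([OP_CHECKSIG]), 50_000),           # P2PK
    ("tx2:1", bytes([OP_1, 0x20]) + bytes([0xD3] * 32), 20_000),                  # P2TR
    ("tx3:0", bytes([OP_DUP, OP_HASH160, 0x14]) + HASH_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 7_000),
    ("tx4:0", bytes([OP_0, 0x14]) + bytes([0xC2] * 20), 9_000),   # fresh P2WPKH, key still hidden
    ("tx5:0", bytes([OP_0, 0x20]) + bytes([0xE4] * 32), 1_000),   # P2WSH
]
REVEALED = {HASH_B}   # addresses whose key already appeared in a spending input
```

Calling `audit_utxos(SAMPLE_UTXOS, REVEALED)` flags tx1:0, tx2:1 and tx3:0 (77,000 sats), while the fresh P2WPKH output stays hidden until it is spent; funds in flagged outputs are the ones to move to a post-quantum scheme first.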
FALCON: A Post-Quantum Signature Scheme and Standardization
As NIST finalizes its new set of post-quantum standards, FALCON stands out among signature schemes. It is lattice-based, compact, and efficient enough for high-volume blockchain environments. FALCON relies on NTRU lattices, the GPV signing framework, and fast Fourier sampling to generate compact signatures. Its security depends on the hardness of Short Integer Solution problems, which are believed to be secure against both classical and quantum attacks. The performance characteristics make FALCON especially attractive. FALCON-512 signatures are about 666 bytes with public keys under 1 kilobyte. These are far larger than ECDSA signatures but much smaller than Dilithium signatures, which can be 2–3 kilobytes or more.
NIST selected FALCON in its post-quantum competition for standardization. While ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) have already become FIPS standards, FALCON is undergoing an extended review as FN-DSA, with finalization expected in 2026–2027.
Nexa’s Post-Quantum Strategy and Hardware Acceleration
Nexa’s own technical roadmap closely reflects the latest quantum risk assessments. The team recognizes that quantum-capable adversaries may emerge within the economic lifetime of current cryptocurrencies, and it has chosen to act early. FALCON has already been implemented and tested in Nexa’s full node and wallet software.
Because post-quantum signatures are heavier to verify than classical ones, Nexa also plans hardware acceleration for verification using Blitz, the first hardware solution designed specifically for accelerating signature verification. This aligns with academic benchmarks showing that FALCON’s FFT-based operations scale extremely well on parallel hardware, and it will allow Nexa to maintain high throughput while upgrading security, avoiding the tradeoff between safety and scalability that other blockchains may face.
The final choice of post-quantum signature scheme may evolve depending on NIST’s certification timeline and the outcome of ongoing implementation and design considerations. However, by integrating FALCON into the node software, preparing hardware acceleration, and keeping Dilithium as an optional alternative, Nexa is positioning itself as one of the first quantum-resistant blockchains with an operational migration path.
Conclusion
Quantum computing has shifted from speculative research to a concrete engineering concern. Institutions, major technology companies, and standards bodies are already preparing for post-quantum migration on a 10–20 year horizon, reflecting the steadily shrinking safety margin around classical cryptography. FALCON offers a well-balanced combination of security, efficiency, and compactness, making it one of the strongest post-quantum signature candidates for high-throughput blockchain environments. Nexa’s decision to implement FALCON early, plan for hardware acceleration, and remain adaptable with alternative PQ schemes places it ahead of most of the industry and positions the network to remain secure long into the post-quantum era.
