Quantus CEO Christopher Smith on why blockchain privacy is time-bound, which chains are most at risk, and how post-quantum ZK architecture changes the equation.

Blockchain Privacy Was Designed For Today’s Computers — Here’s Why That Makes It Temporary, And What Post-Quantum ZK Architecture Changes

2026/05/19 21:52
Reading time: 11 min

Post-quantum cryptography has moved decisively from theoretical concern to implementation priority. Governments are setting migration timelines, standards bodies have published new specifications, and the question is no longer whether the cryptographic foundations of modern security need to change — but how fast, and at what cost.

In blockchain systems, most of that conversation centres on wallets and transaction signatures. But Christopher Smith, CEO of Quantus, argues that the deeper and less-discussed vulnerability is privacy itself. Blockchains are permanent by design: ciphertext written to a chain today will still be there in a decade, or two. If the cryptography protecting that data is eventually broken — by a quantum computer or by advances in classical cryptanalysis — the privacy it provided was never permanent. It was time-bound.

Smith and his team at Quantus are building around that assumption from the ground up, combining post-quantum cryptography with zero-knowledge architectures to create systems designed not just for today’s threat environment, but for one where computational assumptions may shift in ways that are difficult to predict and hard to reverse. In this conversation, he walks through where the quantum threat actually stands following recent hardware breakthroughs, which blockchain ecosystems are best and worst positioned to respond, and what it means to build privacy that is durable rather than just currently sufficient.

The quantum threat has been described as “five to ten years away” for decades – but recent developments like Google’s Willow chip, revised qubit estimates, and a real ECC key broken on public hardware have brought renewed attention. Has something shifted in the threat landscape?

Before Google’s Willow chip was announced, at the end of 2024, it would have been reasonable to take the position that quantum computing might be impossible. That was a widely held view. There had been a lot of claims that quantum computing was just around the corner by different companies over the years, and none of them turned out to be true. 

After Google Willow’s announcement and the subsequent announcements, I think that became a much less reasonable take, because they basically proved that quantum error correction is possible. There was a sort of miracle that needed to happen before we could be sure that the thing could work, and now we’re past that miracle — it’s just engineering now. 

It doesn’t mean it’s easy, or that it’ll happen immediately, but the fundamentals have been worked out. I don’t claim to know when a cryptographically relevant quantum computer can be developed — it’s inherently difficult to estimate, because it’s nonlinear and stochastic — but the timelines do seem to be getting shorter, from institutions and researchers like Scott Aaronson. 

It’s also worth remembering that since this is so relevant to national security, the public may not be told everything that’s going on. If the US government is encouraging everyone to update their cryptography without saying exactly why, maybe they’re worried about someone else having one too.

When quantum computing does mature, what specifically is at risk in crypto?

Cryptography largely falls into two categories: protecting information from being read by an adversary, or from being written to. The first case applies to privacy — if you’re trying to have a secret message between you and someone else and don’t want third parties to read it, that’s encryption. 

The second is authentication. If someone can violate authentication, they can impersonate you, and in the context of blockchains, that means they can take your funds. That’s a critical failure — there’s no police to call, no bank manager who can roll back the transaction.

Most blockchains like Bitcoin don’t really have privacy, but some chains have added it, such as Monero or Zcash. Quantum computers can also break certain kinds of encryption, so in the case of Monero, with its ring signatures and decoys, a quantum computer could identify which inputs are real and which are fake — it removes the camouflage. 

Then there’s a third category related to ZK systems. When a ZK system fails, it accepts invalid proofs, so an attacker can forge a false proof. In the case of Zcash, that would mean someone minting shielded coins that weren’t theirs. 

In the case of a ZK rollup, somebody could falsify balances and make it appear that transactions happened that actually didn’t. These are all slightly different failure modes, but ultimately blockchains could not exist without modern cryptography, and if that cryptography fails for any reason — whether quantum or otherwise — it’s generally a critical failure.

The industry’s response varies widely – Ethereum has active work underway, Ripple has a 2028 target, Bitcoin is still debating proposals. What does that divergence say about how the industry handles this risk?

Blockchain was, at least at the beginning, all about decentralisation — which has advantages and disadvantages. It can be hard to stop, but it can also be hard to change. We’re seeing that across different blockchains; each one is showing its governance strengths or weaknesses. 

In the case of Bitcoin, there’s a culture of “don’t change it, it’s ossified, it’s already perfect” — and maybe that’s largely true in other respects, but cryptography has always been an arms race. You need to be able to update your keys and your cryptography if something breaks, and going slow here is a real liability.

Ethereum has a founder, Vitalik Buterin, who’s alive and can tell everyone what to do — in some sense they have an easier social coordination problem, and he’s been prioritising quantum, which is an important data point. 

On the technical side, Bitcoin actually has probably the easiest job: they already have multiple address types, so they can just add a new post-quantum one, much like they added SegWit and then Taproot. 

Ethereum is in a tougher place technically because of its larger surface area and the fact that account abstraction wasn’t baked in from the beginning — there’s deeper surgery to do. 

Chains like Zcash have less of the social coordination problem that Bitcoin has, but more complex cryptography, which makes upgrading more challenging. I’m broadly glad that everyone is talking about quantum — but the one I’m most worried about is Bitcoin.

Most quantum security conversations focus on wallets and transactions. You argue the deeper issue is what happens to privacy itself. What are the broader implications?

Privacy was something of an afterthought from the beginning of blockchains. Satoshi wanted to add more privacy to Bitcoin, but it wasn’t obvious how to do it — zero-knowledge cryptography hadn’t become practical yet, and they were already trying to build the first blockchain, which was a large enough task. So privacy has by and large been a secondary feature, bolted on or added as a special layer.

Blockchains are permanent. Digital signatures from past transactions are sitting on chain, and if someone is able to crack those keys and those keys still have a balance, that’s a problem. But if there’s no balance in those old addresses, it doesn’t matter as much. 

In the case of privacy, though, someone is leaving ciphertext on chain — encrypted data that, to a normal observer, looks like random garbage, but which could be decrypted in the future if the underlying cryptography is broken. That ciphertext could remain relevant far into the future. This is the “save now, decrypt later” strategy. 

You can assume that ISPs or major government agencies like the NSA are already saving encrypted traffic in giant databases — they may not be able to decrypt it right now, but they might be able to in the future. Even if the attack doesn’t exist today, it could exist tomorrow, and they might be able to go back and find something relevant.

Data that is private today may not remain private as computational capabilities evolve. How do you think about preserving privacy across longer time horizons?

With ZK systems, it’s possible to keep ciphertext off chain entirely. Anything you want to involve in a computation but never reveal — it’s probably better if that information never leaves your device. 

Modern cryptography, like zero-knowledge protocols, enables that. Putting encrypted data on chain, or in public anywhere, is not a great strategy, because it may not stay encrypted forever. If it never goes online in the first place, it becomes much harder to decrypt.

Are existing ZK architectures quantum-resistant?

There are basically two categories of ZK: pre-quantum and post-quantum. The early ZK systems — what Zcash or the rollups on Ethereum use — are pre-quantum, because they’re based on elliptic curves. The most prominent post-quantum ZK system is STARKs, as used by StarkNet. If you use a pre-quantum ZK system, a quantum attacker could forge false proofs. 

It’s not that ZK techniques are inherently vulnerable to quantum — it’s specific techniques. A useful rule of thumb: if a system is based on elliptic curves, it’s probably vulnerable to quantum. If it’s based on hashes or lattices, it’s probably post-quantum.

Will we completely switch to post-quantum technology in the future?

I think in the future we won’t even use the term “post-quantum cryptography” — it’ll just be called cryptography, and everything else will be “pre-quantum,” something you only learn about if you’re getting a PhD in mathematics and need to know the history. Most people in blockchain don’t think about cryptography, and it’s a bad position to be in if you’re making the users of a consumer app think about it, because they probably don’t do that very often.

A lot of the world has already moved to post-quantum cryptography without most people noticing. Signal and iMessage upgraded their cryptography to post-quantum years ago, without users needing to do anything — the app just handled it. According to a report from Cloudflare, more than half of all human web traffic is now using post-quantum cryptography through TLS 1.3. Again, most users don’t have to think about it — it can happen with just a few engineers doing the right thing.

Blockchain is in a more difficult position because users are expected to control their own keys — they have to migrate them, and you have to explain why, with some urgency. That complexity also leaves a lot of room for people to get confused, or for others to intentionally confuse them for their own financial gain.

What are the things existing systems retrofitting for post-quantum security cannot fix?

I think of it as three or four steps. The first is deciding what to do — easier for chains with clear leadership and, arguably, more centralisation; harder for more decentralised ones. Once you’ve decided, you have to update the code, and in the age of AI, that’s actually not that difficult: a few competent engineers, the right instructions, and a thorough review. That’s the easy part.

The harder part is getting everyone to migrate their keys — phone wallet users, hardware wallet users, businesses with multisigs, custodians, government agencies, everyone. That also creates a huge demand for block space, and in the case of Bitcoin, with its constrained block sizes, getting everyone to move could take months even if they all tried simultaneously.

The final and most politically difficult step is deciding what to do about people who can’t or won’t upgrade. The most extreme example is Satoshi. It seems like he, or whoever it is, is dead. And the amount of coins involved represents tens of billions of dollars. What happens if someone cracks those keys? It’s a serious problem — but if you can turn off those keys, you raise the question of whose keys can be turned off next. People are naturally going to be very touchy about that. 

This last problem is mostly specific to Bitcoin — I don’t know of any other chain with such a large amount of coins sitting in an inaccessible wallet. The risk isn’t that updating the code is hard; it’s that if we move too slowly, we could find ourselves halfway through this migration when a major announcement drops, and then everyone panics.

For teams building blockchain projects today, what are the concrete design choices they can make now to reduce future exposure?

If you’re building a new blockchain in 2026, you should just skip elliptic curves. You’re only creating problems for yourself in the future. Meet it head on — work through the scaling challenges with lattice or hash-based cryptography now. Bite the bullet early, because otherwise you’re accumulating an incredible piece of technical debt that is going to come back and bite you.

The post Blockchain Privacy Was Designed For Today’s Computers — Here’s Why That Makes It Temporary, And What Post-Quantum ZK Architecture Changes appeared first on Metaverse Post.
