Quantum Computing’s Real Threat to Crypto Isn’t Your Bitcoin Wallet. It’s the Plumbing Underneath
Everyone’s worried about the wrong thing. The fear that grabs headlines, that a quantum computer cracks your private key and empties your wallet overnight, isn’t the part of the system most exposed right now. The part that breaks first sits one layer down, in the authentication and payment infrastructure that exchanges, custodians, and banks rely on to talk to each other.
Call it the plumbing problem. Andrew Gault, CEO of the decentralized networking firm ZeroTier, makes the case that the quantum conversation has fixated on a dramatic but slow-moving target while ignoring the fragile one already under quiet assault. His point deserves attention because it changes what “preparing for quantum” actually means.
Where the Wallet Panic Comes From, and Why It’s Half Right
The wallet fear isn’t irrational. Bitcoin addresses lean on elliptic curve cryptography, specifically secp256k1, and Shor’s algorithm is designed to chew through exactly that kind of problem. Factor large integers, compute discrete logarithms, and the math protecting public-key systems stops protecting anything. So the worry that a powerful enough machine could derive a private key from a public one has a real mathematical basis.
It’s directionally correct. The flaw is timing and scope.
A cryptographically relevant quantum computer, the kind that could break secp256k1, likely needs millions of stable qubits. Current machines from IBM, Google, and China’s quantum programs are nowhere close, still measured in the hundreds or low thousands of physical qubits with error rates that wreck long computations.
That machine is years out. Bitcoin’s core protocol can also upgrade its signature scheme before it arrives, and the mining layer runs on SHA-256, which quantum computers degrade rather than shatter. The wallet, in other words, has both time and a fix path.
The plumbing has neither in the same measure.
The Plumbing Problem, Defined
In simple terms, the plumbing is everything that lets financial institutions and crypto firms authenticate transactions and communicate securely. Banks confirming payments to each other. Exchanges verifying API calls from institutional clients. Custodians signing off on withdrawals. Cross-chain bridges proving that a deposit on one network justifies a release on another.
All of it runs on the same cryptographic primitives, ECDSA and RSA, that quantum algorithms are expected to break.
“The narrative has been heavily focused on individual wallet security, but that’s a distraction from the larger, more fragile target,” Gault said. “The financial plumbing, how banks, exchanges, and custodians authenticate transactions and communicate with each other, is where the real exposure lies.”
Here’s why that distinction has teeth. A wallet is one key controlled by one person who can move funds to a new, quantum-safe address when the time comes. The plumbing is thousands of interconnected systems, signed messages, and stored records, many of which can’t be retroactively protected once they’ve been transmitted. You can rotate a key. You can’t un-send a message that’s already been intercepted.
Harvest Now, Decrypt Later
So this is where the timeline argument falls apart for anyone feeling comfortable. The threat called “Harvest Now, Decrypt Later,” or HNDL, doesn’t wait for the quantum computer to exist. It’s running today.
The mechanic is simple. An adversary intercepts and stores encrypted data now (inter-institutional payment records, authentication messages, digital signatures) and parks it. They can’t read it yet. They’re betting they’ll be able to read it in five, ten, fifteen, twenty years, once the hardware catches up. The encryption protecting that data today becomes the open book of tomorrow.
For finance, that’s a stockpile with a fuse. Transaction histories, trading strategies, authentication credentials, all of it could surface years after transmission. The confidentiality the whole system assumes is already compromised for anything sensitive enough to be worth recording and worth waiting for.
Let’s face it. Most encrypted financial traffic was never designed with the assumption that someone might decrypt it a decade later. That assumption is now wrong.
The exposure doesn’t stop at traditional banking. Gault points to three parts of the crypto stack that lean on the same breakable primitives, and each fails in its own ugly way.
Exchange API authentication is one. Compromise the keys that trading bots and institutional clients use, and an attacker walks into exchange accounts with valid credentials. Cross-chain bridge proofs are another, and worse. Forge the signatures that validate a bridge transaction and you can drain liquidity pools or mint tokens backed by nothing. Custodian signature systems round it out, since the signatures authorizing large movements of assets rest on cryptography a quantum machine is built to forge. Gault warned:
“The entire stack of digital asset operations is built on assumptions about cryptographic security that may not hold in a post-quantum world. (...) We need to start thinking about upgrading these systems now, not after the first major breach.”
The contrast between the wallet story and the plumbing story comes down to a few variables that move in opposite directions. The wallet has a single owner and a clean migration. The plumbing has many owners, slow coordination, and a clock that started ticking the day someone began saving encrypted traffic.
What Preparing Actually Looks Like
The work splits into two honest tasks, and neither is glamorous.
First, the institutions (exchanges, custodians, and DeFi protocols) need to start moving to quantum-resistant algorithms. That means lattice-based cryptography and hash-based signatures, the families NIST has been standardizing.
It also means crypto-agility, or building systems so it’s possible to swap out an algorithm without ripping the whole stack apart. Auditing cryptographic dependencies comes before any of that, because most firms don’t have a clear inventory of where ECDSA and RSA actually live in their code.
Second, everyone should assume current encrypted traffic will eventually be readable. For long-lived secrets (master seed phrases, root keys, anything meant to stay secret for a decade or more), that assumption should change behavior now, not after a breach makes the news.
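A first pass at the dependency audit described above, as an added example that is not from the original article: a Python scan that inventories where RSA and ECDSA identifiers appear in a code tree and keeps SHA-256 in a separate "degraded" class. The rule list, function names and sample files are constructed for illustration, and a pattern scan of this kind will not see primitives chosen by library defaults.

```python
import os
import re
from collections import Counter

# (primitive, quantum impact, regex). Patterns are widely used identifiers:
# JOSE "alg" names, SSH key types, PEM headers, curve names, Go import paths.
RULES = [
    ("RSA", "broken",
     r"\b[RP]S(?:256|384|512)\b|ssh-rsa|BEGIN RSA (?:PRIVATE|PUBLIC) KEY"
     r"|\bcrypto/rsa\b|\brsa\.generate_private_key\b"),
    ("ECDSA", "broken",
     r"\bES(?:256K?|384|512)\b|ecdsa-sha2-nistp\d+|BEGIN EC PRIVATE KEY"
     r"|\bsecp256[kr]1\b|\bprime256v1\b|\bcrypto/ecdsa\b"),
    # Hashes are degraded by quantum search rather than broken: track apart.
    ("SHA-256", "degraded", r"\bsha-?256\b"),
]

def scan_files(files):
    """files maps path -> text; returns (path, line, primitive, impact, hit)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for primitive, impact, pattern in RULES:
                hit = re.search(pattern, line, re.IGNORECASE)
                if hit:
                    findings.append((path, lineno, primitive, impact, hit.group(0)))
    return findings

def scan_tree(root):
    """Read every file under root as text and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(path, root)] = fh.read()
    return scan_files(files)

def summarize(findings):
    """Count findings per (primitive, impact) to size the migration."""
    return Counter((f[2], f[3]) for f in findings)

# Constructed sample files, not taken from any real system.
SAMPLE_FILES = {
    "exchange_client.py": 'hdr = {"alg": "ES256K"}\nkey = ec.SECP256K1()\n',
    "bridge/relayer.go": 'import "crypto/ecdsa"\nimport "crypto/sha256"\n',
    "deploy/authorized_keys": "ssh-rsa AAAA(constructed) ops@example\n",
    "docs/notes.txt": "rotate keys quarterly\n",
}
```

Calling `summarize(scan_files(SAMPLE_FILES))` gives the per-primitive counts for the sample, and `scan_tree` runs the same rules over a checked-out repository.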
The Window, and What Closes It
Gault’s reframing lands because it moves the deadline. If the threat were only the wallet, you could wait, watch qubit counts, and migrate when the machine got close. The wallet has slack.
The plumbing doesn’t, because HNDL converts a future capability into a present liability. The data leaving institutional systems today is the breach on schedule for tomorrow.
At the very least, the next few years are an audit-and-migrate window, and the firms treating it as optional are the ones whose stored traffic will be most worth decrypting. Quantum computing will probably stay too weak to crack live keys for a while yet. That’s cold comfort if the sensitive thing was already copied, stored, and sitting on a drive somewhere, waiting. The hardware is the patient part. The data theft isn’t.