CBDC Quantum Security: Are Central Banks Building Quantum-Safe Digital Currencies?
CBDC quantum security is rapidly becoming a non-negotiable design consideration as central banks race to deploy digital currencies before quantum computers mature enough to break conventional cryptography. This article examines which central banks have publicly committed to post-quantum cryptography (PQC), which pilots are underway, where the gaps remain, and how permissioned CBDC architectures compare to public blockchains on quantum readiness. If you need a clear, technically grounded answer on whether your government's digital currency will survive Q-day, read on.
Why Quantum Computers Threaten CBDCs
Most digital payment systems, including every CBDC prototype published so far, rely on one of two families of public-key cryptography: elliptic-curve cryptography (ECC) or RSA. Both depend on mathematical problems that classical computers cannot solve in useful timeframes. A sufficiently powerful quantum computer running Shor's algorithm can solve those problems in polynomial time, effectively breaking the cryptographic guarantees that protect:
- Digital signatures on transactions (proving the payer authorised a transfer)
- Key encapsulation in TLS and API channels used by central-bank infrastructure
- Long-term storage encryption of ledger archives
The risk is not purely theoretical. The "harvest now, decrypt later" (HNDL) attack strategy is already in use by state-level actors: adversaries collect encrypted traffic today and plan to decrypt it once a capable quantum machine exists. For CBDCs, which will carry sovereign-level financial data, even encrypted historical transaction records represent a long-term national security exposure.
NIST finalised its first set of post-quantum cryptographic standards in August 2024, including ML-KEM (formerly CRYSTALS-Kyber, for key encapsulation) and ML-DSA (formerly CRYSTALS-Dilithium, for digital signatures), both based on the hardness of lattice problems believed to resist quantum attack. This gave central banks a stable target to migrate toward.
---
How CBDC Architectures Handle Cryptography
Understanding the quantum-readiness of a CBDC requires understanding its architecture. Most central-bank digital currency designs fall into one of three models:
Centralised Ledger Models
The central bank runs a single, permissioned database. Cryptography is used for API authentication, TLS sessions, and audit logs. Quantum risk is present but concentrated in infrastructure layers rather than a distributed consensus protocol.
Distributed Permissioned Ledger Models
Multiple authorised nodes (commercial banks, settlement agents) participate. Examples include the BIS Project Helvetia, ECB DLT trials, and the Bank of England's exploration work. These models use PKI-backed node authentication and digital signatures per transaction. Every signing key is an ECDSA or EdDSA key today, which makes all of them vulnerable to a quantum attack.
Token-Based Retail CBDC
End users hold wallets containing bearer tokens signed by the central bank. The signing key used to mint and transfer tokens is the single highest-value target. If that key is compromised via a quantum attack, an adversary could forge unlimited valid tokens.
The third model carries the highest quantum risk and the most urgent need for PQC migration.
---
Central Bank PQC Statements and Pilots: The Current Picture
BIS (Bank for International Settlements)
The BIS Innovation Hub has consistently flagged quantum risk in CBDC design papers. Its 2023 report on "Technology of Retail CBDC" explicitly recommends that design teams plan for crypto-agility, the ability to swap cryptographic algorithms without redesigning the entire system. The BIS has not published a specific PQC pilot but has referenced NIST PQC standards as the appropriate migration target.
European Central Bank (ECB)
The ECB's digital euro project is in the preparation phase (entered October 2023). Documentation published by the ECB indicates that cryptographic agility is a stated requirement for the digital euro's technical infrastructure. Whether the current prototype implementations use ML-DSA or remain on ECDSA is not public. The ECB has engaged with academic PQC researchers through its TIPS (TARGET Instant Payment Settlement) infrastructure work, but no live PQC deployment has been announced.
Bank of England (BoE)
The BoE is consulting on a potential retail CBDC ("digital pound"). Its 2023 Technology Working Paper on the digital pound specifically lists post-quantum cryptography as a consideration for the wallet and ledger interface layer. The BoE notes it is "monitoring NIST PQC standardisation" and that final algorithm choices will align with UK NCSC guidance. No pilot deployment details are public.
US Federal Reserve / Digital Dollar
The Federal Reserve has not launched a retail CBDC project. The Boston Fed's Project Hamilton (MIT collaboration) explored high-throughput CBDC transaction processing but did not address PQC. Any federal digital dollar project would fall under NIST guidance for US government systems, which mandates PQC migration timelines under NIST SP 800-208 and the NSA CNSA 2.0 suite (which requires ML-KEM and ML-DSA for new systems by 2025 and full migration by 2033). Whether a future digital dollar would implement these standards from day one is not public.
People's Bank of China (PBoC) — Digital Yuan (e-CNY)
The e-CNY is the most widely piloted retail CBDC in the world, with hundreds of millions of test wallets issued across major cities. PBoC has published that e-CNY uses a dual offline payment mechanism and hardware-based security elements. On quantum security specifically: PBoC researchers have published academic work on integrating lattice-based signatures into CBDC wallet schemes, and China's national standards body (OSCCA) has its own PQC-adjacent research programme (SM-series algorithms). Whether production e-CNY infrastructure uses any PQC algorithm is not confirmed publicly.
Monetary Authority of Singapore (MAS) — Project Orchid / Ubin+
Singapore's MAS has been among the most technically transparent central banks. Project Orchid explored Purpose Bound Money (PBM) on DLT infrastructure. MAS's broader cybersecurity framework references quantum threats in its Technology Risk Management (TRM) Guidelines, requiring financial institutions to assess quantum risk. Specific PQC implementation in MAS CBDC pilots is not public.
Bank for International Settlements — Project mBridge
mBridge is a multi-CBDC platform linking China, Hong Kong, Thailand, UAE, and Saudi Arabia. Technical documentation references standard PKI for node authentication. PQC hardening of the mBridge platform is not confirmed publicly.
---
Comparison: CBDC Quantum Readiness vs. Public Blockchains
| System | Architecture | Current Signing Algorithm | PQC Roadmap Public? | Notes |
|---|---|---|---|---|
| Digital Euro (ECB) | Permissioned DLT | Likely ECDSA (not confirmed) | Partial — crypto-agility stated | Preparation phase; live standard not chosen |
| Digital Pound (BoE) | TBD | TBD | Monitoring NIST | No pilot deployed |
| e-CNY (PBoC) | Centralised + HW token | Undisclosed | Academic work only | Widest real-world pilot |
| mBridge (BIS) | Multi-party DLT | Standard PKI | Not public | Cross-border pilot |
| Bitcoin | Permissionless PoW | ECDSA (secp256k1) | No official roadmap | Community proposals exist (e.g. P2QRH) |
| Ethereum | Permissionless PoS | ECDSA + BLS | EIP research stage | Vitalik has flagged quantum migration need |
| BMIC | Non-custodial wallet | Lattice-based (NIST PQC-aligned) | Yes — core design principle | Built for post-quantum from inception |
The table highlights a structural difference: permissioned CBDCs can mandate algorithm upgrades across all nodes simultaneously (a governance advantage over permissionless chains), but they have not yet exercised that advantage in any confirmed production deployment.
Public blockchains face a harder coordination problem. A Bitcoin PQC migration would require a soft or hard fork with global miner and node consensus, and every existing UTXO whose public key is already exposed would remain at risk unless users actively move funds to a PQC-secured address type.
---
Key PQC Mechanisms Relevant to CBDCs
Lattice-Based Digital Signatures (ML-DSA / CRYSTALS-Dilithium)
The most relevant algorithm for replacing ECDSA in transaction signing. ML-DSA produces larger signatures (approximately 2.4 KB vs. 64 bytes for ECDSA), which increases bandwidth and storage costs per transaction. For a high-throughput retail CBDC, this is a meaningful engineering constraint that central banks must plan for.
Hash-Based Signatures (SPHINCS+, now SLH-DSA)
Stateful hash-based schemes like XMSS offer strong quantum resistance and are already approved for some government use cases. They carry the drawback of statefulness: a signing key can only be used a fixed number of times, complicating key management in high-volume environments.
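The statefulness drawback described above, as an added example that is not taken from any CBDC project: a simplified stateful signer built from Lamport one-time signatures (not XMSS itself, which uses WOTS+ and a Merkle tree). The class and function names are hypothetical; the point is the index that must advance on every signature and the hard stop when the key pool is used up.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def lamport_keygen():
    # One-time key: 256 pairs of random secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # Reveals one secret of each pair, which is why a key must sign only once.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

class StatefulSigner:
    """Fixed pool of one-time keys; the next-unused index is the signer's state."""

    def __init__(self, capacity):
        pairs = [lamport_keygen() for _ in range(capacity)]
        self._sks = [sk for sk, _ in pairs]
        self.public_keys = [pk for _, pk in pairs]
        self._next = 0

    def remaining(self):
        return len(self._sks) - self._next

    def sign(self, msg):
        if self._next >= len(self._sks):
            raise RuntimeError("signing capacity exhausted; provision a new key")
        idx = self._next
        # Advance the state before releasing a signature. A real deployment must
        # persist this durably (HSM counter, fsync) so a crash or a restored
        # backup can never hand out the same index twice.
        self._next += 1
        sk, self._sks[idx] = self._sks[idx], None  # erase the used secret
        return idx, lamport_sign(sk, msg)

def verify(public_keys, msg, idx, sig):
    return 0 <= idx < len(public_keys) and lamport_verify(public_keys[idx], msg, sig)
```

For a high-volume signer, `remaining()` is the figure to monitor and alert on, since running out of indices halts signing until a new key is provisioned and distributed.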
Key Encapsulation Mechanisms (ML-KEM / CRYSTALS-Kyber)
Used to protect session keys in TLS and API channels between central-bank nodes and commercial-bank participants. ML-KEM is a drop-in replacement target for RSA and ECDH key exchange. This layer is arguably the most immediately achievable migration for CBDC infrastructure because it requires no changes to on-ledger transaction formats.
Crypto-Agility by Design
The BIS recommendation that resonates across most serious CBDC programmes is crypto-agility: abstracting the cryptographic layer so that algorithms can be replaced via configuration or a software update rather than a protocol redesign. Systems built today without crypto-agility will be far more expensive to harden when the quantum threat matures.
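One way to structure a crypto-agile signing layer, as an added example that is not code from the BIS or any CBDC programme: each signed envelope carries an algorithm identifier, a registry maps identifiers to implementations, and a policy object decides which algorithm signs and which are still accepted. The primitives are keyed-hash stand-ins (an assumption, so the example runs on the standard library alone); in a real system they would be ECDSA and ML-DSA, and all names here are hypothetical.

```python
import hashlib
import hmac
import json

# Stand-in primitives (assumption): keyed hashes take the place of a classical
# and a post-quantum signature scheme. Only the dispatch layer is the point.
def _mac(hash_name):
    def sign(key, data):
        return hmac.new(key, data, hash_name).digest()
    def verify(key, data, sig):
        return hmac.compare_digest(sign(key, data), sig)
    return sign, verify

REGISTRY = {"classical-demo": _mac("sha256"), "pq-demo": _mac("sha3_256")}

class Policy:
    """Migration is a policy change: which algorithm signs, which still verify."""
    def __init__(self, sign_with, accept):
        self.sign_with = sign_with
        self.accept = set(accept)

def _signed_bytes(alg, payload):
    # The algorithm id is part of the signed data, so an envelope cannot be
    # relabelled to a different algorithm after the fact.
    return json.dumps({"alg": alg, "payload": payload}, sort_keys=True).encode()

def sign_tx(policy, keys, payload):
    alg = policy.sign_with
    sign, _ = REGISTRY[alg]
    sig = sign(keys[alg], _signed_bytes(alg, payload))
    return {"alg": alg, "payload": payload, "sig": sig.hex()}

def verify_tx(policy, keys, env):
    alg = env.get("alg")
    # Reject retired or unknown algorithms before touching any key material.
    if alg not in policy.accept or alg not in REGISTRY:
        return False
    _, verify = REGISTRY[alg]
    return verify(keys[alg], _signed_bytes(alg, env["payload"]),
                  bytes.fromhex(env["sig"]))
```

A migration then runs in three policy steps: sign and accept classical only, sign post-quantum while accepting both, and finally accept post-quantum only, at which point envelopes signed under the retired algorithm stop verifying.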
---
What Central Banks Should (and Could) Do Now
The migration from classical to post-quantum cryptography does not have to be a single leap. A phased approach is realistic:
- Inventory all cryptographic dependencies in CBDC infrastructure: signing keys, TLS certificates, HSM configurations, key management systems.
- Adopt crypto-agile architectures in any new build, per BIS and NIST guidance.
- Hybridise in transit layers first by deploying hybrid TLS (classical + PQC key encapsulation simultaneously), which is already supported in OpenSSL 3.x and Chrome. This defeats HNDL attacks against session data at low cost.
- Pilot ML-DSA signatures in test environments to benchmark throughput, storage overhead, and HSM compatibility before committing to production.
- Publish a quantum migration timeline to give commercial-bank participants and wallet providers lead time to update their own stacks.
- Engage with national cybersecurity agencies (NCSC, CISA, ANSSI) whose quantum migration frameworks provide legal and procurement hooks.
The BIS has estimated that central banks that begin migration planning now will have a 7-to-10-year window before large-scale quantum computers threaten current ECDSA deployments. That window is not infinite, and the lead time for redesigning sovereign financial infrastructure is measured in years, not months.
---
The Broader Stakes for Monetary Sovereignty
A CBDC that can be cryptographically compromised is not merely an embarrassment. It represents a systemic risk to monetary sovereignty. A forged token attack on a retail CBDC could allow an adversary to create unbacked digital currency at scale, undermining confidence in the entire system. A broken signing key on a wholesale CBDC settlement layer could invalidate interbank transactions retroactively. These are not theoretical edge cases but design threat models that central-bank security architects are required to consider under most national risk frameworks.
The countries that move earliest on PQC-hardened CBDC infrastructure will also set the standards that others adopt, creating a first-mover advantage in the architecture of the coming digital-currency order. Conversely, countries that deploy widely-used retail CBDCs on classical cryptography and delay migration will inherit a legacy problem at national scale.
Frequently Asked Questions
What is CBDC quantum security and why does it matter?
CBDC quantum security refers to the measures taken to protect central bank digital currency infrastructure against attacks from quantum computers. Quantum computers running Shor's algorithm can break the elliptic-curve and RSA cryptography that underpins all current CBDC signing and encryption schemes, meaning a sufficiently powerful quantum machine could forge transactions or decrypt historical financial data. Designing CBDCs with post-quantum cryptography (PQC) from the outset prevents these risks.
Which central banks have committed to post-quantum cryptography for their CBDCs?
No major central bank has publicly confirmed a live, production CBDC deployment using NIST-standardised PQC algorithms as of mid-2025. The ECB has stated crypto-agility is a design requirement for the digital euro, and the Bank of England is monitoring NIST PQC standards for the digital pound. The BIS recommends crypto-agile architecture across all CBDC programmes. Specific algorithm choices and deployment timelines for most central banks are not public.
What PQC algorithms are most relevant for CBDCs?
The two most relevant NIST-standardised algorithms are ML-DSA (CRYSTALS-Dilithium) for digital signatures on transactions, and ML-KEM (CRYSTALS-Kyber) for key encapsulation in communications channels. Both are lattice-based and were finalised by NIST in August 2024. SPHINCS+ (now SLH-DSA) is a hash-based alternative for signatures where stateful key management is acceptable.
Are public blockchains like Bitcoin or Ethereum more or less quantum-safe than CBDCs?
Neither is quantum-safe today. Public blockchains face a harder coordination challenge: a PQC upgrade requires global consensus among miners, validators, and node operators, and existing wallets with exposed public keys remain at risk unless users actively migrate funds. CBDCs on permissioned ledgers have the governance advantage of mandating an upgrade across all nodes simultaneously, but none have publicly exercised that advantage in production yet.
What is a 'harvest now, decrypt later' attack and does it affect CBDCs?
A harvest now, decrypt later (HNDL) attack involves an adversary collecting encrypted data today, storing it, and decrypting it once a capable quantum computer becomes available. For CBDCs this means encrypted interbank communications, API sessions, and ledger archives captured now could be exposed in the future. Deploying hybrid TLS (combining classical and PQC key encapsulation) in transit layers is the most immediate mitigation and is achievable without changing on-ledger transaction formats.
What is crypto-agility and why do CBDC designers need it?
Crypto-agility means designing a system so that its cryptographic algorithms can be replaced via software updates or configuration changes, without requiring a full protocol redesign. The BIS and NIST both recommend it for CBDC infrastructure because no cryptographic algorithm can be guaranteed secure indefinitely. A CBDC built without crypto-agility would require a costly, high-risk redesign when its current algorithms are deprecated, whereas a crypto-agile system can migrate to PQC with far less disruption.