Will Quantum Computers Break Internet Computer?
Will quantum computers break Internet Computer (ICP)? It is one of the most technically specific questions circulating among ICP holders, and it deserves a precise answer rather than a vague "maybe someday." This article unpacks the cryptographic primitives underpinning ICP's signature scheme, models the realistic conditions under which a cryptographically relevant quantum computer (CRQC) could threaten it, reviews the timeline estimates from serious research groups, and outlines what holders and developers can do now. No hype, no doom-saying — just the mechanism analysis.
How Internet Computer Secures Transactions Today
The Internet Computer Protocol relies on two cryptographic layers that are relevant to the quantum threat discussion.
BLS Signatures and Chain-Key Cryptography
ICP's flagship innovation is chain-key cryptography, which uses BLS (Boneh-Lynn-Shacham) signatures to allow the network's subnets to produce a single, compact signature that any external observer can verify without downloading the full chain state. BLS signatures are constructed over elliptic curve pairings, specifically on the BLS12-381 curve.
The security of BLS12-381 rests on two assumptions:
- The elliptic curve discrete logarithm problem (ECDLP) on that curve.
- The pairing-based decisional Diffie-Hellman assumption.
Both of these are vulnerable to Shor's algorithm running on a sufficiently large, fault-tolerant quantum computer. That is the core exposure.
User-Facing Signature Schemes
For end-user authentication, the Internet Computer currently supports:
- Ed25519 (an instance of EdDSA, the Edwards-curve Digital Signature Algorithm) — the default for most Internet Identity users.
- ECDSA secp256k1 — enabled to allow Bitcoin and Ethereum integrations via threshold signing.
- WebAuthn / FIDO2 credentials — often backed by either P-256 (ECDSA) or RSA depending on the device.
All of these rely on classical hardness assumptions that Shor's algorithm breaks. A CRQC with enough logical qubits and sufficiently low error rates would, in principle, be able to extract the private key from any of these public keys, provided it obtains the public key and completes the computation before the transaction is signed and broadcast.
---
What Would Have to Be True for a Quantum Attack to Succeed
Shor's algorithm is the theoretical weapon. But the gap between the algorithm existing and an attack being practical is enormous. Here is what a genuine attack requires.
Cryptographically Relevant Qubit Counts
Breaking a 256-bit elliptic curve key — the size used by secp256k1 and Ed25519 — requires approximately 2,330 logical qubits under optimistic estimates from Craig Gidney and Martin Ekerå's 2021 paper. Logical qubits are error-corrected qubits. Today's best physical qubit counts run to thousands, but the ratio of physical-to-logical qubits needed for error correction at useful fidelity is estimated anywhere from 1,000:1 to 10,000:1 depending on the error rate.
That means breaking Ed25519 as used in Internet Identity likely requires millions of stable physical qubits operating below a specific error threshold. As of 2025, Google's Willow chip demonstrated 105 physical qubits with improved error rates — a genuine milestone, but still orders of magnitude away from a CRQC capable of breaking 256-bit curves.
The Harvest-Now, Decrypt-Later Threat
There is a more near-term, asymmetric risk: "harvest now, decrypt later" (HNDL) attacks. A nation-state adversary could record encrypted traffic or signed messages today and decrypt them once a CRQC becomes available. For a blockchain, this matters most for:
- Long-lived public keys that remain static for years.
- Any off-chain communication associated with wallet addresses (identity metadata, off-chain state).
On-chain signatures themselves are already public, so HNDL on the blockchain record is less about decryption and more about the eventual ability to forge future signatures from harvested public keys.
The Reuse Window Problem
The most acute quantum risk for any ECDSA or EdDSA wallet occurs when a public key is exposed before the signature is finalised and irreversibly committed. Bitcoin's UTXO model has a known version of this: legacy P2PK addresses expose the public key at all times, while P2PKH addresses hide it until spend. Internet Computer's architecture exposes user public keys via Internet Identity at the time of authentication — a window that, under a CRQC scenario, could theoretically be exploited if the adversary can compute fast enough during that window.
---
Realistic Timeline: When Could a CRQC Arrive?
Consensus across the cryptographic research community clusters around a few scenarios. The table below summarises commonly cited timeline brackets from organisations including NIST, IBM Research, and academic papers published 2022-2024.
| Scenario | Logical Qubits Required | Estimated Earliest Arrival | Probability (Expert Survey Median) |
|---|---|---|---|
| Break RSA-2048 | ~4,000 logical | 2035-2040 | ~15% by 2030, ~50% by 2040 |
| Break secp256k1 / Ed25519 | ~2,330 logical | 2033-2038 | ~10% by 2030, ~40% by 2040 |
| Break BLS12-381 pairings | ~3,000-5,000 logical | 2037-2045 | ~5% by 2030, ~30% by 2040 |
| Harvest-now attack feasibility | N/A (collection only) | Now | Near 100% — collection is trivial |
These are analyst scenario estimates, not predictions. The variance is large because quantum hardware progress has repeatedly surprised both optimists and pessimists. The key takeaway: breaking Ed25519 or secp256k1 is plausibly within a 10-15 year window under optimistic hardware scaling; breaking BLS pairing-based crypto takes longer but is not off the table.
---
Internet Computer's Own Roadmap Awareness
The DFINITY Foundation, which stewards ICP's development, is not ignoring this. Several things are worth noting:
- NIST finalised its first post-quantum cryptography standards in 2024, including CRYSTALS-Kyber (now called ML-KEM) for key encapsulation and CRYSTALS-Dilithium (ML-DSA) for digital signatures. These are lattice-based schemes.
- DFINITY has acknowledged the long-term need to migrate chain-key cryptography to post-quantum primitives, though no binding upgrade timeline has been published as of mid-2025.
- The threshold ECDSA feature, used for Bitcoin and Ethereum integrations, explicitly inherits the quantum exposure of those base chains.
- Internet Identity's WebAuthn backend depends on device-level cryptography, meaning the migration path would partly depend on browser and OS vendors implementing post-quantum FIDO standards.
The honest picture: ICP is aware of the risk, has not yet deployed a post-quantum migration path, and the timeline for doing so is uncertain. That is roughly the same position as Ethereum, Solana, and most other major layer-1s.
---
What ICP Holders and Developers Can Do Now
Waiting for a protocol-level fix is the passive strategy. There are active steps that reduce exposure.
For Holders
- Avoid key reuse. Rotate Internet Identity anchors periodically rather than relying on a single long-lived credential.
- Monitor DFINITY governance proposals. Post-quantum migration will require NNS (Network Nervous System) votes; participating in governance keeps you informed and gives you a voice.
- Treat hardware security keys as a temporary, not permanent, backstop. FIDO2 keys backed by P-256 are still classical; post-quantum FIDO standards are in draft but not yet widely deployed.
- Diversify across wallet architectures if long-term security is a priority. Some emerging wallets and token ecosystems are being built with post-quantum cryptography as a native layer rather than a retrofit.
For Developers Building on ICP
- Follow NIST PQC standards closely. ML-DSA (Dilithium) and ML-KEM (Kyber) are now standardised; build internal systems that can swap signature schemes without a full rewrite.
- If you are storing sensitive off-chain data tied to ICP canister identities, begin evaluating hybrid classical/post-quantum encryption for that layer now. HNDL attacks target stored data today.
- Watch the DFINITY research forum for ICP-specific PQC working group output.
---
How Natively Post-Quantum Designs Differ
The fundamental difference between retrofitting post-quantum cryptography onto an existing chain versus building with it from the ground up comes down to technical debt and attack surface during the transition period.
When an established L1 migrates to post-quantum signatures, it must:
- Maintain backward compatibility with legacy addresses and keys, creating a dual-stack that widens the attack surface during migration.
- Coordinate hard or soft forks across a large, decentralised validator set.
- Manage the migration of billions of dollars in assets held at classical addresses without a single coordinated custodian.
Projects architected from genesis around NIST PQC-aligned schemes, such as BMIC, bypass this transition problem entirely. Lattice-based signatures are the native scheme, so there is no legacy key format to retire, no dual-stack period, and no coordination game among existing stakeholders who may resist change. The security model is coherent from day one.
This is not an argument that ICP or other major L1s will fail — the migration is achievable. It is an argument that the migration carries friction and a transitional risk window that natively post-quantum architectures do not share.
---
Summary: The Balanced Assessment
Internet Computer's signature schemes (BLS chain-key cryptography, Ed25519 for Internet Identity, and threshold ECDSA for cross-chain integrations) are all classically secure and quantum-vulnerable in the same way as virtually every other major blockchain. A cryptographically relevant quantum computer does not exist today, and the most credible research suggests it remains at least a decade away for the qubit counts needed to break 256-bit elliptic curves.
The harvest-now, decrypt-later threat is real and operating right now, but its primary impact on a public blockchain is limited compared to encrypted databases or private communications. The more material near-term concern is the coordination challenge of migrating an established protocol to post-quantum primitives before a CRQC arrives.
ICP holders are not in immediate danger. But the window for the ecosystem to execute a clean migration is not infinite, and the sooner DFINITY publishes a concrete post-quantum roadmap, the more confidence long-term holders can have.
Frequently Asked Questions
Will quantum computers break Internet Computer's BLS signatures?
In principle, yes. BLS signatures over pairing-friendly elliptic curves are vulnerable to Shor's algorithm running on a sufficiently large, fault-tolerant quantum computer. However, breaking BLS12-381 requires more logical qubits than breaking standard 256-bit curves, and no such machine exists today or is expected within the next decade under most credible estimates.
Is Internet Identity safe from quantum attacks?
Currently, yes. Internet Identity uses Ed25519 or WebAuthn credentials backed by classical elliptic curve cryptography. These are quantum-vulnerable in the long term but are computationally secure against any known or near-term quantum hardware. The risk window opens if a cryptographically relevant quantum computer (CRQC) with millions of error-corrected physical qubits becomes available, which most researchers place at least a decade away.
Has DFINITY announced a post-quantum upgrade for ICP?
As of mid-2025, DFINITY has acknowledged the long-term need to migrate chain-key cryptography to post-quantum primitives and follows NIST PQC standards development closely. However, no binding upgrade timeline or NNS governance proposal for a post-quantum migration has been formally published. Holders should monitor the DFINITY research forum and governance dashboard for updates.
What is a harvest-now, decrypt-later attack and does it affect ICP holders?
A harvest-now, decrypt-later (HNDL) attack involves an adversary collecting cryptographic data today and decrypting or forging it once a CRQC is available. For public blockchains like ICP, all signatures and public keys are already on-chain, so HNDL is less about exposing private communications and more about the future ability to derive private keys from already-public keys. Long-lived, static public keys carry the highest HNDL exposure.
When will quantum computers be powerful enough to break elliptic curve cryptography?
Breaking a 256-bit elliptic curve key requires roughly 2,330 logical qubits running Shor's algorithm. Achieving that requires millions of physical qubits below specific error thresholds. Expert surveys and research papers suggest a 10-40% probability of a capable machine arriving by 2040, depending on assumptions about hardware scaling. The range is wide because quantum hardware progress is genuinely unpredictable.
What can ICP holders do to reduce quantum risk today?
Practical steps include: rotating Internet Identity anchors rather than relying on a single long-lived credential; actively participating in NNS governance to vote on future post-quantum upgrade proposals; avoiding legacy address formats where possible; and monitoring NIST PQC standard adoption by browser and hardware security key vendors. Diversifying into projects with native post-quantum cryptography is an option some long-term holders are exploring.