a16z Heavy Report: Code Vulnerabilities Are More Deadly Than Quantum Computing, Don't Be Led Astray by Panic
a16z Crypto argues that the quantum computing threat is exaggerated and that the probability of a CRQC (cryptographically relevant quantum computer) appearing before 2030 is extremely low. Digital signatures and zkSNARKs are not exposed to “harvest now, decrypt later” attacks, and switching too early could itself introduce risk. The threats that matter today are code vulnerabilities and governance challenges, so auditing and testing should take priority over hasty upgrades.
a16z Refutes the 2030 CRQC Emergence Narrative
a16z Crypto published an analysis stating that the market’s timing estimates for “quantum computing threats to cryptocurrencies” are often exaggerated, and that the likelihood of a quantum computer capable of breaking today’s cryptography appearing before 2030 is very low. A “cryptographically relevant quantum computer” (CRQC) means a fault-tolerant, error-corrected quantum computer able to run Shor’s algorithm at a scale sufficient to break elliptic curve cryptography or RSA within a reasonable timeframe.
Based on reasonable readings of public milestones and resource estimates, we are still far from being able to build such a machine. All existing architectures (trapped ions, superconducting qubits, and neutral atom systems) are nowhere near the scale of hundreds of thousands or millions of physical qubits. The limits are not only qubit count but also gate fidelity, qubit connectivity, and the depth of continuously error-corrected circuits needed to run complex quantum algorithms.
Some systems currently have over 1,000 physical qubits, but this number is highly misleading. These systems lack the qubit connectivity and gate fidelity required for cryptographic computations. There remains a huge gap between demonstrating the feasibility of quantum error correction and achieving the scale needed for cryptanalysis. In short: unless qubit counts and fidelity improve by several orders of magnitude, cryptographically relevant quantum computers remain out of reach.
Three Common Misconceptions About Quantum Panic
Quantum Advantage Confusion: Claims of “quantum advantage” demonstrations target artificially designed tasks, not actual cryptanalysis
Misleading Annealer Qubit Counts: Claims of thousands of qubits refer to annealers, not gate-model machines capable of running Shor’s algorithm
Misuse of Logical Qubits: Some companies claim “logical qubits” but use distance-2 codes that can only detect errors, not correct them
HNDL Attacks Do Not Apply to Signatures and zkSNARKs
The article notes that mainstream digital signature schemes and zkSNARKs, as zero-knowledge systems, are not readily exposed to the “harvest now, decrypt later” quantum attack model. In a harvest-now, decrypt-later (HNDL) attack, an adversary records encrypted traffic today and decrypts it once a cryptographically relevant quantum computer exists. This is a real threat to encryption, which is why encryption needs to evolve today, especially where confidentiality must hold for 10-50+ years.
However, blockchains rely primarily on digital signatures, which are used differently from encryption: there is no confidential content that can be recorded now and broken later. In other words, once a cryptographically relevant quantum computer exists, forging signatures becomes possible from that point onward, but past signatures are not “secret” the way encrypted messages are. Any signature known to have been created before the emergence of a CRQC cannot have been forged. This makes the transition to post-quantum signatures less urgent than the transition to post-quantum encryption.
zkSNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are critical for blockchain scalability and privacy in the long term, and their situation is similar to signatures. Although zkSNARKs use elliptic curve cryptography, their zero-knowledge properties are post-quantum secure. Zero-knowledge ensures that no information about the secret witness is leaked during the proof process—even to quantum adversaries—so no sensitive information can be “harvested” now for later decryption.
Therefore, zkSNARKs are not vulnerable to harvest-now, decrypt-later attacks. Just as today’s non-post-quantum signatures are secure, any zkSNARK proofs generated before the appearance of a cryptographically relevant quantum computer remain trustworthy. Only after such a machine exists could an attacker produce convincing proofs of false statements. This technical detail is crucial for understanding the real threat of quantum computing.
Three Costs and Risks of Premature Transition
Pushing for an early switch to quantum-resistant schemes could introduce performance degradation, immature engineering, and potential security flaws. The performance cost of post-quantum signatures is significant. Hash-based signatures are around 7-8 KB in size, whereas current elliptic curve digital signatures are only 64 bytes—roughly 100 times smaller. Lattice-based schemes are somewhat better, with ML-DSA signatures ranging from 2.4 KB to 4.6 KB, still 40 to 70 times larger than current schemes.
What does this size increase mean for blockchains? Larger signatures lead to higher transaction fees, slower block propagation, and increased storage costs for nodes. For blockchains like Bitcoin, which already face scalability challenges, switching to post-quantum signatures could worsen the problem by tens of times. Post-quantum signature schemes are also harder to implement securely than elliptic curve schemes: ML-DSA in particular has more implementation pitfalls, and its rejection-sampling logic needs side-channel protection.
Historical lessons serve as warnings. Leading candidates like Rainbow (a multivariate MQ-based signature scheme) and SIKE/SIDH (isogeny-based cryptography) were cracked on classical computers during the NIST standardization process. This reflects normal scientific progress but also shows that premature standardization and deployment can backfire. The unique challenges of blockchain—such as the need for rapid aggregation of many signatures—make early migration particularly risky.
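To make the size comparison above concrete, the following is an added example (not a16z’s code or any project’s code) implementing a textbook Lamport one-time signature over SHA-256, the simplest hash-based scheme. It reports the resulting signature size next to the 64-byte elliptic curve signature the article cites; the update string and the ECDSA size constant are assumptions for the demonstration.

```python
import hashlib
import secrets

# Textbook Lamport one-time signature (added illustration, not the article's code).
N = 256                  # one key pair per bit of the SHA-256 digest
ECDSA_SIG_BYTES = 64     # compact secp256k1 signature size, as cited in the article


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes) -> bytes:
    """Reveal one preimage per digest bit. The key is one-time: never sign twice with it."""
    bits = int.from_bytes(H(message), "big")
    parts = [sk[i][(bits >> (N - 1 - i)) & 1] for i in range(N)]
    return b"".join(parts)


def verify(pk, message: bytes, sig: bytes) -> bool:
    """Each revealed preimage must hash to the public-key entry selected by that bit."""
    if len(sig) != N * 32:
        return False
    bits = int.from_bytes(H(message), "big")
    for i in range(N):
        bit = (bits >> (N - 1 - i)) & 1
        if H(sig[i * 32:(i + 1) * 32]) != pk[i][bit]:
            return False
    return True


def size_report(sig: bytes) -> dict:
    """Signature size in bytes and the ratio to a 64-byte elliptic curve signature."""
    return {"hash_sig_bytes": len(sig), "ratio_vs_ecdsa": len(sig) // ECDSA_SIG_BYTES}


if __name__ == "__main__":
    sk, pk = keygen()
    update = b"firmware-update-v1.2.3"   # constructed sample payload
    sig = sign(sk, update)
    print(verify(pk, update, sig), size_report(sig))
```

The 8 KB signature (128 times the 64-byte baseline) and the one-time key are exactly why the article reserves hash-based schemes for low-frequency, size-tolerant uses such as software updates.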
a16z’s Seven Recommendations: Cautiously Address Quantum Threats
a16z emphasizes that, compared to the still-emerging quantum computing risks, the more immediate challenges are protocol upgrade coordination, governance complexity, and implementation bugs in existing codebases. They recommend developers plan for quantum resistance well in advance based on reasonable timelines, rather than rushing to execute migrations. They also note that, in the foreseeable future, traditional security issues like code flaws, side-channel attacks, and fault injections remain more pressing than quantum threats, and resources should be focused on auditing, fuzzing, and formal verification.
Summary of a16z’s Seven Core Recommendations
Deploy Hybrid Cryptography Immediately: Especially in scenarios where long-term confidentiality is critical
Use Hash-Based Signatures: For low-frequency, size-tolerant scenarios like software updates
Plan Blockchain Transitions Carefully: Don’t rush but start planning now
Prioritize Privacy Chains: Transition early if performance allows
Implement Security First: Auditing and testing are more urgent than quantum resistance
Fund Quantum R&D: To prevent adversaries from gaining an advantage
Maintain Rational Perspective on Announcements: View progress reports as milestones, not triggers for action
Blockchain developers should emulate the Web PKI community’s cautious approach, deploying post-quantum signatures prudently. This will help ensure that post-quantum schemes continue to improve in performance and security. It is especially important for the Bitcoin community to start planning now, given governance delays and the presence of high-value, potentially abandoned, and quantum-vulnerable addresses.