Circle Post-Quantum Roadmap: How to Change Locks in Advance for "Quantum Breakdown"

Author: Karen Z, Foresight News

If quantum computers become powerful enough one day, blockchain will likely face two fundamental security assumptions: whether signatures can still prove "I am me," and whether data encrypted today will be decrypted in the future.

Circle's newly released post-quantum security roadmap paper discusses this very issue. Its core judgment is straightforward: elliptic curve cryptography, widely relied upon by blockchains today, including ECDSA, Ed25519, and BLS, will fail once faced with sufficiently powerful quantum computers. More problematic is that on EVM chains, accounts typically expose their public keys when broadcasting transactions for the first time; on chains like Bitcoin, addresses that have already spent, reused, or exposed their public keys in specific scripts will also enter a similar risk zone.

The paper's author lineup also indicates that this is not a typical popular science article.

The authors include Mira Belenkiy, Chief Software Engineer at Circle; Duc V. Le, Research Engineer at Circle; Gordon Liao, Chief Economist at Circle; Vipin Singh Sehrawat, Chief Security Engineer for Product Security at Circle; Dragos Rotaru, Research Engineer at Circle; and several Circle engineers, including Sergey Gorbunov, co-founder of Interop Labs (the original developer of the Axelar network) and now with Circle. Dan Boneh, a leading scholar in applied cryptography at Stanford University, also co-authored the paper. The most important aspect of this paper is not the fear-mongering narrative of "will quantum computing destroy cryptocurrencies?", but rather its breakdown of the problem into a real-world engineering migration issue. Circle argues that post-quantum migration is not a simple upgrade, but a "long-term relocation" across wallets, smart contracts, custody, cloud services, validators, and regulatory rules. The paper outlines several types of risks that blockchains face in the face of quantum attacks. The first type is account forgery. Once an address's public key is exposed, a future quantum attacker could potentially recover the private key and directly forge transactions. The paper cites Project Eleven's Bitcoin RisQ Metrics, stating that millions of addresses with balances are already exposed to quantum risks, including an estimated 14 million Bitcoin addresses. The second type is the "collect first, decrypt later" risk: attackers store encrypted data today and decrypt it later when quantum computing matures. The third type is consensus layer risk; if the validator's signing key is recovered, it could lead to double signatures, censorship, or even history rewriting. The fourth type is network layer risk; parts relying on traditional key exchange, such as P2P communication and RPC over TLS, also need upgrades. Circle's Three-Phase Migration Roadmap Circle's roadmap isn't simply about replacing one signature algorithm with another; it's divided into three steps: "Preparing Now," "Hybrid Transition," and "Final Switch." Each step has a different risk priority: privacy data must be protected first, accounts and smart contracts should be migrated gradually, and consensus and infrastructure should be switched over after the ecosystem, hardware, and standards are more mature. Attack Types and Countermeasures in the Arc Roadmap, Source: Circle Post-Quantum Security Roadmap Paper The first phase is the "Preparing Now" phase. The goal at this stage is not to immediately abolish ECDSA, but rather to provide a migration path for developers and users. Arc will support SLH-DSA-SHA2-128s post-quantum signature verification on the mainnet, allowing smart accounts to verify post-quantum signatures on-chain. In simpler terms, Arc is first installing an access control system on smart contracts that can recognize the new lock, but native transaction signatures will still retain ECDSA in the short term because post-quantum signatures are larger and slower to verify, impacting throughput and user experience. Meanwhile, Arc will support X-Wing HPKE encryption of transaction memos and protect transaction content, contract state, and execution traces through privacy execution. Circle places this part first because the privacy risk of "recorded today, decrypted in the future" is irreversible; signatures can be upgraded later, but leaked data cannot be restored to privacy. At the account layer, Circle also proposes several transition tools. For example, through EIP-4337 account abstraction, smart accounts can verify post-quantum signatures; through a hash-and-rotate scheme, only the public key hash is stored on-chain, minimizing the window of exposure of the public key plaintext; and through a post-quantum public key registry, users can bind their addresses and post-quantum public keys in advance. The common goal of these designs is to allow users to prepare for account migration without waiting for the underlying protocol to be completely transformed. The second phase is the "hybrid transition phase." This phase is the most realistic and also the most complex. USDC smart contracts will support both traditional signatures and post-quantum signatures simultaneously for a period of time. Once the ecosystem is ready, classic signatures will be disabled through a reservation mechanism. Circle also plans to migrate cold storage funds to multi-signature smart contracts to ensure compatibility with the migration schedules of different chains and different post-quantum signature algorithms. Since USDC smart contracts are deployed on more than 30 chains, it faces not a single-chain upgrade problem, but rather the fragmentation problem caused by the fragmentation resulting from each chain ecosystem choosing its own algorithm and setting its own timetable. The paper specifically emphasizes the challenges of ecrecover. Many EVM contracts use ecrecover to verify ECDSA signatures, but many of these contracts are no longer upgradable. Simply disabling ecrecover would break many existing applications; continuing to run it introduces the risk of quantum forgery. Circle proposes a promising solution: modifying ecrecover's behavior at the protocol layer through a hard fork, allowing it to support post-quantum signatures while maintaining the old ABI. This solution has significant practical implications because it doesn't just serve new contracts, but attempts to provide a migration path for existing, difficult-to-modify older contracts. The transition phase also includes updates to the underlying infrastructure. Circle needs to inventory its internal cryptography stack, assess whether cloud service providers, HSM, KMS, TEE, libp2p, TLS, and other dependencies have post-quantum preparedness capabilities, and rotate keys in the correct order. The paper specifically warns that if key A protects key B, and key B protects key C, then A must be rotated first, then B, and finally C. If the order is incorrect, even with a post-quantum algorithm, previously intercepted encrypted material may be exposed in the future. The third stage is the "final switch." Circle will only perform a true hard switch once the ecosystem, regulations, hardware wallets, cloud service providers, and blockchain infrastructure are all ready. At that time, Arc and USDC smart contracts may refuse ECDSA signatures, and validator signatures will migrate to the post-quantum scheme. If some chains carrying USDC fail to meet sufficient post-quantum security requirements in the long term, Circle may even consider suspending some contract functions or withdrawing support to avoid exposing user assets to the risk of quantum forgery. What to do with old accounts is the most difficult problem. But the final switch also brings the most intractable problem: what happens to the assets in accounts that haven't been migrated? Circle's stance is that freezing insecure accounts is to prevent theft and should not automatically equate to asset confiscation. In other words, "stopping control of old signatures" and "denying the economic rights of asset holders" must be handled separately. Therefore, the paper places great importance on account recovery, including migration to Arc, recovery via mnemonic phrases and zero-knowledge proofs, recovery via TEE proofs, and, in limited cases, recovery via off-chain legal documents, custodian proofs, exchange proofs, or estate documents. This leads to a crucial policy issue in the paper: account recovery. With the advent of the quantum era, traditional signatures themselves can no longer prove ownership, and KYC may not be able to prove who owns an anonymous address. Circle believes that regulators need to clarify in advance: how users should be notified before the migration deadline, what evidence is sufficient to prove asset ownership, how long after freezing assets is considered unclaimed, and how rules regarding estates, sanctions, anti-money laundering, and court orders should apply. The paper estimates that the industry may have a 5 to 10-year window to formulate these rules. This paper also offers a sober assessment: overly rapid migration could bring greater risks. For example, if companies currently use HSMs to protect their private keys, and hastily export these keys to ordinary CPUs for signing in order to catch up with post-quantum signatures, they will be more vulnerable to traditional hacker attacks. Circle's stance is that post-quantum migration should be prepared for early, but current security should not be compromised for the sake of "appearing secure." In simpler terms, Circle isn't saying "quantum computers will break the blockchain tomorrow," but rather that financial infrastructure cannot wait until the locks are proven to be ineffective before changing them. Especially for stablecoins like USDC that operate across more than 30 chains, the real challenge isn't just choosing a new algorithm, but getting wallets, contracts, custodians, validators, cloud service providers, regulators, and users to migrate together. Quantum attacks haven't actually materialized yet, but the migration costs are already a reality.