Circle Post-Quantum Roadmap: How to Pre-Change the Lock for “Quantum Breakthrough”?
Author: KarenZ, Foresight News
If quantum computers one day become powerful enough, two of blockchain's fundamental security assumptions come into question: whether a signature can still prove "I am who I claim to be," and whether data encrypted today can be decrypted in the future.
Circle's newly published paper, "Circle's Post-Quantum Security Roadmap," addresses exactly this problem. Its core judgment is straightforward: the elliptic-curve cryptography that today's blockchains rely on, including ECDSA, Ed25519, and BLS, will no longer be secure once sufficiently powerful quantum computers exist. More troubling, on EVM chains an account typically exposes its public key the first time it broadcasts a transaction; on chains like Bitcoin, addresses that have been spent from, reused, or exposed through particular script types fall into a similar risk zone.
The list of authors also signals that this is not an ordinary popular-science article. Authors include Circle Chief Software Engineer Mira Belenkiy, Circle Research Engineer Duc V. Le, Circle Chief Economist Gordon Liao, Circle Product Security Lead Vipin Singh Sehrawat, Research Engineer Dragos Rotaru, and Sergey Gorbunov, co-founder of Interop Labs (the original developer of Axelar Network, now part of Circle), along with several other Circle engineers; Dan Boneh, a leading applied-cryptography scholar at Stanford University, also contributed.
The most important aspect of this paper is not the scare narrative of "Will quantum computing destroy cryptocurrencies," but rather that it breaks down the problem into a practical engineering migration challenge. Circle believes that post-quantum migration is not a simple upgrade button but a "long-term relocation" across wallets, smart contracts, custody, cloud services, validators, and regulatory rules.
The paper lists several risks that blockchain faces from quantum attacks.
First is account forgery. As long as the public key of an address is exposed, future quantum attackers could recover the private key and directly forge transactions. The paper cites Project Eleven’s Bitcoin RisQ Metrics, stating that millions of addresses with balances are exposed to quantum risk, including an estimated 14 million Bitcoin addresses.
Second is the "collect now, decrypt later" risk: attackers today can store encrypted data and decrypt it once quantum computers are mature.
Third is consensus layer risk: if validator signing keys are recovered, it could lead to double signing, censorship, or even rewriting history. Fourth is network layer risk: P2P communication, RPC over TLS, and other parts relying on traditional key exchanges also need upgrades.
Circle’s three-phase migration roadmap
Circle’s roadmap does not simply replace one signature algorithm with another but divides the process into three steps: "now preparation," "hybrid transition," and "final switch." Each step has different risk priorities: privacy data must be protected first, accounts and smart contracts should migrate gradually, and consensus and infrastructure will switch once the ecosystem, hardware, and standards are more mature.
Figure: Attack types and the corresponding response phases in the Arc roadmap. Source: Circle Post-Quantum Security Roadmap paper.
Phase one is "Now Preparation." The goal at this stage is not to immediately discard ECDSA but to leave migration pathways for developers and users. Arc will support post-quantum signature verification on the mainnet with SLH-DSA-SHA2-128s, allowing smart accounts to verify post-quantum signatures on-chain. In simple terms, Arc will initially equip smart contracts with an access control system capable of recognizing new locks, but native transaction signatures will still use ECDSA in the short term because post-quantum signatures tend to be larger and slower to verify, impacting throughput and user experience.
Meanwhile, Arc will support encrypting transaction memos with X-Wing HPKE, and protect transaction content, contract states, and execution traces via trusted execution environments (TEEs). Circle emphasizes this early support because "recorded today, decrypted tomorrow" privacy risks are irreversible; signatures can be upgraded later, but data already leaked cannot be made private again.
At the account level, Circle proposes several transitional tools. For example, using EIP-4337 account abstraction to verify smart accounts with post-quantum signatures; employing a hash-and-rotate scheme that only stores public key hashes on-chain to minimize the window of public key exposure; and establishing a post-quantum public key registry to pre-bind addresses with post-quantum public keys. The common goal of these designs is to enable users to prepare for account migration without waiting for the underlying protocol to be fully upgraded.
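The hash-and-rotate idea described above, as an added illustrative model (not Circle's or Arc's code): the chain stores only H(pk); a transaction reveals pk, a one-time hash-based signature, and the hash of the next key, so each public key is exposed exactly once. A Lamport one-time signature stands in for SLH-DSA here as an assumption, to keep the example self-contained.

```python
# Added model of a hash-and-rotate account. Lamport OTS is used as a stand-in for
# a production hash-based scheme such as SLH-DSA (assumption, not the page's scheme).
import hashlib
import os

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key: 256 pairs of 32-byte secrets; pk = hash of each secret."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def pk_commit(pk) -> bytes:
    """The only value stored on-chain: a hash of the serialized public key."""
    return H(b"".join(a + b for a, b in pk))

def bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1

def sign(sk, msg: bytes):
    d = H(msg)                      # reveal one secret per message bit (one-time use!)
    return [sk[i][bit(d, i)] for i in range(256)]

def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

class Account:
    def __init__(self, first_pk):
        self.commitment = pk_commit(first_pk)   # H(pk) only; pk itself stays private
        self.nonce = 0

    def authorize(self, pk, sig, next_commitment: bytes, payload: bytes) -> bool:
        """Check the revealed pk against the commitment, verify the signature over
        (nonce, next_commitment, payload), then rotate to the next key's hash."""
        if pk_commit(pk) != self.commitment:
            return False
        msg = self.nonce.to_bytes(8, "big") + next_commitment + payload
        if not verify(pk, msg, sig):
            return False
        self.commitment, self.nonce = next_commitment, self.nonce + 1
        return True

def demo():
    """Constructed scenario: one valid transfer, then a replay with the spent key."""
    sk1, pk1 = keygen()
    _, pk2 = keygen()
    acct, next_c, payload = Account(pk1), pk_commit(pk2), b"transfer 10 USDC"
    msg = (0).to_bytes(8, "big") + next_c + payload
    ok = acct.authorize(pk1, sign(sk1, msg), next_c, payload)
    replay = acct.authorize(pk1, sign(sk1, msg), next_c, payload)  # pk1 already exposed and spent
    return ok, replay, acct.commitment == next_c
```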
Phase two is "Hybrid Transition." This is the most realistic and complex stage. For a period, USDC smart contracts will accept both traditional and post-quantum signatures; once the ecosystem is ready, classical signatures will be disabled through a mechanism reserved for that purpose. Circle also plans to migrate cold-storage funds to multi-signature smart contracts that can accommodate different chains and post-quantum signature algorithms. Since USDC smart contracts are deployed on over 30 chains, the challenge is not a single-chain upgrade but managing the fragmentation that results when each chain chooses its own algorithms and timelines.
The paper highlights one difficulty in particular: ecrecover. Many EVM contracts verify ECDSA signatures through ecrecover, and many of those contracts are non-upgradable. Simply disabling ecrecover would break many existing applications; leaving it running preserves the quantum-forgery risk. Circle proposes a promising way out: a hard fork that changes ecrecover's behavior at the protocol level so that it supports post-quantum signatures while keeping the old ABI. This matters because it offers a migration path not only for new contracts but for legacy contracts that are already deployed and hard to modify.
The transition also involves updating lower-level infrastructure. Circle needs to inventory its cryptographic stack, assess whether cloud providers, HSMs, KMS, TEEs, libp2p, TLS, and other dependencies are post-quantum ready, and rotate keys in the correct order. The paper warns that if key A protects key B, and key B protects key C, then A must be rotated first, B second, and C last: a new key wrapped under a protector that is still classical is only as safe as that classical key. An incorrect order, even with post-quantum algorithms, could expose previously intercepted encrypted data in the future.
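The rotation-order rule above, as an added simulation (not Circle's tooling): a hypothetical three-key stack where A protects B and B protects C, each rotation emits a copy of the new key wrapped under its protector's current generation, and an attacker who recorded every wrap and can later break any classical key is evaluated at the end. The example also derives the safe order for an arbitrary protector-to-protected map.

```python
# Added model of key-rotation ordering. Key names and the A->B->C stack are
# constructed for illustration; "pq" marks a key after rotation to a post-quantum algorithm.

PROTECTS = {"A": "B", "B": "C"}   # protector -> protected (A is the root, wrapped by nothing)

def rotation_order(protects):
    """Order in which every protector is rotated before the keys it protects."""
    parents = {child: parent for parent, child in protects.items()}
    order = []
    for key in sorted(set(protects) | set(protects.values())):
        chain = []
        while key is not None and key not in order:   # walk up to the first already-ordered ancestor
            chain.append(key)
            key = parents.get(key)
        order.extend(reversed(chain))                  # root side first
    return order

def simulate(order, protects):
    """Return the keys whose NEW (post-quantum) version a harvest-now-decrypt-later
    attacker can still recover, given that every classical key is eventually breakable."""
    parents = {child: parent for parent, child in protects.items()}
    gen = {k: "classical" for k in set(protects) | set(protects.values())}
    recorded = []                                       # (wrapped key, protector, protector generation)
    for k in order:
        gen[k] = "pq"
        if k in parents:                                # root key is never wrapped
            p = parents[k]
            recorded.append((k, p, gen[p]))             # new k is wrapped under p's CURRENT generation
    known = {(k, "classical") for k in gen}             # attacker breaks every classical key
    changed = True
    while changed:                                      # unwrap everything reachable from broken keys
        changed = False
        for k, p, pgen in recorded:
            if (p, pgen) in known and (k, "pq") not in known:
                known.add((k, "pq"))
                changed = True
    return {k for k, g in known if g == "pq"}

if __name__ == "__main__":
    print("safe order:", rotation_order(PROTECTS))
    print("exposed after A,B,C:", simulate(["A", "B", "C"], PROTECTS))
    print("exposed after C,B,A:", simulate(["C", "B", "A"], PROTECTS))
```

Rotating in the reverse order leaves both B and C exposed even though every key ends up post-quantum, because each new key was wrapped under a protector that was still classical at the time.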
Phase three is "Final Switch." When the ecosystem, regulators, hardware wallets, cloud providers, and blockchain infrastructure are all ready, Circle will execute a true hard switch. At that point, Arc and USDC smart contracts may reject ECDSA signatures, and validator signatures will migrate to post-quantum schemes. If some chains hosting USDC cannot meet post-quantum security standards for a long time, Circle might even consider suspending certain contract functions or withdrawing support to prevent user assets from being exposed to quantum forgery risks.
What about old accounts? This is the most difficult issue. The final switch will cause the most pain: what happens to assets in accounts that haven't migrated? Circle’s stance is that freezing insecure accounts is to prevent theft, not to confiscate assets. In other words, "stopping old signature control" and "denying the economic rights of asset holders" must be handled separately. Therefore, the paper emphasizes account recovery options, including migration to Arc, recovery via mnemonics and zero-knowledge proofs, recovery through TEE attestations, and, in limited cases, recovery via off-chain legal documents, custodial proofs, exchange attestations, or inheritance documents.
This raises a critical policy issue discussed in the paper: account recovery. Once quantum computers arrive, traditional signatures no longer prove ownership, and KYC may not be able to establish who owns an anonymous address. Circle believes regulators need to clarify in advance how users will be notified before migration deadlines, what evidence suffices to prove asset ownership, how long assets can remain frozen before being considered unclaimed, and how rules on inheritance, sanctions, anti-money laundering, and court orders apply. The paper estimates the industry has a 5- to 10-year window to establish these rules.
The paper also offers a sober assessment: rushing the migration could introduce greater risks. For example, a company currently using HSMs to protect private keys might, in a rush to adopt post-quantum signatures, export keys to a standard CPU for signing, making them more vulnerable to traditional hacking. Circle’s stance is that post-quantum migration should be prepared early but not at the expense of current security.
In plain language, Circle is not saying "quantum computers will break blockchain tomorrow," but rather that: financial infrastructure cannot wait until locks are proven to fail before changing them. Especially for USDC, which operates across more than 30 chains, the real challenge is not just choosing a new algorithm but coordinating migration across wallets, contracts, custody, validators, cloud providers, regulators, and users.
Quantum attacks have not yet fully materialized, but the costs of migration are already in front of us.