Is Quantum-Resistant MPC an Overpromise in Crypto Security?
Ted Nguyen
Author
BD & Growth @Fystack

[TL;DR]
- Google's March 2026 whitepaper found that cracking the cryptography protecting Bitcoin and Ethereum would require roughly 20x fewer quantum computing resources than previous estimates: no machine capable of this exists today, but the research gives engineers a concrete target to track for the first time.
- Quantum-resistant MPC replaces the vulnerable signing algorithm with post-quantum alternatives standardized by the US National Institute of Standards and Technology (NIST).
- Teams that evaluate their signing infrastructure now will have options when the quantum threat matures; those that defer may face a costly rebuild under time pressure.
In March 2026, Google Quantum AI published a whitepaper showing that breaking the elliptic curve cryptography behind Bitcoin, Ethereum, and virtually every institutional custody solution requires fewer quantum resources than prior estimates.
The paper reignited a specific question for teams running MPC-based custody infrastructure: does quantum-resistant MPC actually exist today, what does it look like in production, and where does it still fall short of what vendors are claiming?
What Does Quantum Computing Actually Threaten?
Classical computers process data as binary bits: each bit is either 0 or 1. Quantum computers use qubits, which can exist in a superposition of both states simultaneously, allowing them to evaluate many possibilities in parallel rather than one at a time.
This gives quantum computers a structural advantage on specific mathematical problems, among them the one that makes a private key infeasible to derive from its public key.
Every Bitcoin address and Ethereum wallet is secured by that assumption. Against classical computers, it holds. Against a sufficiently powerful quantum computer, it breaks down.

What's Inside Google's Quantum Paper
Google's core contribution is a revised resource estimate for breaking secp256k1, the elliptic curve used by Bitcoin and Ethereum: fewer than 500,000 physical qubits under specific hardware and error-correction assumptions, roughly a 20-fold reduction from previous leading estimates.
The distinction most coverage skips is between logical and physical qubits: the algorithm requires approximately 1,200 logical qubits, but translating those into real hardware demands around 500,000 physical qubits with sustained, fault-tolerant error correction, a scale no existing processor achieves.
To put that in context, Google's most advanced quantum processors today operate in the hundreds of physical qubits range, with error rates still far too high for computation of this kind.
Table 1: How Google's resource estimates compare to prior leading estimates for breaking secp256k1
| Metric | Prior Best Estimate | Google March 2026 Paper |
|---|---|---|
| Physical qubits needed | ~10 million | ~500,000 |
| Reduction vs prior estimate | Baseline | ~20x fewer |
| Logical qubits required | Higher | ~1,200 |
| Estimated attack duration | Not specified | ~9 minutes (idealized) |
| Threat classification | Distant, theoretical | Engineering-assessable |
The Global Risk Institute's 2025 expert survey places a cryptographically relevant quantum computer within 10 years in the "quite possible" range, with a probability of 28 to 49 percent. Google's paper gives the industry concrete engineering parameters to track for the first time, without setting an arrival date for the threat.

Why Your MPC Wallet Is Still Quantum-Vulnerable
MPC distributes key shares across nodes so the full private key is never assembled at any single point, which protects against insider compromise, device breach, and operational failure.
Shor's algorithm bypasses wallet security entirely: it recovers a private key directly from the corresponding public key by computation, with no need to compromise any node or device. This puts ECDSA, the standard signing algorithm that protects every Bitcoin and Ethereum transaction, at immediate risk.
Quantum-resistant MPC closes this gap without changing how your wallet operates. It keeps the threshold security structure intact but swaps ECDSA for lattice-based signing at the primitive layer. Keys are still split across separate nodes, but the underlying cryptography shifts to a mathematical problem that no known quantum algorithm solves efficiently.

For a deeper look at how MPC signing works and why the primitive layer matters, see our overview of MPC wallet infrastructure.
The Real State of Quantum-Resistant MPC in 2026
The first production deployments of quantum-resistant MPC for digital asset custody launched in 2026, but maturity varies significantly across use cases. NIST published its first batch of post-quantum cryptography standards in August 2024, including ML-DSA as the new standard for digital signatures, giving the industry a stable foundation to build on.
Table 2: Current maturity assessment of quantum-resistant MPC across key deployment dimensions
| Aspect | Status | Notes |
|---|---|---|
| Security | Strong | Lattice-based assumptions are not broken by known quantum algorithms |
| Performance | Heavier than ECDSA | Larger key and signature sizes; higher computation cost |
| Maturity | Early production | Real products deployed in 2026; optimizations ongoing |
| Advanced MPC features | In progress | Some malicious-security protocols still being optimized for post-quantum |
| Web3 adoption | Growing | Custody and stablecoin reserve signing are the leading use cases |
The standardization timeline is the foundation all of these deployments are building on. The gap between the first NIST standards in 2024 and full ecosystem adoption reflects a coordination challenge: blockchain protocols, wallet infrastructure, and custody platforms all need to migrate in sequence.

The Performance Costs No One Puts in the Announcement
Post-quantum signing primitives carry real performance overhead that matters at the transaction volumes custody platforms and stablecoin issuers handle. Lattice-based schemes like ML-DSA produce signatures roughly 40 to 70 times larger than ECDSA, and hash-based schemes such as SPHINCS+ are larger still.
In high-frequency applications such as automated settlement or real-time treasury rebalancing, this difference affects latency and on-chain transaction size directly. Hybrid deployments reduce the immediate performance burden but introduce implementation complexity that requires careful design.
Table 3: Public key and signature sizes for traditional and post-quantum signature algorithms
| Algorithm | Type / Level | Public Key (Bytes) | Signature Size (Bytes) |
|---|---|---|---|
| ECDSA P-256 | Traditional | 64 | ~64 |
| Ed25519 | Traditional | 32 | 64 |
| ML-DSA-44 | NIST Level 2 | 1,312 | 2,420 |
| ML-DSA-65 | NIST Level 3 | 1,952 | 3,309 |
| ML-DSA-87 | NIST Level 5 | 2,592 | 4,627 |
| SPHINCS+ (SLH-DSA) | SLH-DSA-128s | 32 | 7,856 - 17,000+ |
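Three points from the sections above can be seen together in one added example: a signing layer that can swap its primitive while everything above it stays put, the hybrid classical-plus-post-quantum deployment that is the current norm, and the size gap that the table documents. This is illustration code written for this article, not Fystack's or mpcium's code. The `Signer` interface, the `hybridSigner` composition and all names are assumptions; Ed25519 from Go's standard library stands in for the classical leg, and a Lamport one-time signature over SHA-256 stands in for the post-quantum leg because it is hash-based and needs no external library. It is not ML-DSA or SLH-DSA, a real deployment would use a NIST-standardized scheme, and threshold share distribution is out of scope for the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Signer is a hypothetical signing-layer interface: the key-management and policy
// layers above it see only Sign/Verify and never depend on the primitive inside.
type Signer interface {
	Sign(msg []byte) []byte
	Verify(msg, sig []byte) bool
	PublicKeySize() int
	SignatureSize() int
}

// classicalSigner wraps Ed25519 from Go's standard library (a "traditional" row of the table).
type classicalSigner struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newClassical() *classicalSigner {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &classicalSigner{pub, priv}
}
func (c *classicalSigner) Sign(msg []byte) []byte      { return ed25519.Sign(c.priv, msg) }
func (c *classicalSigner) Verify(msg, sig []byte) bool { return ed25519.Verify(c.pub, msg, sig) }
func (c *classicalSigner) PublicKeySize() int          { return ed25519.PublicKeySize }
func (c *classicalSigner) SignatureSize() int          { return ed25519.SignatureSize }

// lamportSigner is a Lamport one-time signature over SHA-256: a constructed stand-in for a
// hash-based post-quantum scheme (it is NOT SLH-DSA or ML-DSA). It shows why such signatures
// are large: 256 digest bits x 32-byte preimages = 8,192-byte signature, 16,384-byte public key.
type lamportSigner struct {
	priv, pub [256][2][32]byte
	used      bool // a Lamport key signs exactly once; a second signature leaks enough preimages to forge
}

func newLamport() *lamportSigner {
	l := &lamportSigner{}
	for i := 0; i < 256; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(l.priv[i][b][:]); err != nil {
				panic(err)
			}
			l.pub[i][b] = sha256.Sum256(l.priv[i][b][:]) // public key = hash of every preimage
		}
	}
	return l
}
func (l *lamportSigner) PublicKeySize() int { return 256 * 2 * 32 }
func (l *lamportSigner) SignatureSize() int { return 256 * 32 }
func bitAt(d [32]byte, i int) int          { return int(d[i/8]>>(7-uint(i%8))) & 1 } // MSB first

// Sign reveals, for each digest bit, the preimage matching that bit's value.
func (l *lamportSigner) Sign(msg []byte) []byte {
	if l.used {
		panic("lamport one-time key reused")
	}
	l.used = true
	d, sig := sha256.Sum256(msg), make([]byte, 0, l.SignatureSize())
	for i := 0; i < 256; i++ {
		sig = append(sig, l.priv[i][bitAt(d, i)][:]...)
	}
	return sig
}
func (l *lamportSigner) Verify(msg, sig []byte) bool {
	if len(sig) != l.SignatureSize() {
		return false
	}
	d := sha256.Sum256(msg)
	for i := 0; i < 256; i++ {
		if sha256.Sum256(sig[i*32:(i+1)*32]) != l.pub[i][bitAt(d, i)] {
			return false
		}
	}
	return true
}

// hybridSigner concatenates a classical and a post-quantum signature; a transaction is
// accepted only if BOTH legs verify, so the composite is no weaker than its stronger leg.
type hybridSigner struct{ classical, pq Signer }

func (h *hybridSigner) PublicKeySize() int { return h.classical.PublicKeySize() + h.pq.PublicKeySize() }
func (h *hybridSigner) SignatureSize() int { return h.classical.SignatureSize() + h.pq.SignatureSize() }
func (h *hybridSigner) Sign(msg []byte) []byte {
	return append(append([]byte{}, h.classical.Sign(msg)...), h.pq.Sign(msg)...)
}
func (h *hybridSigner) Verify(msg, sig []byte) bool {
	n := h.classical.SignatureSize() // && short-circuits, so the slices below are always in bounds
	return len(sig) == n+h.pq.SignatureSize() && h.classical.Verify(msg, sig[:n]) && h.pq.Verify(msg, sig[n:])
}
```

Build `&hybridSigner{newClassical(), newLamport()}`, call `Sign` on the transaction bytes and `Verify` on the result. The hybrid signature is 64 + 8,192 bytes and the public key 32 + 16,384 bytes, against 64 and 32 bytes for Ed25519 alone, which is the same order of overhead the table shows for SLH-DSA; the policy layer never touches any of this, which is the architectural flexibility the article asks teams to check for. Two properties worth noticing: a hybrid signature fails if either leg fails, so corrupting only the post-quantum leg is rejected, and a hash-based one-time key must never sign twice, so `Sign` refuses a second call rather than silently weakening the key.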
The strongest near-term argument for starting PQC migration planning today is the harvest-now-decrypt-later (HNDL) threat: an adversary who captures encrypted private key material now retains the ability to decrypt it once quantum hardware matures, which means long-lived key material carries risk regardless of when a quantum computer actually arrives.

What Institutions Should Actually Do Right Now
Three actions are worth taking now:
- Audit long-lived key material: Identify which systems hold or transmit private key material over extended timeframes. Those are the harvest-now-decrypt-later exposures that carry near-term risk regardless of when a quantum computer arrives.
- Ask your custody vendor specific questions: What NIST-standardized schemes is their PQC roadmap built on? Does their MPC implementation support a signing primitive upgrade without rebuilding the full stack?
- Evaluate architectural flexibility: Check whether your signing infrastructure can swap its cryptographic layer independently of the key management and policy layers above it. The teams that will migrate smoothly are those whose infrastructure allows it.
Google, the UK NCSC, and G7 financial sector guidance all converge on 2030 to 2035 as the reference window for migration readiness. Teams that begin the architecture work now will have the flexibility to respond when that window arrives.
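The first of the three actions, auditing long-lived key material for harvest-now-decrypt-later exposure, can be turned into a repeatable check. The block below is an added example written for this article, not Fystack's or mpcium's code: the inventory schema, the `AuditHNDL` rule, the field names and the sample records are all constructed, and the 2030 horizon year is an assumption taken from the start of the 2030 to 2035 window above. The rule it applies is the one the article states: material wrapped by classical public-key cryptography and captured today is at risk if it must still be secret after the horizon, while material already under a NIST post-quantum or hybrid wrapping is not.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// KeyRecord is one row of a constructed key-material inventory. The schema is hypothetical,
// not mpcium's or any vendor's. Wrapping names the public-key scheme that protects the
// material at rest or in transit, since that wrapping is what Shor's algorithm would unwrap.
type KeyRecord struct {
	System       string
	Material     string // what is protected, e.g. "MPC key share backup"
	Wrapping     string // e.g. "RSA-2048 envelope", "TLS 1.3 with X25519 key exchange"
	PQWrapped    bool   // true if Wrapping is a NIST PQ scheme or a classical+PQ hybrid
	Created      time.Time
	RetentionYrs int // how many years the material must stay secret
}

// Finding is one harvest-now-decrypt-later exposure: classical-only wrapping on material
// whose secrecy lifetime reaches past the assumed arrival of a cryptographically relevant
// quantum computer.
type Finding struct {
	System, Material string
	SecretUntil      int // last year the material must remain secret
	YearsExposed     int // years it must survive beyond the horizon
}

// AuditHNDL applies the article's rule: material captured today under classical wrapping is
// at risk if it must still be secret after horizonYear. The caller supplies the horizon;
// 2030, the start of the 2030 to 2035 migration window, is the assumption used in main.
func AuditHNDL(inv []KeyRecord, horizonYear int) []Finding {
	var out []Finding
	for _, r := range inv {
		if r.PQWrapped {
			continue // ciphertext captured now is not unwrappable by Shor's algorithm later
		}
		until := r.Created.Year() + r.RetentionYrs
		if until <= horizonYear {
			continue // the secret expires before the threat is assumed to mature
		}
		out = append(out, Finding{r.System, r.Material, until, until - horizonYear})
	}
	// longest exposure first, so a remediation order falls out of the report
	sort.Slice(out, func(i, j int) bool { return out[i].YearsExposed > out[j].YearsExposed })
	return out
}

// sampleInventory is constructed sample data, not a real deployment.
func sampleInventory() []KeyRecord {
	d := func(y, m int) time.Time { return time.Date(y, time.Month(m), 1, 0, 0, 0, 0, time.UTC) }
	return []KeyRecord{
		{"cold-backup", "MPC key share backup", "RSA-2048 envelope", false, d(2024, 6), 10},
		{"node-mesh", "key share in transit", "TLS 1.3 with X25519 key exchange", false, d(2025, 1), 7},
		{"audit-archive", "encrypted audit logs", "RSA-3072 envelope", false, d(2025, 3), 3},
		{"ceremony-vault", "key ceremony output", "X25519+ML-KEM-768 hybrid envelope", true, d(2026, 1), 10},
	}
}

func main() {
	for _, f := range AuditHNDL(sampleInventory(), 2030) {
		fmt.Printf("%-15s %-22s secret until %d, %d year(s) past horizon\n",
			f.System, f.Material, f.SecretUntil, f.YearsExposed)
	}
}
```

With the constructed inventory and a 2030 horizon, the backup shard (secret until 2034) and the key shares crossing the node mesh (secret until 2032) are reported, the short-retention audit archive and the hybrid-wrapped ceremony output are not; raising the horizon to 2035 clears the report, which is exactly why the horizon should be a documented input to the audit rather than a hard-coded constant. Re-run the check whenever retention periods, wrapping schemes or the organisation's assumed horizon change.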
Get Started
The mpcium library is Fystack’s open-source framework, allowing any engineering team to review and verify our security code directly.
Share your current setup with us, and our technical team will review your infrastructure and map out your clearest path forward.
Frequently Asked Questions (FAQs)
Does quantum-resistant MPC exist today?
Yes. NIST standardized its first batch of post-quantum cryptography algorithms in August 2024, including ML-DSA for digital signatures. In early 2026, the first institutional custody products shipped using ML-DSA with threshold signing, moving quantum-resistant MPC past "future technology." Hybrid approaches, combining classical and post-quantum signing, are the current norm while blockchain protocols complete their own PQC migration.
When does the quantum threat actually become real for crypto custody?
No consensus date exists. Google set its own internal PQC migration target at 2029. The 2030 to 2035 window appears consistently across Google, the UK NCSC and G7 financial sector guidance as the reference period for migration readiness.
What is harvest-now-decrypt-later and does it affect custody infrastructure?
Harvest-now-decrypt-later refers to an attack model where an adversary captures encrypted data or key material today, stores it, and decrypts it once quantum hardware matures. For custody infrastructure, this applies to any key material transmitted or stored long-term: backup shards, key ceremony outputs, and encrypted communications between MPC nodes are all potential targets. The HNDL risk is the strongest argument for beginning PQC migration planning before a cryptographically relevant quantum computer is publicly demonstrated.

