Cryptographic Migration Debt:
The Post-Quantum Exposure Framework
for Institutional Digital Asset Programmes

Sources: Google Quantum AI whitepaper (March 30, 2026); Oratomic/Caltech arXiv:2603.28627 (March 30, 2026); Ethereum Foundation pq.ethereum.org (March 24, 2026); DTCC/SEC no-action letter (December 11, 2025); NIST FIPS 203/204/205 (August 2024); BlackRock/Securitize, JPMorgan AM, Franklin Templeton, Visa, Fidelity, WisdomTree primary press releases; Elliptic/TRM Labs (Drift, April 2026).

The market is asking the wrong question. "When will wallets be cracked?" skips the enterprise consequences that arrive first and cost more. The most damaging institutional exposures under a compressing quantum timeline are not theft. They are the operational and financial liabilities that begin accruing the moment an asset is issued on the wrong rail.

The market-structure repricing argument. Four mechanisms can trigger repricing without any CRQC existing. First, boards can ask now whether fiduciary duty requires addressing documented vulnerabilities against NIST-finalized standards. Second, auditors can advise now that continued issuance on documented vulnerable rails creates a disclosure obligation to investors. Third, regulators monitoring stablecoin infrastructure can require quantum-exposure disclosures as part of reserve reporting. Fourth, institutional counterparties can begin applying risk haircuts to assets issued on rails with no disclosed PQ roadmap when pricing collateral or repo agreements. None require a quantum computer — they require only that institutional awareness reaches the same level as the public technical record. Google's paper, covered by Bloomberg, CoinDesk, and the Financial Times within hours of publication, has accelerated that process by years.

On March 30, 2026, Google compressed the qubit threshold for breaking Bitcoin and Ethereum's cryptography by twenty-fold in a single paper. Prior best estimate: ~9 million physical qubits. New estimate: fewer than 500,000 — running in minutes on standard superconducting architecture. Researchers validated their resource estimates using a zero-knowledge proof to avoid disclosing attack circuits — responsible disclosure at the scale of a national security implication. The same day, Oratomic and Caltech published independently showing the same attack executes with as few as 9,739 atomic qubits in under three years. Two independent research groups. Same conclusion. One day.

Oratomic co-founder Manuel Endres has already trapped arrays of 6,000 atomic qubits — hardware trajectory is concrete, not theoretical. Their paper shows ECC-256 attacks execute with 9,739 qubits in under three years, 11,961 qubits in under one year, and ~26,000 qubits in approximately ten days.

The Manhattan Project analogy is precise in a way that matters institutionally. The atomic bomb went from theoretical proof of fission (1938) to Trinity test (1945) in seven years, once the engineering began. The engineering on quantum computing began in earnest with Google's Willow processor in late 2024. The seven-year clock, if the analogy holds, runs to 2031. That is not a distant horizon. It is inside the asset-life window of every institutional digital asset programme currently operating.

The no-notice-period argument is the most consequential element of both Google's paper and the analyst consensus it has generated. Google's own authors state explicitly that a threshold model is the correct planning assumption — meaning the transition from a non-threatening environment to a CRQC will be abrupt rather than gradual. Institutions that are banking on having 18–24 months of lead time from public announcements to plan and execute a migration are planning for a scenario the authors of the paper say will not occur.

Cloudflare has already completed its post-quantum migration. The internet infrastructure in use today by institutions communicating about these risks is already post-quantum. Apple, Google, and the US government have all set internal migration targets of 2029–2030. Google's Android 17 will ship ML-DSA post-quantum digital signature protection natively — meaning the mobile operating system used by over three billion people will have PQ signatures by default before most blockchains have a migration plan. Every major institution on the planet is aware of and actively mitigating post-quantum risk. The institutional blockchain stack — carrying $317 billion in stablecoins and $36 billion in tokenized RWAs — is the outlier, not the standard.

The public reaction to Google's paper focused almost entirely on Bitcoin. That reaction misses the institutional story. Google's paper includes a dedicated section — Section VI.D, "Stablecoins and Real-World Asset Tokenization" — that explicitly maps quantum vulnerabilities to the institutional tokenization ecosystem. It notes that financial developments "such as fiat-backed stablecoins and tokenization of other real-world assets, are projected to increase the pool of assets governed by smart contracts by nearly an order of magnitude by 2030." This is the first time a tier-one technical institution has formally catalogued these exposures in a peer-reviewed-pathway publication.

On Ethereum, five distinct vulnerability classes exist. Account vulnerability: Ethereum permanently exposes a user's public key on first transaction — top 1,000 wallets hold ~20.5 million ETH, all exposed, with no rotation mechanism without abandoning the account. Admin vulnerability: at least 70 of the top 500 contracts by ETH balance have admin keys on-chain, holding ~2.5 million ETH crackable in under 15 hours — and those keys govern ~$200 billion in stablecoins and tokenized assets. Consensus vulnerability: ~37 million ETH staked using BLS signatures Google considers quantum-vulnerable; Lido holds ~20%, concentrating attack surface. L2 vulnerability: at least 15 million ETH across rollups and bridges; each must upgrade independently. Data availability vulnerability: the KZG ceremony underpinning Ethereum's DAS creates a one-time-attack, permanently-exploitable classical backdoor.

Post-quantum Bitcoin risk is the most-searched query in this space and deserves a precise, standalone answer. Bitcoin's primary quantum vulnerability is the at-rest attack against addresses whose public keys are permanently exposed on-chain. This exposure arises in three ways: Pay-to-Public-Key (P2PK) scripts from the Satoshi era (~1.7 million BTC, all with public keys permanently on-chain); address reuse across wallet types; and the Taproot upgrade (2021), which made public keys visible by default and expanded the vulnerable pool. Google estimates approximately 6.9 million BTC are currently in addresses with some form of public-key exposure — roughly one-third of total circulating supply.

Bitcoin is immune to on-setup attacks (no trusted cryptographic ceremonies) and its Proof-of-Work consensus mechanism is not vulnerable to Shor's algorithm. For on-spend attacks, Google modeled that a fast-clock superconducting CRQC could derive a secp256k1 private key in approximately nine minutes — close enough to Bitcoin's ten-minute average block time to create a ~41% theft probability on live mempool transactions. This is the "on-spend" window that generated most media coverage. Bitcoin has no disclosed end-to-end post-quantum migration plan as of April 2026. Bitcoin Improvement Proposal BIP-360 (proposing a quantum-resistant Pay-to-Merkle-Root output type) was merged into the BIP repository in February 2026, but has no confirmed activation pathway — and critically, BIP-360 does not replace ECDSA or Schnorr signatures with post-quantum alternatives. It only removes the Taproot key path exposure pattern. A full base-layer transition to PQ signatures requires a separate and much larger change. In April 2026, multiple competing post-quantum signature proposals are under active discussion — BIP-360 (P2MR key-path removal), SHRIMPS (2.5KB hash-based signatures, Jonas Nick / Blockstream Research), SHRINCS (324 bytes, stateful), Hourglass V2 (limits spending of exposed legacy coins to 1 BTC per block), and Tadge Dryja's commit/reveal scheme for mempool protection. Five proposals, no coordination, no consensus activation pathway for any of them. Ethereum's governance challenge has drawn significant commentary — but Bitcoin's coordination mechanism for changes of this scale has no equivalent of the Ethereum Foundation, no hard-fork framework, and as Nic Carter observed, "no one will admit that they have real influence over what gets implemented."

For institutional readers: the Bitcoin quantum risk is concentrated in custody and wallet infrastructure, not in the protocol consensus layer. Institutions holding BTC in custody should treat key rotation practices and the long-term viability of their signing infrastructure as first-order questions under a compressing CRQC timeline.

Solana hosts three of the most significant institutional programmes in this report: Visa's $3.5 billion annualized stablecoin settlement, WisdomTree's tokenized fund suite, and BUIDL's Solana share class. The Drift Protocol exploit at $285 million also occurred on Solana. A structural vulnerability that distinguishes Solana from Bitcoin and Ethereum: unlike chains where wallet addresses are typically derived from hashed public keys, Solana exposes public keys directly and by default across its entire address space.

This direct public-key exposure means Solana's at-rest attack surface is structurally wider than Ethereum's — where only wallets that have transacted expose their public key on-chain. For institutional programmes on Solana, every admin key, every governance signer, and every wallet associated with an institutional programme is an immediately accessible quantum attack surface, with no filtering by whether the wallet has ever transacted.

In April 2026, Project Eleven and the Solana Foundation published results from live testnet experiments replacing Solana's Ed25519 signatures with quantum-resistant alternatives. The results confirm the magnitude of the engineering challenge. Quantum-safe signatures are 20 to 40 times larger than current signatures. In live testing, a version of Solana using quantum-resistant cryptography ran approximately 90% slower than its current throughput — a result that cuts directly at the foundation of Solana's commercial value proposition as the fastest institutional settlement rail in crypto.

Solana's ~400ms finality provides structural protection against on-spend attacks specifically — but offers zero protection against at-rest attacks on permanently and directly exposed admin keys, governance multisig signers, and Security Councils, as demonstrated by the $285 million Drift exploit. The live testnet data from Project Eleven confirms what modeled figures suggested: migrating Solana to quantum-safe cryptography imposes a commercially prohibitive throughput penalty on the current architecture. The Solana Foundation deserves credit for engaging on the problem — but engagement is not a roadmap, and a testnet that runs 90% slower is not a solution. For the three major institutional programmes currently operating on Solana, this gap requires an immediate strategic decision.

Algorand: the first major L1 to complete a live PQ mainnet transaction. On November 3, 2025, Algorand broadcast the first mainnet transaction signed with Falcon-1024 — a NIST-selected lattice-based signature scheme. This was a significant milestone: proof that quantum-resistant signatures are deployable on a live public blockchain. Google's March 2026 paper explicitly cited Algorand's deployment as the closest existing real-world example of PQ adoption on a major L1. The important nuance for institutions: Algorand's Falcon-1024 deployment covers state proofs and is opt-in; core accounts still use Ed25519; full protocol-level migration remains on roadmap. The Falcon-1024 signature at ~1,330 bytes is 8.3× larger than EternaX's scheme. Algorand demonstrates the industry is moving — it does not demonstrate the full-stack institutional solution.

This is the central financial argument of the report. Bitcoin's value is inseparable from the cryptographic network that secures it — rail risk is native and appropriate to price. That is not true of tokenized treasuries, stablecoins, tokenized money market funds, tokenized deposits, or most real-world assets. Their value comes from reserves, legal claims, fund structures, custodianship, sovereign credit, and regulated financial rights. The blockchain is the rail. When that rail is non-PQ-safe, a separate infrastructure choice contaminates otherwise clean financial claims with an avoidable future cryptographic liability.

Donohue is right that other G-SIBs will follow. The question for each institution following JPMorgan's lead is not whether to issue a tokenized money market fund. The question is which rail to issue it on — and whether that rail imports a cryptographic contamination into an asset backed by U.S. Treasury securities and banking-grade custody.

Naming institutions is not enough. The exposure becomes concrete only when you trace the complete chain: enterprise → product → counterparties → control surfaces → privacy surfaces → rail.

Brian Armstrong's April 6, 2026 statement is notable not because it resolves anything — Coinbase has disclosed no PQ roadmap for its custody infrastructure, its exchange, or its L2 (Base). It is notable because the CEO of the largest publicly traded crypto company is now personally engaged. That engagement is the first acknowledgement from major exchange leadership that the quantum problem requires CEO-level attention. It is not a roadmap. It is the acknowledgement that a roadmap is needed. The verdict box above remains accurate: zero end-to-end PQ roadmaps disclosed across all named programmes.

Post-quantum risk is not a wallet problem. For enterprises, the control plane is the primary exposure — admin keys, governance multisigs, upgrade authorities, transfer-agent signing perimeters. These surfaces govern far more value than the ETH they directly hold, because they control the logic sitting above billions in tokenized assets. A quantum computer does not need to steal a wallet to drain an institutional programme. It needs to crack the key that controls the contract that governs the fund.

Privacy-preserving blockchains will degrade retroactively under quantum attack. Google's March 2026 paper makes this explicit. The word "retroactive" is what matters: historical transaction data that appears private today becomes readable in the future as quantum capabilities improve. The privacy was real when the transaction occurred. It will not be real when a quantum computer arrives with the stored record.

State actors are already collecting blockchain data with no intention of decrypting it now. An adversary who collects data in 2026 and decrypts it in 2031 has effectively travelled back in time to observe 2026 transactions as if conducted in the clear. For on-chain institutional finance, where the ledger is permanent and every transaction irreversibly recorded, this threat has no expiry date and no remediation once the data is on-chain.

Migration debt is not a metaphor. It is a concrete and compounding set of costs that accumulates when long-duration value is issued on rails whose authorization model, control surface, and privacy architecture are not future-safe. It begins accruing the moment an asset is issued, not the moment an attack occurs. It compounds on success, not on failure — every new counterparty, DeFi integration, and client relationship deepens it. Every expansion makes it worse. The window for cheap correction closes as the programme scales.

Legacy exposure may require years of managed migration. New issuance is entirely a choice. No board wants to be told in 2030 that in April 2026 — with NIST standards finalized, government milestones published, Google's paper in the public record, and the Ethereum Foundation acknowledging the urgency — their programme knowingly created fresh migration debt for long-duration assets on documented vulnerable rails.

The three-plane model is the core analytical framework of this report. Every exposure, attack vector, and remediation maps to one of three planes. Understanding which plane your exposure sits in determines the correct response.

The requirements established through this report constitute a demanding rubric. Seven requirements. Every one of them necessary. None of them optional for long-duration institutional value. The analysis that follows evaluates each requirement against EternaX's current positioning, with evidence cited and open items disclosed. The conclusion the rubric evidence supports: EternaX is the only market participant currently building to satisfy all seven simultaneously — the full stack of PQ-native issuance, migration infrastructure, custody and policy integration, auditable privacy, and market-speed execution quality, designed from inception rather than retrofitted onto a quantum-vulnerable architecture.

On the "Requires Diligence" Items. The rubric table above is intentionally honest — it includes a "Requires Diligence" column rather than claiming every item is fully resolved. Institutions should understand what EternaX is doing about each open item. On peer review completion: the IACR Journal of Cryptology publication by Dr. Chen Feng, Dariia Porechna et al. is in the submission pipeline; independent cryptographic validation is available upon request to institutions conducting diligence. On production-scale throughput validation: testnet has processed 1M+ transactions and 475K+ prediction-market bets; independent external benchmarking is the appropriate next step and EternaX welcomes it. On enterprise custody partner traction: institutional custody integration is in active development; the architecture is designed from inception for policy-engine and custody-framework compatibility. On live institutional issuance partnerships: EternaX is in active conversations with issuers and regulatory counsel; announcing partnerships before regulatory and technical readiness is complete would itself be a credibility signal in the wrong direction. The "requires diligence" column is transparency, not weakness. It is the column that distinguishes a credible institutional technology claim from a marketing document.

The Four Structural Moats. A rubric match shows EternaX satisfies requirements. The moat analysis shows why that positioning is durable and difficult to replicate.

The market EternaX competes in has two distinct components: the migration market (assets already on quantum-vulnerable rails that will require re-platforming over the NCSC 2028–2035 window), and the new-issuance market (every dollar of long-duration institutional value that will be tokenized from here, which faces a binary choice between legacy vulnerable rails and PQ-native infrastructure). The new-issuance market is the primary opportunity — it requires no migration coordination, no counterparty consent, and no legacy smart contract replacement. It requires only a decision at the moment of issuance.

EternaX's revenue architecture follows the same funnel as its product stack: Issue → Migrate → Custody → Trade → Settle. Each layer generates a distinct revenue stream — venue fees on market activity, settlement gas, distribution fees on stablecoin balances, routing tolls on institutional flows, and enterprise privacy contracts. The enterprise contract model converts institutional adoption into recurring revenue that compounds with switching cost. Every institutional relationship built on an auditable-private, PQ-native model is a relationship where migration away from EternaX carries the same cost as migration away from a quantum-vulnerable rail — which is precisely the institutional lock-in that makes the revenue model durable independent of transaction volume alone.

That is the real board question. Not: when will quantum computers arrive? Not: is our wallet safe today? But: why are we still contaminating stablecoins, tokenized treasuries, tokenized money market funds, and long-duration RWAs with the cryptographic liabilities of blockchain rails not designed for the lives of those assets?

The problem is bigger than Bitcoin-theft framing — it encompasses migration debt, control-plane contamination, retroactive privacy degradation, vendor dependence, and market-structure repricing before any theft occurs. It affects real institutions now because BlackRock, JPMorgan, Franklin Templeton, Visa, DTCC, and Fidelity are all operating at scale on rails with no disclosed post-quantum roadmap. And there is a right way to issue from here: the category of PQ-native market infrastructure for institutional finance is now identifiable, its requirements are specifiable, and at least one market participant is building to satisfy all of them.

The evidentiary record is now closed. NIST finalized core post-quantum standards in August 2024, establishing the technical baseline any institution can audit today. Google's March 2026 paper compressed the qubit buffer by twenty-fold and its authors explicitly stated that a threshold model — no gradual warning, no observable approach — is the correct planning assumption. The Ethereum Foundation has acknowledged the problem, published a roadmap, and been explicit that base-layer upgrades do not cover deployed contracts. Project Eleven and the Solana Foundation confirmed in live testnet that quantum-safe migration imposes ~90% throughput loss on Solana. The Drift exploit on April 1, 2026 demonstrated precisely what reaching a protocol's control plane costs today when keys are exposed — and what changes when the social engineering dependency is removed by direct quantum computation. Cloudflare, Apple, and Google have all set internal PQ migration targets of 2029–2030. The institutional blockchain stack is the only major financial infrastructure that has not begun.

For new long-duration issuance, the rational conclusion has arrived. The institutions that act before the market forces the reckoning will be the architects of the next institutional standard. Those that defer will be the subjects of an expensive, public, and entirely avoidable migration.

This report is the second in the EternaX Post-Quantum Research Series. The first report, published in March 2026, established the foundational post-quantum threat case across 27 named institutions and nine chains, introduced the concept of cryptographic migration debt, and identified nine open 2026 architecture decisions still available to institutions before lock-in. This report extends that work by developing the enterprise-first exposure framework, the enterprise-to-rail trace methodology, the full migration-debt taxonomy, and the institutional post-quantum decision framework.