David Carvalho, Founder and CEO of Naoris Protocol, explains that state actors are already prepared to use quantum computing for attacks.
Summary
- David Carvalho of the Naoris Protocol explains how quantum computing threatens the financial system
- The SEC has recently sounded the alarm on the dangers of this technology
- State actors are already gathering information that quantum computers can eventually compromise
The quantum computing threat is no longer theoretical. State actors across the globe are already positioning themselves to use this potential technology, which can break traditional security protocols and blockchains with ease, to compromise the financial systems of their rivals.
The threat is so visible that the Securities and Exchange Commission published a report on its potential consequences. One of the projects mentioned in the report was the Naoris Protocol, a cybersecurity mesh that uses a “post-quantum blockchain” and distributed AI. Its founder and CEO, David Carvalho, spoke to crypto.news about the steps that the industry must take to tackle this threat.
crypto.news: When do you believe the first cryptographically relevant quantum computer will emerge? What are the risks to digital security as we know it?
David Carvalho: Anyone who tells you exactly when is either guessing or selling something. Credible timelines put it somewhere in the next decade; however, regulators are eyeing 2028 for mandatory quantum resilience. The scary part isn’t the date—it’s how long migration actually takes. There’s a naive assumption that you can just update the algorithm. In reality, we’re talking about retooling the entire nervous system of digital trust: PKI, HSMs, code signing, TLS, VPNs, blockchains, banking rails—the whole infrastructure. That’s years of engineering, testing, and coordination. Once a cryptographically relevant quantum computer exists, all the mechanisms that keep digital identity, money, and software signatures safe become vulnerable. This opens the door to entity impersonation, transaction forgery, and compromised signed updates.
CN: What are the unique risks of quantum computing to blockchain networks?
DC: Blockchains are particularly vulnerable since most depend on ECDSA or EdDSA for signatures, and Shor’s algorithm makes these trivial to break once quantum computers arrive. Private keys lose their privacy, wallets can be drained, validators spoofed, and bridges hijacked. The address reuse problem compounds this risk—once a public key is revealed, that address becomes a target in a post-quantum world. Bitcoin UTXOs are especially exposed. Bridges and MPC-based custody setups that appear decentralized often rest on classical cryptographic assumptions, creating single points of failure. If validator identities can be forged, attackers don’t need 51% of stake or hashpower—they simply impersonate the right parties and the system accepts them as legitimate.
CN: The PQFIF report suggests only ~3% of banks support post-quantum computing today. How feasible is it for institutions to retrofit legacy systems with post-quantum protocols?
DC: It’s feasible through layered, incremental adoption. Modern post-quantum solutions can work as overlays—essentially decentralized trust meshes sitting on top of existing infrastructure. These systems attest devices, applications, keys, and data flows without requiring complete stack rewrites, making the transition more practical for institutions with extensive legacy systems.
CN: How vulnerable are today’s blockchains and custody systems to Harvest-Now-Decrypt-Later (HNDL) attacks? Are state actors stockpiling encrypted blockchain data?
DC: HNDL is absolutely real and happening right now. The strategy is to collect encrypted traffic, keys at rest, backup files, and signed data for future decryption. While on-chain data is public, custody logs, wallet backups, encrypted API traffic, and internal server communications represent high-value targets. Nation-states with resources and patience are certainly accumulating this data.
CN: If Q-Day arrived tomorrow, what would happen to Bitcoin, Ethereum, and the banking system?
DC: The timeline is almost irrelevant because Harvest-Now-Decrypt-Later attacks are already underway. Hostile governments and cybercriminal groups are stockpiling encrypted data—medical files, financial transactions, classified intelligence, private communications—confident that quantum computers will eventually crack it.
If Q-Day arrived tomorrow, Bitcoin and Ethereum would experience selective theft targeting anything tied to exposed public keys. We’d likely see chain reorganizations, forged validator identities, and exchanges freezing withdrawals during verification. DeFi would enter crisis mode. Banks would face PKI failures causing revocation storms, TLS session failures, and gateway connection drops. It wouldn’t be apocalyptic, but it would create weeks of severe disruption.
CN: Are there efforts to engage with U.S. regulators or working groups on quantum computing risks?
DC: There’s active engagement in public policy and standards discussions around crypto-agility and decentralized assurance. The quantum-resistant blockchain space has gained recognition in regulatory circles—an independent analyst’s submission on the SEC’s site cited post-quantum blockchain protocols as models for protecting digital assets against quantum threats, marking the first time blockchain protocols have been explicitly referenced in this context for safeguarding trillions in digital assets.
The sector has also been represented at high-profile gatherings like the 1640 Society Family Office Wealth Forum and the Volcano Innovation Summit, where discussions focused on how quantum-resistant blockchain and distributed security can protect high-value digital assets and critical infrastructure amid escalating cyber risks.
CN: How does decentralized cybersecurity differ from conventional validator networks?
DC: The fundamental difference is the validation target. Traditional validators only validate transactions, assuming the devices and code executing them are trustworthy—a significant blind spot. Advanced approaches validate the environment itself: devices, software, identities, and data streams before they can transact. This creates a trust mesh that constantly attests endpoints using post-quantum cryptography and distributed AI. Every successful validation is cryptographically recorded, providing forensic proof-of-trust embedded in the chain. In essence, blockchains prove the state of things; next-generation systems prove the actors creating that state are legitimate.
CN: What trends in quantum or cryptography are experts underestimating?
DC: The focus on algorithms overshadows the real challenge: migration complexity, including key management, certificate lifecycles, and HSM upgrades. There’s also an underestimation of the hybrid phase duration—we’ll likely run post-quantum and classical systems in parallel for decades, which requires careful operational planning. PQC alone won’t provide security if endpoints are compromised; continuous attestation of devices, code, and data pipelines is essential. Looking ahead, AI and quantum computing are converging, and quantum-trained AI agents will eventually operate faster than human response times, fundamentally changing the threat landscape.
Source: https://crypto.news/interview-quantum-computing-threat-is-already-here-naoris-protocol-ceo/