Charles Guillemet, who serves as the CTO of Ledger, the French hardware wallet maker known for its Secure Element-based cold storage devices and its in-house security research lab called the Donjon, posted the analysis laying out exactly where the cryptographic migration stands, where NIST is forcing the timeline, and what the blockchain world is doing differently from everyone else.
Guillemet has been one of the most vocal voices in the industry on quantum threats, having previously warned that approximately 7 million Bitcoin sit in addresses with exposed public keys, including an estimated 1 million BTC tied to Satoshi Nakamoto.
Here is everything he said, broken down.
The Tipping Point: “We still don’t know when, but the transition is inevitable”
Guillemet opened by declaring that the post-quantum cryptography debate has reached a tipping point. The industry, he said, still does not know when, or even if, a cryptographically relevant quantum computer (CRQC) will arrive. But one thing is certain: the transition to post-quantum cryptography is inevitable.
A CRQC is the theoretical quantum machine powerful enough to run Shor’s algorithm at scale, which could derive private keys from public keys and render today’s elliptic curve cryptography (the ECDSA used by Bitcoin and Ethereum) useless overnight.
No such machine exists today, but the credibility of its arrival has sharpened significantly in 2026, especially after Google Quantum AI published research in March estimating that Bitcoin’s cryptography could be cracked with as few as 1,200 to 1,450 logical qubits, roughly 20 times fewer than earlier projections.
NIST is driving the clock
Guillemet then laid out the regulatory pressure. The traditional world, he said, has a clear roadmap, and the timeline is largely being set by the National Institute of Standards and Technology (NIST), the US federal body whose cryptographic standards are adopted globally.
Under NIST IR 8547, the agency mandates the deprecation of vulnerable algorithms like RSA, ECDSA, EdDSA, DH, and ECDH by 2030 and their full disallowance by 2035. Major enterprises and government agencies are already preparing, aiming to be migration-ready as early as 2029. Guillemet called the undertaking “massive” and, in his view, “still underestimated,” floating the comparison to the Y2K bug, except several orders of magnitude bigger.
For context, the Y2K bug was the late-1990s panic where software storing years as two digits (99 for 1999) was expected to roll over to 00 and misinterpret it as 1900. The world spent roughly half a trillion dollars on remediation. Guillemet’s point is that the PQC transition will dwarf that effort in scale.
ML-KEM: The most urgent front for encryption
On encryption and key exchange, Guillemet said the industry is converging on ML-KEM, formerly known as CRYSTALS-Kyber and standardised by NIST as FIPS 203. ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism, is the lattice-based algorithm now being rolled out across Chrome’s hybrid key exchange, Cloudflare, Apple’s iMessage PQ3, and Signal’s PQXDH.
The reason this front is the most urgent, Guillemet explained, is the “harvest now, decrypt later” attack. Adversaries, including state actors, can record encrypted traffic today and sit on it for years. The moment a sufficiently powerful quantum computer becomes available, every day of delay widens the window of exposure retroactively. That said, Guillemet noted that encryption is largely a non-issue in the blockchain world, where the primary cryptographic primitive is the digital signature, not encryption.
The signature families: ML-DSA vs SLH-DSA
This is where Guillemet’s analysis gets pointed. For signatures, two families dominate the post-quantum landscape, and the industry is splitting on which to adopt.
- Lattice-based signatures (ML-DSA), formerly known as CRYSTALS-Dilithium and standardised as FIPS 204. ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm, is fast and produces compact signatures. Most of the industry outside blockchain will adopt ML-DSA, often in a hybrid configuration alongside traditional ECC during the transition phase.
- Hash-based signatures (SLH-DSA), formerly known as SPHINCS+ and standardised as FIPS 205. SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm, produces significantly larger signatures (up to 8 kilobytes versus 64 bytes for current Bitcoin signatures) and is slower to sign.
Why blockchain is diverging
Guillemet gave the industry its clearest framing yet.
ML-DSA, he wrote, is fast and produces compact signatures, but it relies on the hardness of structured lattice problems, a mathematical foundation that is comparatively young. The cryptographic community, he said, does not yet have decades of confidence in its security assumptions. The concern is not that a flaw has been found, but that the algebraic structure could conceal one.
SLH-DSA, on the other hand, produces larger and slower signatures, but its appeal lies in simplicity and maturity. Hash functions, Guillemet noted, are among the best-understood primitives in cryptography. There is no hidden algebraic structure to exploit. Hashes simply mix bits, and the community has strong, long-standing confidence in their security.
For blockchains, where signature verification sits on the critical path of every block and long-term trust assumptions are paramount, Guillemet said the conservative choice of hash-based signatures carries real weight, even at the cost of performance. He concluded that most of the industry outside blockchain will adopt ML-DSA, often in a hybrid configuration alongside traditional ECC. In the blockchain world, though the discussion is far from settled, sentiment is leaning toward hash-based signatures.
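To make the "hashes simply mix bits" argument concrete, here is a Lamport one-time signature, the simplest ancestor of the hash-based family that SLH-DSA belongs to. This is an added teaching example written for this article, not code from Ledger or from any FIPS 205 implementation; SLH-DSA itself layers WOTS+ and FORS one-time signatures into a hypertree and is far more involved. What the toy shows is exactly the trade-off the article describes: the only primitive in play is SHA-256, so there is no algebraic structure to attack, but the signature is one 32-byte preimage per digest bit and comes to 8 kilobytes, and the key can safely sign only once. The `exposed_positions` helper counts how many secret pairs would be fully revealed if the same key signed two different messages, which is the reason real schemes need many one-time keys and why the signer must hold and track the whole key, the "single signer with full state" point raised later in the piece. Message strings and the helper names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

HASH_LEN = 32           # SHA-256 digest length in bytes
N_BITS = HASH_LEN * 8   # one secret pair per bit of the message digest

SecretKey = List[Tuple[bytes, bytes]]
PublicKey = List[Tuple[bytes, bytes]]


def H(data: bytes) -> bytes:
    """The only cryptographic primitive used anywhere in this scheme."""
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[SecretKey, PublicKey]:
    """Secret key: 256 pairs of random 32-byte values (16 KB).
    Public key: the SHA-256 hash of each value (also 16 KB)."""
    sk = [(os.urandom(HASH_LEN), os.urandom(HASH_LEN)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes) -> List[int]:
    """Hash the message and expand the digest into 256 individual bits (MSB first)."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk: SecretKey, msg: bytes) -> List[bytes]:
    """For each digest bit, reveal the matching half of the secret pair.
    The signature is 256 preimages of 32 bytes each: 8192 bytes in total."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk: PublicKey, msg: bytes, sig: List[bytes]) -> bool:
    """Recompute the digest and check that every revealed value hashes to the
    public-key entry selected by that bit. All positions are checked; there is
    no early exit, so timing does not leak which position failed."""
    if len(sig) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(message_bits(msg)):
        if not hmac.compare_digest(H(sig[i]), pk[i][bit]):
            ok = False
    return ok


def signature_size(sig: List[bytes]) -> int:
    """Total bytes in a signature (8192 for SHA-256 Lamport)."""
    return sum(len(part) for part in sig)


def exposed_positions(msg1: bytes, msg2: bytes) -> int:
    """Number of digest positions where signing both messages with one key would
    reveal BOTH secrets of the pair, i.e. positions where the digests differ.
    Any such position lets a forger pick either bit value there, which is why a
    Lamport key must never sign twice and why SLH-DSA bundles many one-time keys."""
    b1, b2 = message_bits(msg1), message_bits(msg2)
    return sum(1 for x, y in zip(b1, b2) if x != y)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample transaction"          # constructed input
    sig = sign(sk, msg)
    print("verifies:", verify(pk, msg, sig))
    print("signature bytes:", signature_size(sig))
    print("positions exposed by a second signature:",
          exposed_positions(msg, b"a different transaction"))
```

Run it and the verification succeeds, the signature is reported as 8192 bytes, and the second-signature check shows that roughly half of the 256 secret pairs would be fully exposed by key reuse. Compare that 8 KB with the 64-byte ECDSA signatures Bitcoin uses today to see why the article treats size as the price of the hash-based family's simplicity.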
The MPC gap: “The most underappreciated risk”
Guillemet saved the sharpest warning for last. There is, he said, a critical challenge that neither signature family handles well: multi-party computation (MPC) and threshold signatures. MPC is the cryptographic technique used by custody providers like Fireblocks, Safeheron, and many institutional wallet setups, where a private key is split across multiple parties so no single entity can sign alone.
The problem, Guillemet explained, is structural. ML-DSA’s rejection sampling makes secret-shared signing awkward, since intermediate values need to be kept hidden until rejection checks are complete, creating costly coordination overhead between parties. SLH-DSA, meanwhile, is fundamentally built around a single signer with full state, making it almost incompatible with distributed signing by design.
His verdict: for an industry whose security model rests on MPC custody, that gap may be the most underappreciated risk of the entire PQC transition.
The broader context
Guillemet’s analysis lands in the middle of the most aggressive PQC push the crypto industry has seen. Coinbase CEO Brian Armstrong called the quantum threat “urgent” earlier this month and announced he would begin spending time on it personally.
Binance co-founder Changpeng Zhao downplayed the risk but flagged execution challenges like forks and wallet migrations. Ripple has committed to full post-quantum readiness on the XRP Ledger by 2028, while Bitcoin is rehearsing its transition through BIP-360, now live on its own testnet.
Interestingly, Ledger itself has publicly backed ML-DSA for its own hardware wallet implementation, citing better performance, better hardware support, and alignment with global standards. Guillemet’s post is not a contradiction of that position, but an honest mapping of where the rest of the blockchain world is landing, and the trust gap he says is eroding faster than the industry is willing to admit.
Whichever family wins, the clock is no longer theoretical. Deprecation starts in 2030. Disallowance in 2035. And as Guillemet put it, trust has already started to erode, and what is missing is urgency.