The arrival of powerful quantum computers has gone from speculative to increasingly plausible, prompting serious concern across financial services and the wider cryptographic world.
While many predictions remain speculative at this stage, the potential implications are significant. Customers are rightly asking: How is Xapo Bank preparing for this?
Let’s unpack how we’re securing your Bitcoin and data against potential future threats, and why this matters even today.
Why quantum computing matters to Bitcoin and banking
Quantum computers may one day be able to break widely used cryptographic algorithms: particularly those based on elliptic curves, like the ones securing Bitcoin and many internet communications.
In practice, that could mean:
Encrypted data intercepted today could be stored and decrypted years later – a threat known as Harvest Now, Decrypt Later.
Bitcoin public keys exposed on the blockchain could potentially be used to steal coins once quantum capabilities are strong enough.
Financial institutions may face systemic vulnerabilities in transaction signing, identity verification, and data protection.
Governments, including the US and UK, now expect these threats to become tangible within a decade – prompting global regulatory guidance and post-quantum cryptography (PQC) transition planning.
What Xapo Bank is doing today
At Xapo Bank, we take these risks seriously – well before they become urgent.
1. Bitcoin security: quantum-resilient custody
We protect your Bitcoin using a Multi-Party Computation (MPC) framework – specifically, MPC-CMP – which replaces the concept of a single private key with secure key shares distributed across independent nodes. This design:
Never creates a full private key in one place at any point in time.
Eliminates single points of failure – physical, insider, or cryptographic.
Reduces on-chain exposure of key material, aligning with Bitcoin best practices on minimising address reuse.
Offers built-in protection against common attack vectors that could be amplified by quantum threats.
This architecture, already used by leading financial institutions, is widely seen as inherently more resistant to quantum attacks than traditional hot or cold wallet models – particularly multi-signature wallets, where public keys are often exposed prematurely on-chain.
We also closely monitor and support community-level upgrades to the Bitcoin protocol, such as proposals for quantum-safe signature schemes (e.g. Lamport-based BIP-340 variants or hybrid approaches), and will adopt proven implementations as they mature.
2. Data security: strong encryption, actively updated
Our infrastructure uses industry-standard encryption, notably AES (Advanced Encryption Standard), which is currently considered secure against both classical and near-term quantum attacks.
We actively track developments from the NIST Post-Quantum Cryptography Standardization Project, and are preparing to adopt leading candidates such as:
ML-KEM (based on Kyber) for key encapsulation.
ML-DSA (based on Dilithium) for digital signatures.
These algorithms are designed to withstand known quantum attacks and are being integrated into migration-ready systems across our technology stack.
3. Layered defence: reduce all attack surface
Quantum resilience doesn’t just come from stronger algorithms. It’s also about hardening the rest of the infrastructure. That includes:
Strong access controls, privilege separation, and zero-trust architecture.
Regular patching and upgrade cycles to avoid legacy cryptographic dependencies.
Ongoing training and internal security awareness.
Fully segregated environments with strict runtime policies.
Red team and threat modelling exercises considering known post-quantum vectors.
Continuous staff education on evolving threat landscapes.
Even in a world with Cryptographically Relevant Quantum Computers (CRQCs), attackers would still face a deeply segregated, monitored, and hardened environment before they could even attempt a cryptographic breach.
Why we’re acting now – even before quantum computers arrive
A fair question from some customers has been: “Quantum computers aren’t here yet – why worry now?”
Because the risks start today. If someone captures your encrypted traffic or records blockchain data now, they could decrypt or exploit it years later when quantum capabilities mature. That’s why the “Harvest Now, Decrypt Later” model is so potent – and why our defence must be proactive, not reactive.
Industry standards and regulatory alignment
We’re not alone in this. In January 2025, the Bank of Israel issued a directive calling on financial institutions to:
Map and classify all encrypted data assets.
Monitor cryptographic dependencies across vendors and partners.
Prepare for post-quantum migration and implement lifecycle plans.
This follows global momentum, including guidance from NIST, the UK NCSC, and others. At Xapo Bank, we are:
Conducting a full cryptographic asset inventory.
Designing hybrid cryptographic approaches for key systems.
Testing post-quantum algorithms in sandboxed environments.
Working with vendors to assess and upgrade their quantum readiness.
Developing policy-based controls to enable smooth PQC migration.
Looking ahead: from readiness to resilience
While timelines vary, many experts expect Cryptographically Relevant Quantum Computers (CRQCs) by 2030–2035. Some projections suggest it could come sooner.
We’re planning accordingly:
Short-term: Adopt hybrid encryption methods when possible and maintain address hygiene and MPC-based custody.
Mid-term: Transition key systems to NIST-approved PQC algorithms, as well as retire or phase out non-quantum-resilient protocols.
Long-term: Actively support ecosystem-wide Bitcoin migration paths, including future protocol upgrades if consensus emerges and when necessary, re-architect affected systems and governance models to ensure long-term safety.
Final thoughts
Quantum computing is an emerging threat, but not a guaranteed crisis. It’s one of many risks we prepare for to protect your Bitcoin and your data.
At Xapo Bank, we combine MPC-based custody, layered defences, and early adoption of post-quantum standards to give our members confidence not just today, but for the decades to come.
We don’t wait for threats to become urgent. We act now, because your trust depends on it.
Have more questions? We're always here to answer them.
