David Carvalho, the Founder and CEO of Naoris Protocol, reveals that state actors are already gearing up to exploit quantum computing for attacks.
Summary
- David Carvalho from Naoris Protocol discusses the quantum computing threat to financial systems
- The SEC has recently raised concerns about this technology’s risks
- State actors are actively collecting data that quantum computers could eventually breach
The threat posed by quantum computing is no longer just a hypothesis. State actors worldwide are positioning themselves to use this technology to easily undermine traditional security protocols and blockchains, jeopardizing the financial systems of their competitors.
The risk is so pronounced that the Securities and Exchange Commission has released a report highlighting its potential impacts. One of the projects cited in the report is the Naoris Protocol, a cybersecurity framework that employs “post-quantum blockchain” technology and distributed AI. Its founder and CEO, David Carvalho, shared insights with crypto.news about the necessary steps the industry must undertake to confront this challenge.
crypto.news: When do you anticipate the emergence of the first cryptographically relevant quantum computer? What risks does this pose to digital security?
David Carvalho: Anyone claiming to know the exact timing is either speculating or promoting something. Credible estimates suggest it could emerge in the next decade, though regulators are focusing on 2028 for mandatory quantum resilience. The concerning factor isn’t the timeline—it’s the duration of the migration process. Many assume that updating the algorithm is straightforward, but we’re actually discussing a complete overhaul of the digital trust framework: PKI, HSMs, code signing, TLS, VPNs, blockchains, banking infrastructures—the entire ecosystem. This requires extensive engineering, testing, and coordination. Once a cryptographically significant quantum computer exists, all mechanisms safeguarding digital identity, finances, and software integrity will be at risk. This can lead to entity impersonation, transaction forgery, and compromised digital updates.
CN: What specific risks does quantum computing present to blockchain networks?
DC: Blockchains are especially susceptible, as most rely on ECDSA or EdDSA for signatures, which Shor’s algorithm would easily dismantle when quantum computers become available. Private keys can be exposed, wallets compromised, validators impersonated, and bridges hijacked. The issue of address reuse further heightens this risk—once a public key is made known, that address becomes a target in a post-quantum landscape. Bitcoin UTXOs are particularly vulnerable. Bridges and MPC-based custody solutions that seem decentralized often rely on classical cryptography, creating single points of failure. If validator identities can be forged, attackers do not need 51% control of the stake or hashpower; they can merely impersonate legitimate parties accepted by the system.
CN: The PQFIF report indicates that only about 3% of banks currently support post-quantum computing. How possible is it for institutions to adapt legacy systems to post-quantum protocols?
DC: It can be achieved through layered, gradual adoption. Modern post-quantum solutions can function as overlays—essentially decentralized trust frameworks built atop existing infrastructures. These systems validate devices, applications, keys, and data flows without necessitating complete rewrites of the technology stack, making the transition more feasible for organizations with extensive legacy systems.
CN: How at risk are blockchain and custody systems to Harvest-Now-Decrypt-Later (HNDL) attacks? Are state actors accumulating encrypted blockchain data?
DC: HNDL is certainly real and currently occurring. The strategy entails gathering encrypted communications, keys at rest, backup files, and signed data for future decryption. While on-chain data remains public, custody logs, wallet backups, encrypted API traffic, and internal server communications represent high-value targets. Nation-states possessing sufficient resources and patience are likely amassing this data.
CN: If Q-Day were to arrive tomorrow, what would transpire for Bitcoin, Ethereum, and the banking system?
DC: The timeline is somewhat irrelevant because Harvest-Now-Decrypt-Later attacks are already in motion. Hostile governments and cybercriminals are accumulating encrypted data—including medical records, financial transactions, classified intelligence, and private communications—believing that quantum computers will eventually crack it.
If Q-Day occurred tomorrow, Bitcoin and Ethereum could face selective theft targeting anything associated with exposed public keys. We might witness chain reorganizations, forged validator identities, and exchanges halting withdrawals for verification. The DeFi sector would enter crisis mode. Banks could encounter PKI failures leading to widespread revocation issues, TLS session disruptions, and gateway connection losses. While it wouldn’t be apocalyptic, it would result in weeks of significant disruption.
CN: Are there ongoing efforts to collaborate with U.S. regulators or working groups regarding quantum computing threats?
DC: There is ongoing participation in public policy and standards dialogues surrounding crypto agility and decentralized assurance. The quantum-resistant blockchain sector has gained recognition within regulatory frameworks—an independent analyst’s submission to the SEC referenced post-quantum blockchain protocols as potential models for safeguarding digital assets against quantum risks, marking the first time blockchain protocols have been acknowledged in this context for the protection of trillions in digital assets.
The industry has also been showcased at significant events like the 1640 Society Family Office Wealth Forum and the Volcano Innovation Summit, where discussions revolved around how quantum-resistant blockchains and distributed security can protect valuable digital assets and critical infrastructure amid rising cyber risks.
CN: In what ways does decentralized cybersecurity differ from traditional validator networks?
DC: The core distinction lies in what gets validated. Conventional validators only confirm transactions, assuming the devices and code executing them are trustworthy—this represents a considerable blind spot. Advanced methodologies validate the environment itself: devices, software, identities, and data streams before they are allowed to transact. This establishes a trust mesh that continually attests to endpoints utilizing post-quantum cryptography and distributed AI. Each successful validation is cryptographically logged, offering forensic proof-of-trust embedded in the blockchain. Essentially, traditional blockchains validate conditions; next-generation systems validate the legitimacy of the entities creating those conditions.
CN: What trends in quantum or cryptography are experts often underestimating?
DC: The emphasis on algorithms tends to overshadow the true challenges: migration complexity, including key management, certificate lifecycles, and HSM upgrades. There is also a significant underestimation of the duration of the hybrid phase—we will likely be running post-quantum and classical systems alongside each other for decades, necessitating careful operational strategies. PQC alone won’t ensure security if endpoints are compromised; ongoing validation of devices, software, and data flows is critical. Looking ahead, AI and quantum computing are converging, and quantum-trained AI agents will eventually operate faster than human responses, fundamentally altering the threat landscape.
