Banks buying Bitcoin vaults face quantum-era custody challenge
BNY Mellon and Standard Chartered expand Bitcoin and Ethereum custody as a Taurus report warns MPC and other custody models may be vulnerable to future quantum computers.
BNY Mellon and Standard Chartered are moving deeper into crypto custody as questions grow about how to protect keys against future quantum computers. BNY Mellon, which oversees about $59.4 trillion in assets under custody and administration, said in May it will offer Bitcoin and Ethereum custody in Abu Dhabi. Standard Chartered confirmed plans to acquire Zodia Custody, with the deal expected to close by the end of August.
Custodians store the private keys that control Bitcoin and Ethereum and use those keys to produce digital signatures that authorize transactions. Whoever controls a private key can move the assets. Two main custody architectures are in wide use. Multi-party computation (MPC) splits a private key into fragments across multiple machines so the full key never exists in one place. Hardware security modules (HSMs) keep the private key inside a single tamper-resistant device.
A report from Swiss firm Taurus warns that those architectures will adapt differently when blockchains adopt post-quantum signature schemes. The report highlights that blockchains accept only signature formats they recognize. A custodian can deploy post-quantum signing inside its own systems, but a transaction using a new signature family will be rejected by nodes until the network completes a coordinated protocol upgrade.
National Institute of Standards and Technology standards published in August 2024 and guidance in IR 8547 set a migration timetable: current signature schemes are deprecated after 2030 and should be disallowed after 2035. Taurus notes that migrating a blockchain’s signature rules requires protocol upgrades, wallet updates and broad user migration, and cites proposals such as Bitcoin Improvement Proposal 360 and ongoing post-quantum research for Ethereum.
On the technical threat, the report restates that a large quantum computer running Shor’s algorithm could, in principle, derive private keys from public keys and forge transactions. Current quantum devices have on the order of 100 qubits, while many estimates put a cryptographically relevant machine at hundreds of thousands of qubits. Taurus observes that a capable attack machine appears unlikely before 2040 on current evidence, but notes the standards timeline creates an industry schedule for migration.
Taurus draws a distinction between HSMs and MPC for post-quantum readiness. The report says top HSM vendors already run post-quantum signature algorithms in firmware, so adding support typically involves a firmware update. MPC, the report states, requires new multiparty protocols for each signature family so multiple parties can compute a signature without reconstructing the key. It notes that lattice-based multiparty signing protocols appeared in 2025–2026 and remain unproven for production use.
The report also argues that hash-based signature families present mathematical obstacles for MPC because hash functions remove structure that multiparty protocols exploit. The report cites ongoing interest in hash-based schemes: Circle’s Arc roadmap and a proposal from Aptos select SLH-DSA-SHA2-128 for certain account use cases, and Ethereum researchers are evaluating hash-based options. Taurus gives an example of signature sizes: about 7,856 bytes for one hash-based scheme versus 64 bytes for current standards.
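To illustrate the structural point in the two paragraphs above, the following added example (not taken from the Taurus report or any custody vendor) uses a toy Schnorr-style signature over a small constructed group: two additive key shares produce partial signatures that sum to a valid signature, while hashing the shares leaves nothing comparable to combine. The group parameters, the function names and the single-hash stand-in for a hash-based scheme are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def split_key(x):
    """Additively share x mod Q between two parties."""
    x1 = secrets.randbelow(Q)
    return x1, (x - x1) % Q

def two_party_sign(x1, x2, msg):
    """Each line touching x1 or x2 runs on that party's machine; x1 + x2 is never formed."""
    X = pow(G, x1, P) * pow(G, x2, P) % P          # joint public key from public shares
    k1 = 1 + secrets.randbelow(Q - 1)              # party 1 nonce
    k2 = 1 + secrets.randbelow(Q - 1)              # party 2 nonce
    R = pow(G, k1, P) * pow(G, k2, P) % P          # combined public nonce
    e = challenge(R, X, msg)
    s1 = (k1 + e * x1) % Q                         # partial signature, party 1
    s2 = (k2 + e * x2) % Q                         # partial signature, party 2
    return R, (s1 + s2) % Q                        # linearity: the partials simply add

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P

def hash_leaf(secret):
    """Simplified stand-in: hash-based schemes publish values of the form H(secret)."""
    digest = hashlib.sha256(secret.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big")

def hash_shares_combine(x1, x2):
    """True only if H(x1 + x2) could be rebuilt from H(x1) and H(x2) by adding or XORing."""
    whole = hash_leaf((x1 + x2) % Q)
    h1, h2 = hash_leaf(x1), hash_leaf(x2)
    return whole in (h1 + h2, h1 ^ h2)
```

The signing equation is linear in the key, so shares of the key become shares of the signature. A hash has no such relation between inputs and outputs, which is why computing it over a split secret needs generic, far more expensive multiparty techniques.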
Taurus prepared the report independently and discloses a commercial interest; the firm lists Deutsche Bank among its backers. The report’s technical claims have not been universally validated by outside cryptographers and custody vendors. Vendors that use MPC say they could adapt to different post-quantum signature families if standards diverge.
The report lists operational steps institutions and service providers may need when networks migrate: rotating wallets, generating new addresses, obtaining client approvals, adjusting insurance and audit processes, and managing temporary pauses across institutional systems. It also flags a “harvest-now, decrypt-later” risk in which encrypted data captured today could be decrypted once quantum capability exists. The report adds an observation that a quantum computer capable of breaking blockchain signatures would likely be directed at higher-value national targets, which could cause market disruption before any theft could be exploited.