On 1 June 2026, Citi published a base-case forecast that the tokenised securities market will reach US$5.5 trillion dollars by 2030, up from roughly US$17 billion today, with a range of US$2.7 trillion to US$8.2 trillion depending on adoption speed. The report, Tokenization 2030: Wall Street On-Chain, models adoption, settlement, and policy. It does not model the security of the cryptographic layer that every tokenised security depends on. That omission is the variable institutions should be pricing now.
Inside Citi's Tokenisation 2030 Forecast
The $5.5 trillion projection is based on three of Citi's driving factors
The Depository Trust and Clearing Corporation is planning limited production of tokenised securities for July with a more extensive launch planned for October. Both Nasdaq and the parent company of the New York Stock Exchange have plans for tokenised equities. Additionally, stablecoins are expected to increase to a market of US$1.9 trillion, which is estimated by Citi to add up to US$1 trillion of new demand on US Treasuries. In May, a Digital Asset legislation bill from the US passed through the Senate with a 15 - 9 bipartisan vote.
All of the current infrastructures rely on standard public key cryptography, that is, RSA and elliptic-curve that secure signatures and key exchange on the internet. If the future integrity of the forecast holds, those schemes must remain secure for the long-term beyond 2030 as well. A tokenized instrument is as good as the security of the cryptography that defines who owns it.
The Quantum Computing Threat to Blockchain Settlement
Harvest now, decrypt later (HNDL)
Security agencies and standards bodies describe a threat pattern known as harvest-now, decrypt-later (HNDL). An adversary captures encrypted data today and stores it, waiting to decrypt it once a cryptographically relevant quantum computer becomes available. The data does not need to be readable now to be worth stealing now.
Why tokenised assets are the prime target
Citi's forecast of a US$5.5 trillion tokenised securities market by 2030 signals that tokenisation is evolving from a capital markets innovation into a foundational layer of financial infrastructure. As securities, treasury instruments, funds, and other regulated assets increasingly move on-chain, ownership, settlement, collateral management, and governance become increasingly dependent on the integrity of the underlying cryptographic systems.
This is why tokenised assets are emerging as a prime target for Harvest Now, Decrypt Later (HNDL) attacks. Unlike traditional data that may lose relevance over time, tokenised assets often carry economic, legal, and regulatory significance for decades. Adversaries can collect encrypted transaction data, ownership records, and cryptographic signatures today with the expectation that future quantum computing capabilities may compromise the cryptographic foundations securing these assets. As the tokenised economy scales from billions to trillions of dollars, post-quantum readiness becomes increasingly important for preserving long-term trust, ownership certainty, and market integrity across digital asset markets.
In plain terms
- Tokenised security: a stock, bond, or fund recorded and traded on a blockchain.
- Post-quantum cryptography (PQC): encryption built to resist attack from quantum computers.
- Crypto-agility: the ability to swap the cryptography a system uses without rebuilding the system.
On-chain Asset Security After NIST's PQC Standards
The challenge is no longer whether post-quantum cryptography should be adopted. In August 2024, the US National Institute of Standards and Technology (NIST) finalised its first three post-quantum cryptography standards, establishing the baseline for government and enterprise migration programmes worldwide. The question now is how financial infrastructure should be designed to accommodate a cryptographic landscape that will continue evolving through the 2030s.
This introduces a second challenge beyond quantum resistance: cryptographic agility. A protocol that hard-codes a single post-quantum primitive as a permanent assumption may eventually face a disruptive migration when standards evolve. For financial market infrastructure, the ability to adapt cryptographic systems over time may prove just as important as the choice of algorithm itself.
In plain terms
- FIPS 203 (ML-KEM) — key encapsulation. Finalised August 2024.
- FIPS 204 (ML-DSA) — primary digital signatures. Finalised August 2024.
- FIPS 205 (SLH-DSA) — hash-based signatures. Finalised August 2024.
- HQC — additional key-encapsulation algorithm, selected March 2025.
- FIPS 206 (from FALCON) — in development.
Crypto-Agility in Financial Markets
What does crypto-agility means?
Crypto-agility is the ability to replace cryptographic primitives without re-architecting the system that relies on them. It is the difference between rotating a key and rebuilding a bank.
For on-chain asset security, post-quantum cryptography adoption is necessary but not sufficient. The property that matters over a multi-decade horizon is whether a network can transition to future cryptographic standards without disrupting ownership records, settlement processes, or market operations.
A US$5.5 trillion market cannot depend on a fixed cryptographic assumption
Citi's forecast assumes tokenised securities become a permanent part of financial market infrastructure. Yet many blockchain systems are built around cryptographic assumptions that were never designed to survive multiple generations of security standards.
As tokenised markets scale, cryptography shifts from a technical consideration to a market infrastructure dependency. The ability to evolve cryptographic standards without interrupting settlement, ownership, or custody may become as important as the security of the underlying algorithm itself.
The distinction is important because post-quantum readiness is often treated as an algorithm selection exercise. In practice, institutions are managing a much broader infrastructure challenge. The objective is not simply to deploy a quantum-resistant signature scheme, but to ensure that cryptographic standards can evolve without disrupting settlement, custody, or ownership records as tokenised markets continue to scale.
The table below sets the two approaches side by side.
| Dimension | Conventional Cryptography | Post-Quantum, Crypto-Agile Design |
|---|---|---|
| Security Foundation | RSA, ECDSA | ML-DSA, SLH-DSA, and future PQC standards |
| Quantum Resilience | Vulnerable to Shor's algorithm on a sufficiently capable quantum computer | Designed against known quantum attack methods |
| Cryptographic Upgrades | Requires protocol redesign or large-scale migration | Cryptography can be rotated without rebuilding the system |
| Migration Approach | Forced, network-wide transition | Planned, incremental transition |
| Operational Risk | Higher risk of disruption during migration | Lower disruption during cryptographic upgrades |
| Settlement Continuity | Settlement and custody operations may be affected during migration | Settlement continues throughout cryptographic rotation |
| Long-Term Adaptability | Dependent on a fixed cryptographic assumption | Designed to evolve as standards and threats change |
Estimate your own exposure
For tokenised assets, the key variable is time. Every asset has a security horizon: the period during which ownership records, transaction histories, and settlement data must remain trustworthy and legally enforceable. The longer that horizon extends, the greater the importance of the cryptographic systems protecting it.
The challenge is that quantum risk and asset maturity operate on different timelines. A tokenised Treasury bill may exist for months, while a bond, fund, or real estate instrument may require decades of integrity. Use the calculator below to estimate the gap between an asset's required security lifetime and the projected quantum risk window. The larger the gap, the greater the exposure to Harvest Now, Decrypt Later risk.
Building Quantum-Resistant Tokenised Assets in Southeast Asia
MAS Project Guardian and the production timeline
The institutions in Citi's forecast are already building these rails in this region. Citi, HSBC, Standard Chartered and other banks participate in the Monetary Authority of Singapore's Project Guardian and have formed the Guardian Wholesale Network to commercialise tokenised assets across fixed income and asset management. Tokenised settlement in Asia is moving from trial to production on the same timeline as the global forecast.
Malaysia's Capital Market Masterplan and Shariah-compliant tokenisation
Malaysia has set the same direction. The Securities Commission named securities tokenisation as a priority in its Capital Market Masterplan 2026 to 2030, which targets a market size of RM5.8 to RM6.3 trillion by 2030, against a longer 2045 vision that reaches RM20 trillion. The masterplan leans on Malaysia's Islamic capital market strength, which makes Shariah-compliant tokenisation a route to market access rather than a compliance step. Infrastructure built in this region, for this horizon, should treat the post-quantum transition as a design constraint from the first line of the protocol.
What Infrastructure Designed For This Future Looks Like
The common thread across Citi's forecast, Project Guardian, and Malaysia's Capital Market Masterplan is that tokenisation is increasingly becoming a core financial infrastructure in today's economy. As more value moves on-chain, the requirements placed on the underlying networks begin to resemble those of traditional market infrastructure: long-term security, settlement reliability, regulatory adaptability, and operational continuity.
From that perspective, post-quantum cryptography and crypto-agility are the infrastructure requirements. The ability to evolve cryptographic standards without disrupting ownership records, settlement flows, or custody operations may become an important characteristic of any network expected to support tokenised assets and liquidity movements over multi-decade time horizons.
e23 Protocol: A Crypto-Agile Layer-1 Blockchain Designed For The Post-Quantum Era
The implications extend beyond individual assets. If tokenisation is to become a foundational layer of financial infrastructure, then the networks supporting issuance, settlement, custody, and ownership must be designed for cryptographic change from the outset.
e23 Protocol is a sovereign Layer-1 network designed around post-quantum cryptography and crypto-agility at the protocol layer. Aligned with emerging NIST standards, the network supports stablecoin settlement, real-world asset tokenisation, and on-chain execution while enabling cryptographic primitives to evolve without requiring a network rebuild.
Frequently Asked Questions (FAQ)
What is post-quantum cryptography?
Post-Quantum Cryptography (PQC) refers to a new generation of cryptographic algorithms designed to remain secure against both classical and quantum computers. As quantum computing advances, widely used cryptographic standards such as RSA and elliptic curve cryptography (ECC) are expected to become vulnerable, creating the need for cryptographic systems capable of protecting financial infrastructure, digital assets, and sensitive data in a post-quantum world.
What does crypto-agility mean?
Cryptographic agility, or crypto-agility, is the ability of a system to adopt, upgrade, or replace cryptographic algorithms without disrupting the applications and infrastructure that depend on them. Rather than treating cryptography as a fixed assumption, a crypto-agile design enables security standards to evolve over time while maintaining operational continuity.
Why are tokenised assets vulnerable to HNDL attacks?
Tokenised assets often represent long-lived financial instruments such as securities, bonds, funds, and real estate. Ownership records, settlement data, and transaction histories may need to remain trustworthy for decades, making them attractive targets for adversaries seeking to exploit future quantum computing capabilities.
Has NIST finalised post-quantum cryptography standards?
Yes. In August 2024, NIST finalised its first three post-quantum cryptography standards:
- FIPS 203 (ML-KEM)
- FIPS 204 (ML-DSA)
- FIPS 205 (SLH-DSA)
Additional standards and algorithms continue to be evaluated and developed.
Why is crypto-agility important for financial infrastructure?
Financial infrastructure often operates over multi-decade time horizons. As cryptographic standards continue to evolve, institutions need systems capable of transitioning to new algorithms without disrupting settlement, custody, ownership records, or regulatory operations.
Are Bitcoin and Ethereum vulnerable to quantum computing?
Bitcoin and Ethereum currently rely on elliptic curve cryptography for digital signatures. A sufficiently capable quantum computer could theoretically compromise exposed public keys and digital signatures. Both ecosystems are actively researching post-quantum migration strategies, although no industry-wide transition has yet occurred.
Is post-quantum cryptography already available today?
Yes. NIST-standardised algorithms such as ML-KEM, ML-DSA, and SLH-DSA are available today, and many technology providers have begun integrating them into products, protocols, and security frameworks.
What is a crypto-agile blockchain?
A crypto-agile blockchain is designed to support changes to its underlying cryptographic primitives without requiring a complete protocol rebuild. This allows the network to adapt to future security standards while maintaining continuity for applications, digital assets, and settlement systems operating on the blockchain.