Bitcoin and Quantum Computing

The threat, the timeline, and what Bitcoin holders should know


The Quantum Threat: What's Actually at Risk

Bitcoin's security relies on cryptographic algorithms that are computationally infeasible to break with today's computers. Quantum computers could potentially change that equation, but the reality is more nuanced than headlines suggest.

Bitcoin's Two Cryptographic Pillars

Technology                 | What it does                                              | Quantum risk
ECDSA/Schnorr signatures   | Prove ownership of Bitcoin via public/private key pairs   | Higher risk
SHA-256 hashing            | Mining, addresses, transaction verification               | Lower risk

The Signature Vulnerability

Bitcoin uses elliptic curve cryptography (ECDSA) for digital signatures. When you spend Bitcoin, you reveal your public key on the blockchain. A sufficiently powerful quantum computer running Shor's algorithm could theoretically derive your private key from that public key, allowing theft of any remaining funds.

The Hash Function Question

SHA-256 (used for mining and addresses) is more resistant. Grover's algorithm offers only a quadratic speedup, roughly halving the effective security level (256-bit to 128-bit), which is still extremely difficult to crack. Most researchers believe mining remains safe from quantum threats for the foreseeable future.

Key Distinction

The main threat is to exposed public keys (signature vulnerability), not to the mining/consensus mechanism. Bitcoin could theoretically continue working even if some addresses were compromised.

What's Actually at Risk

Not all Bitcoin is equally vulnerable. The risk depends on whether public keys have been exposed:

  • 6.51M BTC: vulnerable if a CRQC arrived today
  • ~33%: of circulating supply
  • 1.87M BTC: structurally exposed (cannot be fixed without a protocol change)

The headline number is misleading without the breakdown. Of the 6.51M BTC currently vulnerable, only roughly 1.87M is structurally exposed (mostly P2PK outputs from Satoshi-era mining rewards, where public keys are visible by protocol design). The remaining 4.49M is at risk through address reuse: balances sitting at addresses that have already broadcast a spending transaction and therefore already revealed their public key. Address-reuse exposure can be defended against today with no protocol change, just key rotation and operational discipline. Cold wallets of major exchanges (Binance, Robinhood, Bitfinex) top the reused-address list precisely because they kept reusing the same address for operational convenience.

Bitcoin vulnerable-set breakdown: 6.51M BTC at risk if a CRQC arrived today (May 2026)

  • Address reuse: 4.49M BTC. Fixable WITHOUT a protocol change via key rotation; the exchanges Binance, Robinhood and Bitfinex top this list.
  • P2PK (inherent): 1.72M BTC. Satoshi-era mining rewards; public keys visible by design; requires protocol-level intervention.
  • P2TR + P2MS: 0.15M BTC. Small additional inherent exposure from Taproot key-path spends and multisig.
  • BCH fork: 0.15M BTC. Bitcoin Cash fork copies; the same exposure is inherited.

Source: Presidio Bitcoin via Four Pillars, May 2026

Most Vulnerable

  • Pay-to-Public-Key (P2PK) addresses: Bitcoin's earliest format, with the public key directly visible. Includes Satoshi's ~1M coins.
  • Reused addresses: any address that has sent a transaction has revealed its public key.
  • Taproot addresses: expose public keys by design (though stealing from them still requires a quantum attack).
  • Large exchange cold wallets: some have exposed public keys through past transactions.

More Secure

  • Pay-to-Public-Key-Hash (P2PKH): standard addresses where the public key is hashed; it is only revealed when spending.
  • Addresses never used for sending: public key never exposed.

Satoshi's Coins

Satoshi Nakamoto's estimated 1 million BTC sit in early P2PK addresses, the most vulnerable format. These coins cannot be retroactively secured without moving them, which Satoshi apparently can't or won't do. A quantum attacker could theoretically steal them.
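The "Most Vulnerable" versus "More Secure" split above comes down to one observable fact per address: has its public key appeared on-chain yet? The following audit script is an added example (not code from the original page) that replays a constructed transaction history and classifies every remaining balance as inherently exposed (P2PK, P2TR), exposed through address reuse (a hash-based address that has already signed a spend), or still hidden behind its hash. The transaction IDs, addresses and amounts are hypothetical; the script-type names follow the text.

```python
"""Address-reuse exposure audit over a constructed transaction history.

Exposure rules follow the classification in the text:
  - P2PK and P2TR outputs expose the public key by design ("inherent").
  - Hash-based outputs (P2PKH, P2WPKH) expose the key only once the address
    has signed a spend; any balance still sitting there is "address-reuse".
Amounts are integer satoshis to avoid floating-point rounding.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INHERENTLY_EXPOSED = {"P2PK", "P2TR"}


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]            # outpoints (txid, vout) consumed by this tx
    outputs: List[Tuple[str, str, int]]      # (address, script_type, satoshis) created


def audit(txs: List[Tx]) -> Dict[str, dict]:
    """Replay txs in order; return per-address balance and exposure reason."""
    utxos: Dict[Tuple[str, int], Tuple[str, str, int]] = {}
    spent_from = set()                       # addresses that have signed at least one input
    for tx in txs:
        for outpoint in tx.inputs:
            if outpoint not in utxos:
                raise ValueError(f"{tx.txid} spends unknown or already-spent output {outpoint}")
            addr, _, _ = utxos.pop(outpoint)
            spent_from.add(addr)             # signing revealed this address's public key
        for vout, (addr, stype, sats) in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = (addr, stype, sats)

    report: Dict[str, dict] = {}
    for addr, stype, sats in utxos.values():
        if stype in INHERENTLY_EXPOSED:
            reason: Optional[str] = "inherent"
        elif addr in spent_from:
            reason = "address-reuse"
        else:
            reason = None                    # key still hidden behind its hash
        entry = report.setdefault(addr, {"script_type": stype, "balance": 0, "exposure": reason})
        entry["balance"] += sats
    return report


def exposure_totals(report: Dict[str, dict]) -> Dict[str, int]:
    """Sum balances by exposure class: inherent, address-reuse, safe."""
    totals = {"inherent": 0, "address-reuse": 0, "safe": 0}
    for entry in report.values():
        totals[entry["exposure"] or "safe"] += entry["balance"]
    return totals


BTC = 100_000_000

# Constructed sample history (hypothetical txids and addresses, not real chain data).
SAMPLE_TXS = [
    Tx("cb1", [], [("pk_A", "P2PK", 50 * BTC)]),                 # early-style coinbase paid to a bare pubkey
    Tx("t1", [], [("addr_B", "P2PKH", 3 * BTC),                  # constructed funding, treated as external
                  ("addr_C", "P2PKH", 2 * BTC),
                  ("tr_D", "P2TR", 1 * BTC)]),
    Tx("t2", [("t1", 0)], [("addr_E", "P2PKH", 1 * BTC),         # addr_B signs a spend...
                           ("addr_B", "P2PKH", 2 * BTC)]),       # ...and receives change back (reuse)
]

REPORT = audit(SAMPLE_TXS)

if __name__ == "__main__":
    for addr, entry in sorted(REPORT.items()):
        print(f"{addr:8} {entry['script_type']:6} {entry['balance'] / BTC:6.2f} BTC  "
              f"{entry['exposure'] or 'safe'}")
    print(exposure_totals(REPORT))
```

The interesting row is addr_B: its 2 BTC of change is flagged as address-reuse because the same address signed the spend in t2, which is exactly the pattern the "don't reuse addresses" advice prevents. Running the same replay over a wallet's real history (with a proper chain parser in place of the constructed list) gives the defender's view of how much value is sitting behind an already-revealed key.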

Timeline: When Could This Happen?

The critical question: when will quantum computers be powerful enough to break Bitcoin's cryptography?

Current state and the 1/20 trajectory (May 2026 update)

Today's most advanced quantum processors include Google's Willow (105 qubits) and IBM's Heron (156 qubits). What matters more than the absolute number is the trajectory of how much quantum hardware is needed to break ECDSA-256. That estimate has been falling sharply:

  • 2022 (Webber et al.): ~13 million physical qubits needed to break ECC-256.
  • March 31, 2026 (Google Quantum AI, "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities"): ~500,000 physical qubits (roughly 1,200 logical qubits) under specific fast-clock superconducting architecture + favorable error-rate assumptions. A 1/20 reduction in four years.

That reduction did not come from hardware qubit counts going up. It came from sharper algorithms, better circuit compilation, and stronger error-correction codes improving in parallel. The distance to a Cryptographically Relevant Quantum Computer (CRQC) closes from both sides: hardware capacity AND algorithm progress. The Google paper's specific operational claim is that an ECDSA-256 key recovery would take around 9 minutes under the modeled architecture, shorter than Bitcoin's average 10-minute block time. That window is what makes a short-range mempool-snipe attack theoretically possible once hardware reaches the threshold.

When does CRQC actually arrive? Where the forecasters land

No single number is reliable, but the directional signal across independent sources is consistent:

CRQC arrival probability: where the major forecasters land (May 2026)

  • GRI 2025 (15-year horizon): 60%. Global Risk Institute / evolutionQ expert survey; range 51-70%.
  • Kalshi (2035): 50%. Prediction market, per Citi Institute, January 2026.
  • Kalshi (2030): 39%. Same source, nearer-term horizon.
  • GRI 2025 (10-year horizon): 38%. Range 28-49%.

Source: Multiple, compiled by Four Pillars (May 2026)

Adding to the institutional picture: Germany's BSI revised its CRQC arrival estimate down to 10-15 years (from 20) in 2025, citing error-correction progress. BSI recommends a PQC migration target of 2032 for ordinary systems and 2030 for critical infrastructure. Google has committed to migrating its own infrastructure to post-quantum cryptography by 2029. Bernstein's April 2026 research note frames the Bitcoin upgrade as "manageable" specifically because the path is set now, estimating 3 to 5 years to upgrade Bitcoin's cryptographic defenses.

NIST's regulatory schedule

2030

NIST Deprecation Deadline (NIST IR 8547)

US federal systems must deprecate legacy public-key algorithms (RSA, ECDSA). The schedule applies to government systems, not blockchains, but it sets the regulatory tone.

2035

NIST Complete Disallowance

Legacy public-key cryptography fully disallowed for US federal systems. Migration must be complete.

The reframing that matters

Cryptography engineer Filippo Valsorda has reframed the question more usefully than any probability number does: "The point isn't 'are you 100% certain a CRQC will exist in 2030.' It's 'are you 100% certain a CRQC will not exist in 2030.'" What matters in security isn't the most likely scenario. It's the risks users cannot afford to absorb. Even if the modal forecast is "still far off," when migration takes years and the cost of failure is large, you cannot defer the response.

Treating 2030 to 2035 as the important preparation window is the reasonable read of the data above.

Qubit counts are not the answer

"500K qubits" doesn't immediately mean CRQC. What matters is not the physical qubit count, but whether enough logical qubits can compute with each other at low error rates, whether that state can be maintained for a meaningful duration, and whether the system can scale beyond a lab demonstration to actually operate. Track multiple benchmarks together: low-error operations between logical qubits, coherence times measured in minutes, and the spread of commercial systems beyond the lab.

Attack Scenarios

Long-Range Attack

An attacker with unlimited time could work through all addresses with exposed public keys, deriving private keys and stealing funds. This could be done secretly, stealing from dormant wallets first before moving to active ones.

The most valuable targets: Satoshi's coins, lost coins in old addresses, and inactive whale wallets.

Short-Range Attack

Even with limited quantum capability, an attacker could potentially intercept transactions in the ~10 minutes between broadcast and block inclusion. The attacker would derive the private key from the exposed public key, then broadcast a competing transaction (to themselves) with a higher fee.

This "transaction interception" attack is harder to carry out but potentially more devastating: it would undermine trust in the entire network.

Geopolitical Scenarios

The first cryptographically relevant quantum computer will likely belong to a nation-state. Scenarios include:

  • Hostile actor: steals vulnerable coins, causes chaos, potentially collapses Bitcoin.
  • Benign actor: preemptively secures vulnerable coins to prevent theft (raises questions about property rights).
  • Secret capability: a nation maintains its quantum advantage for intelligence purposes and doesn't reveal it through Bitcoin attacks.

Potential Solutions

Post-Quantum Cryptography

NIST has selected new cryptographic algorithms designed to resist quantum attacks. Bitcoin could adopt these through a soft fork, introducing new address types that use post-quantum signatures.

Challenge: Post-quantum signatures are much larger than ECDSA signatures, which would impact block space and transaction costs.

Migration to New Addresses

Users could proactively move funds to quantum-resistant addresses once available. This would protect future transactions but requires active participation from every holder.

Migration time is NOT the bottleneck

One often-cited claim is that "full Bitcoin migration would take 76 to 305 days or more." This number is misleading because it treats dust UTXOs with negligible value the same as systemically important UTXOs. The actual value distribution is heavily concentrated: per mempool.space's May 2025 UTXO report, 97.75% of Bitcoin's value is concentrated in 5.26 million UTXOs (about 3.04% of the total UTXO count). Weighting migration transaction sizes by script type and value, the average comes out to roughly 678 weight units, allowing about 5,900 migration transactions per block.

Under that assumption:

  • Allocating 25% of block space to migration moves 90% of Bitcoin's value in about 4.4 days, and 98% in about 3.5 weeks.
  • In an emergency where 100% of block space is allocated to migration, 90% moves in about 1.1 days, 98% in about 6.2 days.

The chain's capacity is not the bottleneck. The real bottleneck is community consensus: wallet upgrade timelines, exchange and custodian operational decisions, hardware wallet support, ordinary users becoming aware of the upgrade.

What to do with the coins left behind: three approaches

Even after a quantum-resistant migration path opens and most holders begin moving, some coins will inevitably stay put (lost keys, deceased owners, Satoshi's wallet). The Bitcoin community is converging on three approaches to this problem, each with sharp tradeoffs:

1. Steal (legacy signatures stay valid)

Legacy signatures continue to be valid, and the network accepts that quantum attackers may steal coins with exposed public keys. This is the most faithful to Bitcoin's principles of immutability and respect for property rights. The cost: 1.72 million P2PK coins flow into the market at once if quantum attackers succeed. As a market-impact comparison, that volume is roughly the annual sell volume of long-term holders at a bull-market peak; severe but not historically unprecedented in absolute terms.

2. Throttle (rate-limit legacy spending)

Hunter Beast and Michael Casey's Hourglass V2 proposal is the representative example. It limits P2PK output spending to 1 BTC per block, slowing the flow into the market by force even if a quantum attack happens. Under this rule, moving all P2PK coins would take roughly 32 years. The logic is similar to imposing withdrawal limits during a bank run. Because no coins are burned, original owners who return later still retain access, just slowly.
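Both the "Migration time is NOT the bottleneck" section and the Throttle approach above are throughput arithmetic over Bitcoin's block cadence, so the following added example (not code from the original page or from any of the cited proposals) works the numbers through. It takes from the text the 678 weight-unit average migration transaction, the 5.26 million UTXOs holding 97.75% of value, and the 1.72 million P2PK coins; it assumes Bitcoin's 4,000,000 weight-unit block limit and 144 blocks per day at the 10-minute average interval. The page's "90% of value" figures need a UTXO count it does not give, so only the 97.75% case is computed here.

```python
"""Migration-throughput and throttle arithmetic using the figures quoted in the text."""

MAX_BLOCK_WEIGHT = 4_000_000     # Bitcoin's consensus block weight limit, in weight units (assumed)
BLOCKS_PER_DAY = 144             # at the 10-minute average block interval (assumed)
AVG_MIGRATION_TX_WEIGHT = 678    # value-weighted average migration tx size, from the text
HIGH_VALUE_UTXOS = 5_260_000     # UTXOs holding 97.75% of value (mempool.space, May 2025)
P2PK_BTC = 1_720_000             # P2PK coins named in the Throttle section


def migration_txs_per_block(block_share: float = 1.0,
                            tx_weight: int = AVG_MIGRATION_TX_WEIGHT) -> int:
    """Average-size migration transactions that fit in the share of a block set aside for them."""
    if not 0 < block_share <= 1:
        raise ValueError("block_share must be in (0, 1]")
    return int(MAX_BLOCK_WEIGHT * block_share) // tx_weight


def migration_days(utxo_count: int, block_share: float = 1.0,
                   tx_weight: int = AVG_MIGRATION_TX_WEIGHT) -> float:
    """Days needed to move utxo_count outputs, one migration tx each, at the given block share."""
    per_day = migration_txs_per_block(block_share, tx_weight) * BLOCKS_PER_DAY
    return utxo_count / per_day


def throttle_years(total_btc: float, btc_per_block: float = 1.0) -> float:
    """Years to drain total_btc through a per-block spending cap such as Hourglass V2's 1 BTC/block."""
    if btc_per_block <= 0:
        raise ValueError("btc_per_block must be positive")
    return total_btc / btc_per_block / (BLOCKS_PER_DAY * 365.25)


if __name__ == "__main__":
    print(f"{migration_txs_per_block():,} migration txs per full block")
    for share in (0.25, 1.0):
        d = migration_days(HIGH_VALUE_UTXOS, share)
        print(f"{share:.0%} of block space: 97.75% of value moved in {d:.1f} days")
    print(f"Throttle at 1 BTC/block: {P2PK_BTC:,} BTC takes {throttle_years(P2PK_BTC):.1f} years")
```

With these inputs a full block carries 5,899 migration transactions (the text's "about 5,900"), a 25% allocation moves the 5.26M high-value UTXOs in about 25 days (the text's "about 3.5 weeks"), a 100% allocation does it in about 6.2 days, and a 1 BTC-per-block cap stretches 1.72M BTC over roughly 33 years, matching the three figures the text quotes.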

3. Soft-freeze (reclaim via seed-phrase proof)

Recently formalized by BitMEX Research, this invalidates all legacy signatures but lets the original owner reclaim their coins by proving control of the wallet's seed phrase via zero-knowledge proof. The key insight: a 12-to-24-word seed phrase is quantum-resistant in itself, since even a CRQC cannot recover an ordered seed phrase from an exposed public key. A recently published prototype showed the seed-possession ZK proof runs in under a minute on consumer hardware. For P2PK coins where the public key is exposed but no seed was used, reclamation is still possible if a hash commitment was posted on-chain before Q-Day.

This decision will likely be Bitcoin's most contentious fork point. The chain may well split into two, and once that happens the market decides which side counts as "Bitcoin" (the 2017 Bitcoin Cash precedent applies: once one side trades at a premium, liquidity and users tilt toward it).

Development progress and proposals

Bitcoin community research on the quantum transition has been accelerating. Data from the bitcoin-dev mailing list shows quantum-related messages went from about 5% of total in 2024 to roughly 50% by March 2026. Chaincode Labs and Blockstream Research are leading the work. In March 2026, a SHRINCS verifier was actually deployed to the Liquid sidechain, putting post-quantum signatures into a live environment. Also in March 2026, BTQ Technologies deployed the first working build of BIP-360 (P2MR, Pay-to-Merkle-Root) in Bitcoin Quantum Testnet v0.3.0.

Three output types are under discussion for where to attach the post-quantum signature scheme: extending the existing P2TR, the P2MR proposal in BIP-360, and P2Q (a middle path that behaves like P2TR for now but can have the key-path disabled later via soft fork). The community preference leans toward hash-based signatures (SHRINCS, SHRIMPS, both variants of SPHINCS+) because hash-based doesn't introduce new cryptographic assumptions, which fits Bitcoin's conservative culture.

The Bitcoin-vs-Ethereum structural contrast

Bitcoin and Ethereum face the same quantum threat with very different structural exposures. The cleanest framing:

  • Migration transaction required? Bitcoin: yes (move UTXOs to a new output type). Ethereum: yes, but only to swap the account's verification logic via EIP-8141.
  • Address preservation after migration? Bitcoin: NEW address required. Ethereum: SAME address preserved via account abstraction.
  • State migration granularity? Bitcoin: per UTXO (or batched). Ethereum: per account in a single migration step.

If Bitcoin's bottleneck is community consensus and slow governance, Ethereum's is the complexity of the four layers that need to transition (consensus, execution, data availability, ZK proof systems) plus the application layer's admin-authority web.

Sources for this section: Four Pillars, "The Real Nature of Quantum Threats to Blockchain" (May 2026). Presidio Bitcoin vulnerable-set analysis. Hunter Beast and Michael Casey's Hourglass V2 proposal. BitMEX Research soft-freeze proposal. mempool.space May 2025 UTXO distribution data. Last verified: 2026-05-14.

What Should Bitcoin Holders Do?

Today

  • Don't reuse addresses: use fresh addresses for receiving; this is already best practice.
  • Avoid sending from addresses with large balances: once you send, your public key is exposed.
  • Stay informed: follow Bitcoin development proposals related to post-quantum security.

When Quantum-Resistant Addresses Arrive

  • Migrate promptly: move funds to new address formats when available.
  • Update wallets: ensure your wallet software supports the new standards.

Perspective

Quantum computing is a real threat that deserves attention, but it's not imminent. Current systems are nowhere near cryptographically relevant. The bigger risk may be failing to prepare, rather than panicking prematurely.

The Balanced View

Quantum computers powerful enough to break Bitcoin don't exist yet and won't for years. But the timeline has been steadily compressing, and Bitcoin's slow upgrade process means preparation should start well before the threat materializes.

Key Takeaways

  1. The threat is to signatures, not mining: ECDSA is vulnerable; SHA-256 mining is more resistant.
  2. Not all Bitcoin is equally at risk: only addresses with exposed public keys (~20% of supply) are vulnerable.
  3. The timeline is unclear but compressing: government deadlines suggest 2030-2035 as the critical window.
  4. Solutions exist but require coordination: post-quantum cryptography is ready; rollout takes time.
  5. Best practice today is not to reuse addresses: this limits your exposure even before quantum threats materialize.
  6. Satoshi's coins are the elephant in the room: ~1M BTC sits in the most vulnerable address format.

Disclaimer: This is educational content about technological risks, not investment advice. Quantum computing timelines are uncertain and predictions vary widely. Always do your own research.
