
Quantum Computing vs Bitcoin: Timeline, Threats, and What Holders Should Know

Dora Noda, Software Engineer · 8 min read

Google's Willow quantum chip can solve in five minutes what would take classical supercomputers 10 septillion years. Meanwhile, $718 billion in Bitcoin sits in addresses that quantum computers could theoretically crack. Should you panic? Not yet—but the clock is ticking.

The quantum threat to Bitcoin isn't a matter of if but when. As we enter 2026, the conversation has shifted from dismissive skepticism to serious preparation. Here's what every Bitcoin holder needs to understand about the timeline, the actual vulnerabilities, and the solutions already in development.

The Quantum Threat: Breaking Down the Math

Bitcoin's security rests on two cryptographic pillars: the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction signatures and SHA-256 for mining and address hashing. Each faces a different level of quantum risk.

Shor's algorithm, running on a sufficiently powerful quantum computer, could derive private keys from public keys—effectively picking the lock on any Bitcoin address where the public key is exposed. This is the existential threat.

Grover's algorithm offers a quadratic speedup for brute-forcing hash functions, reducing SHA-256's effective strength from 256 bits to 128 bits. This is concerning but not immediately catastrophic—128-bit security remains formidable.

The critical question: How many qubits does it take to run Shor's algorithm against Bitcoin?

Estimates vary wildly:

  • Conservative: 2,330 stable logical qubits could theoretically break ECDSA
  • Practical reality: Due to error correction needs, this requires 1-13 million physical qubits
  • University of Sussex estimate: 13 million qubits to break Bitcoin encryption in one day
  • Most aggressive estimate: 317 million physical qubits to crack a 256-bit ECDSA key within an hour

Google's Willow chip has 105 qubits. The gap between 105 and 13 million explains why experts aren't panicking—yet.

Where We Stand: The 2026 Reality Check

The quantum computing landscape in early 2026 looks like this:

Current quantum computers are crossing the 1,500 physical qubit threshold, but error rates remain high. Approximately 1,000 physical qubits are needed to create just one stable logical qubit. Even with aggressive AI-assisted optimization, jumping from 1,500 to millions of qubits in 12 months is physically impossible.

Timeline estimates from experts:

Source                           Estimate
Adam Back (Blockstream CEO)      20-40 years
Michele Mosca (U. of Waterloo)   1-in-7 chance by 2026 for fundamental crypto break
Industry consensus               10-30 years for Bitcoin-breaking capability
US Federal mandate               Phase out ECDSA by 2035
IBM roadmap                      500-1,000 logical qubits by 2029

The 2026 consensus: no quantum doomsday this year. However, as one analyst put it, "the likelihood that quantum becomes a top-tier risk factor for crypto security awareness in 2026 is high."

The $718 Billion Vulnerability: Which Bitcoins Are at Risk?

Not all Bitcoin addresses face equal quantum risk. The vulnerability depends entirely on whether the public key has been exposed on the blockchain.

High-risk addresses (P2PK - Pay to Public Key):

  • Public key is directly visible on-chain
  • Includes all addresses from Bitcoin's early days (2009-2010)
  • Satoshi Nakamoto's estimated 1.1 million BTC falls into this category
  • Total exposure: approximately 4 million BTC (20% of supply)

Lower-risk addresses (P2PKH, P2SH, SegWit, Taproot):

  • Public key is hashed and only revealed when spending
  • As long as you never reuse an address after spending, the public key remains hidden
  • Modern wallet best practices naturally provide some quantum resistance

The critical insight: if you've never spent from an address, your public key isn't exposed. The moment you spend from it, the public key is published on-chain, and any funds sent back to that reused address are vulnerable.

Satoshi's coins present a unique dilemma. Those 1.1 million BTC in P2PK addresses cannot be moved to safer formats—the private keys would need to sign a transaction, which we have no evidence Satoshi can or will do. If quantum computers reach sufficient capability, those coins become the world's largest crypto bounty.

"Harvest Now, Decrypt Later": The Shadow Threat

Even if quantum computers can't break Bitcoin today, adversaries may already be preparing for tomorrow.

The "harvest now, decrypt later" strategy involves collecting exposed public keys from the blockchain now, storing them, and waiting for quantum computers to mature. When Q-Day arrives, attackers with archives of public keys could immediately drain vulnerable wallets.

Nation-state actors and sophisticated criminal organizations are likely already implementing this strategy. Every public key exposed on-chain today becomes a potential target in 5-15 years.

This creates an uncomfortable reality: the security clock for any exposed public key may have already started ticking.

Solutions in Development: BIP 360 and Post-Quantum Cryptography

The Bitcoin developer community isn't waiting for Q-Day. Multiple solutions are progressing through development and standardization.

BIP 360: Pay to Quantum Resistant Hash (P2TSH)

BIP 360 proposes a quantum-resistant tapscript-native output type as a critical "first step" toward quantum-safe Bitcoin. The proposal outlines three quantum-resistant signature methods, enabling gradual migration without disrupting network efficiency.

By 2026, advocates hope to see widespread P2TSH adoption, allowing users to migrate funds to quantum-safe addresses proactively.

NIST-Standardized Post-Quantum Algorithms

As of 2025, NIST finalized three post-quantum cryptography standards:

  • FIPS 203 (ML-KEM): Key encapsulation mechanism
  • FIPS 204 (ML-DSA/Dilithium): Digital signatures (lattice-based)
  • FIPS 205 (SLH-DSA/SPHINCS+): Hash-based signatures

BTQ Technologies has already demonstrated a working Bitcoin implementation using ML-DSA to replace ECDSA signatures. Their Bitcoin Quantum Core Release 0.2 proves the technical feasibility of migration.

The Tradeoff Challenge

Lattice-based signatures like Dilithium are significantly larger than ECDSA signatures—potentially 10-50x larger. This directly impacts block capacity and transaction throughput. A quantum-resistant Bitcoin might process fewer transactions per block, increasing fees and potentially pushing smaller transactions off-chain.

What Bitcoin Holders Should Do Now

The quantum threat is real but not imminent. Here's a practical framework for different holder profiles:

For all holders:

  1. Avoid address reuse: Never send Bitcoin to an address you've already spent from
  2. Use modern address formats: SegWit (bc1q) or Taproot (bc1p) addresses hash your public key
  3. Stay informed: Follow BIP 360 development and Bitcoin Core releases

For significant holdings (>1 BTC):

  1. Audit your addresses: Check if any holdings are in P2PK format using block explorers
  2. Consider cold storage refresh: Periodically move funds to fresh addresses
  3. Document your migration plan: Know how you'll move funds when quantum-safe options become standard
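As an added example (not from the original post or from any wallet software), this Python classifier implements the exposure model described under "Which Bitcoins Are at Risk?" and the P2PK audit step above: it decodes a scriptPubKey into its standard template and flags outputs whose public key is already on-chain or was revealed by an earlier spend from the same address. Labels, keys and hashes are constructed placeholders. One caveat the post does not spell out: a Taproot output carries its 32-byte output key directly in the script, so the classifier treats it as exposed on-chain.

```python
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)

@dataclass(frozen=True)
class Classification:
    script_type: str
    key_on_chain: bool      # public key readable from the unspent output itself
    exposed_if_spent: bool  # key (or redeem script) revealed by the first spend

def classify_script(script_hex: str) -> Classification:
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG:
        return Classification("P2PK", True, True)    # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20]) and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Classification("P2PKH", False, True)  # only hash160(pubkey) on-chain
    if n == 23 and s[:2] == bytes([OP_HASH160, 20]) and s[-1] == OP_EQUAL:
        return Classification("P2SH", False, True)   # hash160(redeem script)
    if n == 22 and s[:2] == bytes([OP_0, 20]):
        return Classification("P2WPKH", False, True) # segwit v0, hash160(pubkey)
    if n == 34 and s[:2] == bytes([OP_1, 32]):
        # Taproot: the script is OP_1 followed by the x-only output key itself
        return Classification("P2TR", True, True)
    return Classification("unknown", False, True)

def audit_outputs(outputs, spent_from):
    """outputs: (label, script_hex) pairs; spent_from: labels with any prior spend.
    Returns labels whose key is on-chain now or was revealed by an earlier spend."""
    exposed = []
    for label, script_hex in outputs:
        c = classify_script(script_hex)
        if c.key_on_chain or (c.exposed_if_spent and label in spent_from):
            exposed.append((label, c.script_type))
    return exposed

# Constructed sample wallet: placeholder keys and hashes, not real addresses.
SAMPLE_OUTPUTS = [
    ("legacy-2009", "21" + "02" + "11" * 32 + "ac"),  # P2PK, key always visible
    ("cold-a", "76a914" + "22" * 20 + "88ac"),         # P2PKH, never spent from
    ("cold-b", "0014" + "33" * 20),                    # P2WPKH, reused after a spend
    ("taproot-1", "5120" + "44" * 32),                 # P2TR, output key visible
]
SPENT_FROM = {"cold-b"}

def run_sample():
    return audit_outputs(SAMPLE_OUTPUTS, SPENT_FROM)
```

Running `run_sample()` returns the three exposed entries (the P2PK output, the reused P2WPKH address and the Taproot output) while the never-spent P2PKH address is left alone.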

For institutional holders:

  1. Include quantum risk in security assessments: BlackRock added quantum computing warnings to their Bitcoin ETF filing in 2025
  2. Monitor NIST standards and BIP developments: Budget for future migration costs
  3. Evaluate custody providers: Ensure they have quantum migration roadmaps

The Governance Challenge: Bitcoin's Unique Vulnerability

Unlike Ethereum, which has a more centralized upgrade path through the Ethereum Foundation, Bitcoin upgrades require broad social consensus. There's no central authority to mandate post-quantum migration.

This creates several challenges:

Lost and abandoned coins can't migrate. An estimated 3-4 million BTC are lost forever. These coins will remain in quantum-vulnerable states indefinitely, creating a permanent pool of potentially stealable Bitcoin once quantum attacks become viable.

Satoshi's coins raise philosophical questions. Should the community freeze Satoshi's P2PK addresses preemptively? Ava Labs CEO Emin Gün Sirer has proposed this, but it would fundamentally challenge Bitcoin's immutability principles. A hard fork to freeze specific addresses sets a dangerous precedent.

Coordination takes time. Research indicates performing a full network upgrade, including migrating all active wallets, could require at least 76 days of dedicated on-chain effort in an optimistic scenario. In practice, with continued network operation, migration could take months or years.

Satoshi Nakamoto foresaw this possibility. In a 2010 BitcoinTalk post, he wrote: "If SHA-256 became completely broken, I think we could come to some agreement about what the honest blockchain was before the trouble started, lock that in and continue from there with a new hash function."

The question is whether the community can achieve that agreement before, not after, the threat materializes.

The Bottom Line: Urgency Without Panic

Quantum computers capable of breaking Bitcoin are likely 10-30 years away. The immediate threat is low. However, the consequences of being unprepared are catastrophic, and migration takes time.

The crypto industry's response should match the threat: deliberate, technically rigorous, and proactive rather than reactive.

For individual holders, the action items are straightforward: use modern address formats, avoid reuse, and stay informed. For the Bitcoin ecosystem, the next five years are critical for implementing and testing quantum-resistant solutions before they're needed.

The quantum clock is ticking. Bitcoin has time—but not unlimited time—to adapt.


BlockEden.xyz provides enterprise-grade blockchain infrastructure across 25+ networks. As the crypto industry prepares for the quantum era, we're committed to supporting protocols that prioritize long-term security. Explore our API services to build on networks preparing for tomorrow's challenges.