Summary
- Current quantum computers lack the capability to disrupt real-world cryptography.
- Older Bitcoin wallets with exposed public keys face the greatest long-term risk.
- Developers are investigating post-quantum signatures and potential migration strategies.
While today's quantum computers do not pose a threat to Bitcoin's cryptography, advancements from companies like Google and IBM indicate that the timeline for such threats may be accelerating.
As these companies make strides toward fault-tolerant quantum systems, the concept of “Q-Day” emerges as a significant concern. This term refers to the day a sufficiently powerful quantum machine could recover the private keys behind older Bitcoin addresses, potentially compromising over $452 billion in at-risk wallets.
Once a distant concern, Q-Day became more pressing following a Google whitepaper released in March 2026, which indicated that quantum computers might threaten cryptographic systems sooner than anticipated.
Transitioning Bitcoin to a post-quantum state will require years of effort, necessitating proactive measures well before the threat materializes. Experts emphasize the uncertainty surrounding the timeline for this risk, complicating consensus within the community on how to proceed.
This ambiguity has fostered anxiety that a quantum computer capable of breaching Bitcoin's defenses might be developed before adequate safeguards are in place.
This article will delve into the quantum risks facing Bitcoin and the necessary adaptations to secure the leading blockchain.
Mechanism of a Quantum Attack
A quantum-enabled attack would be subtle rather than overt. An attacker would begin by scanning the blockchain for addresses that have previously disclosed a public key. This includes older wallets, reused addresses, early miner outputs, and many dormant accounts.
In a ‘harvest now, decrypt later’ attack, the attacker would capture the public key and process it through a quantum computer using Shor’s algorithm. Invented in 1994 by mathematician Peter Shor, this algorithm enables a quantum machine to factor large numbers and solve the discrete logarithm problem far more efficiently than any known classical method. Bitcoin’s elliptic-curve signatures depend on the difficulty of exactly these problems. With sufficient error-corrected qubits, a quantum computer could apply Shor’s method to derive the private key corresponding to the exposed public key.
Justin Thaler, a research partner at Andreessen Horowitz and associate professor at Georgetown University, explained to Decrypt that recovering the private key allows the attacker to transfer the coins. “Quantum computers could forge the digital signatures used by Bitcoin today,” Thaler stated. “An attacker with a quantum computer could authorize a transaction to withdraw all the Bitcoin from your accounts without your consent. That’s the concern.”
The forged signature would appear legitimate to the Bitcoin network. Nodes would accept it, miners would include it in a block, and the transaction would not be flagged as suspicious. If an attacker targeted a large number of exposed addresses simultaneously, billions of dollars could be transferred in a matter of minutes, causing market reactions before any confirmation of a quantum attack.
As worries about Q-Day intensified, cryptocurrency exchange Coinbase established an independent advisory board in January 2026 focused on the implications of quantum computing for blockchain security.
In March 2026, research papers from Caltech and Google indicated that future quantum computers might breach elliptic curve cryptography using fewer qubits and computational steps than previously thought.
This revelation alarmed the crypto community, prompting Bitcoin security researcher Justin Drake to tweet that there is a "minimum 10% chance that by 2032 a quantum computer will extract a secp256k1 ECDSA private key from an exposed public key."
Today marks a significant milestone for quantum computing and cryptography. Two groundbreaking papers were just published (links in the following tweet). Both papers enhance Shor's algorithm, known for its ability to crack RSA and elliptic curve cryptography. The improvements compound, optimizing different layers of…
— Justin Drake (@drakefjustin) March 31, 2026
In April 2026, researcher Giancarlo Lelli used a publicly accessible quantum computer to break a simplified elliptic-curve cryptography key. By May, the U.S. Department of Commerce announced a plan to invest $2 billion into quantum technology.
France took a significant step in June by ceasing to certify technologies that do not meet quantum-safe standards, becoming one of the first nations to establish security certifications linked to post-quantum cryptography requirements. Later that month, President Donald Trump enacted two executive orders to bolster U.S. quantum computing capabilities and expedite the transition to quantum-resistant encryption.
The Current State of Quantum Computing
By 2025, quantum computing began to shift from a theoretical concept to a more tangible reality.
- January 2025: Google’s 105-qubit Willow chip demonstrated significant error reduction and surpassed classical supercomputers in benchmarks.
- February 2025: Microsoft introduced its Majorana 1 platform, achieving record logical-qubit entanglement with Atom Computing.
- April 2025: NIST achieved superconducting qubit coherence of 0.6 milliseconds.
- June 2025: IBM set goals of reaching 200 logical qubits by 2029 and over 1,000 in the early 2030s.
- September 2025: Caltech unveiled a neutral-atom quantum computer with 6,100 qubits operating at 99.98% accuracy.
- October 2025: IBM entangled 120 qubits; Google confirmed a verified quantum speed-up.
- November 2025: IBM announced new chips and software aimed at achieving quantum advantage in 2026 and fault-tolerant systems by 2029.
- January 2026: Coinbase launched an independent advisory board to address quantum computing and blockchain security.
- March 2026: Research papers from Caltech and Google suggested that quantum computers could jeopardize Bitcoin's cryptography sooner than previously thought, with Bitcoin security experts estimating a 10% chance of a quantum computer retrieving a Bitcoin private key by 2032. Google aims for the network to be quantum-ready by 2029.
- April 2026: Researcher Giancarlo Lelli successfully cracked a simplified elliptic curve cryptography key using a publicly available quantum computer.
- May 2026: The U.S. Department of Commerce announced a $2 billion investment in quantum technology development.
- June 2026: President Donald Trump signed two executive orders aimed at enhancing U.S. quantum computing capabilities and accelerating the transition to quantum-resistant encryption.
Christopher Tam, president and innovation lead at BTQ Technologies, criticized the administration's 2031 deadline for federal agencies to transition high-value assets to post-quantum cryptography as being too slow given the rapid pace of industry advancements and the potential hazards posed by quantum computing.
"I would have made it more urgent," Tam told Decrypt. "It seems somewhat peculiar that the federal government would lag behind the industry by two years."
Reasons Behind Bitcoin's Vulnerability
Bitcoin uses elliptic-curve cryptography for its signatures. When coins are spent from an address, the spending transaction reveals the public key behind it, and because the blockchain is immutable that exposure is permanent. In Bitcoin's early pay-to-public-key format, many addresses disclosed their public keys on-chain even before any spending activity occurred. The later pay-to-public-key-hash format conceals the key until the first transaction that spends from it.
Due to their public keys being permanently exposed, the oldest coins, including approximately 1 million Satoshi-era Bitcoins, are particularly vulnerable to future quantum attacks. Transitioning to post-quantum digital signatures, Thaler noted, necessitates active participation.
“For Satoshi to secure their coins, they would need to transfer them into new post-quantum-secure wallets,” he explained. “The primary concern is with abandoned coins, worth around $180 billion, including about $100 billion believed to belong to Satoshi. These amounts are significant, but they are abandoned, which represents a genuine risk.”
Additionally, many coins are linked to lost private keys, remaining untouched for over a decade. Without access to these keys, they cannot be transferred to quantum-resistant wallets, making them prime targets for future quantum computers.
Directly freezing Bitcoin on-chain is not feasible. Practical strategies against impending quantum threats emphasize migrating at-risk funds, adopting post-quantum addresses, or managing existing vulnerabilities.
However, Thaler pointed out that post-quantum encryption and digital signature methods entail considerable performance trade-offs, as they are significantly larger and more resource-intensive than today’s lightweight 64-byte signatures.
“Current digital signatures are about 64 bytes. Post-quantum alternatives can range from 10 to 100 times larger,” he stated. “In a blockchain context, this increase in size poses a much more significant challenge since every node must store these signatures indefinitely. Managing the costs associated with the actual data size is far more complex in this system than in others.”
Strategies for Protection
Various Bitcoin Improvement Proposals have been suggested by developers to prepare for potential quantum attacks, ranging from minimal optional protections to comprehensive network migrations.
- BIP-360 (P2QRH): Introduces new “bc1r…” addresses that merge current elliptic-curve signatures with post-quantum methods like ML-DSA or SLH-DSA. This offers hybrid security without necessitating a hard fork, though the larger signatures result in higher fees.
- BIP-361: This proposal would phase out the existing signature systems and freeze coins that do not transition to quantum-resistant addresses.
- Quantum-Safe Taproot: Incorporates a hidden post-quantum branch into Taproot. Should quantum threats become credible, miners could soft-fork to require the post-quantum branch, while users continue operating normally until then.
- Quantum-Resistant Address Migration Protocol (QRAMP): A mandatory migration strategy that transfers vulnerable UTXOs to quantum-safe addresses, likely via a hard fork.
- Pay to Taproot Hash (P2TRH): Replaces visible Taproot keys with double-hashed versions, limiting exposure without introducing new cryptography or disrupting compatibility.
- Non-Interactive Transaction Compression (NTC) via STARKs: Employs zero-knowledge proofs to condense large post-quantum signatures into a single proof per block, reducing storage and fee expenses.
- Commit-Reveal Schemes: Depend on hashed commitments made before any quantum threat emerges.
- Helper UTXOs: Append small post-quantum outputs to safeguard transactions.
- “Poison pill” transactions: Enable users to pre-publish recovery strategies.
- Fawkescoin-style alternatives: Remain inactive until a credible quantum computer is demonstrated.
Collectively, these proposals outline a gradual approach to quantum safety: immediate, low-impact measures like P2TRH now, followed by more substantial upgrades such as BIP-360 or STARK-based compression as the threat intensifies. Successful implementation would require extensive coordination, and many of the post-quantum address formats and signature methods are still in early stages of discussion.
Thaler highlighted that Bitcoin’s decentralization—its greatest asset—also complicates extensive upgrades, as any new signature system must achieve broad consensus among miners, developers, and users.
“Two major challenges confront Bitcoin. First, upgrades are time-consuming, if they occur at all. Second, there is the issue of abandoned coins. Any transition to post-quantum signatures must be proactive, and the owners of those older wallets may no longer be involved,” Thaler remarked. “The community must decide on the fate of these coins: either agree to exclude them from circulation or do nothing and allow quantum-equipped attackers to seize them. The latter option could raise legal concerns, and those seizing the coins would likely be unconcerned.”
Most Bitcoin holders need not take immediate action. However, a few prudent practices can significantly reduce long-term risk: avoid address reuse, so that a public key stays hidden until the coins are spent, and use contemporary wallet formats rather than legacy ones.
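The exposure rule explained in the vulnerability section (pay-to-public-key and Taproot outputs show a key on-chain from the start, hash-based addresses only once they are spent from) and the address-reuse advice above can be turned into a triage check over a wallet's unspent outputs. The following is an added example written for this article, not code from any project it mentions; it matches standard Bitcoin scriptPubKey templates, and the sample scripts, txids and the set of already-spent scripts are constructed (in practice that set would come from your own node or indexer).

```python
# Added example (not from the article): triage Bitcoin outputs by whether their public
# key is already visible on-chain. Scripts and txids below are constructed samples.
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC

def classify_spk(spk: bytes) -> tuple[str, bool]:
    """Return (script type, key_visible_at_creation) for a raw scriptPubKey."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG; the key is public the moment coins arrive
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG; only a hash is shown
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", False
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh", False    # hash of a redeem script
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False  # SegWit v0 hash of a key
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", False   # SegWit v0 hash of a witness script
    # P2TR: OP_1 <32-byte x-only key>; the tweaked output key itself sits on-chain
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "unknown", False

def exposed_utxos(utxos, spent_spks):
    """utxos: iterable of (txid, vout, scriptPubKey). spent_spks: scriptPubKeys ever spent
    from; that spend revealed the key or script behind the hash, so reuse exposes it too."""
    report = []
    for txid, vout, spk in utxos:
        kind, visible = classify_spk(spk)
        if visible:
            reason = "key visible in output script"
        elif kind != "unknown" and spk in spent_spks:
            reason = "address reused after an earlier spend revealed its key/script"
        else:
            reason = None
        report.append((txid, vout, kind, reason))
    return report

# Constructed samples: zeroed or repeated bytes stand in for real keys and hashes.
P2PK = bytes([33, 0x02]) + bytes(32) + bytes([OP_CHECKSIG])
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + b"\x01" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + bytes(20)
P2TR = bytes([OP_1, 32]) + bytes(32)
SAMPLE_UTXOS = [("tx1", 0, P2PK), ("tx2", 0, P2PKH_A), ("tx3", 1, P2PKH_B),
                ("tx4", 0, P2WPKH), ("tx5", 0, P2TR)]
SPENT_SPKS = {P2PKH_A}  # address A was spent from earlier and then received coins again
```

Outputs with a non-empty reason are the ones a future Shor-capable machine could target without any further action by the owner; the others stay hidden only as long as their address is never reused.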
Currently, quantum computers are not on the verge of breaking Bitcoin, and predictions about when this might occur vary widely. Some experts anticipate a threat within the next five years, while others project it into the 2030s. Nevertheless, ongoing investments could accelerate this timeline.
This article was updated in July 2026.
