
The Quantum Threat to Bitcoin: What You Need to Know

Wolfgang Amadeus Vitale, Crypto Protocol Expert
16 Jun 2026 · 6 Min

The first thing I want to make very, very clear is that a quantum computer is not a faster version of a classical computer. It is a completely different machine, built on a fundamentally different unit of information. Unlike an ordinary bit, which always holds one definite value of zero or one, a qubit yields a zero or a one only at the moment you measure it. Behind that outcome sits a precise set of numbers, one for every possible configuration of the machine, and as more qubits are added the number of possible configurations grows exponentially.

This matters because qubits enable different algorithms: not faster versions of the same calculations, but entirely new operations relying on quantum interference and entanglement that classical computers cannot emulate at scale, at least not in any practical timeframe. Most of those new algorithms are narrow and specialized, but one of them is a direct threat to the cryptography that secures Bitcoin.

What ECC is and why Bitcoin depends on it

Bitcoin relies on elliptic curve cryptography (ECC) for digital signatures. When you hold Bitcoin, what you actually own is knowledge of a private key. Digital signatures let you prove you know that key without ever revealing it.  

That proof is the technical foundation of ownership in the Bitcoin network. If ECC can be broken, meaning someone can derive your private key from your public key, then the entire system of property rights in Bitcoin stops being enforceable. 

This is foundational. Every Bitcoin transaction is authorized via digital signatures relying on ECC. It is the mechanism through which the network knows that you, and only you, have the right to move your coins.

What Shor's algorithm does

So the question is: can a quantum computer actually break ECC? And the answer is yes, if it is powerful enough. 

In 1994, cryptographer Peter Shor published a method, known as Shor's algorithm, that in principle reverses the mathematical operation ECC depends on, making it possible to derive a private key from a public key.

If you can run Shor's algorithm at the scale relevant to standard security parameters, classical public key cryptography becomes obsolete. Digital signatures can be forged. Authentication fails. For Bitcoin, it means an attacker could extract private keys from exposed public keys and claim ownership of the corresponding coins. 

But Shor's algorithm has heavy requirements. You need a cryptographically relevant quantum computer (CRQC), a computer with many high-quality logical qubits operating at extremely low error rates.  

We do not have that today. Not even close. The current state is fewer than a hundred logical qubits, and none at the error rates required for cryptographic attacks. The target for breaking ECC is roughly a thousand, running reliably for tens of millions of operations. 

So the gap is still huge. That is a fact. But the building blocks are real. That is also a fact.

How much Bitcoin is at risk

Not all Bitcoin is equally exposed. The vulnerability depends on whether a public key has been revealed.  

Roughly 7 million BTC, hundreds of billions of dollars at current valuations, sit in addresses where the public key is already exposed, either because of their address format or because of address reuse. If a CRQC existed today, those coins could be targeted one public key at a time. The attacker would apply Shor's algorithm, extract the private key, and move the funds. 

Much of that vulnerable Bitcoin is believed to be permanently lost, including an estimated one million BTC attributed to Satoshi Nakamoto. But the exposure is not limited to lost coins. Any address that has ever spent coins, revealing its public key in the process, is at quantum risk if it still controls BTC. That includes active holdings.
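The exposure rule described in this section, as an added example that is not the article's own code or any Bitcoin software: a small classifier run over constructed UTXO records. It assumes that P2PK and P2TR outputs carry the public key in the locking script itself, that P2PKH/P2WPKH outputs carry only a hash of the key until the address spends, and that every address label and value below is a constructed placeholder.

```python
from dataclasses import dataclass
# Formats assumed to put the public key itself in the locking script (exposed on receipt).
EXPOSED_BY_FORMAT = {"p2pk", "p2tr"}
# Hash-locked formats: only a hash of the key is on chain until the address spends.
HASH_LOCKED = {"p2pkh", "p2wpkh"}

@dataclass(frozen=True)
class Utxo:
    address: str      # constructed placeholder label, not a real address
    script_type: str  # one of the format names above
    value_sat: int    # value in satoshis

def reused_addresses(spent_inputs):
    """Hash-locked addresses that ever spent: the spend put the full key on chain (reuse)."""
    return {i["address"] for i in spent_inputs if i["script_type"] in HASH_LOCKED}

def exposure_reason(utxo, reused):
    """Why this UTXO's key is exposed, or None if only a hash is on chain."""
    if utxo.script_type in EXPOSED_BY_FORMAT:
        return "public key in output script"
    if utxo.address in reused:
        return "address reuse: key revealed by an earlier spend"
    return None

def classify(utxos, spent_inputs):
    """Return (exposed_sat, unexposed_sat, [(address, reason-or-None), ...])."""
    reused = reused_addresses(spent_inputs)
    exposed_sat = unexposed_sat = 0
    report = []
    for u in utxos:
        reason = exposure_reason(u, reused)
        if reason is None:
            unexposed_sat += u.value_sat
        else:
            exposed_sat += u.value_sat
        report.append((u.address, reason))
    return exposed_sat, unexposed_sat, report

# Constructed sample data: four unspent outputs and two historical spends.
SAMPLE_UTXOS = [
    Utxo("addr_pk_2009", "p2pk", 50 * 100_000_000),  # early coinbase-style output
    Utxo("addr_pkh_reused", "p2pkh", 150_000_000),    # this address has spent before
    Utxo("addr_wpkh_fresh", "p2wpkh", 25_000_000),    # never spent from
    Utxo("addr_tr_1", "p2tr", 75_000_000),
]
SAMPLE_SPENDS = [
    {"address": "addr_pkh_reused", "script_type": "p2pkh"},
    {"address": "addr_wpkh_emptied", "script_type": "p2wpkh"},  # spent out, holds nothing
]

if __name__ == "__main__":
    print(classify(SAMPLE_UTXOS, SAMPLE_SPENDS)[:2])  # (5225000000, 25000000)
```

Of the four sample outputs only the never-spent P2WPKH coin stays unexposed; the same rule applied to a real UTXO set is how per-address exposure figures like the one quoted above are estimated.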

Why this matters now

We do not have a CRQC today, but several developments have changed the risk assessment. 

In December 2024, Google demonstrated with its Willow chip that quantum error correction works at scale: the more physical qubits you add, the lower the logical error rate goes. This was a breakthrough. It confirmed that the path toward reliable logical qubits is real, not just theoretical. Since then, multiple companies have shown progress on the same principle. The building blocks are real, and more of them arrive every year. 

NIST has mandated a transition to post-quantum cryptography. The migration is not optional for organizations that need to remain compliant with national security standards. And DARPA's managing director stated in March 2026 that it now “seems more likely than not” that someone will build a utility-scale quantum computer by 2033. 

Most recently, Google Quantum AI published a paper demonstrating a significant optimization of Shor's algorithm — specifically applied to secp256k1, the elliptic curve that underpins Bitcoin's digital signatures.  

Independent researchers have already improved on Google's result, and the optimization space appears far from exhausted. This moves the threat from a general concern about public key cryptography to a targeted effort aimed at Bitcoin's exact cryptographic foundation. 

Nobody knows the exact timeline, but the direction is clear, and the preparation window is measured in years, not decades.

What comes next

Bitcoin is not standing still. BIP-360, merged into the Bitcoin Improvement Proposals repository in February 2026, introduces a new address type that prepares the way for a later deployment of post-quantum or hybrid digital signature schemes. Testnets are running. The developer community is engaged. Post-quantum signature schemes exist, are standardized, and are safe.

The challenge ahead is not whether the cryptographic solutions exist. They do. The problem is that they are not optimized for Bitcoin’s requirements in terms of size, safety guarantees, simplicity, efficiency and so on. There will be tradeoffs, and it will be challenging to coordinate a migration across a decentralized network that requires broad consensus and active participation from every coin holder. In addition, lost coins raise a controversial governance question: whether it is better to freeze them or to leave them available to CRQCs.

We will be covering the timeline, the migration challenge, and how different protocols are preparing in the coming weeks. For a quick-reference overview of the core concepts covered here (qubits, ECDSA, Shor's algorithm, and public key exposure), we will release a video explainer shortly.

The threat is real, the preparation has started, and the time to understand what is at stake is now.
