When the Encryption Breaks

Wolfgang Amadeus Vitale, Crypto Protocol Expert
19 May 2026 | 6 Min

A breakthrough that changes the calculus

In December 2024, Google published a paper in Nature on its Willow quantum chip that made waves across the global technology community. The finding was significant: for the first time, researchers demonstrated that scaling up the underlying physical qubits actually improves the reliability of a logical qubit, rather than degrading it. The strategic implications are foundational, marking a shift from the era of unreliable, error-prone quantum hardware toward machines that can correct their own errors at scale.  

Classical cryptography protects sensitive data, such as access to bank accounts, communications, and digital assets, by relying on mathematical problems that cannot be solved with conventional hardware. Quantum computers enable new algorithms that attack those same problems in a fundamentally different way. What is secure today may not stay that way.

Following Willow and other breakthroughs in qubit technology and error correction techniques, major industry players have shown rough consensus in their roadmaps: quantum computers capable of reliably running a few hundred logical qubits are targeted by 2030.

That threshold alone wouldn’t be enough to break cryptography that currently underpins secure communications or account authentication, but it would make the path towards developing a cryptographically relevant quantum computer (CRQC) strikingly visible. For organizations with exposure to digital assets, the preparation window is open. The time to act is long before CRQC headlines force the issue.

What’s actually at stake

Bitcoin and other digital assets rely on elliptic curve cryptography (ECDSA) for digital signatures that authorize transactions. ECDSA lets someone prove they control the private key to an address without ever revealing it. That proof is the technical foundation of property rights in decentralized networks. If ECDSA is compromised, an attacker can work backwards from a publicly visible key to derive the private key. Ownership, as it currently exists in these systems, stops being technically enforceable. 

The scope of the potential exposure can already be measured. Estimates put roughly 6.9 million Bitcoin, nearly $456 billion at current prices, at risk from a cryptographically relevant quantum computer (CRQC). That vulnerability comes from two sources: outdated address formats that leave public keys directly exposed, and address reuse, which has the same effect. Much of the Bitcoin at risk is believed to be permanently lost, including an estimated one million Bitcoin thought to belong to Satoshi Nakamoto, Bitcoin’s pseudonymous founder. 

For institutional players, this raises a practical due diligence question: where does your custody infrastructure stand if the cryptographic foundation shifts? This isn’t a concern limited to direct holders. It runs up and down the entire chain: counterparties, sub-custodians, exchanges, and every intermediary that touches digital assets. 

[Figure: Bitcoin supply vulnerable to cryptographically relevant quantum computers (CRQCs)]

The most complex upgrade in blockchain history

The Bitcoin network is not standing still. In February 2026, BIP-360 was merged into the Bitcoin Improvement Proposals repository: for the first time, a proposal directly addressing quantum resistance is ready for formal discussion, testing and implementation.  

The proposal introduces a new address type called Pay-to-Merkle-Root (P2MR), which preserves the full extent of Bitcoin’s programmability without exposing a public key. Subsequent proposals would implement postquantum signature schemes, and define “migration” steps to move from vulnerable addresses to postquantum addresses. 

Beyond the technical challenges, a number of difficult, contentious questions remain open at the social and economic levels. What happens to coins whose owners have permanently lost their private keys? Should unmigrated holdings be frozen after a deadline to prevent “quantum theft”? How should the network treat coins that would be completely exposed to a quantum attacker, including, most prominently, Satoshi’s original holdings?  

These are fundamental issues, touching property rights, economic incentives, and the governance culture of a network that makes decisions by consensus across a decentralized ecosystem of miners, node operators, businesses, developers, and holders.

Why early action is decisive

Waiting for public evidence of an imminent security threat before taking any action would be a strategic mistake. Migrating vulnerable holdings is constrained by network throughput, and reaching the social consensus needed for a protocol change takes time. This means that Bitcoin should take first steps towards quantum resistance years before CRQCs are realized. 

The alternative scenario is much worse: panic selling, rushed protocol decisions made under pressure, and the real possibility of chain splits that produce competing versions of the same asset. The institutional fallout from that kind of disorder would be severe.  

The more likely path, and the one we expect to take shape through 2026, is the formation of social consensus around a soft fork toward quantum resistance, implementing BIP-360 or a similarly scoped proposal. That outcome would matter well beyond the technical fix. It would demonstrate that Bitcoin can respond to an existential challenge in an orderly, deliberate way. 

Three questions every institutional decision-maker should be asking 

First, regarding custody architecture: are holdings stored in address formats that expose public keys? Is address reuse being systematically avoided—and can your custodian tell you with confidence? These questions should be going to custodians and internal treasury teams today, not when the issue becomes imminent. 

Second, regarding provider readiness: does your custodian have the technical depth and protocol-level expertise to handle address migrations and upgrades smoothly when the time comes? This question separates providers that safekeep assets from those that genuinely understand how those assets work. 

Third, regarding protocol monitoring:  are you following the development of BIP-360 and related proposals? The consensus signals will become clearer throughout 2026. Any institutional participant caught off guard by these developments simply wasn’t paying attention.
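The first question, on custody architecture, can be turned into a concrete check. The sketch below is an added example, not code from the article or from any custodian: it classifies output scripts by standard template and flags holdings whose public key is already visible, either because the key sits in the output itself or because the script has been spent from before and still holds funds. The sample scripts and amounts are constructed, the function names are hypothetical, and counting Taproot (P2TR) outputs as key-exposing is this example's assumption, based on that format carrying its output key directly in the script.

```python
# Added example: constructed data, standard Bitcoin output script templates.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # public key sits in the output script itself

def classify_script(spk_hex: str) -> str:
    """Name the standard template a scriptPubKey (hex) matches."""
    b = bytes.fromhex(spk_hex)
    n = len(b)
    if n in (35, 67) and b[0] == n - 2 and b[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG
    if n == 25 and b[:3] == b"\x76\xa9\x14" and b[-2:] == b"\x88\xac":
        return "p2pkh"     # hash of the public key
    if n == 23 and b[:2] == b"\xa9\x14" and b[-1] == 0x87:
        return "p2sh"      # hash of a script
    if n == 22 and b[:2] == b"\x00\x14":
        return "p2wpkh"    # witness v0, 20-byte key hash
    if n == 34 and b[:2] == b"\x00\x20":
        return "p2wsh"     # witness v0, 32-byte script hash
    if n == 34 and b[:2] == b"\x51\x20":
        return "p2tr"      # witness v1, 32-byte output key
    return "unknown"

def audit(utxos, spent_scripts):
    """utxos: [(script_hex, sats)]; spent_scripts: scripts already spent from."""
    spent = {s.lower() for s in spent_scripts}
    report = []
    for spk, sats in utxos:
        kind = classify_script(spk)
        if kind in KEY_IN_OUTPUT:
            status = "exposed:key-in-output"
        elif kind == "unknown":
            status = "review:unrecognised-script"
        elif spk.lower() in spent:
            status = "exposed:reused-after-spend"  # an earlier spend revealed the key
        else:
            status = "hashed:key-not-revealed"
        report.append((kind, status, sats))
    return report

def exposed_sats(report):
    """Total value (satoshis) held in outputs whose key is already visible."""
    return sum(sats for _, status, sats in report if status.startswith("exposed"))

# Constructed sample holdings (not real keys or hashes).
P2PK = "21" + "02" + "11" * 32 + "ac"
P2PKH_REUSED = "76a914" + "22" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "33" * 20
P2TR = "5120" + "44" * 32
UTXOS = [(P2PK, 5_000_000_000), (P2PKH_REUSED, 120_000),
         (P2WPKH_FRESH, 300_000), (P2TR, 40_000)]
REPORT = audit(UTXOS, spent_scripts={P2PKH_REUSED})
```

In practice the list of unspent outputs and the set of previously spent scripts would come from the custodian's own wallet records or a node index, which this sketch does not query.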

No reason to panic, but every reason to prepare

Quantum computing won’t drive digital asset markets in 2026. Aggressive roadmap updates from major hardware players could cause short-term volatility events, but they are unlikely to substantially influence prices. There are still massive technological challenges in terms of scalability and interconnection of reliable logical qubits. We don’t expect CRQCs to be operative by 2030. But still, the direction of travel is unmistakable: the cryptographic foundation underpinning digital asset ownership will need to be reassessed. That is a matter of when, not if. 

The encouraging news is that postquantum cryptography keeps being studied, tested, and improved. The developer communities around major protocols like Bitcoin or Ethereum understand what’s coming. Holdings already stored in secure address formats are protected right now. Institutions that start asking the right questions today, and that work with counterparties who can give them informed answers, will be well-positioned to manage this transition without disruption. 

The broader lesson here is one that applies to every major infrastructure transition: for systems that operate at this scale and consequence, the window for orderly adaptation doesn’t stay open forever. It’s worth using while it’s still possible.

The article was first published in Finanz & Wirtschaft in April 2026.
