Key Risks: Quantum Computing & BTC's Cryptography
A look into quantum computing developments and their risks with bitcoin security
Two papers published on March 30, 2026 collapsed the estimated quantum resources needed to break Bitcoin’s elliptic curve signatures by roughly 20-fold, bringing the physical-qubit requirement from millions down to fewer than half a million on superconducting hardware.
The number drops to as few as 26,000 qubits on neutral-atom machines, a type of quantum computer also used for advanced physics simulations. The findings matter because they shift the plausible timeline for a cryptographically relevant quantum computer (CRQC) from a comfortable “decades away” to an uncomfortably near window centered on the early 2030s.
A timeline shrink Bitcoiners were not prepared for.
Before these developments Bitcoin had been moving, slowly, toward quantum resistance with a new proposal, BIP-360, which introduces new address types built to resist quantum attacks.
The proposal was merged into the official BIP repository only seven weeks before these papers landed, but it remains at the proposal stage, with its lead author estimating seven years to full post-quantum deployment.
The gap between attack capability and defense readiness is now the central risk variable for every system built on elliptic curve cryptography, and Bitcoin, with roughly 25–35% of its supply sitting behind exposed public keys, is the most visible target.
1. The Quantum Computing landscape
Quantum computing basics to understand comparisons.
We won’t go crazy deep here, just enough to contextualize what has developed.
A qubit is the basic unit of quantum information, the quantum equivalent of a classical computer’s bit. Where a bit is either 0 or 1, a qubit can exist in a superposition of both states simultaneously, which is what gives quantum computers their power for certain calculations.
The problem is that qubits are extraordinarily fragile. They lose their quantum state - a process called decoherence - after tiny fractions of a second, and every operation performed on them introduces small errors.
This is where the distinction between physical qubits and logical qubits becomes critical.
A physical qubit is an actual piece of hardware - a superconducting circuit, a trapped ion, an atom held in a laser grid. A logical qubit is a virtual, error-corrected qubit built from many physical qubits working together to catch and fix each other’s mistakes.
Think of a single unreliable witness versus a jury: by combining many imperfect accounts, you arrive at a reliable verdict.
The ratio between the two, how many physical qubits you need to produce one reliable logical qubit, is the key bottleneck in quantum computing.
Until recently, the best demonstrated ratio was roughly 400 to 1 (400 physical qubits per logical qubit) using the most common error-correction method, the surface code, though newer codes are pushing that dramatically lower.
Note that most quantum computers are described by their physical qubit count, so a machine’s headline number is not its usable logical capacity.
Here is where the major hardware players stand:
Google’s Willow is a 105-qubit superconducting processor, announced December 9, 2024. Traditionally, adding more qubits made a system less reliable, because each added qubit brought in more noise than the error correction could remove. Willow’s individual physical qubits were high-quality enough that adding more of them helped fix errors instead of adding to them; it was the first system to demonstrate that scaling up the qubit count makes the machine more reliable, not less.
This regime is called below-threshold quantum error correction, and Willow was the breakthrough. It confirmed that the fundamental approach to error correction actually works: you can scale up and get better results, not worse. Willow also solved a benchmark problem (random circuit sampling) in under five minutes that Google estimated would take a classical supercomputer 10 septillion (10^25) years (not an exaggeration).
IBM’s Nighthawk is a 120-qubit superconducting processor, unveiled November 2025. IBM demonstrated a more efficient way to bundle physical qubits into logical ones (quantum LDPC codes), potentially reducing the total hardware needed by 10–14 times compared to Google’s surface-code approach. IBM’s roadmap targets 100,000 physical qubits by 2033 via modular chip-to-chip coupling.
Quantinuum’s Helios is a 98-qubit trapped-ion system, launched November 5, 2025. Trapped-ion machines use individual charged atoms as qubits instead of superconducting circuits. Helios achieved the highest gate accuracy in the industry and demonstrated 48 logical qubits from just 98 physical qubits, a roughly 2-to-1 ratio, far more efficient than anything achieved in superconducting systems. The trade-off: trapped-ion gates are roughly 1,000 times slower.
QuEra demonstrated a 3,000-qubit neutral-atom array in September 2025, and Atom Computing’s Phoenix reached 1,180 qubits. Neutral-atom machines trap uncharged atoms in laser grids and can scale to large qubit counts quickly. Like trapped ions, they are slow, but they may compensate with much better physical-to-logical qubit ratios.
The speed difference between architectures has a direct consequence for cryptographic attacks.
Superconducting gates operate in billionths of a second (nanoseconds).
Trapped-ion and neutral-atom operations take millionths to thousandths of a second.
For a calculation requiring trillions of operations, this difference turns minutes on a superconducting machine into days or weeks on the slower platforms.
Google’s March 2026 paper draws this distinction sharply: a fast superconducting quantum computer could attack a Bitcoin transaction in real time, while a slower machine would only threaten coins whose public keys have been sitting exposed on the blockchain for years.
2. How Bitcoin’s cryptography works, and where it’s vulnerable
There are two main ways a quantum computer could attack Bitcoin, and the speed gap between superconducting and trapped-ion or neutral-atom gates determines which attack each machine is capable of.
Short-range attacks target a Bitcoin transaction while it is happening. When you send Bitcoin, your public key is exposed between the moment you broadcast the transaction and the moment it is confirmed in a block (why the public key matters is covered below).
A fast quantum computer (superconducting, running in minutes) could theoretically intercept the transaction, derive your private key from the exposed public key, and submit a competing transaction stealing your funds before the original confirms. This is the harder attack because the attacker is racing the clock.
Long-range attacks target coins that are already sitting behind public keys that have been visible on the blockchain for years. There’s no time pressure. The attacker downloads the public key at their leisure, runs the algorithm over days or weeks if needed, recovers the private key, and moves the funds.
This is why slower quantum architectures (trapped ion, neutral atom) are still a threat even if they take 10 days to crack a key: they don’t need to beat a 10-minute confirmation window, they just need to crack keys that have been exposed since 2009. Satoshi’s coins, early P2PK outputs, and any address that has been reused are all targets for this kind of attack.
To see exactly where this breaks, start with the basics of Bitcoin’s construction.
Bitcoin is a ledger.
Every transaction on the network is a signed message that says “I, the owner of this Bitcoin, am sending it to someone else.” The signature proves ownership. The security of ownership rests on one mathematical relationship between a private key and its public key; mining consensus (Proof of Work) is a separate mechanism that orders transactions, and it is addressed at the end of this section.
Every Bitcoin wallet starts with a private key (a randomly generated 256-bit number).
The private key is what authorizes spending from the wallet and must never be revealed.
From the private key, a public key is derived by multiplying a fixed base point on a specific elliptic curve (called secp256k1) by the private key. This multiplication is easy to do forward (it takes a fraction of a second) but essentially impossible to reverse.
Undoing it with classical computers would take:
12,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years
This is the one-way trapdoor that makes Bitcoin work.
From the public key, a Bitcoin address is created by running it through two hash functions (SHA-256 followed by RIPEMD-160), producing a shorter, more compact identifier.
This is what you share with someone who wants to send you Bitcoin.
When you spend Bitcoin, your wallet uses your private key to produce a digital signature. The network verifies this signature against your public key. If it checks out, the transaction is accepted. At no point does the private key itself need to be revealed.
The vulnerability lies in when and whether your public key becomes visible on the blockchain.
A sufficiently powerful quantum computer running Shor’s algorithm can reverse that trapdoor: given a public key, it recovers the private key in minutes to days rather than on the timescale above. Building a machine powerful enough is the gap that is now closing.
In the legacy address format (P2PKH, addresses starting with “1”) and its SegWit successor (P2WPKH, addresses starting with “bc1q”), only a hash of your public key is stored on-chain. Your actual public key appears only when you spend from the address.
Once you do spend, your public key is permanently recorded in that transaction. If you receive new funds at the same address later, those funds now sit behind a public key that anyone can see.
It is best practice in Bitcoin that after you spend from an address you don’t receive to it again.
Today’s wallets (like Electrum, Ledger, Trezor) are Hierarchical Deterministic (HD) wallets. Your single seed phrase (12–24 words) can generate thousands of new, unique addresses. The wallet software automatically picks a fresh one for every receipt, while you keep the same wallet file.
So users of modern Bitcoin wallets don’t have to create or retire a wallet every time they transact; the wallet rotates addresses for them.
As a note: a quantum computer recovering your seed phrase from an exposed public key is not a risk. The seed-to-private-key derivation uses hash functions (HMAC-SHA512 under BIP32), and hashing is a fundamentally different operation, a one-way blender rather than a structured mathematical relationship.
There’s no known quantum algorithm that efficiently reverses a hash. Grover’s algorithm gives a square-root speedup against hashes, which roughly halves the effective bit-length (a 256-bit hash keeps about 128 bits of quantum security), reducing the difficulty from “impossible” to “still impossible”.
The real issue is the mathematical relationship with the private key and public key.
Early Bitcoin transactions used a different format (P2PK) that embedded the full public key directly in the output. Every block mined in Bitcoin’s first years, including all of Satoshi Nakamoto’s estimated 1.1 million BTC, used this format. Those public keys have been visible since 2009.
Taproot outputs (P2TR, addresses starting with “bc1p”), introduced in November 2021, also expose a (tweaked) public key in the output script itself, so they are visible from the moment funds are received.
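To make the exposure rules concrete, here is an added example (not code from the article or from any Bitcoin project) that derives public keys on secp256k1 from the curve constants and then replays a constructed mini ledger to flag which unspent outputs are already long-range targets: P2PK and P2TR outputs carry the key in the script itself, while P2PKH/P2WPKH outputs become exposed once any spend has revealed the key behind the same 20-byte hash. The transactions, txid labels and the placeholder hash for “Bob” are constructed; the one real hash value used is the well-known HASH160 of the public key for private key 1.

```python
"""Added example (not part of the article): scan a constructed mini ledger for
unspent outputs whose public key is already visible on-chain, i.e. long-range
Shor targets. secp256k1 is implemented from its constants so this runs offline;
the transactions below are constructed, not real chain data."""
import hashlib

# secp256k1 domain parameters (SEC 2); these are the real curve constants.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Group law on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P


def pubkey(priv):
    """Forward direction of the trapdoor: priv * G by double-and-add. About 256
    doublings whatever the key; reversing it is the discrete-log problem."""
    assert 0 < priv < N
    acc, cur = None, G
    while priv:
        if priv & 1:
            acc = _add(acc, cur)
        cur = _add(cur, cur)
        priv >>= 1
    x, y = acc
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")   # compressed SEC form


def hash160(key):
    """SHA-256 then RIPEMD-160, the address step for P2PKH/P2WPKH. RIPEMD-160 is
    missing from hashlib on some OpenSSL 3 builds, so the ledger below uses a
    known hash value instead of calling this at import time."""
    return hashlib.new("ripemd160", hashlib.sha256(key).digest()).digest()


def classify(spk):
    """Return (type, key, key_hash): key when the output script itself carries
    the public key, key_hash when it carries only HASH160(key)."""
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "P2PK", spk[1:-1], None            # <push key> OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", None, spk[3:23]           # DUP HASH160 <h> EQUALVERIFY CHECKSIG
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", None, spk[2:]            # OP_0 <h>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", spk[2:], None              # OP_1 <32-byte x-only key>
    return "other", None, None


def exposed_utxos(txs):
    """Replay txs in order; return {outpoint: (type, reason)} for every unspent
    output whose key is visible, either in its script or via an earlier spend."""
    utxo, revealed = {}, set()
    for tx in txs:
        for prev in tx["inputs"]:
            kind, key, key_hash = classify(utxo.pop(prev))
            if key_hash is not None:       # scriptSig/witness had to show the key
                revealed.add(key_hash)
        for vout, spk in enumerate(tx["outputs"]):
            utxo[(tx["txid"], vout)] = spk
    report = {}
    for outpoint, spk in utxo.items():
        kind, key, key_hash = classify(spk)
        if key is not None:
            report[outpoint] = (kind, "key is in the output script")
        elif key_hash in revealed:
            report[outpoint] = (kind, "hash reused after a spend revealed its key")
    return report


# Script builders for the constructed ledger.
def p2pk(key): return bytes([len(key)]) + key + b"\xac"
def p2pkh(h): return b"\x76\xa9\x14" + h + b"\x88\xac"
def p2wpkh(h): return b"\x00\x14" + h
def p2tr(key): return b"\x51\x20" + key[1:]   # x-only: drop the parity byte


KEY1_H160 = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")  # HASH160(pubkey(1)), BIP173 vector
BOB_H160 = bytes(range(20))                                             # constructed placeholder, not a real hash

LEDGER = [   # constructed; txids are labels, not real hashes
    {"txid": "cb", "inputs": [], "outputs": [p2pk(pubkey(3))]},            # 2009-style coinbase
    {"txid": "t1", "inputs": [], "outputs": [p2pkh(KEY1_H160), p2wpkh(KEY1_H160),
                                             p2tr(pubkey(2)), p2wpkh(BOB_H160)]},
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [p2wpkh(BOB_H160)]},  # key 1 spends, revealing itself
]

if __name__ == "__main__":
    for outpoint, (kind, why) in sorted(exposed_utxos(LEDGER).items()):
        print(outpoint, kind, why)
```

Replaying the ledger flags three of five unspent outputs: the P2PK coinbase and the Taproot output are exposed from creation, and the P2WPKH output at t1:1 becomes exposed the moment t2 spends the P2PKH output at t1:0, because both scripts wrap the same HASH160 and the spend puts the key on-chain. Keying the reuse check on the 20-byte hash rather than on the whole script is deliberate: a legacy and a SegWit address derived from one key are different scripts but the same target. Bob’s outputs stay clean because nothing has ever revealed the key behind his hash.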
Multiple analyses converge on the scale of exposure:
Roughly 4–7 million BTC (25–35% of circulating supply) sits behind public keys that are already visible on the blockchain. Deloitte’s blockchain analysis identified approximately 4 million BTC in vulnerable addresses.
The Human Rights Foundation calculated 6.2 million BTC (~$683 billion) at risk, of which 1.7 million BTC in P2PK format is likely unmovable because the keys are presumed lost.
Google’s own whitepaper mapped approximately 6.9 million BTC across all vulnerable script types.
A separate concern, whether quantum computers could “break” Bitcoin mining, is not a near-term threat. The best quantum speedup against Bitcoin’s mining hash (double SHA-256) is Grover’s square-root improvement, which sounds dramatic but in practice would require roughly 10^23 qubits and more energy than a star produces. This is centuries or millennia away.
The reader should take away one thing from this section: Bitcoin’s security depends entirely on the assumption that you cannot derive a private key from a public key. Quantum computers running Shor’s algorithm can do exactly that, and two new papers just showed it will take far fewer qubits than anyone expected.
3. Two papers redrew the threat timeline
Before 2024, the consensus estimate for breaking Bitcoin’s cryptography with a quantum computer was roughly 10–20 million physical qubits, a number so large it seemed decades away.
Then three papers arrived in rapid succession.
In May 2025, Google researcher Craig Gidney published a paper showing that the quantum resources needed to break RSA-2048 (a widely used encryption standard) could be reduced from 20 million noisy qubits to fewer than 1 million. This was a roughly 20-fold reduction achieved at the algorithmic level, not from building better hardware but from finding more efficient ways to run the same calculation and to correct its errors.
Then, on March 30, 2026, two papers landed simultaneously.
The first, from Google Quantum AI, was authored by Ryan Babbush, Craig Gidney, and colleagues, with co-authors Justin Drake of the Ethereum Foundation and Dan Boneh of Stanford. It specifically targeted Bitcoin’s secp256k1 curve.
The result: the key-recovery algorithm runs with approximately 1,200 logical qubits and roughly 90 million Toffoli gates. Toffoli gates are the expensive logical operations the attack is measured in; think of them as individual steps in a very long calculation, so fewer gates means a faster attack. On superconducting hardware this translates to fewer than 500,000 physical qubits and a runtime of approximately 9–18 minutes, a 20-fold reduction from the prior best estimate.
The second paper, from Oratomic (a startup founded by ex-Google and Caltech researchers), was authored by Madelyn Cain, John Preskill, and colleagues.
It applied a more efficient error-correction method to neutral-atom architectures, achieving a physical-to-logical qubit ratio of roughly 10-to-1 instead of 400-to-1.
The result: breaking Bitcoin’s signatures with approximately 26,000 physical qubits in roughly 10 days, or as few as 10,000 qubits with longer runtime. The caveat: this relies on error-correction methods that have not yet been demonstrated at scale.
An unprecedented feature of the Google paper was its use of a zero-knowledge proof, a cryptographic technique that lets you prove you know something without revealing what you know, to validate the existence of the optimized circuits without publishing them. The proof confirmed the circuits work correctly on at least 99% of inputs with 128-bit cryptographic certainty.
Google engaged with the U.S. government prior to publication and urged other quantum teams to adopt similar responsible disclosure, stating that progress has reached the stage where it is prudent to stop publishing attack methods.
Justin Drake, the Ethereum Foundation researcher who co-authored the Google paper, posted publicly on March 31, 2026 that his confidence in “q-day”, the day a quantum computer breaks real cryptography, arriving by 2032 had “shot up significantly,” with at least a 10% probability.
He noted the attack circuit is “surprisingly shallow” and that on a superconducting machine, total runtime would be roughly 1,000 seconds. He warned that “from now on, assume state-of-the-art algorithms will be censored”, reflecting the Google team’s decision to withhold details. He also pointed out that AI has not yet been applied to finding further optimizations and that the logical qubit count “could plausibly go under 1,000 soonish.”
4. Bitcoin’s defenses are under construction but years from deployment
The primary defensive proposal is BIP-360, authored by Hunter Beast of MARA and co-authored by Ethan Heilman and Isabel Foxen Duke.
It formally became a Bitcoin proposal on December 18, 2024 and was merged into the official Bitcoin BIP repository on February 11, 2026. BIP-360 introduces a new address type (“bc1z” addresses) that removes the key-path spend, the part that exposes an elliptic-curve public key.
It introduces “Pay-to-Merkle-Root” (P2MR), which removes spending via a bare public key by forcing all payments to go through script paths.
Crucially, it is a framework: it creates the plumbing for post-quantum signatures without specifying which signature algorithm to use, allowing future proposals to plug in specific options without requiring another consensus change.
But the hurdles are not just technical; they are logistical and political as well.
The signature-size problem is the dominant engineering constraint. Larger signatures mean larger transactions, which means fewer transactions per block, higher fees, and lower throughput.
Currently Bitcoin signatures are roughly 72 bytes (ECDSA) or 64 bytes (Schnorr, under Taproot). The leading post-quantum replacements are dramatically larger, ranging from roughly 666 bytes (FALCON-512, the most compact candidate) to nearly 8,000 bytes (SPHINCS+ at its smallest baseline parameter set).
NIST has already standardized three post-quantum algorithms (August 2024): ML-KEM for key encapsulation, ML-DSA for lattice-based signatures, and SLH-DSA for hash-based signatures. A fourth, FALCON (to be standardized as FN-DSA), is progressing toward standardization.
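As an added example that is not part of the article, here is a small model of that constraint using Bitcoin’s weight-unit accounting from SegWit (BIP141): witness bytes weigh 1, everything else weighs 4, and a block holds 4,000,000 weight units. The per-transaction byte counts for a one-input, one-output SegWit spend are this example’s assumptions, and the signature sizes are the article’s figures; the point it adds is that the witness discount softens the blow only for signatures that live in the witness.

```python
"""Added example (not from the article): how signature size changes block
capacity under BIP141 weight accounting. Byte counts for the transaction skeleton
are this example's assumptions for a 1-input, 1-output SegWit spend."""

MAX_BLOCK_WEIGHT = 4_000_000   # consensus limit since SegWit (BIP141)

# Assumed skeleton sizes: version + locktime + two varint counts (10 bytes),
# one input without scriptSig (41 bytes), one 22-byte-script output (31 bytes).
NON_WITNESS_BYTES = 10 + 41 + 31
# Witness overhead: marker/flag (2), item count (1), two length prefixes (2),
# and a 33-byte public key alongside the signature.
WITNESS_OVERHEAD = 2 + 1 + 2 + 33

SIGNATURE_BYTES = {              # the article's figures
    "ECDSA (today)": 72,
    "FALCON-512": 666,
    "SPHINCS+ (baseline)": 8000,
}


def tx_weight(sig_bytes, sig_in_witness=True):
    """Weight = 4 * non-witness bytes + 1 * witness bytes."""
    if sig_in_witness:
        return 4 * NON_WITNESS_BYTES + WITNESS_OVERHEAD + sig_bytes
    # A legacy scriptSig carries no witness discount: every byte weighs 4.
    return 4 * (NON_WITNESS_BYTES + sig_bytes)


def txs_per_block(sig_bytes, sig_in_witness=True):
    """Whole transactions of this shape that fit in one block."""
    return MAX_BLOCK_WEIGHT // tx_weight(sig_bytes, sig_in_witness)


def capacity_table():
    """Per-scheme capacity with the signature in the witness."""
    return {name: txs_per_block(size) for name, size in SIGNATURE_BYTES.items()}


if __name__ == "__main__":
    for name, count in capacity_table().items():
        print(f"{name:22s} {count:6d} tx/block")
    print("FALCON-512 without witness discount:", txs_per_block(666, False))
```

With these assumptions a block holds roughly 9,100 ECDSA spends, about 3,900 FALCON-512 spends, and under 500 SPHINCS+ spends; putting a FALCON signature in a legacy scriptSig instead of the witness drops capacity to about 1,300, which is why post-quantum proposals keep signatures in witness data.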
Bitcoin itself has made some strides toward implementation.
Blockstream Research developed a hybrid approach called SHRINCS that achieves signatures as small as 292 bytes and deployed it on the Liquid Network (a Bitcoin sidechain) on March 6, 2026; these were the first post-quantum-signed transactions on a production Bitcoin network. BTQ Technologies launched the first working BIP-360 implementation on a testnet on March 20, 2026.
A companion proposal called QBIP, published July 14, 2025 by Jameson Lopp and others, outlines a three-phase migration:
Phase A (approximately 3 years after activation) would prohibit sending to vulnerable addresses.
Phase B (approximately 8 years total) would freeze unmigrated funds by invalidating old signature types.
Phase C would let owners recover frozen coins by proving they hold the original seed phrase, likely requiring a hard fork.
A hard fork is one of the biggest points of discussion, showing the governance challenge may exceed the technical one.
A survey of Bitcoin’s most influential developers reveals deep skepticism about urgency.
Adam Back (Blockstream CEO) has called quantum concerns “FUD” and estimates the threat at 20–40 years away. James O’Beirne stated in February 2026 that “quantum doesn’t even breach the top 100 things when it comes to Bitcoin.” The community’s track record of slow deliberation (SegWit, a BTC improvement proposal, took 20 months to activate and five-plus years to reach 50% adoption) suggests that even under ideal conditions, full migration could take 7–15 years.
5. Governments have already started the clock
NIST finalized its first three post-quantum cryptography standards on August 13, 2024.
The NSA’s CNSA 2.0 framework, published September 2022, mandates that all National Security Systems support quantum-resistant algorithms by 2025–2027, with exclusive use by 2030–2033 and full transition by 2035.
The driver is the “harvest now, decrypt later” threat model: an attacker intercepts and stores encrypted data today, planning to decrypt it years from now when quantum computers are powerful enough. This is why governments are acting now rather than waiting. For most systems the attack requires intercepting data in transit. Bitcoin is uniquely exposed because the entire blockchain is a public ledger: every exposed public key has been available for download since the day it was broadcast, and no future migration can retroactively protect this data.
The Federal Reserve published a dedicated study in September 2025 describing the harvest-now-decrypt-later threat to Bitcoin as “present and ongoing.”
The G7 Cyber Expert Group warned in 2024 that quantum capabilities “could emerge within a decade.” The Bank for International Settlements has tested quantum-resistant encryption between central bank payment systems.
CISA, NSA, and NIST published a joint factsheet urging all organizations to begin preparing immediately. The UK’s National Cyber Security Centre published a migration roadmap targeting completion by 2035. A corporate assessment placed the average expected arrival of a code-breaking quantum computer at roughly 2033.
6. The race between attack and defense defines the risk
The realistic timeline range for a quantum computer capable of breaking Bitcoin’s cryptography spans 2029 (aggressive) to the mid-2030s (consensus) to 2040+ (conservative).
Google and IBM both target fault-tolerant systems by 2029. Quantinuum targets 2030. Justin Drake’s 10% probability of q-day by 2032 sits within the institutional consensus range. The Oratomic paper’s 26,000-qubit threshold is within reach of several company roadmaps by the late 2020s, though its reliance on unproven error-correction methods at scale warrants caution.
The scenario where Bitcoin’s value faces material threat before a defensive upgrade can be implemented is not implausible.
If a code-breaking quantum computer emerges by 2030–2032, and Bitcoin’s post-quantum upgrade requires 7–15 years from the current proposal stage, the timelines overlap.
An attacker’s first targets would be dormant P2PK outputs, which carry no time pressure and no detection risk. The roughly 1.7 million BTC in P2PK format (approximately 8% of total supply) cannot be migrated because the keys are presumed lost.
Even before a successful attack, credible evidence of a quantum computer’s existence could trigger a confidence crisis.
Bitcoin has survived existential threats before.
On August 15, 2010, a bug created 184.4 billion BTC - 9,000 times the intended supply cap. Developers released a patched client within five hours and the network forked away from the invalid chain.
In March 2013, an unintentional chain split lasted six hours before mining pools voluntarily reconverged. The block size wars of 2015–2017 tested Bitcoin’s governance under sustained corporate and mining pressure over two years. These precedents show that Bitcoin’s community can execute emergency fixes in hours and navigate governance crises over months to years.
The quantum threat differs in one critical respect: unlike those incidents, it cannot be resolved by a simple patch. It requires replacing the cryptographic foundation of every transaction on the network, migrating billions of dollars to new address formats, and making an irreversible decision about coins that cannot be moved.
For Bitcoin holders today, the immediate actions are straightforward: avoid address reuse, use hashed-key address types (P2WPKH or P2WSH) rather than Taproot outputs that carry the key, and move any funds sitting in addresses with prior outgoing transactions to fresh addresses.
The longer-term picture depends on whether Bitcoin’s development community can compress a historically slow consensus process to match an accelerating threat timeline. BIP-360’s merge in February 2026 is the first concrete step. Whether it is fast enough depends on a question no one can yet answer: when the first code-breaking quantum computer will run its first attack against a real elliptic curve key, and whether its owner will announce the result or simply use it.