Bitcoin Faces Growing Quantum Computing Threat

1,200. That is the figure published in March 2026 in a landmark whitepaper from Google Quantum AI. Using optimised versions of Shor’s algorithm, the team showed that breaking the 256-bit elliptic curve cryptography protecting every Bitcoin address requires at most 1,200 logical qubits and fewer than half a million physical qubits. That estimate is roughly 20 times lower than the figures that prevailed in the field five years ago. IonQ’s roadmap targets 1,600 logical qubits by 2028 and potentially up to 80,000 by 2030. IBM’s quantum roadmap aims for its Blue Jay system with 2,000 logical qubits by 2033.

To grasp why this matters, it helps to first understand the cryptographic foundations Bitcoin is built on. Bitcoin’s security rests on two distinct pillars. The first is SHA-256, the hash function that underpins mining and address generation. The second is ECDSA, the Elliptic Curve Digital Signature Algorithm, which governs ownership. Each time Bitcoin is sent, ECDSA produces a digital signature that proves your control of the wallet’s private key and authorises the transaction. Bitcoin’s implementation uses a specific elliptic curve, secp256k1, on which public-private key pairs are generated. Your private key is a random number; your public key is derived from it by elliptic curve scalar multiplication. That computation is easy to run in one direction, but reversing it (recovering the private key from the public key) is infeasible for any classical computer. That one-way property is the foundation on which Bitcoin ownership rests.

Quantum computers attack these two systems in very different ways, and the distinction matters. Quantum computers can speed up certain searches, but with the hardware available today they cannot pose a significant threat to Bitcoin’s mining infrastructure. Mining is not the problem. Shor’s algorithm is a different story altogether. It can break the mathematical barrier protecting every Bitcoin private key, something no classical computer can do. According to the Google Quantum AI whitepaper, a machine with 1,200 logical qubits could derive a private key in roughly nine minutes, close to the time it takes Bitcoin to confirm a single block. Several quantum hardware architectures are approaching that threshold. The threat timeline is therefore a floor rather than a ceiling: if any one of them gets there early, the window closes ahead of schedule. Call it a decade. It could be less.

There is a version of this problem that does not require waiting until 2029. State-level intelligence agencies do not need a quantum computer today to begin exploiting Bitcoin transaction data. They need storage, which is cheap, and patience, which institutions have in abundance. The strategy is straightforward: capture encrypted blockchain data now and decrypt it later, once the hardware catches up. In security circles this is known as “Harvest Now, Decrypt Later”, or HNDL. By most credible assessments, the practice is already underway.

For the majority of Bitcoin transactions this is an inconvenience rather than a fundamental threat: the data is public anyway, and the expectation was always pseudonymity, not full anonymity. HNDL matters far more for anyone running privacy-preserving applications on blockchain infrastructure. Confidential transactions and encrypted cross-chain messaging: everything recorded today is sitting in a collector’s vault, waiting for the quantum key. The long-term confidentiality assumption built into those systems is already broken, whether users realise it or not.

There is a second attack surface that rarely gets enough scrutiny. Every unconfirmed transaction in the mempool broadcasts its public key before confirmation. Once a sufficiently powerful quantum computer exists, that broadcast window (typically around ten minutes for Bitcoin, sometimes considerably longer) becomes an attack window. An adversary who can derive a private key from a public key faster than a block is mined can redirect the transaction before it settles. The technical term is a real-time substitution attack. It means the problem is not limited to wallets that have sat exposed for years. It is about every transaction, in real time, from the moment quantum hardware crosses the threshold. The implication is uncomfortable: the clock on Bitcoin’s vulnerability did not start ticking in 2029. For anyone whose data is worth collecting and storing, it has already started. When quantum capability arrives, it will not hit the network uniformly. The damage will be targeted, determined by a technical distinction most Bitcoin holders have never considered.

Not all Bitcoin addresses carry the same risk. Older P2PK outputs expose the public key permanently on the blockchain, making them a standing target for any future quantum attacker. Newer formats such as P2PKH and P2WPKH keep the public key hidden until the funds are actually spent, which sharply narrows the window of vulnerability. The problem is what sits in the older format. Satoshi Nakamoto’s early mining rewards, over a million Bitcoin by most estimates, were recorded in the older P2PK format. Their public keys are on the blockchain, and have been for more than seventeen years. Nobody can migrate those coins, because nobody holds the private keys. If a cryptographically relevant quantum computer arrives before Bitcoin’s infrastructure can be upgraded, those addresses get no warning; they become the prime targets. Quantum-resistant hard forks are under discussion, but the simplest move for an attacker would be to drain them immediately, so rapid theft is the most likely outcome unless contentious collective measures are adopted. That is not a systemic collapse. It is a targeted one. The first targets of quantum-capable attacks will not be chosen at random; they will be chosen by exposure. In a remarkable twist, the largest exposed position in Bitcoin’s history has no owner able to act on it.
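To make the exposure distinction concrete, here is an added example (not from the article) that classifies a scriptPubKey by whether it already reveals a curve point on-chain, and that checks what a P2PKH spend reveals during the mempool window described earlier. It goes beyond the article’s list by also covering Taproot (P2TR), whose x-only output key is exposed the way a P2PK key is; all keys and hashes in the sample data are constructed placeholders.

```python
OP_0, OP_1, OP_DUP, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x88   # Bitcoin Script opcodes
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC

def pushes(script):
    """Yield the data of each direct push (opcode 1..75 = push that many bytes)."""
    i = 0
    while i < len(script):
        n = script[i]
        if 1 <= n <= 75 and i + 1 + n <= len(script):
            yield script[i + 1:i + 1 + n]
            i += 1 + n
        else:
            i += 1                     # plain opcode, carries no data

def classify_output(spk):
    """Map a scriptPubKey to (type, key_exposed). key_exposed=True means the
    curve point already sits on-chain unspent, so key derivation can start any time."""
    if len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False          # only HASH160(pubkey) is visible
    if len(spk) == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False         # same hash, inside a witness program
    if len(spk) == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True            # x-only output key; key-path spend
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True            # raw pubkey followed by OP_CHECKSIG
    return "other", None

def key_revealed_by_spend(script_sig):
    """P2PKH inputs push <sig> <pubkey>; once broadcast, the pubkey is public for
    the whole confirmation window. Returns the pubkey push, or None if absent."""
    for item in pushes(script_sig):
        if len(item) in (33, 65) and item[0] in (2, 3, 4):
            return item
    return None

def exposed_value(utxos):
    """Total sats in outputs whose key is already public. utxos: [(spk, sats)]."""
    return sum(v for spk, v in utxos if classify_output(spk)[1])

# Constructed sample data (placeholder keys and hashes, not real chain values).
PUBKEY = bytes([2]) + bytes(range(32))                    # 33-byte compressed key
H20, XONLY = bytes(20), bytes([0x55]) * 32
SAMPLE_UTXOS = [
    (bytes([33]) + PUBKEY + bytes([OP_CHECKSIG]), 5_000_000_000),            # P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 100_000),
    (bytes([OP_0, 20]) + H20, 250_000),                                      # P2WPKH
    (bytes([OP_1, 32]) + XONLY, 75_000),                                     # P2TR
]
SAMPLE_SCRIPTSIG = bytes([71]) + bytes(71) + bytes([33]) + PUBKEY            # <sig> <pubkey>
```

Run over a real UTXO snapshot, `exposed_value` gives the “standing target” balance the article describes, while `classify_output` returning `False` marks coins that only become derivable once their owner broadcasts a spend.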

The cryptographic solutions exist. This is not a case where the industry is waiting for a scientific breakthrough. NIST finalised its post-quantum cryptography standards in 2024, including CRYSTALS-Dilithium, Falcon, and SPHINCS+. The algorithms are published, peer-reviewed, and available. The question is whether Bitcoin can deploy them before the window closes. Answering that requires an honest accounting of what PQC migration costs. Post-quantum signatures are far larger than the signatures Bitcoin uses today, in some cases hundreds of times larger. A 2026 study modelled the transition directly: throughput drops 52 to 57 percent, fees rise two to three times, and storage requirements grow dramatically across the entire network. None of that gives users a faster network, cheaper transactions, or a better experience. It protects them against a threat that has not yet materialised. It is a defensive downgrade. You pay the costs now. The benefits are abstract and deferred. Now consider the governance process that has to approve it. Bitcoin’s SegWit upgrade, which delivered significant, concrete performance improvements, took about two years from formal proposal to activation, through a sharply divided community.

SegWit had proponents who could point to immediate, measurable benefits. PQC migration has no comparable rationale. The pitch is: accept 57 percent less throughput, pay two to three times more in fees, and absorb years of implementation risk, so that a quantum computer that does not exist yet cannot break a signature scheme that has not failed yet. The Bitcoin community has produced two proposals so far. BIP 360 introduces a quantum-resistant address format built on Taproot that removes the quantum-vulnerable key-spend path, so public keys are not exposed before a transaction is executed. BIP 361 goes further: it proposes phasing out the existing signature system, eventually freezing funds in wallets that have not migrated until their owners act. By Bitcoin standards, that is nearly revolutionary.

Ethereum’s posture looks different. Vitalik Buterin has published a quantum emergency roadmap that tackles the problem across several layers at once. An upcoming protocol upgrade will let individual accounts switch to quantum-resistant signatures on their own, with no network-wide vote. Ethereum is actively replacing the parts of its core cryptography that could be vulnerable to quantum attack, and in parallel is developing compression techniques to keep the network efficient through the transition. This is a coordinated, multi-layer response from a network whose founder is publicly leading it.

The gap between these two trajectories is not a critique of Bitcoin’s culture. Extreme conservatism in a monetary protocol is a defensible philosophy. But conservatism has a price when the threat timeline is set by other people’s engineering roadmaps rather than by internal consensus. The JBBA research estimated that reaching community consensus on PQC migration could take ten to fifteen years. The threat window is ten to fifteen years. Those two numbers are the same. In 2025, reports surfaced that at least one global investment firm had decided to exclude Bitcoin from its recommendations, citing long-term quantum security uncertainty as a key factor. It may not be the last. As the IBM and IonQ roadmaps gain credibility, due diligence frameworks will increasingly treat “post-quantum migration plan” as a line item rather than a footnote.

What actually happens is more granular and, in some respects, more worrying. The first wave hits the exposed: P2PK addresses, early mining rewards, and the Satoshi-era million coins mentioned above. A capable quantum machine would not announce itself with a market crash; it would announce itself with a series of anomalous transactions draining wallets whose owners have lost access, cannot be reached, or were never identified. The on-chain data is already there. It has been for years.

The second wave is psychological. Bitcoin’s value has always rested on more than its technical properties. It rests on a conviction: that the rules are immutable, that the maths holds, and that the asset is beyond the reach of any entity with enough resources. The moment a confirmed quantum breach makes the news, that belief takes a blow it may not recover from quickly. BlackRock and Fidelity did not build Bitcoin ETFs on a technical specification. They built them on a narrative. Narratives are fragile in a way cryptography is not. The third wave depends entirely on governance. If the Bitcoin community acts decisively, genuinely acts, with the urgency the timeline demands, then the protocol survives and the value proposition survives with it. The technology allows it. Nothing in the physics makes Bitcoin indefensible. But it demands choices that run against the instincts of a community founded on distrust of centralised control, reluctance to change, and deep scepticism of urgency as a persuasive tactic.