Today's quantum computers cannot break the signature scheme that secures Bitcoin, but recent advances from Google and IBM suggest the gap is closing faster than expected. Their progress toward fault-tolerant quantum systems raises the stakes for "Q-day," the point at which a sufficiently powerful machine could derive the private keys behind old Bitcoin addresses whose public keys are already visible on-chain, exposing more than $711 billion in vulnerable wallets.
Upgrading Bitcoin to post-quantum signatures will take years, so the work has to start long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community has yet to agree on how to move forward.
That uncertainty keeps alive the fear that a quantum computer capable of attacking Bitcoin could come online before the network is ready.
In this article we look at the quantum threat to Bitcoin and what needs to change to prepare the largest blockchain for it.
How quantum attacks work
Even a successful attack would not look dramatic. A quantum-enabled thief starts by scanning the blockchain for addresses whose public keys have already been revealed: old pay-to-public-key outputs, reused addresses, early miner rewards, and many dormant accounts fall into that category.
The attacker copies the public key and feeds it to a quantum computer running Shor's algorithm. Published in 1994 by the mathematician Peter Shor, the algorithm lets a quantum machine factor large integers and solve discrete logarithm problems exponentially faster than any known classical method. Bitcoin's signatures (ECDSA and Schnorr on the secp256k1 curve) rely on the hardness of the elliptic-curve discrete logarithm problem. With enough error-corrected logical qubits, a quantum computer can use Shor's method to compute the private key that corresponds to a published public key.
Once the private key is recovered, the attacker can move the coins, said Justin Thaler, research partner at Andreessen Horowitz and associate professor at Georgetown University.
"What a quantum computer can do, and this is relevant to Bitcoin, is forge the digital signatures that Bitcoin uses today," Thaler said. "Someone with a quantum computer could authorize a transaction that takes all your bitcoins out of your account without you authorizing it. That's OK. That's what I'm worried about."
A forged signature is indistinguishable from a genuine one to the Bitcoin network: nodes accept it, miners include it in blocks, and nothing on-chain marks the transaction as suspicious. If an attacker drains a large set of exposed addresses at once, billions of dollars can move within minutes, and the market will start reacting before anyone has confirmed that a quantum attack is under way.
The state of quantum computing in 2025
In 2025, quantum computing is finally starting to feel less theoretical and more practical.
- December 2024: Google's 105-qubit Willow chip demonstrates significant error reduction as qubit count grows and benchmark results beyond the reach of classical supercomputers.
- February 2025: Microsoft unveils the Majorana 1 platform and, with Atom Computing, reports a record number of entangled logical qubits.
- April 2025: NIST extends the coherence time of superconducting qubits to 0.6 milliseconds.
- June 2025: IBM sets a goal of 200 logical qubits by 2029 and more than 1,000 logical qubits in the early 2030s.
- October 2025: IBM entangles 120 qubits. Google reports a verifiable quantum advantage result on its hardware.
- November 2025: IBM announces new chips and software aimed at quantum advantage by 2026 and fault-tolerant systems by 2029.
Why Bitcoin is vulnerable
Bitcoin signatures use elliptic curve cryptography. Spending from an address reveals the public key behind it, and once published that key stays on the blockchain forever. In Bitcoin's original pay-to-public-key (P2PK) format, the public key itself was written into the output script, so it was on-chain before the first spend. The later pay-to-public-key-hash (P2PKH) format and its SegWit successor commit only to a hash of the key, which hides it until the first spend. Taproot outputs, by contrast, put the (tweaked) public key back into the output script.
The oldest coins, including about 1 million Satoshi-era bitcoins, could be exposed to future quantum attacks because their public keys were never hidden. Thaler said that moving to post-quantum signatures is something holders have to do themselves.
“For Satoshi to protect their coins, they need to move them to a new post-quantum secure wallet,” he said. “The biggest concern is about $180 billion worth of abandoned coins, including about $100 billion that is believed to belong to Satoshi. These are huge amounts, but they are abandoned and that’s the real risk.”
Coins whose private keys have been lost add to the risk. Many have sat idle for over a decade and cannot be moved to a quantum-safe wallet without those keys, which makes them a prime target for a future quantum computer.
No one can freeze bitcoin directly on-chain. Practical safeguards against the quantum threat therefore focus on migrating vulnerable funds, adopting post-quantum address types, or managing the risk of what remains exposed.
Thaler pointed out, however, that post-quantum signature schemes produce signatures and keys far larger than today's 64-byte Schnorr signatures, and on a blockchain that size is paid for in storage, bandwidth and fees.
"Today's digital signatures are about 64 bytes. Post-quantum versions could be 10 to 100 times larger," he said. "With blockchain, every node has to store those signatures forever, so increasing their size is a much bigger problem. Managing that cost, the literal size of the data, is much more difficult here than in other systems."
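To put the 10x to 100x figure into block-space terms, here is an added example (not code from the article or from any Bitcoin project) that computes the weight of a minimal one-input, one-output transaction under Bitcoin's witness discount, for today's 64-byte Schnorr signature and for two NIST-standardised post-quantum schemes, ML-DSA-44 (2,420-byte signature, 1,312-byte public key) and SLH-DSA-SHA2-128s (7,856-byte signature, 32-byte public key). The transaction layout is an assumption: a 34-byte hash-committing output like Taproot's, an empty scriptSig, and a witness carrying the signature plus, for the post-quantum cases, the public key. No post-quantum address format is finalised, so the exact encoding will differ.

```python
# Added example: how signature size translates into block space.
# BIP 141 weight = 4 * non-witness bytes + witness bytes, and a block
# holds 4,000,000 weight units. Layout (assumed): one input, one output
# with a 34-byte scriptPubKey, empty scriptSig, everything else in the
# witness. The base-size breakdown is:
#   version(4) + input count(1) + input(32 txid + 4 vout + 1 scriptSig
#   length + 4 sequence) + output count(1) + output(8 value + 1 length +
#   34 script) + locktime(4)
BLOCK_WEIGHT = 4_000_000
BASE_BYTES = 4 + 1 + 41 + 1 + 43 + 4  # 94


def varint_len(n: int) -> int:
    """Size in bytes of Bitcoin's CompactSize length prefix for n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def tx_weight(sig_len: int, pubkey_len: int = 0) -> int:
    """Weight units of the minimal tx; pubkey_len > 0 adds a key witness item."""
    items = [sig_len] + ([pubkey_len] if pubkey_len else [])
    witness = 2 + varint_len(len(items))  # marker + flag, then item count
    witness += sum(varint_len(n) + n for n in items)
    return 4 * BASE_BYTES + witness


def txs_per_block(sig_len: int, pubkey_len: int = 0) -> int:
    """How many such transactions fit in one block."""
    return BLOCK_WEIGHT // tx_weight(sig_len, pubkey_len)


# (signature bytes, public key bytes carried in the witness)
SCHEMES = {
    "Schnorr, Taproot key path (today)": (64, 0),  # key lives in the output
    "ML-DSA-44 (FIPS 204)": (2420, 1312),
    "SLH-DSA-SHA2-128s (FIPS 205)": (7856, 32),
}

if __name__ == "__main__":
    for name, (sig, pk) in SCHEMES.items():
        w = tx_weight(sig, pk)
        print(f"{name:36s} {w:6d} WU  ~{-(-w // 4):5d} vB  "
              f"{txs_per_block(sig, pk):5d} tx/block")
```

The 64-byte case reproduces the familiar 111 vbyte figure for a Taproot key-path spend; the ML-DSA-44 case is roughly nine times heavier, and SLH-DSA-128s nearly nineteen times, so the capacity loss is larger than the signature ratio alone suggests because the public key must also be carried once the output no longer contains it. This is the storage and fee pressure that the STARK-compression proposals below aim to relieve.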
The road to protection
Developers have put forward several Bitcoin improvement proposals to prepare for future quantum attacks. They range from lightweight, optional protections to a full migration of the network.
- BIP-360 (P2QRH): Introduces a new "bc1r…" address type that pairs today's elliptic curve signatures with post-quantum schemes such as ML-DSA and SLH-DSA. It offers hybrid security via a soft fork rather than a hard fork, but the larger signatures mean higher fees.
- Quantum-safe Taproot: Adds a hidden post-quantum branch to a Taproot output. If a quantum attack becomes a reality, the network could soft-fork to require spending through the post-quantum branch while users carry on as usual until then.
- Quantum-Resistant Address Migration Protocol (QRAMP): A mandatory migration plan that moves vulnerable UTXOs to quantum-secure addresses, most likely through a hard fork.
- Pay to Taproot Hash (P2TRH): Replaces the visible Taproot output key with a hash of it, shrinking the window during which the key is public without introducing a new signature scheme or breaking compatibility.
- Non-interactive transaction compression (NTC) with STARKs: Uses zero-knowledge proofs to compress many large post-quantum signatures into a single proof per block, cutting storage and fee costs.
- Commit-reveal scheme: Relies on hashed commitments published before the quantum threat materialises.
- Helper UTXO: Attaches a small post-quantum output that must be spent alongside the main one, protecting the spend.
- "Poison pill" transaction: Lets users pre-publish their recovery path.
- Folkscoin-style variants: Remain dormant until a real quantum computer is demonstrated.
Taken together, these proposals chart a step-by-step path to quantum safety. Fast, low-impact fixes such as P2TRH are available now, while heavier upgrades such as BIP-360 and STARK-based compression can follow as the risk grows. All of them require extensive coordination, and many of the post-quantum address formats and signature schemes involved are still at an early stage of discussion.
Thaler pointed out that Bitcoin's greatest strength, decentralization, makes large-scale upgrades slow and difficult, because a new signature scheme needs broad consensus among miners, developers, and users.
"Two big problems stand out with Bitcoin. First, upgrades will take a long time, if they happen at all. Second, the abandoned coins. The transition to post-quantum signatures has to be proactive, and the owners of those old wallets are gone," Saylor said. "The community will have to decide what happens to them. Either agree to remove them from circulation, or do nothing and let quantum-equipped attackers take them. That second path is legally gray, and those who seized the coins probably won't care."
Most Bitcoin holders don't need to do anything right away, but a few habits go a long way toward reducing long-term risk: don't reuse addresses, keep your public key off-chain until you spend by using a hash-based address type, and use a modern wallet format. Note that a Taproot output places the tweaked public key directly in the output script, which is the exposure P2TRH is designed to remove.
Today's quantum computers are far from being able to break Bitcoin's signatures, and predictions of when they will vary widely. Some researchers see the threat arriving within five years, others not until the 2030s, but continued investment could shorten the timeline.
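The exposure rules described above (in "Why Bitcoin is vulnerable" and in the habits just listed) can be checked mechanically. The following Python script is an added example, not code from the article or from any Bitcoin project: it recognises the standard output script templates and reports which unspent outputs already have their spending key on-chain. P2PK and Taproot outputs carry the key in the output script itself; hash-based outputs (P2PKH, P2SH, P2WPKH, P2WSH) reveal it only when spent, so a reused address becomes exposed the moment any one of its outputs is spent. The transaction IDs, key and hashes are constructed placeholders.

```python
from dataclasses import dataclass

# Output types whose script already contains the public key (for Taproot,
# the tweaked x-only output key), so a Shor-capable attacker can target
# them before any spend.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Output types that commit only to a hash; the key (or script) appears
# on-chain the first time an output with that script is spent.
HASH_ONLY = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


@dataclass(frozen=True)
class Output:
    txid: str
    vout: int
    script_pubkey: bytes
    spent: bool


def script_type(spk: bytes) -> str:
    """Recognise the standard scriptPubKey templates by their byte layout."""
    # <push 33|65> <pubkey> OP_CHECKSIG
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    # OP_HASH160 <20> <hash160> OP_EQUAL
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    # OP_0 <20> <hash160>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    # OP_0 <32> <sha256>
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # OP_1 <32> <x-only output key>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"


def exposed_utxos(outputs):
    """Unspent outputs whose spending key is already public, with the reason."""
    spent_scripts = {o.script_pubkey for o in outputs if o.spent}
    exposed = []
    for o in outputs:
        if o.spent:
            continue
        kind = script_type(o.script_pubkey)
        if kind in KEY_IN_OUTPUT:
            exposed.append((o, f"{kind}: key is in the output script"))
        elif kind in HASH_ONLY and o.script_pubkey in spent_scripts:
            exposed.append((o, f"{kind}: address reused after a spend revealed the key"))
    return exposed


# Constructed sample data: made-up txids, a placeholder compressed key
# (0x02 prefix + 32 bytes), and placeholder hashes.
PUBKEY = bytes.fromhex("02" + "11" * 32)
H160 = bytes.fromhex("22" * 20)
XONLY = bytes.fromhex("33" * 32)
SAMPLE = [
    Output("aaaa", 0, b"\x21" + PUBKEY + b"\xac", spent=False),            # early P2PK
    Output("bbbb", 1, b"\x76\xa9\x14" + H160 + b"\x88\xac", spent=True),  # P2PKH, spent
    Output("cccc", 0, b"\x76\xa9\x14" + H160 + b"\x88\xac", spent=False), # same address, reused
    Output("dddd", 0, b"\x00\x14" + bytes.fromhex("44" * 20), spent=False),  # fresh P2WPKH
    Output("eeee", 0, b"\x51\x20" + XONLY, spent=False),                  # Taproot
]

if __name__ == "__main__":
    for out, why in exposed_utxos(SAMPLE):
        print(f"{out.txid}:{out.vout} exposed ({why})")
```

Run against the sample set, the script flags the P2PK output, the unspent P2PKH output at the reused address, and the Taproot output, and leaves the fresh P2WPKH output alone. For P2SH and P2WSH the rule is conservative: a spend reveals the redeem script, which usually contains the keys, so any reuse after a spend is treated as exposure. The Taproot case is flagged because the key-path output key sits in the script; whether that is a practical problem for a given wallet depends on the proposals above, and P2TRH exists precisely to hash it.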