
For years, quantum computing has served as cryptocurrency’s favorite doomsday scenario, a distant but present threat that periodically resurfaces as labs announce qubit milestones.
The story follows a predictable arc as researchers make gradual breakthroughs, “Bitcoin is dead” predictions fly around on social media, and the news cycle moves on.
But Adam Back’s Nov. 15 remarks on X cut through the noise with what was crucially missing from this discourse: a timeline based on physics rather than panic.
Back, the Blockstream CEO whose Hashcash proof-of-work system predates Bitcoin itself, answered questions about accelerating quantum research with a candid assessment:
Bitcoin “will probably not face” any cryptography-related vulnerabilities to quantum computers for roughly 20 to 40 years.
More importantly, he emphasized that Bitcoin doesn’t have to passively wait for that day.
NIST has already standardized quantum-secure signature schemes such as SLH-DSA, and Bitcoin could adopt these tools through a soft fork upgrade long before quantum machines pose a real threat.
His comments reframe quantum risk from an unsolvable catastrophe to a solvable engineering problem with a multi-decade runway.
This distinction matters because Bitcoin’s actual vulnerability is not what most people think. The threat does not come from SHA-256, the hash function that secures the mining process. It comes from ECDSA and Schnorr signatures on the secp256k1 elliptic curve, the signature schemes that prove ownership of coins.
A quantum computer running Shor’s algorithm could solve the secp256k1 discrete logarithm problem, derive the private key from the public key, and potentially invalidate the entire ownership model.
In pure mathematics, Shor’s algorithm makes elliptic curve cryptography obsolete.
The engineering gap between theory and reality
However, mathematics and engineering exist in different worlds. Breaking a 256-bit elliptic curve requires 1,600 to 2,500 logical, error-corrected qubits.
Each logical qubit requires thousands of physical qubits to maintain coherence and correct errors.
One analysis, based on work by Martin Roetteler and three other researchers, calculates that cracking a 256-bit EC key within the narrow time frame associated with a Bitcoin transaction would require approximately 317 million physical qubits under realistic error rates.
It is important to consider where quantum hardware actually stands. Caltech’s neutral atom system operates about 6,100 physical qubits, which are noisy and lack error correction.
More mature gate-based systems from Quantinuum and IBM operate logical-quality qubits numbering only in the tens to low hundreds.
The gap between current capabilities and cryptographic relevance is several orders of magnitude, a chasm that requires fundamental breakthroughs in qubit quality, error correction, and scalability, rather than small incremental steps.
NIST’s own post-quantum cryptography guidance states this explicitly: cryptographically relevant quantum computers do not currently exist, and expert estimates of when they will emerge vary widely. Some experts believe “within 10 years” remains a possibility, while others are firmly looking beyond 2040.
The median outlook centers on the mid-to-late 2030s, making Back’s 20-40 year horizon conservative rather than reckless.
Migration roadmap already exists
Back’s comment that “Bitcoin could be added to over time” refers to a specific proposal already circulating among developers.
BIP-360, entitled “Pay to Quantum Resistant Hash,” defines a new output type whose spending terms include both traditional and post-quantum signatures.
A single UTXO can be spent under either scheme, allowing gradual rather than forced migration.
Jameson Lopp and other developers built BIP-360 around a multi-year migration plan. First, add PQ-enabled address types via soft fork. Then gradually encourage or subsidize moving coins from vulnerable outputs to PQ-protected outputs, reserving some space in each block for these “rescue” moves.
Academic research dating back to 2017 has already recommended a similar transition. Robert Campbell’s 2025 preprint proposes a hybrid post-quantum signature in which transactions carry both ECDSA and PQ signatures during an extended transition period.
A look at how coins are distributed across address types shows why this matters. Approximately 25% of all Bitcoin, 4 million to 6 million BTC, resides in address types whose public keys are already published on-chain.
Early pay-to-public-key outputs from Bitcoin’s first few years, reused P2PKH addresses, and some Taproot outputs all fall into this category. If Shor’s algorithm against secp256k1 ever becomes practical, these coins become immediate targets.
Modern best practices already provide substantial protection. Users who spend from fresh P2PKH, SegWit, or Taproot addresses without reusing them gain a significant timing advantage.
In these outputs, the public key remains hidden behind a hash until the coins are first spent, shrinking the attacker’s window to the time a transaction sits in the mempool before confirmation, measured in minutes rather than years.
The migration effort will therefore not start from scratch; it will build on existing good practice and move legacy coins into a more secure structure.
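The distinction between exposed and hash-protected outputs can be made concrete with a small classifier. The following Python is an added example, not code from the article or from any Bitcoin project: it builds the HASH160 commitment that P2PKH and P2WPKH outputs carry, then sorts a set of constructed sample outputs into those whose spending key is already public (P2PK outputs, and hashed outputs whose key surfaced in an earlier spend through address reuse) and those still hidden behind a hash. The public keys, amounts and the `Output` type are constructed for the example and are not real curve points; the RIPEMD-160 fallback is an assumption for portability only.

```python
import hashlib
from dataclasses import dataclass


def hash160(data: bytes) -> bytes:
    """HASH160 = RIPEMD160(SHA256(data)), the commitment that P2PKH and P2WPKH
    outputs place on chain instead of the raw public key.
    Assumption for portability: some OpenSSL builds omit ripemd160, so a
    truncated double-SHA256 stands in; that fallback is not Bitcoin's construction."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


@dataclass
class Output:
    script_type: str    # constructed: "p2pk", "p2pkh" or "p2wpkh"
    script_data: bytes  # the public key (p2pk) or its HASH160 (p2pkh / p2wpkh)
    amount_btc: float


def classify(output: Output, revealed_keys: list[bytes]) -> str:
    """'exposed': the key needed to spend is already public, so a Shor-capable
    attacker could work on it at leisure.
    'hash-protected': only a hash is on chain; the key appears at spend time,
    leaving only the mempool window."""
    if output.script_type == "p2pk":
        return "exposed"
    if output.script_type in ("p2pkh", "p2wpkh"):
        # Address reuse: an earlier spend already revealed a key whose HASH160
        # matches this output, so the hash hides nothing any more.
        if any(hash160(pk) == output.script_data for pk in revealed_keys):
            return "exposed"
        return "hash-protected"
    raise ValueError(f"unknown script type {output.script_type!r}")


def exposure_report(outputs: list[Output], revealed_keys: list[bytes]) -> dict:
    """Sum the BTC held in each exposure class."""
    totals = {"exposed": 0.0, "hash-protected": 0.0}
    for out in outputs:
        totals[classify(out, revealed_keys)] += out.amount_btc
    return totals


# Constructed sample keys (compressed-key shaped, not real secp256k1 points).
PK_A = b"\x02" + bytes(range(32))
PK_B = b"\x03" + bytes(range(32, 64))
PK_C = b"\x02" + bytes(range(64, 96))

# Constructed: PK_B was already used to spend from its address once, so its
# preimage is on chain (address reuse).
REVEALED_KEYS = [PK_B]

SAMPLE_OUTPUTS = [
    Output("p2pk", PK_A, 50.0),             # early coinbase style, key in script
    Output("p2pkh", hash160(PK_B), 1.5),    # reused address, key already revealed
    Output("p2wpkh", hash160(PK_C), 0.25),  # fresh address, key still hidden
]


def demo() -> dict:
    return exposure_report(SAMPLE_OUTPUTS, REVEALED_KEYS)


if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        print(out.script_type, out.amount_btc, classify(out, REVEALED_KEYS))
    print(demo())  # {'exposed': 51.5, 'hash-protected': 0.25}
```

Running against a real UTXO set would require the spend history of each address rather than the constructed `REVEALED_KEYS` list, but the logic is the same: a hashed output is only as protected as the secrecy of its preimage, and a single reuse moves it into the exposed class.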
Post-Quantum Toolbox Ready
Back’s reference to SLH-DSA was not a casual aside. In August 2024, NIST completed the first wave of post-quantum standards: FIPS 203 ML-KEM for key encapsulation, FIPS 204 ML-DSA for lattice-based digital signatures, and FIPS 205 SLH-DSA for stateless hash-based digital signatures.
NIST has also standardized XMSS and LMS as stateful hash-based schemes, and the pipeline includes the lattice-based Falcon scheme.
Bitcoin developers now have access to a menu of NIST-approved algorithms, along with reference implementations and libraries.
Bitcoin-focused implementations already support BIP-360, demonstrating that the post-quantum toolbox exists and continues to mature.
The protocol does not have to invent entirely new mathematics; it can adopt standards that have been through years of cryptanalysis.
That does not mean implementation is free of challenges. A 2025 paper examining SLH-DSA found vulnerabilities to Rowhammer-style fault attacks, highlighting that although the security rests on ordinary hash functions, the implementation still needs hardening.
Post-quantum signatures also consume more resources than traditional signatures, raising questions about transaction scale and fee economics.
However, these represent engineering problems with known parameters rather than unsolved mathematical mysteries.
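To show what “security based on regular hash functions” and “stateless versus stateful” mean in practice, here is an added Python example that is not code from the article, from NIST, or from any Bitcoin project. It implements a Lamport one-time signature, the simplest ancestor of the hash-based family that XMSS, LMS and SLH-DSA belong to: the key is 512 random preimages, the public key is their hashes, and signing reveals one preimage per message-digest bit, so breaking it requires inverting SHA-256 rather than solving a discrete logarithm. The `OneTimeSigner` wrapper models the state that XMSS/LMS must track (a key that refuses to sign twice), `revealed_secrets` shows why reuse is dangerous, and `sizes` shows the key and signature bloat behind the fee and block-space concerns. The message strings are constructed for the example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list[int]:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list[bytes]:
    """For bit i of the digest, reveal preimage sk[i][0] or sk[i][1]."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    """Each revealed preimage must hash to the matching public-key entry."""
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


class OneTimeSigner:
    """Stateful wrapper: like the leaf index in XMSS/LMS, the 'used' flag must
    never be lost or rolled back, otherwise the same key signs twice."""

    def __init__(self):
        self.sk, self.pk = lamport_keygen()
        self.used = False

    def sign(self, msg: bytes) -> list[bytes]:
        if self.used:
            raise RuntimeError("one-time key already used; a second signature would leak preimages")
        self.used = True
        return lamport_sign(self.sk, msg)


def revealed_secrets(signed: list[tuple[bytes, list[bytes]]]) -> int:
    """Count distinct secret preimages (out of 512) an observer learns from
    signatures made with one key. One signature reveals exactly 256; every
    extra signature on a different message reveals more, which is why
    stateless SLH-DSA uses large trees instead of reusing a leaf."""
    seen = set()
    for msg, _sig in signed:
        for i, b in enumerate(digest_bits(msg)):
            seen.add((i, b))
    return len(seen)


def sizes(pk, sig) -> tuple[int, int]:
    """(public key bytes, signature bytes): 16384 and 8192 for this scheme,
    against 33 and roughly 64-72 bytes for a secp256k1 key and signature."""
    return sum(len(a) + len(b) for a, b in pk), sum(len(s) for s in sig)


if __name__ == "__main__":
    signer = OneTimeSigner()
    sig = signer.sign(b"spend 0.25 BTC to example output")  # constructed message
    print("valid:", lamport_verify(signer.pk, b"spend 0.25 BTC to example output", sig))
    print("tampered:", lamport_verify(signer.pk, b"spend 25 BTC to example output", sig))
    print("sizes (pk, sig):", sizes(signer.pk, sig))
    try:
        signer.sign(b"second message")
    except RuntimeError as e:
        print("refused:", e)
```

SLH-DSA reaches many-time security by organising such one-time keys into hash trees and selecting leaves pseudorandomly, which is what makes it stateless; XMSS and LMS instead require the signer to persist an index exactly as `OneTimeSigner` persists its flag.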
Why 2025 is not the quantum year
BlackRock’s iShares Bitcoin Trust (IBIT) amended its prospectus in May 2025 to include extensive disclosures about the risks of quantum computing, warning that sufficiently advanced quantum computers could compromise Bitcoin’s encryption.
Analysts quickly recognized this as boilerplate, a standard risk-factor disclosure listed alongside the usual technology and regulatory risks, rather than a signal that BlackRock was anticipating an impending quantum attack.
The near-term threat is not the quantum computing technology itself, but investor sentiment.
A 2025 SSRN study found that news related to quantum computing causes rotation to explicitly quantum-resistant coins. Still, traditional cryptocurrencies have shown only modest negative returns and spikes in trading volumes around such news, rather than structural repricing.
When we look at what actually drove Bitcoin’s movement from 2024 to 2025 across ETF flows, macroeconomic data, regulations, and liquidity cycles, quantum computing rarely appears as a direct cause.
Quantum computing generates headlines while CPI growth, ETF outflow days, and regulatory shocks drive price movements.
Even the loudest alarmist article, “25% of Bitcoin is at Risk,” emphasizes the need to start upgrading now, while stating that the threat is years away.
The framing is consistently one of “governance and engineering issues” rather than “sell now.”
The stakes are about default, not deadlines
The quantum story of Bitcoin is not really about whether cryptographically relevant quantum computers will appear in 2035 or 2045. What matters is whether the protocol’s governance can orchestrate an upgrade before that date becomes important.
All serious analyses converge on the same conclusion: now is the time to prepare, not because the threat is imminent, but because migration will take 10 years.
The questions that will determine Bitcoin’s quantum resilience are whether developers can build consensus around BIP-360 and similar proposals, whether the community can encourage the migration of legacy coins without fracturing, and whether public communication can stay level-headed enough to keep panic from outrunning the physics.
In 2025, quantum computing will not be the catalyst that will determine price trends for this cycle, but will instead pose governance challenges that require a 10-20 year roadmap.
Physics is slowly progressing and a roadmap is emerging.
Bitcoin’s role is to adopt PQ-enabled tools long before the hardware arrives and avoid governance gridlock that can turn a solvable problem into a self-inflicted crisis.

