Chips

Will quantum computing break Bitcoin? The real threat timeline

One headline says a quantum computer could steal your Bitcoin any day now. Another says that will never happen. Both are wrong, and the real answer sits in between.

Fang YuFang Yu
Compare: what quantum-versus-Bitcoin headlines suggest, and the actual situationDon't panicQuantum vs Bitcoin: headlines vs realityWhat headlines suggestThe actual situationA quantum machine steals all Bitcoin instantlyMining gets crushed overnightAll current encryption is obsoleteNothing to do but wait for doomNeeds million-scale error-corrected qubits; est. 10 to 20+ yrsGrover only halves hash search; difficulty adjustment compensatesNIST already published post-quantum standards; migration is possibleJust switch to quantum-resistant signatures, but it needs coordinationRemember: Short term, your coins are safe. What matters is account security and staying skeptical of "quantum coin" scams.
A side-by-side of what quantum-versus-Bitcoin headlines imply, and how far the actual technology still has to go to get there.

Every few weeks another headline claims a quantum computer just cracked Bitcoin in minutes, or that quantum machines are about to wipe out encryption everywhere. Half the replies panic about their wallets; the other half dismiss the whole thing as hype. Both reactions skip over the complicated, genuinely important part in the middle. If you have not read what a quantum computer actually is, start with what quantum computing can and cannot do. This piece focuses on a narrower question: what does quantum computing actually threaten in crypto, what is the "harvest now, decrypt later" risk, how large a machine would an attack actually require, and where does post-quantum cryptography stand today. By the end you should know what is worth worrying about now, and what is worth just keeping an eye on.

This is for you if

  • You saw a "quantum computer breaks Bitcoin" headline and want to know how much of it is real.
  • You hold or care about crypto and want to know whether this is something to worry about now.
  • You want to be able to tell a real quantum research update from panic marketing.

Skip this if

  • You want the math behind Shor's algorithm or lattice cryptography.
  • You want step-by-step instructions for a specific wallet or exchange.
  • You are looking for advice on whether "quantum-resistant" tokens are worth buying.

The bottom line first: no quantum computer today can break Bitcoin, but one risk is worth understanding now

The most important judgment first: today, no quantum computer on Earth can break the signature algorithms securing Bitcoin or Ethereum. That is not optimism, it is a hard engineering gap: the error-corrected qubits an attack would need are several orders of magnitude beyond the strongest chips that exist right now. The next few sections lay out the actual numbers.

But "safe for now" is not "nothing to watch." One risk is not waiting ten years to start; it is quietly accumulating today. If a Bitcoin address's public key has already been exposed on-chain, that record sits permanently on a public ledger, and someone could store it now and come back to compute the private key once a capable quantum machine exists. Section 4 covers this store-now, crack-later approach: harvest now, decrypt later.

This piece does not take the side of "it's over" or "it will never happen." It lays out what is actually threatened, how far the technology has gotten, and what to do about it now.

What quantum actually threatens

Most people assume quantum computing threatens mining. The real target is different: the public-key signature scheme that proves a transaction was authorized by whoever owns the coins. Bitcoin and Ethereum both use ECDSA, built on an elliptic curve called secp256k1. Your wallet holds a private key only you know and a public key anyone can see; spending funds means signing with the private key, and every node checks that signature against your public key. Verifying a transaction without trusting any middleman is the same foundation that lets blockchain move value without an intermediary.

Its security rests on one hard math problem: given a public key, working backward to the matching private key takes a classical computer an impractical amount of time. What makes quantum computing worth watching is that it could, in theory, turn that problem from impossible into merely very hard.

Mining runs on a different mechanism entirely: repeatedly guessing a number until the resulting hash (SHA-256) meets a difficulty target. That has nothing to do with the math problem behind signatures, and quantum computing threatens it far less, as the next section explains.

Shor versus Grover: one is a real threat, the other is just a discount

Two quantum algorithms come up whenever this topic is discussed, and they pose wildly different levels of threat. A lot of coverage blurs them together, which is exactly where the confusion starts.

Shor's algorithm is built specifically to solve the kind of math problem Bitcoin's signatures depend on: integer factoring and the elliptic curve discrete logarithm. Given a large, stable enough quantum computer, it could in principle compute a private key directly from a public one. That is a genuine, category-level threat: once a machine is capable enough, the security assumption behind the whole signature scheme stops holding. It is not slowed down, it is bypassed.

Grover's algorithm is the one that comes up around "will mining get broken," but it only speeds up brute-force search, and quadratically, not exponentially. Applied to SHA-256, it cuts effective security from 256 bits to roughly 128. That sounds like losing half the strength, but 128 bits is still an astronomically large margin, and miners can offset even that theoretical dent by raising the difficulty target.

Shor's algorithm goes after the lock itself, the signature scheme; once a machine is capable enough, it can in principle open the lock directly. Grover's algorithm goes after the search space behind mining; at best it discounts how long the search takes. The lock stays intact.

Harvest now, decrypt later: why some risk is being planted today

Even without a signature-breaking quantum machine today, an attacker has another option: record valuable encrypted data or already-exposed public keys now, and compute the private key once a quantum machine matures later. Cryptographers call this store-first, crack-later approach harvest now, decrypt later, and it is the phrase researchers reach for most often when warning against complacency.

Blockchain's particular characteristics make this worth watching. The ledger is public, permanent, and effectively unchangeable. Once a Bitcoin public key is exposed on-chain, that record stays there forever, visible to anyone, and can be archived for later. That differs from an encrypted email sitting on a server for a few years; a public ledger entry can, in theory, be stored and waited on indefinitely.

That said, not all Bitcoin is equally exposed. Many unspent addresses use a format that hashes the public key before turning it into an address, so the funds there correspond to a hash of the key, not the key itself; as long as those funds are never spent, the public key stays hidden behind that hash. Real exposure sits with addresses that have already been spent from once, which reveals the public key on-chain, plus a batch of early Bitcoin holdings that used raw, unhashed public keys as addresses from the start. Ethereum's account model differs: addresses get reused repeatedly, and the first outgoing transaction from one typically exposes its public key, so exposure there works somewhat differently than on Bitcoin.

None of this means your funds are at risk tomorrow. It means whether a public key has ever been exposed is a key variable in judging how exposed a given holding is, and section 8 covers what you can do about it.

How big a quantum computer would it actually take

Headlines love to say a company just built a chip with some large number of qubits. Almost always, that number refers to physical qubits, the raw, error-prone kind that have not been error-corrected. Running something as demanding as Shor's algorithm reliably requires logical qubits instead: a bundle of many physical qubits working together, correcting each other's errors, to form one dependable unit. The two terms sound similar but differ by an order of magnitude in what they represent.

Different research groups land on somewhat different numbers, but the rough scale looks like this: breaking Bitcoin's signatures is estimated to need somewhere in the thousands of error-corrected logical qubits. Translated into physical qubits using today's leading error-correction approaches, estimates range from the hundreds of thousands into the tens of millions, and those figures keep getting revised, usually downward, as new research comes out.

Compare that to where things stand today: across every company building quantum hardware, physical qubit counts have just crossed one thousand, and those qubits are still noisy and error-prone; stable, large-scale error correction is still in its early, hard-fought stages. This gap is not small, it is several orders of magnitude, and it will not close just because someone spends more money or draws a longer roadmap.

Because that gap is so wide, estimates of when quantum computing could actually threaten Bitcoin span roughly ten years to twenty-plus, and keep shifting as hardware and error-correction techniques advance. Nobody can hand you a reliable date, and anyone stating a precise "year quantum breaks crypto" with total confidence is more likely marketing something than reporting research.

Post-quantum cryptography: where NIST standards stand

Rather than waiting for an answer to "when will quantum break current encryption," cryptographers started on a backup plan much earlier: a new generation of algorithms that stay hard to break even for a quantum computer. That effort goes by the name post-quantum cryptography, or PQC.

The US National Institute of Standards and Technology (NIST) ran a nearly decade-long, open, global process to solicit and evaluate candidate algorithms, finalizing the first three standards in 2024: FIPS 203 (ML-KEM, derived from Kyber, for key exchange and encryption), FIPS 204 (ML-DSA, derived from Dilithium, for digital signatures), and FIPS 205 (SLH-DSA, derived from SPHINCS+, a backup signature scheme built on different math, kept in reserve in case one approach is ever broken).

These standards are not staying on paper. Internet infrastructure is already rolling them out; a meaningful share of encrypted web connections already use the new key-exchange algorithms, and several countries and large institutions have published migration timelines. Migration at the blockchain protocol layer is further behind and more complicated, since changing a signature algorithm means coordinating an entire network's upgrade and figuring out what happens to old addresses, covered next.

Can Bitcoin and Ethereum upgrade to resist quantum attacks

Yes. Cryptographically, nothing stops Bitcoin or Ethereum from replacing today's ECDSA signatures with a post-quantum scheme. This is not an unsolved technical mystery; having a technical path was never the hard part.

The hard part is coordination. Changing a blockchain's rules requires most of the network, miners or validators, node operators, exchanges, wallet developers, to agree and roll the upgrade out through a soft fork or hard fork. That routinely takes years of debate, testing, and consensus-building, and plenty of past proposals have stalled or been reworked along the way. There is also a thornier question: whether and how old addresses and holdings get migrated to a new signature scheme, itself a governance problem that touches everything downstream.

Different chains are moving at different speeds. Some already have teams working on post-quantum signature research and roadmaps, with periodic cross-team interoperability tests. Bitcoin's community has developers proposing several approaches at the signature-format level, but those remain at the discussion stage, with no network-wide rollout timeline. That gap does not mean one chain is more at risk; both are still inside the window to prepare, but the upgrade will not happen automatically. It needs sustained community effort.

What ordinary people should do now

First, none of this should drive an investment decision, buying, selling, or panic-exiting included. There is no evidence today that any quantum computer can break Bitcoin's or Ethereum's signatures, and the real, immediate losses from panic trading tend to be far more concrete than the quantum threat itself.

Second, put the attention where you actually have control: basic account hygiene. Avoid reusing the same receiving address when you can, since that limits how often a public key gets exposed early. Keep private keys and exchange two-factor authentication locked down, and treat any message using "quantum threat" to manufacture urgency with extra suspicion. If you are unsure about the safety of something like USDT, which gets asked about just as often, what a stablecoin actually is covers similar ground: understanding the mechanism beats reacting to rumors.

Finally, stay skeptical of anything marketed as a "quantum-resistant coin" or "quantum hedge token." Real quantum resistance happens at the protocol level, not by holding a particular token, and multiple regulators have already called out projects riding the quantum label for marketing, or running outright scams. Run anything like that through the checklist below first; most of it will not hold up. This is worth tracking over the long run, not losing sleep over today.

One table: common "quantum wrecks Bitcoin" claims, and where they diverge from reality

A condensed version of everything above, so you have something to check the next time a similar headline shows up.

Common claim onlineCloser to the truthWhy
Quantum computers can already break BitcoinCurrent machines are far short of the error-correction scale neededNeeds thousands of logical qubits, which is hundreds of thousands to tens of millions of physical qubits; today's strongest chip is just over 1,000
Mining will be instantly crushedGrover gives only a quadratic speedup, far less than the signature threatCuts SHA-256 from 256-bit to roughly 128-bit, still astronomical; difficulty adjusts to compensate
All Bitcoin is equally at riskOnly addresses with exposed public keys are the main riskUnspent addresses hide the public key behind a hash until it is spent
Wallets get wiped out overnightThe real danger is harvest now, decrypt later; risk accumulates graduallyAttackers store exposed public keys today and compute private keys later
Encryption is doomed either wayPost-quantum standards already exist and protocols can upgradeNIST published ML-KEM, ML-DSA and SLH-DSA; several chains already have migration roadmaps
Buying "quantum-resistant coins" hedges the riskReal upgrades happen at the protocol level, not by buying a tokenMost "quantum-resistant" token projects are marketing or outright scams

The most common myths about quantum and Bitcoin

Quantum computers can break Bitcoin right now.

They cannot. Breaking Bitcoin's signatures needs thousands of error-corrected logical qubits, which today's technology path translates to somewhere between hundreds of thousands and tens of millions of physical qubits. The strongest quantum chips today have just over 1,000 physical qubits, and error correction is still in its early stages. Estimates for closing that gap range from roughly 10 to 20-plus years, and they are far from certain.

The quantum threat only targets Bitcoin.

It does not. Almost every system built on ECDSA or RSA public-key signatures is exposed, including banking networks, HTTPS connections on ordinary websites, and other blockchains such as Ethereum. Bitcoin just gets more attention because its ledger is public and closely watched, not because it is the only target.

Buying a "quantum-resistant coin" hedges the risk.

It does not. The real fix has to happen at the protocol level, in the signature algorithm itself, not by holding a particular token. Many projects marketed as "quantum-resistant" are riding the headline for attention or running outright scams, and regulators in multiple countries have already issued warnings about them.

A checklist for the next "quantum breaks encryption" headline

You do not need a physics background. Run any such story through these four questions and it becomes fairly easy to tell real research from anxiety-farming content.

  • Does it cite logical qubits, or uncorrected physical qubits? The two numbers differ by an order of magnitude; a claim that does not specify which one is a red flag.
  • Does it mention error-correction overhead or error rates? Coverage that only brags about qubit counts and skips correction progress is usually thin.
  • Is the source a peer-reviewed paper or a recognized institution, or is it a vendor press release or a social media post? The former is far more trustworthy.
  • Does it mention progress on post-quantum migration? A responsible threat story usually also covers what the defense side is doing; attack-only framing is a sign of fear-mongering.

FAQ

Can a quantum computer break Bitcoin today?

No. It would need thousands of error-corrected logical qubits (hundreds of thousands to tens of millions of physical qubits); today's strongest chips are just over 1,000 noisy physical qubits, and error correction is still early.

Roughly how long until quantum threatens Bitcoin?

No one can give a firm answer; estimates range roughly 10 to 20+ years and keep shifting with hardware and error-correction progress. Not imminent, not something to ignore forever.

What is "harvest now, decrypt later"?

Attackers store exposed data or public keys today and decrypt them once quantum matures. On a permanent public ledger this mainly affects addresses whose public keys are already exposed, not all Bitcoin.

What is post-quantum cryptography (PQC)?

New algorithms designed to resist quantum attacks. NIST finalized three standards in 2024 (ML-KEM, ML-DSA, SLH-DSA). Internet infrastructure is already migrating; blockchain protocol migration is earlier-stage and needs coordination.

Do ordinary people need to do anything about the quantum threat now?

No panic trading is needed. The practical steps are basic account hygiene (avoid address reuse, use 2FA) and skepticism toward "quantum-resistant coin" pitches. This is educational content, not investment advice.

Sources & further reading

  • US NIST nist.gov, the official source for the post-quantum cryptography standards (FIPS 203/204/205)
  • Ethereum's official site ethereum.org, official documentation on the account model and post-quantum migration direction
  • Bitcoin's official site bitcoin.org, background on the Bitcoin protocol and its signature mechanism
  • Preprint server arxiv.org, primary source for research on qubit requirements and harvest-now-decrypt-later risk

Updated: Published July 6, 2026. This first edition covers the difference between Shor's and Grover's algorithms, the qubit scale a real attack would need, where NIST's post-quantum standards stand, and the upgrade paths for Bitcoin and Ethereum. Numbers and timelines will be revised as hardware and standardization progress.

Fang Yu
Fang Yu · Editor of FutureLens

Fang Yu is the editor of FutureLens, turning published papers, official materials and public explanations into plain-language notes. He is most interested in the gap between a technology's public pitch and the evidence a careful reader can actually check. More about the author