Bitcoin vs. quantum computers: separating the real threat from the FUD

bitcoinindex.net · 7 min read

The quantum fear story has been circulating in crypto for years, but in early 2026 it started moving markets. Institutional risk assessments are mentioning quantum computing. Taproot adoption has declined from its highs, though the reasons are mixed. And when Strategy reported its Q4 2025 results (a $12.4 billion net loss, mostly on tumbling Bitcoin prices), Michael Saylor still felt the need to address quantum directly, announcing a “Bitcoin Security Program” to coordinate with the global crypto security community.

So: is the quantum threat real? Should you be worried? The honest answer is more boring than either camp wants to admit.


What Bitcoin’s cryptography actually does

First, a quick separation that matters a lot here. Bitcoin uses two distinct cryptographic systems, and they have very different quantum exposure.

ECDSA and Schnorr signatures authorize transactions. They’re based on the elliptic curve discrete logarithm problem, the mathematical hardness that lets you prove you own coins without revealing your private key. This is where quantum computing poses a genuine theoretical threat: Shor’s algorithm could, on a sufficiently powerful quantum computer, derive a private key from an exposed public key.

SHA-256 hash functions are used in mining (proof-of-work) and in the address system. Here, the relevant quantum threat is Grover’s algorithm, which gives a quadratic speed-up on brute-force search and so cuts the effective security of SHA-256 from 256 bits to 128 bits. But 128-bit security is still computationally infeasible to brute-force. Breaking a Bitcoin address hash remains far outside what any plausible quantum system could do. SHA-256 is not the problem.

And critically: quantum computers cannot modify Bitcoin’s 21-million coin cap, bypass proof-of-work, or change the rules of the network. The threat is specific: it concerns signature forgery on exposed public keys, not Bitcoin’s fundamental architecture.


The numbers: what it would actually take

The most commonly cited quantum threat is dramatic. The reality is more grounded.

Research published in AIP/AVS Quantum Science calculated that breaking a Bitcoin private key within a single day would require a quantum computer with 13 million physical qubits running with fault-tolerance performance that doesn’t yet exist.

Google’s Willow chip, announced in 2024 and the most advanced publicly demonstrated quantum processor, has 105 qubits.

The gap is not close. CoinShares’ research note from February 6, 2026 puts it this way: breaking secp256k1 (Bitcoin’s elliptic curve) within a practical time window of less than a year would require “10–100,000 times the current number of logical qubits.” Charles Guillemet, CTO at Ledger, told CoinShares: “To break current asymmetric cryptography, one would need something in the order of millions of qubits. Willow, Google’s current computer, is 105 qubits. And as soon as you add one more qubit, it becomes exponentially more difficult to maintain the coherence system.”

Expert consensus: a cryptographically relevant quantum computer is at minimum a decade away, with many analyses projecting 10–20 years. Saylor said on Strategy’s earnings call that quantum is “likely more than a decade away” from posing real risk, and he’s not exactly motivated to downplay threats to his biggest position.


Which Bitcoin addresses are actually vulnerable?

This is where the nuance matters most, because different address types have completely different exposure.

Modern address types (P2PKH, P2SH, P2WPKH) hide public keys behind cryptographic hashes. Your public key isn’t visible on the blockchain until you spend from an address, so a quantum attacker would need to derive your private key from your public key during the brief window in which it is exposed in the mempool, which would require roughly 3 million times more capability than current quantum systems have.

Legacy P2PK addresses are the real weak point. These “Pay-to-Public-Key” addresses permanently expose the public key. No waiting for a spend window. If a sufficiently powerful quantum computer existed today, these addresses would be first targets.

CoinShares estimates that approximately 1.6 million BTC sit in P2PK addresses, about 8% of total supply, largely Satoshi’s early coins and long-dormant miners. But here’s the part that often gets left out: only around 10,200 BTC of that total sits in UTXOs that could cause meaningful market disruption if stolen. The remaining ~1.59 million BTC sits in 32,607 individual ~50 BTC UTXOs, which CoinShares notes “would take millennia to unlock even in the most outlandishly optimistic scenarios.”

You’ll sometimes see the claim that “25% of Bitcoin is vulnerable.” CoinShares disputes this as an overstatement. The figure conflates permanently exposed P2PK addresses with reused P2PKH addresses (which expose keys after spending, but are mitigable with existing best practices) and exchange hot wallets. It’s not accurate.
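The distinction this section draws, between outputs whose public key is literally in the script (P2PK), outputs that reveal only a hash until spent (P2PKH, P2SH, P2WPKH), and hashed outputs that have already been spent from once, is something a custodian or auditor can check mechanically over their own UTXO set. The following is an added example, not code from bitcoinindex.net or from any Bitcoin project. It goes slightly beyond the address types named above by also recognising P2WSH and Taproot (P2TR) outputs, treating the Taproot output key as on-chain key material in line with the key-path caveat discussed later. The scriptPubKey templates are the standard ones; the `SAMPLE_UTXOS` rows, their ids, keys and hashes are constructed filler, and the `spent_from_before` flag stands in for whatever address-reuse lookup a real wallet would do.

```python
"""Classify UTXOs by whether their public key is already visible on chain.

Added example, not code from bitcoinindex.net or from any Bitcoin project.
Script templates are the standard Bitcoin ones; SAMPLE_UTXOS is constructed
sample data with made-up keys and hashes.
"""
from dataclasses import dataclass

# Standard script opcode values.
OP_0, OP_1, OP_RETURN = 0x00, 0x51, 0x6A
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC

BTC = 100_000_000  # satoshis per bitcoin


def classify_script(spk: bytes) -> str:
    """Return the standard output type for a scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <33- or 65-byte public key> OP_CHECKSIG. The key itself is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[1] in (0x02, 0x03, 0x04) and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte HASH160(redeemScript)> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return "P2SH"
    # P2WPKH: OP_0 <20-byte HASH160(pubkey)>
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return "P2WPKH"
    # P2WSH: OP_0 <32-byte SHA256(witnessScript)>
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return "P2WSH"
    # P2TR: OP_1 <32-byte x-only output key>. The key-path key sits on chain.
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        return "P2TR"
    return "unknown"


@dataclass
class Utxo:
    txid: str             # placeholder label, not a real transaction id
    vout: int
    value_sat: int        # integer satoshis so totals never suffer float rounding
    script_pubkey: bytes
    spent_from_before: bool = False  # an earlier spend from this script already revealed its key


def key_exposure(u: Utxo) -> str:
    """How a Shor-capable attacker would see this output's key material."""
    kind = classify_script(u.script_pubkey)
    if kind in ("P2PK", "P2TR"):
        # The public key is in the output script itself: exposed for as long
        # as the coins sit there, no spend required.
        return "exposed-permanent"
    if kind in ("P2PKH", "P2SH", "P2WPKH", "P2WSH"):
        # Only a hash is on chain. The key (or script) becomes public at the
        # first spend, so a reused address is already exposed.
        return "exposed-by-reuse" if u.spent_from_before else "hashed"
    return "unknown"


def exposure_report(utxos) -> dict:
    """Sum value per exposure class; the 'exposed-*' rows are the migration backlog."""
    totals = {}
    for u in utxos:
        cat = key_exposure(u)
        totals[cat] = totals.get(cat, 0) + u.value_sat
    return totals


def migration_candidates(utxos) -> list:
    """UTXOs that should move to a fresh hashed (or, eventually, post-quantum) output."""
    return [u for u in utxos if key_exposure(u).startswith("exposed")]


# Constructed sample UTXO set. Keys and hashes are filler bytes, not real ones.
_FAKE_COMPRESSED_KEY = b"\x02" + b"\x11" * 32
_FAKE_UNCOMPRESSED_KEY = b"\x04" + b"\x22" * 64
SAMPLE_UTXOS = [
    # 2009-style coinbase output paying straight to an uncompressed key.
    Utxo("p2pk-uncompressed", 0, 50 * BTC, bytes([0x41]) + _FAKE_UNCOMPRESSED_KEY + bytes([OP_CHECKSIG])),
    Utxo("p2pk-compressed", 0, 50 * BTC, bytes([0x21]) + _FAKE_COMPRESSED_KEY + bytes([OP_CHECKSIG])),
    Utxo("p2pkh-fresh", 1, 150_000_000, bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    Utxo("p2pkh-reused", 0, 25_000_000, bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x44" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), spent_from_before=True),
    Utxo("p2wpkh", 0, 75_000_000, bytes([OP_0, 0x14]) + b"\x55" * 20),
    Utxo("p2sh", 2, 200_000_000, bytes([OP_HASH160, 0x14]) + b"\x66" * 20 + bytes([OP_EQUAL])),
    Utxo("p2tr", 0, 10_000_000, bytes([OP_1, 0x20]) + b"\x77" * 32),
    Utxo("op-return", 0, 0, bytes([OP_RETURN, 0x04]) + b"test"),
]

if __name__ == "__main__":
    for cat, sats in sorted(exposure_report(SAMPLE_UTXOS).items()):
        print(f"{cat:<18} {sats / BTC:>14.8f} BTC")
    print("to migrate:", [u.txid for u in migration_candidates(SAMPLE_UTXOS)])
```

Run against real data, the interesting column is the ratio of `exposed-by-reuse` to `hashed`: the P2PK backlog is a fixed historical fact, but reuse exposure is entirely under the holder's control and is the part that existing best practice (never receive twice to the same address) already removes.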


Taproot’s complicated position

Taproot, Bitcoin’s 2021 upgrade introducing Schnorr signatures, uses the same secp256k1 curve as ECDSA, meaning key-path Taproot spends are theoretically subject to the same Shor’s algorithm risk.

But the picture is more nuanced. Bitcoin cryptographer Tim Ruffing (Blockstream Research) published a paper arguing that Taproot, when restricted to script-path spends, is actually post-quantum secure. A quantum attacker can’t see inside a Taproot output until it’s revealed at spend time. The decline in Taproot adoption has multiple explanations including fee optimization and exchange behavior; there’s no direct evidence quantum concern is the primary driver.


What the institutions are actually saying

On the institutional side, a Citi report published in early 2026 put the quantum risk to traditional banking infrastructure in stark terms: a quantum-enabled attack on U.S. bank access to Fedwire could put $2.0–$3.3 trillion of U.S. GDP at risk, with the probability of widespread public-key encryption being broken estimated at 19–34% by 2034, rising to 60–82% by 2044.

It’s worth being precise about what that report is and isn’t. It’s about traditional banking infrastructure, not Bitcoin specifically. Bitcoin’s quantum exposure is distinct from a bank’s RSA-protected Fedwire connections, and per CoinShares, less acute than the picture the Citi report paints for legacy finance. But the report is why institutional investors are paying attention to quantum across all financial systems. The narrative has legitimacy at the highest levels.


What Bitcoin developers are actually doing

The developer response is real and ongoing, even if the timeline is debated.

BIP-360 is a draft Bitcoin Improvement Proposal to introduce a post-quantum signature option for Bitcoin addresses. Charles Edwards of Capriole (a quantitative Bitcoin fund) has called for it to be finalized and deployed in 2026. Note: Edwards also made the contested claim that “20–30% of Bitcoin will be taken by a quantum hacker in the next few years” (this is disputed by serious cryptographers and should be treated as an outlier position, not consensus).

On the other end of the spectrum, Adam Back (Blockstream CEO, inventor of Hashcash) has been blunt: “Bitcoin does not use encryption. Get your basics right, or it’s a tell. Quantum computing threat is still decades away.” Back has also proposed his own hash-based post-quantum signature scheme, distinct from BIP-360’s lattice-based approach, that relies entirely on hash function collision resistance.

Bitcoin Optech tracks active developer discussions on competing schemes: SLH-DSA verification, SHRINCS (324-byte stateful signatures), and Falcon post-quantum signatures. There’s genuine disagreement between lattice-based and hash-based approaches, and no consensus yet on a path forward.

The NIST standards exist. The U.S. National Institute of Standards and Technology finalized its first three post-quantum cryptographic standards on August 13–14, 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). A fourth based on FALCON is in development. These are the cryptographic building blocks any Bitcoin post-quantum upgrade would draw from. The hard part isn’t the math. It’s coordinating a network upgrade.
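To make the hash-based side of the debate concrete: the one-time signature below is an added example, not code from bitcoinindex.net, from BIP-360, or from any of the schemes named above (Adam Back’s proposal, SHRINCS, SLH-DSA). It is the textbook Lamport construction that those designs elaborate on: the only assumption is that SHA-256 is hard to invert, there is no elliptic curve or lattice anywhere, and the price is a key pair that may sign exactly once and an 8 KB signature. The `LamportKey` class name and its refusal to sign twice are this example’s own choices, included to show why the page’s mention of stateful schemes matters.

```python
"""A minimal hash-based one-time signature (Lamport, 1979) over SHA-256.

Added example, not code from bitcoinindex.net, BIP-360, or any named scheme.
Security rests only on the hash function; each key pair signs exactly once.
"""
import hashlib
import secrets

HASH_BITS = 256   # one pair of secrets per bit of the SHA-256 message digest
CHUNK = 32        # bytes per secret value


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(digest: bytes) -> list:
    """Big-endian list of the 256 bits of a 32-byte digest."""
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


class LamportKey:
    """Stateful one-time key: it remembers whether it has already signed."""

    def __init__(self):
        # sk[i][b] is the secret for message bit i taking value b.
        self.sk = [[secrets.token_bytes(CHUNK), secrets.token_bytes(CHUNK)]
                   for _ in range(HASH_BITS)]
        # The public key publishes only the hashes of those secrets.
        self.pk = [[_h(pair[0]), _h(pair[1])] for pair in self.sk]
        self.used = False

    def sign(self, message: bytes) -> list:
        """Reveal, for each digest bit, the one secret matching that bit."""
        # One-time only: a second signature on a different message would reveal
        # both secrets for every bit where the digests differ, which is enough to
        # forge signatures on other messages. Tracking state is the defence, and
        # it is the reason "stateful" hash-based schemes carry that label.
        if self.used:
            raise RuntimeError("Lamport key already used; signing again leaks the key")
        self.used = True
        return [self.sk[i][bit] for i, bit in enumerate(message_bits(_h(message)))]


def verify(pk: list, message: bytes, signature: list) -> bool:
    """Each revealed secret must hash to the published value selected by the message bit."""
    if len(signature) != HASH_BITS:
        return False
    for i, bit in enumerate(message_bits(_h(message))):
        if _h(signature[i]) != pk[i][bit]:
            return False
    return True


def signature_size_bytes() -> int:
    # 256 secrets of 32 bytes: 8192 bytes, the size overhead that practical
    # hash-based schemes spend most of their design effort reducing.
    return HASH_BITS * CHUNK


if __name__ == "__main__":
    key = LamportKey()
    msg = b"constructed sample message"
    sig = key.sign(msg)
    print("valid:", verify(key.pk, msg, sig))
    print("tampered:", verify(key.pk, msg + b"!", sig))
    print("signature bytes:", signature_size_bytes())
```

Nothing here depends on the message being a Bitcoin transaction; a real scheme would hash the transaction digest exactly as Schnorr or ECDSA do today. What changes is the trust basis: an attacker with Shor’s algorithm gains nothing against this verifier, and Grover’s speed-up is already priced in by the 128-bit effective security discussed earlier.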

European regulators and ENISA have pushed member states to begin national post-quantum cryptography transition planning, with hard deadlines for critical infrastructure. The EU Commission’s coordinated implementation roadmap sets a 2030 deadline for critical systems. That’s pushing financial institutions to prepare regardless of timeline certainty.


The uncomfortable question: what about the Satoshi coins?

If a quantum computer capable of attacking P2PK addresses ever does arrive, Bitcoin faces an awkward philosophical problem. Most of the exposed coins are presumably lost (early miners, Satoshi’s holdings, dormant wallets from 2009–2011). If a migration deadline passes and those coins haven’t moved, what happens to them?

Burning unmigratable coins would protect the network from quantum attackers who could otherwise drain them onto the market, but it would also destroy property that might genuinely belong to someone who just hasn’t checked in. Setting a precedent for confiscating dormant coins violates principles that are pretty fundamental to Bitcoin’s value proposition. This debate hasn’t been resolved, and it won’t be until it absolutely has to be.


The actual situation

The quantum threat to Bitcoin is real enough to plan for. The timeline gives Bitcoin room, probably more room than market panic in early 2026 would suggest. The question isn’t whether quantum will eventually be capable of breaking elliptic curve cryptography. It almost certainly will be, given enough decades. The question is whether Bitcoin’s upgrade path (BIP-360, hash-based signatures, the NIST standards) will be deployed, tested, and broadly adopted before that capability arrives.

Taproot took roughly four years from proposal to activation. A post-quantum signature scheme would be at minimum as complex. Multi-year warnings will precede any real cryptographically relevant quantum system. That’s not complacency. It’s a calibrated read of where the physics actually is.

The real threat isn’t that quantum computers will suddenly appear and drain Bitcoin overnight. It’s that the community debates the right approach for too long and the migration window closes before the upgrade is ready. Given that Bitcoin’s community has navigated contentious upgrades before, I’m cautiously optimistic. But “cautiously” is doing real work in that sentence.
