Quantum computers are gradually moving out of laboratories into the real world. Thanks to qubits, superposition, and entanglement, they can solve certain problems significantly faster than classical computing systems. The recent hardware breakthroughs show that this phenomenon is clearly entering an engineering-scaling phase.

At the same time, the question arises: what does this mean for Bitcoin? Quantum computers are designed for extremely fast and powerful computation of certain types of problems that, in theory, can undermine modern cryptographic mechanisms. In the case of Bitcoin, this risk is distributed unevenly. Mechanisms related to computation and miner competition are considered relatively resilient. But the cryptography that protects coin ownership is theoretically more vulnerable.

In this text, we will figure out exactly where the boundary lies between a theoretical threat and a practical risk for Bitcoin, which parts of the protocol are most vulnerable, and what the Bitcoin community can realistically do in response to the rise of quantum computing.

Quantum computing: where we are on the progress scale

Willow and the technical breakthroughs of recent years

Over the past two years, quantum computing has advanced from laboratory demonstrations to real engineering. In December 2024, Google presented the Willow processor, which, for the first time, showed that quantum errors can be reduced as the system grows. That is, quantum computers truly scale rather than remaining fragile experiments. Additionally, the physical parameters of qubits improved. For example, the coherence time of the quantum state gives more room for real computations.

Why does this matter? In practice, Willow performed the Random Circuit Sampling task in less than five minutes. A classical supercomputer, according to existing estimates, would require time exceeding the age of the Universe. This is a signal that quantum machines are gradually moving from scientific tests into tools for real tasks: from modeling materials to chemical processes.

Market, investments, and scaling

Analysts expect the global quantum computing market to grow from ~$1.44 billion in 2025 to approximately $19.44 billion by 2035. At the same time, investments are also growing: in the first quarter of 2025 alone, startups raised about $1.25 billion, and most of the money is already going to late stages: that is, to infrastructure and commercial products rather than experiments.

In other words, the industry is transitioning from a laboratory to an industrial phase – the same way classical computers once evolved. And at such a stage, previously abstract cryptographic risks, in particular for Bitcoin, begin to look like a matter of strategic preparation rather than distant theory.

How does this affect the crypto sphere?

Quantum computers primarily strike public-key cryptography – the foundation of security for banks, internet services, and blockchain systems. What today is practically impossible to break with classical machines becomes fundamentally vulnerable in the quantum model.

In traditional digital systems, cryptographic risks are partially mitigated by centralized architecture: banks, payment networks, or cloud services update algorithms, replace keys, and retire outdated mechanisms.

In blockchain systems, and in Bitcoin in particular, security is based on a public, immutable ledger where all transactions are stored forever. Public keys that appear when spending funds remain available for any future analysis. They cannot be revoked, hidden, or changed retroactively.

This causes the key asymmetry of the quantum threat for crypto. If in the future a quantum computer emerges that can break elliptic-curve digital signature algorithms, it will be able to process not only new transactions but also the entire historical database of already revealed public keys. That is, the attack may be delayed in time: data is collected today and used when the technology matures.

This effect is called harvest now, decrypt later: data is collected today and used when the necessary technologies become available. For blockchains, this means risk to the very idea of immutable ownership: by restoring a private key, it becomes possible to seize control of assets without violating the protocol rules.

This is not about “breaking tomorrow”: modern quantum computers are still far too weak. But time works against the system – the longer there is no post-quantum transition, the larger the volume of potentially vulnerable data accumulates. Therefore, the quantum topic for crypto is a long-term challenge, not a one-time attack.

The cryptographic foundation of Bitcoin: two systems – two threat profiles

Bitcoin security relies on two fundamentally different systems that perform separate roles and have their own risk profile in the context of quantum computing:

• the ECDSA digital signature algorithm, which ensures ownership and transaction authorization,

• and the SHA-256 hash function, which underlies mining and consensus.

The quantum threat to them is asymmetric, and it is precisely this asymmetry that determines the network's real risks.

ECDSA: critical vulnerability at the ownership level

The elliptic curve digital signature algorithm (ECDSA) is considered practically unbreakable for ordinary computers. Selecting a private key or breaking a signature is realistically impossible. It is on this mechanism that Bitcoin coin ownership is confirmed.

However, in the quantum threat model, the situation changes. Shor’s algorithm theoretically allows restoring a private key from a public one as soon as a sufficiently powerful quantum computer appears.

In such a scenario, an attacker can sign transactions as if they were the legitimate owner of the funds, and the Bitcoin network will not be able to distinguish the forgery. This means a risk not to a separate feature, but to the ownership model itself. It is also important that public keys that have already appeared in the blockchain remain potentially vulnerable forever: the problem cannot be “rolled back” retroactively.

SHA-256: resilience at the consensus level

By contrast, the SHA-256 hash function, used in Bitcoin mining, does not have the same critical quantum computing vulnerability as digital signature algorithms. The most effective known quantum attack, Grover’s algorithm, provides only moderate speedup of brute force, but does not make the hash function “breakable” in the practical sense – the security level remains high.

Even in theory, quantum computers do not offer a clear advantage in mining. SHA-256 is already extremely efficiently executed on specialized ASIC devices, and any local advantages are automatically smoothed out by the difficulty adjustment mechanism. As a result, quantum computing does not directly undermine Bitcoin's consensus, unlike the risks posed by digital signatures.

For Bitcoin, quantum computers are not a single big threat but two very different stories. Mining and consensus remain resilient overall, while signatures confirming ownership of coins are a potentially vulnerable point. Understanding this difference helps avoid panic and focus on real risks and how to prepare for them in advance.

Breaking Bitcoin: theory vs reality

When discussing the quantum threat to Bitcoin, people often confuse two things: what is possible in theory and what is realistically achievable on modern hardware. Yes, Shor’s algorithm theoretically makes ECDSA vulnerable. But in practice, everything comes down not to mathematics, but to the scale of quantum resources that simply do not exist today.

Breaking a single Bitcoin ECDSA signature within a realistic time window requires about 1,500–2,600 logical qubits. The problem is that logical qubits do not exist directly: each of them is built on top of thousands or even hundreds of thousands of physical qubits through error correction. As a result, we are talking about tens or hundreds of millions of physical qubits for a real attack, depending on how optimistically one evaluates system quality.

Against this background, modern quantum computers look modest. The most powerful experimental chips operate with hundreds or slightly more than a thousand physical qubits, without full scalable error correction. The most powerful experimental processors operate with hundreds or a thousand physical qubits, moreover, without fully scalable error correction.

For reference:

• The Willow processor from Google operates with 105 physical qubits.

• The Condor chip from IBM – with 1,121 physical qubits.

A simple conclusion: Bitcoin today is not under an immediate quantum threat. Between the current state of quantum hardware and the level of “Bitcoin-breaking,” there are several major technological leaps. But this does not mean the topic can be ignored. Quantum risk for Bitcoin is not a sudden catastrophe, but a long-term engineering challenge that should be prepared for in advance, neither with panic nor complacency.

These numbers look impressive from the perspective of industry progress, but they remain five to six orders of magnitude smaller than the scale required for a real break of Bitcoin. This is not about doubling or even tenfold growth, but about a gap of tens of thousands or millions of times.

Even the most aggressive public roadmaps look restrained. In particular, IBM plans to reach approximately 200 logical qubits by 2029, which is a significant engineering step, but still an order of magnitude below the minimum threshold required for an attack on Bitcoin ECDSA.

At the same time, this analysis does not remove the issue from the agenda. It rather changes its nature: the quantum threat to Bitcoin is a long-term engineering risk, not a short-term catastrophe.

Expert assessments: spectrum of positions and factual disagreements

The discussion about the quantum threat to Bitcoin already goes beyond purely academic: it is discussed by investors, developers, and cryptographers, and the main disputes concern not the fact of vulnerability itself, but timelines and consequences. Some expect problems in the coming years, others speak about a horizon of decades, and skeptics move it a generation ahead.

Despite differences in estimates, everyone agrees on one thing: the mathematical vulnerability exists, but what will be decisive is not the discovery itself, but the speed of development of quantum hardware and the Bitcoin ecosystem's ability to adapt.

1. Quantum computing – a near- or mid-term threat

Key thesis: the question is not whether quantum computers will break ECDSA, but whether Bitcoin can migrate earlier.

This narrative proceeds from the fact that the ability of quantum computers to break ECDSA is not a hypothesis but a mathematically proven fact. About 25–30% of all BTC (approximately 4-7 million coins) are located in addresses with revealed public keys and will become the first targets as soon as a cryptographically relevant quantum computer appears.

Supporters of this position expect the appearance of CRQC in the 2028–2033 window and emphasize that even a single successful quantum break may seriously undermine trust in the network, regardless of the actual amount of stolen funds. The unique vulnerability of Bitcoin lies in the immutability of the public ledger: unlike traditional systems, it is impossible to “hide” historical keys here.

• Investor Chamath Palihapitiya publicly suggested that a quantum computer with 8,000 stable logical qubits could break Bitcoin's encryption within 24 months.

• Cryptographer and entrepreneur David Carvalho points out that about 30% of bitcoins could be at risk of quantum vulnerability due to exposed public keys.

• Vitalik Buterin, Ethereum Co-Founder, expressed himself similarly, summarizing the position of this group: the elliptic curves that secure Bitcoin and Ethereum are destined to die.

2. The risk exists, but is artificially exaggerated

Key thesis: if quantum computers become a real threat, the entire global cryptographic stack will have to migrate, and Bitcoin will not be left alone with the problem.

This camp focuses on hardware reality. Even the most aggressive roadmaps of Google or IBM do not foresee millions of qubits in the next 10–15 years.

In addition, quantum computers face fundamental physical limitations, such as decoherence, the high cost of error correction, control complexity, and scaling. From this point of view, Bitcoin is not a unique target: the quantum threat equally concerns banks, TLS, state registries, and the entire digital infrastructure.

• Adam Back, Blockstream CEO, estimates the quantum threat to Bitcoin as distant, with a horizon of approximately 20-40 years, emphasizing the huge gap between modern equipment and the requirements for a real attack.

• Benchmark analyst Mark Palmer also considers the risk real but distant, and speaks of decades of preparation and protocol updates.

• Michael Saylor (MicroStrategy) goes even further, claiming that quantum technologies will not break Bitcoin, but, on the contrary, will force it to evolve and strengthen security.

3. The threat is real, but timing is uncertain

Key thesis: the quantum threat is not a signal to “panic now,” but a coordination task: solutions are known, but movement must start in advance, in the 2030–2035 window, without waiting for the extreme point.

This approach recognizes the mathematical vulnerability of ECDSA as indisputable, but emphasizes the uncertainty of timeframes. The greatest risk here is not the speed of quantum progress, but the slowness of Bitcoin governance mechanisms, where significant changes may take 5–10 years.

The first attacks, if they appear, will not be mass but selective, expensive operations against the largest and oldest wallets. Post-quantum standards are already in place, so the main challenge is to organize a large-scale migration in time and without chaos.

• Justin Thaler (a16z) believes the quantum threat is real, but the pressure comes not from the rapid emergence of quantum computers but from the slowness of Bitcoin's updates.

• Deloitte assesses the risk as long-term and strategic: in the short term, technological limitations restrain attacks, but over time, the problem will become significant.

• Chainalysis speaks of a horizon of approximately 10-15 years and emphasizes that vulnerability can already be measured, although it remains manageable.

• Academic research generally agrees that signatures are the weak point, solutions exist, and the main challenge is to organize the transition in time.

Together, these narratives show that the dispute around quantum computing and Bitcoin is not a confrontation between “alarmists” and “skeptics,” but different ways of interpreting the same fact. Quantum computers change the model of cryptographic risks, but the final outcome depends not only on physics and mathematics but also on a decentralized system's ability to act proactively.

Reaction of the Bitcoin community: from standards to practical migration

Although the quantum threat to Bitcoin is not immediate, the community's response has long since gone beyond abstract discussions. It proceeds in three stages: standardization, experimentation with the protocol, and careful migration planning, all while taking into account the constraints of the Bitcoin governance model.

What has already been done: the base for a post-quantum transition

An important reference point for the entire cryptographic ecosystem appeared in August 2024: NIST completed the standardization of post-quantum algorithms. Among them are ML-DSA and SLH-DSA – signature schemes considered resistant to attacks by quantum computers. That means the question “Is there any replacement at all?” no longer stands: solutions have already been verified and formalized.

For Bitcoin, this means that a cryptographic foundation for transition exists. Now the main challenge is not to invent new algorithms, but to carefully integrate them into a global system without breaking compatibility and user trust.

What is happening now: experiments and proposals

In practice, Bitcoin developers are already preparing: they test post-quantum signatures and observe how they affect key size, transactions, and network load. Among the ideas are approaches such as P2QRH, which allow adding quantum-resistant addresses through a soft update, without radically “rewriting” the entire system.

For now, this is at the level of prototypes and discussions, but the very fact of such experiments shows a shift in thinking: the quantum problem is already perceived not as an abstract scenario, but as an engineering task being prepared for in advance.

What is planned: careful evolution, not a sharp break

In the longer perspective, hybrid signatures are discussed, when a transaction is verified simultaneously by classical and quantum-resistant algorithms, like ECDSA + ML-DSA – hybrid signatures. This provides a security reserve: even if one method is broken, the other remains, allowing a gradual transition without abrupt moves.

The main limitation is not technology but the tempo of Bitcoin itself: serious changes here take years. Therefore, the community acts not slowly but cautiously: the quantum threat has no specific date, and the task is not to “jump at the last minute,” but to begin migration early and smoothly without loss of trust in the network.

Key conclusions: what we know for sure

After all the facts and assessments, it becomes clear: the quantum threat to Bitcoin is neither “the end of the world” nor a myth. Mathematically, the signatures can indeed be broken, but modern quantum computers are still very far from the required level, so the main question is not “if,” but “when.”

And here, the key problem is not cryptography but coordination: solutions already exist, but a decentralized network takes years to agree on and implement changes. Bitcoin has evolved more than once and is capable of doing so again. Therefore, quantum computers are rather a long-term challenge that must be prepared for in advance.

In the end, the quantum threat to Bitcoin does not look like a reason for panic nor a problem that can be ignored. This is a long-term structural challenge in which the decisive role will be played not only by breakthroughs in physics or engineering, but also by the global, decentralized community's ability to act proactively.

Time for preparation likely still exists, but it is not unlimited, which is what makes quantum computing important today.