Can Quantum Computers Break Bitcoin? A Calm Look at the Real Timeline

Can Quantum Computers Break Bitcoin? A Calm Look at the Real Timeline

Every few months a headline announces that quantum computers are about to break Bitcoin, and every few months the substance behind it turns out to be a real research milestone that is nowhere near what the headline implies. Spring 2026 delivered a loud round: a researcher publicly broke a 15-bit elliptic curve key for a 1 BTC bounty, Google published fresh resource estimates for attacking Bitcoin-grade cryptography, and the panic articles followed. The honest picture is more boring and more useful. Quantum computers pose a genuine long-term problem for a specific subset of bitcoin, the fix is already being engineered in the open, and there is exactly one practical thing most holders should do about it today.

What Shor's Algorithm Actually Threatens

Bitcoin uses two different kinds of cryptography, and quantum computers affect them very differently. The first is the signature scheme: ECDSA and, since Taproot, Schnorr signatures, both built on the secp256k1 elliptic curve. Spending coins means signing with a private key that corresponds to a public key, and the security assumption is that deriving the private key from the public key is infeasible for classical computers. It genuinely is.

Shor's algorithm, published in 1994, breaks exactly that assumption, but only on a large, fault-tolerant quantum computer that does not yet exist. Given a visible public key, a sufficiently powerful quantum machine could compute the matching private key and sign a transaction stealing the coins. The critical word is visible. Shor's algorithm needs the public key as input. If the blockchain only shows a hash of your public key, which is what standard pay-to-pubkey-hash and SegWit addresses have provided for years, there is nothing for the algorithm to work on until the moment you spend.

So the threat is narrow and precise: coins sitting on outputs where the public key is already exposed on-chain. Everything else in the quantum-versus-Bitcoin conversation hangs off that one detail.

What Quantum Computers Cannot Touch

A few things routinely get lumped into the panic that do not belong there.

Your seed phrase. A seed phrase written on paper or steel is not on any network and not on any chain. No algorithm attacks a piece of paper. The wallet hygiene you already follow for cold storage is unaffected by quantum progress.

Hashed addresses you have never spent from. A fresh address exposes only a hash of your public key, produced by SHA-256 and RIPEMD-160. Reversing a hash is not a Shor problem. Grover's algorithm, the relevant quantum tool for hashes, offers only a quadratic speedup, which turns a 256-bit search into a 128-bit one. That is still far beyond any conceivable machine.

Mining. The same Grover limitation applies to proof of work. A quantum miner would get a modest advantage, not a takeover, and mining hardware economics would adjust the way they always have. SHA-256 does not need replacing on any near timeline.

The network itself. Nodes, consensus rules, and the peer-to-peer layer do not depend on elliptic curve secrecy. A quantum attacker cannot rewrite history or forge blocks.

The April 2026 Break: 15 Bits Is Not 256 Bits

On April 24, 2026, researcher Giancarlo Lelli won Project Eleven's Q-Day Prize, a standing 1 BTC bounty, by deriving a private key from a public key on a 15-bit elliptic curve using a variant of Shor's algorithm on cloud-accessible quantum hardware. It was a legitimate record, extending the previous public result by a factor of about 512, and it is the event behind most of the scary headlines you saw that week.

Here is the context the headlines dropped. Bitcoin keys are 256 bits. Each additional bit roughly doubles the size of the problem, so the distance between a 15-bit toy curve and secp256k1 is on the order of 2 to the power of 241. That is not a gap you close with incremental engineering. It requires fault-tolerant machines with hundreds of thousands of high-quality physical qubits running deep error-corrected circuits, none of which exists today. Current hardware, including Google's Willow chip with 105 physical qubits, operates at a scale thousands of times too small, and raw qubit count is not even the hard part. Error correction is.

The Q-Day Prize exists precisely to make quantum progress against elliptic curve cryptography measurable and public instead of speculative. A 15-bit break is the bounty working as intended, not an alarm bell.

The 6.9 Million BTC Problem: Which Coins Are Exposed

Table showing quantum vulnerability by bitcoin address type: P2PK outputs and reused addresses vulnerable, Taproot outputs partially exposed, fresh hashed addresses safe, and SHA-256 mining only mildly affected.
Quantum exposure depends on whether a public key is visible on-chain, not on Bitcoin as a whole.

Analysts, echoed by Google's quantum team in 2026 coverage, put the pool of quantum-exposed bitcoin at roughly 6.9 million BTC, close to a third of the total supply. It breaks down into a few buckets.

Pay-to-pubkey (P2PK) outputs, roughly 1.7 million BTC. The earliest Bitcoin transactions, including the coinbase rewards widely attributed to Satoshi Nakamoto, paid directly to raw public keys. Those keys have been sitting in plain sight since 2009 and 2010. Most of these coins have never moved and their owners are presumed gone, so nobody can migrate them.

Reused addresses. The first time you spend from an address, the signature reveals your public key. If coins remain on that address afterward, or arrive later, they are exposed. Address reuse has always been bad practice for privacy reasons, quantum risk just adds a second reason.

Taproot outputs. P2TR addresses encode a tweaked public key directly rather than a hash, so unspent Taproot coins are technically in the exposed category too. The designers accepted that tradeoff knowingly, since hashing only delays exposure until spend time anyway.

The rest of the supply, coins on fresh hashed addresses, stays out of quantum reach until the owner broadcasts a spend.

The Realistic Timeline: Why Serious Estimates Say 2030 and Beyond

The hardware trajectory has genuinely steepened. Google's Willow chip demonstrated below-threshold error correction in December 2024, meaning larger error-correcting codes actually reduced logical error rates, which had been the field's key open question. In October 2025 the Quantum Echoes experiment on Willow claimed a verifiable quantum advantage. And Google research published across 2025 and 2026 cut resource estimates sharply: where attacks on modern cryptography were once thought to need tens of millions of qubits, current estimates sit under a million physical qubits, with one widely quoted 2026 figure suggesting a mature machine could derive a Bitcoin key from an exposed public key in minutes.

None of that changes what exists today: machines with qubit counts in the hundreds to low thousands, and a wall of error-correction engineering between here and the fault-tolerant scale those attacks require. The mainstream expert range for a cryptographically relevant quantum computer runs from the early 2030s outward, with 2030 as the aggressive end quoted by Project Eleven and others. NIST's post-quantum guidance already calls for deprecating vulnerable algorithms after 2030 and phasing them out by 2035, not because an attack is scheduled, but because migrations take years.

The honest summary: no credible researcher says Bitcoin's cryptography falls this decade on publicly known hardware, and no credible researcher says the risk is imaginary either.

BIP-360 and What Post-Quantum Bitcoin Looks Like

Bitcoin's answer is not a mystery, it is a numbered proposal you can read. BIP-360, merged into the official BIPs repository on February 11, 2026, defines Pay-to-Merkle-Root (P2MR), a new output type designed so that public keys are never exposed on-chain, and built to carry post-quantum signature schemes such as ML-DSA, the NIST-standardized lattice scheme also known as Dilithium. The idea has already run on test infrastructure: BTQ Technologies shipped a testnet implementation in March 2026 with full P2MR validation and ML-DSA signature opcodes, and dozens of miners joined it.

The tradeoffs are real. Post-quantum signatures are much larger than Schnorr signatures, which means fewer transactions per block or bigger blocks, and the community has strong feelings about both. Activation would require the same soft-fork consensus process as previous changes, and if you have read our page on how Bitcoin network upgrades actually happen, you know that process is deliberately slow. Taproot took years from proposal to activation with far less controversy attached.

BIP-360 co-author Ethan Heilman has estimated that a full migration would take around seven years even if the roadmap were agreed today. That is exactly why the work started before the threat became imminent.

The Hard Question: Freeze the Old Coins or Let Them Be Stolen

A migration plan only protects coins whose owners move them. That leaves the P2PK pile, including the presumed Satoshi coins, with no one to act. BIP-361, the companion proposal to BIP-360, confronts this directly by suggesting a phased sunset: after long notice periods, spends from quantum-vulnerable output types would become invalid, effectively freezing coins that never migrated.

This is the most genuinely contested part of the whole topic, and reasonable people land on both sides. Freezing coins violates the principle that valid keys always spend, and it means invalidating someone's property on a schedule set by others. Not freezing them means that whenever a capable machine arrives, millions of coins get silently swept by whoever builds it first, an event that would hit market confidence far harder than any technical detail. There is no third option where nothing happens. Expect this debate to run for years, loudly, and do not expect the first proposal to be the final shape.

The One Practical Step to Take Now

For an ordinary holder in 2026, the entire actionable checklist is short.

Stop reusing addresses, starting today. Every modern wallet generates a fresh address per receive. Use that behavior instead of fighting it. An address you have never spent from keeps your public key hidden, which keeps you out of the exposed pool entirely.

Audit your old coins once. If you hold coins on an address you have already spent from, or anything ancient enough to be P2PK, move them to a fresh address in the same wallet. One ordinary transaction, one fee, done. A few minutes of work removes you from the 6.9 million BTC category.

Do not buy panic products. Tokens marketed as quantum-safe alternatives to Bitcoin, and services offering to quantum-proof your coins for a fee, are trading on fear. The migration path for Bitcoin itself is public, free, and not urgent.

Keep your fundamentals in order. The realistic threats to your coins in 2026 remain phishing, malware, and bad key management, all covered in our Bitcoin security guide. A quantum computer is not going to steal your bitcoin this decade. A fake wallet update might do it this week.

What-Ifs Worth Thinking About

What if a state built one in secret? Possible in principle, but a secret cryptographically relevant machine would have far more valuable targets than old bitcoin: military communications, banking infrastructure, intercepted encrypted traffic. Spending the capability on a theft that instantly reveals it, and crashes the value of the stolen asset, is poor strategy. Bitcoin is likelier to get warning shots than a surprise attack.

Does harvest-now-decrypt-later apply? For encrypted communications, yes, adversaries can record ciphertext today and decrypt it later. For Bitcoin the analogue is weaker: an exposed public key is already the harvested material, and moving coins to a fresh address invalidates it. Acting now genuinely closes the window.

What if progress suddenly accelerates? Watch the public markers: Project Eleven's bounty progressing past toy curves into triple-digit bit sizes, NIST guidance tightening, and BIP-360 moving toward activation. Those signals will arrive years before any machine threatens real keys, and they are exactly what Bitcoin developers are watching too.

Frequently asked questions

Can a quantum computer steal the bitcoin in my hardware wallet?

Not by attacking the device. A hardware wallet's quantum exposure depends on address handling: if it gives you a fresh address for every receive and you do not keep coins on already-spent addresses, your public keys stay hidden and there is nothing for Shor's algorithm to attack. The device itself and your seed backup are outside quantum reach entirely.

Will quantum computers be able to guess my seed phrase?

No. A seed phrase maps to keys through hash functions, and hashes only face Grover's algorithm, which cuts effective security from 256 bits to 128 bits. A 128-bit search is still far beyond any projected machine. Seed phrase risk remains what it always was: physical theft, photos, and phishing.

What happens to Satoshi's coins if quantum computers arrive first?

The roughly 1.1 million BTC attributed to Satoshi sit on early pay-to-pubkey outputs whose keys have been exposed since 2009. If a capable machine arrives before the network acts, whoever runs it could sweep those coins. BIP-361 proposes freezing unmigrated vulnerable outputs instead, which is currently the community's most contested open question.

Should I move to a quantum-resistant cryptocurrency instead?

That trade swaps a slow, well-understood, publicly managed risk for immediate ones: thin liquidity, unproven codebases, and marketing built on fear. Bitcoin has a published migration path in BIP-360 and years of runway. If quantum resistance is your concern, avoiding address reuse gets you most of the protection for free.

Did the April 2026 quantum break put any real coins at risk?

No. A researcher broke a 15-bit elliptic curve key, winning Project Eleven's 1 BTC bounty. Bitcoin keys are 256 bits, and each added bit roughly doubles the difficulty, so the remaining gap is around 2 to the power of 241. The event's value was making progress measurable, not threatening wallets.

How will I know when it is actually time to worry?

Watch three signals: public elliptic curve breaks climbing toward triple-digit bit sizes, BIP-360 moving from merged proposal to activation debate, and exchanges or custodians announcing post-quantum migration dates. All three will play out in public over years. If none of them is happening, the scary headline you just read is noise.

Does Taproot make Bitcoin more vulnerable to quantum attacks?

Slightly and knowingly. Taproot addresses encode a public key directly rather than a hash, so unspent Taproot coins count as exposed. The designers accepted this because hashing only protects a key until the first spend anyway, and because a real quantum defense requires new signature schemes, not better hiding.

Last updated: 2026-06-30.