Quantum computing poses a real threat to Bitcoin, and 99% of people are getting it wrong.

Written by: nvk

Compiled by: Saoirse, Foresight News

TL;DR

Bitcoin does not use encryption; it uses digital signatures. Nearly every article gets this wrong, and the distinction is crucial.

Quantum computers cannot break Bitcoin in 9 minutes. That figure is the running time of a theoretical circuit on a machine that does not exist, and that most expert estimates put at least a decade away.

Quantum mining is physically out of reach. The power it would require is a few percent of the Sun's entire output.

Bitcoin can absolutely be upgraded— it has successfully upgraded before (Segregated Witness, Taproot), and the related work has already started (BIP-360). But the community needs to move faster.

The real reason for upgrading is not a quantum threat. Traditional mathematics has already broken countless cryptographic systems; secp256k1 is very likely next. To date, quantum computers have not broken any cryptographic system.

There is, however, a real risk: the public keys for about 6.26 million Bitcoins have already been exposed. This is not something worth panicking over, but it is worth preparing for in advance.

Main storyline

In one sentence, here is everything I’m going to say next:

The threat of quantum attacks against Bitcoin is real, but still far away; media coverage is broadly inaccurate and exaggerated; and the most dangerous thing is not quantum computers, but a complacent attitude disguised as panic or “who cares.”

Whether it’s people shouting “Bitcoin is finished” or those claiming “nothing to worry about—stop freaking out,” they’re both wrong. To see the truth, you have to accept two things at the same time:

Bitcoin currently has no imminent quantum threat; the real threat is likely much farther out than tabloid-style headlines suggest.

But the Bitcoin community still needs to prepare early, because the upgrade process itself takes years.

This is not a reason to panic—it’s a reason to act.

Below, I’ll lay it out with data and logic.

[Figure: Shor's algorithm (left) versus Grover's algorithm (right). Shor gives an exponential speedup for factoring and discrete logarithms and directly breaks public-key schemes such as RSA and ECC; Grover is a general-purpose search accelerator that gives only a square-root speedup for unstructured search. Together they show the disruptive potential of quantum computing, but both depend on error-corrected hardware that cannot yet be scaled to a practical deployment.]

Media playbook: Clickbait headlines are the biggest risk

Every few months, the same script repeats:

A certain quantum computing lab publishes a rigorous research paper, heavily qualified with many conditions.

Tech media immediately turns it into: “Quantum computer breaks Bitcoin in 9 minutes!”

Crypto Twitter boils it down to: “Bitcoin is dead.”

Your friends and relatives message you asking whether you should quickly sell.

But the original paper doesn’t say any of that.

In March 2026, Google's Quantum AI team published a paper stating that the physical quantum resources needed to break Bitcoin's elliptic-curve cryptography could be reduced to under 500,000 qubits, a 20x improvement over earlier estimates. This is important research, and Google handled it carefully: the paper did not disclose an actual attack circuit, only a zero-knowledge proof.

But the paper never said: that Bitcoin can be broken right now, with a clear timeline, or that people should panic.

Yet the headline becomes: “Break Bitcoin in 9 minutes.”

CoinMarketCap once ran an article titled "Will AI-accelerated quantum computing destroy Bitcoin in 2026?", and the body spends its whole length explaining that the answer is almost certainly "no." This is the classic pattern: a sensational headline to get the clicks, a careful and accurate body underneath. But a widely cited study of social-media sharing found that 59% of shared links are never clicked by the people sharing them. For most readers, the headline is the information.

There's a line that captures it well: "Markets price risk extremely fast. You can't steal something and have it go to zero the moment you get it." If quantum computing truly could upend everything, the stock prices of companies whose business rests on the same public-key cryptography (Google included) would already have crashed. Google's stock is steady.

Conclusion: The headline is the real rumor. The research itself is real and worth understanding—so let’s look at it seriously.

What quantum computers truly threaten—and what they don’t

Biggest misconception: “encryption”

Almost all articles about quantum computing and Bitcoin use the word “encryption.” That’s wrong, and the wrongness affects everything.

Bitcoin doesn’t protect assets through encryption; it protects them through digital signatures (ECDSA, later using Schnorr via Taproot). The blockchain itself is public: all transaction data is forever visible to everyone. There’s nothing to “decrypt” in the first place.

As Adam Back, the inventor of Hashcash cited in Bitcoin’s whitepaper, put it: “Encryption means data is hidden and can be decrypted. Bitcoin’s security model is based on signatures, used to prove ownership, without exposing private keys.”

This isn’t pedantry. It means the most urgent “collect now, decrypt later” type of threat in the quantum realm simply doesn’t apply to Bitcoin asset security. There is no encrypted data to collect—exposed public keys are already openly available on-chain.

Two quantum algorithms: one is a real threat; the other is negligible

Shor's algorithm (a real threat): it solves, in polynomial time, the discrete logarithm problem that digital signatures rest on. Against secp256k1 that means recovering a private key from an exposed public key, and with it forging signatures for that key. This is the part worth worrying about.

Grover's algorithm (not a threat): it gives only a square-root speedup for preimage search on hash functions such as SHA-256. It sounds scary until you run the numbers, at which point it turns out to be completely unrealistic.

A 2025 paper, "Quantum Mining at the Kardashev Scale", calculates that at Bitcoin's current difficulty, quantum mining would require:

about 10^23 physical qubits (the largest machines built so far have on the order of 1,500)

about 10^25 watts of power (the Sun's total output is about 3.8×10^26 watts)

That is roughly 3% of the Sun's entire output. On the Kardashev scale humanity sits at about 0.73; a power budget of that size belongs to a Type II civilization. For any practical purpose it is physically out of reach.

(Note on the Kardashev scale: a Type I civilization harnesses the full energy of a planet (Earth); a Type II civilization harnesses the full output of a star (the Sun).)

By comparison: even with the most idealized design, a quantum miner's hash rate would be only about 13.8 GH/s, while an ordinary Antminer S21 reaches about 200 TH/s. The conventional ASIC is roughly 14,500 times faster.

Quantum mining simply does not hold up. It is impossible now, it will be impossible in 50 years, and there is no reason to expect that to change. Anyone who says a quantum computer can "break Bitcoin mining" is mixing up two entirely different algorithms.
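To make the square-root speedup concrete, here is an added worked example (my own illustration, not code from the article or from the Kardashev-scale paper). It decodes a block header's compact target, turns it into the expected number of double-SHA256 evaluations per block, applies Grover's (π/4)·sqrt(N) iteration count, and converts that into the hash rate an ASIC would need to match. The difficulty value 0x17034219, the 1 second per fault-tolerant Grover iteration and the 200 TH/s ASIC are illustrative assumptions; the paper's 13.8 GH/s figure comes from its own hardware model. The part the headlines miss is in quantum_equivalent_hashrate: Grover iterations are sequential, so adding k machines only buys a factor of sqrt(k), and machines_to_match shows how many complete fault-tolerant computers it takes to keep up with a single ASIC.

```python
"""Grover's algorithm against proof-of-work: the square-root speedup, in the open.

Added example, not from the article or the Kardashev-scale paper it cites.
The difficulty (compact 'bits' field) and the seconds per Grover iteration are
illustrative assumptions, not measured values; change them and re-run.
"""
import math


def target_from_nbits(nbits: int) -> int:
    """Decode the block header's compact target (3-byte mantissa, 1-byte exponent)."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("negative target is invalid")
    if exponent >= 3:
        return mantissa << (8 * (exponent - 3))
    return mantissa >> (8 * (3 - exponent))


def expected_hashes_per_block(target: int) -> float:
    """Classical search: each double-SHA256 attempt wins with probability (target+1)/2^256."""
    return 2 ** 256 / (target + 1)


def grover_iterations(target: int) -> float:
    """Grover finds one of M marked items among N in about (pi/4)*sqrt(N/M) oracle calls;
    N/M is exactly the expected number of classical hashes per block."""
    return (math.pi / 4) * math.sqrt(expected_hashes_per_block(target))


def quantum_equivalent_hashrate(target: int, seconds_per_iteration: float, machines: int = 1) -> float:
    """Hash rate (H/s) an ASIC farm would need to find blocks as fast as this quantum setup.
    Grover iterations are inherently sequential; k machines searching disjoint slices
    each need sqrt(N/k) iterations, so wall-clock time improves only by sqrt(k)."""
    iterations = grover_iterations(target) / math.sqrt(machines)
    seconds_per_block = iterations * seconds_per_iteration
    return expected_hashes_per_block(target) / seconds_per_block


def machines_to_match(target: int, seconds_per_iteration: float, asic_hashrate: float) -> int:
    """Fault-tolerant quantum computers needed to equal one ASIC of the given hash rate."""
    ratio = asic_hashrate / quantum_equivalent_hashrate(target, seconds_per_iteration)
    return math.ceil(ratio * ratio)


def demo(nbits: int = 0x17034219, seconds_per_iteration: float = 1.0,
         asic_hashrate: float = 200e12) -> dict:
    """Assumed 2024-era difficulty, 1 s per fault-tolerant Grover iteration, one 200 TH/s ASIC."""
    target = target_from_nbits(nbits)
    iterations = grover_iterations(target)
    return {
        "expected_hashes": expected_hashes_per_block(target),
        "grover_iterations": iterations,
        "years_per_block_one_machine": iterations * seconds_per_iteration / 31_557_600,
        "quantum_equivalent_hashrate": quantum_equivalent_hashrate(target, seconds_per_iteration),
        "machines_to_match_one_asic": machines_to_match(target, seconds_per_iteration, asic_hashrate),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.4g}" if isinstance(value, float) else f"{key}: {value}")
```

Under these assumptions a single machine needs on the order of 10^4 years per block and matches well under 1 TH/s; tens of thousands of such machines would be needed to keep pace with one retail ASIC, and every one of them is a full fault-tolerant computer. Tighten the per-iteration latency by a factor of 100 and the machine count only drops by that same factor squared-rooted, which is the whole point of the square-root speedup.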

The 8 common claims floating around—7.5 of them are wrong

Claim 1: “The moment quantum computers appear, all Bitcoins will be stolen overnight”

The truth is: only coins whose public keys are already exposed are at risk. Hash-based output types (P2PKH, P2SH, P2WPKH, P2WSH) commit only to a hash of the key or script; the public key itself reaches the chain only when you spend. Taproot (P2TR) is the exception: it places the tweaked public key directly in the output. So for a non-Taproot address that you never reuse and have never spent from, your public key never appears on the blockchain.

The breakdown is:

Class A (directly at risk): about 1.7 million BTC use the older P2PK format, and the public keys are fully exposed.

Class B (risk exists but can be mitigated): about 5.2 million BTC are in reused addresses and Taproot addresses; users can avoid risk by migrating.

Class C (brief exposure): every spend reveals the public key the moment the transaction is broadcast, and the transaction remains replaceable until it is mined (about 10 minutes on average, longer under congestion). In that window the key is public while the funds are still in motion.

According to Chaincode Labs’ estimate, a total of about 6.26 million BTC have exposed public-key risk, accounting for roughly 30%–35% of the total supply. The number is indeed large, but it’s absolutely not “all Bitcoins.”
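An added example (my own, not code from the article, Chaincode Labs or any Bitcoin implementation) that makes the three classes mechanical: it classifies scriptPubKeys by whether the key is already in the output (P2PK, P2TR) and replays a small constructed ledger to find funded outputs whose key was revealed by an earlier spend from the same script (address reuse). Keys, hashes, txids and values are constructed stand-ins, and transactions are plain dicts rather than serialized Bitcoin transactions.

```python
"""Which Bitcoin outputs put a public key on-chain, and which coins sit behind one.

Added example, not code from the article or from any Bitcoin project. It uses
only the standard library and constructed stand-in data: KEY33 is a fixed
33-byte string in compressed-pubkey shape (not a real secp256k1 point) and the
20/32-byte "hashes" are truncated SHA-256 digests standing in for hash160 and
script hashes. Transactions are modelled as dicts, not real serialized txs.
"""
import hashlib

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


# --- output script templates -------------------------------------------------
def p2pk(pubkey: bytes) -> bytes:        # <pubkey> OP_CHECKSIG   (key sits in the output)
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh(key_hash20: bytes) -> bytes:   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    return bytes([OP_DUP, OP_HASH160, 20]) + key_hash20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2sh(script_hash20: bytes) -> bytes:  # OP_HASH160 <20> OP_EQUAL
    return bytes([OP_HASH160, 20]) + script_hash20 + bytes([OP_EQUAL])


def p2wpkh(key_hash20: bytes) -> bytes:   # OP_0 <20>
    return bytes([OP_0, 20]) + key_hash20


def p2wsh(script_hash32: bytes) -> bytes:  # OP_0 <32>
    return bytes([OP_0, 32]) + script_hash32


def p2tr(output_key_x32: bytes) -> bytes:  # OP_1 <32-byte tweaked x-only key>
    return bytes([OP_1, 32]) + output_key_x32


def classify(spk: bytes):
    """Return (type, exposed): exposed means the output script itself contains a
    public key, so the key is public from the moment the output is funded."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "P2SH", False
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", False
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True
    return "unknown", False


def exposed_funded_utxos(txs):
    """Replay transactions in order; return unspent outputs whose key is public.

    Two ways a funded output ends up exposed:
      * its script contains the key (P2PK, P2TR)
      * the same scriptPubKey was spent from earlier, so the scriptSig/witness
        already revealed the key (or the redeem script holding it): address reuse
    """
    utxos = {}          # (txid, vout) -> (scriptPubKey, value)
    spent_from = set()  # scriptPubKeys whose key/script preimage is now on-chain
    for tx in txs:
        for prev in tx["inputs"]:
            spk, _ = utxos.pop(prev)
            spent_from.add(spk)
        for vout, (spk, value) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], vout)] = (spk, value)
    at_risk = []
    for (txid, vout), (spk, value) in utxos.items():
        kind, in_script = classify(spk)
        if in_script:
            at_risk.append((txid, vout, kind, value, "key in output script"))
        elif spk in spent_from:
            at_risk.append((txid, vout, kind, value, "reused after a spend"))
    return at_risk


def demo():
    """Constructed sample ledger (values in sats). Inputs reference (txid, vout)."""
    h = lambda label, n: hashlib.sha256(label).digest()[:n]   # stand-in hash, constructed
    KEY33 = b"\x02" + bytes(range(32))                        # constructed, not a real point
    alice = p2pkh(h(b"alice", 20))
    txs = [
        {"txid": "cb0", "inputs": [], "outputs": [(p2pk(KEY33), 50_0000_0000)]},
        {"txid": "t1", "inputs": [], "outputs": [(alice, 1_0000_0000), (alice, 2_0000_0000),
                                                 (p2wpkh(h(b"bob", 20)), 5000_0000),
                                                 (p2tr(h(b"carol", 32)), 7000_0000)]},
        {"txid": "t2", "inputs": [("t1", 0)],
         "outputs": [(p2wpkh(h(b"alice-change", 20)), 9000_0000)]},
    ]
    return exposed_funded_utxos(txs)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the sample ledger the P2PK coinbase and the P2TR output are flagged the moment they are funded (class A and the Taproot part of class B), and Alice's second P2PKH output is flagged only after she spends her first one, because that spend put her key in a scriptSig for anyone to read (the reuse part of class B). Bob's P2WPKH output, never spent from, is not flagged. The same replay over a real chain is what produces estimates like Chaincode's 6.26 million BTC.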

Claim 2: “Satoshi’s coins will be stolen, instantly dumped to zero”

Half right, half wrong. About 1.1 million BTC attributed to Satoshi sit in P2PK outputs with their public keys fully exposed; those are genuinely high-risk. But:

A quantum computer that could break these private keys simply does not exist today.

Any state that gets early quantum capability would point it at intelligence and military systems, not at the public spectacle of openly stealing bitcoin (as the Quantum Canary Research Group might put it).

Scaling from today's roughly 1,500 physical qubits to hundreds of thousands of fault-tolerant ones requires years of major engineering breakthroughs, and the pace of progress is highly uncertain.

Claim 3: “Bitcoin can’t be upgraded—too slow, governance is chaotic”

This claim is not correct, but it’s not entirely without basis. In Bitcoin’s history, it has successfully completed multiple major upgrades:

Segregated Witness (SegWit, 2015–2017): extremely controversial, nearly failed, directly led to a Bitcoin Cash fork, but ultimately went live successfully.

Taproot (2018–2021): rolled out smoothly; from proposal to mainnet activation took about 3.5 years.

The leading quantum-resistant proposal, BIP-360, was formally added to the Bitcoin BIP repository in early 2026. It introduces a new bc1z address type and drops Taproot's key-path spend, the part that is vulnerable to a quantum attacker. The proposal is still a draft; a testnet has already exercised Dilithium (ML-DSA) post-quantum signature opcodes.

Co-author Ethan Heilman of BIP-360 estimates the full upgrade cycle to be about 7 years: 2.5 years of development and review, 0.5 years of activation, and 4 years of ecosystem migration. He admits, “This is just a rough estimate—no one can give an exact timeline.”

Objective conclusion: Bitcoin can be upgraded, and the upgrade has already started, but it is still in an early stage and needs to accelerate. Claiming it is “completely impossible to upgrade” is wrong, and claiming it has “already been fully upgraded” is also wrong.

Claim 4: “We only have 3–5 years left”

Probably not, but you also can’t completely dismiss it. Experts’ time estimates vary wildly:

Adam Back (Hashcash inventor, cited in Bitcoin’s whitepaper): 20–40 years

Jensen Huang (CEO of NVIDIA): 15–30 more years for practical quantum computers

Scott Aaronson (quantum computing authority at the University of Texas at Austin): refuses to provide a timeline and says breaking RSA might require “a billion-billion-dollar level investment”

Craig Gidney (Google Quantum AI): only a 10% probability of achieving it before 2030; also believes that, under existing conditions, it’s hard for quantum resources to see another 10x optimization, and the optimization curve may have flattened

A survey of 26 quantum security experts: the probability of risk appearing within 10 years is 28%–49%

Ark Invest: “Long-term risk, not imminent”

Worth noting: Google's Willow chip crossed the quantum error-correction threshold in late 2024. Below threshold, each step up in code distance (3, 5, 7) divides the logical error rate by a constant factor, 2.14 on Willow, so logical error falls exponentially with code distance. How quickly real hardware can add the physical qubits that larger distances demand is a separate question, and that curve could be slow or fast. Passing the threshold shows that scaling is feasible, not that it will be quick, easy or inevitable.

Also, in Google’s March 2026 paper, they did not publish an actual attack circuit—only a zero-knowledge proof. Scott Aaronson also reminds that future researchers may not publicly disclose resource estimates needed to break cryptography. Therefore, we might not be able to detect the arrival of a “quantum crisis day” far in advance.

Even so, building a computer with hundreds of thousands of fault-tolerant qubits remains a massive engineering challenge. Shor-style factoring on today's most advanced hardware tops out at numbers of around 13 digits; the 256-bit discrete logarithm behind Bitcoin is comparable in difficulty to factoring an RSA modulus of over a thousand decimal digits. That gap will not close overnight, but the trend deserves attention rather than dismissal.

Claims 5–8: Quick clarifications

“Quantum computing will destroy mining”

Wrong. The power requirement is a few percent of the Sun's total output; see the mining section above.

“Collect data now, decrypt later”

This does not apply to theft of assets (the blockchain is public), though it can affect privacy to some extent—so it’s a secondary risk.

“Google says it can break Bitcoin in 9 minutes”

Google is referring to a theoretical circuit running time of about 9 minutes on a nonexistent 500k-qubit quantum machine. Google has explicitly warned against such panic-inducing claims and withheld the details of the attack circuit.

“Post-quantum cryptography isn’t mature yet”

The U.S. National Institute of Standards and Technology (NIST) has already standardized ML-KEM, ML-DSA and SLH-DSA (FIPS 203, 204 and 205, August 2024). The algorithms are mature; the challenge is deploying them in Bitcoin, not inventing them from scratch.

The five issues I’m truly worried about

A debunking article that dismisses everything would lose credibility. Here are the five issues that worry me deeply:

Estimates of the number of qubits needed to break cryptography keep falling, though the trend may be slowing. In 2012 the estimates ran to 1 billion qubits; by 2019 it was 20 million; by 2025 it was below 1 million. In early 2026, Oratomic claimed that only 10,000 physical qubits would suffice on a neutral-atom architecture. Read that with care: all nine authors are Oratomic shareholders, and the 101:1 physical-to-logical ratio their estimate relies on has never been demonstrated (ratios in published surface-code estimates run to the thousands to one). Note too that the computation Google's superconducting architecture performs in "9 minutes" would take many orders of magnitude longer on neutral-atom hardware; these are completely different devices with wildly different speeds. Gidney himself says the optimization curve may have reached a plateau. Even so, nobody knows when the lines for "qubits required" and "qubits available" will cross. The only honest conclusion is that the uncertainty is enormous.

The set of exposed public keys is growing, not shrinking. Bitcoin's newest address format, Taproot (P2TR), writes the tweaked output key directly on-chain, which gives a quantum attacker an unlimited offline window to work on it. Bitcoin's most recent upgrade, ironically, weakened its quantum resistance, and that irony deserves some hard thought. Nor is the problem confined to on-chain addresses: Lightning Network channels, hardware-wallet connections, multisig setups and xpub-sharing services all spread public keys by design. Once a cryptographically relevant quantum computer (CRQC) exists, "keep public keys private" is not a realistic defence for a system built around sharing them. BIP-360 is only the first step, far from a complete solution.
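An added example, not from the article or from BIP-341 itself, to show exactly what a P2TR output exposes. It implements the BIP-341 tweak Q = P + t·G in pure Python (unhardened secp256k1 arithmetic, for demonstration only) and checks that the scalar a wallet uses for a key-path spend is precisely the discrete log of the 32-byte key sitting in the scriptPubKey. The private key, derived from a fixed string, is a constructed demo value; merkle_root defaults to empty, i.e. a key-only Taproot output.

```python
"""What a Taproot (P2TR) output puts on-chain: the tweaked public key Q itself.

Added example, not code from the article, BIP-341 or any wallet. Pure-Python
secp256k1 arithmetic, unhardened and slow, here only to make the exposure
concrete: the 32 bytes after OP_1 in a P2TR scriptPubKey are the x coordinate
of Q = P + t*G, and the scalar behind Q is exactly the key-path signing key.
The private key d in demo() is a constructed value derived from a fixed string.
"""
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def lift_x(x: int):
    """BIP-340 lift_x: the curve point with this x coordinate and even y."""
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)      # valid square root because P % 4 == 3
    if y * y % P != y_sq:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P - y)


def taproot_tweak(internal_x: int, merkle_root: bytes = b"") -> int:
    """t = H_TapTweak(x(P) || merkle_root); with no script tree the root is empty."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x.to_bytes(32, "big") + merkle_root), "big")
    if t >= N:
        raise ValueError("tweak out of range")   # BIP-341 says fail; probability ~2^-128
    return t


def taproot_output_key(internal_x: int, merkle_root: bytes = b"") -> int:
    """x(Q) for Q = P + t*G. This value is what the chain sees."""
    Q = point_add(lift_x(internal_x), point_mul(taproot_tweak(internal_x, merkle_root), G))
    return Q[0]


def p2tr_script_pubkey(internal_x: int, merkle_root: bytes = b"") -> bytes:
    """OP_1 <32-byte x(Q)>: the tweaked key sits verbatim in the output."""
    return bytes([0x51, 32]) + taproot_output_key(internal_x, merkle_root).to_bytes(32, "big")


def key_path_secret(d: int, merkle_root: bytes = b"") -> int:
    """Scalar that signs a key-path spend: (d, or N-d if y(P) is odd) + t."""
    px, py = point_mul(d, G)
    d_even = d if py % 2 == 0 else N - d
    return (d_even + taproot_tweak(px, merkle_root)) % N


def demo():
    """Show that the scalar behind the on-chain key is the key-path spending key."""
    d = int.from_bytes(hashlib.sha256(b"demo internal key").digest(), "big") % N   # constructed
    internal_x = point_mul(d, G)[0]
    spk = p2tr_script_pubkey(internal_x)
    q = key_path_secret(d)
    # x(q*G) equals the 32 bytes on-chain: solving the discrete log of the output
    # key yields q (or N - q), which is all a key-path spend requires.
    return spk, point_mul(q, G)[0] == int.from_bytes(spk[2:], "big")


if __name__ == "__main__":
    spk, ok = demo()
    print(spk.hex(), ok)
```

The consequence is the one BIP-360 addresses: whoever computes the discrete log of x(Q) obtains the key-path signing key outright, and the script tree, if any, does not help because the key path bypasses it. Removing the key path (so that spending goes only through a post-quantum script leaf) is what closes this exposure; it also explains why Taproot funds that have never been spent from are still counted in class B.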

Bitcoin governance moves slowly, but there is still a window. Since November 2021, Bitcoin's base protocol has not activated a single soft fork, leaving it stalled for more than four years. Google plans to complete its own post-quantum migration by 2029, while the most optimistic estimate for Bitcoin is no earlier than 2033. Since a cryptographically relevant quantum computer is very likely still far off (most credible forecasts put it in the 2040s, or never), this is not an immediate crisis, but it is no reason for complacency either. The earlier preparation starts, the less pressure there will be later.

Satoshi's coins are a game-theoretic puzzle with no clean answer. About 1.1 million BTC sit in P2PK outputs whose owner has vanished, so nobody can move them. Ignoring them, freezing them or destroying them each carries severe consequences; there is no perfect option.

The blockchain is a permanent list of attack targets. Every exposed public key will be recorded forever. Agencies around the world can already start preparing and simply wait for the time. Defense requires proactive coordination across multiple parties, while an attack only needs patience to wait.

These are real challenges. But there’s another side to this that’s also worth paying attention to.

Why the quantum threat could be extremely far away—or never arrive at all

Multiple serious physicists and mathematicians (not extremists) believe that reaching the scale of fault-tolerant quantum computing needed to break cryptography may face fundamental physical obstacles—not just engineering technical difficulties:

Leonid Levin (Boston University, co-discoverer of NP-completeness): "Quantum amplitudes must be precise to hundreds of decimal places, yet humans have never found any physical law that remains valid at precision beyond a dozen decimal places." If nature does not allow precision beyond about 12 decimal places, the entire field hits a physical ceiling.

Michel Dyakonov (University of Montpellier, theoretical physicist): A system of 1,000 qubits would require controlling about 10^300 continuous parameters simultaneously—far more than the total number of atoms in the universe. His conclusion is: “Impossible, never possible.”

Gil Kalai (Hebrew University, mathematician): quantum noise contains unavoidable correlated components that grow with system complexity, making large-scale quantum error correction fundamentally unachievable. His conjecture has been neither proven nor refuted in 20 years, and some experiments have deviated from its predictions; there is evidence on both sides.

Tim Palmer (Oxford University, physicist): His rational quantum mechanics model predicts a hard upper limit on quantum entanglement around 1,000 qubits, far below the scale needed to break cryptography.

None of these are fringe voices, and the track record so far is consistent with their view: practical experience shows that quantum computing capable of threatening cryptographic systems is either far harder to realize than theory suggests, or fundamentally impossible because of physical rules we do not yet understand. The analogy to autonomous driving fits: the demos look great and attract enormous investment, yet for more than a decade the field has kept insisting it is "only five years away."

Most media assumes “quantum computers will eventually break cryptography, it’s only a matter of time.” That’s not a conclusion supported by evidence; it’s an illusion produced by the hype cycle.

The core drivers for upgrading have nothing to do with quantum

Here is a key fact that few people mention (thanks to @reardencode for pointing it out):

To date, cryptographic systems broken by quantum computers: 0;

Cryptographic systems broken by classical mathematical methods: countless.

DES, MD5, SHA-1, RC4, SIKE, the Enigma machine… all fell to classical cryptanalysis and classical compute, not to quantum hardware. SIKE was a fourth-round candidate in NIST's post-quantum competition, and in 2022 it was completely broken in about an hour on an ordinary laptop. For as long as cryptographic schemes have existed, classical cryptanalysis has kept overturning them one after another.

Bitcoin uses the secp256k1 elliptic curve. It could fail at any time due to a mathematical breakthrough; it does not require quantum computing at all. All it would take is a top number-theory mathematician making new progress on the discrete logarithm problem. That has not happened yet, but cryptography’s history is a history of “supposedly secure” systems having their vulnerabilities discovered and proven.

This is the real reason Bitcoin should adopt alternative cryptographic schemes: not because quantum computers are coming soon—maybe they never will—but because for a network worth trillions of dollars, relying on a single cryptographic assumption is a risk that rigorous engineering must actively mitigate.

Quantum-related panic hype, ironically, can obscure this lower-profile but more real vulnerability. Paradoxically, the preparations made to address quantum threats (BIP-360, post-quantum signatures, hash-based alternatives) can also defend against classical cryptanalysis attacks. People did the right things for the wrong reasons—and that’s fine, as long as they ultimately get implemented.

What should you do?

If you hold Bitcoin:

Don’t panic. The threat is real, but it’s still far away—you have plenty of time.

Stop reusing addresses. Spending from an address puts its public key on-chain; sending more funds to that address afterwards parks them behind an already exposed key. Use a fresh address for every receipt.

Follow the progress of BIP-360. Once post-quantum addresses ship, migrate in good time.

For long-term holdings, keep funds in addresses that have never been spent from, so the public key stays hidden (this does not help for Taproot outputs, which expose the key regardless).

Don’t let the headlines set your agenda—read the original papers. The content is more interesting than the coverage and not nearly as scary.

If you’re a Bitcoin developer:

BIP-360 needs more people to review. The testnet is already running, and the code urgently needs inspection.

The 7-year upgrade cycle needs to be compressed. Every year of delay takes a year off the security buffer.

Initiate governance discussions around old, unspent transaction outputs (UTXOs). Satoshi’s Bitcoin will not self-protect; the community needs a solution.

If you just saw a sensational headline: remember, 59% of the shared links are never clicked. Headlines are only there to inflame emotions; the paper is there to provoke thinking. Read the original text.

Conclusion

The threat from quantum computing to Bitcoin is not black or white; there’s a middle ground. On one end: “Bitcoin is over—sell everything now.” On the other end: “Quantum is a scam—no risk at all.” Both extremes are wrong.

The truth lies in a rational, feasible middle: Bitcoin faces clear engineering challenges; parameters are known and R&D is progressing; time is tight but manageable—assuming the community maintains a reasonable sense of urgency.

The most dangerous thing is not quantum computers themselves, but the recurring cycle of public opinion that swings between panic and indifference, preventing people from looking at an essentially solvable problem rationally.

Bitcoin has survived the block-size wars, exchange hacks, regulatory shocks, and the disappearance of the founder. It can also make it through the quantum era. The prerequisite is that the community starts steady preparation now—no panic, no “let it be,” and moving forward with the resilient engineering mindset Bitcoin is built on.

There’s no fire in the house, and it may even never start in the direction everyone is worried about. But cryptographic assumptions are never permanently valid. The best time to harden cryptographic foundations is always before the crisis arrives—not after.

Bitcoin has always been built by a group of people laying groundwork for threats that haven’t happened yet. This isn’t paranoia; it’s engineering thinking.

References: This article draws on 66 research papers from two themed wiki libraries, covering quantum computing resource estimates, analyses of Bitcoin's vulnerabilities, and research on the psychology of debunking and on how content spreads. Core sources include Google Quantum AI (2026), the paper "Quantum Mining at the Kardashev Scale" (2025), the BIP-360 proposal document, Berger and Milkman (2012), "The Debunking Handbook 2020", and commentary from practitioners including Tim Euren, Dan Lu, patio11 and others. The complete wiki materials are open to peer review.
