The calm, cited version of “quantum will break Bitcoin” — which part is actually at risk, how far away it is, and the free hygiene that protects most personal risk today.
Frontier briefing · quantum & your coins
Quantum vs Bitcoin: understand the threat, then breathe.
You have probably seen a headline saying quantum computers will "break Bitcoin." Here is the calm, cited version. No quantum computer has ever broken a real Bitcoin key — and the part everyone gets wrong is which part is even at risk. Every risk below is paired with what you can do about it, today, for free.
Signatures (ECDSA): the exposed part · Hashing & mining (SHA-256): stays safe · Defenses already exist (NIST 2024)
Educational explainer — not financial advice. Nothing here is a buy, sell, or hold signal, a price prediction, or a recommendation. Every future capability and date is an Estimate — experts disagree, and no quantum computer has ever broken a real Bitcoin key. This is not a reason to buy, sell, or panic. Sources are cited inline and listed at the end.
The one idea: it threatens signatures, not hashing
Quantum computing is not one magic key that unlocks everything. Two different algorithms hit two different parts of Bitcoin very differently. Get this one asymmetry and you understand the whole debate. Each card below gives the plain-English why.
Signatures — ECDSA
Broken by Shor's algorithm
⚠ At risk — breakable
Shor's algorithm solves the elliptic-curve discrete-log problem in polynomial time. A future cryptographically-relevant quantum computer (CRQC) could derive your private key from a public key that is already visible on-chain. This is not "harder" — it is solved. [Fact]
If your public key is exposed, the signature scheme is the weak point.
Hashing & mining — SHA-256
Only dented by Grover's algorithm
✓ Largely safe
Grover's algorithm gives only a quadratic speedup — it cuts brute force from ~2^256 to ~2^128, which is still astronomically infeasible, and is trivially mitigated by longer hashes. So mining and address hashing stay largely safe. [Fact]
No "break" here — just a speed bump, fixable if it ever mattered.
The whole story in one line: quantum breaks the lock that proves ownership (signatures), not the lock that secures the ledger (hashing).
Source: Shor / Grover analysis via postquantum.com; Google Quantum AI ECDLP work. [Estimate] on all "future CRQC" capability.
How far away is it, really? The qubit reality gap
Headlines count physical qubits. Breaking Bitcoin needs error-corrected logical qubits — and roughly 1,000 noisy physical qubits are needed to build one good logical one. That gap is the load-bearing caveat. The bars below are to scale.
Largest machines today (noisy, not error-corrected): ≈ 1,000 physical qubits
Estimated to break secp256k1 (error-corrected): ≈ 300k–500k physical qubits [estimate]
That is ~1,200–1,450 logical qubits, which maps to well under ~500,000 physical, error-corrected qubits (surface code). Today's hardware is orders of magnitude short. Anchor: Gidney (Google, May 2025) lowered RSA-2048 to under ~1M noisy physical qubits; Bitcoin's 256-bit curve needs fewer resources than RSA-2048, so ECC could fall first. [Estimate]
Source: Google Quantum AI ECDLP-256; Gidney arXiv:2505.15917 (preprint). Curated constant, manually reviewed 2026-06-20.
What is actually exposed? A range, not a scary single number
How much Bitcoin is quantum-vulnerable depends entirely on methodology, so we show it as a range. The honest answer is "roughly a quarter to a third" — and a large chunk of that is hygiene you can fix.
25–33% of BTC in circulation, potentially exposed [Estimate]
≈ 4M–6.9M BTC. Source: Deloitte (~25% / ~4M); other 2026 analyses up to ~one-third (Project Eleven).
Address type | Status | Why
P2PK (pay-to-public-key) | Vulnerable | Pubkey on-chain since 2009 (~2M BTC, Satoshi-era)
Reused P2PKH | Vulnerable | Pubkey revealed on first spend; reuse leaves it exposed (~2.5M BTC)
P2PKH never reused | Safer | Only the hash is on-chain; pubkey shown only at spend
Mining / SHA-256 PoW | Safe | Grover is quadratic-only
"Harvest now, decrypt later": blockchains publish the harvestable material permanently and cannot be re-encrypted, so exposed public keys are a clean long-horizon target. That is real — and it is why hygiene matters now, not a reason to panic. Spending from a reused address briefly puts your pubkey in the public mempool; a future CRQC could in principle front-run it. This is hypothetical: it is contingent on a CRQC existing and is not exploitable today. [Estimate]
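As an added example (not code from the page), here is a Python classifier that applies the table's logic to raw scriptPubKeys: P2PK exposes the key, P2PKH only its hash until spent, and a script that has already been spent from (address reuse) counts as exposed. It goes beyond the page's table by also covering segwit v0 P2WPKH (hash only) and taproot P2TR, whose 32-byte output key sits directly on-chain; the key and hash bytes are constructed placeholders, and `spent_from` is assumed to be supplied from your own wallet history.

```python
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC


def script_kind(spk: bytes) -> str:
    """Recognise the standard scriptPubKey templates; anything else is 'unknown'."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"    # <33/65-byte pubkey> OP_CHECKSIG: the key itself is on-chain
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"   # OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"  # segwit v0: OP_0 <20-byte HASH160(pubkey)>, hash only
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"    # taproot: OP_1 <32-byte x-only output key>, the key itself is on-chain
    return "unknown"


def exposure(spk: bytes, spent_from: set[bytes]) -> str:
    """'exposed': pubkey readable today (Shor target); 'hashed': only HASH160 public until spend."""
    kind = script_kind(spk)
    if kind in ("p2pk", "p2tr"):
        return "exposed"
    if kind in ("p2pkh", "p2wpkh"):
        # The first spend from a hash-only script reveals its pubkey, so coins still sitting at
        # a script that was spent from before (address reuse) are exposed; never-spent stays hashed.
        return "exposed" if spk in spent_from else "hashed"
    return "unknown"


def audit(utxos: list[tuple[bytes, int]], spent_from: set[bytes]) -> dict[tuple[str, str], int]:
    """Sum satoshis per (script kind, exposure) so a holder sees what hygiene can still fix."""
    totals: dict[tuple[str, str], int] = {}
    for spk, sats in utxos:
        key = (script_kind(spk), exposure(spk, spent_from))
        totals[key] = totals.get(key, 0) + sats
    return totals


# Constructed sample data (added example, not the page's): placeholder key/hash bytes, not real keys.
PUBKEY = b"\x02" + b"\x11" * 32
HASH_A, HASH_B, XONLY = b"\x22" * 20, b"\x33" * 20, b"\x44" * 32
P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_B = bytes([OP_0, 20]) + HASH_B
P2TR = bytes([OP_1, 32]) + XONLY
SAMPLE_UTXOS = [(P2PK, 50_0000_0000), (P2PKH_A, 1_0000_0000),
                (P2WPKH_B, 2_0000_0000), (P2TR, 3_0000_0000)]
SAMPLE_SPENT_FROM = {P2PKH_A}   # address A was spent from before: its pubkey is already public
if __name__ == "__main__":
    for (kind, status), sats in sorted(audit(SAMPLE_UTXOS, SAMPLE_SPENT_FROM).items()):
        print(f"{kind:7s} {status:8s} {sats / 1e8:.8f} BTC")
```

Anything reported as "exposed" is the case the hygiene moves on this page address (sweep to a fresh, never-spent address); "hashed" is the state to preserve by not reusing the address.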
Is my coin exposed? A 30-second self-check
This is a pure learning tool. It connects to nothing, asks for no address, and collects nothing. You answer about how you hold — it explains where you sit and the free fix.
Are any of your coins in a P2PK (pay-to-public-key) output — e.g. very old, Satoshi-era, or early-mining coins?
Full guidance (works without JavaScript):
How you hold | Where you sit | Free fix
P2PK / Satoshi-era / early-mining coins | Vulnerable | Move them to a fresh, never-spent modern address so only a hash is on-chain.
You reuse the same address to receive repeatedly | Vulnerable | Stop reusing; sweep to a fresh address and use a new one each time.
Modern wallet, each address used once, never reused | Safer | Keep doing that. Only the hash is public until you spend; stay non-reusing.
This tool never asks for and never accepts a seed phrase, private key, passphrase, or wallet address. There is no field that could hold a secret. Never type those into any website, including this one.
When? A band of uncertainty, not a "Q-Day"
Anyone selling you a single "Q-Day" date is selling marketing. The Global Risk Institute's 2025 expert survey (26 experts) gives probabilities over time — shown here as a shaded band, because experts genuinely disagree.
[Chart: rising likelihood over time. Estimate; expert elicitation, not a prediction.]
Source: Global Risk Institute, Quantum Threat Timeline Report 2025. Credible range ≈ 10–20 years, mass risk early-to-mid 2030s, wide bands. Experts disagree — treat any fixed date as marketing.
What you can do today — free, right now
Two address-hygiene moves protect most personally-held, fixable risk. No tools to buy, no signup.
✓ Do-it-now · #1
Never reuse an address
Use a fresh receive address each time. A non-reused P2PKH only ever shows its hash on-chain — the pubkey stays hidden until you spend.
✓ Do-it-now · #2
Move exposed coins to a fresh address
If coins sit in a P2PK or a reused address, send them to a brand-new, never-spent address so only a hash is published. [Fact]
What the protocols are already doing
NIST PQC standards
FIPS 204 ML-DSA (signature replacement), FIPS 205 SLH-DSA, FIPS 203 ML-KEM. Finalized 2024-08-14.
Finalized & published
Bitcoin BIP-360 (P2QRH)
Quantum-resistant outputs merged to the BIP repo; testnet work in 2026.
Exists — not consensus-active
Ethereum PQC
Account abstraction lets accounts opt into PQC signatures; EF formed a PQ team Jan 2026.
Proposals — timing estimated
Sources: NIST (FIPS 203/204/205); Bitcoin Magazine / bip360.org; ethereum.org & pq.ethereum.org. "Exists, not active" labels are deliberate.
The calm, honest summary
No false comfort, no doom. Six grounded talking points — and the one residual risk hygiene can't fix.
1. No quantum computer today is within orders of magnitude of breaking secp256k1. (Google ECDLP / Gidney 2025)
2. Hashing and mining stay safe — Grover is only a quadratic speedup. (postquantum.com)
3. The defenses already exist: NIST finalized post-quantum standards in 2024. (NIST)
4. Migration paths are in motion — Bitcoin BIP-360, Ethereum PQC. (bip360.org / ethereum.org)
5. You can protect most personal risk today, for free, with address hygiene. (actionable now)
6. Experts put the credible window at roughly 10–20 years, with wide disagreement. (GRI QTTR 2025) [Estimate]
The honest residual: roughly 4M BTC in permanently-exposed addresses (including lost Satoshi-era coins) cannot be protected by individual hygiene — a real network-level concern that migration timing must address. That is precisely why this topic deserves calm attention, not panic and not dismissal.
Sources & citations (every hard number traces here)