Interactive explainer

Quantum & Bitcoin

The calm, cited version of “quantum will break Bitcoin” — which part is actually at risk, how far away it is, and the free hygiene that protects most personal risk today.

Frontier briefing · quantum & your coins

Quantum vs Bitcoin: understand the threat, then breathe.

You have probably seen a headline saying quantum computers will "break Bitcoin." Here is the calm, cited version. No quantum computer has ever broken a real Bitcoin key — and the part everyone gets wrong is which part is even at risk. Every risk below is paired with what you can do about it, today, for free.

  • Signatures (ECDSA) — the exposed part

  • Hashing & mining (SHA-256) — stays safe

  • Defenses already exist (NIST 2024)

Educational explainer — not financial advice. Nothing here is a buy, sell, or hold signal, a price prediction, or a recommendation. Every future capability and date is an Estimate — experts disagree, and no quantum computer has ever broken a real Bitcoin key. This is not a reason to buy, sell, or panic. Sources are cited inline and listed at the end.

The one idea: it threatens signatures, not hashing

Quantum computing is not one magic key that unlocks everything. Two different algorithms hit two different parts of Bitcoin very differently. Get this one asymmetry and you understand the whole debate.

Signatures — ECDSA
Broken by Shor's algorithm
At risk — breakable

Shor's algorithm solves the elliptic-curve discrete-log problem in polynomial time. A future cryptographically-relevant quantum computer (CRQC) could derive your private key from a public key that is already visible on-chain. This is not "harder" — it is solved. Fact

If your public key is exposed, the signature scheme is the weak point.

Hashing & mining — SHA-256
Only dented by Grover's algorithm
Largely safe

Grover's algorithm gives only a quadratic speedup — it cuts brute force from ~2^256 to ~2^128, which is still astronomically infeasible, and is trivially mitigated by longer hashes. So mining and address hashing stay largely safe. Fact

No "break" here — just a speed bump, fixable if it ever mattered.

The whole story in one line: quantum breaks the lock that proves ownership (signatures), not the lock that secures the ledger (hashing).

Source: Shor / Grover analysis via postquantum.com; Google Quantum AI ECDLP work. Estimate on all "future CRQC" capability.

How far away is it, really? The qubit reality gap

Headlines count physical qubits. Breaking Bitcoin needs error-corrected logical qubits — and roughly 1,000 noisy physical qubits are needed to build one good logical one. That gap is the load-bearing caveat. The bars below are to scale.

Largest machines today (noisy, not error-corrected): ≈ 1,000 physical
Estimated to break secp256k1 (error-corrected): ≈ 300k–500k physical [estimate]

That is ~1,200–1,450 logical qubits, which maps to well under ~500,000 physical, error-corrected qubits (surface code). Today's hardware is orders of magnitude short. Anchor: Gidney (Google, May 2025) lowered RSA-2048 to under ~1M noisy physical qubits; Bitcoin's 256-bit curve needs fewer resources than RSA-2048, so ECC could fall first. Estimate

Source: Google Quantum AI ECDLP-256; Gidney arXiv:2505.15917 (preprint). Curated constant, manually reviewed 2026-06-20.

What is actually exposed? A range, not a scary single number

How much Bitcoin is quantum-vulnerable depends entirely on methodology, so we show it as a range. The honest answer is "roughly a quarter to a third" — and a large chunk of that is hygiene you can fix.

25–33% of BTC in circulation, potentially exposed. Estimate

≈ 4M–6.9M BTC. Source: Deloitte (~25% / ~4M); other 2026 analyses up to ~one-third (Project Eleven).

| Address type | Status | Why |
| --- | --- | --- |
| P2PK (pay-to-public-key) | Vulnerable | Pubkey on-chain since 2009 (~2M BTC, Satoshi-era) |
| Reused P2PKH | Vulnerable | Pubkey revealed on first spend; reuse leaves it exposed (~2.5M BTC) |
| P2PKH never reused | Safer | Only the hash is on-chain; pubkey shown only at spend |
| Mining / SHA-256 PoW | Safe | Grover is quadratic-only |

"Harvest now, decrypt later": blockchains publish the harvestable material permanently and cannot be re-encrypted, so exposed public keys are a clean long-horizon target. That is real — and it is why hygiene matters now, not a reason to panic. Spending from a reused address briefly puts your pubkey in the public mempool; a future CRQC could in principle front-run it. Hypothetical, contingent on a CRQC existing, not exploitable today. Estimate
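The address-type table above, turned into a local audit as an added example (not code from the original page): it recognises the standard P2PK and P2PKH output-script templates and marks each unspent output by whether its public key is already on-chain. The `script_type` and `audit` helpers, the sample scripts and the amounts are all constructed for illustration.

```python
# Added example: sort unspent outputs by public-key exposure, following the
# page's address-type table. All scripts and amounts below are constructed.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def script_type(script_hex):
    """Recognise the standard P2PK and P2PKH output-script templates."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65-byte pubkey> OP_CHECKSIG -> the key itself is on-chain
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        compressed = len(s) == 35 and s[1] in (0x02, 0x03)
        uncompressed = len(s) == 67 and s[1] == 0x04
        if compressed or uncompressed:
            return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <push 20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (len(s) == 25 and s[0] == OP_DUP and s[1] == OP_HASH160 and s[2] == 20
            and s[23] == OP_EQUALVERIFY and s[24] == OP_CHECKSIG):
        return "P2PKH"
    return "other"

def audit(utxos, spent_scripts):
    """Return (per-output rows, sats per status). spent_scripts holds scripts
    already spent from once, so their pubkey appeared in a past input."""
    revealed = {s.lower() for s in spent_scripts}
    totals = {"Vulnerable": 0, "Safer": 0, "Not covered": 0}
    rows = []
    for script, sats in utxos:
        kind = script_type(script)
        if kind == "P2PK":
            status, why = "Vulnerable", "pubkey is in the output script"
        elif kind == "P2PKH" and script.lower() in revealed:
            status, why = "Vulnerable", "pubkey revealed by an earlier spend (reuse)"
        elif kind == "P2PKH":
            status, why = "Safer", "only the hash is on-chain until spend"
        else:
            status, why = "Not covered", "script type outside the page's table"
        totals[status] += sats
        rows.append((kind, status, why, sats))
    return rows, totals

# Constructed sample wallet (placeholder key and hash bytes, not real coins).
P2PK_OLD = "21" + "02" + "11" * 32 + "ac"
P2PKH_REUSED = "76a914" + "22" * 20 + "88ac"
P2PKH_FRESH = "76a914" + "33" * 20 + "88ac"
WALLET = [(P2PK_OLD, 5_000_000_000), (P2PKH_REUSED, 100_000), (P2PKH_FRESH, 250_000)]

if __name__ == "__main__":
    rows, totals = audit(WALLET, spent_scripts=[P2PKH_REUSED])
    for row in rows:
        print(*row, sep=" | ")
    print(totals)
```

The two inputs would come from your own node or wallet export, so the check runs locally without handing an address to any website.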

Is my coin exposed? A 30-second self-check

This is a pure learning tool. It connects to nothing, asks for no address, and collects nothing. You answer about how you hold — it explains where you sit and the free fix.

Are any of your coins in a P2PK (pay-to-public-key) output — e.g. very old, Satoshi-era, or early-mining coins?

Full guidance (works without JavaScript):

| How you hold | Where you sit | Free fix |
| --- | --- | --- |
| P2PK / Satoshi-era / early-mining coins | Vulnerable | Move them to a fresh, never-spent modern address so only a hash is on-chain. |
| You reuse the same address to receive repeatedly | Vulnerable | Stop reusing; sweep to a fresh address and use a new one each time. |
| Modern wallet, each address used once, never reused | Safer | Keep doing that. Only the hash is public until you spend; stay non-reusing. |

This tool never asks for and never accepts a seed phrase, private key, passphrase, or wallet address. There is no field that could hold a secret. Never type those into any website, including this one.

When? A band of uncertainty, not a "Q-Day"

Anyone selling you a single "Q-Day" date is selling marketing. The Global Risk Institute's 2025 expert survey (26 experts) gives probabilities over time — shown here as a shaded band, because experts genuinely disagree.

[Chart: rising likelihood over time, shown as a shaded band on a 2026–2045 axis. 10 yrs: 28–49%; 15 yrs: 51–70%. Estimate: expert elicitation, not a prediction.]

Source: Global Risk Institute, Quantum Threat Timeline Report 2025. Credible range ≈ 10–20 years, mass risk early-to-mid 2030s, wide bands. Experts disagree — treat any fixed date as marketing.

What you can do today — free, right now

Two address-hygiene moves protect most personally-held, fixable risk. No tools to buy, no signup.

Do-it-now · #1
Never reuse an address

Use a fresh receive address each time. A non-reused P2PKH only ever shows its hash on-chain — the pubkey stays hidden until you spend.

Do-it-now · #2
Move exposed coins to a fresh address

If coins sit in a P2PK or a reused address, send them to a brand-new, never-spent address so only a hash is published. Fact

What the protocols are already doing

NIST PQC standards
Status: Finalized & published

FIPS 204 ML-DSA (signature replacement), FIPS 205 SLH-DSA, FIPS 203 ML-KEM. Finalized 2024-08-14.

Bitcoin BIP-360 (P2QRH)
Status: Exists — not consensus-active

Quantum-resistant outputs merged to the BIP repo; testnet work in 2026.

Ethereum PQC
Status: Proposals — timing estimated

Account abstraction lets accounts opt into PQC signatures; EF formed a PQ team Jan 2026.

Sources: NIST (FIPS 203/204/205); Bitcoin Magazine / bip360.org; ethereum.org & pq.ethereum.org. "Exists, not active" labels are deliberate.

The calm, honest summary

No false comfort, no doom. Six grounded talking points — and the one residual risk hygiene can't fix.

  • No quantum computer today is within orders of magnitude of breaking secp256k1. (Google ECDLP / Gidney 2025)

  • Hashing and mining stay safe — Grover is only a quadratic speedup. (postquantum.com)

  • The defenses already exist: NIST finalized post-quantum standards in 2024. (NIST)

  • Migration paths are in motion — Bitcoin BIP-360, Ethereum PQC. (bip360.org / ethereum.org)

  • You can protect most personal risk today, for free, with address hygiene. (actionable now)

  • Experts put the credible window at roughly 10–20 years, with wide disagreement. (GRI QTTR 2025) Estimate

The honest residual: roughly 4M BTC in permanently-exposed addresses (including lost Satoshi-era coins) cannot be protected by individual hygiene — a real network-level concern that migration timing must address. That is precisely why this topic deserves calm attention, not panic and not dismissal.

Sources & citations (every hard number traces here)

Trade-press sources (postquantum.com, crypto.news) are secondary syntheses; primary standards/preprints are linked above.


Reviewed 2026-06-20 · quantum facts curated, manually refreshed (no live feed).
