Quantum computers cannot crack Bitcoin’s cryptography today, but rapid advances by Google, IBM, and academic teams have intensified concern inside the digital asset industry that “Q-Day”—the point at which a sufficiently powerful quantum machine can compromise older Bitcoin addresses—may arrive sooner than previously assumed. The risk centers on early wallets and reused addresses that have exposed public keys, while developers debate post-quantum signatures and long-term migration paths for the network.

The quantum risk to Bitcoin’s signatures

The technical path for a successful attack is straightforward in concept, if demanding in practice. A quantum-equipped adversary would scan the blockchain for addresses that have already revealed their public keys—common among the earliest pay-to-public-key outputs, reused addresses, and long-dormant accounts. In a “harvest now, decrypt later” approach, the attacker could store those keys and, once a fault-tolerant machine exists, apply Shor’s algorithm to derive the corresponding private keys. Because Bitcoin’s elliptic-curve signatures rest on problems that quantum computers can accelerate, a sufficiently large, error-corrected device could ultimately forge valid transactions from those exposed addresses. To the network, such signatures would appear legitimate, be relayed by nodes, and be mined into blocks. If many vulnerable wallets were drained at once, funds could start moving within minutes, potentially prompting market reactions before confirmation of a coordinated attack.

Q-Day moves from theory toward planning

Long treated as a distant threat, the timeline tightened for many observers after a March 2026 Google whitepaper suggested certain cryptographic systems might be broken earlier than expected. Around the same period, new research from Caltech and Google proposed that future quantum computers could undermine elliptic-curve schemes with fewer qubits and computational steps than earlier estimates indicated. The discussion spilled into crypto circles when Bitcoin security researcher Justin Drake argued there is at least a 10% chance that by 2032 a quantum computer could recover a secp256k1 ECDSA private key from an exposed public key. While estimates vary widely, the cluster of results pushed the conversation from “if” toward “when,” with Google also setting a 2029 deadline to be quantum-ready.

The state of quantum computing

Momentum built across the quantum field in 2025 and 2026. Google’s 105‑qubit Willow chip reported sharp error reduction and a benchmark beyond classical supercomputers. Microsoft rolled out its Majorana 1 platform and, with Atom Computing, reported record logical‑qubit entanglement. NIST extended superconducting qubit coherence to 0.6 milliseconds. IBM set targets of 200 logical qubits by 2029 and more than 1,000 in the early 2030s, later demonstrating 120‑qubit entanglement, while Google confirmed a verified quantum speed‑up. Caltech unveiled a 6,100‑qubit neutral‑atom system operating at 99.98% accuracy. IBM followed with new chips and software aimed at attaining quantum advantage in 2026 and fault‑tolerant systems by 2029.

Industry and government responses also quickened. In January 2026, Coinbase formed an independent advisory board on quantum computing and blockchain security. In April, Italian researcher Giancarlo Lelli used a publicly available quantum computer to crack a simplified elliptic curve cryptography key, underscoring the direction of travel even if real‑world Bitcoin keys remain out of reach. In May, the U.S. Department of Commerce committed $2 billion to quantum development. In June, France said it would stop certifying technologies that are not quantum‑safe, and later that month President Donald Trump signed two executive orders to expand U.S. quantum capabilities and accelerate the shift to quantum‑resistant encryption. Christopher Tam of BTQ Technologies argued the U.S. government’s 2031 deadline for federal agencies to migrate high‑value assets is too slow given industry progress, saying he would have set a more urgent pace.

Why older Bitcoin addresses are exposed

Bitcoin’s design reveals a public key when funds are spent, and the earliest pay‑to‑public‑key format displayed keys on‑chain even before the first spend. Later pay‑to‑public‑key‑hash formats reduced exposure by keeping keys hidden until use. The oldest coins—including roughly 1 million Satoshi‑era BTC—never benefited from those protections and are therefore long‑term targets if a capable quantum computer emerges. That exposure is compounded by abandoned and lost‑key wallets. Moving those balances into post‑quantum‑secure addresses would require active participation by owners—an obvious hurdle when keys are gone or holders are unreachable. As a result, the community faces a difficult choice: leave the coins in place and accept that attackers could eventually seize them, or contemplate policies that remove abandoned balances from circulation—each option carrying technical, social, and legal complications.

Technology use case: post‑quantum signatures and their costs

Developers are evaluating post‑quantum signature schemes to harden the network, but those protections come with trade‑offs. Today’s Bitcoin signatures are about 64 bytes; post‑quantum alternatives can be 10 to 100 times larger. On a blockchain, where every node stores signatures indefinitely, that size increase translates into substantial fees and persistent storage costs. Any mitigation must therefore balance security with throughput and long‑term data growth.

Paths to protection now under discussion

Several proposals sketch potential routes to prepare Bitcoin for a post‑quantum world:

  • BIP‑360 (P2QRH) would introduce “bc1r…” addresses using hybrid protection that combines current elliptic‑curve signatures with schemes such as ML‑DSA or SLH‑DSA. It avoids a hard fork but increases fees due to larger signatures.
  • BIP‑361 proposes phasing out existing signature schemes and freezing coins that fail to migrate to quantum‑resistant addresses.
  • Quantum‑Safe Taproot would add a hidden post‑quantum branch. If attacks become realistic, miners could soft‑fork to require the post‑quantum path without changing everyday usage in the meantime.
  • Quantum‑Resistant Address Migration Protocol (QRAMP) outlines a mandatory migration of vulnerable UTXOs to quantum‑safe addresses, likely via a hard fork.
  • Pay to Taproot Hash (P2TRH) would replace visible Taproot keys with double‑hashed versions, narrowing the exposure window while keeping compatibility.
  • Non‑Interactive Transaction Compression (NTC) via STARKs would compress many large post‑quantum signatures into a single zero‑knowledge proof per block to reduce on‑chain overhead.
  • Commit‑reveal schemes would rely on hashed commitments made before a quantum threat, including helper UTXOs, “poison pill” recovery paths, and Fawkescoin‑style variants that remain dormant unless a practical quantum computer is demonstrated.

Taken together, these ideas point to a phased approach: immediate, low‑impact mitigations such as P2TRH; optional hybrid security through BIP‑360; and heavier lifts like NTC‑based compression as risk grows. Progress, however, depends on broad coordination across miners, developers, and users—never easy in a decentralized ecosystem where major upgrades are intentionally slow.

Market impact and user practices

Most Bitcoin holders face no immediate action items. Basic operational hygiene helps reduce long‑run risk, including avoiding address reuse so public keys remain concealed until spending, and relying on modern wallet formats. Still, the stakes are significant: more than $452 billion in vulnerable wallets have been identified by outside researchers, and an attack draining a cluster of exposed addresses could move funds rapidly and unsettle markets before a consensus formed on what was happening.

Outlook

Forecasts differ on timing. Some researchers see a credible threat emerging within five years, others push the horizon into the 2030s, and continued public and private investment could compress those estimates. What is clear is that upgrading Bitcoin to a post‑quantum footing will take years, making early, coordinated work essential even while present‑day quantum computers remain too small and unstable to threaten real‑world cryptography. This article was updated in July 2026.