Quantum Computing Won't Kill Bitcoin, But the Real Risk Is Approaching

By: blockbeats|2026/04/08 04:00:07
Original Title: "I Spent 200 Hours Reading Quantum Computing Papers So You Don't Have To. Bitcoin Is F.
Original Source: nvk
Original Translation: Saoirse, Foresight News

TL;DR

· Bitcoin does not use encryption, but rather uses digital signatures. The vast majority of articles have gotten this wrong, and the distinction is crucial.

· A quantum computer cannot crack Bitcoin in 9 minutes. That figure describes only a theoretical circuit; the machine itself does not exist, and will not for at least a decade.

· Quantum mining is physically impossible. The energy it would require is actually more than the total energy output of the sun.

· Bitcoin can indeed be upgraded—has been successfully upgraded before (SegWit, Taproot), and related work has been initiated (BIP-360). But the community needs to pick up the pace.

· The real motivation for upgrading is not the quantum threat, but rather that traditional math has broken countless cryptographic systems, and secp256k1 is likely next. Quantum computers have yet to break any cryptographic systems.

· There is indeed a real vulnerability: the public keys of about 6.26 million bitcoins have been exposed. This is not a cause for panic, but it is worth being prepared in advance.

Main Thread

To summarize everything I'm about to say in one sentence:

The threat quantum computing poses to Bitcoin is real but still far off; media reports are generally inaccurate and exaggerated; and the most dangerous thing is not quantum computing, but the swing between panic and indifference.

Both those who cry out "Bitcoin is doomed" and those who claim "it's all fine, don't overreact" are wrong. Seeing the truth requires accepting two things simultaneously:

· There is no imminent quantum threat to Bitcoin at present, and the actual threat may be much further off than sensationalist headlines suggest.

· However, the Bitcoin community should still be prepared in advance, as the upgrade process itself will take several years.

This is not a reason to panic, but a reason to act.

Below, I will explain with data and logic.

[Image: Shor's algorithm compared with Grover's algorithm]

This image compares the two core quantum algorithms: Shor's algorithm (left) is the "crypto killer", exponentially speeding up the factorization of large numbers and directly breaking RSA, ECC and other public-key cryptosystems; Grover's algorithm (right) gives only a quadratic speedup for unstructured search. Both showcase the disruptive power of quantum computation, but both are currently held back by the inability to implement error correction at scale.

Media Tactic: Sensational Headlines Are the Biggest Risk

Every few months, the same script is replayed:

· A certain quantum computing lab publishes a rigorous research paper with numerous caveats.

· Tech media promptly turns it into: "Quantum Computer Breaks Bitcoin in 9 Minutes!"

· The crypto community on Twitter simplifies it to: "Bitcoin is doomed."

· Your relatives and friends message you asking if they should sell quickly.

· But the original paper never claimed any of that.

In March 2026, the Google Quantum AI team published a paper stating that the number of physical qubits needed to break Bitcoin's elliptic curve cryptography could be reduced to below 500,000, a 20x improvement on previous estimates. This is genuinely significant research. Google was very cautious: it did not disclose the actual attack circuit and released only zero-knowledge proofs.

However, the paper never said that Bitcoin can now be broken, provided a specific timeline, or suggested that people should panic.

Yet the headline read: "Bitcoin Broken in 9 Minutes."

CoinMarketCap once published an article titled "Will AI-Accelerated Quantum Computing Destroy Bitcoin by 2026?", where the body of the text almost definitively explained that it "will not." This is a typical tactic: use a sensational headline to gain traffic, while the body remains cautiously accurate. Yet 59% of the shared links were never clicked — for most people, the headline is the information.

There is a saying: "The market prices risk very quickly. You cannot steal something that goes to zero as soon as you touch it." If quantum computers were truly set to disrupt everything, Google's stock (which also uses similar cryptography) would have collapsed long ago. But Google's stock remains stable.

Conclusion: the headline is the real misconception. The research itself is genuine and worth understanding, so let's take it seriously.


What Quantum Computers Truly Threaten and Do Not Threaten

Biggest Misconception: "Encryption"

Almost all articles discussing quantum and Bitcoin use the word "encryption." This is incorrect and significantly misleading.

Bitcoin does not rely on encryption to protect assets; instead, it relies on digital signatures (ECDSA, later transitioning to Schnorr through Taproot). The blockchain itself is public, with all transaction data permanently visible to everyone, and there is nothing to "decrypt."

As Hashcash inventor Adam Back, referenced in the Bitcoin whitepaper, has stated: "Encryption means data is hidden and can be decrypted. Bitcoin's security model is based on signatures used to prove ownership without revealing the private key."

This is not a semantic argument. It means that the most pressing quantum threat of "collect now, decrypt later" does not fundamentally jeopardize Bitcoin asset security. There is no encrypted data to collect, and the exposed public keys are inherently public on the blockchain.

Two Quantum Algorithms: One Is a Real Threat, One Can Be Ignored

· Shor's Algorithm (Real Threat): Exponentially speeds up solving the mathematical problem underlying digital signatures, allowing private keys to be derived from public keys and signatures to be forged. This is the actual cause for concern.

· Grover's Algorithm (Not a Threat): Provides only a square-root speedup against hash functions like SHA-256, which sounds ominous but is entirely impractical.

A 2025 paper on quantum computing at the Kardashev scale and Bitcoin mining calculates that mining Bitcoin with a quantum computer at the current difficulty would require:

· Approximately 10²³ physical qubits (there are currently only around 1500 worldwide)

· Approximately 10²⁵ watts of power (the Sun's total output is around 3.8×10²⁶ watts)

Mining Bitcoin with a quantum computer would therefore require energy equivalent to around 3% of the Sun's total output. Humanity currently sits at about 0.73 on the Kardashev scale, and quantum mining would demand energy levels available only to a Type II civilization, which humanity is nowhere near reaching; for practical purposes it is physically impossible.
(Note on the Kardashev scale: Type I can use all the energy of one planet (Earth); Type II can harness all the energy of an entire star (the Sun).)

By comparison: Even in the most ideal design, a quantum mining machine would only have about 13.8 GH/s of computing power; whereas a regular Antminer S21 can achieve 200 TH/s. The speed of a traditional ASIC mining machine is 14,500 times that of a quantum mining machine.

Ultimately, quantum mining is simply not feasible: not now, not in 50 years, not ever. Anyone who claims a quantum computer can "break Bitcoin mining" has confused two completely different algorithms.

8 Popular Claims, of Which 7.5 are False

Claim 1: "Once quantum computers appear, all Bitcoins will be stolen overnight."

In reality, only Bitcoins with exposed public keys are at risk. Modern Bitcoin address types (P2PKH, P2SH, SegWit) do not reveal the public key until you initiate a transaction. As long as you never reuse an address and have never spent from that address, your public key will not appear on the blockchain.

Specifically:

· Grade A (Directly at Risk): Approximately 1.7 million BTC are in old P2PK format addresses, with fully exposed public keys.

· Grade B (At Risk but Fixable): Approximately 5.2 million BTC are in reused addresses and Taproot addresses, and users can mitigate the risk by migrating.

· Grade C (Briefly Exposed): Within about 10 minutes while a transaction waits in the mempool to be mined, the public key is temporarily exposed.

According to Chaincode Labs' estimation, there are roughly 6.26 million BTC at risk of public key exposure, accounting for approximately 30%–35% of the total supply. The quantity is indeed significant, but it is by no means "all Bitcoins."
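The grading above turns entirely on the output script type and on whether the same script has been spent from before. The following is an added example (not code from the original article or from Chaincode Labs) that applies those rules to a constructed UTXO set: it recognises the standard Bitcoin output templates by their byte layout, grades each output A (key sits in the script), B (Taproot key on-chain, or a hash-based output whose script has already been spent from), or hidden, and totals the value in each grade. The UTXOs, the placeholder keys and hashes, and the set of previously-spent scripts are all constructed; a real tool would take them from a node's UTXO set and a spent-script index. Grade C (mempool exposure) is not modelled, since it requires watching unconfirmed transactions.

```python
"""Grade UTXOs by whether their public key is already visible on-chain.
Added example with constructed data, not the article's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes   # raw output script
    value_sat: int         # amount in satoshis


def script_type(spk: bytes) -> str:
    """Recognise the common output templates from their byte layout."""
    if len(spk) in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return "p2pk"      # <pubkey> OP_CHECKSIG: the key sits in the script
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"     # OP_DUP OP_HASH160 <20B> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"      # OP_HASH160 <20B> OP_EQUAL
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # OP_0 <20B key hash>
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"     # OP_0 <32B script hash>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # OP_1 <32B x-only tweaked key>: the key is on-chain
    return "unknown"


HASH_COMMITTED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def exposure_grade(utxo: Utxo, spent_from: set) -> str:
    """A = key in the output itself; B = key revealed by Taproot or by an
    earlier spend from the same script; hidden = only a hash is on-chain."""
    kind = script_type(utxo.script_pubkey)
    if kind == "p2pk":
        return "A"
    if kind == "p2tr":
        return "B"
    if kind in HASH_COMMITTED:
        return "B" if utxo.script_pubkey in spent_from else "hidden"
    return "unknown"


def summarise(utxos, spent_from):
    """Total satoshis per exposure grade."""
    totals = {}
    for u in utxos:
        g = exposure_grade(u, spent_from)
        totals[g] = totals.get(g, 0) + u.value_sat
    return totals


# --- constructed sample data (placeholder keys/hashes, not real ones) ---
KEY33 = b"\x02" + b"\x11" * 32
REUSED_P2PKH = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
SAMPLE_UTXOS = [
    Utxo(b"\x21" + KEY33 + b"\xac", 150_000_000),        # old P2PK output
    Utxo(REUSED_P2PKH, 200_000_000),                      # address reused
    Utxo(b"\x00\x14" + b"\x33" * 20, 70_000_000),         # fresh P2WPKH
    Utxo(b"\x51\x20" + b"\x44" * 32, 30_000_000),         # Taproot output
]
SAMPLE_SPENT_FROM = {REUSED_P2PKH}   # scripts that have been spent from before


if __name__ == "__main__":
    for grade, sats in sorted(summarise(SAMPLE_UTXOS, SAMPLE_SPENT_FROM).items()):
        print(f"grade {grade}: {sats / 1e8:.2f} BTC")
```

The same reuse check is what a wallet can run on its own outputs: any hash-based script that appears in `spent_from` has already published its key, and moving those coins to a never-used address restores the "hidden" state.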

Claim 2: "Satoshi Nakamoto's coins will be stolen, crashing the market to zero."

Half true, half false: Approximately 1.1 million BTC held by Satoshi Nakamoto are in P2PK format addresses with fully exposed public keys, indeed making them high-risk assets. However:

· A quantum computer capable of cracking these private keys simply does not currently exist.

· Nations that obtain quantum capability early will prioritize intelligence and military targets rather than staging a public spectacle of stealing Bitcoin (Quantum Canary Research Group).

· Scaling from the current approximately 1500 qubits to the order of hundreds of thousands will require several years of engineering breakthroughs and is highly uncertain in progress.

Claim 3: "Bitcoin Cannot Upgrade – Too Slow, Governance Chaos"

This argument is not entirely correct, but it is not completely without merit. Bitcoin has successfully completed several significant upgrades in its history:

· Segregated Witness (SegWit, 2015–2017): Highly controversial, almost failed, leading directly to the Bitcoin Cash fork, but eventually successfully activated.

· Taproot (2018–2021): Smooth activation, taking about 3.5 years from proposal to mainnet.

The post-quantum resistance proposal BIP-360 was formally added to the Bitcoin BIP repository in early 2026. It introduces the bc1z address type and removes the quantum-vulnerable key-path spending logic from Taproot. The proposal is currently a draft, and a testnet is running the Dilithium post-quantum signature scheme.

Ethan Heilman, a co-author of BIP-360, estimates a full upgrade cycle to take about 7 years: 2.5 years for development and review, 0.5 years for activation, and 4 years for ecosystem migration. He admitted, "This is just a rough estimate, and no one can provide an exact timeline."

Objective conclusion: Bitcoin can upgrade and has begun to, but the work is still at an early stage and needs to accelerate. Claiming "it cannot upgrade" is incorrect, and claiming "the upgrade is done" is equally invalid.

Claim 4: "We Only Have 3–5 Years Left"

Likely not true, but not to be entirely dismissed. Experts' estimates vary widely:

· Adam Back (Hashcash inventor, cited in the Bitcoin whitepaper): 20–40 years

· Jensen Huang (NVIDIA CEO): Practical quantum computing is still 15–30 years away

· Scott Aaronson (Quantum Computing Authority, University of Texas at Austin): Refuses to provide a timetable and indicates breaking RSA could require "tens of billions of dollars in investment"

· Craig Gidney (Google Quantum AI): Probability of achieving by 2030 is only 10%; also believes that under current conditions, it is very difficult for quantum bit requirements to see another 10x improvement, and the optimization curve may have already flattened

· Survey of 26 Quantum Security Experts: Probability of risk emerging within 10 years is 28%-49%

· Ark Invest: "Belongs to long-term risks, not imminent ones"

It is worth noting that Google's Willow chip crossed the quantum error-correction threshold at the end of 2024. This means that each increase in the error-correction code distance lowers the logical error rate by a fixed factor (2.14 for Willow). The suppression is exponential in code distance, but the actual rate at which machines scale up depends entirely on the hardware and could be logarithmic, linear, or extremely slow. Crossing the threshold only shows that scaling is feasible, not that it is fast, easy, or guaranteed.
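The "fixed factor per distance step" statement can be turned into a small model that shows both why the suppression is called exponential and why the factor alone says nothing about timelines. The block below is an added example, not code from the article or from Google. The only figure taken from the text is Willow's factor Λ = 2.14; treating one step as d → d+2 (the odd distances 3, 5, 7 that Willow reported), the distance-3 baseline error rate, and the cost of 2d² − 1 physical qubits per logical qubit (the rotated surface-code count) are assumptions made for illustration.

```python
"""Scale the error-suppression curve: logical error rate versus code distance
and the physical-qubit cost it implies. Added example with assumed baseline."""
import math

LAMBDA_WILLOW = 2.14        # suppression factor per distance step (from the article)
BASELINE_EPS_D3 = 1e-3      # assumed logical error rate per cycle at d = 3


def logical_error_rate(d, lam=LAMBDA_WILLOW, eps_d3=BASELINE_EPS_D3):
    """Logical error rate at odd distance d: divide by lam for every d -> d+2."""
    steps = (d - 3) // 2
    return eps_d3 / lam ** steps


def required_distance(target, lam=LAMBDA_WILLOW, eps_d3=BASELINE_EPS_D3):
    """Smallest odd distance whose logical error rate is at or below target."""
    if target >= eps_d3:
        return 3
    # small slack so exact powers of lam do not round up a step
    steps = math.ceil(math.log(eps_d3 / target) / math.log(lam) - 1e-12)
    return 3 + 2 * steps


def physical_qubits_per_logical(d):
    """Rotated surface code: d*d data qubits plus d*d - 1 measure qubits (assumption)."""
    return 2 * d * d - 1


def qubit_budget(target, logical_qubits, lam=LAMBDA_WILLOW):
    """Distance needed for the target and the physical-qubit total it implies."""
    d = required_distance(target, lam)
    return d, logical_qubits * physical_qubits_per_logical(d)


if __name__ == "__main__":
    # Same target, three hardware suppression factors: the budget swings widely.
    for lam in (LAMBDA_WILLOW, 1.5, 1.1):
        d, phys = qubit_budget(1e-6, logical_qubits=1000, lam=lam)
        print(f"Lambda={lam}: d={d}, ~{phys:,} physical qubits for 1000 logical")
```

The point of the sweep in `__main__` is the article's caveat: with Λ fixed, halving the target error costs a constant number of extra distance steps, but the physical-qubit bill grows quadratically in distance, and a hardware Λ closer to 1 inflates it dramatically. Whether real devices keep a constant Λ as they grow is exactly the open question the text describes.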

In addition, in its paper in March 2026, Google did not publicly present the actual attack circuit; it only released a zero-knowledge proof. Scott Aaronson also warns that future researchers may no longer disclose the resource estimates needed to break the code. Therefore, we may not be able to detect the arrival of "quantum doomsday" well in advance.

Nevertheless, building a fault-tolerant quantum computer with hundreds of thousands of qubits remains a huge engineering challenge. Even the most advanced quantum computers today cannot factor numbers larger than 13 digits, while breaking Bitcoin's elliptic curve cryptography is comparable in difficulty to factoring a roughly 1300-digit number. This gap cannot be bridged overnight, but the technological trend deserves attention, not dismissal.

Claims 5–8: Quick Clarifications

"Quantum Computing Will Destroy Mining"

False. Energy consumption requirements are close to the total output of the Sun; see Part Two for more details.

"Collect Data Now, Decrypt in the Future"

Not applicable to asset theft (the blockchain itself is public); it only has a certain impact on privacy, which is a minor risk.

"Google Claims It Can Break Bitcoin in 9 Minutes"

Google is referring to a theoretical circuit running time of about 9 minutes on a non-existent 500,000-qubit machine. Google itself has expressly warned against such panic-inducing statements and has withheld details of the attack circuit.

"Post-Quantum Cryptography Technology Is Not Yet Mature"

The National Institute of Standards and Technology (NIST) has completed the standardization of algorithms such as ML-KEM, ML-DSA, and SLH-DSA. The algorithms themselves are mature, and the challenge lies in their deployment and implementation in the Bitcoin system, rather than inventing them from scratch.

The Five Issues I Am Truly Worried About

An all-encompassing debunking article will lose credibility. Here are the five issues that deeply concern me:

· The estimated number of qubits required to break the scheme keeps decreasing, although the trend may be slowing. In 2012, breaking such systems was estimated to require 1 billion qubits; by 2019 that had fallen to 20 million; by 2025 it was already below 1 million. In early 2026, Oratomic announced that only 10,000 physical qubits would be needed on a neutral-atom architecture.

However, the nine authors of that study are all Oratomic shareholders, and the assumed 101:1 physical-to-logical qubit ratio has never been validated (historically it has been closer to 10,000:1). It also needs to be said that a computation taking "9 minutes" on Google's superconducting architecture would take 10^264 days on neutral-atom hardware; these are completely different devices with vastly different speeds. Gidney himself has said the algorithmic optimization curve may have plateaued. Even so, no one knows when the crossover between the "number of qubits required" and the "number of qubits available" will occur. The most objective conclusion is that uncertainty is currently high.

· The scope of public key exposure is expanding, not shrinking. Taproot, Bitcoin's latest and most widely adopted address format, publishes the tweaked public key on-chain, giving a quantum attacker an unlimited offline window in which to derive the key. Bitcoin's most recent upgrade actually weakened its post-quantum security, a paradox worth reflecting on.

Moreover, the problem is not limited to on-chain addresses: Lightning Network channels, hardware wallet connections, multi-signature schemes, and extended-public-key sharing services all spread public keys by design. In a world where cryptographically relevant fault-tolerant quantum computers (FTQC) exist, a system built around sharing public keys makes "keeping public keys private" fundamentally unrealistic. BIP-360 is only a starting point, far from a complete solution.

· The Bitcoin governance process is slow but still has a time window. Since November 2021, the Bitcoin underlying protocol has not activated a soft fork for over four years, remaining in a long-standing stalemate. Google plans to complete its own system's post-quantum migration by 2029, while the most optimistic estimate for Bitcoin is also by 2033.

Considering that practical quantum computing capable of breaking cryptographic algorithms is likely still far away (most reliable forecasts suggest it may not happen until the 2040s or even may never be achieved), the current situation is not an immediate crisis. However, complacency is not an option. The earlier preparedness efforts begin, the better.

· Satoshi Nakamoto's holdings pose an unsolvable game-theory problem. Around 1.1 million BTC sit in P2PK addresses, and because Satoshi has disappeared and no one is known to hold the corresponding private keys, these assets can never be moved by their owner. Whether they are left untouched, frozen, or destroyed, every option carries serious consequences, and there is no perfect solution.

· The blockchain is a perpetually listed target for attacks. All exposed public keys will be permanently recorded free of charge, allowing national entities to start preparations now and wait for the opportune moment. Defense requires proactive collaboration from multiple parties, while attacks only require patient waiting.

These are real challenges, but there is another side to the story that deserves attention.

Why the Quantum Threat May Be Extremely Distant or Even Never Materialize

Several eminent physicists and mathematicians (not extremists) believe that achieving fault-tolerant quantum computing at the scale necessary for cryptographic breakthroughs may face fundamental physical barriers, beyond just engineering challenges:

· Leonid Levin (Boston University, co-inventor of NP completeness): "Quantum amplitude needs to be precise to hundreds of decimal places, but no physical law known to humans holds to such precision beyond a dozen or so decimal places." If nature does not allow for precision beyond approximately 12 decimal places, the entire field of quantum computing would hit a physical ceiling.

· Michel Dyakonov (University of Montpellier, theoretical physicist): A system of 1,000 qubits would require controlling about 10^300 continuous parameters simultaneously, vastly exceeding the total number of subatomic particles in the universe. His conclusion is, "Impossible, forever impossible."

· Gil Kalai (Hebrew University, mathematician): Quantum noise exhibits irreducible correlated effects that worsen as system complexity increases, rendering large-scale quantum error correction fundamentally unachievable. His conjecture, unproven after 20 years, has also shown partial deviations in experimental predictions, presenting a mixed bag of pros and cons.

· Tim Palmer (University of Oxford, physicist): His rational quantum mechanics model predicts a hard limit for the existence of quantum entanglement at around 1000 qubits, far below the scale required for cryptographic breaking.

None of these are fringe views. The evidence so far also supports the assessment: practical experience shows that quantum computing capable of threatening cryptographic systems is either far harder to realize than theory suggests or fundamentally impossible due to physical laws not yet understood. An apt analogy is self-driving cars: great demos, massive investment, and for over a decade the claim that they are "just five years away".

Most media default to "quantum computers will eventually crack encryption, it's just a matter of time," but this is not a conclusion drawn from evidence; it is a mirage created by hype cycles.

The Core Driver for Upgrade, Unrelated to Quantum

This is a key fact that few people mention (thanks to @reardencode for pointing this out):

· Number of cryptographic systems broken by quantum computers to date: 0;

· Number of cryptographic systems broken by classical mathematical methods: countless.

DES, MD5, SHA-1, RC4, SIKE, the Enigma machine... all fell to sophisticated mathematical analysis, not quantum hardware. SIKE was once a NIST post-quantum cryptography finalist, only to be completely broken in 2022 by a researcher using an ordinary laptop in about an hour. For as long as cryptographic systems have existed, classical cryptanalysis has undermined one scheme after another.

The secp256k1 elliptic curve used in Bitcoin could become obsolete at any time due to a mathematical breakthrough, completely independent of quantum computing. All it would take is a leading number theorist to make progress on the discrete logarithm problem. This has not happened yet, but the history of cryptography is a history of "proven secure" systems being continually found vulnerable.

This is the real reason why Bitcoin should adopt alternative cryptographic schemes: not because quantum computers are imminent—they may never materialize—but because for a network worth trillions of dollars, relying solely on a single cryptographic assumption is a risk that rigorous engineering must proactively mitigate.

The quantum-related panic and hype, on the contrary, overshadow this more understated yet more real risk. Ironically, the preparations made to address the quantum threat (BIP-360, post-quantum signatures, hash-based alternatives) also protect against classical cryptanalysis attacks. People are doing the right thing for the wrong reasons, but that's okay—as long as the implementation eventually happens.

What Should You Really Do?

If You Hold Bitcoin:

· Do not panic. The threat is real but still distant, giving you plenty of time.

· Stop reusing addresses. Each reuse exposes the public key; use a new address for each transaction.

· Follow the progress of BIP-360. Once quantum-resistant addresses are introduced, promptly transfer your assets.

· For long-term holding, consider keeping your funds in an address that has never been spent from to keep the public key hidden.

· Don't get caught up in the headlines; read the original research paper. The content is more interesting than the news coverage and not as scary.

If You Are a Bitcoin Developer:

· BIP-360 needs more review; the testnet is live, and the code requires thorough scrutiny.

· The 7-year upgrade cycle needs to be shortened. Each year of delay reduces the security margin.

· Initiate a governance discussion on dealing with old, unspent transaction outputs (UTXOs). Satoshi's Bitcoin does not self-protect; the community needs a solution.

If you have just seen a sensational headline, remember, 59% of forwarded links are never clicked. Headlines are designed to provoke emotions; the paper is meant to provoke thoughts. Go read the original.

Conclusion

The threat quantum computing poses to Bitcoin is not black or white; it lives in a gray area. On one end is "Bitcoin is doomed, sell everything now"; on the other is "quantum is a hoax, there is no risk at all." Both extremes are wrong.

The truth lies in a rational and practical middle ground: Bitcoin faces a clear engineering challenge with known parameters and ongoing research and development. Time is short but manageable—provided the community maintains a reasonable sense of urgency.

The most dangerous thing is not quantum computers but the oscillation between panic and disregard in public opinion, preventing people from rationally addressing a fundamentally solvable issue.

Bitcoin has survived the block size debate, exchange hacks, regulatory pressures, and the disappearance of its founder, and it can also transition to the quantum era. But this requires the community to start preparing steadily now, without panic, without complacency, advancing with the robust engineering mindset that Bitcoin relies on.

The house is not on fire, and it may never burn from the direction everyone fears. But cryptographic assumptions have never remained valid indefinitely. The best time to strengthen the cryptographic foundation is always before a crisis hits, not after.

Bitcoin has always been built by a group of people who plan for threats that have not yet occurred. This is not paranoia; this is engineering thinking.

References:
This article draws on a total of 66 research papers from two thematic wikis, covering quantum computing resource estimation, Bitcoin vulnerability analysis, the psychology of debunking, and content propagation mechanisms. Key sources include the Google Quantum AI Lab (2026), the "Quantum Mining at the Kardashev Scale" paper (2025), the BIP-360 proposal document, the Berger and Milkman study (2012), the "2020 Debunking Handbook", and discussions by industry practitioners such as Tim Urban, Dan Luu, and patio11. All wiki materials undergo open peer review.
