Quantum computing threatens Bitcoin and crypto for one narrow reason: a powerful enough quantum computer could work backward from a wallet's public key to its private key, then sign transactions and move the funds. The math that makes that reversal practically impossible for today's computers does not hold up against a quantum machine running the right algorithm.
That machine does not exist yet. But the conversation shifted this year. On June 22, President Trump signed two executive orders on quantum technology, one to build a powerful quantum computer and one to harden federal systems against quantum attacks. Three months earlier, Google Quantum AI published research showing the attack on Bitcoin's cryptography needs far less hardware than experts had assumed. Together, the policy push and the research moved quantum from a distant worry to a deadline people are now planning around.
What exactly is at risk?
Most coverage gets this part wrong, so it is worth being precise. Bitcoin and nearly every major chain secure transactions with elliptic curve cryptography, specifically ECDSA on the secp256k1 curve. Your public key is easy to calculate from your private key, but reversing that step is the hard problem that keeps your coins safe. Classical computers cannot do it in any useful timeframe.
Shor's algorithm, published by Peter Shor in 1994, changes that. On a large, error-corrected quantum computer, it solves the reversal efficiently, turning a problem that would take classical machines longer than the age of the universe into one that takes minutes. That is the core threat, and it targets digital signatures.
A second quantum method, Grover's algorithm, is often cited but matters far less here. It speeds up the brute-forcing of hash functions like SHA-256, which Bitcoin uses for mining and addresses. The catch is that the speedup is only quadratic, roughly cutting 256-bit security to 128-bit equivalent, and the network can raise the difficulty to compensate. Mining is not the weak point. Signatures are.
Why is Bitcoin especially exposed?
Bitcoin's history works against it. According to on-chain data cited in Bitcoin's own developer proposals, more than 34% of all $BTC, somewhere between 6.5 and 6.9 million coins, sit in addresses that have already revealed a public key on-chain as of March 1, 2026. That includes roughly 1.7 million $BTC in early Pay-to-Public-Key outputs, some of it believed to belong to Satoshi Nakamoto.
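The "already revealed a public key" distinction depends on the output script type, so here is an added example (not code from the article, BIP-360 or BIP-361) that classifies a raw scriptPubKey and flags at-rest exposure: P2PK and Taproot (P2TR) carry the key in the script itself, while hash-based types (P2PKH, P2SH, P2WPKH, P2WSH) only reveal the key once the address has been spent from. The opcode bytes are Bitcoin's standard script templates; the sample scripts and the `survey` tally are constructed for illustration.

```python
from dataclasses import dataclass

# Standard Bitcoin script opcodes used by the output templates below.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC

@dataclass(frozen=True)
class Classification:
    kind: str            # output template name
    key_on_chain: bool   # True if the raw public key sits in the script itself

def classify(spk: bytes) -> Classification:
    """Match a scriptPubKey byte-for-byte against the standard templates."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Classification("P2PKH", False)       # 20-byte hash only
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[22] == OP_EQUAL:
        return Classification("P2SH", False)        # script hash only
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return Classification("P2WPKH", False)      # segwit v0 key hash
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return Classification("P2WSH", False)       # segwit v0 script hash
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return Classification("P2TR", True)         # x-only output key is on-chain
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG \
            and spk[1] in (0x02, 0x03, 0x04):
        return Classification("P2PK", True)         # full key pushed, then CHECKSIG
    return Classification("nonstandard", False)

def exposed_at_rest(spk: bytes, spent_from: bool = False) -> bool:
    """Key is derivable from chain data now: either it is in the script, or an
    earlier spend from this address (address reuse) revealed it in the witness."""
    c = classify(spk)
    return c.key_on_chain or (spent_from and c.kind != "nonstandard")

# Constructed sample scripts (placeholder key/hash bytes, not real outputs).
SAMPLES = {
    "p2pk":   bytes([0x41, 0x04]) + b"\x11" * 64 + bytes([OP_CHECKSIG]),
    "p2pkh":  bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x22" * 20
              + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 0x14]) + b"\x33" * 20,
    "p2tr":   bytes([OP_1, 0x20]) + b"\x44" * 32,
}

def survey(utxos):
    """Coin-weighted tally of exposed vs. total value over (script, value, spent_from)."""
    exposed = total = 0
    for spk, value, spent_from in utxos:
        total += value
        if exposed_at_rest(spk, spent_from):
            exposed += value
    return exposed, total
```

Run `survey` over a real UTXO set export to reproduce the kind of exposed-supply share the article cites; the sample set here is constructed.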
There are two attack shapes to understand:
- At-rest: An attacker uses a quantum computer to derive private keys from public keys already exposed on the chain, like dormant early coins. There is no time pressure here, which makes it the nearer-term risk.
- On-spend: An attacker intercepts a transaction in the mempool and forges a competing one before the original confirms. On the fastest quantum architectures, research puts the key derivation at about 9 minutes on average, compared with Bitcoin's 10-minute block time. Under deliberately attacker-favorable assumptions (a single-signature target, fast key propagation, no network defenses), the paper models a success probability of just under 41% per block. The odds drop sharply on faster chains, to under 3% for Litecoin's 2.5-minute blocks, because there is less time to finish the math. This scenario still needs a faster machine than the at-rest case.
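As an added illustration, not taken from the article or the paper it cites: if blocks arrive memorylessly with mean interval $T$ (the usual Poisson model for proof-of-work mining, assumed here), a key derivation that takes a fixed time $t$ finishes before the next block with probability

$$P(\text{next block arrives after } t) = e^{-t/T}.$$

With the article's $t = 9$ minutes, Bitcoin's $T = 10$ gives $e^{-0.9} \approx 0.407$, the "just under 41%" figure, and Litecoin's $T = 2.5$ gives $e^{-3.6} \approx 0.027$, the "under 3%" figure. The paper's full model may include more factors, but this one term already shows why shorter block intervals shrink the on-spend window so sharply.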
The danger is not that Bitcoin's chain breaks. It is direct theft of funds, plus the confidence shock that would follow if old, supposedly lost coins suddenly started moving.
What is Bitcoin doing about it?
Two proposals are live, and they show how hard this is to coordinate.
BIP-360, assigned in February 2026 and already in testnet, introduces a new quantum-resistant output type (described as Pay-to-Quantum-Resistant-Hash or Pay-to-Merkle-Root). It protects newly created coins by keeping the vulnerable key off-chain and using NIST-approved post-quantum signatures instead.
BIP-361, published April 14, 2026 by Jameson Lopp (@lopp) and five co-authors, tackles the harder question of the legacy coins BIP-360 cannot help. Titled "Post Quantum Migration and Legacy Signature Sunset," it lays out a phased plan: about three years after activation, the network stops allowing sends to old address types; about two years after that, it stops honoring old signatures entirely, freezing any coins that never migrated. A third phase, still in research, would let rightful owners reclaim frozen funds using a zero-knowledge proof tied to their seed phrase.
This is where Bitcoin's culture collides with itself. Freezing coins, even to protect them, runs against the "your keys, your coins" principle many holders treat as sacred. Supporters counter that doing nothing guarantees those coins get stolen later, which is its own loss and a messier one. BIP-361 has no activation timeline and remains a draft.
How exposed is the rest of crypto?
The vulnerability is industry-wide, because most chains lean on the same family of elliptic curve math.
Ethereum is the most active responder. The Ethereum Foundation stood up a dedicated Post-Quantum Security team in January 2026, and Vitalik Buterin (@VitalikButerin) published a roadmap in February naming four exposed layers: account signatures (ECDSA), validator signatures (BLS), data availability (KZG commitments), and zero-knowledge proofs. Its leading strategy is account abstraction via EIP-8141, which is being considered for the Hegotá hard fork in the second half of 2026, allowing individual accounts to opt into quantum-safe signatures without forcing the whole network to switch at once. On the consensus side, Ethereum plans to swap BLS for a hash-based scheme called leanXMSS. The Foundation is targeting core post-quantum infrastructure around 2029.
Solana faces the same exposure through its Ed25519 signatures. Its two main client teams, Anza and Firedancer, have both converged on Falcon, a NIST lattice-based scheme, and published a phased migration plan in April 2026.
Which projects are already resistant or moving fast?
A handful of chains are worth tagging here, either because they were built quantum-safe or because they have concrete plans:
- QRL (Quantum Resistant Ledger): Quantum-safe from genesis, using hash-based XMSS signatures. Small-cap, but technically pure on this one issue.
- Algorand (ALGO): The furthest along among large chains. Falcon signatures are already in production for its state proofs, with Falcon transaction signatures in active development.
- Stellar (XLM): Published a Quantum Preparedness Plan on June 9, 2026, starting with ML-DSA signature verification in Soroban smart contracts, then opt-in quantum-safe signers in 2027.
- $XRP Ledger: Published a four-phase roadmap in April 2026 targeting full post-quantum readiness by 2028, with validator testing underway.
- Cardano (ADA): Running Project Nightstream, a lattice-based effort that starts by protecting historical ledger data with post-quantum checkpoints.
- Starknet: Its STARK proofs already rely on hash functions rather than elliptic curves, making them quantum-resistant by design.
The common toolkit is NIST's post-quantum standards, finalized in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA, also called Dilithium), and FIPS 205 (SLH-DSA, or SPHINCS+). Falcon's standard (FN-DSA) is expected to follow around 2027. The shared challenge is that these signatures are larger than what chains use today, which means bigger transactions and real performance costs to swallow.
So how worried should you be?
Not panicked, but not complacent either. No cryptographically relevant quantum computer exists today. The best current machines run a few thousand noisy physical qubits with at most around a hundred error-corrected logical ones. Google's paper estimated the attack would need roughly 1,200 to 1,450 logical qubits and fewer than 500,000 physical qubits, about a 20-fold drop from the prior best estimate of around 9 million. That is a smaller gap than the field believed a year ago, but still a large one, and the fault-tolerant hardware to cross it does not exist yet.
Estimates for "Q-Day" cluster around the end of this decade. Google set an internal 2029 deadline to migrate its own systems. The research firm Project Eleven puts the baseline at 2033. Ethereum researcher Justin Drake (@drakefjustin), co-author of the Google paper, pegs it at 10% by 2030 and 50% by 2032.
The reason to care now is timing, not imminence. Migrating a decentralized network takes years of coordination, and exposed data can be quietly harvested today to crack once a capable machine arrives, the "harvest now, decrypt later" problem. The chains moving early are not reacting to an attack. They are buying themselves a bit of runway. The threat is still years out. The work to stay ahead of it is too, and that is the part the industry has finally stopped postponing.
Sources
- The White House: Executive Order "Ushering in the Next Frontier of Quantum Innovation," signed June 22, 2026, establishing the QC-ADDS effort.
- Nextgov/FCW: Reporting on the second order and the 2030 and 2031 post-quantum migration deadlines for federal systems.
- Google Quantum AI: Resource estimates for breaking secp256k1: 1,200 to 1,450 logical qubits and under 500,000 physical qubits.
- BIP-361: Post Quantum Migration and Legacy Signature Sunset, including the over-34% exposed-supply figure and the phased freeze plan.
- BIPs.dev: Full BIP-361 text, authors, and phase structure.
- ethereum.org: Ethereum's post-quantum roadmap, EIP-8141, and account abstraction strategy.
- pq.ethereum.org: The Ethereum Foundation Post-Quantum team's research hub and priority list.
- Algorand: Falcon-signed state proofs since 2022, the first post-quantum mainnet transaction, and the end-of-2027 resilience roadmap.
- Stellar: The Quantum Preparedness Plan, published June 9, 2026, with ML-DSA in Soroban and the staged account migration.
- Ripple: The $XRP Ledger four-phase post-quantum roadmap targeting full readiness by 2028.
bsc.news