The quantum countdown of Bitcoin is not a physics problem.

Plain Language Blockchain

The main focus of this article is not sensational questions like "Will quantum computing destroy Bitcoin," but whether the Bitcoin community can complete upgrades and coordination before threats truly materialize. The author points out that the timeline for quantum risk is tightening, with early exposed public keys of old addresses becoming targets first, and the real challenge is not the cryptographic schemes themselves, but getting a highly conservative network to reach migration consensus in time.

The number comes from a milestone white paper published by Google Quantum AI in March 2026. By optimizing the implementation of Shor's algorithm, the research team showed that breaking the 256-bit elliptic curve cryptography protecting each Bitcoin address requires no more than 1,200 logical qubits and fewer than 500k physical qubits. Compared with the estimates that dominated the field five years ago, this figure has shrunk by about 20 times.

IonQ’s official roadmap plans to achieve 1,600 logical qubits by 2028, and increase to 80k by 2030; IBM’s quantum roadmap expects its Blue Jay system to reach 2,000 logical qubits by 2033.

Threat window: a date has already been set

To understand which part of Bitcoin is threatened by quantum computers, first understand what Bitcoin’s cryptography is based on.

Bitcoin’s security relies on two different pillars. The first is SHA-256, a hash function used to protect mining and address generation. The second is ECDSA, the elliptic curve digital signature algorithm, which handles “ownership.” Every time you send Bitcoin, ECDSA generates a digital signature to prove you control the wallet and authorize the transaction. Bitcoin uses the secp256k1 elliptic curve, which can generate key pairs. Your private key is a random number; the public key is derived from the private key via elliptic curve multiplication—this calculation is easy in one direction but nearly impossible to reverse with any classical computer. This “one-wayness” forms the entire basis of Bitcoin ownership security.

Quantum computers can speed up certain search problems, but not by enough to make SHA-256 mining a realistic target for any hardware currently under development. Mining systems are not the problem.

Various quantum hardware approaches are converging toward this threshold. The threat timeline is more like a lower bound than an upper bound: as soon as any of these technological routes makes an early breakthrough, this window will be further compressed.

Think of it as 10 years. Or even less.

“Collect first, decrypt later” has already begun

There’s another version of this problem that doesn’t have to wait until 2029.

Today, state-level intelligence agencies don’t need to have quantum computers to extract value from Bitcoin transactions. They only need storage capacity—and that’s cheap—and patience, which organizations are never short of. The strategy is straightforward: record the encrypted blockchain data now, and decrypt it all when hardware catches up in the future. In security circles, this is called “Harvest Now, Decrypt Later,” abbreviated as HNDL. Most credible assessments suggest this practice is already happening.

For most Bitcoin transactions, this is more of an inconvenience than a survival threat—because the data is public, and Bitcoin has always provided pseudonymity rather than true anonymity. But for privacy applications built on blockchain infrastructure, HNDL poses a deeper threat. Whether it’s confidential transactions or encrypted cross-chain messages, anything recorded today could be locked in a “waiting for quantum keys” safe. The long-term confidentiality assumptions of these systems are already being undermined in advance, whether users realize it or not.

There is also a less-discussed attack vector. Every unconfirmed transaction in the mempool broadcasts its public key before confirmation. In a world with sufficiently capable quantum computers, this broadcast window, about 10 minutes for Bitcoin and sometimes longer, becomes an attack window. If an attacker can derive the private key from the public key faster than the network confirms the transaction, they can redirect the funds before settlement. This is called a “real-time replacement attack.” It means the issue is not only wallets whose keys have been exposed for years; it is every in-flight transaction, a real-time risk once quantum hardware crosses the threshold.

The implications are significant.

Not all Bitcoin addresses are equally exposed

Not all Bitcoin addresses face the same risk. Early P2PK addresses expose the public key permanently on the blockchain, making them fixed targets for future quantum attackers. Newer formats—such as P2WPKH, P2TR—hide the public key until the funds are spent, shrinking the vulnerable window to a brief moment.

The problem is, many coins still reside in old formats.

This isn’t a systemic collapse, but a targeted one. The first victims of quantum attacks won’t be random; they’ll be precisely those with the most exposed keys. And the largest, most thoroughly exposed holdings in Bitcoin history are held by owners who have not taken any proactive measures.

The real challenge is governance, more than physics

Cryptographic solutions already exist. This isn’t a scenario where the entire industry is waiting for a scientific breakthrough. NIST officially finalized its post-quantum cryptography standards (CRYSTALS-Dilithium, Falcon, SPHINCS+) in 2024. These algorithms are public, peer-reviewed, and available. The real question is: can Bitcoin deploy them before the window closes?

Post-quantum signatures are much larger than today’s Bitcoin signatures, sometimes hundreds of times bigger. A 2026 study published in the Journal of the British Blockchain Association (JBBA) modeled the migration: throughput could drop by 52% to 57%, fees could double or triple, and the network’s overall storage requirements would grow significantly.
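To make the size argument concrete, here is a first-order sizing model, added as an example and not taken from the article or the JBBA study: it replaces the ECDSA signature and key in the witness of a minimal 1-input / 1-output segwit spend with a post-quantum pair and recomputes the spend’s virtual size, the fee at a flat fee rate, and how many such spends fit in a block. The scheme sizes are the published sizes of the NIST parameter sets ML-DSA-44, Falcon-512 and SLH-DSA-128s (an assumption: the page names the families, not the parameter sets), and the transaction layout and fee rate are constructed for the model.

```python
"""First-order sizing model for a single Bitcoin spend when the ECDSA
signature and public key in the witness are replaced by a post-quantum
pair.  Added example; this is not the JBBA study's model.  Scheme sizes are
the published sizes of the NIST parameter sets named below (assumed to be
the ones a migration would pick); the transaction layout is a minimal
1-input / 1-output segwit spend with the key and signature in the witness.
"""

# Signature / public-key sizes in bytes.  ECDSA: max DER signature incl.
# sighash byte, compressed key.  PQ sets: ML-DSA-44, Falcon-512, SLH-DSA-128s.
SCHEMES = {
    "ECDSA secp256k1":         {"sig": 72,   "pk": 33},
    "ML-DSA-44 (Dilithium2)":  {"sig": 2420, "pk": 1312},
    "Falcon-512":              {"sig": 666,  "pk": 897},
    "SLH-DSA-128s (SPHINCS+)": {"sig": 7856, "pk": 32},
}

# Non-witness bytes of the minimal spend (each weighs 4 weight units):
# version 4 + input count 1 + outpoint 36 + empty scriptSig length 1 +
# sequence 4 + output count 1 + value 8 + 22-byte scriptPubKey with its
# length byte 23 + locktime 4.  Constructed layout for the model.
BASE_BYTES = 4 + 1 + 36 + 1 + 4 + 1 + 8 + 23 + 4          # = 82
MARKER_FLAG_BYTES = 2                                       # weigh 1 unit each
ECDSA_SIG_BYTES = SCHEMES["ECDSA secp256k1"]["sig"]


def varint_len(n: int) -> int:
    """Bytes needed for Bitcoin's CompactSize length prefix."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5


def witness_bytes(sig: int, pk: int) -> int:
    """Key-spend witness: item count + length-prefixed signature and key."""
    return 1 + varint_len(sig) + sig + varint_len(pk) + pk


def vbytes(sig: int, pk: int) -> int:
    """Virtual size = ceil(weight / 4); witness bytes weigh 1 unit each."""
    weight = BASE_BYTES * 4 + MARKER_FLAG_BYTES + witness_bytes(sig, pk)
    return -(-weight // 4)


def compare(block_vbytes: int = 1_000_000, fee_rate_sat_vb: int = 10) -> dict:
    """Per scheme: spend size, fee at a flat fee rate, how many such spends
    fit in a block, and size ratios against today's ECDSA spend."""
    base = vbytes(**SCHEMES["ECDSA secp256k1"])
    result = {}
    for name, p in SCHEMES.items():
        v = vbytes(p["sig"], p["pk"])
        result[name] = {
            "vbytes": v,
            "fee_sat": v * fee_rate_sat_vb,
            "tx_per_block": block_vbytes // v,
            "tx_ratio_vs_ecdsa": round(v / base, 1),
            "sig_ratio_vs_ecdsa": p["sig"] // ECDSA_SIG_BYTES,
        }
    return result


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:26} {r['vbytes']:5} vB  fee {r['fee_sat']:6} sat  "
              f"{r['tx_per_block']:5} tx/block  x{r['tx_ratio_vs_ecdsa']}")
```

Two things the model shows that the prose does not: the witness discount softens the blow on transaction size (a Dilithium2 spend is roughly 9 times the ECDSA spend even though the signature alone is about 34 times larger), and the hash-based SLH-DSA signature is the one that is "hundreds of times" bigger. The study’s 52% to 57% figure comes from its own fuller model of a mixed transaction population, so the per-spend ratios here are not meant to reproduce it.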

Now, consider the governance structure needed to approve such a change.

The SegWit upgrade, which offered real, measurable performance improvements, took about two years from proposal to activation and was pushed through a deeply divided community. SegWit had visible, quantifiable benefits. Post-quantum migration lacks such immediate incentives. It asks the network to accept a 57% throughput reduction, pay 2 to 3 times higher fees, and endure years of implementation risk, all to prepare for a future quantum computer, against a signature scheme that has not yet been broken.

So far, the Bitcoin community has proposed only two plans. BIP 360 suggests introducing a new quantum-resistant address format based on Taproot, removing vulnerable key spending paths to hide public keys before spending. BIP 361 goes further: it plans to phase out current signature schemes and eventually freeze funds in wallets that haven’t migrated, until owners take action. By Bitcoin standards, this is already quite aggressive.

Vitalik Buterin has published a “Quantum Emergency Roadmap” that attempts to address the issue on multiple levels. Pointing out the gap between these two paths is not a criticism of Bitcoin culture. For a monetary protocol, extreme conservatism can be a coherent philosophy. But when the threat timeline is dictated by external engineering roadmaps rather than internal consensus, conservatism comes at a cost. JBBA’s research estimates that reaching community consensus on post-quantum migration could take 10 to 15 years; the threat window itself is also 10 to 15 years. These two numbers are essentially the same.

In 2025, reports indicated that at least one major global investment firm had removed Bitcoin from its recommended list, citing long-term quantum security uncertainties. It may not be the last. As IBM and IonQ’s roadmaps become harder to ignore, due diligence frameworks will start elevating “post-quantum migration plans” from footnotes to formal projects.

The question is never “Will it happen,” but “Will it be in time”

What’s actually going to happen is more granular—and, to some extent, more unsettling.

The first wave will target those already exposed.

The second wave is psychological. Bitcoin’s value has never been solely based on technical attributes. It’s also built on a belief: rules are fixed, math is reliable, and this asset isn’t manipulable by any actor with enough resources. Once a quantum breakthrough hits headlines, that belief could take a hit that’s hard to recover from. BlackRock and Fidelity launching Bitcoin ETFs aren’t just about technical specs—they’re about narratives. The fragility of these narratives has nothing to do with cryptography.

The third wave depends entirely on governance. My judgment is: Bitcoin won’t go to zero. But its path to survival is narrower than even its most ardent supporters admit, and the work required is more difficult than anything the network has done before. Physics probably gives Bitcoin until around 2033. Whether its governance can keep pace is the real open question.

If you hold Bitcoin in older wallet formats, check whether your addresses have exposed public keys. Addresses starting with “1” (P2PKH) or “bc1” (P2WPKH/P2TR) hide the public key until spent; early P2PK addresses will expose the key permanently. If your wallet was created in the past decade, you likely use newer formats; but if you’ve held Bitcoin since early days, it’s wise to verify. Migration costs just a transaction fee, no third-party trust needed, and there’s no reason to delay. But this is only a “risk reduction” step, not a full solution: public keys are still exposed when spending, and ECDSA signatures are not quantum-resistant. Truly quantum-safe migration depends on deploying post-quantum address formats—like P2QRH—which are still in BIP draft stages and not yet active on mainnet.
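The check recommended above, and the “public key revealed at spend” point from the mempool discussion, can be automated over raw output scripts. The following is an added example, not code from the article or from any Bitcoin project: it classifies a scriptPubKey by when the key becomes visible on-chain (a P2PK output carries the key permanently; P2PKH and P2WPKH outputs carry only a hash, and the key appears in the scriptSig or witness when the output is spent) and extracts the key that such a spend reveals. The script layouts are the standard ones; the sample key and signature bytes are constructed and are not a valid key or signature, and the exposure labels are this example’s own vocabulary.

```python
"""Classify Bitcoin output scripts by when the public key becomes visible,
and extract the key that a P2PKH / P2WPKH spend reveals.  Added example;
sample bytes below are constructed and are not a real key or signature.
"""
from typing import Optional

OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC
OP_PUSHDATA1 = 0x4C


def _pushes(script: bytes) -> list:
    """Split a push-only script (scriptSig style) into its data items."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:                  # direct push of op bytes
            n = op
        elif op == OP_PUSHDATA1:           # next byte holds the length
            n = script[i]
            i += 1
        else:
            raise ValueError(f"unexpected opcode 0x{op:02x} in push-only script")
        items.append(script[i:i + n])
        i += n
    return items


def classify_output(spk: bytes) -> dict:
    """Output type plus when its key is exposed: 'permanent' means the key is
    in the script itself; 'on_spend' means only a hash is on-chain until the
    output is spent; 'script_on_spend' means a script hash is on-chain."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return {"type": "P2PK", "exposure": "permanent", "pubkey": spk[1:-1].hex()}
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return {"type": "P2PKH", "exposure": "on_spend"}
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return {"type": "P2SH", "exposure": "script_on_spend"}
    if n == 22 and spk[:2] == b"\x00\x14":
        return {"type": "P2WPKH", "exposure": "on_spend"}
    if n == 34 and spk[:2] == b"\x00\x20":
        return {"type": "P2WSH", "exposure": "script_on_spend"}
    if n == 34 and spk[:2] == b"\x51\x20":   # OP_1 <32-byte x-only output key>
        return {"type": "P2TR", "exposure": "output_key_in_script", "pubkey": spk[2:].hex()}
    return {"type": "unknown", "exposure": "unknown"}


def revealed_pubkey(scriptsig: bytes = b"", witness=()) -> Optional[str]:
    """Key a P2PKH or P2WPKH spend puts on-chain: the second of the two
    <sig> <pubkey> items, from the scriptSig or the witness.  None if the
    input does not have that shape."""
    items = list(witness) if witness else _pushes(scriptsig)
    if len(items) == 2 and len(items[1]) in (33, 65) and items[1][0] in (2, 3, 4):
        return items[1].hex()
    return None


def audit(outputs) -> dict:
    """Count a set of unspent output scripts by exposure class."""
    summary = {}
    for spk in outputs:
        e = classify_output(spk)["exposure"]
        summary[e] = summary.get(e, 0) + 1
    return summary


# Constructed sample data (not a real key, signature, or hash).
PUBKEY = bytes([0x02]) + bytes(range(1, 33))                   # 33-byte compressed-key shape
FAKE_SIG = bytes([0x30]) + bytes(70) + b"\x01"                 # 72-byte DER-shaped signature
P2PK_SPK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SPK = b"\x00\x14" + bytes(20)
P2PKH_SCRIPTSIG = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(PUBKEY)]) + PUBKEY

if __name__ == "__main__":
    for spk in (P2PK_SPK, P2PKH_SPK, P2WPKH_SPK):
        print(classify_output(spk))
    print("key revealed by P2PKH spend:", revealed_pubkey(scriptsig=P2PKH_SCRIPTSIG))
    print("key revealed by P2WPKH spend:", revealed_pubkey(witness=[FAKE_SIG, PUBKEY]))
    print(audit([P2PK_SPK, P2PKH_SPK, P2WPKH_SPK]))
```

Running `audit` over a wallet’s unspent outputs separates the permanently exposed P2PK coins, which the article says should be moved, from the hash-protected ones; `revealed_pubkey` is the reason the second group is only safer until it is spent, since the spending input itself publishes the key.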

If you’re managing digital assets professionally, add a column to your framework:

If you’re involved in policy work, understand that CBDC infrastructure and digital finance systems face the same threats and timelines, because they rely on the same elliptic curve cryptography that Shor’s algorithm can break. Decentralized networks face even greater coordination challenges, lacking a central authority. Public infrastructure has no such excuse, but it may not have faster technical pathways either.

The real competition is between the development speed of quantum computing and Bitcoin’s ability to make difficult collective decisions under pressure: which is faster. Seen more broadly, the trajectory of this technology points to a larger conclusion: in a system continually shaped by technological constraints and evolving risks, long-term resilience depends on adaptability. Instead of assuming perpetual stability, it’s better to accept that systems must evolve alongside the risks they face.

Article link: https://www.hellobtc.com/kp/du/05/6331.html
