What is Q-Day? The quantum threat to Bitcoin explained


Source: PortaldoBitcoin
Original Title: What is Q-Day? The quantum threat to Bitcoin explained
Original Link:

Currently, quantum computers cannot break Bitcoin's encryption, but new advancements from Google and IBM indicate that the gap is closing faster than expected.

The progress towards fault-tolerant quantum systems raises the stakes for the so-called “Q-Day” — the moment when a sufficiently powerful machine could break old Bitcoin addresses and expose over $711 billion in vulnerable wallets.

Updating Bitcoin to a post-quantum state will take years, which means that the work needs to start well before the threat arrives. The challenge, experts say, is that no one knows when this will happen — and the community struggles to agree on how to move forward with a plan.

This uncertainty creates a persistent fear that a quantum computer capable of attacking Bitcoin may emerge before the network is ready.

In this article, we will look at the quantum threat to Bitcoin and what needs to change to prepare the world's leading blockchain.

How a quantum attack would work

A successful attack would not look like anything spectacular. A thief with a quantum computer would start by scanning the blockchain for any address that has ever revealed its public key. Old wallets, reused addresses, miner outputs from the early network, and dormant accounts all fall into this category.

The attacker would copy such a public key and feed it to a quantum computer running Shor's algorithm. Developed in 1994 by mathematician Peter Shor, the algorithm allows a quantum machine to factor large numbers and solve the discrete logarithm problem far more efficiently than any classical computer.

The elliptic curve signatures of Bitcoin depend on the difficulty of these problems. With sufficient qubits and error correction, a quantum computer could use Shor's method to calculate the private key linked to the exposed public key.

As explained by Justin Thaler, associate researcher at Andreessen Horowitz and professor at Georgetown University, once the private key is recovered, the attacker could move the coins.

“What a quantum computer could do — and this is what matters for Bitcoin — is forge the digital signatures that Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction withdrawing all the Bitcoins from your account, even without your permission. That is the concern.”

The forged signature would appear legitimate to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing on the blockchain would indicate that the transaction is suspicious. If an attacker targeted a large set of exposed addresses at once, billions of dollars could be moved in minutes. The market would react even before there was confirmation that a quantum attack was happening.

The state of quantum computing in 2025

In 2025, quantum computing finally began to seem less theoretical and more practical.

  • January 2025: Google's 105-qubit Willow chip showed significant error reduction and performance superior to classical supercomputers.
  • February 2025: Microsoft launched its Majorana 1 platform and reported a record logical entanglement of qubits with Atom Computing.
  • April 2025: NIST expanded the coherence of superconducting qubits to 0.6 milliseconds.
  • June 2025: IBM set goals of 200 logical qubits by 2029 and more than 1,000 by the early 2030s.
  • October 2025: IBM entangled 120 qubits; Google confirmed verified quantum acceleration.
  • November 2025: IBM announced new chips and software focused on quantum advantage in 2026 and fault-tolerant systems by 2029.

Why has Bitcoin become vulnerable?

Bitcoin signatures use elliptic curve cryptography. Spending from an address reveals the public key behind it, and this exposure is permanent. In the original pay-to-public-key format, many outputs published their public keys on the blockchain even before the first transaction. Later formats, such as pay-to-public-key-hash, keep the key hidden until the first spend.

Since their public keys were never hidden, these older coins — including about 1 million Bitcoins from the Satoshi era — are exposed to future quantum attacks. Migrating to post-quantum digital signatures, Thaler explained, requires active measures.

“For Satoshi to protect his coins, it would be necessary to move them to new wallets safe from quantum attacks,” he said. “The biggest concern is the abandoned coins, about $180 billion, including approximately $100 billion that are believed to belong to Satoshi. These are immense values, but they are abandoned — and that is the real risk.”

Adding to the risk are the coins associated with lost private keys. Many have been untouched for over a decade and, without those keys, can never be transferred to quantum-resistant wallets, which makes them viable targets for future attacks.

No one can freeze Bitcoins directly on the blockchain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks.
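As an added illustration (not from the article or any Bitcoin project), the small Python audit below applies the distinction drawn above: it parses raw scriptPubKeys for the common output types and reports whether the public key is already readable on-chain (pay-to-public-key, and the visible Taproot output key) or stays hidden until the address spends, with address reuse treated as exposure. The script bytes and the reuse flags are constructed sample data.

```python
# Added example: classify unspent outputs by public-key exposure, following the
# article's P2PK / P2PKH distinction. All sample bytes below are constructed.

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
OP_0, OP_1 = 0x00, 0x51


def script_type(spk: bytes) -> str:
    """Return the output script type of a raw scriptPubKey."""
    n = len(spk)
    # P2PK: <33- or 65-byte public key> OP_CHECKSIG (key is in the output itself)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    # P2TR: OP_1 <32-byte x-only output key> (a tweaked public key, visible on-chain)
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "other"


def quantum_exposure(spk: bytes, address_spent_before: bool) -> str:
    """'exposed' if the public key is recoverable from the chain today,
    'hidden-until-spend' if only a hash is public and the address never spent."""
    t = script_type(spk)
    if t in ("p2pk", "p2tr"):
        return "exposed"
    if t in ("p2pkh", "p2wpkh"):
        # Hash-based output: the key appears in the first spend, so reuse leaks it.
        return "exposed" if address_spent_before else "hidden-until-spend"
    return "unknown"


# Constructed sample UTXOs: label -> (scriptPubKey, has this address spent before?)
SAMPLE_UTXOS = {
    "early-miner-p2pk": (bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), False),
    "reused-p2pkh": (bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
                     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), True),
    "fresh-p2wpkh": (bytes([OP_0, 20]) + b"\x33" * 20, False),
    "taproot-p2tr": (bytes([OP_1, 32]) + b"\x44" * 32, False),
}


def audit(utxos: dict) -> dict:
    """Map each labelled UTXO to its exposure class."""
    return {label: quantum_exposure(spk, spent) for label, (spk, spent) in utxos.items()}


if __name__ == "__main__":
    for label, status in audit(SAMPLE_UTXOS).items():
        print(f"{label:18} {status}")
```

Only outputs reported as hidden-until-spend benefit from the habits the article recommends (no address reuse, key hidden until spending); the others already need to be moved.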

However, Thaler noted that post-quantum cryptography and digital signature schemes bring high performance costs, as they are much larger and heavier than the current 64-byte signatures.

“Current digital signatures are about 64 bytes. Post-quantum versions can be 10 to 100 times larger,” he said. “In a blockchain, this size increase is a much bigger problem because each node needs to store these signatures forever. Managing this cost, the literal size of the data, is much more difficult here than in other systems.”

Paths to Protection

Developers have already proposed several Bitcoin Improvement Proposals (BIPs) to prepare the network against quantum attacks. They follow different paths — from optional protections to complete migrations of the network.

  • BIP-360 (P2QRH): creates new addresses “bc1r…” that combine elliptic curve signatures with post-quantum schemes such as ML-DSA or SLH-DSA. It offers hybrid security without a hard fork, but larger signatures imply higher fees.
  • Quantum-Safe Taproot: adds a post-quantum hidden branch to Taproot. If quantum attacks become realistic, miners could adopt a soft fork to require the use of this branch, while users operate normally until then.
  • Quantum-Resistant Address Migration Protocol (QRAMP): mandatory migration plan that moves vulnerable UTXOs to quantum-safe addresses, likely via hard fork.
  • Pay to Taproot Hash (P2TRH): replaces visible Taproot keys with doubly hashed versions, limiting exposure without breaking compatibility or using new cryptography.
  • Non-Interactive Transaction Compression (NTC) via STARKs: uses zero-knowledge proofs to compress large post-quantum signatures into a single proof per block, reducing storage costs and fees.
  • Commit-Reveal Schemes: based on hashed commitments published before any quantum threat.
    • Helper UTXOs use small post-quantum outputs to secure spending.
    • “Poison pill” transactions allow pre-publishing recovery paths.
    • Variants in the style of Fawkescoin remain dormant until a real quantum computer is demonstrated.

Together, these proposals outline a gradual path to quantum security: quick and low-impact fixes, such as P2TRH, now — and heavier updates, such as BIP-360 or compression via STARKs, as the risk increases. All would require broad coordination, and many post-quantum address formats and signature schemes are still under initial discussion.

Thaler highlighted that the decentralization of Bitcoin — its greatest strength — also makes it slow and difficult to update, as any new signature scheme would require broad consensus among miners, developers, and users.

“Two major problems stand out for Bitcoin. First, updates take a long time, if they happen at all. Second, there are abandoned coins. Any migration to post-quantum signatures needs to be active, and the owners of those old wallets have disappeared,” Thaler said.

“The community needs to decide what to do with them: either agree to remove them from circulation or do nothing and let invaders with quantum computers take them. The second path would be legally ambiguous — and those who took them would probably not care.”

Most Bitcoin holders do not need to act immediately. Some habits already help to reduce long-term risk — such as avoiding address reuse, keeping the public key hidden until spending, and using modern wallets.

Today's quantum computers are still far from breaking Bitcoin, and predictions about when this will happen vary widely. Some researchers see a threat within five years; others, only in the 2030s — but ongoing investments could accelerate this timeline.
