🐱 Schrödinger's FUD
FIRE BTC Issue #74 - Is quantum computing a threat to bitcoin?
The quantum threat to bitcoin feels very quantum in and of itself. You do not know if it is real or not until you open Schrödinger's box, and nobody can agree on whether there is actually a cat inside. But every few months the cycle repeats, a careful research paper gets published, the press condenses it into a terrifying headline, your uncle texts you about selling, and the actual paper says nothing of the sort.
Google's March 2026 quantum computing paper was the latest trigger. "Google cracks bitcoin in 9 minutes" was the version that traveled. The paper itself described a hypothetical machine that does not exist, running Shor's algorithm against the signature math, which bitcoin's mining does not even use (mining is SHA-256 hashing, and Shor's algorithm does nothing against a hash), under conditions that assume every unsolved engineering challenge has already been solved. But most people who share links never click through to read them, so the headline becomes the message.
I've stayed on top of the quantum computing topic as it relates to bitcoin over the years, so I had enough baseline knowledge to avoid panicking when the headlines hit. But when something like this surfaces and smart people are taking it seriously, it is healthy to re-question your assumptions, look carefully at the new information, and update what you know. So that is what I did. And I want to share what I found, because this topic clearly keeps some people from moving ahead with buying bitcoin after they have become interested in it, and that can be an expensive mistake if the fear turns out to be overblown.
Case in point, last year I presented to the CEO and CFO of an S&P 500 company about bitcoin. The CEO is an engineer by background, and the quantum question was one of his major blockers, both for buying personally and for putting bitcoin on the company's balance sheet. That conversation happened before Google's paper even came out. The fear was already there.
People have been warning about the quantum threat to bitcoin for a very long time, and it has not really progressed in the way the headlines or the doom peddlers suggest.
The pattern is always the same. Google's Sycamore chip caused a panic in 2019. The Willow chip did it again in December 2024. The resource-estimate paper in March 2026 kicked off another round. Each time, a few weeks pass, the actual researchers weigh in, and the timeline turns out to be roughly what it was before, a decade or more away, give or take a lot of uncertainty.
That does not mean you should ignore it. It means you should understand it well enough to know what is actually at risk, what is not, and what you can do about it right now.
⚡ What Is Actually At Risk
The single most important fact that mainstream coverage consistently misses is that bitcoin uses signatures, not encryption. Nobody is decrypting your bitcoin. There is no vault to crack open, no file to unlock, and no harvest-now-decrypt-later scenario where someone records your transactions today and breaks them open with a future quantum computer. That scenario applies to encrypted communications like email or messaging. Bitcoin does not work that way. The closest analogue in bitcoin is a public key that is already sitting on-chain: there is nothing to decrypt, but a future machine could derive the private key from it, which is why the rest of this issue is about which public keys are exposed and which are not.
What bitcoin does use is a digital signature, a mathematical proof that you own what you are spending. Your wallet has a private key and a public key derived from it. When you send bitcoin, your public key gets revealed on the blockchain, and the signature proves you have the corresponding private key without actually showing it.
The quantum threat boils down to one specific attack. A sufficiently powerful quantum computer could, in theory, derive your private key from your public key by solving the elliptic-curve discrete logarithm problem with Shor's algorithm. Think of it like someone figuring out your password by watching you type, except they would need a computer that nobody has built yet, running a program that has never been executed at the required scale.
There is a second quantum algorithm called Grover's that theoretically speeds up the brute-force guessing bitcoin miners do. This sounds scary until you run the numbers. Grover's gives only a square-root speedup, not the exponential one Shor's gives: a search over 2^n possibilities becomes roughly 2^(n/2) quantum hash evaluations, and each of those evaluations is vastly slower and more expensive than a hash on a mining ASIC. By the estimate cited here, you would need roughly 3% of the Sun's total energy output to use Grover's algorithm to outcompete a $2,000 mining machine. Bitcoin mining is not at risk from quantum computing, not now and not in any foreseeable future.
One more thing worth knowing. The largest number ever factored by a quantum computer running Shor's algorithm is 15. Not a typo. The commonly cited "21" was a 2012 experiment that hardcoded the answer into the circuit, which made the result circular. A 1981 Commodore VIC-20 could factor 15. We are a very long way from the kind of machine that would threaten bitcoin's signature scheme.
🧅 Layers of Exposure
Not all bitcoin is equally at risk. There are layers to this, and where you sit depends on what kind of addresses your bitcoin lives in.
Satoshi-era addresses (2009-2012): pay-to-public-key (P2PK) outputs put the raw public key in the transaction output itself, so it is permanently visible. This is the oldest address format, about 1.7M BTC at risk, mostly presumed lost. These are the canary in the coal mine.
Addresses you've spent from before: your public key got exposed when you sent a transaction, and it stays exposed for any coins still sitting on, or later sent to, that address. About 5.2M BTC sits in this bucket. Move funds to a fresh address you have never spent from, and never send anything back to the old one.
Newer Taproot addresses: the public key (the x-only output key) is written into the output itself, so it is visible by design. This is a newer format with a known tradeoff. This bucket is growing, and a fix is in development.
Modern wallets (SegWit, single-use): the output holds only a hash of your public key, so the key itself stays hidden until you spend. This is the majority of active bitcoin, and you are not in the acute risk tier.
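The tiers above are decided by two things you can read straight off the chain: the template of each output script (scriptPubKey) and whether that script has ever appeared in a spending input. Here is an added example (not from the newsletter or any wallet software) that classifies standard scriptPubKey templates by whether the public key is visible, then audits a constructed UTXO set into the four tiers. The UTXOs, public key bytes and hashes are made up for the demo; the script templates are the real standard ones. Anything outside those templates is treated conservatively as exposed.

```python
# Added example: classify bitcoin output scripts by on-chain key exposure
# and audit a constructed UTXO set into the tiers described above.
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


def classify_script(spk: bytes):
    """Return (script_type, key_exposed_on_chain) for a scriptPubKey.

    key_exposed_on_chain is True when the raw public key sits in the output
    itself, False when the output only commits to a hash (of a key or a
    script), so the key is hidden until the output is spent.
    """
    n = len(spk)
    # P2PK: <push 33|65-byte pubkey> OP_CHECKSIG   (Satoshi-era coinbases)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh", False
    # P2WPKH: OP_0 <20-byte key hash>    P2WSH: OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", False
    # P2TR: OP_1 <32-byte x-only output key>   (key visible by design)
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "unknown", True  # cannot parse it: assume the worst


@dataclass
class Utxo:
    txid: str
    vout: int
    value_btc: float
    spk: bytes


def exposure_tier(utxo: Utxo, spent_from: set) -> str:
    """Map one UTXO to a tier. spent_from holds every scriptPubKey that
    some confirmed input has already spent from (address reuse)."""
    kind, key_visible = classify_script(utxo.spk)
    if kind == "p2pk":
        return "1-p2pk-key-exposed"
    if kind == "p2tr":
        return "3-taproot-key-exposed"
    if utxo.spk in spent_from:
        return "2-reused-key-exposed"
    if key_visible:
        return "unknown-treat-as-exposed"
    return "4-hashed-not-yet-spent"


def audit(utxos, spent_from):
    """Sum BTC per tier."""
    totals = {}
    for u in utxos:
        tier = exposure_tier(u, spent_from)
        totals[tier] = totals.get(tier, 0.0) + u.value_btc
    return totals


# Constructed sample data (not real keys, hashes or transactions).
PK33 = bytes([0x02]) + bytes.fromhex("11" * 32)        # fake compressed pubkey
H20_A, H20_B = bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20)
X32 = bytes.fromhex("cc" * 32)                         # fake x-only key

SAMPLE_UTXOS = [
    Utxo("tx1", 0, 50.0, bytes([33]) + PK33 + bytes([OP_CHECKSIG])),   # 2009-style P2PK
    Utxo("tx2", 1, 1.5, bytes([OP_DUP, OP_HASH160, 20]) + H20_A
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),                      # P2PKH, reused
    Utxo("tx3", 0, 0.25, bytes([OP_0, 20]) + H20_B),                   # P2WPKH, fresh
    Utxo("tx4", 0, 0.1, bytes([OP_1, 32]) + X32),                      # P2TR
]
# The P2PKH script above has already been spent from once.
SAMPLE_SPENT_FROM = {SAMPLE_UTXOS[1].spk}

if __name__ == "__main__":
    for tier, btc in sorted(audit(SAMPLE_UTXOS, SAMPLE_SPENT_FROM).items()):
        print(f"{tier:28s} {btc:.2f} BTC")
```

Running the audit on a real UTXO snapshot needs the same two inputs: each output's scriptPubKey and the set of scripts referenced by any input, which a full node's index already has. Notice that a multisig address (P2SH or P2WSH) lands in the hidden tier only until it is spent from; the spend reveals the whole redeem script, including every cosigner's public key.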
Add it up and roughly 35% of the total bitcoin supply is quantum-exposed in some form. That sounds alarming until you look at what exposed actually means in practice.
Take Satoshi's coins, the most commonly cited doomsday scenario. His roughly 1.1 million bitcoin sits across approximately 22,000 separate addresses, each holding about 50 BTC. Even if a quantum computer existed today that could crack one key per hour, draining all of Satoshi's coins would take roughly two and a half years of continuous, uninterrupted operation. At one key per day, it is about sixty years.
Your situation is probably better. If you are using a modern wallet with SegWit addresses and you do not reuse addresses, which is the default on platforms like Unchained, your public key is not exposed on-chain until the moment you spend. A quantum attacker would need to see your transaction in the mempool, crack your key, and broadcast a competing higher-fee spend before yours is confirmed in a block. With a fee that gets you into the next block that window averages about ten minutes; a low-fee transaction that lingers in the mempool for hours or days leaves the key exposed that whole time. And if you are using multisig, they would need to crack two or three keys within that same window. Multisig does not make you quantum-proof, but it raises the difficulty significantly.
Exchanges, by the way, have historically been some of the worst offenders when it comes to address reuse. If you are holding bitcoin on an exchange that reuses deposit addresses, your exposure is higher than it needs to be, and that is true regardless of quantum.
⏰ How Far Away Is This?
The best quantum computers publicly known today operate at roughly 1,000 physical qubits. Google's 2026 paper estimates you would need fewer than 500,000 physical qubits to break bitcoin's signature scheme. That is a gap of roughly 500x, nearly three orders of magnitude, and the estimate assumes qubits with error rates low enough for fault-tolerant error correction, a bar that only the best current devices are beginning to clear, so raw qubit count understates the distance.
The institutional consensus from Google, IBM, Microsoft, and NIST converges on the mid-2030s as the earliest realistic window for a cryptographically relevant quantum computer. Individual researchers spread wider. Craig Gidney at Google Quantum AI puts a 10% probability on a machine by 2030, Bruce Schneier targets around 2039, Scott Aaronson flatly refuses to give a date, and Daniel Bernstein, the founder of the post-quantum cryptography field, has publicly said he hopes quantum computing somehow fails. When the founder of the field that exists specifically to defend against quantum computers says that, it tells you something about the current state of play.
There is an important nuance here called the step-function problem. Quantum computing will not give us gradual warning by cracking progressively larger numbers like 15, then 50, then 200, then bitcoin's key size. That is not how the physics works. You get nothing for years, then a small demonstration, then at some point a machine capable of attacking real-world cryptography. As Scott Aaronson put it, you do not get a small nuclear explosion before the big one.
But "at some point" is doing a lot of work there. Google's own estimates show a 30x increase in physical qubits and a 32,000x increase in the number of operations needed to go from a small demonstration to an actual bitcoin-threatening attack. That is a massive engineering gap. The step is not vertical. It has real width, probably measured in years, during which the bitcoin community would see the threat developing and have time to respond.
And there is a meaningful cohort of serious physicists, including Tim Palmer at Oxford, Gil Kalai, Mikhail Dyakonov, and Leonid Levin, who argue that large-scale fault-tolerant quantum computing may be fundamentally impossible, not just difficult. These are not cranks. They are credentialed skeptics raising structural objections to whether the error-correction scaling that fault tolerance requires can actually work.
One last data point. The quantum computing industry has received over $40 billion in funding and generates less than $1 billion in revenue. Corporate insiders are selling stock at a 216-to-1 ratio versus buying. Follow the money, not the press releases.
🔑 The Bigger Risk Might Be Classical Math
Bitcoin developer @reardencode has pointed out that the number of production cryptographic systems broken by quantum computers is zero. The list of systems broken by classical mathematicians with pencil and paper is long: DES, MD5, SHA-1, RC4, Enigma. Every cryptographic casualty in history was killed by a mathematician, not a physicist.