Supplementary Education
Is Your Bitcoin Safe?
The Quantum Computing Threat Explained
License: CC BY-SA 4.0 · by Marius
Intermediate
Quantum computers could one day crack the cryptography protecting every Bitcoin wallet. That moment has a name: Q-Day. Nobody knows when it will arrive — but ~6.9 million BTC (worth over $470 billion) already sits in wallets with exposed public keys. Bitcoin's first defense — BIP-360 — has been formally proposed and merged into Bitcoin's BIP repository. The clock is ticking.
Why This Matters
Quantum computing poses arguably the biggest long-term threat to Bitcoin and the entire cryptocurrency ecosystem. If a quantum computer becomes powerful enough, it could derive private keys from public keys — effectively stealing any Bitcoin stored in a wallet with an exposed public key. That moment has a name: Q-Day.
For years, the crypto community has largely dismissed this threat. "We're decades away," the argument goes. But on March 31, 2026, a paper from Google Quantum AI changed the calculus. The researchers demonstrated that improved quantum algorithms could break the elliptic curve cryptography used by Bitcoin with roughly 20 times fewer resources than previously estimated — approximately 1,200 logical qubits and fewer than 500,000 physical qubits, with attack circuits running in minutes, not hours.
The estimated market exposure: more than $600 billion across Bitcoin, Ethereum, and stablecoins, according to CryptoRank's analysis of the paper.
Nobody is saying a quantum attack is imminent. Google itself does not claim such a machine exists today. But the gap between "theoretical" and "practical" just narrowed dramatically. And in a system where billions of dollars are at stake and protocol upgrades take years, "not yet" is not the same as "not urgent."
Fortunately, Bitcoin is not standing still. In February 2026, a proposal called BIP-360 was added to Bitcoin's official improvement proposal repository — the project's first official step toward quantum resistance. This article explains the threat, the defense, and what you should do today.
How Bitcoin's Cryptography Works
To understand the quantum threat, you need to understand what Bitcoin actually uses to keep your coins safe. There are two cryptographic pillars:
Pillar 1: Digital Signatures (ECDSA)
When you send Bitcoin, you prove ownership by signing the transaction with your private key. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) over a specific curve called secp256k1. The math works like a one-way door:
- Private key → Public key: Easy. Multiply a large number by a point on the elliptic curve. Any computer can do this instantly.
- Public key → Private key: Essentially impossible with classical computers. You would need to perform approximately 2^128 operations — more than the number of atoms in the observable universe.
This asymmetry is what makes Bitcoin work. Your public key (or a hash of it) serves as your address. Your private key proves you own the coins. Nobody can reverse the math — with a classical computer.
Pillar 2: Hashing (SHA-256)
Bitcoin's second cryptographic primitive is SHA-256, used for:
- Proof-of-Work mining: Miners repeatedly hash block headers to find a valid nonce.
- Address generation: Most modern Bitcoin addresses are the hash of a public key (e.g., P2PKH, P2WPKH), adding an extra layer of protection.
- Merkle trees: Transaction integrity within each block.
The key distinction: ECDSA is the vulnerable target. SHA-256 is not. This difference is critical to understanding which Bitcoin are at risk and which are relatively safe.
| Component | Algorithm | Classical Security | Quantum Threat |
|---|---|---|---|
| Digital signatures | ECDSA / secp256k1 | ~2^128 operations | Broken by Shor's algorithm |
| Address hashing | SHA-256 + RIPEMD-160 | 256-bit | Reduced to 128-bit (still strong) |
| Proof-of-Work mining | SHA-256 | Hard | Faster with Grover's (moderate) |
| Merkle tree integrity | SHA-256 | Collision-resistant | Not meaningfully affected |
Source: Bitcoin protocol specifications, NIST post-quantum cryptography standards
What Quantum Computers Can Break
Quantum computers threaten Bitcoin through two algorithms. Only one is truly dangerous.
Shor's Algorithm — The Real Threat
Shor's algorithm, published by mathematician Peter Shor in 1994, can solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) in polynomial time. In plain English: given a public key, a sufficiently powerful quantum computer running Shor's algorithm could calculate the corresponding private key. Once you have the private key, you control the wallet.
For Bitcoin's secp256k1 curve, this would require an estimated 1,200–1,450 logical qubits and under 500,000 physical qubits using advanced error correction, according to the March 2026 Google Quantum AI paper. Prior estimates put this figure closer to 10 million physical qubits — making Google's findings a 20x reduction in the expected hardware requirements.
Critically, the attack only works when the public key is known. If your coins sit behind a hash (as in P2PKH or P2WPKH addresses), Shor's algorithm has nothing to work with — until you spend and the public key is revealed.
Grover's Algorithm — Moderate, Not Existential
Grover's algorithm provides a quadratic speedup for brute-force searches. Applied to SHA-256, it effectively halves the security level from 256 bits to 128 bits. While 128-bit security sounds like a dramatic reduction, it remains astronomically strong — well beyond any foreseeable attack capability.
A quantum-equipped miner would gain a modest advantage in the Proof-of-Work race, but it would not break mining or undermine Bitcoin's consensus mechanism. The real danger is Shor's algorithm targeting ECDSA — not Grover's algorithm targeting SHA-256.
How Much Bitcoin Is at Risk?
Not all Bitcoin addresses are equally vulnerable. The risk depends entirely on whether the public key has been exposed.
Address Types by Vulnerability
| Address Type | Format | Public Key Exposure | Quantum Risk |
|---|---|---|---|
| P2PK (Pay-to-Public-Key) | Raw public key | Permanently on-chain | Critical — unlimited attack time |
| P2TR (Pay-to-Taproot) | bc1p... | Tweaked key on-chain | High — key-path reveals public key |
| P2PKH (Pay-to-Public-Key-Hash) | 1... | Only when spent (or reused) | Medium — brief mempool window |
| P2WPKH (Pay-to-Witness-Public-Key-Hash) | bc1q... | Only when spent | Lower — hash protects key |
| P2MR (BIP-360, Pay-to-Merkle-Root) | bc1z... | Never (script-path only) | Quantum-resistant design |
Source: Bitcoin protocol, BIP-360 specification
The Numbers
Project 11's Bitcoin Risk List — the most comprehensive tracker of quantum-vulnerable Bitcoin — counts exactly 6,876,473 BTC in wallets with exposed public keys, worth roughly $470 billion. That is approximately a third of Bitcoin's total supply.
| Category | Estimated BTC | ~USD Value | Details |
|---|---|---|---|
| P2PK (legacy) | ~1.7M BTC | ~$112.6B | Includes Satoshi's ~1M BTC. Public keys permanently on-chain. Zero protection. |
| Taproot (P2TR) | Variable | — | All bc1p addresses expose tweaked public keys. Growing as Taproot adoption increases. |
| Reused addresses | Millions | — | Any address that has sent a transaction has its public key permanently exposed. |
| Dormant vulnerable | ~2.3M BTC | ~$152.3B | Cross-type vulnerable coins per Google's analysis. |
| Total exposed keys | ~6.87M BTC | ~$470B | Per Project 11 Risk List. |
Source: Project 11 Bitcoin Risk List, CryptoRank analysis
The Mempool Window
Even "safe" addresses have a brief vulnerability window. When you spend Bitcoin from a P2PKH or P2WPKH address, your public key is revealed in the transaction sitting in the mempool waiting for confirmation. In theory, a quantum attacker could derive your private key during this window (typically ~9 minutes for the next block) and broadcast a competing transaction stealing the remaining funds. Google's paper estimates this "on-spend" attack would have roughly a 41% success rate per attempt, according to CryptoRank.
This is why never reusing addresses and spending full UTXOs (leaving no change to a now-exposed address) matter even with hash-protected address types.
Harvest Now, Decrypt Later (HNDL): This attack strategy means that adversaries could archive Bitcoin transaction data today and derive private keys from the exposed public keys once quantum hardware matures. Coins in legacy P2PK and Taproot (bc1p) addresses face long-range attacks even before Q-Day arrives. The blockchain is public and permanent — every exposed public key is already recorded and waiting.
When Could Q-Day Arrive?
The honest answer: nobody knows. And the range of expert opinions is uncomfortably wide.
Expert Estimates
| Who | Role | Estimate |
|---|---|---|
| Adam Back | Blockstream CEO, cypherpunk | 20–40 years (no current risk) |
| Hunter Beast | BIP-360 author | Compares modern QC to 1950s classical computing |
| Justin Drake | Ethereum Foundation | ≥10% chance by 2032 |
| Vitalik Buterin | Ethereum creator | Could crack ECDSA as early as 2028 |
| Anatoli Yakovenko | Solana co-founder | 50/50 chance within 5 years (from Sep 2025) |
| David Carvalo | NowProtocol CEO | "Far more immediate" — community is "asleep at the wheel" |
Source: Public interviews and statements, CryptoRank, The Quantum Insider
Note the pattern: those closest to quantum computing research tend to be more alarmed than those in the Bitcoin community. After Google's March 2026 paper, Justin Drake said his confidence in a Q-Day by 2032 had "risen sharply."
Quantum Hardware Milestones
| Organization | System | Qubits | Year |
|---|---|---|---|
| Google | Willow | 105 physical qubits | 2024 |
| IBM | Kookaburra | Modular processor (3×1,386 = 4,158 qubits at system level) | 2026 (est.) |
| Microsoft | Majorana | 1 topological qubit (new approach) | 2025 |
| IBM | Starling (roadmap) | 200 logical qubits (~10,000 physical) | 2028 |
| IonQ | Roadmap | 2,000,000 physical qubits | 2030 |
| | Google estimate for Shor attack | <500,000 physical qubits | Unknown |
Source: Google Quantum AI, IBM, Microsoft, IonQ public roadmaps
The gap between today's ~1,400 physical qubits and the ~500,000 needed is enormous. But progress in quantum computing has historically been non-linear — breakthroughs in error correction, new qubit technologies (topological qubits, photonic systems), and algorithmic improvements can compress timelines dramatically. Google's 20x reduction in estimated requirements came not from hardware advances but from better algorithms.
The Q-Day Prize
Project 11 has put up a 1 BTC bounty (the "Q-Day Prize") for anyone who can break elliptic curve cryptography using a quantum computer. The deadline: April 5, 2026. Nobody has claimed it. But the existence of the prize underscores the seriousness with which researchers are treating the timeline.
BIP-360: Bitcoin's First Step
On February 11, 2026, a Bitcoin Improvement Proposal called BIP-360 was added to Bitcoin's official BIP repository — marking the project's first formal step toward quantum resistance. The proposal was authored by Hunter Beast (pseudonymous developer), Ethan Heilman, and Isabel Foxen Duke.
What BIP-360 Does
BIP-360 introduces a new output type called Pay-to-Merkle-Root (P2MR), with addresses starting with bc1z. The core idea: remove the mechanism that exposes public keys on-chain.
Here's the problem it solves: Taproot (P2TR) introduced "key-path spending," which reveals a tweaked public key on the blockchain. This was a design choice for efficiency — but it creates a quantum attack surface. BIP-360 eliminates key-path spending entirely, committing instead to the Merkle root of a script tree. The public key is never exposed.
In the proposal's own words: "A simple, low-risk [change] that creates options for using Bitcoin in a quantum-resistant way and a conservative first step in this effort."
What BIP-360 Does NOT Do
- Does not replace ECDSA or Schnorr signatures. The existing signature schemes remain in place. BIP-360 only removes the key-path exposure pattern. Fully post-quantum signatures would be a much larger protocol change.
- Does not protect against on-spend attacks. When you spend from a P2MR output, the public key is still briefly revealed in the transaction data. Defending against this requires future upgrades.
- Does not migrate existing coins. Old UTXOs in P2PK, P2PKH, P2TR, or any other format remain in their current state. Users must choose to move funds to bc1z addresses. Bitcoin is a decentralized network — nobody can force a migration.
- Does not specify a post-quantum signature algorithm. As PostQuantum.com notes, BIP-360 is a framework that "leaves space for NIST-standardized ML-DSA or SLH-DSA" in the future.
BTQ Technologies: Proof It Works
On March 20, 2026, BTQ Technologies announced the first working implementation of BIP-360 on their Bitcoin Quantum testnet (v0.3.0). The testnet has attracted 50+ miners, processed 100,000+ blocks, and includes contributions from 100+ developers. It also implements Dilithium-based post-quantum signature opcodes — going beyond BIP-360's scope to test what a fully quantum-resistant Bitcoin might look like, according to Bitcoin.com's reporting.
This is significant: BIP-360 is no longer just a specification on paper. It has been built, tested, and validated in a live (testnet) environment.
The Fun Fact
Hunter Beast originally wanted bc1z addresses to use "r" for "resistant" — but SegWit versioning rules meant the upgrade would have jumped from version 1 to version 3, skipping version 2. This apparently upset some Bitcoin developers. So "z" it is.
Beyond BIP-360
BIP-360 is a first step — deliberately minimal and conservative. Several other proposals address the gaps it leaves behind.
Hourglass: Damage Control
Also authored by Hunter Beast, Hourglass takes a different approach: instead of preventing quantum attacks, it limits their impact. The mechanism is simple — restrict P2PK coins to one input per block and prevent the creation of new P2PK outputs.
Without Hourglass, a quantum attacker could theoretically steal all ~7 million exposed BTC in a single day. With Hourglass, the process would stretch across approximately 34,000 blocks (~8 months). Quantum computers would have to compete against each other to claim the same keys — and would effectively become miners bidding for block space, which would actually benefit Bitcoin miners through higher fees.
Hourglass is a safety net: imperfect, but a massive improvement over doing nothing.
Post-Quantum Signature Schemes
For true, long-term quantum resistance, Bitcoin will eventually need to replace ECDSA/Schnorr with post-quantum signature algorithms. The leading candidates:
| Scheme | Type | Strengths | Weaknesses |
|---|---|---|---|
| SPHINCS+ (SLH-DSA) | Hash-based | Strongest security assumptions; relies only on hash functions (already quantum-resistant) | Very large signatures (~8–49 KB vs. ECDSA's ~72 bytes) |
| Dilithium (ML-DSA) | Lattice-based | Smaller and faster than hash-based; NIST standardized | Relies on lattice assumptions; larger than ECDSA |
| Hybrid schemes | Combined | Pairs SPHINCS+ or Dilithium with current Schnorr signatures for dual security | Complexity; requires careful protocol design |
Source: NIST post-quantum cryptography standards, BTQ Technologies
None of these are in official Bitcoin Improvement Proposals yet. BTQ Technologies has tested Dilithium opcodes on their testnet, but production deployment is years away. As Binance's analysis notes, BIP-360 "formally puts quantum resistance on Bitcoin's road map for the first time" — but the road is long.
The Freeze/Burn Debate
Some voices in the Bitcoin community — including cypherpunk Jameson Lopp and Bitcoin Core developer Matt Corallo — have proposed freezing or even burning BTC that is deemed lost or dormant. This would include Satoshi's coins.
The argument: if those coins are going to be stolen by a quantum attacker anyway, better to remove them from circulation than let an attacker dump them on the market and crash the price.
The counterargument is powerful: once you modify the protocol to invalidate coins, you undermine the foundational principle that no third party controls your Bitcoin. As the Coin Bureau's Guy summarized: "That kind of intervention would set a dangerous precedent. Once you start modifying the protocol to confiscate or invalidate coins, you undermine the very principles that made Bitcoin valuable in the first place."
It would damage Bitcoin's narrative as a digital store of value, shake institutional confidence, and set a precedent that could be exploited for political or regulatory purposes in the future. The Hourglass proposal offers a less destructive middle ground.
The Implementation Reality
Bitcoin upgrades are notoriously slow. This is by design — a $1+ trillion network cannot afford to move fast and break things. But the pace of change creates a tension with the quantum timeline.
How Long BIP-360 Will Take
According to Ethan Heilman, co-author of BIP-360:
"Three years until it activates. This assumes two and a half years to get the BIPs done and the code reviewed and tested, assuming everyone wants it, half a year to activate."
But activation is only the beginning. After that:
"If we're lucky, 90% will have updated 5 years after the activation. The bigger the perceived danger, the faster this will happen."
That is 8 years from proposal to broad adoption — and that only covers BIP-360, the first and simplest step. Full post-quantum signatures would require additional, more complex soft forks.
Historical Precedent
| Upgrade | Concept | Activation | Broad Adoption | Total Time |
|---|---|---|---|---|
| SegWit | ~2012 | Aug 2017 | ~2020 | ~8.5 years |
| Taproot | ~2018 | Nov 2021 | ~2025 | ~7.5 years |
| BIP-360 | Jun 2024 | ~2029 (est.) | ~2034 (est.) | ~10 years (est.) |
| Full PQ sigs | TBD | TBD | TBD | Additional 7+ years |
Source: Bitcoin protocol upgrade history, BIP-360 author estimates
The uncomfortable math: if BIP-360 reaches broad adoption around 2034 and full post-quantum signatures need another 7+ years after that, Bitcoin might not be fully quantum-resistant until the early 2040s. Whether Q-Day arrives before or after that date is the central uncertainty.
This is why Heilman emphasizes: "The bigger the perceived danger, the faster this will happen." A credible quantum threat would compress timelines dramatically. But waiting for the threat to materialize before acting is the worst possible strategy for a network that takes a decade to deploy changes.
What You Can Do Today
There is no immediate quantum threat to Bitcoin. No panic required. But there are practical steps you can take today to position your coins for the best possible protection — both now and when quantum-resistant upgrades arrive.
1. Never Reuse a Bitcoin Address
Every time you spend from an address, the public key is revealed on-chain forever. Reusing that address means any future incoming funds sit behind a known public key — a sitting target for a future quantum attacker. Most modern wallets generate new addresses automatically. Make sure yours does.
2. Use P2WPKH Addresses for Long-Term Storage
Native SegWit addresses starting with bc1q provide the best quantum protection available today. Your public key is hidden behind a double hash (SHA-256 + RIPEMD-160) and is only exposed when you spend. For cold storage holding coins you don't plan to move for years, bc1q is the safest current option.
3. Avoid Taproot for Long-Term Cold Storage
Taproot addresses (bc1p) expose a tweaked version of your public key on the blockchain. While this requires a more sophisticated quantum attack than raw P2PK, it is still more vulnerable than hash-protected addresses. For coins you plan to hold for the long term, bc1q is safer than bc1p.
4. Keep Your Wallet Software Updated
When BIP-360 activates and wallets begin supporting P2MR (bc1z) addresses, you will want to migrate your funds as early as possible. Staying on current wallet versions ensures you won't miss the update. Follow your wallet provider's release notes.
5. Spend Full UTXOs When Possible
When you send a transaction, if change is returned to the same address, that address now has an exposed public key with funds still sitting in it. Spending the full UTXO (or using a new change address, which most wallets do by default) eliminates this risk.
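The five steps above, together with the address-type table earlier in the article, can be checked mechanically against a wallet's unspent outputs. The Python below is an added example, not code from the article or from BIP-360: it classifies each scriptPubKey by public-key exposure and totals the amounts per risk label. Assumptions: P2MR is a witness-version-2 output with a 32-byte program (inferred from the bc1z prefix), reused hash-protected outputs are rated like P2PK, and the sample UTXOs are constructed from dummy bytes.

```python
# Added example: classify scriptPubKeys by public-key exposure (labels from the article's table).
from collections import defaultdict

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP-173 alphabet; index = 5-bit value
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

# (witness version, program length) -> (type, exposure, risk)
WITNESS_TYPES = {
    (0, 20): ("P2WPKH", "only when spent", "Lower"),
    (1, 32): ("P2TR", "tweaked key on-chain", "High"),
    # Assumption: P2MR is witness version 2 committing to a 32-byte Merkle root.
    (2, 32): ("P2MR", "never (script-path only)", "Quantum-resistant design"),
}
HASH_PROTECTED = {"P2PKH", "P2WPKH"}


def witness_program(spk: bytes):
    """Return (version, program) if spk is a native SegWit output, else None."""
    if not 4 <= len(spk) <= 42 or spk[1] != len(spk) - 2:
        return None
    if spk[0] == OP_0:
        return 0, spk[2:]
    if OP_1 <= spk[0] <= OP_16:
        return spk[0] - 0x50, spk[2:]
    return None


def is_p2pk(spk: bytes) -> bool:
    """<33-byte compressed or 65-byte uncompressed pubkey> OP_CHECKSIG."""
    if len(spk) == 35:
        return spk[0] == 33 and spk[1] in (2, 3) and spk[-1] == OP_CHECKSIG
    if len(spk) == 67:
        return spk[0] == 65 and spk[1] == 4 and spk[-1] == OP_CHECKSIG
    return False


def is_p2pkh(spk: bytes) -> bool:
    """OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG."""
    return (len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]))


def classify(spk: bytes, spent_before: bool = False) -> dict:
    """Classify one output; spent_before=True means its key was revealed by an earlier spend."""
    wp = witness_program(spk)
    if is_p2pk(spk):
        kind, exposure, risk, prefix = "P2PK", "permanently on-chain", "Critical", ""
    elif is_p2pkh(spk):
        kind, exposure, risk, prefix = "P2PKH", "only when spent (or reused)", "Medium", "1"
    elif wp and (wp[0], len(wp[1])) in WITNESS_TYPES:
        kind, exposure, risk = WITNESS_TYPES[(wp[0], len(wp[1]))]
        prefix = "bc1" + BECH32_CHARSET[wp[0]]  # version 0 -> q, 1 -> p, 2 -> z
    else:
        return {"kind": "other", "exposure": "not covered here", "risk": "Unknown",
                "prefix": "", "key_on_chain": None}
    key_on_chain = kind in ("P2PK", "P2TR")
    if spent_before and kind in HASH_PROTECTED:
        # The table has no row for reuse; rating it like P2PK is this example's assumption.
        exposure, risk, key_on_chain = "exposed by earlier spend", "Critical", True
    return {"kind": kind, "exposure": exposure, "risk": risk,
            "prefix": prefix, "key_on_chain": key_on_chain}


def audit(utxos) -> dict:
    """Sum satoshis per risk label for (scriptPubKey, sats, spent_before) tuples."""
    totals = defaultdict(int)
    for spk, sats, spent_before in utxos:
        totals[classify(spk, spent_before)["risk"]] += sats
    return dict(totals)


# Constructed sample wallet: key and hash bytes are dummy fillers, not real outputs.
H20, H32 = bytes(range(20)), bytes(range(32))
SAMPLE_UTXOS = [
    (bytes([33, 2]) + H32 + bytes([OP_CHECKSIG]), 5_000_000_000, False),  # P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + H20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 150_000, False),             # P2PKH
    (bytes([OP_0, 20]) + H20, 2_000_000, False),                          # P2WPKH, fresh
    (bytes([OP_0, 20]) + H20, 300_000, True),                             # P2WPKH, reused
    (bytes([OP_1, 32]) + H32, 750_000, False),                            # P2TR
    (bytes([0x52, 32]) + H32, 1_000_000, False),                          # P2MR (assumed v2)
]

if __name__ == "__main__":
    for spk, sats, reused in SAMPLE_UTXOS:
        print(sats, classify(spk, reused))
    print(audit(SAMPLE_UTXOS))
```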
Quick Reference
| Action | Why | Difficulty |
|---|---|---|
| Never reuse addresses | Prevents permanent public key exposure | Easy (most wallets do this automatically) |
| Use bc1q for cold storage | Hash-protected; strongest current defense | Easy |
| Avoid bc1p for long-term holds | Taproot exposes tweaked public key | Easy (check your wallet settings) |
| Keep wallet software updated | Be ready for P2MR (bc1z) support | Easy |
| Watch for BIP-360 activation | Migrate to bc1z when available | Requires action (future) |
Source: Bitcoin best practices, BIP-360 recommendations
Risks to consider: Quantum computing timelines are uncertain. Predictions about Q-Day arrival, BIP-360 adoption speed, and fund vulnerability are analytical estimates, not certainties. This is education about emerging risks, not investment advice.
Figures current as of April 2026. Quantum computing and Bitcoin's quantum-resistance roadmap are fast-evolving fields. For the latest data on vulnerable Bitcoin, see Project 11's Risk List. For BIP-360 specification updates, see bip360.org. For quantum computing developments, follow The Quantum Insider.
Key Takeaways
- The threat is real but not imminent. No quantum computer can break Bitcoin today. But Google's March 2026 paper slashed hardware estimates by 20x, compressing the timeline significantly. The gap between "theoretical" and "practical" is narrowing.
- Not all Bitcoin is equally at risk. ~6.87 million BTC (~$470B) already has exposed public keys. The most vulnerable: ~1.7M BTC in legacy P2PK addresses (including Satoshi's coins) and all Taproot (bc1p) addresses. Hash-protected bc1q addresses are safer.
- BIP-360 is Bitcoin's first defense — a new address type (P2MR / bc1z) that eliminates public key exposure. It was added to Bitcoin's official repository in February 2026 and has a working testnet implementation. But it does not replace ECDSA or protect against all attack vectors.
- Full quantum resistance is 10+ years away. BIP-360 alone needs ~3 years to activate and ~5 more for broad adoption. Full post-quantum signatures (replacing ECDSA entirely) require additional soft forks and could take another 7+ years beyond that.
- The Q-Day timeline is uncertain. Expert estimates range from 2028 (Vitalik Buterin) to 20–40 years (Adam Back). The uncomfortable truth: nobody knows, and the downside risk is catastrophic.
- You can act today. Use bc1q addresses, never reuse them, avoid Taproot for cold storage, keep wallet software updated. These simple steps reduce your quantum attack surface to near zero with current technology.
- The freeze/burn debate is a minefield. Proposals to invalidate Satoshi's coins or other dormant BTC would protect the price but undermine Bitcoin's core principle: no third party controls your coins. Hourglass offers a less destructive safety net.
- This article will be kept updated. Quantum computing and Bitcoin's defense against it are fast-moving targets. Bookmark this page and check back for updates as milestones are reached.
Frequently Asked Questions
Can quantum computers break Bitcoin right now?
No. As of April 2026, no quantum computer exists that can break Bitcoin's ECDSA signature scheme. The most powerful quantum computers have around 1,000–1,400 qubits, but cracking Bitcoin's secp256k1 curve requires an estimated 1,200+ logical qubits with very low error rates — equivalent to fewer than 500,000 physical qubits using advanced error correction. Current machines are far too noisy and small. However, a March 2026 paper from Google Quantum AI reduced prior estimates by roughly 20x, compressing the timeline significantly.
How much Bitcoin is vulnerable to quantum attacks?
According to Project 11's Bitcoin Risk List, approximately 6.87 million BTC (worth ~$470 billion) currently sits in wallets with exposed public keys. This includes ~1.7 million BTC in legacy P2PK addresses — including Satoshi Nakamoto's estimated 1 million BTC — where public keys are permanently visible on-chain. All Taproot (bc1p) addresses also expose public keys. Addresses using P2PKH or P2WPKH formats only expose keys when funds are spent.
What is BIP-360 and how does it protect Bitcoin?
BIP-360 is a Bitcoin Improvement Proposal published in February 2026 that introduces a new address type called Pay-to-Merkle-Root (P2MR), using bc1z addresses. It removes Taproot's key-path spending — the mechanism that exposes public keys on-chain — by committing directly to a Merkle root of script paths instead. BIP-360 is a "conservative first step" that reduces public key exposure but does not replace Bitcoin's existing signature schemes (ECDSA/Schnorr) with post-quantum alternatives. Full quantum resistance will require additional future upgrades.
When is Q-Day expected to arrive?
Nobody knows for certain. Expert estimates range widely: Adam Back (Blockstream CEO) says 20–40 years; Vitalik Buterin has warned it could be as early as 2028; Justin Drake (Ethereum Foundation) sees at least a 10% chance by 2032; and Solana co-founder Anatoli Yakovenko gave a 50/50 probability within 5 years. Google's March 2026 paper compressed the hardware requirements significantly, moving the timeline closer. The honest answer is that Q-Day could arrive anywhere between the early 2030s and the 2050s — and that uncertainty is exactly why preparation matters now.
Are my Bitcoin safe if I use a modern wallet?
It depends on your address type. If you use P2WPKH addresses (starting with bc1q) and never reuse addresses, your public key is only exposed briefly when you spend — making a quantum attack extremely difficult with current or near-term technology. Taproot addresses (bc1p) are more vulnerable because they expose a tweaked public key on-chain. Legacy P2PK addresses are the most vulnerable. For maximum security today: use bc1q addresses, never reuse them, and keep your wallet software updated to be ready for BIP-360 (bc1z) support when it arrives.
What happens to Satoshi's 1 million Bitcoin?
Satoshi's coins are stored in legacy P2PK addresses where the public key is permanently visible on-chain. A sufficiently powerful quantum computer could derive the private keys and move those coins. The community is deeply divided: some (including Jameson Lopp and Matt Corallo) have proposed freezing or burning vulnerable dormant coins, while others argue this would undermine Bitcoin's core principle that no third party can control your coins. The Hourglass proposal offers a middle path — rate-limiting P2PK withdrawals to one per block, stretching a potential theft from hours to roughly 8 months.
Does quantum computing threaten Bitcoin mining?
Not existentially. Bitcoin mining relies on SHA-256, which is affected by Grover's algorithm — but Grover only provides a quadratic speedup, effectively halving SHA-256's security from 256 bits to 128 bits. A 128-bit security level is still extremely strong and would require astronomical quantum resources to exploit. The real threat is to Bitcoin's signature scheme (ECDSA), not its mining algorithm.
How long will it take to make Bitcoin fully quantum-resistant?
According to Ethan Heilman, co-author of BIP-360, activating BIP-360 alone will take approximately 3 years (2.5 years for code review and testing, plus 0.5 years for activation). After activation, reaching 90% ecosystem adoption — wallets, custodians, payment processors, Lightning nodes — could take another 5 years. Full post-quantum signature schemes (replacing ECDSA/Schnorr entirely) would require additional, more complex soft forks. Historically, SegWit took ~8.5 years and Taproot took ~7.5 years from concept to widespread adoption. Realistically, full quantum resistance is 7–10+ years away.
📝 Update Log
- April 1, 2026: Initial publication. Covers BIP-360 (Feb 2026), BTQ testnet v0.3.0 (Mar 20, 2026), Google Quantum AI paper (Mar 31, 2026), Project 11 Risk List data, and expert Q-Day estimates through April 2026.
Further Reading
- BIP-360 Specification — official Bitcoin Improvement Proposal for post-quantum addresses (P2MR / bc1z).
- Project 11: Bitcoin Risk List — live tracker of quantum-vulnerable Bitcoin by address type.
- Google Quantum AI Paper (March 2026) — the research that compressed quantum attack estimates by 20x.
- Coin Bureau: The Urgent Quantum Computing Risk — companion video this article supplements (April 2026).
- Forbes: Bitcoin Took Its First Step Against Quantum Computers — accessible overview of BIP-360 and what it means.
- Mastering Bitcoin by A. Antonopoulos & D. Harding — comprehensive reference on ECDSA, secp256k1, and Bitcoin's cryptographic foundations (CC BY-SA 4.0).
Written and approved by Marius, AI-assisted using Claude (Anthropic) and Perplexity, with references curated from open-access and credible third-party sources. All AI-generated content is reviewed, fact-checked, and edited by the author before publication.