Quantum computing will not kill Bitcoin, but the real risks are approaching
Original Title: "I Spent 200 Hours Reading Quantum Computing Papers So You Don't Have To. Bitcoin Is F."
Original Source: nvk
Original Compilation: Saoirse, Foresight News
TL;DR
· Bitcoin does not use encryption, but rather digital signatures. The vast majority of articles get this wrong, and the distinction is crucial.
· Quantum computers cannot break Bitcoin in 9 minutes. This description refers to a theoretical circuit; the machine itself does not exist and will not appear for at least a decade.
· Quantum mining is physically impossible. The energy required is on the order of a few percent of the sun's total output.
· Bitcoin can be upgraded—successful upgrades have occurred before (SegWit, Taproot), and related work has already begun (BIP-360). But the community needs to speed up.
· The real reason to upgrade is not the quantum threat: classical mathematics has already broken many cryptographic systems, quantum computers have broken none, and secp256k1 could be the next classical casualty.
· There is a real risk: roughly 6.26 million BTC sit in outputs whose public keys are already exposed on-chain. This is not a cause for panic, but it is worth preparing for in advance.
The Core Argument
In one sentence, here is everything I am about to say:
The threat of quantum computing to Bitcoin is real but still far off; media reports are generally exaggerated and misleading; and the most dangerous aspect is not quantum computers, but the complacency disguised as panic or indifference.
Both those shouting "Bitcoin is doomed" and those claiming "there's nothing to worry about" are wrong. Seeing the truth requires accepting two things simultaneously:
· There is no imminent quantum threat to Bitcoin; the actual threat may be much further away than sensational headlines suggest.
· However, the Bitcoin community should still prepare in advance, as the upgrade process itself takes years.
This is not a reason for panic, but a reason for action.
I will clarify this with data and logic.
[Figure: comparison of the two core quantum algorithms. Shor's algorithm (left) gives an exponential speedup for integer factoring and discrete logarithms and would directly break RSA/ECC public-key cryptography; Grover's algorithm (right) gives only a quadratic speedup for unstructured search. Both are currently limited by the lack of scalable, error-corrected hardware.]
Media Tactics: Clickbait is the Biggest Risk
Every few months, the same routine plays out:
· A quantum computing lab publishes a rigorous research paper with many limiting conditions.
· Tech media immediately writes: "Quantum computer breaks Bitcoin in 9 minutes!"
· The crypto Twitter simplifies it to: "Bitcoin is doomed."
· Your relatives and friends message you asking if you should sell quickly.
· But the original paper never said that.
In March 2026, Google's Quantum AI team published a paper estimating that the number of physical qubits needed to break Bitcoin's elliptic-curve cryptography could be brought below 500,000, a 20-fold improvement over earlier estimates. This is important research. Google was deliberately cautious: it did not publish the attack circuit itself, only a zero-knowledge proof.
But the paper never said: Bitcoin can be broken now, there is a clear timeline, or that everyone should panic.
Yet the headline reads: "Break Bitcoin in 9 minutes."
CoinMarketCap once published an article titled "Will AI-Accelerated Quantum Computing Destroy Bitcoin in 2026?" which explained throughout that the answer is almost certainly "no." This is a typical tactic: using sensational headlines to attract traffic, while the body is cautious and accurate. But 59% of the shared links were never clicked— for most people, the headline is the information itself.
There is a saying that captures this well: "The market prices risk very quickly. You can't steal something that goes to zero the moment you get it." If quantum computers were truly about to overturn everything, Google's own stock would have collapsed long ago, since Google's entire business rests on the same public-key cryptography. It has not.
Conclusion: The headline is the real rumor. The research itself is real and worth understanding, so let's take a serious look.
What Quantum Computers Really Threaten and What They Don't
The Biggest Misconception: "Encryption"
Almost all articles discussing quantum computing and Bitcoin use the term "encryption." This is wrong, and it affects the overall understanding.
Bitcoin does not protect coins with encryption; it uses digital signatures (ECDSA, and since Taproot also Schnorr) to prove ownership. The blockchain itself is public: every transaction has always been visible to everyone, and there is nothing to "decrypt."
As Adam Back, the inventor of Hashcash cited in the Bitcoin white paper, said: "Encryption means data is hidden and can be decrypted. Bitcoin's security model is based on signatures to prove ownership without exposing the private key."
This is not just semantics. It means that the most urgent quantum threat elsewhere, "harvest now, decrypt later," does not fundamentally apply to Bitcoin asset security. There is no encrypted data to harvest; the exposed public keys are already sitting on the chain in plain view.
Two Quantum Algorithms: One is a Real Threat, One is Ignorable
· Shor's Algorithm (Real Threat): solves the discrete logarithm problem underlying digital signatures exponentially faster than any known classical method, so a private key could be derived from its public key and transaction signatures forged. This is what we actually need to worry about.
· Grover's Algorithm (Not a Threat): gives only a quadratic speedup for brute-force search against hash functions such as SHA-256, which sounds scary until you do the arithmetic.
A 2025 paper titled "Kardashev-Level Quantum Computing and Bitcoin Mining" calculated that at Bitcoin's current difficulty, quantum mining would require:
· Approximately 10²³ physical qubits (the largest machines built so far have roughly 1,500)
· Approximately 10²⁵ watts of power (the sun's total output is about 3.8×10²⁶ watts)
Mining Bitcoin with a quantum computer would take about 3% of the sun's total output. Humanity sits at about 0.73 on the Kardashev scale; that energy budget belongs to a Type II civilization, far beyond our reach and close to physically impossible.
(Note: In relation to the Kardashev scale: Type I: can fully utilize the energy of a planet (Earth); Type II: can utilize the total energy of an entire star (the sun))
In comparison: even with the most ideal design, a quantum miner's computing power would only be about 13.8 GH/s; while a regular Antminer S21 can reach 200 TH/s. The speed of traditional ASIC miners is 14,500 times that of quantum miners.
Ultimately, quantum mining is not feasible. It is impossible now, impossible in 50 years, and may never be possible. If someone claims that quantum computers can "break Bitcoin mining," they are confusing two completely different algorithms.
Eight Claims Circulating, 7.5 of Which are Wrong
Claim 1: "Once quantum computers appear, all Bitcoin will be stolen overnight."
The fact is, only coins whose public keys are exposed are at risk. Modern output types (P2PKH, P2SH, native SegWit v0) commit only to a hash of the public key; the key itself appears on-chain when you spend. As long as you never reuse an address and have never spent from it, the public key stays off-chain. Taproot (P2TR) is the exception discussed below: its outputs contain the tweaked public key directly.
The specific breakdown is as follows:
· Class A (Directly at Risk): About 1.7 million BTC use the old P2PK format, with public keys fully exposed.
· Class B (At Risk but Fixable): About 5.2 million BTC are in reused addresses and Taproot addresses, and users can mitigate the risk by migrating.
· Class C (Briefly Exposed): whenever an output is spent, the spending transaction reveals the public key, which sits in the mempool for roughly 10 minutes before confirmation. An attacker would have to derive the private key and get a conflicting transaction mined within that window.
According to Chaincode Labs estimates, approximately 6.26 million BTC are in outputs with exposed public keys, about 30%-35% of total supply. That is a significant number, but it is far from "all Bitcoin."
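The output-type distinction above can be checked mechanically. The following is an added example, not code from the original article or from any Bitcoin project: a pure-Python secp256k1 implementation (hashlib only, not constant-time, for illustration with a throwaway key), the BIP-341 key-path tweak, and a classifier that reports for a scriptPubKey whether the public key is already on-chain (P2PK, P2TR) or only its hash is (P2PKH, P2SH, P2WPKH, P2WSH). The sample UTXO set is constructed; the hash160 value in it is the BIP-173 test vector for the generator point's compressed key, and the amounts are arbitrary.

```python
"""Which Bitcoin outputs expose a public key? Added illustration, hashlib only.
The curve arithmetic is not constant-time; never use it with a real key."""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def compressed(pt):
    """33-byte SEC encoding: 02/03 parity prefix + x coordinate."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def tagged_hash(tag, msg):
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def taproot_output_key(internal):
    """BIP-341 key-path-only tweak: Q = P + H_TapTweak(x(P)) * G.
    An x-only internal key implies even y, so negate the point if needed."""
    x, y = internal
    if y & 1:
        internal = (x, P - y)
    t = int.from_bytes(tagged_hash("TapTweak", x.to_bytes(32, "big")), "big")
    if t >= N:
        raise ValueError("tweak out of range (astronomically unlikely)")
    return ec_add(internal, ec_mul(t)), t


# scriptPubKey builders
def p2pk(pub):
    return bytes([len(pub)]) + pub + b"\xac"               # <pub> OP_CHECKSIG


def p2wsh(witness_script):
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()


def p2tr(internal):
    q, _ = taproot_output_key(internal)
    return b"\x51\x20" + q[0].to_bytes(32, "big")          # OP_1 <x-only Q>


def key_exposure(spk):
    """'exposed': the (tweaked) public key is in the output itself.
    'hashed': the output commits to a hash; the key appears only on spend.
    'unknown': OP_RETURN, bare multisig, non-standard scripts."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "exposed"                                   # P2PK
    if n == 34 and spk[:2] == b"\x51\x20":
        return "exposed"                                   # P2TR
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "hashed"                                    # P2PKH
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "hashed"                                    # P2SH
    if n == 22 and spk[:2] == b"\x00\x14":
        return "hashed"                                    # P2WPKH
    if n == 34 and spk[:2] == b"\x00\x20":
        return "hashed"                                    # P2WSH
    return "unknown"


def exposed_value(utxos):
    """Sum satoshis held in outputs whose key is already public."""
    return sum(v for spk, v in utxos if key_exposure(spk) == "exposed")


# Constructed sample: private key 1, so the public key is G itself.
PUB = compressed(G)
H160_OF_PUB = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")  # BIP-173 vector
SAMPLE_UTXOS = [
    (p2pk(PUB), 50_0000_0000),                             # 2009-style coinbase
    (p2tr(G), 1_0000_0000),                                # Taproot key-path output
    (b"\x76\xa9\x14" + H160_OF_PUB + b"\x88\xac", 3_0000_0000),  # P2PKH
    (b"\x00\x14" + H160_OF_PUB, 2_0000_0000),              # P2WPKH
    (p2wsh(p2pk(PUB)), 4_0000_0000),                       # key hidden inside hashed script
    (b"\x6a\x04test", 0),                                  # OP_RETURN
]

if __name__ == "__main__":
    for spk, v in SAMPLE_UTXOS:
        print(f"{key_exposure(spk):8s} {v / 1e8:6.2f} BTC  {spk.hex()[:24]}...")
    print("exposed BTC:", exposed_value(SAMPLE_UTXOS) / 1e8)
```

Run against real chain data, the same walk over the UTXO set summing value by class is essentially how the exposed-supply estimates cited above are produced. The classifier deliberately reports P2SH and P2WSH as hashed even though the redeem script inside may itself contain keys; those become public only when the output is spent, which is exactly the Class C window.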
Claim 2: "Satoshi's coins will be stolen, causing a crash to zero."
Partly true, partly false: Satoshi holds about 1.1 million BTC in P2PK format, with public keys fully exposed, which indeed makes them high-risk assets. However:
· Quantum computers capable of breaking these private keys do not currently exist.
· States that master early quantum technology will prioritize intelligence and military targets rather than a "public theft of Bitcoin" (as the Quantum Canary Research Group puts it).
· Expanding from the current approximately 1,500 qubits to hundreds of thousands will require years of engineering breakthroughs, and progress is highly uncertain.
Claim 3: "Bitcoin cannot upgrade—it's too slow and governance is chaotic."
This claim is not correct, but it is not entirely without merit. Bitcoin has successfully completed several major upgrades in its history:
· SegWit (2015-2017): Highly controversial, nearly failed, and directly led to the Bitcoin Cash fork, but ultimately succeeded.
· Taproot (2018-2021): Launched smoothly, taking about 3.5 years from proposal to mainnet launch.
The main anti-quantum proposal, BIP-360, was formally accepted into the Bitcoin BIP repository in early 2026. It adds the bc1z address type and removes the Taproot key-path spend, the part of Taproot most vulnerable to a quantum attacker. The proposal is still a draft, and a test network has been running with opcodes for the Dilithium (ML-DSA) post-quantum signature scheme.
Ethan Heilman, co-author of BIP-360, estimates that the complete upgrade cycle will take about 7 years: 2.5 years for development and review, 0.5 years for activation, and 4 years for ecosystem migration. He admits: "This is just a rough estimate; no one can give a precise timeline."
Objective conclusion: Bitcoin can upgrade and has already initiated upgrades, but it is still in the early stages and needs to speed up. Claiming "it is completely impossible to upgrade" is wrong, and claiming "the upgrade has already been completed" is also untrue.
Claim 4: "We only have 3-5 years left."
This is highly unlikely, but we cannot be completely complacent. Experts estimate a wide range of timelines:
· Adam Back (inventor of Hashcash, cited in the Bitcoin white paper): 20-40 years
· Jensen Huang (CEO of NVIDIA): Practical quantum computers still need 15-30 years
· Scott Aaronson (quantum computing authority at the University of Texas at Austin): Refuses to give a timeline and states that breaking RSA may require "hundreds of billions in investment"
· Craig Gidney (Google Quantum AI): The probability of achieving this before 2030 is only 10%; he also believes that under current conditions, it is difficult to see another 10-fold optimization in qubit demand, and the optimization curve may have flattened.
· A survey of 26 quantum security experts: The probability of risk appearing within 10 years is 28%-49%
· Ark Invest: "This is a long-term risk, not an imminent one."
It is worth noting that Google's Willow chip crossed the quantum error-correction threshold at the end of 2024. Below threshold, each time the surface-code distance is increased by two (Willow went from distance 3 to 5 to 7), the logical error rate drops by a roughly constant factor (2.14 for Willow), so logical errors fall exponentially with code distance. But how fast the physical qubit count can actually be scaled up is a separate hardware question, and that growth could be slow, linear or stalled. Crossing the threshold shows that scaling is feasible in principle, not that it will happen quickly, easily or inevitably.
Additionally, Google's March 2026 paper did not disclose the actual attack circuit, only releasing a zero-knowledge proof. Scott Aaronson also cautioned that future researchers may no longer disclose estimates of the resources needed to break cryptography. Therefore, we may not be able to detect the arrival of the "quantum crisis day" long in advance.
Even so, building a computer with hundreds of thousands of fault-tolerant qubits remains a massive engineering challenge. The most advanced quantum computers have not genuinely factored numbers beyond a dozen or so digits, while breaking Bitcoin's cryptography is comparable to factoring a number of roughly 1,300 digits. That gap cannot be closed overnight, but the trend is worth watching rather than ignoring.
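To see why the suppression factor matters more than the raw qubit count, here is an added back-of-the-envelope model, not from the article or from Google: it takes Willow's published distance-7 logical error rate of 0.143% per cycle and Λ = 2.14, assumes that factor holds for every further distance step (an extrapolation far beyond what has been measured), and assumes a rotated surface code with 2d²−1 physical qubits per logical qubit. The logical-qubit count, cycle count and failure budget in the usage are illustrative guesses, not the resource estimate of any paper.

```python
"""Surface-code scaling sanity check (added example; assumptions in the lead-in)."""

# Willow data point: logical error 0.143% per cycle at distance 7, Lambda = 2.14.
EPS_REF, D_REF, LAMBDA = 1.43e-3, 7, 2.14


def logical_error_rate(d, lam=LAMBDA, eps_ref=EPS_REF, d_ref=D_REF):
    """Per-cycle logical error at odd distance d, assuming a constant
    suppression factor lam for every +2 in distance (an extrapolation)."""
    return eps_ref / lam ** ((d - d_ref) / 2)


def physical_per_logical(d):
    """Rotated surface code: d*d data qubits + (d*d - 1) measure qubits."""
    return 2 * d * d - 1


def min_distance(target, lam=LAMBDA, eps_ref=EPS_REF, d_ref=D_REF):
    """Smallest odd distance whose per-cycle logical error is <= target."""
    if lam <= 1 or target <= 0:
        raise ValueError("need lam > 1 (below threshold) and a positive target")
    d = 3
    while logical_error_rate(d, lam, eps_ref, d_ref) > target:
        d += 2
    return d


def expected_failures(d, logical_qubits, cycles, lam=LAMBDA):
    """Expected logical errors over a run (union bound, independent errors)."""
    return logical_error_rate(d, lam) * logical_qubits * cycles


def budget(logical_qubits, cycles, max_failures=0.01, lam=LAMBDA):
    """Distance, physical:logical ratio and total physical qubits needed so
    that the whole run fails with probability about max_failures."""
    target = max_failures / (logical_qubits * cycles)
    d = min_distance(target, lam)
    return {"distance": d,
            "ratio": physical_per_logical(d),
            "physical_qubits": logical_qubits * physical_per_logical(d)}


if __name__ == "__main__":
    # Illustrative run size, not any paper's resource estimate.
    for lam in (LAMBDA, 10.0):
        b = budget(logical_qubits=1000, cycles=10**9, lam=lam)
        print(f"Lambda={lam:5.2f}: distance {b['distance']}, "
              f"{b['ratio']}:1 overhead, {b['physical_qubits']:,} physical qubits")
    print("expected failures at d=7 for the same run:",
          f"{expected_failures(7, 1000, 10**9):.2e}")
```

With these assumptions a 1,000-logical-qubit run of 10⁹ cycles needs distance 75, about 11,000 physical qubits per logical qubit and 11 million in total; raising Λ to 10 cuts that to distance 31 and under 2 million. Distance 7 corresponds to a 97:1 ratio, in the neighbourhood of the 101:1 figure discussed later in this article, and at Willow's measured error rate such a run would suffer on the order of a billion logical errors. Other code families (qLDPC codes, for instance) have different overheads, so this is a sanity check on ratios, not a verdict on any particular design.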
Claims 5-8: Quick Clarifications
"Quantum computing will destroy mining"
Wrong. The energy demand is on the order of a few percent of the sun's total output; see the section on Grover's algorithm above.
"Collect data now, decrypt later"
This does not apply to asset theft (the blockchain itself is public), and only has a minor impact on privacy, making it a secondary risk.
"Google said it would break Bitcoin in 9 minutes"
Google's figure refers to a theoretical circuit that would run for about 9 minutes on a machine with 500,000 qubits, a machine that does not exist. Google explicitly warned against this kind of panic rhetoric and withheld the details of the attack circuit.
"Post-quantum cryptography technology is not mature"
The National Institute of Standards and Technology (NIST) finalized the ML-KEM, ML-DSA and SLH-DSA standards (FIPS 203, 204 and 205) in August 2024. The algorithms are mature; the challenge is deploying them within Bitcoin's consensus rules and wallet ecosystem, not inventing them from scratch.
Five Issues I Truly Worry About
An article that completely denies everything will lose credibility. Here are five issues that deeply concern me:
· The estimated number of qubits needed to break cryptography keeps falling, although the trend may be slowing. In 2012 the estimate for breaking RSA-2048 was about 1 billion physical qubits; by 2019 it was 20 million; by 2025 it was below 1 million. In early 2026, Oratomic claimed that only 10,000 physical qubits would suffice on a neutral-atom architecture.
However, all nine authors of that study are Oratomic shareholders, and the 101:1 physical-to-logical qubit ratio their estimate rests on has never been demonstrated (the ratio achieved in practice is closer to 10,000:1).
It should also be clarified that a computation task that takes "9 minutes" on Google's superconducting architecture would take 10²⁶⁴ days to complete on neutral atom hardware—these are completely different devices with vastly different computation speeds. Gidney himself has stated that the algorithm optimization curve may have entered a plateau. Even so, no one knows when the tipping point between "required qubit count" and "existing qubit count" will arrive. The most objective conclusion is that there is currently significant uncertainty.
· The set of exposed public keys is growing, not shrinking. Taproot, the newest and most heavily promoted output type, places the tweaked public key directly in the output, giving a quantum attacker an unbounded offline window to recover the key. Bitcoin's most recent upgrade thus weakened its quantum posture, a thought-provoking irony.
Moreover, the issue is not limited to on-chain outputs: Lightning Network channels, hardware-wallet connections, multi-signature setups and extended-public-key (xpub) sharing services all distribute public keys by design. Once cryptographically relevant quantum computers (CRQCs) exist, "keeping public keys private" is simply not realistic in a system built around sharing them. BIP-360 is a first step, far from a complete solution.
· Bitcoin's governance process is slow, but there is still a time window. No soft fork has activated since Taproot in November 2021, more than four years of protocol stasis. Google plans to finish its own post-quantum migration by 2029, while the most optimistic estimate for Bitcoin is 2033.
Considering that practical quantum computers capable of breaking cryptography are likely still very far off (most reliable predictions suggest the 2040s, or they may never be realized), there is currently no urgent crisis, but we must not become complacent. The earlier preparations begin, the more relaxed the later stages will be.
· Satoshi's Bitcoin is an unsolvable game theory problem. About 1.1 million BTC are stored in P2PK addresses, and since no one holds the corresponding private keys (or Satoshi has disappeared), these assets can never be migrated. Whether choosing to ignore, freeze, or destroy them will have serious consequences; there is no perfect solution.
· The blockchain is a permanently locked target list for attacks. All exposed public keys will be recorded permanently for free, and various national agencies can now prepare and wait for the right moment. Defense requires proactive collaboration from multiple parties, while attacks only require patience.
These are real challenges, but there is another side worth noting.
Why the Quantum Threat May Be Extremely Distant, or May Never Arrive
Several serious physicists and mathematicians (not extremists) believe that achieving fault-tolerant quantum computing at the scale needed for cryptographic breaking may face fundamental barriers at the level of physics, not just engineering challenges:
· Leonid Levin (Boston University, co-proposer of NP completeness): "Quantum amplitudes need to be precise to hundreds of decimal places, but humanity has never found any physical law that holds true beyond about 12 decimal places." If nature does not allow precision beyond about 12 decimal places, the entire field of quantum computing will hit a physical ceiling.
· Michel Dyakonov (University of Montpellier, theoretical physicist): A 1000-qubit system needs to control about 10³⁰⁰ continuous parameters simultaneously, far exceeding the total number of subatomic particles in the universe. His conclusion is: "Impossible, forever impossible."
· Gil Kalai (Hebrew University, mathematician): quantum noise has irreducible correlations that grow with system complexity, making large-scale quantum error correction fundamentally unachievable. After roughly 20 years his conjecture remains unproven, and some of his experimental predictions have not matched results; the evidence cuts both ways.
· Tim Palmer (University of Oxford, physicist): His rational quantum mechanics model predicts that quantum entanglement has a hard limit of about 1000 qubits, far below the scale needed for cryptographic breaking.
These are not fringe views, and the record so far is at least consistent with them: quantum computing at a cryptographically relevant scale has proved either far harder in practice than in theory, or impossible for reasons not yet understood. A fitting analogy is self-driving cars: impressive demos, massive investment, and for more than a decade the promise that "they will mature in five years."
Most media assume "quantum computers will eventually break cryptography; it's just a matter of time," which is not a conclusion drawn from evidence, but rather an illusion created by the hype cycle.
The Core Motivation for Upgrades is Unrelated to Quantum
This is a key fact that few mention (thanks to @reardencode for pointing this out):
· So far, no cryptographic systems have been broken by quantum computers;
· Countless cryptographic systems have been broken by classical mathematical methods.
DES, MD5, SHA-1, RC4, SIKE, the Enigma machine... all fell to clever mathematical analysis (or, as with DES, to key lengths that classical hardware caught up with), not to quantum hardware. SIKE was a fourth-round candidate in NIST's post-quantum competition; in 2022 two researchers (Castryck and Decru) broke it completely on an ordinary laptop in about an hour. Since cryptographic systems have existed, classical cryptanalysis has kept overturning them.
The secp256k1 curve used by Bitcoin could be undermined by a mathematical breakthrough without any quantum computer: all it would take is a top number theorist making new progress on the elliptic-curve discrete logarithm problem. That has not happened, but the history of cryptography is a history of "proven secure" systems being found wanting.
This is the real reason Bitcoin should adopt alternative cryptographic schemes: not because quantum computers are imminent—they may never appear; but because for a network worth trillions of dollars, relying solely on a single cryptographic assumption is a risk that rigorous engineering must proactively guard against.
The panic hype related to quantum actually obscures this more understated but more real risk. Ironically, the preparations made to address the quantum threat (BIP-360, post-quantum signatures, hash alternatives) can also defend against classical cryptanalysis attacks. People are doing the right thing for the wrong reasons, which is fine—as long as it can ultimately be implemented.
What Should You Do?
If you hold Bitcoin:
· There is no need to panic. The threat is real but still distant; you have ample time.
· Stop reusing addresses. Every spend from an address puts its public key on-chain; use a fresh address for each receipt.
· Keep an eye on the progress of BIP-360. Once quantum-resistant addresses are available, migrate your coins promptly.
· Long-term holders can keep funds in non-Taproot addresses that have never been spent from, which keeps the public key off-chain.
· Don't be swayed by headlines; read the original papers. The content is more interesting than the reports and not as scary.
If you are a Bitcoin developer:
· BIP-360 needs more reviewers; the testnet is running, and the code needs urgent scrutiny.
· The 7-year upgrade cycle needs to be compressed; for every year of delay, the safety buffer shrinks.
· Initiate governance discussions about old unspent transaction outputs (UTXOs); Satoshi's Bitcoin will not self-protect, and the community needs a plan.
If you just saw a sensational headline: remember, 59% of shared links were never clicked. Headlines are meant to stir emotions; the papers are meant to provoke thought. Go read the original.
Conclusion
The threat of quantum computing to Bitcoin is not black and white; there is a middle ground. On one end is "Bitcoin is finished, sell everything quickly," and on the other end is "quantum is a scam, there is no risk," both extremes are wrong.
The truth lies in a rational and feasible middle ground: Bitcoin faces clear engineering challenges, with known parameters and ongoing research, time is tight but manageable—provided the community maintains a reasonable sense of urgency.
The most dangerous aspect is not quantum computers, but the cyclical public discourse that swings between panic and indifference, preventing people from rationally addressing a problem that can essentially be solved.
Bitcoin has survived the block size debate, exchange hacks, regulatory shocks, and the disappearance of its founder; it can also withstand the quantum era. But the premise is that the community must start preparing steadily now, without panic or complacency, advancing with the robust engineering mindset that underpins Bitcoin's strength.
The house is not on fire, and it may never catch fire from the direction everyone is worried about. But cryptographic assumptions are never permanently valid. The best time to reinforce the foundations of cryptography is always before a crisis arrives, not after.
Bitcoin has always been built by a group of people who plan ahead for threats that have not yet materialized. This is not paranoia; it is engineering thinking.
References: This article references a total of 66 research documents from two major thematic wiki libraries, covering quantum computing resource estimation, Bitcoin vulnerability analysis, rumor psychology, and content dissemination mechanism research. Core sources include Google's Quantum AI Lab (2026), the paper "Quantum Mining under the Kardashev Scale" (2025), BIP-360 proposal documents, research by Berger and Milkman (2012), the "2020 Rumor Handbook," and discussions by industry practitioners such as Tim Urban, Dan Lu, and patio11. Complete wiki materials are open for peer review.