Attention, not panic: mapping Bitcoin's quantum horizon
The pace of quantum discussions around Bitcoin keeps accelerating, but the takeaway remains unchanged: this warrants attention, not panic. Rapid protocol changes are not currently necessary, nor are they guaranteed to produce better outcomes than doing nothing. However, it is becoming increasingly important to watch this space more closely.
By now most people already know that some bitcoin UTXOs carry a theoretical quantum vulnerability. But nothing suggests this vulnerability is under imminent threat of being exploited, nor that it is likely to be as catastrophic as the most pessimistic doomers suggest. Avihu Levy's recent discovery also clarifies that the vast majority of current UTXOs can already be spent in a quantum-safe manner without any protocol changes, neutering the most catastrophic scenario (albeit in a hacky and expensive way) and effectively giving Bitcoin holders an emergency exit if Cryptographically Relevant Quantum Computers (CRQCs) were to somehow materialise overnight. There is, as always, nuance in this topic, so let's get into it.
A recent Google whitepaper rekindled quantum worries in the media
On March 30, 2026, Google released a security notice alongside a research whitepaper arguing that Shor's Algorithm can be run roughly 20x more efficiently than previously thought. The same day, a separate academic paper made a substantially similar argument: that Shor's Algorithm can run at cryptographically relevant speeds using a number of qubits orders of magnitude smaller than scientific consensus estimated less than a year ago.
Accompanying media headlines were frankly unhinged. "Bitcoin can be hacked in 9 minutes" is an absurd and unserious thing to say. While the papers' actual findings are significant, nothing even remotely warranting such headlines has been put forward.
If correct, and if meaningful engineering progress follows, the theoretical results weaken (not invalidate; weaken) one of the arguments I made in a recent article against worst-case severity scenarios, and soften my case for treating the threat without too much urgency. Thus far, though, we still haven't seen any technological breakthroughs of a worrying degree, so the material change in circumstances is small.
Said differently, these papers advance mathematical theory, not engineering. They do make the necessary engineering problems look less outlandish, but those problems remain nowhere near solved. The required technical progress is many orders of magnitude above current levels, across several independent sub-technologies that must each advance substantially and operate flawlessly in concert.
So for now, my existing position holds: the threat is addressable, and we must be extremely careful not to rush new cryptography into Bitcoin. Should quantum engineering rapidly accelerate, I may need to accept that increased urgency is warranted. But the risk of moving too fast remains greater than the risk of moving too slow.
My suggestion to investors is to keep watching this over the next decade. Those who are concerned should consider supporting the Bitcoin development community. Vetting and testing post-quantum cryptography is difficult work requiring sustained funding. Also watch price signals beyond bitcoin. If CRQCs were genuinely imminent, a great many assets outside of the digital asset industry would need repricing, particularly in the broader financial sector.
The papers are serious enough to warrant increased attention, but not panic
Google's announcement carries several hallmarks of genuine seriousness. The whitepaper is co-authored by Dan Boneh, professor of computer science at Stanford and a heavyweight in cryptography and blockchain technology. But perhaps even more tellingly, Google has declined to publish the actual circuits, providing instead a zero-knowledge proof that they know them rather than risk handing that information to bad actors.
Google has also revised its recommended migration date from mid-2035 to 2029. Three years from now. That is not a move a company of Google's scale is likely to make over an unimportant result.
The second paper comes from a less prominent startup, so I interpret their results with more caution. That said, the two approaches to speeding up Shor's algorithm compound, making their potential combination particularly powerful. Over the next few years I will watch closely for any sign of progressive academic blackouts in this field. If researchers customarily start withholding circuitry and technology, or go suspiciously quiet, that would be a signal to pay sharply closer attention.
Both are bad, but panic is more dangerous than complacency
Panic is worse than complacency because Bitcoin currently works. Hasty changes risk breaking it for reasons unrelated to quantum computers. All current public-key cryptography rests on unprovable assumptions. There is no proof that Elliptic Curve Cryptography (ECC) cannot be broken by classical computers, and history is littered with cryptographic techniques that fell to ordinary hardware. We should always search for better approaches, quantum-motivated or not. But we should vet any alternative with great rigour before implementing it.
Cryptographic changes to Bitcoin must never be rushed. The risks of weaknesses, backdoors, and other vulnerabilities are real. Post-Quantum Cryptography (PQC) deployment presents challenges not primarily of implementation difficulty, but of inadequate vetting and computational inefficiency.
Research on quantum defence is also moving fast. Premature commitment to proposed PQC risks implementing solutions that prove inefficient, rapidly obsolete, or worst of all: vulnerable to non-quantum attacks. Increased attention is warranted at this point. Panic is not. All proposed solutions need careful evaluation within Bitcoin's existing, conservative improvement process.
In a world where CRQCs exist, ECDSA will have to be replaced
Failure of imagination has been the pitfall of many a project over the years, so let’s consider the scary scenarios. Should CRQCs materialise, the only durable fix to Bitcoin's quantum vulnerability is replacing the Elliptic Curve Digital Signature Algorithm (ECDSA) with a PQC alternative. The transition is straightforward in technical terms; picking the right solution is not.
PQC schemes fall into five families: lattice-, hash-, code-, multivariate-, and isogeny-based. All are younger and less battle-tested than the protocols they would replace. As an illustration of the inherent dangers, one candidate, the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, has already been broken by a classical attack. Research into quantum algorithms targeting lattice-based schemes (the most promising family, and the one NIST has standardised) remains ongoing and unresolved.
The performance cost is also substantial. ECDSA signatures in Bitcoin run 64 to 73 bytes. Falcon, a post-quantum alternative that Algorand has deployed, runs to 1,280 bytes, roughly 18 times larger. Verification overhead raises denial-of-service concerns. Composite signatures, which layer a PQC scheme over a classical one for belt-and-braces security, cost even more. With a fixed block size, post-quantum signatures mean fewer transactions per block. The 2017 block size war demonstrated exactly how combustible that topic is.
The question of inactive P2PK coins could still get ugly
There are millions of dormant P2PK coins whose owners are either uninterested in, or unable to, move them to hash-protected UTXOs. If CRQCs eventually materialise, these coins would be vulnerable; we have written about this scenario in more detail here.
Many people worry about the potential market impact of these coins coming back to the market and want to get ahead of the issue. Three established options exist for handling dormant quantum-vulnerable assets. None are clean.
Do Nothing leaves the protocol unchanged, allowing anyone with a CRQC to harvest dormant coins. It preserves property rights and avoids confiscatory precedent, but accepts a potential supply shock if those coins re-enter circulation rapidly. I have argued in favor of this option in previous work as I see outright expropriation as a much worse outcome than the potential return to the market of a few million bitcoin.
Burn renders dormant assets unspendable after a set date, preventing the supply shock but permanently expropriating any owner who failed to migrate in time. There is already a BIP outlining a method for doing this but opposition is strong.
Hourglass limits the rate at which dormant coins can be spent, throttling the supply shock without outright confiscation and generating a fee windfall for miners. An informal poll at the 2025 Presidio Bitcoin Quantum Summit found roughly equal support for all three, which tells you everything about where consensus currently stands.
Both Burn and Hourglass could technically be implemented as soft forks, since restricting valid transactions is a narrowing of protocol rules. Whether a decisive majority of miners and node operators would agree is another matter entirely.
In my opinion Do Nothing remains the least harmful option in a list of only harmful choices. The BIP proposed by Daniel Buchner, which allows users to send coins to UTXOs that support several as-yet-undecided future post-quantum signature types, strengthens that position further. For users worried about CRQCs, Buchner's BIP provides something they "can incorporate right now to quell anxiety... without modifying Bitcoin's key/signature handling until (if) Q-Day ever happens."
The authors of the Google whitepaper propose a fourth option: the Bad Sidechain. Some dormant assets have off-chain proofs of ownership (mnemonic seed phrases, cryptographic attestations) that a quantum attacker cannot recover but a legitimate owner can present. A special-purpose pegged sidechain could accept CRQC-recovered coins for adjudication, verify ownership claims, and return assets to rightful owners before reintroduction to the main chain, governed by a consortium modelled on the Liquid Federation with post-quantum smart contract infrastructure. This maximises value returned to legitimate owners at the cost of considerably greater technical, legal, and political complexity.
Since quantum recovery is theft, governments might have to get involved
Governments face their own constrained menu of options, given that quantum recovery likely constitutes theft in almost all legal jurisdictions.
Regulated Destruction is not viable. No government can unilaterally erase dormant assets from the Bitcoin blockchain; doing so would require re-mining over a decade of chain history.
Transaction Censorship, requiring domestic miners to reject spends of dormant coins, is technically feasible but self-defeating. Foreign miners would simply include those transactions, as happened when OFAC sanctioned Tornado Cash in 2022: participation fell and transactions were delayed, but settlement was never prevented. Forcing domestic miners to reject foreign blocks would trigger a hard fork, drive mining offshore, and almost certainly destroy the value of the censored chain. Effective censorship would require coordinated compliance from miners representing roughly 85% of global hashrate, a multilateral prisoner's dilemma that individual governments have strong incentives to defect from.
More realistic government options include Digital Salvage, treating dormant assets as effectively abandoned property under frameworks analogous to maritime salvage or escheatment, with a CRQC operator acting as a government-contracted auditor transferring custody to state authorities. The US Revised Uniform Unclaimed Property Act could provide a partial blueprint, though its ‘holder’ requirements map poorly onto a decentralised ledger with no controlling party.
Alternatively, a National Security Response would have governments use their own CRQCs to acquire and burn dormant assets before rogue actors do. Blunter, but it sidesteps the coordination problem.
Investors: watch facts, not headlines
Quantum computing risk is neither binary nor immediate. It remains a long-dated tail risk with several severity levels. The key question for portfolio positioning is whether Bitcoin upgrades its cryptography faster than quantum hardware matures into cryptographically relevant capability, or whether that level is ever reached at all.
On the technical side, a soft fork to post-quantum signatures is feasible and should not present major political problems if CRQCs appear genuinely imminent. If implemented, it solves the largest and most durable problem. A hard fork to resolve the dormant P2PK coin issue will likely prove far more contentious, while also being less critical if left unresolved. I have doubts a clean solution will be agreed upon.
If the market begins pricing CRQCs as a non-negligible probability, the discount rate applied to long-duration bitcoin holdings should shift. Implementation rates of NIST's post-quantum standards (already finalised) are worth watching as an indicator of how serious the broader ecosystem perceives this issue. So are asset prices themselves, and not only bitcoin.
I am watching closely how markets respond to announcements like these. Both Google's whitepaper and this article have focused almost entirely on Bitcoin. But banking and payment infrastructure across essentially every sector that moves money or sensitive data digitally also depends on ECDSA as the dominant public-key cryptography standard. If markets appear broadly unconcerned by a Q-Day deadline apparently brought forward by several years into a largely unprepared global economy, one of two things is true: significant pricing inefficiencies are at play, or the results are overhyped.
Published on Apr 27th, 2026