Quantum vulnerability in Bitcoin: a manageable risk

10 min read

  • Economy
  • Bitcoin

The non-zero future possibility of practical quantum computers keeps generating significant debate around its potential impact on Bitcoin's cryptographic security. This is of course both healthy and a necessary precaution for a multi-trillion dollar value storage system. However, while the technology presents theoretical challenges, the practical risks remain distant and can be addressed through straightforward measures. 

For institutional investors, understanding this issue requires separating speculation (and unfortunately, a significant amount of self-serving grift) from evidence-based analysis. Bitcoin's quantum vulnerability is not an immediate crisis but a foreseeable engineering consideration, with ample time for adaptation.

Summary of key points

  • Quantum Vulnerability Overview: Theoretical risks from Shor's algorithm exposing keys in ECDSA/Schnorr and Grover's weakening SHA-256; threats distant, limited to ~1.7M BTC in P2PK addresses (8% supply), minimal potential for market disruption (see last point below)

  • Security Framework: Relies on elliptic curves for authorization and hashes for protection; quantum can't change 21M cap or skip proof-of-work. Modern P2PKH/P2SH hide keys until spent; 25% vulnerability claims overstate mitigable temporary risks

  • Timeline & Feasibility: Breaking secp256k1 within a practical amount of time (<1 year) needs 10-100,000 times the current number of logical qubits; relevant quantum tech at least 10 years off. Long-term attacks can take place over years—could become feasible within a decade; short-term (mempool attacks) need <10-min computations—infeasible in anything but the very long term (decades)

  • Pros of Aggressive Interventions (e.g., soft/hard forks for QR formats or burning coins): Proactively secures network, protects against unexpected technological breakthroughs, offers migration paths, signals adaptability, boosts investor confidence

  • Cons of Aggressive Interventions: Risks bugs from unvetted crypto; potentially wastes scarce development resources on unproved or inefficient solutions, invites more changes; assumes dormant coins lost, causing coercion/theft; threatens neutrality; erodes property rights, decentralisation, immutability, trust

  • Market Impact: Realistically limited to ~10k btc that could be suddenly and unexpectedly brought to market from compromised private keys; would in the end resemble routine trades; owners can migrate voluntarily; remaining coins sit in 34k individual ~50 btc addresses, would take decades to steal even with the most wildly optimistic technological breakthroughs

Analysing the problem properly requires depth and nuance

Bitcoin's security framework relies on two primary cryptographic elements: elliptic curve digital signature algorithms (ECDSA or Schnorr on secp256k1) for transaction authorisation, and hash functions like SHA-256 for mining and address protection. ECDSA creates asymmetric key pairs, where deriving a private key from a public one is computationally infeasible on classical systems. SHA-256 provides one-way hashing, with similarly infeasible reversal.

Quantum algorithms introduce specific concerns. It is a common misconception that they break cryptography as a system, but this is not the case. Below, we have summarised the effects of practical quantum computers on a list of common cryptographic functions.

Figure: Existing encryption types, pre- and post-quantum

The main problem at hand is the 256-bit ECDSA (now Schnorr, but subject to the same issue) signature algorithm used for authorising bitcoin transactions. Shor's algorithm could potentially solve the discrete logarithm problem underlying elliptic curves, exposing private keys if public keys are revealed.

Grover's algorithm reduces the effective security of symmetric hashes like SHA-256 from 256 bits to 128 bits, but this still renders brute-force attacks impractical due to enormous computational demands, keeping addresses shielded by hashes secure. As for mining, a quantum computer could potentially be a rather fast mining computer, but whether it would be economical compared to ASICs is entirely unclear (and also unimportant given the automatic difficulty adjustment embedded into Bitcoin). Importantly, quantum computing cannot alter Bitcoin's fixed 21-million supply cap or bypass proof-of-work requirements for block validation.

The exposure is limited to addresses where public keys are visible, primarily legacy Pay-to-Public-Key (P2PK) outputs, which hold approximately 1.6 million btc—about 8% of the total supply. However, only 10,200 of those coins sit in UTXOs that could cause any appreciable market disruption if they are stolen by a quantum computer. The remaining ~1.6 million all sit in 32,607 individual, ~50 btc UTXOs, which would take millennia to unlock even in the most outlandishly optimistic scenarios of technological progression in quantum computing. We have covered this in more detail here.

Figure: Distribution and amount of quantum vulnerable coins

More modern address formats, such as Pay-to-Public-Key-Hash (P2PKH), or Pay-to-Script-Hash (P2SH), conceal public keys behind hashes, remaining secure until funds are spent. Claims of 25% vulnerability often include temporary risks, such as reused exchange addresses, which can be easily mitigated through best practices, and would come with multi-year warnings of technological progression before becoming dangerous, leaving ample time for simple behavioral changes.
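The distinction the article draws between outputs that carry a public key on chain (P2PK) and outputs that carry only a hash of it (P2PKH, P2SH, P2WPKH, P2WSH) can be checked mechanically from the output script. The following is an added example, not the article's or CoinShares' code: it recognises the standard scriptPubKey templates, assigns each unspent output an exposure class, and flags the "reused address" case the article mentions, where a hashed output becomes exposed because an earlier spend from the same script already revealed the key. It goes slightly beyond the article by also classifying Taproot (P2TR) outputs, whose script carries the tweaked x-only key directly. Every key, hash, txid and value below is a constructed sample; the script templates and opcode values are the real Bitcoin ones.

```python
"""Classify Bitcoin output scripts by quantum (Shor) key exposure.

Added example for the CoinShares article, not the article's own code.
Script templates and opcodes are real; all keys, hashes, txids and
amounts are constructed placeholders, not chain data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Real Bitcoin script opcode values used by the standard templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script(spk: bytes) -> tuple[str, str]:
    """Return (script type, exposure class) for a scriptPubKey.

    'permanent': the public key sits in the output itself, so it is
                 exposed for as long as the UTXO exists (the P2PK case).
    'on-spend':  only a hash is on chain; the key is revealed when the
                 output is spent (the short mempool window the article
                 describes), or earlier if the address is reused.
    'unknown':   non-standard script, not classified here.
    """
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", "permanent"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", "on-spend"
    # P2SH: OP_HASH160 <push 20> <hash160> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH", "on-spend"
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH", "on-spend"
    # P2WSH: OP_0 <push 32> <sha256 of witness script>
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH", "on-spend"
    # P2TR: OP_1 <push 32> <tweaked x-only key>; not covered by the article,
    # but the key is on chain, so it belongs in the same class as P2PK.
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR", "permanent"
    return "nonstandard", "unknown"


@dataclass(frozen=True)
class Output:
    txid: str       # constructed identifier, not a real txid
    vout: int
    value_btc: float
    spk: bytes


def exposure_report(outputs: list[Output], spent: set[tuple[str, int]]) -> dict[str, float]:
    """Total unspent BTC per exposure class.

    A spend from a hashed script reveals the key (or redeem script) behind
    it, so any *other* unspent output with the identical scriptPubKey is
    reported under 'reuse' rather than 'on-spend'.
    """
    revealed = {o.spk for o in outputs if (o.txid, o.vout) in spent}
    totals = {"permanent": 0.0, "reuse": 0.0, "on-spend": 0.0, "unknown": 0.0}
    for o in outputs:
        if (o.txid, o.vout) in spent:
            continue
        _, cls = classify_script(o.spk)
        if cls == "on-spend" and o.spk in revealed:
            cls = "reuse"
        totals[cls] += o.value_btc
    return totals


# Constructed sample data (placeholder key and hashes, not valid curve points).
SAMPLE_PUBKEY = b"\x02" + b"\x11" * 32          # 33-byte compressed-key shape
H1, H2, H3 = b"\xaa" * 20, b"\xbb" * 20, b"\xcc" * 20

P2PK_SPK = bytes([0x21]) + SAMPLE_PUBKEY + bytes([OP_CHECKSIG])
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 0x14]) + H1 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SPK = bytes([OP_0, 0x14]) + H2
P2SH_SPK = bytes([OP_HASH160, 0x14]) + H3 + bytes([OP_EQUAL])


def sample_ledger() -> tuple[list[Output], set[tuple[str, int]]]:
    outputs = [
        Output("coinbase_early", 0, 50.0, P2PK_SPK),   # legacy P2PK, key on chain
        Output("tx_a", 0, 1.5, P2PKH_SPK),             # unspent, same script as tx_b
        Output("tx_b", 0, 0.5, P2PKH_SPK),             # spent: reveals key behind H1
        Output("tx_c", 0, 2.0, P2WPKH_SPK),            # hashed, never spent
        Output("tx_d", 0, 0.25, P2SH_SPK),             # hashed, never spent
    ]
    spent = {("tx_b", 0)}
    return outputs, spent


def demo() -> dict[str, float]:
    outputs, spent = sample_ledger()
    return exposure_report(outputs, spent)


if __name__ == "__main__":
    for cls, btc in demo().items():
        print(f"{cls:>10}: {btc:8.2f} BTC")
```

Run on the sample ledger, the report puts the 50 BTC P2PK coinbase under "permanent", the 1.5 BTC that shares a script with an already-spent output under "reuse", and the 2.25 BTC behind never-spent hashes under "on-spend". Against a real UTXO set the same classification is what separates the article's long-term exposure (P2PK) from the temporary, behaviour-fixable exposure (reuse and the mempool window).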

We are nowhere near dangerous territory

As of early 2026, quantum threats are not imminent. Breaking secp256k1 would require quantum systems with millions of logical qubits—far beyond current capabilities.

According to researchers, in order to reverse a public key within one day, an attacker would require a quantum computer with fault tolerance and error limitation performance that has currently not been achieved, and 13 million physical qubits — about 100,000 times more than the largest current quantum computer [1]. In order to break it within an hour [2], it would have to be 3 million times better than current quantum computers. “To break current asymmetric cryptography, one would need something in the order of millions of qubits. Willow, Google’s current computer, is 105 qubits. And as soon as you add one more qubit, it becomes exponentially more difficult to maintain the coherence system”, cybersecurity firm Ledger CTO Charles Guillemet confirmed to CoinShares. We have done a more detailed analysis of the above here.

Recent advancements, including demonstrations by Google and others, represent progress but fall short of the scale needed for real-world attacks on Bitcoin.  

Estimates suggest cryptographically relevant (not necessarily practically dangerous) quantum computers may not emerge until the 2030s or later, with some analyses projecting 10-20 years. 

Long-term exposures such as P2PK addresses would then be vulnerable to computations that could be on the order of years. Short-term exposures, such as public keys visible in the mempool during transactions, would demand computations in less than 10 minutes.

There are both pros and cons to aggressive interventions

Proposals to address this through aggressive interventions, such as softforking in unvetted or technologically premature quantum-resistant address formats, or worse, hard forks to burn vulnerable coins, warrant extreme caution. Such actions could not only cause unintended technological disasters through the inadvertent introduction of critical bugs, they could also undermine Bitcoin's core principles of property rights and decentralisation, potentially eroding trust without necessity.

Introducing new address formats before the cryptography underpinning them is fully understood and proven is extremely risky and not advisable. We have to keep in mind that before practical quantum computers exist, we cannot know whether quantum resistant cryptography provably works. Moreover, if we prematurely select quantum resistant addresses, we risk spending scarce development resources on implementing solutions that turn out to be inefficient at best, and rapidly obsolete or outright faulty at worst.

We fundamentally don’t know whether the vulnerable coins are dormant or lost, as evidenced by occasional movements from long-inactive addresses. Owners have sufficient opportunity to relocate funds voluntarily themselves, and unclaimed assets could naturally transition if quantum capabilities advance.

For the perceivable future, market implications appear limited. Only a small portion of vulnerable btc, around 10,200 in certain P2PK categories, might affect liquidity if compromised rapidly and suddenly. These events would likely resemble routine large-scale transactions rather than causing systemic disruption. The greater concern is preserving Bitcoin's immutability and neutrality, which could be jeopardised by premature protocol changes.

Securing Bitcoin against quantum risks is feasible and non-disruptive. “Bitcoin can adopt post-quantum signatures. Schnorr signatures [a technical implementation from a previous upgrade] paved the way for more upgrades, and Bitcoin can continue evolving defensively”, cryptographer Dr. Adam Back told CoinShares. A soft fork could introduce quantum-resistant signatures, allowing seamless integration of new cryptographic standards. Existing proposals, such as Bitcoin Improvement Proposals (BIPs), outline pathways for this evolution. Users can migrate funds to secure addresses at their discretion, while monitoring quantum developments—perhaps using exposed legacy stacks as indicators of progress.

For institutional investors, the key insight is that quantum risks are contained, with an extended timeline for resolution. Bitcoin's architecture provides built-in resilience, enabling proactive adaptations. As sound money in a digital era, bitcoin merits consideration based on its fundamentals, rather than overstated technological threats.


[1] The estimation of ‘physical qubits’ is a bit of a tricky thing since there are many different types of qubits, and they do not have the same performance or characteristics. Given the knowledge level of our audience, we have therefore opted for readability, simplification and generalisability over pure accuracy in this paper.

[2] This is considered a key vulnerability timeframe because even public keys hidden behind SHA-256 are visible to the network for a short period of time when they are in the process of being spent but are still waiting to be added to a block by a miner.

Written by
Christopher Bendiksen
Published 06 Feb 2026
