- Bitcoin’s network is overwhelmingly secure, with a hash rate equivalent to more than a million El Capitan-class supercomputers - far beyond the reach of both classical and today’s quantum machines. The primary long-term quantum risk lies not with the network itself, but with individual wallets whose public keys become exposed.
- The Bitcoin ecosystem will need to take challenging steps to mitigate individual wallet risk, but it has a pathway to do this and we believe it will succeed.
- A cryptographically relevant quantum computer (CRQC) capable of breaking Bitcoin’s elliptic-curve signatures would require 5,000–10,000 logical qubits - orders of magnitude beyond today’s 105-qubit devices like Google’s Willow. Estimates for “Q-Day” vary widely, but Bitcoin has ample time to implement quantum-resistant upgrades, while millions of dormant legacy coins remain the only meaningful point of vulnerability.
- Traditional financial institutions face quantum risk much earlier, as they depend on long-lived RSA/ECC keys for authentication and interbank communications. Once quantum computers can break these, systemic attacks on banks become possible - long before Bitcoin’s decentralized architecture or active wallets are meaningfully threatened.
Introduction
Quantum computing has entered a new phase, marked by notable breakthroughs such as Google's 105-qubit Willow processor and rapid progress across the broader research landscape.
While today's quantum machines remain far from threatening Bitcoin's cryptography, these developments have rekindled interest in the long-term implications for the world's most secure decentralized monetary network.
With Bitcoin operating at over one zeta hash per second, equivalent to more than a million El Capitan-class supercomputers, it is clear that the network itself is extraordinarily robust.
Yet the conversation is shifting toward a more nuanced question: not whether quantum computing can overpower Bitcoin's global hash rate, but whether future quantum capabilities could expose vulnerabilities at the individual wallet level. This report examines that risk, recent expert commentary on “Q-Day,” and the evolving roadmap toward quantum-resistant Bitcoin.
How much of a threat to Bitcoin is it really?
Bitcoin is the single most secure decentralised computer network in existence. The Bitcoin network currently sports an immense hash rate of slightly more than 1 zeta hash per second (1 * 10^21 hashes per second) and counting.
If measured in terms of numbers of the fastest supercomputers on earth called “El Capitan”, it would be equivalent to approximately 1.2 million of these that are securing the Bitcoin network.[1] This amount of computing power is made possible via decentralisation.
El Capitan's classical computing power is still far ahead of Google's Willow chip if we compare them using a simple “hash-equivalent” framework. Even with generous assumptions, Willow only reaches the equivalent of about 30-300 kH/s, while El Capitan reaches roughly 0.83 PH/s. In other words, El Capitan delivers about ten orders of magnitude rawer, hash-like operations per second then Google's Willow.
However, this comparison is only a rough illustration. Classical FLOPs (Floating Operations per second) and quantum gates are not the same thing, and quantum processors are not designed to compete on sheer throughput.
Their advantage comes from using fundamentally different algorithms that can solve certain problems much more efficiently than classical systems. So, while a quantum chip looks weak when forced into a “SHA-256 mining” analogy for Bitcoin, it can still outperform the world's best supercomputers on specific tasks that are well-suited to quantum computation.
So, the whole Bitcoin network is most likely not at risk by quantum computing.
Let's focus on individual wallets though:
A Bitcoin private key is a 256-bit number (256 1s or 0s), so there are:
2²⁵⁶ possible private keys ≈ 1.16 × 10⁷⁷ different combinations.
Going back to our supercomputer El Capitan, even if you gave El Capitan perfect mining/brute-force software and used all of its peak performance for nothing but key guessing, the answer is still:
The fastest supercomputer El Capitan would need on the order of 10⁵¹ years to brute-force / trial-and-error a single random 256-bit Bitcoin private key.[2]
- So, it is essentially impossible to brute-force a Bitcoin private key.
However, there is a potential vulnerability in Bitcoin's cryptography that could be exploited via the so-called Shor's algorithm in the long run.
Bitcoin is based on eliptic-curve cyptography which includes a public and a private key (also used in Ethereum).
Think of the public key as your publicly known mailbox/address while your private key is the secret key to open and send mails from that mailbox.
The important aspect to understand is that both private key and public key are mathematically connected.
Shor's algorithm does not brute-force a Bitcoin private key - it mathematically derives it from the public key by solving the so-called elliptic-curve discrete logarithm problem, which is normally infeasible for classical computers.
Key risk: Once a public key is exposed on-chain, a sufficiently large quantum computer could, in principle, run Shor's algorithm to recover the corresponding private key, bypassing the enormous trial-and-error described above entirely.
For Bitcoin, this would require the attacker to observe the public key when a transaction is broadcast to the network and then complete the quantum computation before the transaction is confirmed - typically within about ten minutes.[3]
Achieving this in practice is unrealistic today but could become more likely in the future depending on the advancements of quantum computing. Today's quantum processors are many orders of magnitude short of these requirements, but the underlying attack mechanism is well understood.
When could we expect Quantum Computing to become threat (to private keys)?
In this context, experts often tend to mention the so-called “Q-Day”, i.e. the moment when quantum computers become powerful enough to break today's cryptographic systems, including Bitcoin's elliptic-curve signatures.
Expected Timeline of “Q-Day” by different experts:
- Charles Edwards - Quantum computers may threaten Bitcoin encryption by 2029.[4]
- Vitalik Buterin - 20 % chance that quantum computers capable of breaking current cryptography could arrive before 2030.[5]
- Adam Back - no meaningful quantum threat for at least 20–40 years (i.e. 2045-2065).[6]
- Chamath Palihapitiya - time frame is very much not clear and it's not in the immediate time horizon.[7]
As one can see, the estimates about the Q-Day can vary widely and there is still much uncertainty around whether it could still pose a threat considering potential security upgrades in the future.
For instance, Adam Back argues that Bitcoin could add quantum secure signatures, as the evaluation continues and be quantum ready, long before cryptographically relevant quantum computers arrive.
It is important to highlight in this context that Bitcoin's code is not static but constantly evolves via so-called Bitcoin Improvement Proposals (BIPs). It is very likely that a BIP will be proposed to roll out quantum secure signatures in the future.
Nonetheless, many dormant legacy coins, i.e. those that remain unspent will most likely not upgrade to potential quantum-resistant addresses in the future because the control over these coins has simply been lost.
According to estimates by Glassnode, around 3.391 million BTC are “provably lost”, i.e. are considered to be unclaimed miner rewards, BTC sent to burn addresses or BTC sent to ‘OPRETURN'. Any bitcoins with a holding period of more than 10 years with no recorded transfer are generally considered to be “provably lost” as well.
If one included the early mined coins by founder Satoshi Nakamoto (approximately 1 million BTC) around 4.5 million BTC (~22.5%) would potentially be vulnerable to quantum computing in the future.
Other experts even state that around 6.5 million BTC are potentially vulnerable to quantum computing.[8]
This is the worst case scenario though and not our base case.
Note though that a certain share of this amount could unexpectedly move ahead of Q-Day as many of those provably lost coins are simply held by early bitcoin adopters with a holding period of more than 10 years (the cutoff period for provably lost coins).
Also note that this amount wouldn't hit the market simultaneously as individual wallets still need a significant amount of time and energy to be accessed with relevant quantum computers. Nonetheless, sophisticated attackers will most likely focus on lucrative “honey pots” like the Satoshi wallets mentioned above.
A back-of-the-envelope estimate suggests that a recovery and complete sale of the Satoshi wallet BTC supply could hypothetically lead to a bitcoin price decline of approximately -45% all else equal.[9]
Besides, note that a “cryptographically relevant quantum computer” (CRQC) - capable of breaking Bitcoin's signature scheme - would need on the order of 5,000–10,000 logical qubits, which in practice means hundreds of thousands to millions of physical qubits.
In comparison, Google's Willow processor currently has 105 physical qubits.
So, Willow is still four to five orders of magnitude too small to pose any cryptographic risk for Bitcoin.
Hence, major Bitcoin developer communities like Presidio Bitcoin also believe that we are “very far away” from such a machine, noting that current quantum hardware hasn't yet connected two logical qubits to each other reliably.[10]
Nonetheless, migration strategies for Bitcoin are already being discussed - such as adopting post-quantum signatures and handling these legacy coins mentioned above - that must be planned well in advance of Q-Day.[11]
Fortunately, there are ways for the system to proactively take steps to neutralize the quantum-related wallet risk:
- For wallets that are dormant but still active - i.e., a wallet that someone has just not bothered to move in 10 years - the owner must make a one time transaction to move the bitcoin to a more modern wallet. We expect that to happen.
- For wallets that are truly abandoned - where the key is lost or the owner has passed away or for another reason (including, potentially, Satoshi's wallets) - the community will need to vote on an uncomfortable decision. Does it set a date by which wallets must be moved or the assets are frozen on the chain? Or does this violate the nature of bitcoin? We expect a wide-ranging discussion around this in the coming years.
Our point is that the risk is acknowledged. The community is unlikely to stand by while quantum users steal up to 4.5 million bitcoin; instead, we expect robust discussion, hard decisions, and ultimately a solution.
We do not expect it will be easy, and it will require some soul searching by the Bitcoin community, but it is something the community can do.
Key development to watch ahead of Q-Day would be an increasing frequency of systemic attacks on traditional financial architecture like banks.
Traditional financial institutions are structurally more exposed to quantum threats because they rely heavily on outdated cryptography like RSA embedded throughout their authentication, payment, and interbank communication systems.
[…] quantum computing advances also accelerate the emergence of security risks, particularly the potential to break public-key encryption, which is vital for securing digital systems such as online banking and government communications. While the timeline for quantum computing's full potential remains uncertain, the associated quantum security risks are already at play. WEF, 2025[12]
Once quantum computers can break these, attackers could impersonate servers, decrypt traffic, or forge transactions at the institutional level - well beyond the reach of consumer-facing safeguards. Two-factor authentication offers no protection here, as it secures only user logins, not the underlying cryptographic foundations that quantum computers would directly compromise.
Outlook and Conclusion
Bitcoin remains the most secure monetary network in excistence due to its decentralised nature and immutability. Unlike the traditional banking system, attackers require a very significant amount of scarce physical energy and computing power to compromise the Bitcoin network.
The centralised nature of the traditional banking system makes it also more vulnerable to attacks as these legacy systems are often exposed to a single-point-of-failure and are based on rather obsolete cryptography.
Therefore, regardless of the timeline, adverse effects from quantum computing will most-likely affect traditional financial infrastructure first before becoming a serious threat to the Bitcoin network.
That being said, legacy Bitcoin wallets which likely won't upgrade to quantum-resistant signatures in the future are at risk. In the worst case, around 4.5 million legacy bitcoins could be at risk by quantum computing in the future based on our estimations.
However, it is worth noting that the key risk will mainly stem from a potential sale of those legacy coins and not from a corruption of the Bitcoin network itself.
Bottom Line
- Bitcoin’s network is overwhelmingly secure, with a hash rate equivalent to more than a million El Capitan-class supercomputers - far beyond the reach of both classical and today’s quantum machines. The primary long-term quantum risk lies not with the network itself, but with individual wallets whose public keys become exposed.
- The Bitcoin ecosystem will need to take challenging steps to mitigate individual wallet risk, but it has a pathway to do this and we believe it will succeed.
- A cryptographically relevant quantum computer (CRQC) capable of breaking Bitcoin’s elliptic-curve signatures would require 5,000–10,000 logical qubits - orders of magnitude beyond today’s 105-qubit devices like Google’s Willow. Estimates for “Q-Day” vary widely, but Bitcoin has ample time to implement quantum-resistant upgrades, while millions of dormant legacy coins remain the only meaningful point of vulnerability.
- Traditional financial institutions face quantum risk much earlier, as they depend on long-lived RSA/ECC keys for authentication and interbank communications. Once quantum computers can break these, systemic attacks on banks become possible - long before Bitcoin’s decentralized architecture or active wallets are meaningfully threatened.
[1]
Using ~3,385 operations per double-SHA-256 hash and El Capitan’s 2.821×10¹⁸ FLOPs/s, we get ≈8.3×10¹⁴ hashes/s (≈0.83 PH/s). Matching a 1 ZH/s network (10²¹ hashes/s) would therefore require ≈10²¹ ÷ 8.3×10¹⁴ ≈ 1.2×10⁶ El Capitans. Note though that, in reality, using El Capitan for bitcoin mining would be wildly inefficient compared with off-the-shelf ASIC miners.
[2]
Brute-forcing a 256-bit key requires ~2²⁵⁶ ≈ 1.16×10⁷⁷ guesses. Even giving El Capitan the impossible advantage of testing one key per operation (2.8×10¹⁸ ops/s), it would need (1.16×10⁷⁷)/(2.8×10¹⁸) ≈ 1.3×10⁵¹ years - about 10⁴¹ times the age of the universe.
[3]
Achieving this in practice demands thousands of stable logical qubits, millions of physical qubits after error correction, and the ability to execute roughly 10¹¹–10¹² high-fidelity quantum gates. Note that Google’s Willow only possesses 105 physical qubits right now.
[9]
Based on current data by Glassnode: (1 mn BTC / 2.9 mn BTC) * -1.3 = -45%; based on the average sensitivity of BTC drawdowns to whale exchange inflows.
[11]
Ibid.
