The quantum countdown of Bitcoin is not a physics problem.

From "collect first, decrypt later" to real-time coin grabbing, risks are escalating.

Author: Sandy Peng

Translation: Plain Language Blockchain

The focus of this article is not the sensational question of "Will quantum computing destroy Bitcoin?" but rather whether the Bitcoin community can coordinate upgrades before the threat becomes real. The author points out that the timeline for quantum risk is tightening, with older addresses that exposed public keys early becoming targets first, and the real difficulty lies not in the cryptographic solutions themselves, but in getting a highly conservative network to reach a migration consensus in time.

1200. This is the number provided by Google Quantum AI in a milestone white paper in March 2026.

Through optimizations of Shor's algorithm, the research team shows that no more than 1200 logical qubits, and fewer than 500,000 physical qubits, are needed to break the 256-bit elliptic-curve signature scheme (ECDSA over secp256k1; a signature scheme, not encryption) that protects every Bitcoin key. That is roughly 20 times smaller than the estimates that dominated the field five years ago.

IonQ's official roadmap plans to achieve 1600 logical qubits by 2028 and increase to 80,000 by 2030; IBM's quantum roadmap expects its Blue Jay system to reach 2000 logical qubits by 2033.

Threat window, a date has emerged

To understand which part of Bitcoin quantum computers will threaten, one must first understand what Bitcoin cryptographically relies on.

Bitcoin's security rests on two different pillars. The first is SHA-256, the hash function that secures mining (proof of work) and, together with RIPEMD-160, address generation. The second is the signature layer, which expresses ownership: ECDSA, and since Taproot also Schnorr signatures, both over the same elliptic curve, secp256k1. Whenever you send bitcoin, a signature proves that you control the key behind the coins and authorize the transaction. Your private key is a random 256-bit number; the public key is derived from it by elliptic-curve scalar multiplication. That computation is cheap in one direction and, for any classical computer, infeasible to reverse (the elliptic-curve discrete logarithm problem). This one-wayness is the entire foundation of Bitcoin's ownership security.

Quantum computers attack these two systems in completely different ways, and this distinction is crucial.

Quantum computers can speed up brute-force search (Grover's algorithm gives at most a quadratic speedup), but that is nowhere near enough for any hardware now under development to threaten SHA-256 proof of work. The mining system is not the issue.

The real issue is Shor's algorithm. It solves the discrete logarithm problem that protects every Bitcoin private key, something no classical computer can do in feasible time. According to the estimates in the Google Quantum AI white paper, a machine with 1200 logical qubits could derive a private key from a public key in about 9 minutes, close to Bitcoin's average block interval of 10 minutes.

Various quantum hardware paths are converging toward this threshold. The threat timeline resembles a lower limit rather than an upper limit: As soon as any of these technical paths break through early, this window will tighten further.

Consider it 10 years. It may even be shorter.

"Collect first, decrypt later" has actually already begun

There is another version of the issue that does not have to wait until 2029 to materialize.

National intelligence agencies do not need to own a quantum computer today to extract value from Bitcoin transactions. They only need storage, which is cheap, and patience, which agencies have in abundance. The strategy is straightforward: record the data now (the public keys the blockchain exposes, plus any encrypted traffic that rides on top of it), wait for the hardware to catch up, and decrypt or derive keys in bulk later. In the security field this is known as "Harvest Now, Decrypt Later" (HNDL). By most credible assessments, it is already happening.

For most Bitcoin transactions, this is more of an inconvenience than a survival crisis — because this data is already public, Bitcoin has always offered pseudonymity, not anonymity. But for privacy applications built on blockchain infrastructure, the threat of HNDL is deeper. Whether it is confidential transactions or encrypted cross-chain messages, as long as they are recorded today, they may be locked in a vault "waiting for the quantum key to arrive." The assumption of long-term confidentiality for these systems has actually been undermined in advance, regardless of whether users are aware of it.

There is also a second, less-discussed attack vector. Every unconfirmed transaction sitting in the mempool has already revealed its input public keys (in the scriptSig or witness) before it is confirmed. In a world with a sufficiently capable quantum computer, this broadcast window, roughly 10 minutes for Bitcoin and often longer when fees are low, becomes an attack window. If an attacker can derive the private key from the public key faster than the next block is mined, they can sign a conflicting transaction that spends the same inputs to themselves and get it confirmed first, for example by paying a higher fee so that miners prefer it. The article calls this a "real-time replacement attack". It means the issue is not only wallets that have been exposed for years: once the hardware crosses the threshold, every transaction in flight carries real-time risk.

The implications of this are not light: The clock on Bitcoin's vulnerability does not start ticking from 2029. For those whose data is worth collecting and storing long-term, it has already begun.

Not all Bitcoins are equally exposed

Once quantum capability genuinely arrives, it will not strike evenly across the entire network. The damage will be targeted, and the deciding factor on whom it targets is a technical difference most Bitcoin holders have never seriously considered.

Not all Bitcoin addresses carry the same risk. The oldest output type, pay-to-public-key (P2PK), places the public key itself in the output, so it sits permanently exposed on the blockchain and is a standing target for any future quantum attacker. Later formats such as pay-to-public-key-hash (P2PKH) and P2WPKH publish only a hash of the public key; the key itself appears on-chain only when the funds are spent, compressing the vulnerable window to that brief moment. Two caveats matter in practice. First, the protection is lost the moment an address is reused: the first spend reveals the key, and any coins later sent back to the same address are then as exposed as P2PK. Second, Taproot (P2TR) outputs are the exception among the newer formats, because the output script contains the (tweaked) public key directly; this is why BIP 360 proposes a Taproot-derived format without that key path.
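To make the one-way derivation described earlier concrete, and to show why P2PK and hash-based outputs differ in exposure, here is an added Python example (not code from the article, and not Bitcoin Core's implementation). It implements secp256k1 scalar multiplication from the published curve constants, derives compressed public keys, builds the scriptPubKey for each output type and classifies whether the script itself contains a public key. The P2TR constructor is a simplification: it uses an untweaked key, whereas a real Taproot output key is the BIP 341 tweaked point (still a public key on the curve, so the exposure conclusion is the same). The demo private key is a made-up constant, not a real wallet, and the `classify`/`exposed_now` helpers and their labels are this example's own.

```python
import hashlib

# secp256k1 parameters: the curve Bitcoin uses for ECDSA and Schnorr signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey_point(priv: int):
    """Public key = priv * G by double-and-add: at most 256 doublings and additions.
    Recovering priv from the result is the discrete-log problem Shor's algorithm solves."""
    if not 1 <= priv < N:
        raise ValueError("private key must be in [1, N-1]")
    result, addend = None, G
    while priv:
        if priv & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        priv >>= 1
    return result


def compressed_pubkey(priv: int) -> bytes:
    """33-byte SEC1 compressed encoding: 0x02/0x03 parity prefix plus the x coordinate."""
    x, y = pubkey_point(priv)
    return bytes([0x02 if y % 2 == 0 else 0x03]) + x.to_bytes(32, "big")


def hash160(data: bytes) -> bytes:
    """RIPEMD-160(SHA-256(data)). Some OpenSSL 3 builds of Python lack ripemd160."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


# scriptPubKey templates for the output types discussed in the article.
def p2pk_script(pubkey: bytes) -> bytes:
    return bytes([len(pubkey)]) + pubkey + b"\xac"            # <pubkey> OP_CHECKSIG

def p2pkh_script(pubkey: bytes) -> bytes:
    return b"\x76\xa9\x14" + hash160(pubkey) + b"\x88\xac"     # OP_DUP OP_HASH160 <h> OP_EQUALVERIFY OP_CHECKSIG

def p2wpkh_script(pubkey: bytes) -> bytes:
    return b"\x00\x14" + hash160(pubkey)                       # OP_0 <20-byte hash>

def p2tr_script(pubkey: bytes) -> bytes:
    # Assumption for this example: untweaked, key-path-only output (real P2TR uses the BIP 341 tweak).
    return b"\x51\x20" + pubkey[1:]                             # OP_1 <32-byte x-only key>


def classify(spk: bytes):
    """Return (output type, True if the script itself publishes a public key)."""
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "P2PK", True        # key sits in the UTXO set; standing Shor target
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False      # only HASH160 committed; key shows up in the spending scriptSig
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False       # script hash; depends on the redeem script
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False     # key shows up in the witness only when spent
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True        # the witness v1 program is itself an x-only public key
    return "unknown", None


def exposed_now(spk: bytes, key_seen_in_prior_spend: bool = False) -> bool:
    """Standing exposure: the key is in the script, or the same key was already
    revealed on-chain by an earlier spend (address reuse)."""
    _, in_script = classify(spk)
    return bool(in_script) or key_seen_in_prior_spend


if __name__ == "__main__":
    pk = compressed_pubkey(0xDEADBEEF)   # constructed demo key, not a real wallet
    for spk in (p2pk_script(pk), p2pkh_script(pk), p2wpkh_script(pk), p2tr_script(pk)):
        print(classify(spk), spk.hex()[:24] + "...")
    print("reused P2PKH address:", exposed_now(p2pkh_script(pk), key_seen_in_prior_spend=True))
```

The forward step (`pubkey_point`) runs in milliseconds even in pure Python; the reverse step is what no classical machine can do and what a 1200-logical-qubit machine is estimated to do in minutes. The `exposed_now` flag is the practitioner's check that the address-prefix rule misses: a hash-based output whose key was already revealed by an earlier spend is no better protected than P2PK.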

The problem is that many coins still reside in the old format.

By most estimates, more than 1 million bitcoins mined by Satoshi Nakamoto sit in the old P2PK format. Their public keys have been on-chain, exposed, for more than 17 years. No one can migrate these coins, because no one holds the corresponding private keys. If a cryptographically relevant quantum computer appears before Bitcoin's infrastructure has been upgraded, these outputs will receive no warning; they will instantly become the top targets. Discussions of a quantum-resistance hard fork that would freeze or otherwise protect them do exist, but for an attacker the path of least resistance is simply to take the coins. Unless the community takes highly controversial collective action, quick theft is the most probable outcome.

This is not systemic collapse but targeted collapse. The first victims of a quantum attack will not be chosen at random; they will be chosen by exposure. And the most thoroughly exposed and largest tranche of coins in Bitcoin's history happens to be the one whose owners cannot act.

What is truly harder than physics is governance

Solutions at the cryptographic level already exist; this is not an industry waiting on a scientific breakthrough. In August 2024 NIST finalized its first post-quantum standards: ML-KEM (FIPS 203, from CRYSTALS-Kyber) for key establishment, and ML-DSA (FIPS 204, from CRYSTALS-Dilithium) and SLH-DSA (FIPS 205, from SPHINCS+) for signatures; a standard based on Falcon (FN-DSA, FIPS 206) is still in draft. The algorithms are public, peer-reviewed and available. The real question is whether Bitcoin can deploy them before the window closes.

To answer this question, one must honestly confront the costs of post-quantum migration.

Post-quantum signatures are far larger than the 64- to 72-byte Schnorr and ECDSA signatures Bitcoin uses today: ML-DSA-44 signatures are about 2.4 KB and SLH-DSA signatures run from roughly 8 KB to 17 KB, i.e. tens to hundreds of times larger. A 2026 study in the Journal of the British Blockchain Association (JBBA) modeled the migration directly: throughput would drop by 52% to 57%, transaction fees would rise two- to threefold, and the network's overall storage requirements would grow significantly.

And these costs will not bring faster networks, cheaper transactions, or better user experiences. It is merely purchasing protection against a threat that has not yet truly materialized. This is a defensive "downgrade." Costs occur immediately, while benefits are abstract and happen in the future.

Now, let’s examine the governance structure that must approve this.

Bitcoin's SegWit upgrade clearly provided real and tangible performance improvements, yet it still took about two years from formal proposal to activation, and it progressed through a seriously fractured community. SegWit at least had supporters who could point to those immediately visible and quantifiable improvements. Meanwhile, post-quantum migration lacks such persuasive power. It asks the community to accept a 57% drop in throughput, pay 2 to 3 times the transaction fees, endure years of implementation risks, all for the sake of a quantum computer that does not yet exist, so that a signature scheme that is not yet truly defunct remains unbroken in the future.

So far, the Bitcoin community has put forward two proposals. BIP 360 introduces a new quantum-resistant output type derived from Taproot (P2QRH in the draft) that removes the quantum-vulnerable key-path spend, so no public key is exposed in the output before it is spent. BIP 361 goes further: it plans to phase out the current signature schemes and eventually freeze funds in outputs that have not been migrated until their owners complete the move. By Bitcoin's usual standards this is nearly radical.

In contrast, Ethereum's response seems different. Vitalik Buterin has released a "quantum emergency roadmap," attempting to address the issue on multiple levels simultaneously. The upcoming protocol upgrade will allow individual accounts to independently switch to quantum-resistant signatures without requiring a full network vote. Meanwhile, Ethereum is also replacing underlying cryptographic components that could potentially be broken by quantum computers in the future and developing compression technologies to maintain network efficiency during migration. This is a publicly driven collaborative response spearheaded by the founder, spanning multiple layers.

The gap between these two paths does not imply a criticism of Bitcoin culture. For a currency protocol, extreme conservatism is a coherent philosophy. However, when the threat timeline is dictated by outside engineering roadmaps rather than internal consensus, conservatism carries a cost. JBBA's research estimates that forming community consensus on post-quantum migration could take 10 to 15 years; while the threat window itself is also 10 to 15 years. These two numbers are essentially the same.

In 2025, reports indicated that at least one global investment institution had already removed Bitcoin from its recommendation list, with long-term quantum security uncertainty being one of the reasons. It may not be the last one. As IBM and IonQ's roadmaps become increasingly hard to ignore, due diligence frameworks will start elevating "post-quantum migration plans" from footnotes to formal projects.

The question has never been "Will it happen?" but rather "Will there be enough time?"

What is likely to happen is actually more fragmented and, to some extent, more unsettling.

The first wave will target what is already exposed: P2PK outputs, early mining rewards, and the more than 1 million bitcoins from the Satoshi era mentioned above. A capable quantum machine will not announce itself through a market crash; it is more likely to reveal itself through a series of anomalous transactions, in which wallets whose owners lost access, cannot be reached, or were never identified are steadily drained. The relevant on-chain data has been sitting there for years.

The second wave is psychological. Bitcoin's value has never rested on technical properties alone. It also rests on a belief: that the rules are fixed, the math is reliable, and no actor with enough resources can manipulate the asset. Once a confirmed quantum break makes headlines, that belief takes a blow it may not quickly recover from. What BlackRock and Fidelity built their Bitcoin ETFs around is not a technical specification but a narrative, and a narrative is fragile in a way cryptography is not.

The third wave entirely depends on governance. If the Bitcoin community truly acts — not symbolic discussions, but with the urgency that the timeline demands — then the protocol itself can survive, and its value logic can survive alongside it. Technically, this is feasible. Physics itself has not made Bitcoin defenseless. But this window requires the community to make some decisions that violate a long-standing instinct of the community built around "trust decentralization," "resisting change," and "maintaining deep skepticism towards all urgent narratives."

My judgment is: Bitcoin will not go to zero. But its path to survival is narrower than even the most ardent supporters would admit, and the work required along this path is greater than anything the network has done before. Physics likely gives Bitcoin until around 2033. Whether its governance can keep pace with this rhythm is the real and only outstanding question.

If you’ve read this far and are more inclined to take action rather than just observe, then:

If you hold bitcoin in an older wallet format, first check whether your outputs have already exposed their public key. Addresses starting with "1" (P2PKH) or "bc1q" (P2WPKH, P2WSH) keep the key hidden until you spend; the oldest format, P2PK, has no address of its own and exposes the key permanently (block explorers often display a P2PK output as if it were a "1..." address, so look at the output script, not just the prefix). Taproot addresses starting with "bc1p" (P2TR) are the exception among modern formats: the output contains the public key directly. If your wallet was created in the past decade you are most likely on a newer format, but if you have held bitcoin since the early years, verify it yourself, and make sure you have not reused an address after spending from it, which re-exposes the key. Migration only costs a transaction fee and requires trusting no third party, so there is no reason to delay. But this is risk reduction, not a cure: the public key is still revealed when you spend, and the signature scheme is still ECDSA or Schnorr over secp256k1, neither of which is quantum-resistant. True quantum-safe migration still depends on the deployment of post-quantum output types such as P2QRH (BIP 360), which are currently in BIP draft stage and not activated on mainnet.
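As an added example (not code from the article), here is a small Python checker for the first step above: it decodes an address string, validates its checksum, and reports whether that output type publishes a public key before any spend. Base58check decoding and bech32/bech32m decoding follow BIP 173 and BIP 350; the addresses used in the stand-alone run are the BIP 173/350 test vectors and the genesis-block address, not anyone's live wallet. The `address_exposure` function and its labels are this example's own. It inspects only the address, so it cannot detect address reuse, and it cannot tell that a "1..." address shown by an explorer is really a P2PK output; for old coins, check the actual scriptPubKey of the UTXO.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3   # BIP 350 checksum constant for witness versions 1+


def base58check_decode(addr: str):
    """Return (version byte, 20-byte hash) of a legacy '1...' or '3...' address."""
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    raw = n.to_bytes(25, "big")              # version(1) + hash160(20) + checksum(4)
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad base58check checksum")
    return payload[0], payload[1:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _convert_bits(values, frombits, tobits):
    """Regroup 5-bit symbols into bytes, rejecting non-zero or oversized padding."""
    acc = bits = 0
    out = bytearray()
    maxv = (1 << tobits) - 1
    for v in values:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return bytes(out)


def segwit_decode(addr: str):
    """Return (witness version, witness program) of a bc1... address, enforcing
    the BIP 173 checksum for v0 and the BIP 350 bech32m checksum for v1+."""
    hrp, data = addr.lower().rsplit("1", 1)       # '1' is the separator, not in the charset
    values = [BECH32.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = values[0]
    expected = 1 if version == 0 else BECH32M_CONST
    if _bech32_polymod(expanded + values) != expected:
        raise ValueError("bad checksum for this witness version")
    return version, _convert_bits(values[1:-6], 5, 8)


def address_exposure(addr: str):
    """Return (output type, True if the public key is on-chain before any spend).
    P2PK outputs have no address form at all: if an explorer shows one, the key is exposed."""
    if addr.lower().startswith("bc1"):
        version, program = segwit_decode(addr)
        if version == 0 and len(program) == 20:
            return "P2WPKH", False      # hash only; key appears in the witness on spend
        if version == 0 and len(program) == 32:
            return "P2WSH", False       # script hash; exposure depends on the script
        if version == 1 and len(program) == 32:
            return "P2TR", True         # the program is itself an x-only public key
        return f"witness v{version}", None
    version, _ = base58check_decode(addr)
    if version == 0x00:
        return "P2PKH", False           # HASH160 of the key only
    if version == 0x05:
        return "P2SH", False            # script hash; depends on the redeem script
    return f"base58 v{version}", None


if __name__ == "__main__":
    for a in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",                          # genesis-block address
              "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",                  # BIP 173 P2WPKH vector
              "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3",  # BIP 173 P2WSH vector
              "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"):  # BIP 350 P2TR vector
        print(a, "->", address_exposure(a))
```

The genesis-block line is the caveat in code: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa decodes as P2PKH, yet the genesis coinbase output that explorers label with that address is in fact a P2PK script whose public key has been on-chain since 2009. The prefix tells you how a wallet would pay to the key; only the output script tells you how the coins are actually held.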

If you allocate digital assets professionally, add a column to your framework now: "post-quantum migration roadmap". It belongs on your due diligence checklist starting today. BlackRock already added quantum-risk disclosures to its Bitcoin ETF prospectus in May 2025. By 2028 this column will very likely be in everyone's framework; that is a prediction, but given how fast institutional attention is rising, a reasonable one.

If you work in policy, you also need to realize: The CBDC infrastructure and digital finance paths face the same types of threats, the same timeline, because they rely on the same elliptic curve cryptography, which Shor's algorithm can also break. For decentralized networks, migration coordination is more difficult, precisely because they lack an administrative authority. Public infrastructure does not have this excuse, but it also may not have a faster technological path.

This race is not a competition between quantum computing and Bitcoin. It is truly a contest of who evolves faster: the speed of quantum computing development or Bitcoin’s ability to make difficult collective decisions under pressure. One side has already provided a public roadmap, backed by billions of dollars in engineering resources; the other relies on rough consensus in an email list to push governance, although this consensus has yielded BIP draft proposals currently being deployed on the testnet.

From a broader perspective, the trajectory of this technology ultimately points to a broader conclusion: In a system continuously impacted by changing technical constraints, long-term resilience depends on adaptability. Rather than assuming a certain form of permanent stability, it is better to acknowledge that the system must evolve alongside the risks it faces.

Article link: https://www.hellobtc.com/kp/du/05/6331.html

Source: https://www.forbes.com/sites/digital-assets/2026/05/28/bitcoins-quantum-deadline-isnt-a-physics-problem/

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and platform staff will verify.
