Does Quantum Computing Threaten Bitcoin?
Before you go, see it all live
100% Free · No sign-upEvery market on one screen, live and free. Here is what is waiting on the dashboard:
- Panels that rotate through more markets on their own
- An info icon on every instrument with a plain-English explainer
- Turn any card into a live news feed that stays put across refreshes
- A knowledge hub of in-depth market guides to sharpen your edge
"Quantum computers will break Bitcoin" is one of the most repeated fears in crypto, and it resurfaces every time a new quantum chip makes headlines. The honest answer is more interesting than the panic: the threat is real but narrow, most of Bitcoin is better protected than people assume, and the timeline is years to decades, not months.
This guide breaks down exactly how the threat works, which coins are actually exposed, how far off a capable quantum computer really is, and whether a genuinely quantum-resistant cryptocurrency exists. For the broader picture of quantum in markets, see quantum computing in finance and trading.
This page is for learning, not financial advice. Coins and projects are named to explain the technology, not as recommendations. Do your own research.
How the threat actually works
Bitcoin leans on two kinds of cryptography, and quantum computers treat them very differently:
- Digital signatures (the weak point). Your ownership of coins is proven by an elliptic-curve signature (ECDSA). A powerful quantum computer running Shor's algorithm could reverse that math and calculate your private key from your public key. This is the genuine threat.
- Hashing (the strong point). Mining and Bitcoin addresses rely on SHA-256 hashing. The best quantum attack here, Grover's algorithm, offers only a square-root speedup, effectively halving the security level. A 256-bit hash still leaves about 128 bits of protection, which is comfortably safe. Hashing is not the problem.
So the risk is not "quantum breaks Bitcoin" in one stroke. It is specifically that exposed public keys could have their private keys derived.
Which Bitcoin is actually at risk
This is the nuance most articles miss. A modern Bitcoin address stores only a hash of your public key. Your public key is revealed only when you spend from that address. That means:
- Never-spent-from addresses are relatively safe. The public key stays hidden behind a hash, and hashing is quantum-resilient.
- Reused addresses are exposed. Once you spend, the public key is public forever, so any coins left at that address sit behind cryptography a future quantum computer could crack.
- Old pay-to-public-key (P2PK) outputs are exposed. Bitcoin's earliest coins, including much of the roughly one million BTC attributed to Satoshi, published the public key directly on the chain.
- The broadcast window. When you send a transaction, your public key is briefly visible before it is confirmed, a short window a quantum attacker could theoretically exploit.
| Address type | Public key on the blockchain? | Quantum risk |
|---|---|---|
| Modern address, never spent from (P2PKH / P2WPKH) | No, only a hash of it | Low |
| Address reused after spending | Yes, permanently | High |
| Old pay-to-public-key (P2PK), e.g. Satoshi-era coins | Yes, published directly | High |
| Broadcast window (transaction sent, not yet confirmed) | Briefly visible | Low to moderate |
Estimates suggest several million BTC, roughly a quarter of the supply, sit in exposed or reused addresses. The practical defence available today is simple: use modern address types and do not reuse addresses.
How far off is a capable quantum computer?
The gap between today's hardware and a Bitcoin-breaking machine is enormous. Breaking elliptic-curve signatures would require a fault-tolerant quantum computer with millions of physical qubits. Current machines have on the order of a thousand noisy qubits and cannot sustain long computations.
Expert surveys generally place a cryptographically relevant quantum computer a decade or more away, with many estimates in the 2035 to 2040-plus range. The nearer-term worry is not a sudden break but harvest now, decrypt later: an attacker catalogues exposed public keys today and derives the keys once the hardware exists. That is another reason exposed and reused addresses are the real long-term concern.
Learn more: NIST Post-Quantum Cryptography
Is there really a quantum-resistant coin?
Yes. Post-quantum cryptography is not theoretical, it is standardized. In 2024 NIST finalized post-quantum algorithms (ML-DSA / Dilithium, SLH-DSA / SPHINCS+, and ML-KEM / Kyber) that resist both Shor's and Grover's algorithms. Several cryptocurrencies already build on these ideas:
- QRL (Quantum Resistant Ledger) the purpose-built one, using hash-based XMSS signatures that Shor's algorithm cannot break.
- QANplatform a layer-1 using lattice-based (CRYSTALS-Dilithium) signatures.
- IOTA, Cellframe and Mochimo which use or are moving toward post-quantum signature schemes.
- Ethereum which has a public roadmap toward quantum resistance, with developers already drafting migration plans.
| Project | Post-quantum approach | Status |
|---|---|---|
| QRL (Quantum Resistant Ledger) | Hash-based XMSS signatures | Purpose-built, live |
| QANplatform | Lattice-based (CRYSTALS-Dilithium) | Live layer-1 |
| Mochimo | Hash-based WOTS+ signatures | Live |
| Cellframe | Post-quantum signature support | Live |
| Ethereum | Post-quantum roadmap (account abstraction, hash-based options) | Planned / research |
| Bitcoin | Soft fork to a post-quantum signature scheme | Proposed, not yet deployed |
And crucially, being quantum-resistant is not exclusive to niche coins. As the table shows, Bitcoin itself can add a post-quantum signature scheme through a soft fork, and developer proposals for quantum-resistant address types already exist. The hard part is coordination and getting holders to move funds, not the cryptography.
A reality check
Quantum computing is a genuine long-term consideration for Bitcoin, but the doomsday framing is overblown. Most coins are protected by quantum-resilient hashing, the exposed slice is a known and shrinking problem, no machine capable of the attack exists, and the ecosystem has both standardized post-quantum algorithms and years of runway to deploy them.
The rational takeaway is not "sell Bitcoin" or "quantum is a hoax". It is that quantum resistance is a solvable engineering problem the industry is already working on, and the practical step available to any holder today is simply to avoid address reuse.
Reminder: educational only, not financial advice. Projects are named to explain the technology, not as recommendations. Do your own research.
Common Questions
Does quantum computing threaten Bitcoin?
Yes, in theory, but not today. A large, fault-tolerant quantum computer running Shor's algorithm could derive a private key from an exposed public key and spend those coins. But no such machine exists yet, most of Bitcoin's security relies on quantum-resilient hashing, and Bitcoin can upgrade its cryptography before a capable machine arrives. The threat is real but years to decades away.
Can a quantum computer steal Bitcoin?
Only if the public key tied to your coins is already visible on the blockchain, and only with a quantum computer far beyond anything that exists. Coins in a modern address that has never been spent from are protected, because the chain stores only a hash of the public key. The risk is concentrated in reused addresses and old pay-to-public-key outputs.
Which Bitcoin is most at risk from quantum computers?
The most exposed coins are in pay-to-public-key (P2PK) outputs from Bitcoin's early years, including much of the coins attributed to Satoshi, and in any address reused after spending. In both cases the public key is already published on chain. Estimates suggest several million BTC, roughly a quarter of supply, sit in such exposed or reused addresses.
When could quantum computers break Bitcoin?
Not soon. Breaking Bitcoin's elliptic-curve signatures would need a fault-tolerant quantum computer with millions of physical qubits; today's machines have around a thousand noisy qubits. Expert surveys generally place a cryptographically relevant quantum computer a decade or more out, with many estimates in the 2035 to 2040-plus range. The nearer-term concern is harvest-now-decrypt-later.
Is there a quantum-resistant cryptocurrency?
Yes. The Quantum Resistant Ledger (QRL) is purpose-built around hash-based XMSS signatures that Shor's algorithm cannot break. Others working on post-quantum cryptography include QANplatform, IOTA, Cellframe and Mochimo, and Ethereum has a public roadmap toward quantum resistance. These schemes use the post-quantum algorithms NIST standardized in 2024, which any chain, including Bitcoin, can eventually adopt.
Can Bitcoin be upgraded to resist quantum computers?
Yes. Bitcoin can add a post-quantum signature scheme through a soft fork, and developer proposals for quantum-resistant address types already exist. The main obstacles are coordination and getting holders to move funds to new address types, not the cryptography. Because the threat is still years away, there is time to plan and deploy such an upgrade.
What is harvest now, decrypt later?
It is the strategy of recording data protected today so it can be decrypted once quantum computers are powerful enough. For Bitcoin it means an attacker could catalogue exposed public keys now and derive the private keys years later. It is why exposed and reused addresses are the real long-term concern, even though no quantum computer can act on them yet.
Explore the markets
Partner platforms (sponsored). We may earn a commission if you sign up. Not a recommendation or financial advice.