Is Bitcoin Safe From Quantum Computing? What Holders Need to Know

Glenn Cameron | Global Head, Onramp Institutional

Feb 23, 2026

A clear-eyed look at the quantum computing threat, the actual timeline, and what it means for your Bitcoin.

Key Takeaways:

  • Quantum computing is advancing, but current systems are far from capable of breaking Bitcoin's cryptography. Breaking Bitcoin's elliptic curve cryptography would require approximately 6,000 logical qubits and over 100 million fault-tolerant operations. Public demonstrations as of early 2026 have achieved roughly 24 to 28 logical qubits. The gap is multiple orders of magnitude.
  • Approximately 35% of Bitcoin's total supply sits in address types that are theoretically vulnerable to a future quantum attack, but the majority of that Bitcoin could be migrated to safer formats if holders act before a cryptographically relevant quantum computer (CRQC) arrives. About 65% of the supply is already in quantum-resistant address types.
  • Bitcoin can upgrade. Proposals like BIP-360 introduce quantum-resistant address formats, and NIST has finalized post-quantum cryptography standards. The challenge is coordination across a decentralized network, which researchers estimate could take 5 to 10 years.
  • If quantum computing ever reaches the level needed to threaten Bitcoin, it will threaten the entire global financial system first. Every bank, government, and internet service relies on the same cryptographic primitives. Bitcoin will not be the first domino to fall.

Quantum computing has gone from an obscure physics concept to a headline-level concern for Bitcoin holders in a remarkably short time. In January 2026, Jefferies strategist Christopher Wood removed a 10% Bitcoin allocation from a flagship portfolio, citing quantum risk. Ark Invest and Unchained published a joint report on March 11, 2026, framing the threat as a long-term journey rather than a sudden event. The topic now surfaces in institutional risk assessments, ETF filings, and client conversations with increasing frequency.

The question is no longer whether quantum computing could affect Bitcoin. The question is when, how severe the threat actually is, and what holders should do about it. The answers require separating the signal from the noise.

What Quantum Computing Actually Is

A classical computer processes information in bits, each of which is either a 0 or a 1. A quantum computer uses qubits, which can exist in a superposition of both states simultaneously. Quantum advantage comes from interference: algorithms steer these blended states so that wrong answers cancel out and right answers get amplified.

The capability that matters for Bitcoin is Shor's algorithm, which can efficiently solve the mathematical problems underlying elliptic curve cryptography (ECC). Bitcoin uses ECC through the Elliptic Curve Digital Signature Algorithm (ECDSA) to generate key pairs and authorize transactions. A sufficiently powerful quantum computer running Shor's algorithm could derive a private key from a public key, allowing an attacker to forge valid spend authorizations.

A separate algorithm called Grover's algorithm offers a quadratic speedup for brute-forcing hash functions like SHA-256, which Bitcoin uses for mining and address generation. This would reduce SHA-256's effective security from 256 bits to 128 bits, still an enormously strong level of security and not a near-term concern.

The critical gap is between theory and practice. Running Shor's algorithm at scale against Bitcoin's 256-bit ECC would require at least 2,330 logical qubits and tens of millions to billions of quantum gates. A more detailed 2023 analysis by Litinski describes a baseline approach needing roughly 6,000 logical qubits and approximately 109 million Toffoli gates per key, translating to roughly 9.4 million physical qubits in one example architecture.

As of early 2026, the most advanced public demonstrations have achieved roughly 24 to 28 logical qubits. Physical qubit counts are crossing the 1,500 threshold, but physical qubits are not what matters for cryptography. One logical qubit can require 100 to 1,000 or more physical qubits depending on hardware and error rates. The gap between current capability and what would be needed to threaten Bitcoin is not subtle. It is multiple orders of magnitude.

Not All Bitcoin Is Equally Exposed

The quantum threat does not affect all Bitcoin the same way. The vulnerability depends entirely on whether a Bitcoin address has revealed its public key on the blockchain.

When you receive Bitcoin to a modern address format, the blockchain records a hash of your public key, not the key itself. Your actual public key is only revealed when you spend from that address. If you have received Bitcoin but never spent from that address, your public key is not exposed, and a quantum computer has nothing to attack.

The Ark Invest/Unchained report estimates approximately 35% of Bitcoin's total outstanding supply sits in theoretically vulnerable address types. This includes roughly 1.7 million BTC in legacy P2PK addresses (believed to be lost), and approximately 5.2 million BTC in reused or Taproot (P2TR) addresses that could be migrated to safer formats. The majority of the supply, about 65%, is already in quantum-resistant address types.

Two distinct attack types emerge from this picture. Long-range attacks target coins whose public keys are already visible on chain, giving an attacker effectively unlimited time to derive the private key. This is the primary risk for P2PK outputs, reused addresses, and Taproot key-path outputs. Short-range attacks, by contrast, target transactions in the mempool, where the public key is briefly exposed between when a spend is broadcast and when it is confirmed in a block. Short-range attacks require a CRQC fast enough to derive a key in minutes, a capability that is many stages beyond even a CRQC that can break keys slowly over hours or days.
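The exposure rule described above can be checked mechanically from an output's locking script. The following is an added example, not code from Onramp or from the reports cited here: it matches a scriptPubKey against the standard templates and reports whether a public key is already visible on chain. The function names, the sample scripts (filler bytes) and the `spent_from_before` flag, which the caller must supply from their own transaction history, are assumptions made for illustration.

```python
# Added example: classify a scriptPubKey by its standard template and report
# whether a public key is already visible on chain (long-range exposure).
# All sample scripts below are constructed filler bytes, not real outputs.

def classify_script(spk_hex: str) -> str:
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    # Witness programs: <version opcode> <push length> <program>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"
    return "UNKNOWN"

KEY_IN_OUTPUT = {"P2PK", "P2TR"}                   # key sits in the output itself
HASH_ONLY = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}   # only a hash until first spend

def long_range_exposed(spk_hex: str, spent_from_before: bool = False):
    """True/False for known templates, None when the template is not recognised."""
    kind = classify_script(spk_hex)
    if kind in KEY_IN_OUTPUT:
        return True
    if kind in HASH_ONLY:
        return spent_from_before   # an earlier spend from this script revealed the key
    return None

SAMPLES = {  # constructed scripts with filler key and hash bytes
    "p2pk":   "21" + "02" + "11" * 32 + "ac",
    "p2pkh":  "76a914" + "22" * 20 + "88ac",
    "p2wpkh": "0014" + "33" * 20,
    "p2tr":   "5120" + "44" * 32,
}

def audit(samples: dict, reused=()) -> dict:
    return {name: (classify_script(h), long_range_exposed(h, name in reused))
            for name, h in samples.items()}

if __name__ == "__main__":
    for name, (kind, exposed) in audit(SAMPLES, reused={"p2wpkh"}).items():
        print(f"{name:7s} {kind:7s} key visible on chain: {exposed}")
```
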

Even if a CRQC existed, the theft would not happen instantly. A quantum attacker would need to break each public key individually. Satoshi's estimated 1.1 million BTC, for example, is spread across roughly 22,000 separate addresses at about 50 BTC each. If breaking a single key takes one hour, cracking all of Satoshi's coins would take more than three years. If a day per key, more than 60 years.

For a deeper breakdown of exactly which address types are exposed and what holders can do to assess their own risk, see our full analysis: Which Bitcoin Is Vulnerable to Quantum Computing?

What the Timeline Actually Looks Like

The timeline for a cryptographically relevant quantum computer is genuinely uncertain, and people on both sides tend to overstate their confidence.

The conservative case, held by figures like Adam Back (CEO of Blockstream), puts the timeline at 20 to 40 years. NVIDIA's Jensen Huang has said practical quantum computing applications are roughly 20 years away. The Global Risk Institute's 2024 report positions the most likely window for CRQCs in the 2030s to 2040s.

The aggressive case suggests AI-accelerated error correction and exponential investment could compress the timeline to 10 to 15 years. Venture capitalist Nic Carter noted in late 2025 that quantum computing has shifted from a theoretical possibility to an engineering challenge.

Ark Invest's March 2026 report proposed a five-stage framework: from today's commercially useless machines (Stage 0) through eventual fast key-breaking (Stage 4). The report concluded that the threat will unfold as a gradual progression with visible milestones at each stage, not a sudden "Q-Day" event. This gives markets and the Bitcoin network time to adapt.

Google, IBM, Microsoft, and NIST share a consensus target in the mid-2030s for commercially useful quantum computing, still well below the level needed to threaten Bitcoin's cryptography. No quantum computer has outperformed a classical supercomputer on any commercially relevant application to date. Total historical investment in quantum computing has reached approximately $60 billion, and no profitable quantum computing business currently exists. The entire industry runs on belief in future potential, not current returns.

Another way to frame the timeline: quantum computers must first become commercially useful for fields like chemistry, materials science, and drug discovery (Stage 1 in the Ark framework) before they approach the far more demanding task of breaking modern cryptography. That intermediate step, which has not yet happened, provides a natural early warning signal. When quantum computers start doing things classical computers cannot do for real-world problems, the timeline to cryptographic relevance shortens meaningfully. Until then, the threat remains theoretical.

For a detailed look at why headlines about qubit counts are misleading and how to evaluate real progress, see: Quantum Computing and Bitcoin: Separating Hype From Reality

Bitcoin Has a Defense Playbook

Bitcoin is not standing still. The defense against quantum computing is well understood in principle, even though the implementation timeline is uncertain.

NIST finalized its first post-quantum cryptography (PQC) standards in August 2024, including algorithms like CRYSTALS-Dilithium (ML-DSA) for digital signatures. A fifth algorithm, HQC, was selected in March 2025. These standards are already being integrated into internet protocols: recent versions of OpenSSH and OpenSSL ship with PQC as the default.

On the Bitcoin side, BIP-360 proposes Pay-to-Tapscript-Hash (P2TSH), a new output type that removes Taproot's quantum-vulnerable key-path spend. A May 2025 Chaincode Labs research report proposed a dual-track strategy: a quick-deploy contingency path (roughly 2 years) and a thorough comprehensive path (roughly 7 years). The ecosystem is actively working through tradeoffs around signature sizes, blockchain efficiency, and governance.

The harder challenge is not cryptographic but human. Migrating billions of dollars of Bitcoin to new address types across a decentralized network requires wallet upgrades, exchange support, and voluntary action from millions of holders. Bitcoin's conservative governance model makes this slow by design, which is both its strength and its constraint.

For the full technical breakdown of BIP-360, the Chaincode dual-track, signature size tradeoffs, and the governance dilemma, see: How Bitcoin Can Defend Against Quantum Computing

The Bigger Picture

If a quantum computer ever becomes powerful enough to break Bitcoin's elliptic curve cryptography, it will also break the encryption that secures every bank account, every credit card transaction, every military communication, and every encrypted message on the internet. All of these systems rely on the same or similar cryptographic primitives.

This is not a Bitcoin problem. It is a civilizational infrastructure problem. Governments, militaries, and the largest technology companies in the world are already spending billions to address it. The defense is being built well ahead of the attack: PQC is already deployed across significant portions of global internet traffic.

Bitcoin will not be the first system that needs to upgrade. It will be one of many. And unlike centralized systems that can push updates from the top down, Bitcoin's decentralized architecture means the upgrade will take longer but will also be more resilient once complete, because no single entity can be coerced into weakening the new cryptographic standards.

The Bitcoin ecosystem is responding. Coinbase has established an Independent Advisory Board on Quantum Computing. Strategy (formerly MicroStrategy) has announced a Bitcoin Security Program. BIP-360 is actively being developed. The conversation has shifted from "should we worry" to "what's the plan."

What Holders Should Do Now

The quantum threat does not require emergency action, but it should inform how you think about custody and long-term security.

Use modern address formats and avoid address reuse. If your Bitcoin is in a wallet using SegWit address types and you have not reused addresses after spending, your public key is not exposed. This is the single most effective step any holder can take right now.

Think about your custody infrastructure. When the time comes to migrate Bitcoin to quantum-resistant address formats, the holders who are best positioned will be those whose custody setup can coordinate that migration efficiently. A holder managing a personal multisig across multiple hardware devices will need to manually generate new keys, create new addresses, and transfer funds across each device. A holder in an institutional custody arrangement can have that migration coordinated on their behalf, across all key-holding institutions, in a structured process with verification at each step.

Follow milestones, not headlines. The sober approach is to track logical qubits demonstrated (not physical qubits), logical error rates as systems scale, and fault-tolerant computations finishing correctly on non-trivial tasks. Define thresholds that trigger action. Adopt one policy: no strategy changes based on a viral tweet.

The quantum era is coming. The question is not whether Bitcoin survives it. The question is whether you are positioned so that your Bitcoin survives it with you.

Long-term Bitcoin security requires custody infrastructure that can adapt as technology evolves. Onramp's multi-institution custody holds your Bitcoin in segregated, client-titled wallets across three independent institutions, with the institutional coordination to manage key migrations and cryptographic upgrades when the time comes. Schedule a consultation to understand how the architecture works, or sign up here to get started.

Related Reading:

Which Bitcoin Is Vulnerable to Quantum Computing? Address Types, Exposure Tiers, and What You Can Do

How Bitcoin Can Defend Against Quantum Computing: BIP-360, Post-Quantum Cryptography, and the Road Ahead

Quantum Computing and Bitcoin: Separating Hype From Reality

What Is Bitcoin Custody? A Complete Guide for Long-Term Holders

What Is Multi-Institution Bitcoin Custody? A Bitcoin Custody Explainer

What Is Bitcoin Multisignature (Multisig)?
