- Google’s March 2026 paper estimates a key-breaking quantum attack could run on fewer than 500,000 physical qubits; Google’s own timeline for practical attacks is 2029, and industry reviews put the window at 2027–2030.
- NIST finalized three post-quantum standards in August 2024 (FIPS 203, 204 and 205, covering ML-KEM, ML-DSA and SLH-DSA), giving developers a clear migration path for quantum-resistant systems.
- Bitcoin’s signature scheme (ECDSA) is the vulnerable layer, not its SHA-256 mining hash: a public key that has been revealed on-chain or in the mempool is the specific attack surface Shor’s algorithm could exploit.
In late March 2026, Google’s quantum research team published a paper that gave the cryptocurrency community pause. The paper showed that breaking the elliptic-curve cryptography behind Bitcoin’s signatures might require far fewer quantum resources than anyone had previously estimated. The threat of a cryptographically relevant quantum computer, one powerful enough to solve the mathematical problem protecting digital signatures, moved perceptibly closer.
Frontierbeat covered the proposal to freeze quantum-vulnerable Bitcoin addresses earlier this month, including BIP-361, which would impose deadlines for migrating all Bitcoin to quantum-resistant addresses — including Satoshi’s long-dormant coins. For most readers, the reaction was some version of: “What exactly is quantum-resistant cryptography, and how worried should I actually be?”
This is the explainer that question requires.
How Encryption Works Today — and Why Quantum Computers Threaten It
Most of the cryptography protecting digital assets, financial transactions, and secure communications today is built on mathematical problems that are easy to compute in one direction but hard to reverse. The most common is the elliptic curve discrete logarithm problem (ECDLP): given a public key derived from a private key by elliptic curve scalar multiplication, there is no known efficient way to work backward and recover the private key on a classical computer. The best known classical attacks take time proportional to the square root of the group order, about 2^128 operations for a 256-bit curve.
Bitcoin’s signature scheme (ECDSA over the secp256k1 curve), Ethereum’s transaction signatures, and most of the internet’s HTTPS connections (through elliptic-curve key exchange and certificate signatures) all rely on this hardness assumption.
Quantum computers change the math. A sufficiently powerful quantum computer running Shor’s algorithm, published in 1994, solves ECDLP in polynomial time. It does not merely speed up the brute-force search; it changes the complexity class of the problem, so the usual remedy of moving to larger keys does not help.
Wikipedia’s post-quantum cryptography article notes that most widely used public-key algorithms (RSA, Diffie–Hellman and elliptic-curve schemes alike) could be broken on a sufficiently powerful quantum computer. The open questions are how powerful, and how soon that machine arrives.
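To make the asymmetry concrete, here is a from-scratch ECDSA over secp256k1, the scheme Bitcoin actually uses. This is an added example written for this explainer, not code from the page, from Google’s paper, or from any Bitcoin project. The demo private key is a made-up constant, the nonce derivation is a simplified stand-in for RFC 6979, and the arithmetic has no side-channel hardening; it exists to show that computing Q = d·G and verifying a signature are cheap, while the only classical way back from Q to d shown here is exhaustive search. Shor’s algorithm attacks exactly that last step.

```python
import hashlib
import hmac

# secp256k1, the curve Bitcoin and Ethereum use: y^2 = x^3 + 7 over GF(P)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def point_add(p1, p2):
    """Group law on the curve (affine coordinates, no side-channel hardening)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add: k*point in O(log k) additions. This is the easy direction."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey(d):
    """Public key Q = d*G. Recovering d from Q is the ECDLP that Shor's algorithm solves."""
    return scalar_mult(d, G)


def _hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def _nonce(d, z):
    # Deterministic per-(key, message) nonce so the demo is reproducible.
    # Simplified stand-in for RFC 6979, not a conforming implementation.
    mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1


def sign(d, message):
    z = _hash_to_int(message)
    k = _nonce(d, z)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if s > N // 2:                      # low-s form, as Bitcoin requires
        s = N - s
    return (r, s)


def verify(Q, message, sig):
    """Anyone can check a signature; only the holder of d could have produced it,
    for as long as d cannot be recovered from Q."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = _hash_to_int(message)
    w = pow(s, -1, N)
    R = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, Q))
    return R is not INF and R[0] % N == r


def brute_force_private_key(Q, limit):
    """The only classical route shown here: try d = 1, 2, ... until d*G == Q.
    Works for toy keys; for a random 256-bit d it would never finish."""
    acc = INF
    for d in range(1, limit + 1):
        acc = point_add(acc, G)
        if acc == Q:
            return d
    return None


if __name__ == "__main__":
    # Demo private key: an arbitrary constructed constant, not a real wallet key.
    d = 0xC0FFEE_DEADBEEF_0123456789ABCDEF_FEDCBA9876543210_0F1E2D3C4B5A6978
    Q = pubkey(d)
    sig = sign(d, b"send 1 BTC to Alice")
    print(verify(Q, b"send 1 BTC to Alice", sig), verify(Q, b"send 9 BTC to Mallory", sig))
```

Note the shape of the problem: `verify` needs only Q and a couple of scalar multiplications, so it is as cheap as signing. The security of every Bitcoin output that has revealed Q rests on `brute_force_private_key` (or its smarter cousins, Pollard rho and friends) being hopeless at 256 bits. A quantum computer running Shor’s algorithm replaces that exhaustive search with a polynomial-time computation, and nothing else in the scheme changes.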
How Far Away Is the Threat, Actually?
Current quantum computers are not a threat. Today’s machines suffer from high error rates and limited qubit counts that make them unsuitable for running Shor’s algorithm at the scale needed to crack 256-bit elliptic curve keys.
Google’s March 2026 paper updated its resource estimates: circuits capable of executing a key-breaking attack could run on a superconducting quantum computer with fewer than 500,000 physical qubits, using fewer than 1,200 logical qubits and about 90 million Toffoli gates. That is significantly fewer resources than earlier estimates required. The company’s timeline for practical quantum attacks remains 2029, based on its assessment of hardware development rates.
Webopedia’s review of post-quantum crypto projects summarized the consensus: practical attacks are possible in the 2027–2030 window, assuming continued progress in fault-tolerant qubit development. Current machines lack the fault-tolerant qubit counts needed for an attack. But the window between “doesn’t exist yet” and “too late to migrate” is narrower than it might appear, particularly for systems like Bitcoin, whose consensus rules change only through a slow and rarely exercised decentralized agreement process.
What Post-Quantum Cryptography Actually Is
Post-quantum cryptography (PQC) refers to cryptographic algorithms that are secure against both classical and quantum computers. They are not quantum algorithms themselves — they run on ordinary hardware. What makes them quantum-resistant is that the mathematical problems they rely on are believed to be hard for quantum computers to solve, unlike ECDLP.
The leading PQC approaches use different mathematical foundations:
Lattice-based cryptography relies on problems involving high-dimensional geometric structures, such as finding the shortest vector in a lattice and the related learning-with-errors problem on which ML-KEM and ML-DSA are built. These problems appear to be hard for both classical and quantum algorithms.
Hash-based signatures use only the properties of cryptographic hash functions, which are quantum-resistant under the assumption that Grover’s algorithm provides at most a quadratic speedup (halving the effective security level but not breaking the scheme). XMSS (Extended Merkle Signature Scheme) is the most established hash-based signature standard. It is stateful: each one-time key under its Merkle tree may be used exactly once, and a signer that reuses one (for example after restoring a backup) loses security.
Code-based cryptography relies on the difficulty of decoding random linear codes — a problem that has been studied for decades and has no known quantum algorithm that makes it tractable.
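The hash-based family above is easiest to understand from its simplest member, the Lamport one-time signature, which is also the cleanest way to see why XMSS must track state. The following is an added example for this explainer, not code from any standard or project; it signs 256-bit digests with SHA-256, and the `forge_after_reuse` function is the textbook attack that becomes possible the moment one key signs two digests. All messages and keys in it are constructed.

```python
import hashlib
import secrets

BITS = 256  # we sign 32-byte digests, one preimage pair per digest bit


def H(data):
    return hashlib.sha256(data).digest()


def keygen(rand=secrets.token_bytes):
    # Private key: 256 pairs of random 32-byte preimages (one pair per bit).
    sk = [(rand(32), rand(32)) for _ in range(BITS)]
    # Public key: the hash of every preimage. Forging requires finding a preimage,
    # and Grover's algorithm only gives a quadratic speedup on that search.
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(digest):
    z = int.from_bytes(digest, "big")
    return [(z >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign_digest(sk, digest):
    """Reveal exactly one preimage per bit. The other 256 stay secret,
    which is why this key must never sign a second digest."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(digest))]


def verify_digest(pk, digest, sig):
    return len(sig) == BITS and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(digest)))


def sign(sk, message):
    return sign_digest(sk, H(message))


def verify(pk, message, sig):
    return verify_digest(pk, H(message), sig)


def forge_after_reuse(d1, sig1, d2, sig2):
    """Attack on key reuse. Two signatures reveal both preimages at every bit
    position where d1 and d2 differ, so the attacker can sign any digest that
    agrees with d1 or d2 at every position. Here we build one that takes d1's
    bit at even positions and d2's at odd ones. Returns (digest, signature)."""
    b1, b2 = digest_bits(d1), digest_bits(d2)
    bits, sig = [], []
    for i in range(BITS):
        src_bits, src_sig = (b1, sig1) if i % 2 == 0 else (b2, sig2)
        bits.append(src_bits[i])
        sig.append(src_sig[i])
    forged = int("".join(map(str, bits)), 2).to_bytes(32, "big")
    return forged, sig


if __name__ == "__main__":
    sk, pk = keygen()
    s1 = sign(sk, b"pay Alice 1 BTC")
    print("valid:", verify(pk, b"pay Alice 1 BTC", s1), "bytes:", len(b"".join(s1)))
    # The mistake: signing a second message with the same one-time key.
    s2 = sign(sk, b"pay Bob 2 BTC")
    d3, s3 = forge_after_reuse(H(b"pay Alice 1 BTC"), s1, H(b"pay Bob 2 BTC"), s2)
    print("forged digest verifies:", verify_digest(pk, d3, s3))
```

Two things to take from this. First, the signature is 256 × 32 = 8,192 bytes and the public key twice that, which is why block space is the recurring objection to hash-based signatures on Bitcoin. Second, after one reuse the attacker can already validly sign a digest of his choosing from the set of combinable digests; a real attacker still needs a document that hashes to such a digest, but each additional reuse enlarges that set until every digest is forgeable. XMSS manages many such one-time keys under a Merkle tree and must record which leaf has been used; SLH-DSA avoids the state by using a few-time scheme under a hypertree, trading larger signatures for no state to lose.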
NIST finalized three PQC standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, the standardized form of CRYSTALS-Dilithium, for lattice-based digital signatures), and FIPS 205 (SLH-DSA, derived from SPHINCS+, for stateless hash-based signatures). These are the benchmarks the industry is now migrating toward.
Bitcoin’s Specific Problem
Bitcoin’s exposure to quantum computers is specific and worth understanding precisely. SHA-256, the hash function used in Bitcoin’s proof-of-work mining and in address derivation, is quantum-resistant in the sense that Grover’s algorithm provides only a quadratic speedup, reducing 256-bit preimage security to roughly 128 bits, which is not enough to break it at current parameters.
The vulnerable part is the signature scheme. Every Bitcoin transaction requires the sender to produce an ECDSA signature using their private key, and the spending script carries the corresponding public key. When a transaction is broadcast to the network, that public key sits in the mempool until the transaction is mined, on average about ten minutes. During that window, a quantum computer running Shor’s algorithm could in principle derive the private key from the public key and create a conflicting transaction spending the same coins, stealing the funds if it confirms before the legitimate one. The exposure does not end when the block is mined: the public key is then on-chain permanently, so any coins left in, or later sent to, that address can be attacked at leisure.
Addresses whose public key has never been revealed, because they have never spent, are safer, since there is no public key to attack. The caveat is that this protection depends on the output type, not only on whether the coins have moved: the earliest Bitcoin outputs, including most of the coins attributed to Satoshi, are pay-to-public-key (P2PK) outputs, which place the public key directly in the output script, so for those coins the key has been public since the block was mined. Either way, the dormant coins represent a governance challenge: any forced migration deadline could permanently freeze them if Satoshi cannot or does not migrate them.
BIP-361, as Frontierbeat reported, would impose a phased deadline for migrating all Bitcoin to quantum-resistant addresses. Missing the deadline means frozen coins, dormant addresses and Satoshi’s included. The hard cryptographic problem is already solved. The hard governance problem is not.
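Whether a given output is already exposed is a mechanical question about its script type, and a holder can answer it for their own UTXOs without trusting anyone. The following is an added example for this explainer, not code from Bitcoin Core or any wallet; it goes beyond the P2PKH case in the text to cover P2PK (key on-chain from the start) and Taproot (the x-only output key is on-chain from the start), and it extracts the public key a P2PKH spend reveals in its scriptSig. The sample scripts are constructed; the sample key is the compressed secp256k1 generator point, i.e. the public key of private key 1, and the signature bytes are a placeholder.

```python
# secp256k1 field prime, used only to sanity-check an extracted key
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F


def classify_output(script_pubkey: bytes):
    """Return (script_type, exposed_key_or_None) for a raw scriptPubKey.

    'Exposed' means the public key can be read from the unspent output itself,
    before any spend: that is what a quantum attacker needs to start on.
    """
    s = script_pubkey
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk", s[1:-1]            # <pubkey> OP_CHECKSIG: key on-chain
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh", None              # OP_DUP OP_HASH160 <20> ...: only the hash
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh", None               # OP_HASH160 <20> OP_EQUAL
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", None             # OP_0 <20-byte key hash>
    if len(s) == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", None              # OP_0 <32-byte script hash>
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "p2tr", s[2:]              # OP_1 <32-byte x-only output key>: key on-chain
    return "unknown", None


def pubkey_from_p2pkh_scriptsig(script_sig: bytes) -> bytes:
    """A P2PKH spend's scriptSig is <sig> <pubkey>; once broadcast, the key is public."""
    items, i = [], 0
    while i < len(script_sig):
        n = script_sig[i]
        if not 1 <= n <= 75:              # P2PKH scriptSigs use only direct pushes
            raise ValueError("unexpected opcode 0x%02x at offset %d" % (n, i))
        items.append(script_sig[i + 1:i + 1 + n])
        i += 1 + n
    if len(items) != 2:
        raise ValueError("not a P2PKH scriptSig (expected two pushes)")
    return items[1]


def is_on_curve(pubkey: bytes) -> bool:
    """Check that a 33-byte compressed key names a real secp256k1 point."""
    if len(pubkey) != 33 or pubkey[0] not in (2, 3):
        return False
    x = int.from_bytes(pubkey[1:], "big")
    if x >= P:
        return False
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)         # P = 3 mod 4, so this is a square root if one exists
    return y * y % P == rhs


def audit(outputs, spent_from_hashes=frozenset()):
    """outputs: list of (label, scriptPubKey). spent_from_hashes: 20-byte key hashes
    that have already appeared in a spend (their keys are therefore on-chain).
    Returns the labels whose public key is already exposed."""
    exposed = []
    for label, spk in outputs:
        kind, key = classify_output(spk)
        if key is not None:
            exposed.append(label)
        elif kind in ("p2pkh", "p2wpkh"):
            offset = 3 if kind == "p2pkh" else 2
            if spk[offset:offset + 20] in spent_from_hashes:
                exposed.append(label)     # address reuse: key revealed by an earlier spend
    return exposed


# Constructed sample data.
SAMPLE_PUBKEY = bytes.fromhex("0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")
SAMPLE_P2PK = bytes([33]) + SAMPLE_PUBKEY + b"\xac"
SAMPLE_P2PKH = bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")
SAMPLE_P2TR = bytes.fromhex("5120") + SAMPLE_PUBKEY[1:]
SAMPLE_SIG = b"\x30" + b"\x00" * 69 + b"\x01"   # placeholder for a 71-byte DER sig + sighash
SAMPLE_SCRIPTSIG = bytes([len(SAMPLE_SIG)]) + SAMPLE_SIG + bytes([33]) + SAMPLE_PUBKEY

if __name__ == "__main__":
    utxos = [("old-coinbase", SAMPLE_P2PK), ("legacy", SAMPLE_P2PKH), ("taproot", SAMPLE_P2TR)]
    print(audit(utxos))                                      # ['old-coinbase', 'taproot']
    print(audit(utxos, {b"\x11" * 20}))                      # legacy joins the list after reuse
    key = pubkey_from_p2pkh_scriptsig(SAMPLE_SCRIPTSIG)
    print(key.hex(), is_on_curve(key))
```

The practical reading of `audit` is the one the text gives, made precise: hash-based outputs (P2PKH, P2WPKH, P2SH, P2WSH) are unexposed until something spends from the same hash, P2PK outputs were exposed the day they were mined, and Taproot outputs put the tweaked key itself on-chain, so a quantum adversary who can take its discrete logarithm can produce a valid key-path spend without waiting for any mempool window.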
What Is Actually Being Built
BTQ Technologies announced in October 2025 a successful demonstration of a quantum-resistant Bitcoin implementation using NIST-approved ML-DSA (the standardized form of CRYSTALS-Dilithium), which it calls Bitcoin Quantum Core Release 0.2. Its roadmap targeted enterprise pilots in Q1 2026 and mainnet deployment with migration tools in Q2 2026.
Naoris Protocol launched its quantum-resistant blockchain mainnet in April 2026, using NIST-standardized post-quantum algorithms and reporting over 106 million processed transactions and blocking of 603 million security threats during testing. The system incorporates what it calls an “irreversible security transition” — once a wallet migrates to post-quantum keys, it cannot revert.
For Bitcoin itself, a companion proposal called SHRIMPS offers post-quantum signatures three times smaller than current NIST standards, specifically designed for Bitcoin’s block space limits. Neither BIP-361 nor SHRIMPS delivers full quantum immunity on its own. A complete base-layer transition requires coordinated upgrades across hardware wallets, exchanges, node operators, and users — a coordination problem that is harder than the cryptography.
What to Actually Do
For most individuals holding cryptocurrency today, the near-term action is simple: avoid address reuse, since spending from an address puts its public key on-chain, so send change and new deposits to fresh addresses; keep software and hardware wallets updated; and monitor whether the exchanges and custodians you use are incorporating PQC into their roadmaps.
For organizations building financial infrastructure — payment systems, institutional custody, smart contract platforms — the NIST standards provide a clear migration path. The algorithms are finalized. The implementation challenge is real but tractable. The timeline, per Google’s 2029 estimate, is not comfortable.
The window between “quantum computers can’t break this yet” and “quantum computers routinely break this” will likely be shorter than the time needed to migrate a decentralized network with billions of dollars in held assets. That is why the conversation is happening now, even though the threat is not here yet.
See also: Bitcoin BIP-361 and the Satoshi Wallet Question | Caltech 6,100-Qubit Quantum Record
