Quantum risk to Bitcoin
the ten-year problem
Key facts
- 2029Google estimate
- Threat window
- Mar 2026Google paper
- Research
- ECDSAelliptic-curve
- Vulnerable scheme
- Millionsof coins
- Exposed supply
The ten-year problem. Google research published in March 2026 suggested quantum computers capable of breaking current public key cryptography could arrive by 2029, considerably earlier than prior estimates.
The 2029 estimate
The quantum threat to Bitcoin moved from a distant hypothetical to a dated concern in March 2026, when Google published research suggesting that quantum computers capable of breaking current public-key cryptography could arrive by 2029. That estimate is considerably earlier than most prior forecasts, and it is the number now driving the debate. Whether or not 2029 proves accurate, a credible timeline measured in years rather than decades changes how seriously the risk has to be taken.
Where the exposure lies
The exposure is specific, and understanding it deflates some of the alarm. The vulnerability lies in ECDSA, the elliptic-curve signature scheme Bitcoin uses, and it only bites once a public key is exposed on the chain. That covers the earliest coins, held in pay-to-public-key outputs where the key is visible by design, and any address that has been reused after spending from it, because spending reveals the key. A quantum computer of sufficient power could derive the private key from an exposed public key and move the coins. Estimates of the vulnerable supply run into the millions of coins, a figure that includes the dormant Satoshi-era holdings that have never moved. Funds sitting behind an unused, modern address that has never revealed its public key are far better protected, which is why the quantum threat to Bitcoin is uneven rather than universal.
The migration problem
The harder part is the fix. Defending against the quantum threat to Bitcoin requires a consensus change to adopt post-quantum signature schemes, the kind of upgrade catalogued through the standards process at NIST and proposed for Bitcoin through its improvement proposals. A network with no central authority cannot simply mandate an upgrade; it has to persuade a decentralised set of participants to agree, and then it has to move coins into the new, quantum-resistant format. For active users that is a manageable migration. For dormant coins it is close to intractable, because moving them requires a signature that only the lost or absent owner can produce. That asymmetry is the crux: the coins most exposed to a future quantum computer are precisely the ones least able to be moved to safety, since the keys that would authorise the move are gone.
A governance problem in disguise
This is where the problem reveals its true shape. The cryptography is the visible part, while the binding constraint is governance: the quantum threat to Bitcoin is a coordination problem wearing a cryptography costume. Deciding whether, when and how to migrate exposed coins forces the network to confront questions it has always avoided. What happens to funds whose owners never respond? Can the community agree to freeze or invalidate vulnerable outputs to deny them to an attacker, and who holds the authority to make that call? These are political questions about legitimacy and control, and they are far harder than writing the replacement signature scheme. NIST can standardise the cryptography and the improvement proposals can specify the format, yet neither can decide, on the network’s behalf, what to do about coins whose owners will never speak for them.
What to watch
None of this argues for panic. The timeline is uncertain, the exposure is partial, and the standards work is already under way. What it argues for is attention, because the migration, if it is needed, will take years of coordination that has to begin well before any machine can actually break a key. The people who should be watching most closely are long-term holders with old, reused addresses, for whom moving to a fresh address is cheap insurance today. For the underlying hardware progress that sets the clock on all of this, see our quantum explainers, which track how close the machines actually are. The quantum threat to Bitcoin is real, distant enough to prepare for and near enough that preparation should begin now.
More in Crypto Explained
All Crypto Explained →- Bitcointhe asset, the cycle and the current drawdown
- Spot Bitcoin ETFsthe demand engine in reverse
- The CLARITY Actthe bill the whole market is waiting on
- Ethereumthe settlement layer under pressure
- Fusaka and PeerDASwhat shipped in December 2025
- Glamsterdamthe next hard fork and the parallel execution bet