TL;DR: A large enough quantum computer could break the elliptic curve signatures protecting Bitcoin and most other cryptocurrencies, but the machine needed is most likely 10 to 20+ years away, and no existing quantum computer comes close to posing a threat today. The crypto industry is aware of the risk and actively researching post-quantum solutions, but migrating entire blockchains will be one of the biggest challenges in crypto history. For now, use address formats that keep your public key off-chain until you spend, do not reuse addresses, and stay informed.
Why people are worried
Bitcoin and most cryptocurrencies rely on elliptic curve signatures to prove ownership of coins: Bitcoin uses ECDSA (and, since Taproot, Schnorr signatures) over the secp256k1 curve. When you create a wallet, a private key is generated, and from it a public key is derived by elliptic curve scalar multiplication. The security of this system rests on the elliptic curve discrete logarithm problem: for a classical computer it is computationally infeasible to reverse the process and recover the private key from the public key.
That assumption holds true against classical computers. But in 1994, mathematician Peter Shor developed an algorithm that changes the equation entirely.
Shor's algorithm
A quantum algorithm that efficiently solves the integer factoring and discrete logarithm problems underlying RSA and elliptic curve cryptography. On a sufficiently powerful quantum computer, Shor's algorithm could derive a private key from a public key in hours or days rather than the billions of years it would take a classical computer.
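To make the structure of Shor's attack concrete, here is an added example (written for this article, not taken from any quantum toolkit) of the classical half of the algorithm. Shor factors N by finding the period r of f(x) = a^x mod N; the only quantum part is finding r. In the example, find_period() is a brute-force loop, which takes time exponential in the bit length of N and therefore only works for toy moduli, standing in for the step a CRQC would perform in polynomial time. The same period-finding idea, applied to a two-dimensional function of the curve's generator and the target public key, is what recovers elliptic curve private keys.

```python
"""Shor's algorithm: the classical half, with the quantum step brute-forced.

Added example written for this article, not from any quantum toolkit. The
brute-force find_period() stands in for the quantum Fourier-transform step
that Shor's algorithm performs in polynomial time; everything else (random
base, even period, gcd of a^(r/2) +/- 1 with N) is the classical part.
"""
from math import gcd
import random


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, found by brute force (the quantum step)."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 1) -> tuple:
    """Return a nontrivial factor pair (p, q) with p * q == n and p <= q.

    n must be an odd composite that is not a prime power; those cases are
    handled by cheap classical checks before Shor's algorithm is invoked.
    """
    if n % 2 == 0:
        return 2, n // 2
    rng = random.Random(seed)  # seeded so the run is reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:                      # lucky: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_period(a, n)
        if r % 2:                       # need an even period; try another base
            continue
        y = pow(a, r // 2, n)           # y * y == 1 (mod n) by definition of r
        if y == n - 1:                  # trivial square root of 1; try another base
            continue
        p = gcd(y - 1, n)               # n divides (y-1)(y+1) but neither factor alone
        return tuple(sorted((p, n // p)))


if __name__ == "__main__":
    for n in (15, 21, 3233):            # 3233 = 53 * 61, the classic textbook RSA toy modulus
        print(n, "=", "*".join(map(str, shor_factor(n))))
```

The point of the loop in find_period() is the whole story: for a 2048-bit RSA modulus or a 256-bit curve, that loop would run for longer than the age of the universe, while a CRQC replaces it with a quantum Fourier transform over a superposition of all x at once.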
CRQC (Cryptographically Relevant Quantum Computer)
A quantum computer powerful and stable enough to actually run Shor's algorithm against real-world key sizes. No CRQC exists today. Published resource estimates put an attack on a 256-bit elliptic curve key at a few thousand error-corrected logical qubits running for many billions of gate operations, which with current error-correction overheads means millions of physical qubits with far lower error rates than today's hardware achieves.
Post-quantum cryptography
Cryptographic algorithms designed to resist attacks from both classical and quantum computers. These are typically based on mathematical problems like lattice problems that even quantum computers cannot efficiently solve. NIST finalized the first post-quantum standards in 2024.
If a CRQC were built, an attacker could take a public key visible on the blockchain, run Shor's algorithm, derive the corresponding private key, and steal all the funds in that address. That is the core of the threat.
How far away is the threat?
The gap between today's quantum computers and a CRQC is enormous. Here is where things stand:
- Current state: IBM has built a processor with just over 1,000 physical qubits, and Google's recent processors (around 100 qubits) have demonstrated error correction that improves as the code grows. Both are noisy and error-prone and cannot run Shor's algorithm against real cryptographic keys.
- What is needed: Breaking Bitcoin's 256-bit secp256k1 keys is estimated to require a few thousand logical qubits kept error-free for billions of operations. With today's error-correction overheads of roughly 1,000 physical qubits per logical qubit, that means millions of stable physical qubits, thousands of times more than exist today, and with much lower error rates.
- Expert estimates: Most quantum computing researchers place a CRQC at 10 to 20+ years away. U.S. government migration guidance (NIST IR 8547) plans to deprecate quantum-vulnerable algorithms by 2030 and disallow them by 2035; that is a planning deadline for migration, not a prediction of when a CRQC will arrive.
- But progress is accelerating: Quantum computing investment is growing rapidly, error correction techniques are improving, and breakthroughs can be unpredictable. The timeline could shorten if there are unexpected advances in qubit stability or architecture.
The honest answer is that nobody knows exactly when a CRQC will arrive. It could be 15 years. It could be 30. But it is unlikely to be 5, and it is almost certainly not today.
What is actually vulnerable?
Not all Bitcoin addresses face the same level of quantum risk. The key factor is whether the public key is exposed on-chain.
High-risk: pay-to-public-key (p2pk) addresses
In Bitcoin's earliest days, transactions used a format called pay-to-public-key (p2pk), where the full public key is stored directly on the blockchain. Approximately 1.7 million BTC -- worth over $170 billion at current prices -- sit in these old p2pk outputs. This includes the coins believed to belong to Satoshi Nakamoto. Coins in later address types whose public key has already been revealed by an earlier spend from the same address (address reuse) are in the same position.
Because the public key is permanently visible, a quantum attacker with a CRQC could take their time to derive the private key. There is no time pressure. These addresses are the most vulnerable.
Lower-risk: modern address formats
Modern Bitcoin addresses (p2pkh, p2sh, and native SegWit p2wpkh, the bc1q addresses) store only a hash of the public key or script on-chain. The public key is revealed only when you spend from the address, as part of the transaction's scriptSig or witness. A quantum attacker would therefore have only the window between your broadcast and confirmation (typically 10 to 60 minutes, longer when the mempool is congested) to derive your private key and get a competing transaction mined first. One important exception: Taproot addresses (bc1p, p2tr) place the tweaked public key directly in the output, so they are exposed from the moment they receive funds, just like p2pk.
This is a much harder attack but not impossible, especially if quantum computers become fast enough to run Shor's algorithm in minutes rather than hours.
Practical takeaway: If you hold Bitcoin, using hash-based address formats (native SegWit bc1q addresses, or legacy p2pkh) and never reusing addresses significantly reduces your quantum exposure; Taproot bc1p addresses do not give this protection. Each time you spend from an address and reveal the public key, move any remaining funds to a fresh address, and do not send new deposits to the old one.
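The distinction above comes down to what bytes sit in the output script, and it can be checked mechanically. The following is an added example written for this article (not code from Bitcoin Core or any wallet): it matches a scriptPubKey against the standard output templates and reports whether the public key is already on-chain, and it extracts the public key that a spend of a hash-based output reveals in its scriptSig or witness. All keys, hashes and signatures in it are constructed placeholder bytes, not real on-chain data.

```python
"""Which Bitcoin outputs already expose a public key on-chain?

Added example written for this article; not code from Bitcoin Core or any
wallet. The templates are the standard output types (P2PK, P2PKH, P2SH,
P2WPKH, P2WSH, P2TR). Sample keys, hashes and signatures are constructed
placeholder bytes.
"""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


@dataclass(frozen=True)
class OutputClass:
    kind: str
    pubkey_on_chain: bool  # True: a CRQC can attack the key with no time pressure
    note: str


def is_pubkey(b: bytes) -> bool:
    """Compressed (33-byte, 02/03 prefix) or uncompressed (65-byte, 04) SEC key."""
    return (len(b) == 33 and b[0] in (0x02, 0x03)) or (len(b) == 65 and b[0] == 0x04)


def classify_script_pubkey(spk: bytes) -> OutputClass:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <push pubkey> OP_CHECKSIG -- the key itself is the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG and is_pubkey(spk[1:-1]):
        return OutputClass("p2pk", True, "public key stored directly in the output")
    # P2PKH (1...): OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return OutputClass("p2pkh", False, "only HASH160(pubkey) on-chain until spent")
    # P2SH (3...): OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return OutputClass("p2sh", False, "only HASH160(redeem script) on-chain until spent")
    # P2WPKH (bc1q..., 42 chars): OP_0 <20-byte key hash>
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return OutputClass("p2wpkh", False, "only HASH160(pubkey) on-chain until spent")
    # P2WSH (bc1q..., 62 chars): OP_0 <32-byte script hash>
    if n == 34 and spk[0] == OP_0 and spk[1] == 0x20:
        return OutputClass("p2wsh", False, "only SHA256(witness script) on-chain until spent")
    # P2TR (bc1p...): OP_1 <32-byte x-only tweaked pubkey> -- visible like P2PK
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:
        return OutputClass("p2tr", True, "tweaked public key is the output itself")
    return OutputClass("nonstandard", True, "unknown template; treat as exposed")


def parse_pushes(script: bytes) -> list:
    """Return the data pushes in a script (direct pushes and OP_PUSHDATA1/2/4)."""
    pushes, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            size = op
        elif op == 0x4C:
            size, i = script[i], i + 1
        elif op == 0x4D:
            size, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        elif op == 0x4E:
            size, i = int.from_bytes(script[i:i + 4], "little"), i + 4
        else:
            continue  # a non-push opcode such as OP_CHECKSIG
        if i + size > len(script):
            raise ValueError("truncated push")
        pushes.append(script[i:i + size])
        i += size
    return pushes


def revealed_pubkeys(script_sig: bytes, witness: list) -> list:
    """Public keys an input makes public when it spends a hash-based output.

    Once this transaction is broadcast, every coin still controlled by that key
    (address reuse, later deposits) is as exposed as a P2PK output.
    """
    return [item for item in parse_pushes(script_sig) + list(witness) if is_pubkey(item)]


# --- constructed sample data (placeholders, not real keys) -------------------
PUBKEY = bytes([0x02]) + bytes([0x11]) * 32          # placeholder compressed key
KEYHASH = bytes([0x22]) * 20                         # placeholder HASH160(PUBKEY)
SIG = bytes([0x30]) + bytes([0x00]) * 70             # placeholder 71-byte DER signature

SAMPLE_OUTPUTS = {
    "p2pk": bytes([0x21]) + PUBKEY + bytes([OP_CHECKSIG]),
    "p2pkh": bytes([OP_DUP, OP_HASH160, 0x14]) + KEYHASH + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 0x14]) + KEYHASH,
    "p2tr": bytes([OP_1, 0x20]) + bytes([0x33]) * 32,
}

if __name__ == "__main__":
    for name, spk in SAMPLE_OUTPUTS.items():
        c = classify_script_pubkey(spk)
        print(f"{name:7} exposed={str(c.pubkey_on_chain):5} {c.note}")
    # Spending P2PKH: scriptSig = <sig> <pubkey>.  Spending P2WPKH: witness = [sig, pubkey].
    print("p2pkh spend reveals:", [k.hex() for k in revealed_pubkeys(bytes([0x47]) + SIG + bytes([0x21]) + PUBKEY, [])])
    print("p2wpkh spend reveals:", [k.hex() for k in revealed_pubkeys(b"", [SIG, PUBKEY])])
```

Run over a real transaction dump, the second half is the audit you want: any key returned by revealed_pubkeys() should no longer control funds after that transaction confirms.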
What about other cryptocurrencies?
The quantum threat is not unique to Bitcoin. Ethereum uses the same secp256k1 ECDSA signatures as Bitcoin; Solana and many other chains use Ed25519, a different elliptic curve. Shor's algorithm solves the discrete logarithm problem on any elliptic curve, so if a quantum computer can break Bitcoin's keys, it can break the signature schemes of Ethereum, Solana and most other chains too.
Some differences exist in how exposed each chain is. An Ethereum account's public key is recoverable from the signature of any transaction it has ever sent, so every account that has transacted is permanently exposed, closer to a reused Bitcoin address than to an unspent modern-format one. But broadly, the quantum threat applies across the entire cryptocurrency ecosystem, not just Bitcoin.
What is being done?
The cryptography and blockchain communities are not ignoring this threat. Significant work is underway:
NIST post-quantum standards (finalized 2024)
The U.S. National Institute of Standards and Technology spent years evaluating post-quantum cryptographic algorithms and finalized its first standards in 2024:
- CRYSTALS-Kyber (now ML-KEM, FIPS 203) -- a lattice-based key encapsulation mechanism used for key exchange.
- CRYSTALS-Dilithium (now ML-DSA, FIPS 204) -- a lattice-based digital signature scheme, the most relevant for blockchain applications.
- SPHINCS+ (now SLH-DSA, FIPS 205) -- a stateless hash-based signature scheme whose security rests only on hash functions, at the cost of much larger signatures.
These algorithms are designed to resist quantum attacks while remaining efficient enough for practical use. They are already being adopted by major tech companies for traditional internet security.
Bitcoin post-quantum research
Bitcoin developers are actively researching how to integrate post-quantum signature schemes into the protocol. The challenge is that post-quantum signatures are far larger than ECDSA's: a Bitcoin ECDSA signature is about 72 bytes with a 33-byte public key, whereas an ML-DSA-44 signature is 2,420 bytes with a 1,312-byte public key, and hash-based SLH-DSA signatures run to several kilobytes. Carrying those in every input would multiply transaction sizes and impact scalability. There are ongoing discussions in the Bitcoin development community about soft-fork approaches that add a quantum-resistant output type alongside the existing ones.
Ethereum's approach
Ethereum co-founder Vitalik Buterin has publicly discussed quantum-resistant upgrades and has outlined potential migration paths. Ethereum's account abstraction features could make the transition smoother by allowing wallets to adopt new signature schemes without requiring a hard fork for every user. However, a full transition remains a major engineering challenge.
Newer chains and experimental approaches
Some newer blockchain projects are exploring lattice-based cryptography and hash-based signature schemes from the ground up. While these projects are less battle-tested, they serve as useful experiments for the broader ecosystem.
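To show why hash-based signatures resist Shor's algorithm and why they are so much larger than ECDSA (the size problem raised under Bitcoin post-quantum research above), here is an added example of a Lamport one-time signature, written for this article. It is not the scheme any named chain or NIST standard uses: SLH-DSA builds many-time keys from similar one-time primitives with Merkle trees. Security rests only on SHA-256 preimage resistance, which Shor's algorithm does not touch, and the signature is 8 KB against ECDSA's 72 bytes. Keys come from os.urandom, so there are no fixed test vectors.

```python
"""Lamport one-time signatures: a minimal hash-based scheme.

Added example written for this article; not the scheme any named project or
standard uses. It illustrates two properties of hash-based signatures: they
need only a preimage-resistant hash (no number-theoretic trapdoor for Shor to
attack), and they are large. reuse_leak_count() shows why "one-time" matters.
"""
import hashlib
import os

DIGEST_BITS = 256  # one secret pair per bit of SHA-256(message)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]


def keygen() -> tuple:
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk: list, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret in that bit's slot. ONE-TIME ONLY."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk: list, msg: bytes, sig: list) -> bool:
    """Check that every revealed secret hashes to the public value for that bit."""
    if len(sig) != DIGEST_BITS:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))


def sizes(pk: list, sig: list) -> dict:
    """Byte sizes to compare with ECDSA (33-byte key, about 72-byte signature)."""
    return {"pubkey_bytes": sum(len(a) + len(b) for a, b in pk),
            "sig_bytes": sum(len(s) for s in sig)}


def reuse_leak_count(msg1: bytes, msg2: bytes) -> int:
    """Digest positions where signing both messages with ONE key reveals both
    secrets. An attacker can then choose either bit there, so forgeries become
    possible; this is why Lamport keys must never sign twice."""
    return sum(b1 != b2 for b1, b2 in zip(digest_bits(msg1), digest_bits(msg2)))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample transaction"  # constructed input, not real data
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig), "tampered:", verify(pk, msg + b"!", sig))
    print(sizes(pk, sig))
    print("positions fully leaked after a second signature:",
          reuse_leak_count(msg, b"a second message with the same key"))
```

The 16 KB public key and 8 KB signature are exactly the block-space cost the migration discussion is about; production hash-based schemes trade some of that size for extra hashing and Merkle-tree structure, but they remain tens of times larger than ECDSA.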
The migration challenge
Having post-quantum algorithms available is only half the battle. Actually migrating a live, decentralized blockchain with hundreds of billions of dollars at stake is an entirely different problem.
- Coordination: Every wallet, exchange, mining pool, and application on the network needs to upgrade. This requires broad consensus in a system specifically designed to resist centralized control.
- Transaction size: Post-quantum signatures are tens of times larger than current ECDSA signatures, increasing block space requirements and potentially raising fees.
- Lost wallets and dormant coins: This is perhaps the hardest problem. Millions of BTC sit in wallets where the owners have lost their keys, died, or simply stopped participating. These coins -- including Satoshi's estimated 1 million BTC -- can never be migrated to quantum-resistant addresses because no one can sign a migration transaction.
- The freeze debate: Some have proposed that vulnerable addresses with exposed public keys should be frozen once quantum computers become a real threat. Others argue that freezing coins -- even provably abandoned ones -- violates the fundamental property rights that make Bitcoin valuable. There is no consensus on this.
The migration will likely take years, will require multiple protocol upgrades, and will be one of the most complex coordination challenges in blockchain history.
What should you do?
The quantum threat is real but not imminent. Here is a practical approach:
- Do not panic. No quantum computer today can threaten your crypto. The timeline is measured in decades, not months.
- Use modern address formats. For Bitcoin, use native SegWit bc1q (p2wpkh) addresses, which put only a hash of your public key on-chain and reveal the key only when you spend, limiting the attack window. Avoid parking long-term holdings in Taproot bc1p addresses, whose public key is visible from the start.
- Do not reuse addresses. Each time you spend from an address (revealing your public key), send any remaining funds to a new address.
- Stay informed. Follow developments in post-quantum cryptography and blockchain upgrade proposals. When migration tools become available, use them promptly.
- Diversify with realistic expectations. Holding assets across blockchains with different upgrade timelines may reduce your exposure to any single migration failure, but since nearly every chain relies on elliptic curve signatures, it does nothing against the underlying attack itself.
- Focus on risks that are real today. Scams, exchange collapses, smart contract exploits, and poor security practices are far more likely to cause you losses than quantum computers.
The bottom line
Quantum computing is a serious long-term risk to cryptocurrency, not an immediate crisis. The cryptography that protects Bitcoin and other blockchains will eventually need to be upgraded, and the industry knows this. Post-quantum algorithms already exist and are being standardized. The hard part is not the math -- it is the migration.
Transitioning a global, decentralized, permissionless financial network to new cryptographic foundations while preserving the security and value of hundreds of billions of dollars in existing assets will be one of the biggest challenges in blockchain history. But it is a challenge the industry has years -- likely decades -- to solve.
In the meantime, the best thing you can do is understand the fundamentals of how blockchain works, practice good security habits, and keep your risk exposure at a level you can live with.