Connect with us

CRYPTO

Bitcoin’s Quantum Threat Needs 500,000 Qubits, Not Today’s 105

Quantum computers need about 500,000 qubits to crack Bitcoin’s encryption, but today’s largest working machine has only 105, keeping Q-Day years away.

Published

on

Quantum computers need fewer than 500,000 qubits to break the cryptography protecting every Bitcoin wallet, according to a paper Google Quantum AI published in March 2026. The largest machine that can run a real algorithm today holds 105 qubits. That gap hasn’t meaningfully closed in years, no matter how fast the underlying math improves.

2026 has delivered one alarming headline after another: a Jefferies strategist dumping his Bitcoin allocation over quantum fears, a theoretical nine-minute attack on live transactions, 6.9 million coins already sitting exposed on the blockchain. None of it has moved the real timeline much. Physical hardware remains the binding constraint, and hardware doesn’t compound the way software does.

The Hardware Gap No One’s Closing Yet

No quantum computer built anywhere today can run the attack Google described. The paper’s authors, a team that included Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh alongside Google’s own Quantum AI scientists, built their 500,000-qubit estimate around a machine that doesn’t exist yet. Google’s most advanced chip, Willow, holds 105 qubits, the most any machine has used to run a genuine algorithm.

IBM’s Condor chip carries more raw qubits, 1,121 of them, but its error rate runs too high to execute anything meaningful. Caltech researchers used optical tweezers in 2025 to hold 6,100 neutral atoms in place as qubits at once, an engineering feat that still didn’t involve computing anything. Holding qubits in place and computing with them remain different problems, and progress on the first keeps outpacing the second.

Milestone Qubits Detail
2019 industry estimate About 20 million physical Early benchmark for breaking 256-bit elliptic curve cryptography at scale
2025 estimate Under 1 million physical Algorithm and error-correction refinements shrink the target
Google Quantum AI, March 2026 Under 500,000 physical, about 1,200 logical Superconducting design, runtime measured in minutes once built
Caltech and Oratomic, March 2026 About 26,000 physical Neutral-atom design, estimated 10-day runtime
Google Willow chip 105 qubits Largest machine to run a real algorithm, March 2026
IBM Condor chip 1,121 qubits Largest qubit count built, too noisy for real algorithms

The pattern holds across nearly every metric that matters. Theoretical requirements keep falling. The number of qubits that can actually compute something reliably, in one machine, barely moves.

Twenty Million Qubits Down to Five Hundred Thousand

The theoretical side has moved fast. In 2019, researchers estimated that breaking 256-bit elliptic curve cryptography, the ECC math behind Bitcoin, Ethereum, and much of the encrypted internet, would take around 20 million physical qubits. By 2025 that estimate had fallen under 1 million. Early 2026 research pushed some projections as low as 100,000 qubits under specific conditions.

Google’s March paper landed at under 500,000 physical qubits and roughly 1,200 logical, error-corrected ones for a superconducting design. A separate paper from Caltech and quantum startup Oratomic argued a neutral-atom machine could do the job with about 26,000 physical qubits, running for roughly 10 days instead of minutes. Different hardware, different math, but the estimates keep moving the same direction. Software specialists such as Zapata Quantum are meanwhile closing the gap between hardware and application layers elsewhere in the quantum computing industry, since raw qubits alone don’t produce usable programs.

None of that theoretical progress has produced a bigger working machine. Analysts tracking the field put today’s hardware gap at 400 to 500 times the roughly 1,200 logical qubits an attack needs, since 2026’s best machines manage only about 100 of them. An assessment published in June 2026 separated the two quantum algorithms at play and concluded Bitcoin faces a bounded and substantially mitigable threat rather than an existential one.

Public quantum hardware has made real, if tiny, progress against actual cryptography too. In April 2026, independent researcher Giancarlo Lelli broke a 15-bit elliptic curve key on publicly accessible IBM hardware, winning a 1 BTC bounty from quantum security firm Project Eleven. It was 512 times larger than the previous public record, a 6-bit break set in September 2025. Bitcoin uses 256-bit keys. Each additional bit roughly doubles the computational challenge, so the distance between 15 and 256 is not a rounding error.

The Nine-Minute Race Hidden in Every Transaction

Bitcoin’s security rests on one mathematical assumption: you cannot work backward from a public key to the private key that generated it. Elliptic curve cryptography turns a private key into a public one through operations that run fast forward and, for classical computers, are practically irreversible.

Mathematician Peter Shor proved in 1994 that a sufficiently powerful quantum computer could reverse that math in polynomial time by solving what’s called the elliptic curve discrete logarithm problem. The algorithm doesn’t guess every possible key one by one. It uses quantum superposition to expose a repeating pattern connecting a public key to its private counterpart, then reads that pattern with a Fourier transform.

Google’s paper modeled what that looks like in practice. A quantum computer could be primed in advance, pre-computing everything that doesn’t depend on a specific key, then finish the job in about nine minutes once a target public key appears in the mempool during a live transaction. Bitcoin’s average confirmation window runs about 10 minutes, giving a hypothetical attacker just under a 41% chance of beating the original transaction to the blockchain.

Bitcoin’s 2021 Taproot upgrade complicated things further. It changed how addresses work so public keys show up on chain by default, expanding the pool of wallets exposed to this kind of attack, CoinDesk reported. Mining stays untouched either way. It runs on SHA-256 hashing, a different problem that Shor’s algorithm cannot solve.

How Many Bitcoin Are Already Exposed?

Roughly 6.9 million bitcoin, more than a third of the coins in circulation, already have their public keys sitting on the blockchain through reused addresses or early wallet formats. A working quantum computer wouldn’t need to race the mempool clock to take those. It could work through them at leisure, one at a time.

  • 6.9 million BTC sit in addresses with exposed public keys, per Coin Metrics’ State of the Network research
  • 1.7 million BTC of that total has stayed dormant since Bitcoin’s earliest Satoshi-era years
  • 35% of supply sits in address types Ark Invest considers theoretically vulnerable to a future quantum attack
  • 41% odds a primed quantum computer beats a live transaction to confirmation, per Google’s modeled attack scenario

Modern wallets limit new exposure by generating a fresh receiving address for every transaction, so a coin only becomes a target once its owner spends from an address that has already revealed its public key on chain.

Jefferies Sold the Fear, Coinbase Bought Time

Not everyone in finance is waiting calmly. In January 2026, Christopher Wood, global head of equity strategy at Jefferies, pulled Bitcoin’s entire 10% weighting from his widely followed Greed & Fear model portfolio, citing long-term quantum risk, and replaced it with a 5% allocation to physical gold and another 5% to gold mining stocks. The move rattled crypto markets for a stretch.

  • Jefferies: Christopher Wood dropped Bitcoin’s allocation entirely in January 2026, calling the quantum threat serious enough to justify an exit now
  • Ark Invest: called quantum computing a long-term consideration rather than an imminent threat, arguing real danger would surface through visible milestones that give developers time to adapt
  • Coinbase’s advisory board: a panel that includes Justin Drake and Dan Boneh concluded a capable machine remains at least two major engineering leaps away, while still urging migration to begin immediately

The board’s view is straightforward: the time to start preparing is now, not when it’s urgent.

Coinbase analysts wrote that in a blog post accompanying the board’s position paper, published in late April 2026.

Other voices go further. Chris Tam, head of quantum innovation at quantum security firm BTQ Technologies, called it the most direct and existential threat facing crypto asset networks today. Zach Pandl, head of research at Grayscale, has flagged a narrower problem: post-quantum signatures run so much larger than today’s that they could strain the block size limits chains like Bitcoin impose on every block.

Who’s Actually Building Quantum-Safe Rails

Bitcoin is the one major blockchain that hasn’t formally started migrating. Others already have a head start.

  • Ripple: running a four-phase plan targeting quantum resistance for the XRP Ledger by 2028, already testing ML-DSA signatures on its AlphaNet
  • Ethereum: formed a dedicated Post-Quantum Security team in January 2026 to build hash-based signatures into its long-term roadmap
  • Google: set an internal deadline of 2029 to finish moving its own systems to post-quantum cryptography
  • TRON: activated post-quantum signatures on its Nile testnet, giving developers a live environment to test the new math
  • Bitcoin: still discussing BIP-360, a proposed quantum-resistant address format, with no upgrade enacted yet

The algorithms already exist. The National Institute of Standards and Technology, known as NIST, finalized three post-quantum standards in August 2024: ML-KEM for key exchange, ML-DSA for signatures, and SLH-DSA as a hash-based backup, then added a fourth, HQC, in March 2025. Cloudflare says more than 60% of human-initiated web traffic to its network already runs on ML-KEM. Bitcoin’s holdup isn’t the cryptography. It’s coordinating millions of holders, some anonymous, some gone entirely, to move funds voluntarily.

Post-quantum signatures also take up far more space than the roughly 70-byte signatures Bitcoin uses now, ballooning to several kilobytes in some schemes. That’s why developers are leaning on compression tricks like aggregate signatures rather than a straight swap.

When Could Quantum Computing Actually Break Bitcoin?

Most estimates cluster between 2030 and 2045. The National Institute of Standards and Technology and the National Security Agency, or NSA, are both targeting 2035 to phase out vulnerable cryptography entirely. Justin Drake has put the odds of a working machine recovering a Bitcoin private key by 2032 at roughly 10%. Nobody in the field claims certainty.

The NSA’s newer CNSA 2.0 framework already requires all new national security systems to be quantum-safe by January 2027, well ahead of the broader 2035 deprecation goal. A survey of global cryptography experts found that a third of respondents assign 50% or better odds to a code-breaking quantum machine arriving somewhere between 2030 and 2035.

Options markets haven’t priced in much urgency either. Bitcoin’s implied volatility recently touched a nine-month low, a sign traders aren’t yet betting on a near-term shock of any kind, quantum or otherwise.

NIST wants vulnerable cryptography retired by 2035. Bitcoin, so far, hasn’t set a deadline of its own.

Frequently Asked Questions

Can Quantum Computers Steal Bitcoin Right Now?

No. No quantum computer built today combines enough error-corrected qubits to run Shor’s algorithm at the scale Bitcoin’s encryption requires. A classical computer, by contrast, would need far longer than the age of the universe to reverse a private key from a public key through brute force, which is exactly the gap quantum computing is trying to close.

What Is BIP-360?

BIP-360 is a proposed Bitcoin Improvement Proposal that would add new quantum-resistant address types to the network, letting holders voluntarily migrate funds to post-quantum signatures. It remains in the discussion stage with no enacted timeline, unlike Ripple’s or Ethereum’s already-published migration plans.

Does Quantum Computing Threaten Bitcoin Mining?

No. Mining relies on SHA-256 hashing, a completely different problem from the elliptic curve math Shor’s algorithm attacks. The relevant quantum algorithm for hashing, Grover’s, only offers a quadratic speedup rather than an exponential one. Justin Drake has said commercially viable attacks on Bitcoin mining through Grover’s algorithm are decades, possibly centuries, away.

What Happens to Bitcoin That Nobody Ever Moves?

Coins in dormant, exposed addresses, including an estimated 1.7 million from Bitcoin’s earliest years, would stay permanently vulnerable if a capable quantum computer ever arrives, since no one would move them to a safer address type. The only proposed fix involves the community eventually agreeing to freeze or retire unmigrated coins after a grace period, a decision Bitcoin’s decentralized governance has not attempted before.

Is Ethereum More Exposed Than Bitcoin?

Ethereum’s accounts are persistent and get reused, so in theory every wallet that has ever sent a transaction would be exposed if quantum computing arrived tomorrow. But Ethereum has spent roughly eight years building toward post-quantum migration and formed a dedicated security team in January 2026, while Bitcoin has not yet begun a coordinated migration of its own.

What Exactly Is Q-Day?

Q-Day is the point when quantum computers first gain the practical ability to break the public-key cryptography protecting Bitcoin, banking, and most of the internet. Mainstream expert estimates cluster between 2035 and 2045, with accelerated scenarios pulling that forward to 2030 through 2035; anything before 2030 is generally considered a low-probability tail risk.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Quantum computing’s risk to Bitcoin and other cryptocurrencies involves significant technical and forecasting uncertainty. Consult a qualified financial or security professional before making investment decisions. Figures are accurate as of publication in July 2026.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending