CRYPTO
Bitcoin’s Quantum Threat Needs 500,000 Qubits, Not Today’s 105
Quantum computers need about 500,000 qubits to crack Bitcoin’s encryption, but today’s largest working machine has only 105, keeping Q-Day years away.
Quantum computers need fewer than 500,000 qubits to break the cryptography protecting every Bitcoin wallet, according to a paper Google Quantum AI published in March 2026. The largest machine that can run a real algorithm today holds 105 qubits. That gap hasn’t meaningfully closed in years, no matter how fast the underlying math improves.
2026 has delivered one alarming headline after another: a Jefferies strategist dumping his Bitcoin allocation over quantum fears, a theoretical nine-minute attack on live transactions, 6.9 million coins already sitting exposed on the blockchain. None of it has moved the real timeline much. Physical hardware remains the binding constraint, and hardware doesn’t compound the way software does.
The Hardware Gap No One’s Closing Yet
No quantum computer built anywhere today can run the attack Google described. The paper’s authors, a team that included Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh alongside Google’s own Quantum AI scientists, built their 500,000-qubit estimate around a machine that doesn’t exist yet. Google’s most advanced chip, Willow, holds 105 qubits, the most any machine has used to run a genuine algorithm.
IBM’s Condor chip carries more raw qubits, 1,121 of them, but its error rate runs too high to execute anything meaningful. Caltech researchers used optical tweezers in 2025 to hold 6,100 neutral atoms in place as qubits at once, an engineering feat that still didn’t involve computing anything. Holding qubits in place and computing with them remain different problems, and progress on the first keeps outpacing the second.
| Milestone | Qubits | Detail |
|---|---|---|
| 2019 industry estimate | About 20 million physical | Early benchmark for breaking 256-bit elliptic curve cryptography at scale |
| 2025 estimate | Under 1 million physical | Algorithm and error-correction refinements shrink the target |
| Google Quantum AI, March 2026 | Under 500,000 physical, about 1,200 logical | Superconducting design, runtime measured in minutes once built |
| Caltech and Oratomic, March 2026 | About 26,000 physical | Neutral-atom design, estimated 10-day runtime |
| Google Willow chip | 105 qubits | Largest machine to run a real algorithm, March 2026 |
| IBM Condor chip | 1,121 qubits | Largest qubit count built, too noisy for real algorithms |
The pattern holds across nearly every metric that matters. Theoretical requirements keep falling. The number of qubits that can actually compute something reliably, in one machine, barely moves.

Twenty Million Qubits Down to Five Hundred Thousand
The theoretical side has moved fast. In 2019, researchers estimated that breaking 256-bit elliptic curve cryptography, the ECC math behind Bitcoin, Ethereum, and much of the encrypted internet, would take around 20 million physical qubits. By 2025 that estimate had fallen under 1 million. Early 2026 research pushed some projections as low as 100,000 qubits under specific conditions.
Google’s March paper landed at under 500,000 physical qubits and roughly 1,200 logical, error-corrected ones for a superconducting design. A separate paper from Caltech and quantum startup Oratomic argued a neutral-atom machine could do the job with about 26,000 physical qubits, running for roughly 10 days instead of minutes. Different hardware, different math, but the estimates keep moving the same direction. Software specialists such as Zapata Quantum are meanwhile closing the gap between hardware and application layers elsewhere in the quantum computing industry, since raw qubits alone don’t produce usable programs.
None of that theoretical progress has produced a bigger working machine. Analysts tracking the field put today’s hardware gap at 400 to 500 times the roughly 1,200 logical qubits an attack needs, since 2026’s best machines manage only about 100 of them. An assessment published in June 2026 separated the two quantum algorithms at play and concluded Bitcoin faces a bounded and substantially mitigable threat rather than an existential one.
Public quantum hardware has made real, if tiny, progress against actual cryptography too. In April 2026, independent researcher Giancarlo Lelli broke a 15-bit elliptic curve key on publicly accessible IBM hardware, winning a 1 BTC bounty from quantum security firm Project Eleven. It was 512 times larger than the previous public record, a 6-bit break set in September 2025. Bitcoin uses 256-bit keys. Each additional bit roughly doubles the computational challenge, so the distance between 15 and 256 is not a rounding error.
The Nine-Minute Race Hidden in Every Transaction
Bitcoin’s security rests on one mathematical assumption: you cannot work backward from a public key to the private key that generated it. Elliptic curve cryptography turns a private key into a public one through operations that run fast forward and, for classical computers, are practically irreversible.
Mathematician Peter Shor proved in 1994 that a sufficiently powerful quantum computer could reverse that math in polynomial time by solving what’s called the elliptic curve discrete logarithm problem. The algorithm doesn’t guess every possible key one by one. It uses quantum superposition to expose a repeating pattern connecting a public key to its private counterpart, then reads that pattern with a Fourier transform.
Google’s paper modeled what that looks like in practice. A quantum computer could be primed in advance, pre-computing everything that doesn’t depend on a specific key, then finish the job in about nine minutes once a target public key appears in the mempool during a live transaction. Bitcoin’s average confirmation window runs about 10 minutes, giving a hypothetical attacker just under a 41% chance of beating the original transaction to the blockchain.
Bitcoin’s 2021 Taproot upgrade complicated things further. It changed how addresses work so public keys show up on chain by default, expanding the pool of wallets exposed to this kind of attack, CoinDesk reported. Mining stays untouched either way. It runs on SHA-256 hashing, a different problem that Shor’s algorithm cannot solve.
How Many Bitcoin Are Already Exposed?
Roughly 6.9 million bitcoin, more than a third of the coins in circulation, already have their public keys sitting on the blockchain through reused addresses or early wallet formats. A working quantum computer wouldn’t need to race the mempool clock to take those. It could work through them at leisure, one at a time.
- 6.9 million BTC sit in addresses with exposed public keys, per Coin Metrics’ State of the Network research
- 1.7 million BTC of that total has stayed dormant since Bitcoin’s earliest Satoshi-era years
- 35% of supply sits in address types Ark Invest considers theoretically vulnerable to a future quantum attack
- 41% odds a primed quantum computer beats a live transaction to confirmation, per Google’s modeled attack scenario
Modern wallets limit new exposure by generating a fresh receiving address for every transaction, so a coin only becomes a target once its owner spends from an address that has already revealed its public key on chain.
Jefferies Sold the Fear, Coinbase Bought Time
Not everyone in finance is waiting calmly. In January 2026, Christopher Wood, global head of equity strategy at Jefferies, pulled Bitcoin’s entire 10% weighting from his widely followed Greed & Fear model portfolio, citing long-term quantum risk, and replaced it with a 5% allocation to physical gold and another 5% to gold mining stocks. The move rattled crypto markets for a stretch.
- Jefferies: Christopher Wood dropped Bitcoin’s allocation entirely in January 2026, calling the quantum threat serious enough to justify an exit now
- Ark Invest: called quantum computing a long-term consideration rather than an imminent threat, arguing real danger would surface through visible milestones that give developers time to adapt
- Coinbase’s advisory board: a panel that includes Justin Drake and Dan Boneh concluded a capable machine remains at least two major engineering leaps away, while still urging migration to begin immediately
The board’s view is straightforward: the time to start preparing is now, not when it’s urgent.
Coinbase analysts wrote that in a blog post accompanying the board’s position paper, published in late April 2026.
Other voices go further. Chris Tam, head of quantum innovation at quantum security firm BTQ Technologies, called it the most direct and existential threat facing crypto asset networks today. Zach Pandl, head of research at Grayscale, has flagged a narrower problem: post-quantum signatures run so much larger than today’s that they could strain the block size limits chains like Bitcoin impose on every block.
Who’s Actually Building Quantum-Safe Rails
Bitcoin is the one major blockchain that hasn’t formally started migrating. Others already have a head start.
- Ripple: running a four-phase plan targeting quantum resistance for the XRP Ledger by 2028, already testing ML-DSA signatures on its AlphaNet
- Ethereum: formed a dedicated Post-Quantum Security team in January 2026 to build hash-based signatures into its long-term roadmap
- Google: set an internal deadline of 2029 to finish moving its own systems to post-quantum cryptography
- TRON: activated post-quantum signatures on its Nile testnet, giving developers a live environment to test the new math
- Bitcoin: still discussing BIP-360, a proposed quantum-resistant address format, with no upgrade enacted yet
The algorithms already exist. The National Institute of Standards and Technology, known as NIST, finalized three post-quantum standards in August 2024: ML-KEM for key exchange, ML-DSA for signatures, and SLH-DSA as a hash-based backup, then added a fourth, HQC, in March 2025. Cloudflare says more than 60% of human-initiated web traffic to its network already runs on ML-KEM. Bitcoin’s holdup isn’t the cryptography. It’s coordinating millions of holders, some anonymous, some gone entirely, to move funds voluntarily.
Post-quantum signatures also take up far more space than the roughly 70-byte signatures Bitcoin uses now, ballooning to several kilobytes in some schemes. That’s why developers are leaning on compression tricks like aggregate signatures rather than a straight swap.
When Could Quantum Computing Actually Break Bitcoin?
Most estimates cluster between 2030 and 2045. The National Institute of Standards and Technology and the National Security Agency, or NSA, are both targeting 2035 to phase out vulnerable cryptography entirely. Justin Drake has put the odds of a working machine recovering a Bitcoin private key by 2032 at roughly 10%. Nobody in the field claims certainty.
The NSA’s newer CNSA 2.0 framework already requires all new national security systems to be quantum-safe by January 2027, well ahead of the broader 2035 deprecation goal. A survey of global cryptography experts found that a third of respondents assign 50% or better odds to a code-breaking quantum machine arriving somewhere between 2030 and 2035.
Options markets haven’t priced in much urgency either. Bitcoin’s implied volatility recently touched a nine-month low, a sign traders aren’t yet betting on a near-term shock of any kind, quantum or otherwise.
NIST wants vulnerable cryptography retired by 2035. Bitcoin, so far, hasn’t set a deadline of its own.
Frequently Asked Questions
Can Quantum Computers Steal Bitcoin Right Now?
No. No quantum computer built today combines enough error-corrected qubits to run Shor’s algorithm at the scale Bitcoin’s encryption requires. A classical computer, by contrast, would need far longer than the age of the universe to reverse a private key from a public key through brute force, which is exactly the gap quantum computing is trying to close.
What Is BIP-360?
BIP-360 is a proposed Bitcoin Improvement Proposal that would add new quantum-resistant address types to the network, letting holders voluntarily migrate funds to post-quantum signatures. It remains in the discussion stage with no enacted timeline, unlike Ripple’s or Ethereum’s already-published migration plans.
Does Quantum Computing Threaten Bitcoin Mining?
No. Mining relies on SHA-256 hashing, a completely different problem from the elliptic curve math Shor’s algorithm attacks. The relevant quantum algorithm for hashing, Grover’s, only offers a quadratic speedup rather than an exponential one. Justin Drake has said commercially viable attacks on Bitcoin mining through Grover’s algorithm are decades, possibly centuries, away.
What Happens to Bitcoin That Nobody Ever Moves?
Coins in dormant, exposed addresses, including an estimated 1.7 million from Bitcoin’s earliest years, would stay permanently vulnerable if a capable quantum computer ever arrives, since no one would move them to a safer address type. The only proposed fix involves the community eventually agreeing to freeze or retire unmigrated coins after a grace period, a decision Bitcoin’s decentralized governance has not attempted before.
Is Ethereum More Exposed Than Bitcoin?
Ethereum’s accounts are persistent and get reused, so in theory every wallet that has ever sent a transaction would be exposed if quantum computing arrived tomorrow. But Ethereum has spent roughly eight years building toward post-quantum migration and formed a dedicated security team in January 2026, while Bitcoin has not yet begun a coordinated migration of its own.
What Exactly Is Q-Day?
Q-Day is the point when quantum computers first gain the practical ability to break the public-key cryptography protecting Bitcoin, banking, and most of the internet. Mainstream expert estimates cluster between 2035 and 2045, with accelerated scenarios pulling that forward to 2030 through 2035; anything before 2030 is generally considered a low-probability tail risk.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Quantum computing’s risk to Bitcoin and other cryptocurrencies involves significant technical and forecasting uncertainty. Consult a qualified financial or security professional before making investment decisions. Figures are accurate as of publication in July 2026.
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI1 month agoMoonshot AI Targets $30 Billion in China’s Fastest AI Funding Sprint
-
AI6 days agoWhatsApp Meta Business Agent Reaches India, With a New Pricing Meter
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI1 month agoSpaceX’s Google Deal Turns a Rocket Company Into a Cloud Landlord
-
AI3 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
