How many qubits are needed to break Bitcoin?

Approximately 4,000 error-corrected (logical) qubits running Shor's algorithm could break the ECDSA secp256k1 elliptic curve cryptography that Bitcoin uses for transaction signing. Due to quantum error correction overhead, this translates to roughly 4 million physical qubits at today's error rates (around 0.1%). With improved error rates (below 0.01%), the physical qubit requirement could drop to hundreds of thousands, but this still far exceeds current hardware.

When will quantum computers threaten cryptocurrency?

Most experts estimate the 2030s at the earliest, with many placing the timeline in the 2040s or beyond. IBM's roadmap targets 100,000+ qubits by 2033. Google aims for a useful error-corrected quantum computer by 2029, but "useful" does not mean "cryptographically relevant." Even the most aggressive estimates require approximately a 4,000x increase in physical qubit count plus a 100x improvement in error rates compared to 2026 hardware.

Is my Bitcoin safe from quantum computers?

Yes, for the foreseeable future. The quantum threat to Bitcoin is real but distant. The most vulnerable bitcoins are those in addresses where the public key has been exposed (reused addresses or those with prior outgoing transactions), which represent roughly 25% of all BTC. Bitcoin stored in addresses that have never made outgoing transactions are protected by SHA-256 hashing in addition to ECDSA, adding another layer of quantum resistance. The Bitcoin community has years to implement post-quantum cryptographic upgrades before quantum computers become a credible threat.

What is Shor's algorithm?

Shor's algorithm, discovered by mathematician Peter Shor in 1994, is a quantum algorithm that can factor large integers and compute discrete logarithms exponentially faster than any known classical algorithm. This is relevant to Bitcoin because ECDSA relies on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). A sufficiently large, error-corrected quantum computer running Shor's algorithm could derive a Bitcoin private key from its public key. However, the algorithm requires thousands of logical qubits with very low error rates, which is far beyond current hardware.

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by both classical and quantum computers. In August 2024, NIST finalized three post-quantum standards: FIPS 203 (ML-KEM, based on CRYSTALS-Kyber) for key encapsulation, FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium) for digital signatures, and FIPS 205 (SLH-DSA, based on SPHINCS+) for hash-based signatures. These use mathematical problems — lattice-based and hash-based — that quantum computers cannot efficiently solve. Bitcoin could adopt hash-based signature schemes like SPHINCS+ to become quantum-resistant.

Which quantum companies are closest to breaking encryption?

No quantum company is close to breaking modern encryption. The leaders in qubit count and error correction — IBM (1,121 qubits with Condor), Google (105 qubits with Willow, below-threshold error correction), Quantinuum (56 qubits, highest fidelity at 99.9975%), and Atom Computing (1,180-qubit neutral atom array) — are all orders of magnitude away from the roughly 4 million physical qubits needed. The focus across the industry is on achieving fault tolerance and quantum advantage for scientific computing, not breaking cryptography.

Should I sell my Bitcoin because of quantum computing?

The quantum threat alone is not a reason to sell Bitcoin in 2026. The timeline for cryptographically relevant quantum computers is measured in decades, not years. Bitcoin's protocol can be upgraded through soft forks to use post-quantum signature schemes, and the Bitcoin Core development community is already researching these upgrades. Multiple major cryptocurrencies and blockchain platforms are also exploring quantum-resistant cryptography. The quantum threat is a long-term engineering challenge, not an imminent existential risk to cryptocurrency.

QUANTUM.INTEL

IONQForte+36.AQ.LiveIBM.QCondor+1121.QubitsQNTNMHelios+48.LogQubitsPSIQNTMPhotonic+$1B.SeriesERGTIAnkaa-3+99.5%.FidelQBTSAdv2+5000.QubitsQUERAAquila+256.QubitsSNDX.AQAQ+AI+$500M.SerEPASQLNeutral+EUR152M.SerBXNDUBorealis+SPAC.$302MINFLQColdAtom+SPAC.$540MFUND.YTD2025-26$6.2B.Raised

Home/Is Quantum Computing a Threat to Bitcoin?

QUANTUM THREAT ANALYSIS // CRYPTOGRAPHY

Can Quantum Computers Break Bitcoin?

Q: Can quantum computers break Bitcoin?

Not today, and not for at least a decade. Breaking Bitcoin's ECDSA secp256k1 signatures requires approximately 4,000 logical qubits, which translates to roughly 4 million physical qubits at current error rates. The largest quantum processor in 2026 has approximately 1,200 physical qubits with error rates roughly 1,000x too high for cryptographic attacks. The gap between current quantum capabilities and what is needed to threaten Bitcoin is enormous.

Bitcoin's ECDSA secp256k1 signatures could theoretically be broken by a quantum computer running Shor's algorithm with approximately 4,000 logical qubits. In practice, this requires roughly 4 million physical qubits at current error rates. The largest quantum processor in 2026 has approximately 1,200 physical qubits with error rates roughly 1,000 times too high. This page provides a technical breakdown of the gap between current quantum hardware and what would be needed to threaten Bitcoin, plus the post-quantum cryptography upgrades already underway.

Published: March 2026 | Updated: March 2026 | Source: quantumintel.tech

Logical Qubits to Break ECDSA

~4,000

Physical Qubits Needed

~4 Million

Current Best Processor

~1,200 qubits

Estimated Threat Timeline

2030s-2040s

BTC Market Cap at Risk

$1.7T+

NIST PQC Standards

3 (Aug 2024)

SECTION 01 // THE TECHNICAL REALITY

The Technical Reality: What's Needed vs. What Exists

Bitcoin uses two cryptographic primitives that a quantum computer could theoretically attack. For transaction signing, Bitcoin employs ECDSA with the secp256k1 elliptic curve. For mining (proof-of-work), it uses SHA-256 hashing. Shor's algorithm threatens ECDSA; Grover's algorithm theoretically weakens SHA-256, but only offers a quadratic speedup (effectively halving the key length from 256 to 128 bits), which is insufficient for a practical attack.

The primary quantum threat to Bitcoin is therefore an attack on ECDSA signatures using Shor's algorithm. Here is what that attack would require versus what exists today:

Metric	Required to Break ECDSA-256	Current State (2026)
Physical Qubits	~4,000,000	~1,200 (IBM Condor)
Logical Qubits	~4,000	12 demonstrated (Quantinuum)
Two-Qubit Gate Error Rate	<0.001% (10⁻⁵)	~0.025% (Quantinuum H2 best)
Coherence Time Needed	Hours (for full computation)	Microseconds to seconds
Gate Operations per Run	~10⁹ (billions)	~10³ before decoherence

Sources: IBM Quantum roadmap, Quantinuum published fidelity data, arXiv:2112.00655 (Gidney & Ekerå qubit estimates). Data as of March 2026.

SECTION 02 // ATTACK MECHANICS

How Would a Quantum Attack on Bitcoin Work?

A quantum attack on Bitcoin would target the elliptic curve discrete logarithm problem (ECDLP) underlying ECDSA. When a Bitcoin user signs a transaction, they use a private key to produce a signature that includes the corresponding public key. Shor's algorithm can reverse this process: given a public key, it can compute the private key in polynomial time on a sufficiently large quantum computer.

There are two attack scenarios:

LONG-RANGE ATTACK (EXPOSED PUBLIC KEYS)

Approximately 25% of all Bitcoin (roughly 4-5 million BTC) sits in addresses where the public key has been revealed through prior transactions. An attacker with a cryptographically relevant quantum computer could derive the private keys for these addresses without any time constraint. This includes early Satoshi-era coins using pay-to-public-key (P2PK) format.

TRANSACTION-INTERCEPTION ATTACK (10-MINUTE WINDOW)

When a user broadcasts a transaction, the public key is revealed in the mempool before the transaction is confirmed in a block. An attacker would need to derive the private key, construct a competing transaction, and get it mined — all within roughly 10 minutes (one Bitcoin block interval). This is an extremely demanding constraint even for a powerful quantum computer. Estimates suggest a quantum computer would need to break ECDSA in under 10 minutes, which would require approximately 317 million physical qubits using current architectures.

KEY NUANCE

Grover's algorithm poses a theoretical threat to SHA-256 mining, but only provides a quadratic speedup. This effectively reduces SHA-256 from 256-bit to 128-bit security, which is still computationally infeasible to brute-force. The practical threat to Bitcoin is Shor's algorithm against ECDSA, not Grover's against SHA-256.

SECTION 03 // ROADMAP ANALYSIS

Quantum Computing Roadmaps vs. Bitcoin Security

Every major quantum computing company has published hardware roadmaps. None of them project reaching the qubit counts needed to threaten Bitcoin before the 2030s, and most estimates place the timeline significantly later.

Company	Current (2026)	Roadmap Target	Could Threaten BTC?
IBM	1,121 qubits (Condor), 156 qubits (Heron)	100,000+ qubits by 2033	Not before mid-2030s at earliest
Google	105 qubits (Willow)	Useful error-corrected QC by 2029	Error-corrected, not cryptographically relevant. 2040s+
Quantinuum	56 qubits (H2), 99.9975% fidelity	Universal fault-tolerant QC	Highest fidelity but far too few qubits. 2040s+
IonQ	36 algorithmic qubits (Forte Enterprise)	1,024 qubits by 2028	Scaling too slow for crypto threat. 2040s+
Atom Computing	1,180-qubit array	Error-corrected systems	Large array but high error rates. 2040s+
Microsoft	8 topological qubits (Majorana 1)	1M qubits (long-term)	Earliest credible path if topology works. Late 2030s+

Sources: Company roadmaps, investor presentations, and published research. Threat timelines are quantumintel.tech estimates based on extrapolating current error correction overhead.

SECTION 04 // POST-QUANTUM DEFENSE

Post-Quantum Cryptography: How Bitcoin Can Upgrade

The cryptographic community is not waiting for quantum computers to arrive. NIST finalized three post-quantum cryptographic standards in August 2024, providing algorithms that resist both classical and quantum attacks:

Standard	Algorithm	Type	Based On	Relevance to Bitcoin
FIPS 203	ML-KEM (CRYSTALS-Kyber)	Key Encapsulation	Lattice-based	Not directly applicable (Bitcoin does not use key exchange)
FIPS 204	ML-DSA (CRYSTALS-Dilithium)	Digital Signature	Lattice-based	Potential ECDSA replacement, but large signatures (~2.4 KB)
FIPS 205	SLH-DSA (SPHINCS+)	Digital Signature	Hash-based	Strong candidate for Bitcoin: relies only on hash function security

Bitcoin's Upgrade Path

Bitcoin can adopt post-quantum signatures through a soft fork, similar to the Taproot upgrade activated in November 2021. The most discussed approaches include:

Hash-based signatures (SPHINCS+/SLH-DSA)

Relies only on the security of hash functions, which quantum computers cannot efficiently break. The trade-off is significantly larger signatures (~7-49 KB vs. 64 bytes for ECDSA), increasing transaction size and blockchain storage requirements.

Lattice-based signatures (CRYSTALS-Dilithium/ML-DSA)

Offers smaller signatures than hash-based schemes (~2.4 KB) but relies on the hardness of lattice problems, which are less battle-tested than hash functions. Widely considered secure but with a shorter track record.

Hybrid approach (ECDSA + PQC)

Use both a classical ECDSA signature and a post-quantum signature simultaneously during a transition period. This ensures security even if either scheme is broken, at the cost of larger transactions.

Commit-then-reveal schemes

Users commit to a transaction hash before revealing the public key, reducing the window of vulnerability. This can be implemented without changing the signature algorithm itself and is compatible with Bitcoin's existing scripting capabilities.

SECTION 05 // VERDICT

Bottom Line

QUANTUMINTEL.TECH ASSESSMENT

No, quantum computers cannot break Bitcoin today or in the near future.

The gap between current quantum capabilities (~1,200 noisy physical qubits) and what is needed (~4 million error-corrected physical qubits) is enormous. Even the most optimistic industry roadmaps place a cryptographically relevant quantum computer in the 2030s at the earliest, with most independent researchers estimating the 2040s or later.

Bitcoin has time to upgrade to post-quantum signature algorithms. NIST finalized three post-quantum standards in 2024 (FIPS 203, 204, 205), and the Bitcoin Core development community is actively researching how to integrate hash-based or lattice-based signatures through a soft fork. Multiple viable upgrade paths exist.

The quantum threat to Bitcoin is real but distant. It is an engineering challenge to be solved over the next decade, not an imminent crisis. Investors and holders should monitor quantum computing progress but should not make financial decisions based on the current state of quantum technology.

Threat Level (2026)

None

Threat Level (2030s)

Low-Moderate

Threat Level (2040s+)

Significant if no upgrade

Upgrade Feasibility

High

SECTION 06 // FAQ

Frequently Asked Questions

← Error Correction Tracker Quantum Modality Guide →

RELATED INTELLIGENCE

Quantum Advantage Timeline: When Will It Matter? →Superconducting vs Trapped Ion vs Photonic Qubits →Every Quantum Computing Company: Complete List →