Quantum computing will not kill Bitcoin, but the real risk is approaching.

Original Title: I Spent 200 Hours Reading Quantum Computing Papers So You Don’t Have To. Bitcoin Is F.

Original Source: nvk

Original Compilation: Saoirse, Foresight News

TL;DR

· Bitcoin doesn’t use encryption—it uses digital signatures. Almost all the articles get this wrong, and the difference matters a great deal.

· Quantum computers can’t crack Bitcoin in 9 minutes. That figure describes only a theoretical circuit; the machine itself doesn’t exist, and it won’t exist for at least ten years.

· Quantum mining is physically completely impossible. The energy it would require is actually more than the total energy output of the Sun.

· Bitcoin can absolutely be upgraded—it has been upgraded successfully before (Segregated Witness, Taproot), and related work has already started (BIP-360). But the community needs to move faster.

· The real reason for upgrading isn’t a quantum threat; traditional math has broken countless cryptographic systems already, and secp256k1 is very likely next. Quantum computers have not broken any cryptographic system so far.

· There is indeed a real risk: the public keys of about 6.26 million Bitcoins have been exposed. This isn’t something to panic about, but it’s worth preparing for in advance.

Main Narrative

In one sentence, here’s everything I’m going to cover next:

The threat to Bitcoin from quantum computing is real, but it’s still far away; media coverage is broadly inaccurate and exaggerated; and the most dangerous thing isn’t quantum computers—it’s complacency or panic disguised as either “everything is fine” or “everything is over.”

Whether it’s people shouting “Bitcoin is finished,” or those claiming “nothing to worry about, don’t make a big deal,” they’re both wrong. Seeing the truth requires accepting two things at once:

· Bitcoin currently has no looming quantum threat; the practical threat could be far farther out than clickbait headlines suggest.

· But the Bitcoin community should still prepare early, because the upgrade process itself takes years.

This isn’t a reason to panic—it’s a reason to act.

Below, I’ll lay it out with data and logic.

This figure compares two major quantum algorithms: Shor’s algorithm (left) provides exponential acceleration for factoring large numbers—making it a “cryptography killer” that directly breaks public-key cryptography like RSA/ECC; Grover’s algorithm (right) provides a quadratic-speedup quantum accelerator for unstructured search. Together they show the disruptive potential of quantum computing, but so far it’s still limited by error-correction hardware that can’t yet be deployed at scale.

Media Playbook: Sensational Titles Are the Biggest Hazard

Every few months, the same show comes around again:

· A quantum computing lab publishes a rigorous research paper with lots of limiting conditions.

· Tech media instantly turns it into: “Quantum computer cracks Bitcoin in 9 minutes!”

· Crypto Twitter simplifies it to: “Bitcoin is dead.”

· Your friends and relatives message you asking whether you should sell right away.

· But the original paper doesn’t say any of that.

In March 2026, Google’s Quantum AI team published a paper stating that the number of physical qubits needed to break Bitcoin’s elliptic-curve cryptography could be reduced to below 500k, improving on earlier estimates by 20x. This is indeed important research. Google is being very cautious: it didn’t disclose an actual attack circuit, and instead only released a zero-knowledge proof.

But the paper never said that Bitcoin can be cracked right now, never gave a clear timeline, and never said that people should panic.

Yet the headline is: “Crack Bitcoin in 9 minutes.”

CoinMarketCap previously published “Will AI-accelerated quantum computing destroy Bitcoin in 2026?” The body of the article explains that the answer is almost certainly “no.” That’s the classic play: use a sensational title to drive traffic, but keep the wording careful in the main text. However, 59% of shared links are never opened by anyone—because for most people, the headline is the information.

As someone put it perfectly: “The market prices risk extremely fast. You can’t steal something that once you touch it, it goes to zero.” If quantum computing really were going to upend everything, Google itself—using the same kind of cryptography—would have seen its stock price collapse long ago. But Google’s stock has stayed steady.

Conclusion: The title is the real rumor. The research itself is real and worth understanding—so let’s read it seriously.

What Quantum Computers Really Threaten—and What They Don’t

The biggest misconception: “Encryption”

Almost all articles about quantum computing and Bitcoin use the word “encryption.” That’s wrong—and it’s wrong in a way that affects everything.

Bitcoin doesn’t protect assets with encryption; it relies on digital signatures (ECDSA, later using Schnorr through Taproot). The blockchain itself is public: all transaction data is forever visible to everyone. There’s nothing that needs to be “decrypted.”

As Adam Back, the inventor of Hashcash (cited in Bitcoin’s whitepaper), said: “Encryption means data is hidden and can be decrypted. Bitcoin’s security model is based on signatures—used to prove ownership, without exposing private keys.”

This isn’t pedantry. It means the most urgent “collect now, decrypt later” quantum threat to Bitcoin’s asset security basically doesn’t hold. There is no encrypted data to collect; the public key is already openly published on-chain.

Two Quantum Algorithms: One Is a Real Threat; the Other Is Negligible

· Shor’s algorithm (a real threat): Exponential acceleration for the underlying math problem of digital signatures, enabling recovery of private keys from public keys and forging transaction signatures. This is what actually needs worrying.

· Grover’s algorithm (not a threat): Only provides quadratic-speedup for hash functions like SHA-256. It sounds scary, but once you compute it, it’s clearly completely unrealistic.

A 2025 paper, “Kardashev-Scale Quantum Computing and Bitcoin Mining,” calculates that given Bitcoin’s current difficulty, quantum mining would require:

· About 10²³ physical qubits (there are only about 1,500 globally)

· About 10²⁵ joules of energy (the Sun’s total output is about 3.8×10²⁶ joules)

To mine Bitcoin with a quantum computer, the energy required is about 3% of the Sun’s total output. Humans are only at a 0.73 Kardashev civilization level. To mine with quantum computers would require energy so large that only a Type II civilization could manage. Humans can’t reach that—and physically it’s nearly impossible.
(Note: Kardashev civilization levels: Type I can fully utilize the energy of a single planet (Earth); Type II can utilize the energy of an entire star (the Sun))

In comparison: even with the most ideal design, a quantum mining rig’s compute power is only about 13.8 GH/s, whereas a standard Antminer S21 can reach 200 TH/s. Traditional ASIC miners are faster than quantum miners by a factor of about 14,500.

In short, quantum mining simply doesn’t hold up. It’s impossible now, impossible 50 years from now, and even impossible forever. If someone claims that quantum computers can “crack Bitcoin mining,” they’re mixing up two completely different algorithms.

Eight Popular Claims Circulating—7.5 of Them Are Wrong

Claim 1: “The moment quantum computers arrive, all Bitcoin will be stolen overnight”

The reality is: only Bitcoins whose public keys have already been exposed have a security risk. Modern Bitcoin address types (P2PKH, P2SH, Segregated Witness) don’t publish your public key until after you initiate a transfer. As long as you never reuse addresses and never send funds from that address, your public key won’t appear on the blockchain.

Here’s the breakdown:

· Tier A (direct risk): About 1.7 million BTC using old P2PK address format, where the public key is fully exposed.

· Tier B (risk exists but is fixable): About 5.2 million BTC sitting in reused addresses and Taproot addresses, where users can migrate to avoid the risk.

· Tier C (brief exposure): For about 10 minutes while each transaction waits in the mempool to be packaged, the public key is temporarily exposed.

According to Chaincode Labs’ estimates, a total of about 6.26 million BTC has public-key exposure risk, roughly 30%–35% of total supply. The number is indeed not small, but it’s absolutely not “all Bitcoin.”
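The tiers above can be checked mechanically from an output's locking script. The following is an added example, not code from the original article or from any Bitcoin project: it recognises the standard scriptPubKey templates and maps each unspent output to Tier A, Tier B, or "hidden". The function names are hypothetical, the scripts and amounts are constructed sample data, and it assumes the caller supplies the set of scripts the wallet has already spent from.

```python
# Added example: classify outputs by the exposure tiers described above.
# All scripts and amounts below are constructed sample data, not chain data.
from collections import defaultdict

HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}  # only a hash is on-chain


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey."""
    n = len(spk)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "p2sh"
    # Witness v0: OP_0 <20 bytes> (P2WPKH) or OP_0 <32 bytes> (P2WSH)
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "nonstandard"


def exposure_tier(spk: bytes, spent_scripts: set) -> str:
    """Map an unspent output to the article's tiers.

    spent_scripts holds scriptPubKeys already spent from, i.e. scripts
    whose public key was revealed by an earlier input (address reuse).
    """
    kind = classify_script(spk)
    if kind == "p2pk":
        return "A"        # raw public key sits in the output script
    if kind == "p2tr":
        return "B"        # tweaked output key sits in the output script
    if kind in HASHED and spk in spent_scripts:
        return "B"        # key revealed by a previous spend, then reused
    if kind in HASHED:
        return "hidden"   # key appears only when spent (Tier C at that time)
    return "unknown"


def audit(utxos, spent_scripts):
    """Sum satoshis per tier for (scriptPubKey, amount) pairs."""
    totals = defaultdict(int)
    for spk, sats in utxos:
        totals[exposure_tier(spk, spent_scripts)] += sats
    return dict(totals)


# Constructed sample wallet: filler bytes stand in for keys and hashes.
P2PK = b"\x21\x02" + b"\x11" * 32 + b"\xac"
P2PKH_FRESH = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
P2PKH_REUSED = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"
P2WPKH = b"\x00\x14" + b"\x44" * 20
P2TR = b"\x51\x20" + b"\x55" * 32
SAMPLE_UTXOS = [(P2PK, 5_000_000_000), (P2PKH_FRESH, 100_000),
                (P2PKH_REUSED, 250_000), (P2WPKH, 40_000), (P2TR, 75_000)]
SAMPLE_SPENT = {P2PKH_REUSED}

if __name__ == "__main__":
    for tier, sats in sorted(audit(SAMPLE_UTXOS, SAMPLE_SPENT).items()):
        print(f"tier {tier}: {sats} sats")
```

Outputs reported as Tier B are the ones a holder can fix by moving funds to a fresh, never-spent hashed address.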

Claim 2: “Satoshi’s coins will be stolen—dump them and they’ll go to zero”

Half right, half wrong. About 1.1 million BTC held by Satoshi use the P2PK format, with the public key fully exposed, so they are indeed high-risk assets. But:

· Quantum computers capable of cracking those private keys don’t exist at all.

· Countries that have early quantum capabilities would prioritize intelligence and military systems, not stage a “public media farce of openly stealing Bitcoin” (in the words of the Quantum Canary Research Group).

· Expanding from today’s roughly 1,500 qubits to the scale of hundreds of thousands needs years of engineering breakthroughs, with highly uncertain progress.

Claim 3: “Bitcoin can’t be upgraded—too slow and governance is a mess”

This claim isn’t correct, but it’s not entirely without basis. Bitcoin has successfully completed multiple major upgrades in its history:

· Segregated Witness (SegWit, 2015–2017): Extremely controversial, nearly failed, led directly to a Bitcoin Cash fork, but ultimately succeeded in going live.

· Taproot (2018–2021): Deployed smoothly, taking about 3.5 years from proposal to mainnet activation.

The mainstream quantum-resistant proposal, BIP-360, was officially added to the Bitcoin BIP repository in early 2026. It introduces a new bc1z address type and removes the key-path spending logic in Taproot that is more vulnerable to quantum attacks. At present, this proposal is still in draft status, and testnets have run Dilithium post-quantum signature instruction sets.

BIP-360 co-author Ethan Heilman estimates the full upgrade cycle is about 7 years: 2.5 years for development and review, 0.5 years for activation, and 4 years for ecosystem migration. He admits: “This is only a rough estimate—nobody can give an exact timeline.”

Objective conclusion: Bitcoin can be upgraded, and the upgrade has already begun—but it’s still in its early stages and needs faster progress. Claiming “it’s completely impossible to upgrade” is wrong, and claiming “it’s already completed” is also not true.

Claim 4: “We only have 3–5 years left”

Probably not true, but you also can’t completely ignore it. Experts give extremely wide time ranges:

· Adam Back (Hashcash inventor; cited in Bitcoin’s whitepaper): 20–40 years

· Jensen Huang (CEO of Nvidia): Practical quantum computing still requires 15–30 years

· Scott Aaronson (quantum computing authority at the University of Texas at Austin): Refuses to give a timeline and says breaking RSA might require “a billion-dollar level investment”

· Craig Gidney (Google Quantum AI): Only a 10% probability of it happening before 2030; also believes that with current conditions, quantum-bit requirements are unlikely to see another 10x optimization, and the optimization curve may already be flattening

· Survey of 26 quantum security experts: 28%–49% probability of risk emerging within 10 years

· Ark Invest: “This is a long-term risk, not an imminent one.”

Worth noting: Google’s Willow chip reached the quantum error-correction threshold by the end of 2024. This means that with each additional level of error-correcting code, the logical error rate drops by a fixed coefficient (Willow is 2.14). The suppression effect improves exponentially, but the actual scaling speed depends entirely on hardware—it could be logarithmic, linear, or extremely slow. Crossing the threshold only means scaling is feasible, not that it will be fast, easy, or inevitable.

Also, in its March 2026 paper, Google didn’t disclose an actual attack circuit, only a zero-knowledge proof. Scott Aaronson has also warned that future researchers may not keep disclosing resource estimates for breaking cryptography. So we might not be able to detect the “quantum crisis day” coming far in advance.

Even so, building a computer with tens of thousands of fault-tolerant qubits is an enormous engineering challenge. The most advanced quantum computers today can’t factor large integers beyond 13 digits, while cracking Bitcoin would be equivalent to factoring about 1,300-digit numbers. This gap can’t be closed overnight, but the technology trend is worth paying attention to—not ignoring it.

Claims 5–8: Quick Clarifications

“Quantum computing will destroy mining”

Wrong. The energy requirement is close to the Sun’s total output; see Part 2.

“Collect data now, decrypt it later”

This doesn’t apply to stealing assets (the blockchain is public by nature), and only affects privacy to some extent—so it’s a secondary risk.

“Google says Bitcoin can be cracked in 9 minutes”

Google is referring to a theoretical circuit runtime of about 9 minutes on a nonexistent machine with 500k qubits. Google itself has clearly warned against such panic-inducing statements and withheld the attack-circuit details.

“Post-quantum cryptography isn’t mature yet”

The National Institute of Standards and Technology (NIST) in the U.S. has completed standardization of ML-KEM, ML-DSA, SLH-DSA, and other algorithms. The algorithms themselves are mature; the difficulty is deploying them in Bitcoin systems—not inventing something from scratch.

The Five Issues I’m Really Concerned About

A debunking article that denies everything would lose credibility. Here are the five issues that deeply worry me:

· Estimates of the number of qubits needed to break cryptography keep trending downward, although that trend may be slowing. In 2012, cracking cryptographic systems was estimated to require 1 billion qubits; by 2019 it dropped to 20 million; by 2025 it was already below 1 million. In early 2026, Oratomic claimed that with a neutral-atom architecture, only 10k physical qubits would be enough to achieve cracking.

But it’s worth noting: all nine authors of that study are Oratomic shareholders, and the 101:1 ratio of physical qubits to logical qubits used in their estimates has never been verified (the historical real ratio is closer to 10,000:1).

It’s also important to clarify: on Google’s superconducting architecture, the calculation task said to take “9 minutes” would take 10²⁶⁴ days on neutral-atom hardware—two completely different devices with wildly different compute speeds. Gidney himself also says the algorithm-optimization curve may already have reached a plateau. Even so, no one knows when the inflection point between “qubits required” and “qubits available” will arrive. The most objective conclusion is that uncertainty is currently extremely high.

· The scope of public-key exposure is expanding, not shrinking. Bitcoin’s newest and most widely adopted address format, Taproot, publishes tweaked public keys on-chain, giving quantum attackers an unlimited offline cracking window. Bitcoin’s most recent upgrade actually weakened post-quantum security—an irony worth thinking about.

The problem also isn’t limited to on-chain addresses: Lightning Network channels, hardware wallet connections, multisignature schemes, and extended public key sharing services all tend to spread public keys by design. In a world where a fault-tolerant quantum computer capable of breaking cryptography (CRQC, a cryptographically relevant quantum computer) becomes real and the entire system is built around public-key sharing, “protecting public-key privacy” is fundamentally unrealistic. BIP-360 is only a first step and nowhere near a complete solution.

· Bitcoin governance is slow, but there is still a time window. Since November 2021, Bitcoin’s base protocol has not activated a soft fork for more than four years and has been in long-term stagnation. Google plans to complete its own post-quantum migration in 2029, while the most optimistic Bitcoin estimates push it to 2033.

Given that practical-level cryptographic-breaking quantum computers are likely still far away (most reliable predictions say into the 2040s, or possibly never), this is not an emergency crisis today—but you absolutely can’t use that to become complacent. The earlier preparation starts, the more relaxed the later stages will be.

· Satoshi’s Bitcoin is an unsolvable game-theory problem. About 1.1 million BTC are stored in P2PK addresses. Because nobody holds the corresponding private keys (or Satoshi is gone), these assets can never be migrated. Whether you choose to leave them alone, freeze them, or destroy them, there will be serious consequences—there is no perfect solution.

· Blockchains are a permanent target list for attack. All exposed public keys are recorded forever. Institutions in each country can begin preparations right now and simply wait for the moment. Defense requires proactive coordination among multiple parties, while attack only needs patience.

These are real challenges—but there’s another side worth considering.

Why the Quantum Threat Could Be Extremely Far Away—or Never Come At All

Several serious physicists and mathematicians (not extremists) believe that reaching the scale of fault-tolerant quantum computing needed for cryptographic breaking could face fundamental obstacles at the level of physics, not just engineering difficulty:

· Leonid Levin (Boston University; co-proposer of NP-completeness): “Quantum amplitudes need to be precise to hundreds of decimal places, yet no physical law has ever been discovered that holds with precision beyond a handful of decimal digits.” If nature doesn’t allow precision beyond about 12 decimal digits, the entire quantum computing field would hit a physical ceiling.

· Michel Dyakonov (University of Montpellier; theoretical physicist): A system with 1,000 qubits requires controlling about 10³⁰⁰ continuous parameters simultaneously—far beyond the total number of subatomic particles in the universe. His conclusion: “Impossible—forever impossible.”

· Gil Kalai (Hebrew University; mathematician): Quantum noise has inseparable correlation effects that grow worse as system complexity increases, making large-scale quantum error correction fundamentally unachievable. His conjecture has survived 20 years without being proven, but experiments also show some deviations from predictions—both pros and cons.

· Tim Palmer (Oxford University; physicist): His rational quantum mechanics model predicts a hard upper limit of about 1,000 qubits for quantum entanglement, far below the scale required to break cryptography.

These aren’t fringe viewpoints. Existing evidence clearly supports this judgment: so far, practical demonstrations that could threaten cryptographic systems either have turned out to be much harder in reality than in theory, or are fundamentally impossible due to unknown laws in the physical world. A good analogy is self-driving cars: the demo looks great, attracts huge investment, yet for more than a decade it has kept claiming “we’re only five years away.”

Most media default to the assumption “quantum computers will eventually break cryptography—it’s just a matter of time.” That isn’t a conclusion derived from evidence; it’s a narrative created by the hype cycle.

The Core Motivation for Upgrades—Unrelated to Quantum

This is a key fact that few people mention (thanks to @reardencode for pointing it out):

· Cryptographic systems broken by quantum computers so far: 0;

· Cryptographic systems broken by classical mathematics: countless.

DES, MD5, SHA-1, RC4, SIKE, the Enigma machine… all fell due to sophisticated mathematical analysis rather than quantum hardware. SIKE was once a finalist in NIST’s post-quantum cryptography efforts, but in 2022 a researcher used an ordinary laptop computer to break it in under an hour. Since the invention of cryptographic systems, classical cryptanalysis has constantly overturned many kinds of cryptography.

Bitcoin’s secp256k1 elliptic curve could fail at any time due to a mathematical breakthrough, without needing quantum computing at all. You’d only need a top number theorist to make new progress on the discrete logarithm problem. That hasn’t happened yet—but the history of cryptography is exactly a history of “systems proven secure” repeatedly being found to have vulnerabilities.

That is the real reason Bitcoin should adopt alternative cryptography: not because quantum computers are coming—since they might never arrive—but because for a network worth trillions of dollars, relying on a single cryptographic assumption is a risk that rigorous engineering must proactively mitigate.

Quantum-related panic hype, ironically, can obscure this lower-profile but more real vulnerability. The preparation for quantum threats (BIP-360, post-quantum signatures, hash-based alternatives) would also defend against classical cryptanalysis attacks. People did the right things for the wrong reasons, and that’s fine—as long as it ultimately gets implemented.

What Should You Do, Specifically?

If you hold Bitcoin:

· No need to panic. The threat is real, but it’s still far away, and you have plenty of time.

· Stop reusing addresses. Each time you reuse one, your public key gets exposed—use a new address for receiving.

· Watch BIP-360 progress. After post-quantum addresses are introduced, migrate your assets in time.

· For long-term holdings, keep funds in addresses that have never been spent from, so your public key stays hidden.

· Don’t get swept along by the headline—read the original paper. The content is more interesting, and far less scary than the coverage.

If you’re a Bitcoin developer:

· BIP-360 needs more people to review. The testnet has run; the code urgently needs inspection.

· The 7-year upgrade cycle needs to be compressed. For every year of delay, the security buffer shrinks by one step.

· Start governance discussions around old unspent transaction outputs (UTXOs). Satoshi’s Bitcoin won’t self-protect—so the community needs a plan.

If you just saw a sensational headline: remember, 59% of the shared links are never clicked. The title exists to stir emotions; the paper exists to trigger thinking. Read the original text.

Conclusion

The threat from quantum to Bitcoin isn’t black or white; there’s a middle ground. On one end: “Bitcoin is over—sell everything now.” On the other: “Quantum is a scam—no risk at all.” Both extremes are wrong.

The truth lies in a rational, feasible middle zone: Bitcoin faces clear engineering challenges; parameters are known and development is ongoing; time is tight but manageable—provided the community maintains a reasonable sense of urgency.

The most dangerous thing isn’t quantum computing—it’s the recurring media cycle that oscillates between panic and indifference, preventing people from rationally viewing an essentially solvable problem.

Bitcoin has survived the block-size wars, theft of exchanges, regulatory shocks, and the disappearance of its founder. It can also make it through the quantum era. But only if the community starts steady preparation from now—no panic, no sitting on your hands—and moves forward with the robust engineering mindset that makes Bitcoin strong in the first place.

The house isn’t on fire, and it may never catch fire in the direction everyone worries about. But cryptographic assumptions never remain permanently valid. The best time to harden cryptographic foundations is always before a crisis, not after.

Bitcoin has always been built by people who laid groundwork for threats that haven’t even happened. This isn’t paranoia—it’s engineering thinking.

References:

This article draws on 66 research papers from two major topic Wiki databases, covering quantum computing resource estimates, Bitcoin vulnerability analysis, debunking psychology, and research on content dissemination mechanisms. Core sources include Google’s Quantum AI lab (2026), the paper “Quantum Mining Under the Kardashev Scale” (2025), the BIP-360 proposal documentation, Berger and Milkman research (2012), “The 2020 Debunking Handbook,” and writings from industry practitioners such as Tim Eubanks, Dan Luu, patio11, and others. Full wiki materials are open for peer review.
