Developers are exploring post-quantum signatures and potential migration paths.
Quantum computers can’t break Bitcoin’s encryption today, but new advances from Google and IBM suggest the gap is closing faster than expected. Their progress toward fault-tolerant quantum systems raises the stakes for “Q-Day,” the moment when a sufficiently powerful machine could crack older Bitcoin addresses and expose more than $711 billion in vulnerable wallets.
Upgrading Bitcoin to a post-quantum state will take years, which means the work has to begin long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community has struggled to agree on how best to move forward with a plan.
This uncertainty has led to a lingering dread that a quantum computer that can attack Bitcoin may come online before the network is ready.
In this article, we will look at the quantum threat to Bitcoin and what needs to change to make the number one blockchain ready.
A successful attack would not look dramatic. A quantum-enabled thief would start by scanning the blockchain for any address that has ever revealed a public key. Old wallets, reused addresses, early miner outputs, and many dormant accounts fall into that category.
The attacker copies a public key and runs it through a quantum computer using Shor’s algorithm. Developed in 1994 by mathematician Peter Shor, the algorithm gives a quantum machine the ability to factor large numbers and solve the discrete logarithm problem far more efficiently than any classical computer. Bitcoin’s elliptic-curve signatures rely on the difficulty of those problems. With enough error-corrected qubits, a quantum computer could use Shor’s method to calculate the private key tied to the exposed public key.
As Justin Thaler, research partner at Andreessen Horowitz and associate professor at Georgetown University, told Decrypt, once the private key is recovered, the attacker can move the coins.
“What a quantum computer could do, and this is what’s relevant to Bitcoin, is forge the digital signatures Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction taking all the Bitcoin out of your accounts, or however you want to think of it, when you did not authorize it. That’s the worry.”
The forged signature would look real to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing on-chain would mark the transaction as suspicious. If an attacker hit a large group of exposed addresses at once, then billions of dollars could move within minutes. Markets would start reacting before anyone ever confirmed that a quantum attack was happening.
In 2025, quantum computing finally started to feel less theoretical and more practical.
Bitcoin’s signatures use elliptic-curve cryptography. Spending from an address reveals the public key behind it, and that exposure is permanent. In Bitcoin’s early pay-to-public-key format, many addresses published their public keys on-chain even before the first spend. Later pay-to-public-key-hash formats kept the key hidden until the first use.
Because their public keys were never hidden, these oldest coins, including roughly 1 million Satoshi-era Bitcoin, are exposed to future quantum attacks. Switching to post-quantum digital signatures, Thaler said, takes active involvement.
“For Satoshi to protect their coins, they’d have to move them into new post-quantum-secure wallets,” he said. “The biggest concern is abandoned coins, about $180 billion worth, including roughly $100 billion believed to be Satoshi’s. Those are huge sums, but they’re abandoned, and that’s the real risk.”
Adding to the risk are coins tied to lost private keys. Many have sat untouched for more than a decade, and without those keys, they can never be moved into quantum-resistant wallets, making them viable targets for a future quantum computer.
No one can freeze Bitcoin directly on-chain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks.
However, Thaler noted that post-quantum encryption and digital signature schemes come with steep performance costs, since they’re far larger and more resource-intensive than today’s lightweight 64-byte signatures.
“Today’s digital signatures are about 64 bytes. Post-quantum versions can be 10 to 100 times larger,” he said. “In a blockchain, that size increase is a much bigger issue because every node must store those signatures forever. Managing that cost, the literal size of the data, is far harder here than in other systems.”
Developers have floated several Bitcoin Improvement Proposals to prepare for future quantum attacks. They take different paths, from light optional protections to full network migrations.
Taken together, these proposals sketch a step-by-step path to quantum safety: quick, low-impact fixes like P2TRH now, and heavier upgrades like BIP-360 or STARK-based compression as the risk grows. All of them would need broad coordination, and many of the post-quantum address formats and signature schemes are still early in discussion.
Thaler noted that Bitcoin’s decentralization — its greatest strength — also makes major upgrades slow and difficult, since any new signature scheme would need broad agreement across miners, developers, and users.
“Two major issues stand out for Bitcoin. First, upgrades take a long time, if they happen at all. Second, there are the abandoned coins. Any migration to post-quantum signatures has to be active, and owners of those old wallets are gone,” Thaler said. “The community must decide what happens to them: either agree to remove them from circulation or do nothing and let quantum-equipped attackers take them. That second path would be legally gray, and the ones seizing the coins likely wouldn’t care.”
Most Bitcoin holders don’t need to do anything right away. A few habits go a long way in reducing long-term risk, including avoiding reusing addresses so your public key stays hidden until you spend, and sticking with modern wallet formats.
