IBM is committing more than USD 10 billion to quantum computing over the next five years. For the first time, the roadmap names concrete milestones for fault-tolerant systems, which puts the quantum computing risk to Bitcoin on a clearer timeline.
Quantum computers work with quantum-mechanical effects such as superposition and entanglement instead of classical bits. As a result, they solve certain computational problems exponentially faster. This includes factoring large numbers, on which asymmetric cryptography such as Bitcoin's ECDSA relies. However, today's systems with a few hundred physical qubits are not yet sufficient for a real attack on cryptography.
IBM has operated the IBM Quantum Network since 2017, and it now spans more than 340 partner organizations. In addition, more than 90 IBM quantum systems run worldwide, more than the rest of the industry combined. The new commitment covers research, capital expenditure, production scaling, and acquisitions. A cornerstone is the founding of Anderon, the world's first dedicated quantum wafer fab, to which IBM is contributing USD 1 billion in cash.
IBM's roadmap: From Kookaburra to Starling
The 2026 processor Kookaburra opens the sequence, the first modular chip that stores and processes error-corrected information at the same time. As a result, the architecture shifts from pure computing power toward reliable quantum memory on a single building block. In that same year, IBM also expects partners to demonstrate a verified quantum advantage for the first time. This refers to a provable edge over classical computers on a concrete problem. For 2027, Cockatoo follows, connecting two Kookaburra modules via so-called L-couplers. These steps build on the hardware progress of late 2025, when IBM entangled 120 qubits in a GHZ state and shortly afterward unveiled the 120-qubit processor Nighthawk.
The decisive threshold, however, is Starling, announced for 2029 and based at the Poughkeepsie plant in New York. The system is set to provide 200 logical qubits and execute 100 million quantum gates, roughly 20,000 times more operations than today's machines. A logical qubit consists of many physical qubits that jointly detect and correct errors. Consequently, 200 logical qubits already require thousands of physical units. According to the plan, Blue Jay then follows with 2,000 logical qubits and one billion quantum operations. The roadmap thus increases the order of magnitude tenfold again compared with Starling.
This roadmap rests on a broad developer ecosystem and a long contract history. IBM's open-source software Qiskit is used by roughly 70% of all quantum developers worldwide and has so far executed more than 4 trillion quantum circuits. Moreover, since the launch of the IBM Quantum Network in 2017, the company has signed contracts worth around USD 1.1 billion. Anderon provides the production foundation for this and is additionally backed by the U.S. Department of Commerce. CEO Arvind Krishna frames the situation by saying the quantum age is no longer ahead but has already begun.
How many qubits does a Bitcoin attack need?
Bitcoin secures its transaction signatures through ECDSA on the secp256k1 curve. Shor's algorithm could break this method on a sufficiently powerful, fault-tolerant quantum computer. To do so, it reverses the underlying one-way mathematical function. A Google Quantum AI paper estimated in March 2026 that secp256k1 could be attacked with fewer than 500,000 physical qubits under certain hardware assumptions. Between that order of magnitude and IBM's Starling target of 200 logical qubits, a considerable gap therefore remains in 2029. Accordingly, IBM expert Jeff Crume places the so-called Q-Day, meaning the moment of a cryptographically relevant system, between 2030 and 2035.
"I rarely have the argument anymore about whether quantum computing is real or whether we should take it seriously, because in the long run reality will settle that argument on its own." - Ethan Heilman, cryptographer and BIP-360 co-author.
The more pressing near-term risk, however, lies in the principle of "harvest now, decrypt later." Attackers can collect blockchain data today and decrypt it later, once sufficiently strong quantum hardware becomes available. This is especially relevant because of the public keys on the blockchain. They remain permanently visible and, unlike in centralized systems, cannot be hidden after the fact. Around 6.9 million BTC sit in wallets with visible public keys. Of these, 1.7 million BTC fall on older address formats with a permanently exposed key and are therefore considered especially vulnerable.
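The distinction between permanently exposed keys and keys hidden behind a hash can be checked per output script. The following is an added example, not code from the article or from any project it names: it classifies a scriptPubKey by whether a public key is visible before the output is spent, and it goes beyond the article by also treating Taproot outputs (which carry a key in the script) as exposed. The function names, the `reused` flag, and the sample scripts are assumptions constructed for illustration.

```python
# Added example (not the article's code): classify scriptPubKey hex by key exposure.
EXPOSED = "key exposed at rest"
EXPOSED_REUSE = "key exposed by earlier spend"
HASHED = "hash only until spent"
UNKNOWN = "unknown"

def classify_script(script_hex):
    """Return (script_type, exposure) for one scriptPubKey."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return ("invalid-hex", UNKNOWN)
    n = len(s)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac).
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (0x02, 0x03)) or (n == 67 and s[1] == 0x04):
            return ("p2pk", EXPOSED)
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("p2pkh", HASHED)
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return ("p2sh", HASHED)
    # Witness v0: OP_0 plus a 20-byte key hash or a 32-byte script hash.
    if n in (22, 34) and s[0] == 0x00 and s[1] == n - 2:
        return ("p2wpkh" if n == 22 else "p2wsh", HASHED)
    # P2TR: OP_1 plus a 32-byte x-only output key, so the key is on-chain.
    if n == 34 and s[:2] == b"\x51\x20":
        return ("p2tr", EXPOSED)
    return ("nonstandard", UNKNOWN)

def exposure_report(utxos):
    """Sum satoshis per exposure class; utxo = (script_hex, sats, reused)."""
    totals = {}
    for script_hex, sats, reused in utxos:
        _, exposure = classify_script(script_hex)
        # Assumption: reused=True means an earlier spend already published the key.
        if exposure == HASHED and reused:
            exposure = EXPOSED_REUSE
        totals[exposure] = totals.get(exposure, 0) + sats
    return totals

# Constructed sample outputs (filler bytes, not real keys or hashes).
SAMPLE = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),  # P2PK
    ("76a914" + "22" * 20 + "88ac", 150_000, False),         # P2PKH, unused
    ("0014" + "33" * 20, 75_000, True),                      # P2WPKH, reused
    ("5120" + "44" * 32, 20_000, False),                     # P2TR
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE))
```

Run over a wallet's own unspent outputs, the report shows which funds would need to move first under a migration plan such as the ones discussed below.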
Not all cryptographic building blocks are equally at risk. Bitcoin's hash function SHA-256 is only quadratically weakened by Grover's algorithm, from 256 to effectively 128 bits of security, and is therefore regarded as robust. Consequently, the ECDSA signature scheme remains the far more pressing problem, since Shor's algorithm would not merely weaken it but fundamentally break it.
Bitcoin's structural problem with migration
Centralized actors such as banks can quietly replace outdated encryption through a software update. With Bitcoin, by contrast, all nodes must agree to a change by consensus, which makes migration far harder. In addition, there is the size problem: a current Bitcoin signature spans 64 bytes, whereas the post-quantum standard ML-DSA spans 2,420 bytes, roughly 38 times as much. As a result, a switch could lower transaction throughput by up to 90%. This would raise fees and place additional strain on the already limited block capacity.
The Bitcoin community is discussing several technical answers to this. BIP-360 proposes gradually moving vulnerable coins to safer addresses, while the Hourglass concept would gradually restrict unmoved coins. Moreover, around 1 million BTC are concentrated in eleven large addresses that could serve as an early warning system. If anything unusual moves there, that would be a possible signal of an ongoing attack. Unlike a software update at a bank, however, each of these steps requires broad agreement across the network.
Finally, regulatory deadlines set the outer frame. NIST published the first finalized post-quantum standards FIPS 203, 204, and 205 in August 2024 and recommends completing the migration by 2035. The NSA, by contrast, sets 2030 as a mandatory date for national security systems under CNSA 2.0. This external timeline raises the pressure on all parties and overlaps with the Q-Day window projected by IBM.
How other crypto networks are responding
Elsewhere, the industry is already moving more concretely. Coinbase convened a six-member independent advisory board that includes Scott Aaronson, Dan Boneh, Justin Drake, Sreeram Kannan, Yehuda Lindell, and Dahlia Malkhi. In addition, the Ethereum Foundation already founded a dedicated quantum research team back in 2025. By comparison, Bitcoin's own process around BIP-360 remains open and without a binding schedule.
Beyond the large networks, too, there are concrete measures. Algorand executed the first post-quantum transaction. Optimism set a fixed cut-off date for migration with its "Flag Day" in January 2036. Solana, meanwhile, optionally offers a "Winternitz Vault" with hash-based signatures considered quantum-resistant. Furthermore, in March 2025 NIST selected HQC as a fourth standard candidate, in order to secure algorithm diversity and avoid depending on a single method.
A look beyond the crypto industry shows how far the transition has already progressed elsewhere. Apple iMessage, Signal, and Zoom have long supported post-quantum cryptography, and Meta migrated its internal systems to the new standards in 2026. While these providers carry out the switch quietly, blockchain networks must negotiate every step in open consensus. Ultimately, this very difference determines how much lead time Bitcoin really still has against IBM's timeline.







