From one billion to 10,000: over two decades, the estimated qubit requirements to attack Bitcoin’s cryptography have dropped by five orders of magnitude. Two papers released yesterday significantly accelerate this trend.
Two research papers released on Tuesday have fundamentally shifted the debate around Bitcoin’s quantum resilience. Google’s Quantum AI team lowered the estimated threshold for an attack on Bitcoin’s cryptography to below 500,000 physical qubits. A parallel paper by Oratomic and Caltech pushes that figure down to 10,000 reconfigurable atomic qubits. Previous estimates were in the millions.
For investors, the question is no longer whether quantum computers can break Bitcoin’s cryptography. Among cryptographers, that is largely undisputed. The key issue is timing and whether the network will be prepared. As hardware advances accelerate while decentralized consensus remains slow, a widening gap is emerging that institutional portfolio managers are increasingly factoring into their allocation decisions.
How quantum computers could attack Bitcoin
Bitcoin relies on two cryptographic primitives: ECDSA (Elliptic Curve Digital Signature Algorithm) for transaction signatures and SHA-256 for mining. Shor’s algorithm, run on a quantum computer, can break ECDSA exponentially faster than any known classical method, while SHA-256 is considered far more resilient, with a quantum attack expected to reduce mining efficiency rather than fully compromise it.
Until Monday, the consensus estimate was that an attacker would need more than 13 million physical qubits to break ECDSA within a day. Google’s latest whitepaper revises this sharply downward. According to the new estimates, fewer than 500,000 physical qubits could be sufficient to solve ECDLP-256 within minutes. Oratomic’s neutral-atom approach lowers the threshold further to around 26,000 qubits for a computation time of 10 days, with a theoretical minimum of 10,000 qubits.
Google’s Willow chip, introduced in December 2024, currently operates at 105 qubits. This reduces the gap to a cryptographically relevant quantum computer from a factor of 100,000 to below 5,000. Oratomic co-founder Manuel Endres has already demonstrated arrays of 6,100 neutral-atom qubits at Caltech.
There is also a more subtle risk. During a Bitcoin transaction, the public key remains exposed in the mempool for roughly 10 minutes before block confirmation. Google’s paper models this exact attack vector: a quantum adversary could derive the private key in around nine minutes, implying a 41% success probability within a single block interval. Even more concerning is the “harvest now, decrypt later” strategy, where attackers collect exposed public keys today and derive the corresponding private keys once sufficient quantum capabilities become available. The US Federal Reserve analyzed this scenario in a September 2025 working paper.
How many Bitcoin are vulnerable?
Project Eleven estimates around 6.7 million BTC as quantum-vulnerable, roughly 33% of circulating supply. Google’s whitepaper points to a similar magnitude at 6.9 million BTC. Chaincode Labs arrives at a broader range of 20% to 50%, or 4 to 10 million BTC. All estimates apply a wide definition, including any address with an exposed public key.
CoinShares, however, offers a more restrained view. It estimates that only around 10,200 BTC would have a meaningful market impact in a hypothetical theft scenario. The remainder is spread across more than 32,000 addresses with an average of 50 BTC each, making large-scale extraction time-intensive even with advanced quantum capabilities.
The risk is also highly concentrated. Around 1.7 million BTC from the Satoshi era, mined between 2009 and 2011, are held in P2PK addresses with permanently exposed public keys, representing close to 9% of total supply. More modern formats such as P2WPKH only expose the key upon spending, providing a limited time buffer. Taproot addresses (P2TR) account for roughly 32.5% of all UTXO outputs but hold less than 1% of total supply. Still, Google’s research casts Taproot in a new light: because it exposes public keys by default, it may expand the effective quantum attack surface.
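The exposure rules described above can be checked per output script when auditing holdings. The following Python sketch is an added example, not code from the article or the cited papers; it goes beyond the three formats named here by also covering P2PKH, P2SH and P2WSH (hash-committed like P2WPKH), and the sample scripts and the `spent_from_before` flag are constructed for illustration.

```python
from typing import Optional

def classify_script(script_hex: str) -> tuple[str, Optional[bool]]:
    """Return (script type, public key visible while the output is unspent?)."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, the raw key sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return "P2PK", True
    # Hash-committed templates: the key or script is revealed only when spending
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", False
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH", False
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>, a public key by construction
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", None  # non-standard: flag for manual review

def audit(utxos):
    """utxos: (script_hex, sats, spent_from_before). Returns (exposed sats by type, total sats)."""
    exposed, total = {}, 0
    for script_hex, sats, spent_from_before in utxos:
        kind, at_rest = classify_script(script_hex)
        total += sats
        # Reuse of a hashed address means an earlier spend already published the key
        if at_rest is None or at_rest or spent_from_before:
            exposed[kind] = exposed.get(kind, 0) + sats
    return exposed, total

# Constructed sample data: filler bytes, not real keys or hashes
SAMPLE_UTXOS = [
    ("4104" + "11" * 64 + "ac", 5_000_000_000, False),   # P2PK
    ("0014" + "22" * 20, 1_000_000, False),              # P2WPKH, never spent from
    ("0014" + "55" * 20, 2_000_000, True),               # P2WPKH, address reused
    ("5120" + "33" * 32, 300_000, False),                # P2TR
    ("76a914" + "44" * 20 + "88ac", 700_000, False),     # P2PKH
]

if __name__ == "__main__":
    exposed, total = audit(SAMPLE_UTXOS)
    for kind, sats in exposed.items():
        print(f"{kind}: {sats} sats exposed ({sats / total:.2%} of holdings)")
```

Unrecognized scripts are counted as exposed so that they surface for manual review rather than being silently treated as safe.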
"The migration to post-quantum standards could easily take 5 to 10 years due to the complexity of decentralized consensus." - Jameson Lopp, Bitcoin security expert
Hardware breakthroughs: Willow, Majorana, and the path to one million qubits
Google’s Willow chip solved a benchmark task using the Quantum Echoes algorithm around 13,000 times faster than the most powerful classical supercomputer. Impressive, but still insufficient for cryptographic attacks. Its 105 qubits fall far short of what is required.
Microsoft’s Majorana 1, introduced in February 2025, takes a different approach. The processor uses topological qubits based on a novel indium arsenide and aluminum material system, targeting up to one million qubits on a single chip. Built-in error correction aims to reduce overhead by a factor of ten.
The new estimates nonetheless reshape the risk profile. The prior consensus called for 1,500 to 2,600 logical qubits, translating into 13 to 300 million error-corrected physical qubits. Google’s paper lowers this to around 1,200 logical qubits and fewer than 500,000 physical qubits. Oratomic’s architecture suggests a range of 10,000 to 26,000 physical qubits. Over two decades, estimated requirements have thus dropped by five orders of magnitude, from roughly one billion to below 10,000.
Google has set March 25, 2029 as an internal deadline for its own post-quantum migration, significantly ahead of the previous industry consensus of 2030 to 2035.
BIP-360 and the post-quantum upgrade path
BIP-360, proposed in 2025, introduces a new Bitcoin address type supporting post-quantum signatures such as Dilithium. It leverages Pay-to-Merkle-Root (P2MR) with SegWit version 2 and bech32m addresses in the bc1z format, enabling a gradual migration without forcing a network-wide change.
On March 20, 2026, BTQ Technologies deployed the first functional implementation on a Bitcoin testnet. More than 50 miners participated in version 0.3.0, mining over 100,000 blocks. However, the gap between testnet and mainnet remains significant. Chaincode Labs described Bitcoin’s post-quantum efforts in May 2025 as being in an “early, exploratory phase.” BIP-360 co-author Ethan Heilman estimates a full migration would take at least seven years, even if initiated immediately.
A key technical constraint remains unresolved. Post-quantum keys are substantially larger than current ones, often several kilobytes in size. This increases transaction fees, storage requirements and bandwidth usage. Under Bitcoin’s 1 MB block limit, this presents a material scaling challenge.
Crucially, BIP-360 is only a first step. It removes Taproot’s quantum-vulnerable key path but does not replace ECDSA or Schnorr signatures with quantum-resistant schemes. Achieving full security would require additional BIPs. For context, SegWit took around 8.5 years to reach broad adoption, Taproot 7.5 years, while Google is targeting its own migration by 2029.
Regulatory standards are outpacing Bitcoin
While Bitcoin is still debating, regulators are already setting the pace. The National Institute of Standards and Technology finalized three post-quantum standards in August 2024 (FIPS 203, 204, 205), based on CRYSTALS-Kyber, CRYSTALS-Dilithium and SPHINCS+. In March 2025, HQC was selected as a fifth algorithm. NIST mathematician Dustin Moody stated that HQC is intended as a backup standard built on a different mathematical foundation than ML-KEM.
The US government has set clear timelines. Federal agencies must submit post-quantum transition plans by April 2026. The EU is targeting quantum resilience for critical infrastructure by 2030. Google is already integrating quantum-resistant signatures into Android 17, Chrome and its cloud services.
Bitcoin, by contrast, faces structural constraints. Protocol changes require broad consensus across thousands of independent actors, with no central authority to mandate upgrades. The same decentralization that underpins Bitcoin’s resilience also slows adaptation. For investors, this implies a shift in perspective: quantum risk is not a reason for panic, but it has become materially more tangible. Monitoring Taproot adoption, progress around BIP-360 and custodian-level address hygiene is increasingly relevant for long-term allocations.







