Will quantum computers break Bitcoin?
Not soon, and not without warning.
Two different attacks get lumped together under "quantum breaks Bitcoin," and they are not equally scary. One threatens signatures, one threatens mining, and neither is close to feasible on any machine that exists in 2026. The real question is not "if" the cryptography ever needs upgrading, but whether Bitcoin has the lead time to do it. It does.
No, not with any hardware that exists in 2026, and not without years of warning. Breaking a Bitcoin key with Shor's algorithm needs a few thousand stable logical qubits, which works out to millions of physical qubits; the largest machines today have a few hundred physical qubits. Grover's attack on mining only doubles difficulty. NIST already finalized post-quantum signatures in 2024, and Bitcoin can adopt them by soft fork.
- Estimates for breaking a 256-bit elliptic-curve key with Shor's algorithm run to roughly 1 to 20 million physical qubits; the best 2026 processors sit in the low hundreds of noisy qubits.
- Grover's algorithm against SHA-256 mining is quadratic, not exponential: it roughly halves the effective work, equivalent to a ~2x difficulty bump, not a break.
- Coins in an unspent address that has never broadcast a spend expose only a hashed public key (HASH160), adding a 160-bit hash barrier on top of the 256-bit key.
- The real exposure is address reuse and any address whose raw public key is already public; roughly 4 to 6 million BTC sit in older pay-to-public-key or reused outputs by common estimates.
- NIST finalized 3 post-quantum standards in August 2024; a Bitcoin soft fork adding a quantum-resistant signature type would give holders years to migrate coins.
A useful quantum computer would eventually threaten Bitcoin's signature scheme (ECDSA), which is what proves you own your coins. It would barely dent the mining algorithm (SHA-256). But "eventually" is doing heavy lifting: the machine required is roughly a million times larger and vastly more stable than anything built by 2026, and a working attack would be visible for years while it approached. Bitcoin's answer is a soft fork to a quantum-resistant signature, and the standards for that already exist. Your only job today is to stop reusing addresses.
Which part of Bitcoin would quantum actually threaten?
Bitcoin leans on two different pieces of cryptography, and quantum computing hits them very differently. Conflating the two is why the topic sounds scarier than it is.
Threat 1 — Shor's algorithm vs. your signatures (ECDSA). Ownership in Bitcoin is proven with an elliptic-curve digital signature over the secp256k1 curve. A large fault-tolerant quantum computer running Shor's algorithm could, in principle, derive the private key from the public key, which would let an attacker forge a spend. This is the serious threat, because it attacks the thing that actually guards coins. See how Bitcoin works for where keys and signatures fit.
Threat 2 — Grover's algorithm vs. mining (SHA-256). Mining and the address-hashing layer rely on SHA-256. Grover's algorithm gives a quadratic speedup on brute-force search, which sounds dramatic but only takes the effective security of a 256-bit hash from 2^256 to about 2^128. In mining terms that is roughly a 2x speed advantage, comparable to a hardware generation, not a way to rewrite the chain. See proof of work.
Shor's algorithm is exponential speedup against elliptic-curve keys, which is why signatures are the exposure. Grover's algorithm is only a quadratic speedup against SHA-256, which is why mining is nearly a non-issue. "Quantum breaks Bitcoin" almost always means the signature threat, not the mining one.
Shor vs. Grover, side by side
| DIMENSION | SHOR (SIGNATURES) | GROVER (MINING) |
|---|---|---|
| Target | ECDSA over secp256k1 — derives the private key from an exposed public key. | SHA-256 — brute-forcing mining hashes and, in theory, hash preimages. |
| Speedup | Exponential. Turns a ~256-bit key from infeasible to solvable. | Quadratic. 2^256 effective work drops to ~2^128, still astronomically hard. |
| Practical effect | Could forge a spend from any address whose public key is known. Real threat. | Roughly a 2x mining edge — a difficulty adjustment absorbs it. Not a break. |
| Hardware needed | Roughly 1–20 million physical qubits with error correction (published estimates vary). | Far more than Shor for any meaningful mining edge; economically pointless before then. |
| 2026 status | Best processors: low hundreds of noisy physical qubits. Off by ~6 orders of magnitude. | Not remotely feasible; classical ASICs stay ahead for the foreseeable future. |
Qubit estimates are from published academic resource analyses and vary by algorithm and error-correction assumptions; figures are as of 2026 and will move as hardware and estimates improve.
Which coins are actually exposed, and which are safe?
This is the part that turns an abstract fear into something you can act on today. Shor's algorithm needs your public key to derive your private key. Whether your public key is visible depends on your address type and, crucially, whether you have ever spent from that address.
Safer: unspent modern addresses. Pay-to-public-key-hash (P2PKH) and pay-to-witness-public-key-hash (P2WPKH) addresses publish only a hash of your public key (a 160-bit HASH160), not the key itself. Until you spend from that address, the raw public key never touches the chain, so a Shor attacker has nothing to run the algorithm against, and would have to break the 160-bit hash first. Funds parked in an address that has never broadcast a spend are the best-protected coins on the network.
Exposed: reused or public-key addresses. The moment you spend from an address, your transaction reveals the raw public key in the witness/scriptSig. If you reuse that address to receive again, those new funds now sit behind an exposed key. Older pay-to-public-key (P2PK) outputs — including many coins mined in Bitcoin's first years — publish the raw public key directly and were never hashed. By common estimates, somewhere around 4 to 6 million BTC sit in P2PK or reused-address outputs with public keys already on the chain.
Use a fresh receive address for every deposit and never reuse a spent address. Modern wallets do this automatically with an HD (hierarchical deterministic) seed. It also improves your privacy. This single habit keeps your public keys hashed and unexposed — the strongest quantum protection available to a user today, at zero cost. See Bitcoin security.
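The exposure rules above (P2PK outputs expose the key by construction; hashed-key addresses expose it only once they have spent; a reused address then sits behind an exposed key) can be checked mechanically. The following is an added example, not code from the original page or from any wallet project: it audits a small constructed ledger, flags each unspent output as exposed or hashed-only, totals the value in each category, and offers the wallet-side check a "never reuse an address" policy needs. The txids, addresses, values and the simplified transaction records are constructed placeholders, not real chain data.

```python
"""Audit a ledger for public-key exposure to a Shor-style attacker."""
from collections import defaultdict

# Constructed sample ledger (placeholder txids/addresses, not real chain data).
# Inputs reference the output they spend; the spender's address is recorded
# because a spend puts that address's raw public key into the scriptSig/witness.
SAMPLE_TXS = [
    # Early block reward paid directly to a raw public key (P2PK).
    {"txid": "tx1", "inputs": [],
     "outputs": [{"addr": "pk_early", "type": "p2pk", "value": 50.0}]},
    # Two ordinary deposits to hashed-key addresses.
    {"txid": "tx2", "inputs": [],
     "outputs": [{"addr": "addrA", "type": "p2pkh", "value": 1.0},
                 {"addr": "addrB", "type": "p2wpkh", "value": 2.0}]},
    # addrA spends (revealing its public key) and takes change back to itself,
    # which is the reuse pattern the text warns about.
    {"txid": "tx3", "inputs": [{"txid": "tx2", "vout": 0, "addr": "addrA"}],
     "outputs": [{"addr": "addrC", "type": "p2wpkh", "value": 0.4},
                 {"addr": "addrA", "type": "p2pkh", "value": 0.5}]},
]

# Output types that commit only to HASH160(pubkey) until they are spent.
HASHED_TYPES = {"p2pkh", "p2wpkh"}


def revealed_addresses(txs):
    """Addresses that have ever spent: their raw public key is on chain."""
    return {inp["addr"] for tx in txs for inp in tx["inputs"]}


def unspent_outputs(txs):
    """Yield (txid, vout, output) for every output no later input consumes."""
    spent = {(inp["txid"], inp["vout"]) for tx in txs for inp in tx["inputs"]}
    return [(tx["txid"], n, out)
            for tx in txs
            for n, out in enumerate(tx["outputs"])
            if (tx["txid"], n) not in spent]


def classify_output(out, revealed):
    """Map one unspent output to its exposure category."""
    if out["type"] == "p2pk":
        return "exposed_p2pk"          # key published in the output itself
    if out["type"] in HASHED_TYPES:
        if out["addr"] in revealed:
            return "exposed_reused"    # key leaked by an earlier spend
        return "hashed_only"           # attacker sees only HASH160(pubkey)
    return "unknown"                   # script types this toy does not model


def audit(txs):
    """Return (per-output status, value totals per status)."""
    revealed = revealed_addresses(txs)
    report, totals = {}, defaultdict(float)
    for txid, n, out in unspent_outputs(txs):
        status = classify_output(out, revealed)
        report[(txid, n)] = status
        totals[status] += out["value"]
    return report, dict(totals)


def safe_to_receive(addr, txs):
    """Wallet-side policy check: only hand out an address that has never spent."""
    return addr not in revealed_addresses(txs)


if __name__ == "__main__":
    report, totals = audit(SAMPLE_TXS)
    for key, status in sorted(report.items()):
        print(key, status)
    print("totals by category:", totals)
    print("addrA safe to reuse?", safe_to_receive("addrA", SAMPLE_TXS))
```

On the sample ledger the P2PK reward and the change sent back to addrA land in the exposed categories, while addrB and addrC (never spent from) remain hashed-only; `safe_to_receive` returns False for addrA, which is exactly the decision an HD wallet makes for you by deriving a fresh address each time.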
How far is quantum hardware from actually doing this?
Orders of magnitude, and the gap is the whole story. The scary qubit numbers you see in the news are physical qubits, which are noisy and error-prone. Running Shor's algorithm on a 256-bit key needs logical qubits: stable, error-corrected units, each built from many physical qubits. Published resource estimates put the requirement at roughly a few thousand logical qubits, which translates to somewhere around 1 to 20 million physical qubits depending on error rates and the error-correcting code assumed.
As of 2026, the largest quantum processors publicly demonstrated operate in the range of a few hundred to about a thousand physical qubits, with error rates far too high to sustain a computation of Shor's depth. That is a gap of roughly four to six orders of magnitude in qubit count, before accounting for the coherence-time and error-rate problems that get harder as machines scale. This is not a "next product cycle" gap.
It also cannot be a surprise. Scaling from hundreds of qubits to millions of stable logical qubits is a visible, multi-year engineering march that the entire research community would watch happen. There is no plausible path where a cryptographically-relevant quantum computer appears overnight with no prior demonstrations at intermediate scales. That visibility is exactly what gives Bitcoin time to respond.
Can Bitcoin upgrade before it matters?
Yes, and the hard part — agreeing on which cryptography to switch to — is already largely solved. In August 2024, NIST finalized its first 3 post-quantum cryptography standards (including ML-DSA / FIPS 204 and SLH-DSA / FIPS 205 for signatures), the product of an 8-year public competition; NIST's own release, linked under Related, names the finalized standards and the timeline of the effort. Quantum-resistant signature algorithms are no longer research; they are published federal standards.
Bitcoin can adopt one of these as a new signature type through a soft fork — the same backward-compatible upgrade mechanism used for SegWit (2017) and Taproot (2021). A soft fork could add a quantum-resistant output type and let holders migrate coins to it well before any quantum machine gets close. Because the hardware threat arrives with years of lead time, the migration window is measured in years, not days. The ongoing standards work is tracked publicly by the NIST post-quantum cryptography project (linked under Related), which documents the algorithms, rounds, and status of the standardization effort.
The honest caveat: the coins genuinely at risk are those in addresses whose public keys are already exposed and whose owners never move them — lost coins, and famously the early P2PK outputs. A migration protects everyone who acts; it cannot protect keys no one controls anymore. That is a real, bounded edge case, not a systemic break. The specific algorithms a migration would draw from are the ones NIST has published and continues to standardize, publicly vetted rather than unvetted or proprietary cryptography.
So how worried should you actually be?
Worried enough to stop reusing addresses; not worried enough to sell anything. This is a genuine long-term research risk, not an imminent one, and I would distrust anyone who told you it is either impossible forever or an emergency this year. Both extremes are wrong.
The reason it is not an emergency: the threat requires a machine roughly a million times more capable than what exists in 2026, it would announce itself for years while scaling, the fix is a standardized soft fork, and the standards already shipped. The reason it is not nothing: "impossible today" is not "impossible ever," and the same quantum threat hits banks, TLS, and government systems — Bitcoin is not uniquely exposed, and arguably has a cleaner upgrade path than legacy finance.
Your action list is short and free: use a modern HD wallet, take a fresh address for every receive, and never reuse a spent address. Do that and your coins sit behind a hashed public key, which is the strongest position available. For the broader "is Bitcoin fragile" question, see the objections page and the skeptic's walkthrough.
No exchange, wallet maker, quantum-computing firm, or anyone else pays this site. See /how-this-site-makes-money/.
Related
- NIST: first 3 finalized post-quantum encryption standards · nist.gov
- NIST CSRC: Post-Quantum Cryptography project · csrc.nist.gov
Last updated 2026-07-04. Not financial advice. Qubit estimates and standardization status change; verify the primary sources before relying on them.