The Thesis
The conventional discourse on quantum computing’s threat to Bitcoin is binary and unhelpful. Skeptics dismiss it as science fiction decades away. Maximalists acknowledge it but defer it as a problem for future generations. Both positions fail to engage with the actual dynamics: the mathematics is unambiguous, the timeline is uncertain but narrowing, and the path to mitigation exists but requires coordination that Bitcoin’s governance structure makes difficult.
This brief presents M31’s assessment of the quantum threat to Bitcoin—not as distant speculation but as a risk that demands present attention. The core finding: Bitcoin faces a genuine cryptographic vulnerability to sufficiently powerful quantum computers, but the threat is narrower than commonly understood, the timeline is probably longer than alarmists suggest, and viable solutions exist if the community acts before the window closes.
The investment implications are nuanced. This is not a thesis for shorting Bitcoin—the timeline remains too uncertain and the adaptation path too clear. Rather, it is a framework for understanding a systemic risk that most market participants are ignoring, and for identifying the live players building the post-quantum infrastructure that will become essential.
“Cryptography is typically bypassed, not broken. But quantum computing represents the rare case where the mathematics itself becomes vulnerable—not through implementation flaws but through fundamental algorithmic advantage.”
— M31 Research Assessment
The Technical Reality
Understanding the quantum threat requires distinguishing between Bitcoin’s two cryptographic foundations, which face categorically different vulnerabilities.
ECDSA: The Vulnerable Layer
Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with the secp256k1 curve to secure ownership. When you spend bitcoin, you prove ownership by providing a digital signature that could only have been generated by the private key corresponding to your public key. The security assumption is that deriving the private key from the public key is computationally infeasible—a problem that would take classical computers longer than the age of the universe to solve.
Shor’s algorithm, developed in 1994, demonstrated that a sufficiently powerful quantum computer could solve this problem in polynomial time. The mathematical relationship that makes ECDSA secure against classical computers—the discrete logarithm problem on elliptic curves—becomes tractable on a quantum computer with enough stable qubits. This is not a theoretical speculation; the mathematics is proven. The only question is when quantum hardware will reach the required capability.
SHA-256: The Secure Layer
Bitcoin’s proof-of-work mining uses SHA-256, a cryptographic hash function. Here the quantum threat is far less severe. Grover’s algorithm provides only a quadratic speedup for unstructured search, which translates to effectively halving the bit-security of a hash function against preimage search. SHA-256’s 256-bit security becomes approximately 128-bit security against quantum attack—still far beyond practical vulnerability.
This distinction matters enormously. Mining is not at risk. The blockchain’s integrity is not at risk. What is at risk is the ownership layer—the ability to spend bitcoin that belongs to addresses whose public keys have been exposed.
Vulnerability Summary
- ECDSA Signatures: Vulnerable to Shor’s algorithm. Public key exposure enables private key derivation. Existential threat to affected addresses.
- SHA-256 Mining: Grover’s algorithm provides only quadratic speedup. 256-bit security becomes ~128-bit. No practical threat.
- Address Hashing: Addresses that have only received funds expose only the hash of the public key. Protected until the first spend reveals the full public key.
- P2PK Addresses: Early Bitcoin outputs expose the public key directly. Permanently vulnerable, including Satoshi’s coins.
The Exposure Window
The critical nuance is when public keys become exposed. Bitcoin addresses are derived from public keys through a hashing process. An address that has never sent a transaction only reveals the hash of its public key—insufficient for quantum attack. The full public key is only revealed when you sign a transaction to spend from that address.
This creates a crucial distinction between vulnerable and protected bitcoin. Addresses that have sent transactions have exposed their public keys and remain vulnerable until the funds are moved to a new address. Addresses that have only received bitcoin remain protected by the hash function barrier.
However, there is a critical attack window even for “protected” addresses: the period between when you broadcast a transaction and when it is confirmed in a block. During this window—typically 10-60 minutes—your public key is visible in the mempool. A sufficiently fast quantum computer could theoretically derive your private key and broadcast a competing transaction before yours confirms. This attack vector is more demanding but not impossible.
The Timeline Question
The central uncertainty is not whether quantum computers will eventually threaten Bitcoin’s cryptography—they will—but when. This timeline determines whether the threat is an urgent crisis or a manageable transition.
Current State of Quantum Computing
As of early 2026, the most advanced quantum computers operate with approximately 1,000-1,500 physical qubits. IBM’s latest systems and Google’s Willow processor represent the current frontier. These machines can perform certain computations faster than classical computers but remain far from cryptographically relevant.
The gap between current capability and cryptographic threat is substantial but narrowing. Breaking Bitcoin’s ECDSA implementation would require an estimated 2,500-4,000 logical qubits with low error rates. Due to error correction requirements, this translates to roughly 1-10 million physical qubits depending on the architecture and error rates achieved.
Key milestones to date, and the outlook:
- Google claims “quantum supremacy” with its 53-qubit Sycamore processor. Performs a specific calculation faster than classical computers. No cryptographic relevance.
- IBM unveils the 1,121-qubit Condor processor. Demonstrates a scaling path, but error rates remain prohibitive for useful computation.
- Google’s Willow chip demonstrates exponential error reduction. First credible path to fault-tolerant quantum computing.
- Multiple systems exceed 1,000 qubits. Error correction is improving, but logical qubit counts remain low. NIST finalizes post-quantum cryptography standards.
- Consensus estimate for cryptographically relevant quantum computers (CRQC). The wide uncertainty range reflects the fundamental unpredictability of engineering breakthroughs.
The Uncertainty Problem
Projecting quantum computing timelines is notoriously difficult. The field has experienced both unexpected breakthroughs and prolonged plateaus. Expert estimates for cryptographically relevant quantum computers range from 2030 to 2050+, with the median around 2035-2040.
However, several factors suggest the timeline may compress. Government investment has accelerated dramatically—the U.S., China, and EU have collectively committed over $50 billion to quantum research. Private sector investment exceeds $3 billion annually. The talent pipeline has expanded significantly. And Google’s recent error correction breakthrough suggests the path to fault tolerance may be shorter than previously assumed.
For risk assessment purposes, M31 uses a planning horizon of 10-15 years to cryptographic relevance—aggressive enough to demand action, conservative enough to avoid panic. But we assign meaningful probability (~15%) to the timeline being substantially shorter due to unforeseen breakthroughs.
Exposure Analysis
Not all bitcoin faces equal quantum risk. Analyzing the distribution of exposed versus protected coins reveals the actual scope of vulnerability.
Permanently Exposed: P2PK Addresses
The earliest Bitcoin transactions used Pay-to-Public-Key (P2PK) format, which directly embeds the public key in the transaction output. These addresses have no hash protection—the public key is permanently visible on the blockchain regardless of whether funds have been spent.
Approximately 1.8 million BTC sits in P2PK addresses, including an estimated 1.1 million BTC attributed to Satoshi Nakamoto. These coins are permanently vulnerable to quantum attack with no remediation path other than spending them to a quantum-resistant address before an attacker can act.
The Satoshi coins present a unique dynamic. They have never moved in over 15 years and are widely presumed lost or intentionally locked. A quantum computer capable of breaking ECDSA would enable their theft—potentially crashing confidence in Bitcoin even if the technical response were swift.
Conditionally Exposed: Reused Addresses
Modern Bitcoin addresses use Pay-to-Public-Key-Hash (P2PKH) or newer formats that only expose the public key when funds are spent. However, many users reuse addresses—receiving bitcoin to an address from which they have previously spent. These addresses have exposed public keys and remain vulnerable until funds are moved.
Analysis of the UTXO set suggests approximately 4-5 million BTC sits in addresses with exposed public keys. This represents roughly 20-25% of the total supply and includes many active wallets that simply haven’t followed best practices around address reuse.
| Category | Estimated BTC | % of Supply | Vulnerability |
|---|---|---|---|
| P2PK (Permanently Exposed) | ~1.8M BTC | ~9% | Immediate upon CRQC |
| Reused Addresses | ~3-4M BTC | ~15-20% | Exposed until migrated |
| Fresh Addresses | ~14-15M BTC | ~70% | Mempool attack window only |
The Mempool Attack Vector
Even bitcoin in fresh addresses faces a theoretical attack window. When you broadcast a transaction, your public key becomes visible in the mempool before the transaction confirms. A quantum computer fast enough to derive private keys in minutes could intercept transactions, derive the private key, and broadcast a competing transaction stealing the funds.
This attack requires a CRQC capable of sub-minute key derivation—significantly more demanding than breaking exposed addresses where there is no time pressure. Most analysts consider this attack vector a later-stage concern, but it represents the ultimate limitation of pre-quantum cryptography regardless of address hygiene.
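To make the exposure categories concrete (the P2PK versus P2PKH distinction from The Exposure Window, and the permanent/reused/fresh buckets of the exposure table above), here is an added Python classifier; it is not M31’s code or tooling. It goes slightly beyond the text by also recognising SegWit and Taproot output scripts; a Taproot output carries its tweaked x-only key at rest, so it lands in the same bucket as P2PK. The keys, hashes and amounts in the sample UTXO set are constructed placeholders, not chain data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScriptInfo:
    kind: str
    pubkey_in_output: bool  # True when the key is readable from the UTXO itself
    note: str


def classify_script_pubkey(spk: bytes) -> ScriptInfo:
    """Classify a scriptPubKey by whether it reveals a public key at rest."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); the raw key is in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return ScriptInfo("P2PK", True, "raw public key in output: permanently exposed")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return ScriptInfo("P2PKH", False, "only HASH160(pubkey); key revealed at first spend")
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return ScriptInfo("P2SH", False, "script hash only; keys appear when redeem script is spent")
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return ScriptInfo("P2WPKH", False, "only HASH160(pubkey); key revealed in witness at spend")
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return ScriptInfo("P2WSH", False, "witness script hash only; keys appear at spend")
    # P2TR: OP_1 <32-byte x-only tweaked key>; the tweaked key itself sits in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return ScriptInfo("P2TR", True, "tweaked x-only key in output: exposed like P2PK")
    return ScriptInfo("unknown", False, "non-standard script; classify manually")


def exposure_category(spk: bytes, address_has_spent_before: bool) -> str:
    """Map one UTXO to the brief's buckets: permanent / reused / fresh."""
    info = classify_script_pubkey(spk)
    if info.pubkey_in_output:
        return "permanent"  # only remedy is moving the coins before a CRQC exists
    if address_has_spent_before:
        return "reused"     # pubkey already on chain from an earlier spend
    return "fresh"          # only the mempool window applies


def tally_exposure(utxos):
    """utxos: iterable of (scriptPubKey bytes, spent_before flag, amount in BTC)."""
    totals = {"permanent": 0.0, "reused": 0.0, "fresh": 0.0}
    for spk, spent_before, btc in utxos:
        totals[exposure_category(spk, spent_before)] += btc
    return totals


# Constructed sample UTXO set (placeholder keys and hashes, not real chain data)
PUBKEY = b"\x02" + b"\x11" * 32  # 33-byte compressed key placeholder
H160 = b"\x22" * 20              # 20-byte hash placeholder
XONLY = b"\x33" * 32             # 32-byte x-only key placeholder
SAMPLE_UTXOS = [
    (b"\x21" + PUBKEY + b"\xac", False, 50.0),            # P2PK, early-era output
    (b"\x76\xa9\x14" + H160 + b"\x88\xac", True, 1.5),    # P2PKH, address reused
    (b"\x76\xa9\x14" + H160 + b"\x88\xac", False, 0.25),  # P2PKH, never spent from
    (b"\x00\x14" + H160, False, 0.75),                    # P2WPKH, fresh
    (b"\x51\x20" + XONLY, False, 2.0),                    # P2TR, key visible at rest
]

if __name__ == "__main__":
    for spk, spent, btc in SAMPLE_UTXOS:
        info = classify_script_pubkey(spk)
        print(f"{info.kind:7} {btc:6.2f} BTC -> {exposure_category(spk, spent):9} ({info.note})")
    print(tally_exposure(SAMPLE_UTXOS))
```

Running the sample set yields permanent 52.0, reused 1.5 and fresh 1.0 BTC, mirroring how the table’s buckets are built from individual outputs.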
Live Players
The quantum threat to Bitcoin creates opportunity for two categories of live players: those building quantum computers, and those building quantum-resistant cryptography. Both warrant attention.
Quantum Computing Players
- Google (Live Player · Timeline Signal): Willow chip’s error correction breakthrough represents the most credible path to fault tolerance. If any organization reaches CRQC first, Google is the leading candidate. Not investable directly, but signals timeline compression.
- IBM (Live Player · Public Market): Highest qubit counts and most aggressive public roadmap. Condor (1,121 qubits) and Heron systems show consistent scaling. More transparent than Google about progress and challenges.
- IonQ (Live Player · Public Market): Pure-play quantum computing with a differentiated trapped-ion approach. Higher fidelity per qubit than superconducting competitors. If ion-trap architecture proves superior for error correction, IonQ leads. High-risk, high-reward position.
- Private photonic player (Live Player · Private, watch for IPO): Largest private quantum company ($700M+ raised). Photonic approach could enable room-temperature operation and faster scaling. High conviction internally but limited external validation. GlobalFoundries manufacturing partnership suggests serious execution.
Post-Quantum Cryptography Players
- Post-Quantum (Live Player · Private): Founded 2009—building PQC before it was fashionable. NIST standardization process participant. Enterprise and government clients. If PQC becomes mandatory for financial infrastructure, Post-Quantum is positioned to capture the enterprise transition market.
- QRL (Live Player · Token Market): Purpose-built quantum-resistant blockchain using XMSS signatures. Small market cap, limited adoption, but technically sound implementation. Asymmetric bet: if the quantum threat timeline compresses, QRL captures a flight-to-safety premium.
- Bitcoin Core (Critical Dependency · No Direct Investment): The critical variable. Bitcoin’s decentralized governance makes protocol changes slow and contentious. Post-quantum signature scheme proposals exist, but there is no clear activation path. If Bitcoin Core cannot coordinate an upgrade before CRQC, the vulnerability becomes existential.
The Solutions
The quantum threat is solvable. Post-quantum cryptographic schemes exist that resist both classical and quantum attack. The challenge is implementation—particularly for a decentralized protocol with no central authority to mandate upgrades.
NIST Post-Quantum Standards
In August 2024, NIST finalized its first post-quantum cryptographic standards after an eight-year evaluation process. The selected algorithms—ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium), FN-DSA (FALCON), and SLH-DSA (SPHINCS+) for digital signatures—represent the cryptographic community’s best current answer to quantum threats.
For Bitcoin specifically, the signature schemes are most relevant. SPHINCS+ offers the most conservative security assumptions (based only on hash functions) but produces large signatures (~8-50KB versus ECDSA’s ~72 bytes). Dilithium and FALCON offer smaller signatures (~2-3KB) but rely on lattice-based assumptions that, while extensively studied, have shorter security track records.
| Scheme | Basis | Signature Size | Security Confidence |
|---|---|---|---|
| ECDSA (Current) | Elliptic Curves | ~72 bytes | Quantum-vulnerable |
| SPHINCS+ | Hash Functions | 8-50 KB | Highest (conservative) |
| Dilithium | Lattices | ~2.4 KB | High (newer assumptions) |
| FALCON | Lattices | ~1.3 KB | High (complex implementation) |
Bitcoin’s Upgrade Path
Bitcoin could adopt post-quantum signatures through a soft fork—a backwards-compatible protocol upgrade. Several proposals exist, including QuBit (BIP-360), which would introduce a new address type using post-quantum signatures. The technical path is clear; the governance path is not.
Bitcoin’s consensus-driven upgrade process is designed for conservatism. The Taproot upgrade, a relatively uncontroversial enhancement, took years from proposal to activation. A post-quantum upgrade would be more complex, potentially contentious, and would require coordination across exchanges, wallets, and custodians to be effective.
Bitcoin Post-Quantum Upgrade Requirements
- New Address Format: Introduce PQ-secured addresses (likely via soft fork). Users must actively migrate funds to new addresses.
- Signature Scheme Selection: Community must agree on which PQ scheme(s) to support. Trade-offs between signature size and security assumptions.
- Wallet Ecosystem Update: Hardware wallets, software wallets, exchanges must all support new address types.
- Migration Incentives: Users must be motivated to move funds from legacy addresses. Exposed coins may require special handling.
- Timeline Pressure: Upgrade must complete before CRQC arrival. Current governance velocity suggests this requires starting soon.
The Satoshi Problem
The ~1.1 million BTC in addresses attributed to Satoshi Nakamoto presents a unique challenge. These coins sit in P2PK addresses with permanently exposed public keys. They have never moved and are widely assumed to be inaccessible—either because Satoshi lost the keys, died, or deliberately abandoned them.
A quantum computer capable of breaking ECDSA could spend these coins. This creates several uncomfortable scenarios. The coins could be stolen by a quantum attacker, destroying confidence in Bitcoin’s security. They could be moved by Satoshi themselves using quantum computing, revealing they were waiting for this capability. Or the Bitcoin community could attempt to freeze or burn these coins preemptively—a contentious action that would violate core principles of immutability.
There are no clean solutions. The Satoshi coins represent a structural vulnerability that cannot be patched through protocol upgrades. This is a known unknown that markets are not pricing.
Implications
The quantum threat to Bitcoin generates several investment-relevant implications beyond the direct exposure analysis.
Bitcoin Remains the Central Case
Despite the quantum vulnerability, Bitcoin remains the most important cryptocurrency to assess. It is the largest by market cap, the most decentralized, and the most likely to retain long-term relevance. If Bitcoin successfully navigates the post-quantum transition, it validates the asset class’s resilience. If it fails, the entire digital asset space faces an existential credibility crisis.
The quantum threat is therefore not primarily an argument for alternative cryptocurrencies. It is an argument for paying attention to Bitcoin’s governance capacity and the timeline of post-quantum upgrades.
Governance as Critical Variable
Bitcoin’s decentralized governance—often cited as its greatest strength—becomes a potential weakness in the face of required protocol upgrades. The question of whether Bitcoin can coordinate a post-quantum transition before quantum computers become cryptographically relevant is fundamentally a question about governance capacity.
Monitoring signals include: progress on QuBit or similar proposals, developer consensus on signature scheme selection, exchange and wallet announcements of post-quantum support, and broader community discussion of timeline urgency. Absence of these signals should be interpreted bearishly.
PQC as Infrastructure Investment
Post-quantum cryptography is not a Bitcoin-specific requirement. Every system relying on public-key cryptography—which includes essentially all secure digital communication—faces the same transition requirement. Financial infrastructure, government systems, healthcare, telecommunications—all must migrate to post-quantum standards.
Companies building PQC solutions are positioned to capture a mandatory infrastructure upgrade across the entire digital economy. This is not speculative demand; NIST standards are finalized, and regulatory requirements are beginning to emerge. The PQC transition will happen; the only questions are timeline and market structure.
Quantum Computing as Accelerant
Investment in quantum computing should be viewed partly through the lens of its cryptographic implications. A breakthrough that accelerates the path to CRQC would immediately reprice quantum-vulnerable assets and quantum-resistance solutions. Monitoring quantum computing progress is therefore relevant to any position in digital assets or cryptographic infrastructure.
M31 7-Signal Assessment
Applying the M31 framework to the quantum threat as an investment thesis:
| Signal | Score | Assessment |
|---|---|---|
| Suppression Signal | 55/100 | Mixed. Dismissed by Bitcoin maximalists, hyped by quantum companies and Bitcoin skeptics. Neither full suppression nor consensus acceptance. |
| Scientific Unlock | 8/10 | Mathematics is settled. Shor’s algorithm proven. NIST standards finalized. No scientific uncertainty—only engineering timeline. |
| Political Timing | 7/10 | Governments heavily invested in quantum computing. National security implications of cryptographic breaks. Regulatory pressure for PQC adoption emerging. |
| Historical Pattern | 8/10 | Strong match to prior cryptographic transitions (DES→AES, MD5→SHA). Pattern: long denial, sudden urgency, rushed migration. |
| TAM | 9/10 | All public-key cryptography globally. Bitcoin (~$1T), broader crypto ($2-3T), plus all digital infrastructure requiring PQC migration. |
| Investability | 6/10 | Limited pure-play options. IonQ public. PQC companies mostly private. Indirect exposure through IBM, Google. QRL for asymmetric bet. |
| Timing / Snapback | 5/10 | 10-15 year likely timeline with high uncertainty. Could compress with breakthrough. Early positioning required but patience necessary. |