The risk of Bitcoin's cryptography being crackable with a quantum computer in the near-term just escalated dramatically. While it isn't time for the coin's developers to scramble to implement protections just yet, its biggest-ever threat is now undeniably much nearer than it ever was before.
Craig Gidney’s recent paper titled "How to factor 2048 bit RSA integers with less than a million noisy qubits" recalculates Shor’s algorithm resources, showing that under one million physical qubits could factor a 2048-bit RSA key -- an astronomical reduction from prior estimates that called for ~20 million qubits to accomplish the same task.
The threat is serious enough that BlackRock, the world’s largest asset manager, updated its Bitcoin ETF prospectus to single out quantum computing as a material risk, warning:
“if quantum computing advances sufficiently, the cryptography underlying the Bitcoin network could become ineffective, potentially compromising wallets and resulting in losses to shareholders,”
Treating this as a distant possibility is reckless. Here's what the research shows and what it means for Bitcoin’s encryption risk.
Quantum Computing’s Sudden Acceleration
Gidney’s paper proposes a 95% reduction in the physical-qubit overhead for RSA-2048. According to ComputerWeekly, a 1 million qubit machine at those error rates could break RSA-2048 in roughly a week. Google’s Willow chip provides 105 qubits with low crosstalk and a surface-code roadmap hinting at scalable logical-qubit growth.
Institutional risk models once assumed a gradual S-curve, suggesting that the risk of a cryptographic threat to Bitcoin would be negligible before 2030, moderate by 2035, and critical by around 2040. Gidney’s optimization erases 95% of the qubit overhead overnight, and Microsoft’s early-2025 lattice-surgery improvements reduced gate depth on Shor-type workloads. Yet engineering challenges remain: error correction typically demands thousands of physical qubits per logical qubit.
This renewed focus on hardware breakthroughs and algorithmic refinements has energized investors, who increasingly see quantum computing not as a distant curiosity but as a near-term business opportunity. The industry’s funding landscape reflects this pivot, and capital is flowing faster as timelines compress. VC for quantum startups rebounded above $5 billion in 2024 after dipping in 2023.
The synthesis is that there's now more capital and faster labs, all animated by tighter timelines.
The implications of quantum advances are especially alarming for Bitcoin’s cryptography. Investors and developers alike are scrambling to understand which of these vulnerabilities will surface first, and how quickly, once the quantum thresholds are crossed.
The Math Behind ECDSA’s “Moat”
Both RSA’s integer-factor problem and ECC’s discrete-log problem reduce to period finding, which is the core subroutine Shor’s algorithm leverages, so it applies equally to cracking RSA-2048 and ECDSA-256.
Gidney's prior analysis from 2019 had estimated that roughly 20 million physical qubits could break a single ECDSA-256 key within 24 hours at 1% error rates, which is significantly higher than the 13 million figure sometimes attributed elsewhere.
Algorithm | Qubits Required (Physical) | Time to Break | Source | Gap vs. Willow (105 qubits) |
---|---|---|---|---|
Factor RSA-2048 | 1,000,000 | < 1 week | Gidney (2025) | ~ 9,500× |
Break ECDSA-256 | 20,000,000 | ~ 1 day | Ekerå & Gidney (2019) | ~ 190,000× |
One key thing to appreciate here is that the starting assumptions for these calculations matter -- and that's putting it very lightly. Ekerå & Gidney’s ECDSA estimate presumes error rates drop from approximately 1% to 0.1%. A breakthrough, such as a topological qubit design for example, could reduce that even further.
The takeaway here is that timelines are probability clouds, not calendar appointments. The prevailing estimates of the probabilities involved are themselves very fluid (and likely inaccurate) in the grand scheme of things.
What Fails First? Wallets, Exchanges, or the Chain Itself
Most crypto addresses conceal public keys until a spend reveals them; addresses reused across multiple transactions expose those keys on-chain, allowing a quantum adversary to extract the private key the moment it appears.
Multisig wallets raise the bar but remain vulnerable if any signer’s key is unrotated. Custodial hot wallets that rotate keys only weekly leave a week-long attack window.
Early-failure scenarios include:
Sweeping Reused-Address UTXOs: Once a reused address reveals its public key, a quantum adversary could broadcast a spending transaction preemptively
Exchange Withdrawal Front-Running: If an exchange uses the same public key to sign withdrawals at predictable intervals, a quantum adversary could preemptively sweep funds
A cascading failure could resemble “Mt. Gox in reverse” wherein coins vanish not through operational missteps or mismanaged liquidity but rather cryptographic sudden death. Consensus rules would remain intact, but balances would evaporate.
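As an added illustration (not code from the article), the following Python sketch audits a constructed, simplified transaction set for the exposure this section describes: unspent outputs sitting at an address whose public key has already been revealed by an earlier spend. The transaction model, the address derivation and the keys are all constructed for the example; real Bitcoin uses HASH160 and bech32/base58 encoding, and real pubkeys are extracted from witnesses or scriptSigs.

```python
import hashlib
from dataclasses import dataclass, field

def address_of(pubkey_hex: str) -> str:
    """Simplified stand-in for HASH160 + address encoding: the address commits
    to a hash of the public key, so the key itself stays hidden until spent."""
    return "addr_" + hashlib.sha256(bytes.fromhex(pubkey_hex)).hexdigest()[:16]

@dataclass
class TxIn:
    prev_txid: str
    prev_index: int
    pubkey: str  # the public key revealed in the witness/scriptSig when spending

@dataclass
class TxOut:
    address: str
    value_sat: int

@dataclass
class Tx:
    txid: str
    inputs: list = field(default_factory=list)
    outputs: list = field(default_factory=list)

def exposed_utxos(txs):
    """Map (txid, index) -> (address, value) for every unspent output whose
    address has already revealed its public key in some spend on the chain."""
    utxos = {(tx.txid, i): o for tx in txs for i, o in enumerate(tx.outputs)}
    for tx in txs:
        for inp in tx.inputs:
            utxos.pop((inp.prev_txid, inp.prev_index), None)  # drop spent outputs
    exposed = {address_of(inp.pubkey) for tx in txs for inp in tx.inputs}
    return {k: (o.address, o.value_sat) for k, o in utxos.items() if o.address in exposed}

def exposed_value_sat(txs):
    """Total value that a key-recovering adversary could sweep today."""
    return sum(v for _, v in exposed_utxos(txs).values())

# Constructed sample chain (hypothetical keys, not real Bitcoin data).
ALICE = "02" + "11" * 32
BOB = "03" + "22" * 32
CAROL = "02" + "33" * 32
CHAIN = [
    Tx("tx1", [], [TxOut(address_of(ALICE), 100_000), TxOut(address_of(BOB), 50_000)]),
    # Alice spends tx1:0 (revealing ALICE) and sends change back to the SAME address.
    Tx("tx2", [TxIn("tx1", 0, ALICE)],
       [TxOut(address_of(ALICE), 60_000), TxOut(address_of(CAROL), 30_000)]),
]

if __name__ == "__main__":
    for (txid, idx), (addr, val) in exposed_utxos(CHAIN).items():
        print(f"EXPOSED {txid}:{idx} {addr} {val} sat -- sweep to a fresh key")
```

Bob's coins and Carol's fresh address never reveal a key, so only Alice's reused change output is flagged; the same scan over a real UTXO set is what the "Address-Reuse Ban" and sweep advice later in the article amount to.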
Building a Post-Quantum Bitcoin
Although the timeline for quantum threats remains uncertain, the Bitcoin developer community has begun taking preemptive steps to defend against potential quantum attacks. This forward-looking approach aims to minimize the risk of catastrophic losses by adopting a layered defense strategy that includes protocol upgrades, key management improvements, and adoption of post-quantum cryptographic standards.
Multiple mitigation paths are already under development:
QRAMP Hard Fork: Draft BIP forces UTXO migration into post-quantum addresses on a defined schedule; CoinDesk’s April 5 2025 report explains the proposal
Hybrid Signatures (ECDSA + Dilithium / Kyber): Combining classical ECDSA with a lattice-based scheme lets nodes verify both within one script. Early tests show < 5 percent performance degradation but roughly double signature sizes
Transport-Layer Defense (BIP 324): Encrypting peer-to-peer handshakes hides public keys; BIP 324 merged in late 2024 and targets mid-2025 activation
NIST Post-Quantum Standards: NIST in 2025 finalized the FIPS standards for post-quantum encryption and for Dilithium signatures; these algorithms offer clear migration paths
These mitigation strategies illustrate a range of technical and organizational responses to the looming quantum threat. Some approaches are relatively mature and could be deployed quickly, while others remain in the research or testing phases, each presenting its own trade-offs in terms of implementation complexity, user adoption, and impact on network security.
The table below summarizes these efforts, highlighting their current maturity, lead actors, key hurdles, and anticipated short-term impact.
Mitigation Path | Maturity | Lead Actors | Key Hurdle | Short-Term Impact |
---|---|---|---|---|
QRAMP Hard Fork | Draft BIP (pre-proposal-stage) | Independent Devs | Achieving network consensus | High when activated |
Hybrid Signatures | Testnet | BTQ & Community | Signature-size bloat | Medium |
Transport-Layer Defense (BIP 324) | Activated in 2023 but opt-in | Bitcoin Core | Client upgrades | Medium (network privacy) |
Pay-to-Lattice Script | Research | University Labs | Audit tooling & standards | Low (est. 3 years to deploy) |
Address-Reuse Ban | Ready | Wallet Software | User inertia | High for exposed UTXOs |
Custodian Key Rotation (per block) | Pilot | Exchanges | Withdrawal latency & UX | Medium |
These strategies range from immediate (address hygiene) to multi-year (protocol changes). Rotating keys on every spend, shortening settlement windows, or leveraging Lightning’s sub-day finality can mitigate Bitcoin encryption risk now, albeit with some additional overhead that might not pay off for years.
Choose Your Mitigation Path Now
BlackRock’s amended IBIT prospectus warns that “if quantum computing advances sufficiently, the cryptography underlying the Bitcoin network could become ineffective, potentially compromising wallets and resulting in losses to shareholders.” Its risk horizon of five to seven years aligns with other estimates placing a fully fault-tolerant, million-qubit machine between 2028 and 2032.
However, scaling from Willow’s 105 qubits to 1,000,000 qubits requires roughly 13.2 doublings (105 × 2¹³ ≈ 860,000), not nine. If hardware complexity doubled annually, which would be a pace unseen since 2015, it would still take around 13 years, placing RSA vulnerability around 2038.
That estimate omits yield, error-correction overhead, new cooling technology, and other engineering factors, suggesting a conservative window of 2035 to 2040. But with focused investment and effort, hardware-based obstacles can sometimes be quickly overcome. Ignoring these nuances risks underpreparing.
Here's the immediate checklist for what to do:
Self-Custody Owners: Sweep any coin whose public key is already exposed into a new post-quantum address as soon as such addresses exist
Wallet Users: Pressure vendors for concrete Dilithium or Falcon integration dates; avoid addresses lacking PQC support as soon as it's technically feasible to do so
Exchanges: Rotate signing keys at least hourly (weekly is obsolete)
Developers & Investors: Track Willow’s successors and public performance benchmarks (logical-qubit counts)
All Stakeholders: Contribute to open-source PQC tooling (audits, reference libraries, hardware-wallet firmware)
Many scientific and financial organizations, including the National Academies and McKinsey, still expect a large-scale quantum computer capable of breaking RSA or ECDSA no earlier than 2032–2040, citing unresolved engineering bottlenecks in error-rate suppression, cryogenic scaling, and fabrication yield. Yet Gidney’s and Ekerå’s optimizations suggest better timelines if breakthroughs persist.
The bottom line here is that Bitcoin is not doomed, but complacency needs to be put to rest, and soon. Cryptographic confidence is the bedrock of Bitcoin’s value; if that erodes, markets will price in quantum risk long before the first large-scale quantum computer arrives. Decide now whether quantum defense is optional or existential. Markets won’t wait.
Sources:
Noisy quantum hardware could crack RSA-2048 in seven days, ComputerWeekly (2025-05-29)
Meet Willow, our state-of-the-art quantum chip, Google Blog (2024-12-09)
Google says it has cracked a quantum computing challenge with new chip, Reuters (2024-12-09)
Steady progress in approaching the quantum advantage, McKinsey & Company (2024-04-24)
Peer-to-Peer Encryption (BIP 324), Bitcoin Improvement Proposals
Quantum Computing: Progress and Prospects, National Academies (2024)