Bitcoin preps for quantum risk
Developers in the Bitcoin community are accelerating preparations for quantum‑computing threats after new research suggested the timeline may be sooner than expected, and some analysts say quantum resistance in 5–10 years could enable a stronger long‑term cycle. The debate frames quantum hardening as a governance and protocol transition problem with long‑dated market implications. (en.coin-turk.com, en.bloomingbit.io)
Bitcoin’s quantum problem used to live in the category of someday. Then Google moved it closer. On March 31, Google Quantum AI published a whitepaper arguing that the elliptic-curve cryptography used by Bitcoin could be broken with far fewer quantum resources than earlier estimates assumed. The paper says Shor’s algorithm could solve the secp256k1 problem with roughly 1,200 to 1,450 logical qubits, and on a fast superconducting machine that could translate to fewer than 500,000 physical qubits and a runtime measured in minutes. Google did not claim such a machine exists now. It claimed the gap is smaller than people had been assuming. That is why Bitcoin developers stopped treating quantum risk as a distant theory and started talking about migration.

The danger is not that Bitcoin’s hash function suddenly fails. It is that Bitcoin signatures depend on a public-key system that quantum computers are built to attack. Once a public key is exposed, a powerful enough machine could work backward to the private key and steal the coins. That creates two different problems. One is old coins whose public keys are already visible on-chain. The other is “on-spend” attacks, where a user broadcasts a transaction, reveals a public key in the process, and gives an attacker a short window to race them before confirmation. Google’s paper sharpened that second threat by arguing that the first useful machines for this job would likely be fast-clock systems, not the slower architectures people often imagine.

Bitcoin has been circling this issue for a while. A May 2025 report from Chaincode Labs estimated that 20% to 50% of bitcoin in circulation could be vulnerable under a cryptographically relevant quantum threat, with about 6.26 million BTC in its executive summary and a broader range of 4 million to 10 million BTC across scenarios. The report split the problem into long-range attacks against permanently exposed keys and short-range attacks against transactions in flight.
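The long-range versus short-range split described above comes down to whether an output already carries a public key on-chain or only a hash of one. The Python below is an added illustration, not code from the article, Google’s paper, or the Chaincode report, and its UTXO data is constructed filler. It parses a raw scriptPubKey, labels the standard template it matches, and buckets value by exposure: P2PK and Taproot outputs count as long-range exposed because both place a public key directly in the output, while hash-locked outputs (P2PKH, P2SH, P2WPKH, P2WSH) count as short-range exposed unless the assumed `address_reused` flag records that an earlier spend already revealed the key.

```python
"""
Classify Bitcoin outputs by how their public key is exposed to a quantum attacker.
Added illustration (not from the article or the reports it cites); all UTXO data
below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Script opcodes that appear in the standard output templates
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160 = 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC

LONG_RANGE = "long-range"    # public key already visible on-chain
SHORT_RANGE = "short-range"  # key revealed only at spend time (on-spend race)
UNKNOWN = "unknown"


def classify_script(script: bytes) -> Tuple[str, str]:
    """Return (script_type, exposure) for a raw scriptPubKey."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the key itself sits in the output
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "p2pk", LONG_RANGE
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", SHORT_RANGE
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[:2] == bytes([OP_HASH160, 0x14]) and script[-1] == OP_EQUAL:
        return "p2sh", SHORT_RANGE
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and script[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh", SHORT_RANGE
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and script[:2] == bytes([OP_0, 0x20]):
        return "p2wsh", SHORT_RANGE
    # P2TR: OP_1 <32-byte x-only output key> -- the key-path key is on-chain
    if n == 34 and script[:2] == bytes([OP_1, 0x20]):
        return "p2tr", LONG_RANGE
    return UNKNOWN, UNKNOWN


@dataclass
class Utxo:
    script_hex: str
    value_sat: int
    address_reused: bool = False  # assumed flag: an earlier spend already revealed the key


def exposure_of(utxo: Utxo) -> str:
    """Hash-locked outputs become long-range exposed once their address has been spent from."""
    _, exposure = classify_script(bytes.fromhex(utxo.script_hex))
    if exposure == SHORT_RANGE and utxo.address_reused:
        return LONG_RANGE
    return exposure


def summarize(utxos: List[Utxo]) -> Dict[str, int]:
    """Total satoshis per exposure class."""
    totals = {LONG_RANGE: 0, SHORT_RANGE: 0, UNKNOWN: 0}
    for u in utxos:
        totals[exposure_of(u)] += u.value_sat
    return totals


def sample_utxos() -> List[Utxo]:
    """Constructed outputs; the key/hash bytes are filler, not real addresses."""
    return [
        Utxo("21" + "02" + "11" * 32 + "ac", 50 * 100_000_000),     # early P2PK-style output
        Utxo("76a914" + "22" * 20 + "88ac", 1 * 100_000_000),        # P2PKH, never spent from
        Utxo("0014" + "33" * 20, 2 * 100_000_000),                   # P2WPKH
        Utxo("5120" + "44" * 32, 3 * 100_000_000),                   # Taproot output key on-chain
        Utxo("76a914" + "55" * 20 + "88ac", 4 * 100_000_000, True),  # P2PKH with address reuse
        Utxo("0020" + "66" * 32, 5 * 100_000_000),                   # P2WSH
    ]


if __name__ == "__main__":
    for exposure, sats in summarize(sample_utxos()).items():
        print(f"{exposure:12s} {sats / 100_000_000:10.2f} BTC")
```

The classification is deliberately conservative: every Taproot output is counted as long-range exposed because its 32-byte output key is on-chain regardless of whether the owner intends a key-path spend, and a P2WSH output is counted as short-range only because its script (and any keys inside it) stays hidden until the spend. Against the sample set, 57 BTC lands in the long-range bucket and 8 BTC in the short-range bucket, which is the kind of split a migration plan has to reason about: the first bucket can only be protected by moving the coins, the second by shortening or eliminating the confirmation race.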
It also made the ugly part plain: some of the most exposed coins are exactly the ones least likely to move, including early outputs and lost funds. That turns a cryptography problem into a governance problem, because if owners can migrate, Bitcoin can adapt. If they cannot, the network has to decide what to do with coins that a quantum attacker could seize but their original owners will never touch. That is the argument developers keep calling, in blunt terms, burn versus steal. Do nothing, and a future attacker may loot dormant outputs and dump the proceeds into the market. Intervene, and Bitcoin has to violate its usual instinct that valid old coins remain spendable forever. There is no elegant answer hiding here. There is only a choice about which rule change does less damage.

That is why the most serious work now is not about magic quantum-proofing. It is about transition machinery. One proposal now in the Bitcoin Improvement Proposal repository, BIP 360, sketches a new output type called Pay to Merkle Root, or P2MR, designed to support more flexible spending conditions and post-quantum migration paths. It is not a complete fix for every attack surface. It is a scaffold for moving funds into safer constructions without trying to swap out Bitcoin’s entire cryptographic base in one leap. Other proposals go further and contemplate deadlines, freezes, or forced migration for especially old and exposed outputs. The common theme is that the hard part is no longer inventing a signature scheme. The hard part is getting a conservative network to coordinate around one.

That coordination will take years, which is exactly why the timeline matters now. Chaincode Labs argued in 2025 that the most plausible window for cryptographically relevant quantum computers was 2030 to 2035, while warning that breakthroughs could pull that forward. Google’s new paper did not put a date on Bitcoin’s failure. It did something more important. It made the engineering target look finite.
And once a threat has numbers attached to it, Bitcoin can no longer pretend it is philosophical. The network has to decide how coins move from exposed addresses to safer ones before the first machine that can steal them arrives.