Cross-Provider Analysis: Quantum Computing Threat to Bitcoin Encryption
Date: April 6, 2026 | Query: Quantum computing timeline, Bitcoin/SHA-256 vulnerability, post-quantum cryptography
Executive Summary
- The quantum threat to Bitcoin's signature layer is real but not imminent. All four providers independently confirm that a cryptographically relevant quantum computer (CRQC) capable of breaking Bitcoin's ECDSA/Schnorr signatures is most likely 5–15+ years away, with expert surveys assigning only single-digit to ~14% probability within 5 years [3]. However, March 2026 research from Google Quantum AI has dramatically compressed theoretical qubit requirements by ~20×, narrowing the engineering gap faster than anticipated [3].
- SHA-256 is not the primary vulnerability. There is near-universal consensus across all providers that Grover's algorithm reduces SHA-256's effective preimage security from 256 to ~128 bits, still computationally infeasible, making Bitcoin's proof-of-work and chain integrity substantially safer than its signature layer [3]. The existential risk is concentrated in ECDSA/Schnorr via Shor's algorithm.
- Approximately 6.7 million BTC (~35% of supply) are immediately at risk on Q-Day. These coins reside in legacy P2PK outputs (including Satoshi's ~1 million BTC), address-reused UTXOs, and Taproot outputs, whose tweaked public key is written into the scriptPubKey when the output is created and is therefore already exposed on-chain [3]. Coins behind hash-based outputs that have never been spent from are exposed only while a spend awaits confirmation; a CRQC that solves a 256-bit key in ~9 minutes could race Bitcoin's 10-minute average block interval during that window [2].
- Bitcoin's migration path exists but is dangerously slow. BIP-360 (Pay-to-Merkle-Root/P2QRH) represents a first step toward quantum resistance, but the BIP's own co-authors estimate a full ecosystem transition could take 7+ years after activation [38]. Google has set a 2029 internal PQC migration deadline [7], while NIST targets 2035 [2] — creating a governance race against an uncertain but accelerating threat.
- The 5–7 year window is a planning horizon, not a predicted attack date. Mosca's theorem says that if X + Y > Z (X = how long keys or data must stay secure, Y = time to migrate, Z = time until a CRQC), migration is already too late, so it must begin well before a CRQC arrives [5]. Given Bitcoin's decentralized governance, the 5–7 year window should be treated as the start of the migration process, not the deadline for completing it.
Cross-Provider Consensus
1. CRQC Is Not Imminent Within 5 Years, But the Timeline Is Accelerating
Providers: OpenAI, Gemini, Grok, Perplexity | Confidence: HIGH
All four providers independently confirm that expert consensus places a practical CRQC in the 2030s–2040s range, not within 5 years. Grok cites specific probability distributions: ~5–14% within 5 years, 19–49% within 10 years, 51–70% within 15 years [2]. OpenAI notes "only a single-digit probability" for the 5-year window [5]. Perplexity frames it as "5–15+ years under most credible scenarios" [1]. Gemini explicitly states "most cryptographers and industry analysts place the arrival of a practical quantum threat in the 2030s to 2040s." All providers simultaneously acknowledge that March 2026 Google research has accelerated the theoretical timeline faster than anticipated [3].
2. SHA-256 Is Not the Critical Vulnerability — ECDSA/Schnorr Is
Providers: OpenAI, Gemini, Grok, Perplexity | Confidence: HIGH
Universal agreement that Grover's algorithm provides only a quadratic speedup against SHA-256, reducing its effective preimage security from 256 to ~128 bits [3]. All providers agree 128-bit quantum security remains computationally infeasible with any foreseeable technology. The critical vulnerability is Shor's algorithm applied to the elliptic curve discrete logarithm problem (ECDLP) underlying ECDSA and Schnorr signatures [2]. Grok adds that even the quadratic speedup on proof-of-work would not meaningfully undermine difficulty adjustment [14].
3. Google's March 2026 Research Dramatically Lowered Qubit Requirements
Providers: OpenAI, Grok, Perplexity (corroborated by Gemini implicitly) | Confidence: HIGH
Three providers explicitly cite the March 2026 Google Quantum AI whitepaper showing optimized circuits requiring ~1,200 logical qubits and ~90 million Toffoli gates — translating to fewer than 500,000 physical qubits in a superconducting architecture with surface-code error correction [3]. This represents a ~20× reduction from prior estimates like Litinski 2023. OpenAI additionally notes a parallel Caltech/OrQonic result suggesting ~26,000 physical qubits in neutral-atom architectures over ~10 days [2]. Grok corroborates both findings [2].
4. ~6.7 Million BTC Are Immediately Vulnerable on Q-Day
Providers: OpenAI, Grok, Perplexity | Confidence: MEDIUM-HIGH
Three providers cite the ~6.7 million BTC figure (~35% of supply) as the upper-bound estimate for coins with already-exposed public keys [3]. This includes P2PK outputs (~1.7 million BTC per Grok [13], a set that contains Satoshi's ~1 million BTC [2]) and address-reused UTXOs. Perplexity appropriately flags this as "plausible as an upper bound" rather than a precise figure [1]. Gemini does not independently quantify this figure, slightly reducing confidence.
5. BIP-360 Is Bitcoin's Primary Quantum-Resistance Proposal, But Insufficient Alone
Providers: OpenAI, Grok | Confidence: HIGH
Both providers confirm BIP-360 (Pay-to-Merkle-Root / P2QRH) as the leading current proposal, introducing a new output type that removes the quantum-vulnerable key-path spend and supports future PQC signature integration [4]. Both note it is explicitly "step one" requiring follow-on BIPs for specific PQC signature schemes. Both estimate a full transition could take 5–7+ years after activation [2]. Gemini and Perplexity acknowledge the upgrade pathway exists without naming BIP-360 specifically.
6. NIST Has Standardized PQC Algorithms; Google Targets 2029 Migration
Providers: OpenAI, Grok, Perplexity | Confidence: HIGH
All three confirm NIST's 2024 standardization of ML-KEM, ML-DSA/Dilithium, and SLH-DSA/SPHINCS+ [36]. All confirm Google's internal 2029 deadline for PQC migration across its authentication services [7], with Grok and OpenAI explicitly noting this is a risk-management deadline, not a prediction that CRQC arrives in 2029 [2].
7. The 10-Minute Block Window Creates a Critical Attack Vulnerability
Providers: OpenAI, Grok, Perplexity | Confidence: HIGH
Three providers independently identify the same attack vector: for hash-based output types (P2PKH, P2WPKH), the public key is first revealed when the spending transaction enters the mempool. If a CRQC can solve a 256-bit key in ~9 minutes [2], it could derive the private key and broadcast a competing transaction before the original is confirmed. This makes the 10-minute block interval a security boundary, not just a performance metric [2]. Two caveats apply: block intervals are exponentially distributed around the 10-minute mean, so a 9-minute solve wins only the races in which the next block is late (roughly 40% of them), and the attacker's replacement must still be relayed and mined in place of the original.
Unique Insights by Provider
OpenAI
- Taproot's quantum exposure is specifically highlighted as among the worst cases. OpenAI uniquely emphasizes that Taproot (BIP-341) key-path spends expose the raw public key directly in the scriptPubKey [9]; in fact the x-only output key is visible from the moment a P2TR output is created, not only when it is spent, so every Taproot output falls in the already-exposed category. This is counterintuitive given Taproot was Bitcoin's most recent major upgrade, and it matters because Taproot adoption has been growing, potentially increasing the vulnerable UTXO set over time.
- The "freezing Satoshi's coins" debate is surfaced. OpenAI uniquely raises the governance controversy around proposals to freeze P2PK outputs (including Satoshi's ~1 million BTC) to prevent quantum theft, noting this would be "extraordinarily controversial" and "against Bitcoin's ethos" [2]. This is a live policy debate with no clean resolution.
- The Caltech/OrQonic 26,000-qubit result in neutral-atom architectures is cited as a parallel March 2026 finding alongside Google's work [2], suggesting the resource compression is not limited to a single research group or architecture.
Gemini
- Explicit framing of Google's 2029 deadline as a risk-management signal, not a CRQC prediction. Gemini most clearly articulates the distinction between a migration deadline and a threat arrival date, cautioning against conflating the two. This is the most important interpretive contribution for non-technical readers who may misread Google's 2029 target as a prediction of imminent cryptographic collapse.
- The "manageable engineering challenge" framing. Gemini uniquely characterizes Bitcoin's PQC migration as a "manageable engineering challenge rather than an existential crisis," providing the most optimistic but grounded counterweight to alarmist narratives. This framing is supported by Bitcoin's demonstrated ability to execute soft forks (SegWit, Taproot).
- Narrative misinterpretation warning. Gemini explicitly flags that "the narrative that Bitcoin will be 'broken' in 5–7 years is largely driven by misinterpretations of quantum research and the conflation of different cryptographic risks" — a media-literacy point absent from other providers.
Grok
- Specific probability distributions from expert surveys. Grok is the only provider to cite quantified probability ranges from the Global Risk Institute's Quantum Threat Timeline Report [2]: ~5–14% within 5 years, 19–49% within 10 years, 51–70% within 15 years. This granularity is essential for risk-weighted decision-making.
- Mosca's Theorem explicitly invoked. Grok is the only provider to formally state Mosca's theorem (X + Y > Z, where X = data lifetime, Y = migration time, Z = time to CRQC) [5], providing the theoretical framework for why organizations must act now even if CRQC is decades away.
- Quantum influence on mining economics flagged as speculative second-order risk. Grok uniquely raises (while appropriately flagging as speculative) the possibility that quantum computing could indirectly affect mining centralization or hashrate economics through confidence shifts [18]. This is a second-order systemic risk not addressed by other providers.
- Specific breakdown of P2PK exposure: ~1.7 million BTC in clear P2PK vs. the broader 6.7 million BTC figure that includes reused addresses [13], providing important granularity for risk stratification.
Perplexity
- NISQ era technical specifications. Perplexity provides the most technically precise characterization of current quantum hardware: 50–300 qubits per chip, error rates of 10⁻³ to 10⁻⁴ per gate, and a ~1,000:1 physical-to-logical qubit overhead for error correction [1]. This grounds abstract claims about "noisy qubits" in concrete engineering parameters.
- Taproot script-path vs. key-path distinction. Perplexity uniquely notes that not all Taproot outputs are spent via the key path and characterizes script-path spends as safer [1], a nuance to the blanket "Taproot is vulnerable" claim. The caveat a practitioner should attach: a P2TR output's tweaked key is on-chain from creation, and a CRQC that recovers its discrete log can satisfy the key path regardless of how the owner intended to spend, so the distinction only helps once key-path spending is removed at the consensus level, which is what BIP-360 proposes.
- Grover's PoW speedup quantified precisely. Perplexity calculates that for a 32-bit target difficulty, Grover's algorithm provides a ~2^16 speedup (~65,000× effective hash rate increase) [1]. While this sounds alarming, it is offset by difficulty adjustment — a nuance other providers mention but don't quantify.
- NIST standardization competition timeline. Perplexity notes the competition ran from 2016–2022 [1], contextualizing the 2024 final standards as the culmination of an 8-year process — relevant for understanding how long Bitcoin's own PQC standardization might take.
Contradictions and Disagreements
Contradiction 1: Current Qubit Counts — How Many Does Google Actually Have?
OpenAI states Google has devices "in the tens or low hundreds of qubits" [1] and Grok specifically cites Google's Willow chip at ~105 qubits [2]. Perplexity, however, states "Google has not yet demonstrated a single chip with >100 qubits in commercial deployment" and suggests "recent systems operate in the 50–70+ qubit range" [1]. This is a direct factual contradiction. Google's Willow chip (announced December 2024) is widely reported at 105 qubits, suggesting Perplexity's figure may be outdated or referring to a different metric (e.g., commercially deployed vs. research systems). Readers should verify against Google's current published hardware specifications.
Contradiction 2: IBM's 1,386-Qubit Target — Achieved or Projected?
OpenAI presents IBM's ~1,386-qubit multi-chip module as a roadmap target [1]. Perplexity explicitly cautions that "the specific target of 1,386 qubits by 2025 should be treated as a planning projection rather than a confirmed 2025 achievement" [1]. This distinction matters significantly: if IBM achieved this milestone, it represents a major step toward the qubit counts needed for cryptographic attacks; if it remains a projection, the gap is larger. No provider confirms actual 2025 achievement. This requires direct verification from IBM's published results.
Contradiction 3: Severity of the 5–7 Year Threat Window
OpenAI and Grok treat the 5–7 year window as a precautionary planning horizon with low probability of actual CRQC arrival [2]. Gemini goes further, explicitly calling the "broken in 5–7 years" narrative a "misinterpretation." However, OpenAI also cites [6] that "some crypto proponents have speculated a sufficiently powerful quantum computer may be able to break ECDSA in as little as 2–5 years" — while calling it an "outlier." The tension is between: (a) the theoretical resource compression shown in March 2026 papers suggesting the algorithmic problem is closer to solved than thought, and (b) the engineering gap remaining enormous. These are not mutually exclusive, but providers weight them differently.
Contradiction 4: BIP-360 Naming Convention
OpenAI refers to BIP-360 as "Pay-to-Merkle-Root (P2MR)" [6]. Grok refers to it as both "P2QRH" (Pay-to-Quantum-Resistant-Hash) and "P2MR" interchangeably [3]. This may reflect genuine evolution in the BIP's naming during drafting, or conflation of related but distinct proposals. Readers should consult the current BIP repository directly to confirm the canonical name and scope.
Contradiction 5: Quantification of At-Risk BTC
Grok distinguishes ~1.7 million BTC in clear P2PK outputs [13] from the broader ~6.7 million BTC figure that includes reused addresses. OpenAI and Perplexity cite the 6.7 million figure without this granular breakdown [9]. The distinction matters for risk assessment, though not in the way it is sometimes framed: both sets have public keys already on-chain and can be attacked at leisure on Q-Day, with no further transaction from the owner required. What differs is remediation: reused-address coins can still be moved to fresh, never-spent-from outputs by their owners before Q-Day, whereas dormant P2PK coins such as Satoshi's have no owner expected to migrate them, which is why the freeze debate centres on that set. Coins that require the owner to spend first are a third category, hash-based outputs that have never been spent from, and they are not part of the 6.7 million figure at all.
Detailed Synthesis
The State of Quantum Hardware: Still NISQ, But Accelerating
As of April 2026, quantum computing hardware remains firmly in the Noisy Intermediate-Scale Quantum (NISQ) era [1]. Leading gate-based systems operate with hundreds to just over a thousand physical qubits, characterized by error rates of 10⁻³ to 10⁻⁴ per gate and no practical quantum error correction at scale [1]. IBM's Heron processor has 133 qubits [1], with roadmap targets for multi-chip modules approaching ~1,386 qubits — though Perplexity cautions this should be treated as a planning projection rather than a confirmed achievement [1]. Google's Willow chip operates at approximately 105 qubits [2], though Perplexity disputes whether this has been demonstrated in commercial deployment.
The critical engineering bottleneck is not raw qubit count but fault-tolerant logical qubits. Perplexity notes that practical quantum error correction requires a physical-to-logical qubit overhead of approximately 1,000:1 or worse [1], meaning a system capable of running Shor's algorithm at cryptographic scale would need millions of physical qubits even if the logical qubit requirement is in the thousands. That overhead is not a constant: it grows with the code distance required, which depends on the physical error rate and on how many logical operations must all succeed. Applied to the ~1,200 logical qubits of the March 2026 estimate, a 1,000:1 overhead gives ~1.2 million physical qubits, whereas that paper's sub-500,000 figure implies closer to ~400:1, so the two numbers embed different hardware assumptions rather than contradicting each other. Grok confirms that error-corrected logical qubits remain at single digits to low tens in breakthrough demonstrations [2], and that scaling to the thousands needed for cryptographic attacks "requires major advances in error correction, coherence, and architecture" [7].
The March 2026 Inflection Point: Google's Resource Compression
The most significant development in the quantum-cryptography threat landscape is the March 2026 Google Quantum AI whitepaper, independently confirmed by OpenAI, Grok, and Perplexity [3]. The paper presents optimized quantum circuits for the elliptic curve discrete logarithm problem requiring approximately 1,200 logical qubits and ~90 million Toffoli gates — translating to fewer than 500,000 physical qubits in a superconducting surface-code architecture, with a runtime of approximately 9 minutes per 256-bit ECC key [2].
This represents a roughly 20× reduction in qubit requirements compared to the Litinski 2023 estimates that had previously anchored expert planning [2]. OpenAI additionally notes a parallel result from Caltech/OrQonic suggesting the attack might be achievable with as few as ~26,000 physical qubits in neutral-atom architectures, at the cost of a ~10-day runtime [2]. Grok corroborates that "other 2025–2026 papers suggest ~10,000–26,000 qubits in neutral-atom systems for ECC-256" [3].
The interpretive challenge is significant: these results demonstrate that the algorithmic problem of breaking ECC is closer to solved than previously thought, but the engineering problem of building a machine with 500,000 high-quality, error-corrected physical qubits remains enormous. As OpenAI notes, "the gap between theoretical breaking of encryption and practical engineering is much narrower than previously assumed" [4] — but it has not closed. Gemini provides the most measured interpretation: Google's 2029 PQC migration deadline is "a risk management deadline, not a prediction of the arrival of a CRQC."
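To make the 1,000:1 versus ~400:1 overhead question concrete, the following added example (written for this report, not code from Google Quantum AI or any provider) applies the standard surface-code heuristics to the page's ~1,200 logical qubits and ~90 million Toffoli gates: the logical error rate of a distance-d patch as 0.1·(p/p_th)^((d+1)/2) with threshold p_th ≈ 1%, and 2d²−1 physical qubits per patch. The model, the 0.5 overall failure budget, and the omission of magic-state factories and routing space are this example's assumptions; it shows how strongly the overhead depends on the physical error rate, and does not reproduce the paper's accounting.

```python
"""Back-of-envelope surface-code overhead for an ECDLP attack.

Heuristic model (an assumption of this example, not the accounting in
the Google paper): the logical error rate per operation of a distance-d
surface code is roughly 0.1 * (p / p_th) ** ((d + 1) / 2), and a rotated
surface-code patch uses about 2*d*d - 1 physical qubits. Distillation
factories and routing space are ignored.
"""

P_TH = 1e-2  # surface-code threshold, ~1% physical error per gate


def logical_error_rate(d: int, p: float, p_th: float = P_TH) -> float:
    """Heuristic logical error rate of a distance-d patch at physical rate p."""
    return 0.1 * (p / p_th) ** ((d + 1) / 2)


def required_distance(p: float, eps_target: float, p_th: float = P_TH,
                      d_max: int = 201) -> int:
    """Smallest odd code distance whose logical error rate meets eps_target."""
    if p >= p_th:
        raise ValueError("physical error rate at or above threshold: no distance suffices")
    for d in range(3, d_max + 1, 2):
        if logical_error_rate(d, p, p_th) <= eps_target:
            return d
    raise ValueError(f"no distance <= {d_max} reaches {eps_target:g}")


def physical_per_logical(d: int) -> int:
    """Physical qubits in one rotated surface-code patch (data + ancilla)."""
    return 2 * d * d - 1


def estimate(p: float, logical_qubits: int, logical_ops: float,
             failure_budget: float = 0.5) -> dict:
    """Distance, per-logical overhead and total physical qubits for a run of
    `logical_ops` error-prone logical operations that must fail with
    probability at most `failure_budget` overall (union bound)."""
    eps = failure_budget / logical_ops
    d = required_distance(p, eps)
    per = physical_per_logical(d)
    return {"distance": d, "overhead": per, "physical_qubits": per * logical_qubits}


if __name__ == "__main__":
    # The page's March 2026 numbers: ~1,200 logical qubits, ~9e7 Toffoli gates.
    for p in (1e-4, 1e-3, 3e-3):
        r = estimate(p, logical_qubits=1200, logical_ops=9e7)
        print(f"p={p:.0e}: d={r['distance']:3d}  {r['overhead']:5d}:1  "
              f"{r['physical_qubits']:,} physical qubits")
```

At p = 10⁻³ the model gives distance 15 and roughly 450:1, in the neighbourhood of the sub-500,000 figure; at 3×10⁻³ the same job needs distance 27 and about 1.75 million physical qubits, which is the regime a "1,000:1 or worse" estimate describes. The qubit count is far more sensitive to the physical error rate than to the logical-qubit count itself.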
Expert Probability Distributions: What the Surveys Actually Say
Grok provides the most granular expert survey data, drawn from the Global Risk Institute's Quantum Threat Timeline Reports [2]: approximately 5–14% probability of CRQC within 5 years, 19–49% within 10 years, and 51–70% within 15 years. OpenAI corroborates that "only a single-digit probability was assigned to encryption-breaking quantum capability in the next ~5 years" and that "roughly half of surveyed quantum specialists thought there's >50% chance within 15 years" [5]. The consensus view, per OpenAI, is "probably not by 2030, but more likely by 2035–2040" [5].
Perplexity frames this as "5–15+ years under most credible scenarios" [1], while Gemini notes that "breakthroughs in error correction could potentially accelerate this timeline." Grok explicitly notes that "timelines have accelerated slightly from prior years due to hardware, error-correction, and algorithmic gains" [2]. The March 2026 Google results will likely shift these probability distributions upward in the next survey cycle, though no provider has yet quantified by how much.
Bitcoin's Cryptographic Architecture: A Tale of Two Vulnerabilities
The Signature Layer (Critical Risk): Bitcoin's ECDSA and Schnorr signatures rely on the elliptic curve discrete logarithm problem on secp256k1. Shor's algorithm solves ECDLP in polynomial time, meaning a sufficiently powerful quantum computer could derive any private key from its corresponding public key [2]. The attack requires the public key to be known. That is already the case for every P2PK output, for every address that has previously spent (the earlier spend reveals the key in its scriptSig or witness), and for every Taproot output, whose tweaked x-only public key is the scriptPubKey itself from the moment the output is created. Hash-based outputs (P2PKH, P2WPKH, P2WSH) that have never been spent from reveal their key only when a spend is broadcast.
OpenAI uniquely highlights that Taproot (BIP-341), Bitcoin's most recent major upgrade, is particularly vulnerable in its key-path spending mode because the raw public key appears directly in the scriptPubKey [9]. Perplexity adds that script-path spends are safer [1]; the caveat is that the output key is on-chain regardless of the intended spend path, so a CRQC that recovers its discrete log can take the key path of any existing P2TR output, and the script-path distinction only protects once key-path spending is removed at the consensus level, which is what BIP-360 proposes. For hash-based outputs the attack window is a single spend's wait for confirmation, nominally Bitcoin's 10-minute block interval, during which a CRQC capable of solving a 256-bit key in ~9 minutes could front-run the transaction [2]. Because inter-block times are roughly exponential around that mean, a 9-minute solver beats the next block in about 40% of attempts, and a faster solver wins most of them.
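The race described in the preceding paragraph, and in consensus point 7 above, can be quantified. The following is an added example for this report (not code from any provider): it assumes block arrivals form a Poisson process with a 600-second mean, so the wait until the next block is exponential and memoryless, and computes the probability that a solver of a given speed beats the block, the solve time needed for a target win rate, and a Monte Carlo cross-check. The Poisson model and the `overhead_s` parameter are this example's assumptions.

```python
"""Key-exposure race: does a CRQC finish before the next block?

Model (this example's assumption, not a claim from the page): block
arrivals form a Poisson process with mean spacing BLOCK_MEAN_S, so the
time until the next block is exponentially distributed and memoryless.
"""
import math
import random

BLOCK_MEAN_S = 600.0  # Bitcoin's 10-minute target spacing, in seconds


def front_run_probability(solve_s: float, mean_block_s: float = BLOCK_MEAN_S,
                          overhead_s: float = 0.0) -> float:
    """P(key recovery plus overhead completes before the next block).

    With exponential inter-block times, P(next block later than t) = exp(-t/mean).
    overhead_s covers everything besides the discrete-log solve: noticing the
    victim's transaction, then building and propagating the replacement.
    """
    if solve_s < 0 or overhead_s < 0 or mean_block_s <= 0:
        raise ValueError("times must be non-negative and the mean positive")
    return math.exp(-(solve_s + overhead_s) / mean_block_s)


def solve_time_for_success(target_p: float,
                           mean_block_s: float = BLOCK_MEAN_S) -> float:
    """Inverse: the slowest solve that still wins a fraction target_p of races."""
    if not 0.0 < target_p < 1.0:
        raise ValueError("target_p must be strictly between 0 and 1")
    return -mean_block_s * math.log(target_p)


def simulate_races(solve_s: float, trials: int, seed: int = 1,
                   mean_block_s: float = BLOCK_MEAN_S) -> float:
    """Monte Carlo cross-check of the closed form: draw block waits and count
    the races in which the block arrives after the solve finishes."""
    rng = random.Random(seed)
    wins = sum(1 for _ in range(trials)
               if rng.expovariate(1.0 / mean_block_s) > solve_s)
    return wins / trials


if __name__ == "__main__":
    for minutes in (9.0, 5.0, 1.0):
        p = front_run_probability(minutes * 60)
        print(f"{minutes:4.1f} min solve: wins {p:.1%} of races")
    print(f"needs <= {solve_time_for_success(0.9):.0f} s solve for a 90% win rate")
    print(f"Monte Carlo at 9 min: {simulate_races(540, 200_000):.3f}")
```

A 9-minute solve beats the next block about 41% of the time; a 90% win rate needs a solve under about 63 seconds, and even a 5-minute solve wins only about 61% of races. "9 minutes beats 10 minutes" therefore overstates the deterministic reading; the memoryless block process is what makes the exposure partial rather than certain for a single spend, while coins behind already-exposed keys face no race at all.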
The Hash Layer (Low Risk): SHA-256 faces a fundamentally different and far less severe quantum threat. Grover's algorithm provides a quadratic speedup on brute-force searches, reducing SHA-256's effective preimage security from 256 bits to ~128 bits [3]. All providers agree that 128-bit quantum security remains computationally infeasible with any foreseeable technology. Perplexity quantifies the PoW speedup precisely: for a 32-bit target difficulty, Grover's algorithm provides a ~2^16 speedup (~65,000× effective hash rate) [1], but Bitcoin's difficulty adjustment would absorb a hashrate step of that size within a few retarget periods and restore the 10-minute cadence (adjustment changes the difficulty, not which miners hold the hashrate). Grok adds that "no known quantum attacks beyond Grover meaningfully threaten Bitcoin's hash-based components" [14].
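To see what "difficulty adjustment absorbs it" means in practice, the following added example (this report's own code, not from any provider) simulates Bitcoin's retarget rule against the ~65,000× (2^16) hashrate step in Perplexity's figure. The rule is reduced to its essentials: every 2016 blocks the difficulty is scaled by expected over actual epoch time, clamped to a factor of 4 in either direction, with hashrate held constant within an epoch. That simplification (Bitcoin's code measures 2015 intervals) is this example's assumption.

```python
"""Difficulty retargeting versus a sudden hashrate step.

Model (this example's assumption, simplified from Bitcoin's rule): every
RETARGET_BLOCKS blocks the difficulty is multiplied by
expected_time / actual_time, clamped to [1/CLAMP, CLAMP]. The epoch is
treated as spanning all 2016 intervals (Bitcoin measures 2015) and the
network hashrate is constant within an epoch.
"""

RETARGET_BLOCKS = 2016
TARGET_SPACING_S = 600
CLAMP = 4.0
EPOCH_TARGET_S = RETARGET_BLOCKS * TARGET_SPACING_S  # 1,209,600 s, two weeks


def simulate_hashrate_step(multiplier: float, tol: float = 1e-9) -> dict:
    """Hashrate jumps by `multiplier` at a retarget boundary; run epochs until
    difficulty has caught up. Difficulty is expressed relative to the pre-jump
    equilibrium, so parity means difficulty == multiplier."""
    if multiplier <= 0:
        raise ValueError("multiplier must be positive")
    difficulty = 1.0
    epochs = 0
    total_s = 0.0
    while abs(difficulty - multiplier) > tol * multiplier:
        # Blocks arrive multiplier/difficulty times faster than the target.
        epoch_s = EPOCH_TARGET_S * difficulty / multiplier
        total_s += epoch_s
        epochs += 1
        ratio = EPOCH_TARGET_S / epoch_s  # expected / actual, equals multiplier / difficulty
        difficulty *= min(CLAMP, max(1.0 / CLAMP, ratio))
    return {
        "epochs": epochs,
        "blocks": epochs * RETARGET_BLOCKS,
        "seconds": total_s,
        "days": total_s / 86400,
    }


if __name__ == "__main__":
    r = simulate_hashrate_step(2 ** 16)  # the page's ~65,000x Grover figure
    print(f"{r['epochs']} retargets, {r['blocks']:,} blocks in {r['days']:.1f} days "
          f"before the 10-minute cadence returns")
```

The clamp means a 2^16 step takes eight retargets to absorb, but each intermediate epoch is short, so the network is back to 10-minute blocks after about 4.7 days, having produced roughly 16,000 blocks in that time (about 112 days' worth of block subsidy). Retargeting restores cadence; it does not change who holds the hashrate, which is the second-order concern Grok raises.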
The At-Risk UTXO Set: Grok provides the most granular breakdown: approximately 1.7 million BTC sit in clear P2PK outputs with permanently exposed public keys [13], while the broader ~6.7 million BTC figure cited by OpenAI and Perplexity [9] includes address-reused UTXOs and other exposure categories. Satoshi Nakamoto's estimated ~1 million BTC, mined in 2009–2010 using P2PK format, are included in the immediately vulnerable category [2]. OpenAI raises the politically charged proposal that these coins might need to be "frozen" to prevent quantum theft, while noting this would be "extraordinarily controversial" and "against Bitcoin's ethos" [2].
The Post-Quantum Cryptography Landscape
NIST completed its multi-year PQC standardization competition in 2024, finalizing ML-KEM (key encapsulation, used to establish shared secrets for encryption), ML-DSA/Dilithium (signatures), and SLH-DSA/SPHINCS+ (signatures) [36]. These algorithms are designed to resist both classical and quantum attacks, being based on problems (structured lattices for ML-KEM and ML-DSA, hash functions for SLH-DSA) believed to be hard for quantum computers.
For Bitcoin specifically, lattice-based or hash-based signatures are the leading candidates [15]. The primary engineering challenge is signature size: a Schnorr signature is 64 bytes and a DER-encoded ECDSA signature roughly 70–72 bytes [15], while PQC signatures run to kilobytes, a meaningful concern for Bitcoin's block space economics and transaction throughput.
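The block-space concern can be put in numbers. The following added example (this report's own code, not from any provider or from BIP-360) computes the weight of a one-input, two-output transaction under BIP-141 accounting (witness bytes count 1 weight unit, other bytes 4, block limit 4,000,000 WU) for a Schnorr key-path spend and for three NIST parameter sets, using the public-key and signature sizes from FIPS 204 (ML-DSA-44: 1,312-byte key, 2,420-byte signature; ML-DSA-65: 1,952 and 3,309) and FIPS 205 (SLH-DSA-SHA2-128s: 32 and 7,856). The witness layout for the PQC cases, a revealed public key followed by the signature as in P2WPKH, is this example's assumption and not the format BIP-360 specifies.

```python
"""Block-space cost of swapping secp256k1 signatures for PQC signatures.

Transaction layout: one input, two outputs with 34-byte (P2TR-style)
scriptPubKeys. Witness bytes weigh 1 WU, everything else 4 WU, and a
block holds 4,000,000 WU (BIP-141). Key and signature sizes are the
FIPS 204/205 parameter sets. The PQC witness layout (public key then
signature, as in P2WPKH) is an assumption of this example.
"""

MAX_BLOCK_WEIGHT = 4_000_000

# name -> (public key bytes, signature bytes, key must be revealed in witness?)
SCHEMES = {
    "schnorr (P2TR key path)": (32, 64, False),
    "ML-DSA-44": (1312, 2420, True),
    "ML-DSA-65": (1952, 3309, True),
    "SLH-DSA-SHA2-128s": (32, 7856, True),
}


def varint_len(n: int) -> int:
    """Size of Bitcoin's CompactSize encoding of n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def tx_weight(pubkey_len: int, sig_len: int, reveal_pubkey: bool,
              n_outputs: int = 2, spk_len: int = 34) -> int:
    """Weight in WU of a 1-input, n-output transaction under BIP-141 rules."""
    # Non-witness part: version(4) + vin count(1) + one input
    # (outpoint 36 + empty scriptSig length 1 + sequence 4) + vout count(1)
    # + outputs (value 8 + script length 1 + script) + locktime(4).
    base = 4 + 1 + 41 + 1 + n_outputs * (8 + 1 + spk_len) + 4
    items = [sig_len] + ([pubkey_len] if reveal_pubkey else [])
    # Witness part: marker+flag(2) + item count(1) + each item (length prefix + data).
    witness = 2 + 1 + sum(varint_len(n) + n for n in items)
    return 4 * base + witness


def vbytes(weight: int) -> float:
    """Virtual size: weight units divided by four."""
    return weight / 4


def txs_per_block(weight: int) -> int:
    """How many transactions of this weight fit in one block."""
    return MAX_BLOCK_WEIGHT // weight


if __name__ == "__main__":
    for name, (pk, sig, reveal) in SCHEMES.items():
        w = tx_weight(pk, sig, reveal)
        print(f"{name:26s} {vbytes(w):8.2f} vB  {txs_per_block(w):5d} tx/block")
```

A key-path Schnorr spend weighs 616 WU (154 vB); the same spend with ML-DSA-44 weighs about 4,289 WU and with SLH-DSA-128s about 8,443 WU, cutting the number of such transactions per block from roughly 6,500 to about 930 and 470 respectively. Because the witness discount already applies, the whole penalty lands in the 1-WU bytes, which is why signature size rather than public-key size dominates the comparison.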
Google has set an internal 2029 deadline for completing PQC migration across its authentication services and products [7], described by Grok as "a concrete deadline" and "risk-management response to faster-than-expected progress" rather than a prediction that CRQC arrives in 2029 [2]. The U.S. government's NIST targets 2035 for federal systems [2]. Cloudflare has also published PQC migration timelines [29].
Bitcoin's Migration Path: BIP-360 and the Governance Challenge
BIP-360 (Pay-to-Merkle-Root / P2QRH) represents Bitcoin's primary current proposal for quantum resistance [4]. The proposal introduces a new output type that removes the quantum-vulnerable key-path spend, forces all spends through tapscript (never a raw public key), and creates a framework for future PQC signature scheme integration [6]. It is explicitly framed as "step one," with follow-on BIPs required for specific PQC signature algorithms [2].
The governance challenge is formidable. Grok notes that "Bitcoin's decentralized governance makes coordination slower" and that proposals "lack broad consensus" and "lack funding equivalent to other ecosystems" [2]. BIP-360's own co-authors estimate a full ecosystem transition could take 7 years after activation [38]. Perplexity contextualizes this against NIST's own 8-year standardization process (2016–2024) [1]. Grok invokes Mosca's theorem to argue that organizations must begin migration well before CRQC is expected [5] — a principle that applies to Bitcoin's community governance as much as to enterprise IT.
Short-term mitigations available today include avoiding address reuse, using fresh addresses for each transaction, and monitoring exposed keys [18]. Long-term mitigation requires the soft fork pathway, wallet software upgrades, user education, and backward compatibility management during transition [18].