Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A new quantum countdown website projects a two– the three-year window for quantum computers to break widely used public key cryptography, placement Bitcoin in his purpose
Sites like The Quantum Doom Clock, operated by Postquant Labs and Hadamard Gate Inc., package aggressive guesses about qubit scale and error rates into a timeline covering the late 2020s to early 2030s for a cryptographically relevant quantum computer.
This framing doubles as product marketing for the post-quantum tool, but you need to read the fine print to notice that disclosure.
According to the Quantum Doom ClockRecent resource estimates that compress logical-qubit counts, combined with optimistic hardware error trends, suggest that the physical-qubit class required to break the ECC falls in the range of a few million under favorable models.
Clock presets rely on exponential hardware growth and improving fidelity with scaling, while runtime and error correction costs are treated as surmountable on a short fuse.
Government standards bodies do not treat a break from 2027 to 2031 as a base case.
The US National Security Agency’s CNSA 2.0 guidance recommends that National Security Systems should complete their transition to post-quantum algorithms by 2035, with milestones in place before then, a timeline echoed by the UK’s National Cyber Security Centre.
This requires identifying quantum-sensitive services by 2028, prioritizing high-priority migrations by 2031, and completing them by 2035.
The policy horizon serves as a practical risk compass for institutions that must plan capital budgets, vendor dependencies and compliance programs, involving a multi-year migration arc rather than a two-year cliff.
The lab’s progress is real and relevant, but it doesn’t show the combination of scale, consistency, logic gate quality and T-gate factory production that Shor’s algorithm required at Bitcoin’s breaking parameters.
According to Caltech, a neutral atom array with 6,100 qubits achieved 12.6-second coherence with high-fidelity transport, an engineering step toward fault tolerance rather than a demonstration of low-error logic gates at suitable code distances.
Google’s Willow chip work highlights algorithms and hardware advances on 105 qubits, claiming exponential error suppression with scaling on specific functions. Meanwhile, IBM demonstrated a real-time error correction control loop running on commodity AMD hardware, which is a step toward plumbing systems’ fault tolerance.
None of these set pieces remove the dominant overhead that earlier resource studies identified for classical targets such as RSA and ECC under surface code assumptions.
A widely cited 2021 analysis by Gidney and Ekerå estimated that factoring RSA-2048 in about eight hours would require about 20 million noisy physical qubits at about 10⁻³ physical error rates, underscoring how the distillation factories and code distance total units more than the number of raw devices.
For Bitcoin, the first material vector is key exposure in the chain rather than harvest-now-decrypt-later attacks against SHA-256. According to Bitcoin Optech, outputs that already reveal public keys, such as legacy P2PK, reused P2PKH after spending, and some Taproot paths, will become targets once a cryptographically relevant machine exists.
At the same time, the typical P2PKH remains protected from hashing until it is spent. Key contributors and researchers outline multiple containment and upgrade paths, including signatures once Lamport or Winternitz, P2QRH address formats, and proposals to quarantine or force rotation of insecure UTXOs.
The supporters behind BIP-360 they claim that more than 6 million BTC are held in quantum-exposed outputs through P2PK, SegWit reused, and Taproot, which is best understood as an upper limit by advocates rather than a consensus metric.
The economics of migration matter as much as the physics.
With NIST now finalizing FIPS-203 for key encapsulation and FIPS-204 for signatures, wallets and exchanges can implement the chosen family today.
According to NIST FIPS-204, ML-DSA-44 has a public key of 1,312 bytes and a signature of 2,420 bytes, which are orders of magnitude larger than those of secp256k1.
Under current block constraints, replacing a typical P2WPKH input token with a post-quantum signature and public key would increase the size per input from tens of virtual bytes to several kilobytes. This will compress throughput and push fees higher, unless paired with aggregation, friendly batch verification builds, or commit-reveal models that move data en masse off the hot paths.
Institutions with multiple exposed-pubkey UTXOs have an economic incentive to de-expose and methodically rotate before a scramble concentrates demand in a single fee spike window.
The divergences between an aggressive clock in marketing and institutional roadmaps can be summarized as a set of input hypotheses.
Recent papers that reduce logical qubit counts for factoring and discrete log problems may make a physical qubit target appear a few million closer, but only under assumed physical error rates and code distances that remain beyond what labs demonstrate at scale.
The mainstream lab view reflects stepwise device scaling where adding qubits can erode quality, with a path toward 10⁻⁴ to 10⁻⁵ error rates as the code distance increases.
A conservative reading places material limits, control complexity, and factory T production as frequency limiters that extend times into the 2040s and beyond, without developments.
The policy drumbeat to complete migrations by 2035 aligns more with stepwise and conservative cases than with exponential hardware trajectories.
| Case | Hardware and error path | Physical Qubits for ECC-256* | The first window | Primary sources |
|---|---|---|---|---|
| Aggressive marketing | Exponential qubit growth, errors ≤10⁻³ improving with scaling | A few million | Late 2020 to early 2030 | Quantum Doom Clock |
| Mainstream laboratory | Stepwise scaling, error reduction with code distance | Many millions | Mid 2030s to 2040s | CNSA 2.0, UK NCSC |
| Conservatives | Logistics growth, slower loyalty gains, factory bottlenecks | Tens of millions + | Years 2040 to 2050+ | Quantum Doom Clock |
* Totals depend on surface code distance, logic gate error targets and T-gate distillation throughput. See Gidney and Ekerå (2021).
The forward markers to watch are concrete.
- Peer-reviewed demonstrations of long-lived logic gates, not just memory, at code distances around 25 with logic error rates below 10⁻⁶.
- Practical T-gate distillation factories that provide throughput for algorithms with 10⁶-plus logic qubits.
- Bitcoin Improvement Proposals that advance post-quantum signature pathways from prototype to implementable standard, including formats that keep mass artifacts off the hot trail.
- The public commitments from the big exchanges and the custodians to rotate the exposed results, which would distribute the rate pressure over time.
The utility of the Doom Clock is narrative, compressing uncertainty into urgency that channels a vendor solution.
The risk compass that matters for engineering and capital planning is anchored by the now-finalized NIST standards, government migration deadlines around 2035, and laboratory milestones that will mark true inflection points for fault tolerance.
According to NIST’s FIPS-203 and FIPS-204, the tool path is available today, which means that wallets and services can start exposing keys and testing larger signatures without accepting a two-year premise.
Bitcoin’s hash-then-reveal design choices already delay exposure until it spends time on common paths, and the network’s playbook includes multiple rotation and containment options when credible signals, not vendor clocks, indicate it’s time to proceed.
However, it is worth remembering that when quantum computers make Bitcoin’s encryption vulnerable, other legacy systems are also exposed. Banks, social media, financial applications, and many more will have backdoors left wide open.
The collapse of society is a greater risk than the loss of some crypto if legacy systems are not updated.
For those who argue that Bitcoin updates will be slower than those of banks, etc., remember this, some ATMs and other banking infrastructure around the world are still in operation. Windows XP.
