In short
- Today’s quantum computers are too small and unstable to threaten real-world cryptography.
- The first Bitcoin wallets with exposed public keys are more at risk in the long term.
- Developers are exploring post-quantum signatures and potential migration paths.
Quantum computers can’t break Bitcoin’s encryption today, but new advances from Google and IBM suggest the gap is closing faster than expected. Their progress toward fault-tolerant quantum systems raises the stakes for “Q-Day,” the moment when a powerful enough machine could crack older Bitcoin addresses and expose more than $711 billion in vulnerable portfolios.
Updating Bitcoin to a post-quantum state will take years, which means the work will have to begin long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community has struggled to agree on how best to move forward with a plan.
This uncertainty has led to a lingering fear that a computer capable of attacking Bitcoin could be online before the network is ready.
In this article, we look at the quantum threat to Bitcoin and what needs to change to make the number one blockchain ready.
How a quantum attack might work
A successful attack would not look dramatic. A quantum-enabled thief would start by scanning the blockchain for any address that has ever revealed a public key. Old wallets, reused addresses, early mining rewards, and many dormant accounts fall into this category.
The attacker copies a public key and runs it through a quantum computer using Shor’s algorithm. Developed in 1994 by mathematician Peter Shor, the algorithm gives a quantum machine the ability to factor numbers and solve the discrete logarithm problem much more efficiently than any classical computer. Bitcoin’s elliptic curve signatures rely on the difficulty of those problems. With enough error-corrected qubits, a quantum computer could use Shor’s method to calculate the private key linked to the exposed public key.
As Justin Thaler, research fellow at Andreessen Horowitz and associate professor at Georgetown University, told Decrypt, once the private key is recovered, the attacker can move the coins.
“What a quantum computer could do, and this is what is relevant to Bitcoin, is forge the digital signatures that Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction to take all the Bitcoin from your accounts, or however you want to think of it, when you didn’t authorize it. That’s the concern.”
The forged signature would look real to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing in the chain would mark the transaction as suspicious. If an attacker hit a large group of exposed addresses at once, billions of dollars could move in minutes, and markets would start to react before anyone had confirmed that a quantum attack had occurred.
Where quantum computing stands in 2025
In 2025, quantum computing is finally starting to feel less theoretical and more practical.
- January 2025: Google’s 105-qubit Willow chip showed a steep error reduction and a benchmark beyond classical supercomputers.
- February 2025: Microsoft launched its Majorana 1 platform and reported a logical-qubit entanglement record with Atom Computing.
- April 2025: NIST extended superconducting qubit coherence to 0.6 milliseconds.
- June 2025: IBM set targets of 200 logical qubits by 2029 and over 1,000 in the early 2030s.
- October 2025: IBM entangled 120 qubits; Google confirmed a verified quantum speedup.
- November 2025: IBM announced new chips and software targeting quantum advantage in 2026 and fault-tolerant systems by 2029.
Why Bitcoin has become vulnerable
Bitcoin signatures use elliptic curve cryptography. Spending from an address reveals the public key behind it, and that exposure is permanent. In Bitcoin’s original pay-to-public-key format, many addresses published their public keys on the chain even before the first spend. Later pay-to-public-key-hash formats kept the key hidden until the first use.
Because their public keys were never hidden, the oldest coins, including about 1 million Satoshi-era Bitcoin, are exposed to future quantum attacks. Moving to post-quantum digital signatures, Thaler said, requires active participation from the owner.
“For Satoshi to protect their coins, they will have to move to new post-quantum-secure wallets,” he said. “The biggest concern is the abandoned coins, worth about $180 billion, including about $100 billion believed to be Satoshi’s. These are huge sums, but they are abandoned, and that’s the real risk.”
Adding to the risk are coins linked to lost private keys. Many have been untouched for more than a decade, and without those keys, they can never be moved into quantum-resistant wallets, making them viable targets for a future quantum computer.
No one can freeze Bitcoin directly on the chain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks.
However, Thaler noted that post-quantum encryption and digital signature schemes come with high performance costs, as they are much larger and more resource intensive than today’s lightweight 64-byte signatures.
“Today’s digital signatures are about 64 bytes. Post-quantum versions can be 10 to 100 times larger,” he said. “In a blockchain, that increase in size is a much bigger problem because each node must store those signatures forever. The management of this cost, the literal size of the data, is much more difficult here than in other systems.”
Roads for protection
Developers have floated several Bitcoin Improvement Proposals to prepare for future quantum attacks. They take different paths, from optional light protections to complete network migrations.
- BIP-360 (P2QRH): Create new “bc1r…” addresses that combine today’s elliptic curve signatures with post-quantum schemes like ML-DSA or SLH-DSA. It offers hybrid security without a hard fork, but larger signatures mean higher fees.
- Taproot Quantum-Safe: Add a hidden post-quantum branch to Taproot. If quantum attacks become realistic, miners could soft-fork to require the post-quantum branch, while users operate normally until then.
- Quantum Resistant Address Migration Protocol (QRAMP): A mandatory migration plan that moves vulnerable UTXOs to quantum-safe addresses, likely through a hard fork.
- Pay to Taproot Hash (P2TRH): Replaces visible Taproot keys with double-hashed versions, limiting the exposure window without new cryptography or breaking compatibility.
- Non-interactive transaction compression (NTC) via STARKs: Use zero-knowledge proofs to compress large post-quantum signatures into a single proof per block, reducing storage and fee costs.
- Commit-Reveal Schemes: Rely on hashed commitments published before any quantum threat exists.
- Helper UTXOs: Attach small post-quantum outputs to protect spends.
- “Poison pill” transactions: Allow users to pre-publish recovery paths.
- Fawkescoin-style variants: Remain dormant until a true quantum computer is demonstrated.
Taken together, these proposals chart a step-by-step path to quantum security: quick, low-impact fixes like P2TRH now, and heavier upgrades like BIP-360 or STARK-based compression as the risk grows. All would require extensive coordination, and many of the post-quantum address formats and signature schemes are still under discussion.
Thaler noted that Bitcoin’s decentralization — its greatest strength — also makes major updates slow and difficult, as any new signature scheme would require broad agreement among miners, developers and users.
“Two major problems stand out for Bitcoin. First, updates take a long time, if they happen at all. Second, there are abandoned coins. Any migration to post-quantum signatures must be active, and the owners of those old wallets are gone,” said Thaler. “The community must decide what will happen to them: either agree to remove them from circulation or do nothing and let quantum-equipped attackers take them. This second path would be legally gray, and those who take the coins probably do not care.”
Most Bitcoin holders don’t need to do anything right away. A few habits go a long way in reducing risk in the long run, including avoiding reusing addresses so your public key stays hidden until you spend, and sticking with modern wallet formats.
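The two exposure rules above (pay-to-public-key and Taproot outputs put the key on chain from the start; hash-based outputs reveal it at the first spend, which is why address reuse matters) can be turned into a simple self-audit. The script below is an added example, not code from the article or any Bitcoin project: it classifies output scripts by type, decides whether the key behind each unspent output is already visible, and totals the value at risk; the UTXO rows, amounts and the Utxo fields are constructed assumptions.

```python
"""Quantum key-exposure audit over a set of unspent outputs (added example).

A key is exposed once it is on chain: P2PK outputs publish it directly,
P2TR publishes the tweaked output key, and hash-based outputs (P2PKH,
P2WPKH) reveal it the first time the owner spends, hence the reuse rule.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    script_pubkey: str           # hex-encoded output script
    value_btc: float
    previously_spent_from: bool  # owner has already signed with this key

def classify(script_hex: str) -> str:
    s = bytes.fromhex(script_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk"    # <pubkey> OP_CHECKSIG: key published in the output
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh"   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"  # OP_0 <20-byte key hash>
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "p2tr"    # OP_1 <32-byte x-only key>: key visible on chain
    return "unknown"

def exposure(u: Utxo) -> str:
    kind = classify(u.script_pubkey)
    if kind in ("p2pk", "p2tr"):
        return "exposed"
    if kind == "unknown":
        return "unknown"
    return "exposed" if u.previously_spent_from else "hidden"

def audit(utxos):
    totals = {}  # BTC per exposure class, e.g. {"exposed": 52.25, "hidden": 2.25}
    for u in utxos:
        cls = exposure(u)
        totals[cls] = round(totals.get(cls, 0.0) + u.value_btc, 8)
    return totals

# Constructed sample set: the scripts and amounts are made up, not real UTXOs.
SAMPLE_UTXOS = [
    Utxo("41" + "04" + "11" * 64 + "ac", 50.0, False),  # early P2PK coinbase
    Utxo("76a914" + "22" * 20 + "88ac", 1.5, False),    # fresh P2PKH, key hidden
    Utxo("76a914" + "55" * 20 + "88ac", 0.25, True),    # reused P2PKH, key revealed
    Utxo("0014" + "33" * 20, 0.75, False),              # fresh P2WPKH, key hidden
    Utxo("5120" + "44" * 32, 2.0, False),               # Taproot, output key visible
]
```

Running `audit(SAMPLE_UTXOS)` on the constructed set reports 52.25 BTC as already exposed and 2.25 BTC still behind a hash.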
Today’s quantum computers are nowhere near breaking Bitcoin, and predictions of when that will change vary widely. Some researchers see a threat within the next five years, others push it into the 2030s, but continued investment could speed up the timeline.