What Is Q-Day? The Quantum Threat to Bitcoin Explained

Quantum computers can’t break Bitcoin’s encryption today, but new advances from Google and IBM suggest the gap is closing faster than expected. Their progress toward fault-tolerant quantum systems raises the stakes for “Q-Day,” the moment when a sufficiently powerful machine could crack older Bitcoin addresses and expose more than $711 billion in vulnerable wallets.

Upgrading Bitcoin to a post-quantum state will take years, which means the work has to begin long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community has struggled to agree on how best to move forward with a plan.

This uncertainty has led to a lingering dread that a quantum computer that can attack Bitcoin may come online before the network is ready.

In this article, we will look at the quantum threat to Bitcoin and what needs to change to make the number one blockchain ready.

How a quantum attack would work

A successful attack would not look dramatic. A quantum-enabled thief would start by scanning the blockchain for any address that has ever revealed a public key. Old wallets, reused addresses, early miner outputs, and many dormant accounts fall into that category.

The attacker copies a public key and runs it through a quantum computer using Shor’s algorithm. Developed in 1994 by mathematician Peter Shor, the algorithm gives a quantum machine the ability to factor large numbers and solve the discrete logarithm problem far more efficiently than any classical computer. Bitcoin’s elliptic-curve signatures rely on the difficulty of those problems. With enough error-corrected qubits, a quantum computer could use Shor’s method to calculate the private key tied to the exposed public key.

As Justin Thaler, research partner at Andreessen Horowitz and associate professor at Georgetown University, told Decrypt, once the private key is recovered, the attacker can move the coins.

“What a quantum computer could do, and this is what’s relevant to Bitcoin, is forge the digital signatures Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction taking all the Bitcoin out of your accounts, or however you want to think of it, when you did not authorize it. That’s the worry.”

The forged signature would look real to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing on-chain would mark the transaction as suspicious. If an attacker hit a large group of exposed addresses at once, then billions of dollars could move within minutes. Markets would start reacting before anyone ever confirmed that a quantum attack was happening.

Where quantum computing stands in 2025

In 2025, quantum computing finally started to feel less theoretical and more practical.

• January 2025: Google’s 105-qubit Willow chip showed steep error reduction and a benchmark beyond classical supercomputers.
• February 2025: Microsoft rolled out its Majorana 1 platform and reported record logical-qubit entanglement with Atom Computing.
• April 2025: NIST extended superconducting qubit coherence to 0.6 milliseconds.
• June 2025: IBM set targets of 200 logical qubits by 2029 and more than 1,000 in the early 2030s.
• October 2025: IBM entangled 120 qubits; Google confirmed a verified quantum speed-up.
• November 2025: IBM announced new chips and software aimed at quantum advantage in 2026 and fault-tolerant systems by 2029.

Why Bitcoin has become vulnerable

Bitcoin’s signatures use elliptic-curve cryptography. Spending from an address reveals the public key behind it, and that exposure is permanent. In Bitcoin’s early pay-to-public-key format, many addresses published their public keys on-chain even before the first spend. Later pay-to-public-key-hash formats kept the key hidden until the first use.

Because their public keys were never hidden, these oldest coins, including roughly 1 million Satoshi-era Bitcoin, are exposed to future quantum attacks. Switching to post-quantum digital signatures, Thaler said, takes active involvement.

“For Satoshi to protect their coins, they’d have to move them into new post-quantum-secure wallets,” he said. “The biggest concern is abandoned coins, about $180 billion worth, including roughly $100 billion believed to be Satoshi’s. Those are huge sums, but they’re abandoned, and that’s the real risk.”

Adding to the risk are coins tied to lost private keys. Many have sat untouched for more than a decade, and without those keys, they can never be moved into quantum-resistant wallets, making them viable targets for a future quantum computer.

No one can freeze Bitcoin directly on-chain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks.

However, Thaler noted that post-quantum encryption and digital signature schemes come with steep performance costs, since they’re far larger and more resource-intensive than today’s lightweight 64-byte signatures.

“Today’s digital signatures are about 64 bytes. Post-quantum versions can be 10 to 100 times larger,” he said. “In a blockchain, that size increase is a much bigger issue because every node must store those signatures forever. Managing that cost, the literal size of the data, is far harder here than in other systems.”

Paths to protection

Developers have floated several Bitcoin Improvement Proposals to prepare for future quantum attacks. They take different paths, from light optional protections to full network migrations.

• BIP-360 (P2QRH): Creates new “bc1r…” addresses that combine today’s elliptic-curve signatures with post-quantum schemes like ML-DSA or SLH-DSA. It offers hybrid security without a hard fork, but the bigger signatures mean higher fees.
• Quantum-Safe Taproot: Adds a hidden post-quantum branch to Taproot. If quantum attacks become realistic, miners could soft-fork to require the post-quantum branch, while users operate normally until then.
• Quantum‑Resistant Address Migration Protocol (QRAMP): A mandatory migration plan that moves vulnerable UTXOs to quantum-safe addresses, likely through a hard fork.
• Pay to Taproot Hash (P2TRH): Replaces visible Taproot keys with double-hashed versions, limiting the exposure window without new cryptography or breaking compatibility.
• Non-Interactive Transaction Compression (NTC) via STARKs: Uses zero-knowledge proofs to compress large post-quantum signatures into a single proof per block, lowering storage and fee costs.
• Commit-Reveal Schemes: Rely on hashed commitments published before any quantum threat.
  • Helper UTXOs attach small post-quantum outputs to protect spends.
  • “Poison pill” transactions let users pre-publish recovery paths.
  • Fawkescoin-style variants stay dormant until a real quantum computer is demonstrated.

Taken together, these proposals sketch a step-by-step path to quantum safety: quick, low-impact fixes like P2TRH now, and heavier upgrades like BIP-360 or STARK-based compression as the risk grows. All of them would need broad coordination, and many of the post-quantum address formats and signature schemes are still early in discussion.

Thaler noted that Bitcoin’s decentralization—its greatest strength—also makes major upgrades slow and difficult, since any new signature scheme would need broad agreement across miners, developers, and users.

“Two major issues stand out for Bitcoin. First, upgrades take a long time, if they happen at all. Second, there are the abandoned coins. Any migration to post-quantum signatures has to be active, and owners of those old wallets are gone,” Thaler said. “The community must decide what happens to them: either agree to remove them from circulation or do nothing and let quantum-equipped attackers take them. That second path would be legally gray, and the ones seizing the coins likely wouldn’t care.”

Most Bitcoin holders don’t need to do anything right away. A few habits go a long way in reducing long-term risk, including avoiding reusing addresses so your public key stays hidden until you spend, and sticking with modern wallet formats.

Today’s quantum computers aren’t close to breaking Bitcoin, and predictions of when they will vary wildly. Some researchers see a threat within the next five years, others push it into the 2030s, but continued investments could speed up the timeline.