What Breaks Bitcoin Keys

Bitcoin uses secp256k1 — a 256-bit elliptic curve — for ECDSA and Schnorr signatures. Breaking a Bitcoin private key means solving the elliptic curve discrete logarithm problem for that specific public key. A sufficiently large quantum computer running Shor’s algorithm does this efficiently.

How large? Roetteler et al. (2017) gave us the formula: for an n-bit elliptic curve, Shor’s algorithm requires at most 9n + 2⌈log₂(n)⌉ + 10 logical qubits. For secp256k1 where n = 256:

9(256) + 2(8) + 10 = 2,330 logical qubits.

That’s the number you’ll hear cited — roughly 2,500 logical qubits. It’s directionally correct. But “logical qubits” is doing enormous load-bearing work in that sentence.

Logical qubits are error-corrected abstractions built from thousands of noisy physical qubits. The gap between logical and physical is the whole story. Webber et al. (2022) modeled the physical requirements: breaking a single Bitcoin key within one hour requires approximately 317 million physical qubits. Relax the timeline to 24 hours and you still need around 13 million. The physical-to-logical overhead at current surface code error rates runs roughly 136,000:1.

Where Quantum Computers Are Today

The gap between 2,330 logical qubits and current hardware is enormous.

Gate-based superconducting (IBM, Google): IBM’s Condor chip hit 1,121 physical qubits in 2023. Google’s Willow demonstrated 105 physical qubits with below-threshold error correction in late 2024. These are noisy physical qubits — not the error-corrected logical qubits Shor’s algorithm needs. Best demonstrated logical qubit counts are in the range of 12–50 across platforms.

Trapped-ion (IonQ, Quantinuum): Quantinuum’s H2 system operates at 56 physical qubits with industry-leading two-qubit gate fidelity (99.8%+). IonQ has demonstrated 99.99% two-qubit fidelity on their Tempo system. Higher fidelity means lower error correction overhead — but the systems are still small.

Quantum annealers (D-Wave): 5,000+ qubits, but irrelevant here. Annealers solve optimization problems, not the structured number theory that Shor’s algorithm requires. They don’t factor integers or compute discrete logarithms.

We’re at roughly 10¹ to 10³ noisy physical qubits. We need 10⁷ to 10⁸ physical qubits at current error rates, or a dramatic reduction in error correction overhead.

The Roadmaps

Here’s where it gets less comfortable.

IonQ published an accelerated roadmap targeting trapped-ion scaling: ~256 physical qubits and 12 logical qubits by 2026, ~10,000 physical and 800 logical by 2027 (single-chip architecture via Oxford Ionics 2D traps), modular multi-chip systems with ~20,000 physical and 1,600 logical qubits by 2028, and over 2 million physical qubits with 40,000–80,000 logical qubits by 2030. That 2030 number would be well past the ~2,330 logical qubit threshold for secp256k1.

IBM laid out a detailed path to fault-tolerant quantum computing in June 2025, shifting from surface codes to quantum LDPC codes (which reduce physical qubit overhead by up to 90%). Their milestones: Starling processor with 200 logical qubits and 100 million gates by 2029, then Blue Jay with 2,000 logical qubits and 1 billion gates by 2033. IBM has a strong track record of hitting published hardware deadlines.

Craig Gidney at Google published a result in May 2025 showing 2048-bit RSA can be factored with fewer than 1 million noisy physical qubits in under a week — down from 20 million qubits in his 2021 paper with Ekerå. The algorithmic improvements are compounding. The qubit requirements are dropping faster than the hardware is scaling up.

The convergence window — where hardware capacity meets cryptographic relevance — looks like 2028–2033, not the comfortable 2035+ that many in crypto assume.

What Doesn’t Break

Grover’s algorithm gives a quadratic speedup on brute-force search. Applied to Bitcoin’s 256-bit private key space, it reduces the search from 2²⁵⁶ operations to 2¹²⁸. That sounds dramatic until you do the math: 2¹²⁸ is approximately 3.4 × 10³⁸ operations. At 10 billion quantum operations per second — far beyond any current or projected system — that’s still 10²¹ years. The universe is 1.38 × 10¹⁰ years old. Grover on Bitcoin’s full keyspace takes about 78 billion times the age of the universe.

The “Bitcoin goes to zero overnight” scenario assumes an attacker can sweep all wallets simultaneously. They can’t. Shor’s algorithm breaks a specific public key — the attacker needs your public key, and they need to target your coins specifically. Coins sitting in addresses where the public key has never been revealed (i.e., you’ve never spent from that address) are protected by SHA-256 and RIPEMD-160 hashing on top of the ECC — a quantum attacker would need to crack the hash first, and Grover doesn’t make that feasible.

The quantum risk is targeted, not universal. It’s a sniper rifle, not a bomb.

The Real Timeline Pressure

NIST finalized three post-quantum cryptography standards in August 2024: FIPS 203 (ML-KEM, lattice-based encryption), FIPS 204 (ML-DSA, lattice-based signatures), and FIPS 205 (SLH-DSA, hash-based signatures). Their transition guidance in IR 8547 sets hard dates: all classical public-key algorithms — RSA, ECDSA, EdDSA, ECDH — are deprecated by 2030 and disallowed by 2035. That includes secp256k1.

But vendor roadmaps suggest fault-tolerant machines arrive before the 2035 disallow date. IBM targets 2,000 logical qubits by 2033. IonQ targets 40,000+ logical qubits by 2030. Even accounting for roadmap slippage, the machines likely arrive before the migration deadline.

Then there’s “harvest now, decrypt later.” Nation-state actors are already collecting encrypted traffic and storing it for future decryption. Bitcoin transactions are public by design — every transaction that exposes a public key is already harvestable. The public keys of high-value wallets are sitting in an immutable public ledger, waiting for a sufficiently powerful quantum computer. The clock started the moment those keys were exposed, not the moment a quantum computer boots up.

Bitcoin’s migration to post-quantum signatures needs to start before the machines are ready, not after.

Evidence

  • NIST PQC standards (FIPS 203/204/205, August 2024): NIST announcement
  • NIST IR 8547 deprecation timeline (2030 deprecated, 2035 disallowed): NIST IR 8547

What This Means If You Hold Bitcoin

The practical response isn’t panic — it’s hygiene.

Move coins to fresh addresses. If you’ve ever spent from an address, the public key is on-chain and exposed. Coins in never-spent addresses — where only the hash of the public key has been revealed — are meaningfully safer against quantum attack. This is basic operational security that you should be doing anyway.
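The rule in this paragraph, and the earlier point that Shor needs a revealed public key, as an added Python example (not code from the post or from any Bitcoin software): it walks a constructed toy ledger and flags every output whose controlling key is already visible on-chain, generalizing "have you ever spent from this address" to ledger-wide address reuse, and it treats Taproot (P2TR) outputs as exposed because their script carries the key itself rather than a hash. The placeholder keys, the Tx model and the hash160 fallback are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample keys: these bytes are NOT real secp256k1 points, they
# only stand in for 33-byte compressed public keys so we can hash them.
ALICE_PUB = b"\x02" + b"\x11" * 32
BOB_PUB = b"\x03" + b"\x22" * 32
CAROL_PUB = b"\x02" + b"\x33" * 32
DAVE_XONLY = b"\x44" * 32  # stand-in for a 32-byte Taproot output key


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(x)), the digest behind P2PKH and P2WPKH addresses.
    Assumption for portability: if this Python build's OpenSSL has no
    RIPEMD-160, fall back to a truncated double SHA-256; the exposure
    classification below does not depend on which digest is used."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, vout, pubkey revealed in scriptSig/witness or None)
    outputs: list  # (script kind, payload): pubkey hash for p2pkh/p2wpkh, key for p2tr


def key_exposure(ledger: list) -> dict:
    """Map each output 'txid:vout' to True if the key controlling it is
    already visible on-chain (a Shor target) and False if only its hash is.
    Address reuse is caught ledger-wide: a pubkey revealed by any spend
    exposes every output paying to that pubkey's hash, past or future."""
    revealed = {hash160(pk) for tx in ledger for _, _, pk in tx.inputs if pk}
    exposure = {}
    for tx in ledger:
        for vout, (kind, payload) in enumerate(tx.outputs):
            # A Taproot output script carries the (tweaked) key itself,
            # so no hash shields it even before the output is spent.
            exposure[f"{tx.txid}:{vout}"] = True if kind == "p2tr" else payload in revealed
    return exposure


# Constructed ledger: "fund" pays Alice and Bob; "spend" is Alice spending her
# output (revealing her pubkey) and sending change back to the SAME address.
LEDGER = [
    Tx("fund", [("coinbase", 0, None)],
       [("p2pkh", hash160(ALICE_PUB)), ("p2wpkh", hash160(BOB_PUB))]),
    Tx("spend", [("fund", 0, ALICE_PUB)],
       [("p2pkh", hash160(ALICE_PUB)), ("p2pkh", hash160(CAROL_PUB)), ("p2tr", DAVE_XONLY)]),
]
```

Running `key_exposure(LEDGER)` marks Alice's reused address and the Taproot output as exposed, while Bob's and Carol's hash-only outputs come back safe.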

Watch for Bitcoin Improvement Proposals. Post-quantum signature schemes (lattice-based, hash-based) are actively being researched for Bitcoin. The transition will require a soft fork or hard fork, and it will need broad consensus. The Bitcoin development community is aware of the timeline. This is an upgrade problem, not an unsolvable problem.

Understand the shape of the threat. It’s real, it’s targeted, and it’s time-bounded. An attacker with a cryptographically relevant quantum computer can derive your private key from your exposed public key. They cannot sweep all of Bitcoin. They cannot crack addresses where the public key hasn’t been revealed. They cannot brute-force the keyspace with Grover. The threat is surgical, and the defense is migration.

The Durability Question

I keep coming back to durability. The systems that survive are the ones that plan for threats before they arrive — not the ones that react after the damage is done.

Bitcoin’s strength has never been immutability in the “nothing ever changes” sense. It’s been the ability to upgrade through rough consensus, slowly and deliberately. The transition from P2PKH to SegWit took years of debate and a contentious fork. Post-quantum migration will be harder. The signature schemes are larger, the performance tradeoffs are real, and the consensus process is slower than the hardware roadmaps.

But this is what durable infrastructure looks like — not systems that never face threats, but systems that absorb them and keep running. The quantum threat to Bitcoin is a test of that durability. The numbers say we have time. The roadmaps say not as much as we’d like.