The Quantum Threat to Bitcoin, Explained Simply

Topics: Bitcoin, First Principles; Bitcoin; Security

Author: Ken Liao

Published: April 3, 2026

What happened

On March 31, Google published a paper that got everyone worked up. In short, recovering a Bitcoin private key from its public key would take a quantum computer with roughly 500,000 qubits. Previous estimates said 10 million. That's a 20x drop. (Strictly speaking, Bitcoin doesn't use encryption. What's at risk is the elliptic-curve signature scheme, and the attack is Shor's algorithm solving the discrete logarithm problem on the secp256k1 curve.)

And once your public key is exposed, such a machine could derive your private key from it in about 9 minutes, then sign a transaction that spends your coins.

Sounds scary. But let's zoom out.

The best quantum computers today have a few hundred qubits that stay stable for millionths of a second. This attack needs 500,000 of them holding together for minutes. That's like saying "we figured out you only need a car going 50,000 mph to reach Mars" when the fastest car today does 300 mph. Closer, sure. But not close.

Still, Google is planning to quantum-proof their own systems by 2029. When the people building these machines set that kind of internal deadline, they clearly expect real progress.

What's actually at risk

Not all Bitcoin. It depends on one thing: has your public key been exposed?

Think of it this way. Your Bitcoin address is like a P.O. box number. People can send mail to it, but they can't figure out who owns it. Your public key is your actual name and home address. As long as you never reveal it, nobody can find you. Technically, a classic address is a one-way hash of your public key. Shor's algorithm does nothing against that hash (the quantum speedup for inverting a hash is only quadratic, which doesn't matter at these sizes); it only breaks the step from public key to private key.

The problem is, every time you spend Bitcoin from an address, your public key gets posted on the blockchain, in the transaction's scriptSig or witness, permanently. Anything left sitting at that address, or received there later, is from then on protected only by the elliptic curve. About 6.9 million BTC, roughly 35% of all Bitcoin, sits behind already-exposed public keys. That includes Satoshi's coins (early mining rewards were paid to the raw public key, so the key was on-chain from day one), coins at reused addresses, and coins at newer Taproot addresses, whose output script contains the tweaked public key itself rather than a hash of it.
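To make the distinction concrete, here is an added example (my code, not the article's or any wallet's) that sorts a constructed set of unspent outputs into exposed and hashed by looking at the output script and the address's spend history. The script templates are Bitcoin's standard ones; the addresses, amounts and spend history are constructed, and the address labels are plain strings rather than values derived from the scripts.

```python
# Added example (not from the article): classify constructed UTXOs by whether the
# public key controlling each one is already visible on-chain. Script patterns are
# the standard Bitcoin output templates; everything else here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    address: str          # constructed label; real code would derive it from the script
    script_pubkey: bytes  # the output's locking script
    sats: int             # amount in satoshis


def script_type(spk: bytes) -> str:
    """Recognise the standard output templates by their exact byte layout."""
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"    # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"   # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"     # OP_1 <32-byte tweaked x-only public key>
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"     # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"    # OP_0 <32-byte script hash>
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"     # <33- or 65-byte public key> OP_CHECKSIG
    return "unknown"


def exposure(utxo: Utxo, spent_from: set) -> str:
    """
    'exposed': the public key is already on-chain; a key-recovering machine can work on it.
    'hashed' : only a hash of the key is on-chain; the key appears when you spend.
    'script' : the output commits to a script; exposure depends on what that script holds.
    """
    t = script_type(utxo.script_pubkey)
    if t in ("P2PK", "P2TR"):
        return "exposed"  # the key sits in the output itself
    if t in ("P2PKH", "P2WPKH"):
        # One spend from this address put the key in a scriptSig/witness, which
        # exposes every coin still sitting at the same address.
        return "exposed" if utxo.address in spent_from else "hashed"
    if t in ("P2SH", "P2WSH"):
        return "script"
    return "unknown"


def summarize(utxos: list, spent_from: set) -> dict:
    """Total satoshis per exposure class."""
    totals = {}
    for u in utxos:
        k = exposure(u, spent_from)
        totals[k] = totals.get(k, 0) + u.sats
    return totals


# Constructed sample: zero-filled hashes and keys stand in for real ones.
SAMPLE_UTXOS = [
    Utxo("legacy-reused", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", 150_000_000),
    Utxo("legacy-reused", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", 50_000_000),
    Utxo("segwit-fresh", b"\x00\x14" + bytes(20), 80_000_000),
    Utxo("taproot", b"\x51\x20" + bytes(32), 30_000_000),
    Utxo("satoshi-era", b"\x21\x02" + bytes(32) + b"\xac", 5_000_000_000),
    Utxo("multisig-p2sh", b"\xa9\x14" + bytes(20) + b"\x87", 10_000_000),
]
# The owner spent once from "legacy-reused", so both coins there are now exposed.
SAMPLE_SPENT_FROM = {"legacy-reused"}

if __name__ == "__main__":
    for name, sats in summarize(SAMPLE_UTXOS, SAMPLE_SPENT_FROM).items():
        print(f"{name:8s} {sats / 1e8:14.8f} BTC")
```

P2SH and P2WSH outputs come back as "script" on purpose: whether the keys behind them are exposed depends on the redeem script, which the output alone doesn't show.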

Why you can't just "patch" this

Quantum-resistant signature schemes exist. The problem is they're way bigger.

Bitcoin's current signatures are about 70 bytes (an ECDSA signature is 71 or 72 bytes, a Schnorr signature 64). Think of that as a sticky note. Quantum-resistant alternatives are more like a full-page letter, 35 to 66 times larger.

Bitcoin's block size is intentionally small (capped at 4 million weight units, which works out to somewhere between 1 and 4 MB depending on how much of a block is witness data) so that regular people can verify the entire network on normal hardware. That's what keeps it decentralized. If every signature becomes a full page instead of a sticky note, either you fit far fewer transactions per block (fees skyrocket) or you make blocks bigger (regular people can't verify anymore, and Bitcoin starts looking more like a traditional database).
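As an added illustration of the block-space argument (my code, not the article's), the following models a one-input, one-output native-SegWit transaction under BIP141 weight rules and counts how many fit in a block as the signature grows, using the article's 70-byte, 35x and 66x figures and the 324-byte SHRINCS size it cites further on. Holding the public key at 33 bytes is an assumption that flatters the post-quantum case, since those public keys are larger too.

```python
# Added example (not from the article): BIP141 weight accounting for a simple
# P2WPKH-style spend, used to compare block capacity across signature sizes.
# Non-witness bytes count 4 weight units, witness bytes 1; a block holds
# 4,000,000 weight units. Keeping the public key at 33 bytes is an assumption.

BLOCK_WEIGHT_LIMIT = 4_000_000


def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for a value n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def tx_weight(sig_bytes: int, pubkey_bytes: int = 33, n_inputs: int = 1,
              n_outputs: int = 1, output_script_bytes: int = 22) -> int:
    """Weight of a transaction whose inputs carry <sig> <pubkey> in the witness."""
    # Non-witness: version, input count, inputs (outpoint 36 + empty scriptSig 1 + sequence 4),
    # output count, outputs (value 8 + script length prefix + script), locktime.
    non_witness = (4 + compact_size_len(n_inputs) + n_inputs * (36 + 1 + 4)
                   + compact_size_len(n_outputs)
                   + n_outputs * (8 + compact_size_len(output_script_bytes) + output_script_bytes)
                   + 4)
    # Witness: marker+flag, then per input an item count and two length-prefixed items.
    per_input_witness = (1 + compact_size_len(sig_bytes) + sig_bytes
                         + compact_size_len(pubkey_bytes) + pubkey_bytes)
    witness = 2 + n_inputs * per_input_witness
    return non_witness * 4 + witness


def txs_per_block(sig_bytes: int, **kw) -> int:
    """How many such transactions fit under the block weight limit."""
    return BLOCK_WEIGHT_LIMIT // tx_weight(sig_bytes, **kw)


def compare(sizes: dict) -> dict:
    """Map label -> (weight per tx, txs per block) for each signature size."""
    return {label: (tx_weight(s), txs_per_block(s)) for label, s in sizes.items()}


# Signature sizes the article discusses: today's ~70 bytes, the 35x and 66x
# post-quantum range, and the 324-byte SHRINCS figure.
SIGNATURE_SIZES = {
    "today (70 B)": 70,
    "PQ 35x (2450 B)": 70 * 35,
    "PQ 66x (4620 B)": 70 * 66,
    "SHRINCS (324 B)": 324,
}

if __name__ == "__main__":
    for label, (w, n) in compare(SIGNATURE_SIZES).items():
        print(f"{label:16s} weight {w:5d} WU -> {n:5d} simple txs per block")
```

Even before the larger public key is counted, the 66x case cuts the simple-transaction capacity by more than ten to one, which is the fee pressure the paragraph describes; the 324-byte case lands at a bit over half of today's capacity.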

On top of that, hardware wallets would need redesigns, the hierarchical derivation that turns one seed phrase into all of your keys relies on elliptic-curve arithmetic that post-quantum schemes don't share, and several privacy features Bitcoiners rely on could stop working entirely.

What's being built right now

Builders aren't sitting around. Three things worth knowing about:

BIP 360 is a proposal for a new type of Bitcoin address that works like the current Taproot system but hides your public key until you actually spend. Instead of your key sitting exposed on-chain for years, it's only visible for the minutes a transaction spends in the mempool before it confirms. (That window is not zero: an attacker with a fast enough machine could still derive the key and race the transaction with a higher-fee replacement, which is why swapping the signature scheme is the necessary second step rather than an optional one.) Already merged into Bitcoin's official proposal repository and running on a test network.

SHRINCS is a new signature scheme designed specifically for Bitcoin's tight space constraints. Most quantum-resistant signatures are huge. SHRINCS gets them down to 324 bytes, small enough to actually work on Bitcoin. The tradeoff is that it's stateful: your device has to keep track of which keys it has already used, so that no key ever signs twice. If that tracking gets corrupted (a wallet restored from a backup that doesn't carry the counter, say), a fallback mode kicks in that uses larger signatures to make sure you don't lose your coins.

SHRIMPS solves a related but different problem: how to use this kind of stateful scheme across multiple signing devices without them stepping on each other's key state. It lets you load a single seed backup onto separate devices, each one getting its own slice of the signing keys.
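The article doesn't describe how SHRINCS or SHRIMPS work internally, so the added example below (my code, not theirs) uses a plain Lamport one-time signature, which has the same two properties the text relies on: each key may sign only once, and the key stream can be derived from one seed and split into per-device index slices. The seed, the messages, the device layout and the modelling of the chain as a set of already-used key indices are all constructed.

```python
# Added example (not SHRINCS or SHRIMPS code): a Lamport one-time signature with
# a stateful per-device signer, showing why used-key tracking matters and how a
# shared seed can be split into device slices. Everything here is constructed.
import hashlib

N = 256  # we sign the 256-bit SHA-256 digest of the message, one secret per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes, index: int):
    """One-time key pair number `index`, derived deterministically from the seed
    (a seed backup can regenerate the keys, but not the record of which were used)."""
    sk = [[H(seed + index.to_bytes(4, "big") + bytes([bit]) + i.to_bytes(2, "big"))
           for bit in (0, 1)] for i in range(N)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def ots_sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret on that bit's side."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N and all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


def secrets_revealed(msgs: list) -> int:
    """How many of a key's 2*N secrets signatures on these messages expose. One
    signature reveals exactly N; a second, on a different message, reveals roughly
    half of the remaining N, which is why a one-time key must never sign twice."""
    seen = set()
    for msg in msgs:
        seen.update(enumerate(digest_bits(msg)))
    return len(seen)


class DeviceSigner:
    """A signing device owning key indices [start, end) of a shared seed.
    `next_index` is the state that must survive; it only ever moves forward."""

    def __init__(self, seed: bytes, start: int, end: int):
        self.seed, self.start, self.end = seed, start, end
        self.next_index = start

    def sign(self, msg: bytes):
        if self.next_index >= self.end:
            raise RuntimeError("this device has exhausted its key slice")
        index = self.next_index
        self.next_index += 1  # advance state before the signature leaves the device
        sk, pk = keygen(self.seed, index)
        return index, pk, ots_sign(sk, msg)


def sign_checked(device: DeviceSigner, msg: bytes, published: set):
    """Guard against lost or rolled-back state: refuse if the chain (modelled as the
    set of key indices already seen on it) shows this index was used before."""
    if device.next_index in published:
        raise RuntimeError("one-time key already used on-chain; state is corrupt, take the fallback path")
    index, pk, sig = device.sign(msg)
    published.add(index)
    return index, pk, sig


SEED = b"constructed seed, not a real backup"


def demo() -> dict:
    # Two devices restored from the same seed, each with a disjoint slice of indices.
    phone, laptop = DeviceSigner(SEED, 0, 4), DeviceSigner(SEED, 4, 8)
    published = set()
    i1, pk1, s1 = sign_checked(phone, b"tx 1", published)
    i2, pk2, s2 = sign_checked(laptop, b"tx 2", published)
    # A phone restored from the seed alone starts at index 0 again; the guard catches it.
    restored_phone = DeviceSigner(SEED, 0, 4)
    try:
        sign_checked(restored_phone, b"tx 3", published)
        reuse_blocked = False
    except RuntimeError:
        reuse_blocked = True
    return {"indices": (i1, i2),
            "valid": ots_verify(pk1, b"tx 1", s1) and ots_verify(pk2, b"tx 2", s2),
            "reuse_blocked": reuse_blocked,
            "leaked_after_reuse": secrets_revealed([b"tx A", b"tx B"])}


if __name__ == "__main__":
    print(demo())
```

The `sign_checked` guard is where the text's fallback would hang: once the chain already shows an index as used, the device must not produce another small signature with it, whatever its local counter says.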

The upgrade path

First, hide public keys until spend time. This kills the "sit and wait" attack, where an attacker harvests exposed keys from the chain and cracks them at leisure. (BIP 360, happening now.)

Then, swap in quantum-proof signatures. This kills the "grab it in transit" attack, where an attacker cracks the key in the minutes between broadcast and confirmation and front-runs the transaction with a higher-fee replacement. (SHRINCS and related work, in progress.)

Eventually, move vulnerable coins into new, quantum-safe addresses.

There are still hard questions nobody has clean answers to. What about the coins that can never be moved, like Satoshi's? Do you freeze them? Leave them as future bounties for quantum attackers? Nobody agrees yet.

So should you worry?

No quantum computer today can touch your Bitcoin. The real thing is probably a decade away, maybe more. And real engineering work is happening now, not just research papers.

If you're feeling paranoid and your coins sit behind an exposed public key, moving them to a fresh address you've never spent from wouldn't hurt. Pick a hash-based address type (legacy or native SegWit, not Taproot, since a Taproot address puts the key on-chain the moment you receive), and don't reuse it afterward. With a self-custodial platform like Xverse, that's a 5-minute job.

The quantum threat is real but not imminent. Bitcoin builders are handling it the way Bitcoin handles everything: slowly, carefully, and without rushing into something that breaks more than it fixes. That seems right.
