A new quantum countdown website projects a two– to three-year window for quantum computers to break widely used public key cryptography, placing Bitcoin within its scope.
Sites like The Quantum Doom Clock, operated by Postquant Labs and Hadamard Gate Inc., package aggressive assumptions about qubit scaling and error rates into a timeline that spans the late 2020s to early 2030s for a cryptographically relevant quantum computer.
This framing doubles as product marketing for post-quantum tooling, but you need to read the fine print to notice that disclosure.
The clock’s presets rely on exponential hardware growth and improving fidelity with scale, while runtime and error-correction overheads are treated as surmountable on a short fuse.
The U.S. National Security Agency’s CNSA 2.0 guidance recommends that National Security Systems should complete their transition to post-quantum algorithms by 2035, with staged milestones before then, a cadence echoed by the UK National Cyber Security Centre.
This requires identifying quantum-sensitive services by 2028, prioritizing high-priority migrations by 2031, and completing them by 2035.
The policy horizon serves as a practical risk compass for institutions that must plan capital budgets, vendor dependencies, and compliance programs, implying a multi-year migration arc rather than a two-year cliff.
Laboratory progress is real and relevant, yet it does not exhibit the combination of scale, coherence, logical gate quality, and T-gate factory throughput that Shor’s algorithm would require at Bitcoin-breaking parameters.
According to Caltech, a neutral-atom array with 6,100 qubits has reached 12.6-second coherence with high-fidelity transport, an engineering step toward fault tolerance rather than a demonstration of low-error logical gates at proper code distances.
Google’s Willow chip work highlights algorithmic and hardware advances on 105 qubits, claiming exponential error suppression with scale on specific tasks. Meanwhile, IBM has demonstrated a real-time error-correction control loop running on commodity AMD hardware, which is a step toward systems plumbing fault tolerance.
None of these set pieces removes the dominant overheads that prior resource studies identified for classical targets like RSA and ECC under surface code assumptions.
A widely cited 2021 analysis by Gidney and Ekerå estimated that factoring RSA-2048 in about eight hours would need roughly 20 million noisy physical qubits at around 10⁻³ physical error rates, underscoring how distillation factories and code distance drive totals more than raw device counts.
For Bitcoin, the earliest material vector is key exposure on-chain rather than harvest-now-decrypt-later attacks against SHA-256. According to Bitcoin Optech, outputs that already reveal public keys, such as legacy P2PK, reused P2PKH after spend, and some Taproot paths, would become targets once a cryptographically relevant machine exists.
At the same time, typical P2PKH remains protected by hashing until it is spent. Core contributors and researchers track multiple containment and upgrade paths, including Lamport or Winternitz one-time signatures, P2QRH address formats, and proposals to quarantine or force rotation of insecure UTXOs.
With NIST now finalizing FIPS-203 for key encapsulation and FIPS-204 for signatures, wallets and exchanges can implement the chosen family today.
According to NIST FIPS-204, ML-DSA-44 has a 1,312-byte public key and a 2,420-byte signature, which are orders of magnitude larger than those of secp256k1.
Under current block constraints, replacing a typical P2WPKH input witness with a post-quantum signature and public key would increase the per-input size from tens of virtual bytes to multiple kilobytes. This would compress throughput and push fees higher unless paired with aggregation, batch-verification-friendly constructs, or commit-reveal patterns that move bulk data off hot paths.
Institutions with many exposed-pubkey UTXOs have an economic incentive to de-expose and rotate methodically before a scramble concentrates demand into a single fee spike window.
The divergences between a marketing-aggressive clock and institutional roadmaps can be summarized as a set of input assumptions.
Recent papers that reduce logical-qubit counts for factoring and discrete log problems can make a few-million physical qubit target appear closer, but only under assumed physical error rates and code distances that remain beyond what labs demonstrate at scale.
The mainstream lab view reflects stepwise device scaling where adding qubits can erode quality, with a path toward 10⁻⁴ to 10⁻⁵ error rates as code distance grows.
A conservative read places material limits, control complexity, and T-factory throughput as rate limiters that extend timelines into the 2040s and beyond, absent breakthroughs.
The policy drumbeat to complete migrations by 2035 aligns more with the stepwise and conservative cases than with exponential hardware trajectories.
*Totals depend on surface code distance, logical gate error targets, and T-gate distillation throughput. See Gidney and Ekerå (2021).
The Doom Clock’s utility is narrative, compressing uncertainty into urgency that funnels to a vendor solution.
The risk compass that matters for engineering and capital planning is anchored by NIST standards now finalized, government migration deadlines around 2035, and the lab milestones that would mark real inflection points for fault tolerance.
According to NIST’s FIPS-203 and FIPS-204, the tooling path is available today, which means wallets and services can start de-exposing keys and testing larger signatures without accepting a two-year doomsday premise.
Bitcoin’s hash-then-reveal design choices already delay exposure until spending time on common paths, and the network’s playbook includes multiple rotation and containment options when credible signals, not vendor clocks, indicate it’s time to proceed.
It is, however, worth remembering that when quantum computers make Bitcoin’s cryptography vulnerable, other legacy systems are also exposed. Banks, social media, finance apps, and much more will have backdoors left wide open.
Societal collapse is a bigger risk than losing some crypto if legacy systems are not updated.
