For years, quantum computing has served as cryptocurrency’s favorite doomsday scenario, a distant but existential threat that periodically resurfaces whenever a lab announces a qubit milestone.
The narrative follows a predictable arc where researchers achieve some incremental breakthrough, social media erupts with “Bitcoin is dead” predictions, and the news cycle moves on.
NIST has already standardized quantum-secure signature schemes, such as SLH-DSA, and Bitcoin can adopt these tools through soft-fork upgrades long before any quantum machine poses a genuine threat.
His comment reframes quantum risk from an unsolvable catastrophe into a solvable engineering problem with a multi-decade runway.
That distinction matters because Bitcoin’s actual vulnerability isn’t where most people think, as the threat doesn’t come from SHA-256, the hash function that secures the mining process. It comes from ECDSA and Schnorr signatures on the secp256k1 elliptic curve, the cryptography that proves ownership.
A quantum computer running Shor’s algorithm could solve the discrete logarithm problem on secp256k1, deriving a private key from a public key and invalidating the entire ownership model.
In pure mathematics, Shor’s algorithm renders elliptic curve cryptography obsolete.
But mathematics and engineering exist in different universes. Breaking a 256-bit elliptic curve requires somewhere between 1,600 and 2,500 logical, error-corrected qubits.
Each logical qubit demands thousands of physical qubits to maintain coherence and correct errors.
It is essential to consider where quantum hardware actually stands. Caltech’s neutral-atom system operates around 6,100 physical qubits, but these are noisy and lack error correction.
The gap between current capability and cryptographic relevance spans several orders of magnitude, not a small incremental step, but a chasm that requires fundamental breakthroughs in qubit quality, error correction, and scalability.
NIST’s own post-quantum cryptography explainer states this plainly: no cryptographically relevant quantum computer exists today, and expert estimates for its arrival vary so widely that some specialists think “less than 10 years” remains a possibility. In contrast, others place it firmly past 2040.
The median view clusters around the mid-to-late 2030s, making Back’s 20-to-40-year window conservative rather than reckless.
Back’s “Bitcoin can add over time” comment points toward concrete proposals already circulating among developers.
A single UTXO becomes spendable under either scheme, allowing for a gradual migration rather than a hard cutoff.
Academic work dating back to 2017 has already recommended similar transitions. A 2025 preprint from Robert Campbell proposes hybrid post-quantum signatures, where transactions carry both ECDSA and PQ signatures during an extended transition period.
The user-side picture reveals why this matters. Roughly 25% of all Bitcoin, between four and six million BTC, sits in address types where public keys are already exposed on-chain.
Early pay-to-public-key outputs from Bitcoin’s first years, reused P2PKH addresses, and some Taproot outputs all fall into this category. These coins become immediate targets once Shor on secp256k1 becomes practical.
Modern best practice already provides substantial protection. Users who employ fresh P2PKH, SegWit, or Taproot addresses without reusing them benefit from a critical timing advantage.
For these outputs, the public key remains hidden behind a hash until the first spend, compressing the attacker’s window to run Shor within the mempool confirmation period, measured in minutes rather than years.
The migration job isn’t starting from scratch, it’s building upon existing good practices and transitioning legacy coins into safer structures.
NIST also standardized XMSS and LMS as stateful hash-based schemes, with the lattice-based Falcon scheme in the pipeline.
Bitcoin developers now have a menu of NIST-approved algorithms, along with reference implementations and libraries.
Bitcoin-focused implementations already support BIP-360, indicating that the post-quantum toolbox exists and continues to mature.
The protocol doesn’t need to invent brand-new mathematics, it can adopt established standards that have undergone years of cryptanalysis.
Post-quantum signatures also consume more resources than their classical counterparts, raising questions about transaction sizes and the economics of fees.
But these represent engineering problems with known parameters, not unsolved mathematical mysteries.
The near-term threat is investor sentiment, rather than the technology of quantum computing itself.
When examining what actually drove Bitcoin’s movement throughout 2024 and 2025, going through ETF flows, macroeconomic data, regulation, and liquidity cycles, quantum computing rarely appears as a proximate cause.
CPI prints, ETF outflow days, and regulatory shocks drive price action, while quantum computing generates headlines.
Even articles sounding the loudest alarms about “25% of Bitcoin at risk” frame the threat as years away while emphasizing the need to start upgrading now.
The framing consistently lands on “governance and engineering problem” rather than “sell immediately.”
Bitcoin’s quantum story isn’t really about whether a cryptographically relevant quantum computer arrives in 2035 or 2045. It’s about whether the protocol’s governance can coordinate upgrades before that date becomes relevant.
Every serious analysis converges on the same conclusion that the time to prepare is now, precisely because migration takes a decade, not because the threat is imminent.
The question that will determine Bitcoin’s quantum resilience is whether developers can build consensus around BIP-360 or similar proposals, whether the community can incentivize migration of legacy coins without fracturing, and whether communication can stay grounded enough to prevent panic from outrunning physics.
In 2025, quantum computing poses a governance challenge that necessitates a 10- to 20-year roadmap, rather than a catalyst that will dictate this cycle’s price action.
Physics advances slowly, and a roadmap is visible.
Bitcoin’s role is to adopt PQ-ready tools well before the hardware arrives, and to do so without the governance gridlock that can turn a solvable problem into a self-inflicted crisis.
