Q-Day: Quantum advances heighten risk to early Bitcoin wallets

Caltech and Google papers show quantum advances may let future quantum computers recover private keys from exposed Bitcoin public keys, raising risk to early and dormant wallets.

Two research papers published in March 2026 from Caltech (with startup Oratomic) and Google report methods that reduce the qubit count and computational steps needed to run Shor’s algorithm, narrowing estimates for when a fault-tolerant quantum computer could break the elliptic-curve cryptography Bitcoin uses today. The work focuses on circuit and hardware optimizations that affect the resources required for key recovery.

Shor’s algorithm can solve the discrete-logarithm problem underlying Bitcoin signatures. An attacker aiming to exploit a quantum device would scan the blockchain for addresses that have revealed their public keys (older pay-to-public-key outputs, reused addresses and some early miner payouts) and run the public key through a quantum circuit to recover the matching private key. With the private key, an attacker can produce signatures that appear valid to Bitcoin nodes and miners and move the funds without any on-chain marker showing a theft.

Google reported a verified quantum speed-up on a 105-qubit processor called Willow, and Caltech described a neutral-atom qubit system in which atoms are trapped and controlled with lasers. The papers together tightened prior estimates for the size and error rates a quantum machine would need to execute Shor’s algorithm reliably. Researchers say the hardware available today remains noisy and lacks the error correction required for a practical attack.

Security researchers have quantified the risk. Justin Drake wrote on social media that there is “at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key.” Justin Thaler, a researcher at Andreessen Horowitz and Georgetown University, cautioned that a recovered private key would allow an attacker to authorize transactions without the owner’s consent, and he emphasized that abandoned coins increase exposure.

Estimates cited by researchers point to a substantial stock of vulnerable coins from Bitcoin’s earliest years. Some figures describe roughly one million early-era bitcoins and about $180 billion in coins tied to lost or inactive keys as particularly exposed because their public keys are already on-chain and their owners cannot move them into quantum-resistant wallets.

Developers have proposed several technical responses. Proposals range from hybrid address formats that combine current elliptic-curve signatures with post-quantum schemes, to adding a hidden post-quantum branch inside Taproot that could be activated by a soft fork, to mandatory migration plans such as BIP-361 that would freeze coins that fail to migrate. Other ideas include replacing visible Taproot keys with double-hashed values to limit public-key exposure and compressing larger post-quantum signatures with zero-knowledge proofs to lower storage costs.

Post-quantum signature schemes are larger than today’s signatures; researchers note they can be 10 to 100 times bigger than a 64-byte signature. That size increase affects block weight, transaction fees and long-term storage for full nodes. Any migration would require broad coordination among miners, developers, wallet providers and users, and some proposals would need a network-wide protocol change.

For most holders, immediate changes are not required. Wallet hygiene that reduces long-term exposure includes avoiding address reuse so public keys remain hidden until a spend and using modern wallet formats that minimize key exposure. Researchers and developers say planning and testing migration paths and post-quantum signature implementations should continue now, since organizing and deploying any large-scale upgrade can take years.
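A holder can check which of their own outputs already expose a public key by looking at the output script type. The sketch below is an added example, not code from the article or any wallet project: it classifies standard scriptPubKey templates and flags pay-to-public-key and Taproot outputs (key visible in the output) and reused hashed addresses. The `spent_before` flag and the sample scripts are assumptions constructed for illustration; in practice the flag would come from the wallet's own transaction history.

```python
# Added example. All scripts below are constructed placeholders, not chain data.

def classify_script(script_hex):
    """Map a scriptPubKey (hex) to its standard output type."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <push 20> <hash160> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh"
    # SegWit v0: OP_0 <push 20> (P2WPKH) or OP_0 <push 32> (P2WSH)
    if s[:2] == b"\x00\x14" and n == 22:
        return "p2wpkh"
    if s[:2] == b"\x00\x20" and n == 34:
        return "p2wsh"
    # Taproot: OP_1 <push 32> <x-only output key>
    if s[:2] == b"\x51\x20" and n == 34:
        return "p2tr"
    return "unknown"

def exposure(script_hex, spent_before=False):
    """Return (type, status). spent_before: this script was already spent from once."""
    kind = classify_script(script_hex)
    if kind in ("p2pk", "p2tr"):
        return kind, "exposed: key is in the output script"
    if kind == "unknown":
        return kind, "review manually"
    if spent_before:
        return kind, "exposed: key revealed by an earlier spend"
    return kind, "hidden until spend"

# Constructed wallet snapshot: (label, scriptPubKey hex, spent_before)
SAMPLE_UTXOS = [
    ("early-p2pk", "41" + "04" + "11" * 64 + "ac", False),
    ("fresh-p2pkh", "76a914" + "22" * 20 + "88ac", False),
    ("reused-p2wpkh", "0014" + "33" * 20, True),
    ("taproot", "5120" + "44" * 32, False),
]

def audit(utxos):
    return {label: exposure(script, reused) for label, script, reused in utxos}

if __name__ == "__main__":
    for label, (kind, status) in audit(SAMPLE_UTXOS).items():
        print(f"{label:14} {kind:7} {status}")
```

Outputs reported as exposed are the ones to prioritize when a migration path becomes available; hashed outputs that have never been spent from keep their key off-chain until the first spend.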
