Q-Day: Quantum Threat to Bitcoin
Google and Caltech research shows advances that could let quantum computers break elliptic-curve cryptography, endangering Bitcoin addresses that revealed public keys and about $452 billion in wallets.
Research from Google and Caltech in 2026 reports improvements to methods that attack elliptic-curve cryptography, reducing the qubit count and computational steps needed to run Shor’s algorithm. The papers and related demonstrations have focused attention on a possible “Q-Day,” when a fault-tolerant quantum computer could derive private keys from exposed public keys on the Bitcoin blockchain.
The technical finding is that optimizations to algorithms and hardware progress narrow the gap between current quantum devices and the resources required to break the elliptic-curve signatures Bitcoin uses. Google published a whitepaper in March 2026 detailing algorithmic gains. Caltech released complementary results that reduce resource estimates for the same class of attacks. In 2025 and 2026, several industry milestones occurred: a verified quantum speed-up on a 105-qubit Google processor and an experiment that recovered a simplified elliptic-curve key on a publicly available machine.
A likely attack pattern is “harvest now, decrypt later.” An attacker would scan the blockchain for any address that has ever revealed a public key (older pay-to-public-key outputs, reused addresses and many early miner payments), copy those public keys and later run them through a quantum machine to compute the corresponding private keys. With recovered private keys, an attacker could forge valid signatures, move coins, and create on-chain transactions that appear legitimate to nodes and miners.
Analysts estimate roughly $452 billion sits in wallets whose public keys have been exposed at some point. Experts highlight about $180 billion of those coins as abandoned or effectively inaccessible to owners, including an estimated $100 billion from the earliest era of the network. Funds tied to truly lost private keys are similarly stationary and would remain unmovable unless the owner regains access.
Cryptographers and developers have proposed multiple technical approaches to reduce exposure. Options under discussion include hybrid address formats that combine current elliptic-curve keys with post-quantum signatures; address designs that hide public keys until a spend; migration protocols to move vulnerable outputs to post-quantum addresses; and cryptographic compression using zero-knowledge proofs to shrink larger post-quantum signatures. Smaller changes that do not alter the cryptographic primitives focus on limiting the visibility of public keys until they are spent.
Post-quantum signature schemes are substantially larger than today’s 64-byte ECDSA signatures, often 10 to 100 times bigger. That size increase raises both storage demands and transaction fees because every node stores signature data long term. Any network-wide change would require coordination among developers, miners and users in Bitcoin’s decentralized ecosystem.
Public statements and estimates from researchers have given numerical context to the risk. Justin Drake tweeted an estimate assigning at least a 10% chance that a quantum computer could recover a secp256k1 private key from an exposed public key by 2032. Justin Thaler, a researcher who studies cryptography, warned that a quantum-capable attacker could forge the digital signatures Bitcoin uses and move coins from exposed addresses.
Governments and companies have adjusted policy and funding in response. The U.S. has increased spending on quantum development, France has linked some product certification to quantum-resistant standards, and federal timelines for migrating critical systems to post-quantum cryptography have been accelerated. Cryptocurrency firms and custodians have formed advisory groups and started planning migration strategies.
For ordinary Bitcoin holders, current guidance from developers and researchers emphasizes simple practices that limit future exposure: avoid reusing addresses so public keys remain hidden until a spend and adopt modern wallet formats that minimize on-chain key disclosure. The research findings do not change the present capability of quantum machines to break Bitcoin, but they have shifted technical planning timelines and prompted industry and government responses.
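A holder can check their own outputs against the exposure categories described above. The following is an added example, not code from the article or from any wallet project: it classifies a scriptPubKey by standard type and reports whether the public key is already on-chain or stays hidden until a spend. It goes beyond the article's list by also flagging taproot outputs, whose script carries the output key directly; the function names, status strings and sample scripts are assumptions made for illustration.

```python
# Added example: audit your own outputs for key exposure. Sample scripts are constructed.

def classify_script(spk_hex):
    """Return the standard output type of a scriptPubKey given as hex."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    # Witness programs: version opcode, push length, program
    witness = {b"\x00\x14": "p2wpkh", b"\x00\x20": "p2wsh", b"\x51\x20": "p2tr"}
    if n in (22, 34) and s[:2] in witness and s[1] == n - 2:
        return witness[s[:2]]
    return "nonstandard"

KEY_IN_OUTPUT = {"p2pk", "p2tr"}                   # key is in the script itself
HASH_ONLY = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}   # key or script shown at spend

def audit(utxos, spent_scripts):
    """utxos: [(label, spk_hex)]; spent_scripts: scripts already spent from.
    Returns {label: (type, status)}."""
    spent = {s.lower() for s in spent_scripts}
    report = {}
    for label, spk in utxos:
        kind = classify_script(spk)
        if kind in KEY_IN_OUTPUT:
            status = "exposed: key in output"
        elif kind in HASH_ONLY and spk.lower() in spent:
            status = "exposed: reused after a spend"
        elif kind in HASH_ONLY:
            status = "hidden until spend"
        else:
            status = "review manually"
        report[label] = (kind, status)
    return report

P2PK = "21" + "02" + "11" * 32 + "ac"              # constructed
P2PKH = "76a914" + "22" * 20 + "88ac"              # constructed
P2WPKH_A = "0014" + "33" * 20                      # constructed, never spent from
P2WPKH_B = "0014" + "44" * 20                      # constructed, spent from before
SAMPLE = [("old", P2PK), ("legacy", P2PKH), ("fresh", P2WPKH_A), ("reused", P2WPKH_B)]
REPORT = audit(SAMPLE, spent_scripts={P2WPKH_B})
```

Outputs reported as exposed are the ones to prioritise when moving funds to a fresh, never-used address.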