Every few months a headline claims that a quantum computer is about to break Bitcoin and crash the entire market. The reality is calmer, but also more interesting. The threat is real and worth taking seriously, yet Bitcoin is not at risk "tomorrow". In this article we explain what exactly is vulnerable, how much BTC is genuinely at risk, when the so-called Q-Day might arrive and what you can do about it today.
What is actually at risk in Bitcoin
Bitcoin rests on two cryptographic pillars, and quantum computers affect each of them differently.
The first is the ECDSA signature scheme on the secp256k1 curve. This is what proves the coins belong to you. It is the weak spot. A quantum algorithm called Shor's algorithm can, in theory, derive a private key from a public key. And the private key is everything: whoever holds it holds your coins.
The second pillar is the SHA-256 hash function, which Bitcoin uses for mining and for generating addresses. Here the situation is completely different. Weakening SHA-256 would rely on Grover's algorithm, which only offers a quadratic speedup. In practice a meaningful attack would require on the order of 10^23 qubits and energy on the scale of a star. That is beyond any imaginable technology. Mining and the network itself are therefore safe. The real threat concerns signatures, not hashing.
Why this matters already today
If Q-Day is years away, why worry about it now? Because of a principle called "harvest now, decrypt later".
Bitcoin is a public ledger. Every transaction is recorded forever and visible to anyone. The moment you first send coins from an address, your public key is revealed on the blockchain. An attacker can store it today and wait until they have a quantum computer powerful enough to use it. Your coins are therefore not at risk at the moment of attack, but from the moment your public key first appears on the network.
How much BTC is genuinely vulnerable
Not all coins are in the same position.
The most exposed are old P2PK addresses, which have the public key written directly into the transaction. This includes most of the coins mined by Satoshi Nakamoto. We are talking about roughly 1.7 million BTC that have sat untouched for years.
The second group is reused addresses. Once you send coins from an address and then keep receiving more to it, its public key is exposed forever. Many people used addresses this way for years.
According to data from March 2026, more than 34% of all BTC in circulation sits in addresses with exposed public keys. That is not a small number. Addresses you have never spent from, where the public key stays hidden behind a hash, are in a far better position for now.
Where the hardware stands today
This is the reassuring part. The most powerful quantum computers in 2026 have on the order of 1,500 qubits, and these are noisy physical qubits with high error rates.
Breaking 256-bit ECDSA would, according to March 2026 estimates from Google Quantum AI, require under 500,000 physical qubits and roughly up to 1,200 logical qubits. That is less than previously thought, yet we are still tens of thousands of times below that threshold.
The Q-Day Prize competition from Project Eleven illustrates this nicely. In April 2026 a researcher broke a 15-bit key on real quantum hardware and won a 1 BTC reward. It sounds alarming until you realise Bitcoin uses 256 bits. The difference between 15 and 256 bits is not linear but exponential. It is a chasm, not a step.
When Q-Day might realistically arrive
Q-Day is the moment a quantum computer can reliably break today's cryptography. Most researchers place it in the 2030s at the earliest, and many consider even that optimistic.
The plans of major players are a useful reference point. Google has set a goal of moving to post-quantum cryptography by 2029. NIST has a broader transition horizon extending to 2035. The European Union wants quantum-resistant critical infrastructure by 2030. In other words, none of the serious actors expects an attack tomorrow, but all of them are preparing years in advance.
How Bitcoin is defending itself
Bitcoin is not passive. Developers are working on solutions, and here is the state of play as of mid-2026.
BIP-360 (P2MR, Pay-to-Merkle-Root). A proposal that entered the official Bitcoin Improvement Proposals repository in February 2026. It removes the part of Taproot that leaves the public key needlessly exposed. Note: it is still only a draft at the testnet stage and is not activated on the main network. Soft forks in Bitcoin take years: SegWit took roughly four and Taproot about three.
BIP-361. A companion and far more controversial proposal. It envisions a three-phase migration where, after a certain period, sending to old addresses would first be blocked and later old signatures would become invalid. In practice this would mean unmigrated coins would freeze. There will be a lot more debate about this one.
Quantum Safe Bitcoin (QSB). A solution from a StarkWare researcher that can make a transaction quantum-resistant today and without a soft fork, but at a cost of 75 to 200 dollars per transaction. It is more of an emergency tool than an everyday solution.
The common drawback of post-quantum signatures is that they are significantly larger than today's. That means higher storage demands and potentially higher fees. The transition is therefore not a simple swap but a complex engineering task.
What you can do today
There is no need to panic, but a few sensible steps are worth taking now.
- Do not reuse addresses. Receive change to a new address after every spend. The public key then stays hidden behind a hash.
- Hold coins in modern bc1 addresses (Native SegWit or Taproot). They are better prepared for the future transition.
- Coins in active circulation carry less risk than the hundreds of thousands of old coins nobody has moved in years.
- Follow the developments around BIP-360. When migration time comes, you will be ready to act.
- Know your wallet. Understanding where and in what address types your coins sit is the foundation.
What about taxes
Here is the good news that few people mention amid the quantum panic. Moving your own coins between your own addresses is not a sale. In Slovakia, the move itself (for example to a new, safer address) creates no tax obligation, because no income arises. Tax only comes into play when you sell the crypto, exchange it for another cryptocurrency or pay with it.
If you migrate coins to quantum-resistant addresses in the future, the move itself will not create a tax burden. What matters is recording it correctly, so it is clear this is your own transfer and not a taxable operation. We can help you with that.
Summary
The quantum threat to Bitcoin is real, but not acute. The most vulnerable coins are those in old and reused addresses with exposed public keys. Today's hardware is still orders of magnitude away from a real attack, and Bitcoin is already working on defences through BIP-360. For an ordinary holder the rule is simple: do not reuse addresses, hold coins in modern address types and follow the developments.
If you are unsure about the tax side of your crypto transactions or you are planning larger transfers, get in touch. We will help you keep your taxes in order no matter what the quantum future brings. 🇸🇰