
In short
- Today’s quantum computers are far too small and unstable to threaten real-world cryptography.
- Early Bitcoin wallets with visible public keys are most at risk in the long term.
- Developers are exploring post-quantum signatures and potential migration paths.
Quantum computers can’t break Bitcoin’s encryption today, but new developments from Google and IBM suggest the gap is closing faster than expected. Their progress toward fault-tolerant quantum systems raises the stakes for “Q-Day,” the moment when a sufficiently powerful machine could crack older Bitcoin addresses and expose more than $711 billion in vulnerable wallets.
Upgrading Bitcoin to a post-quantum state will take years, meaning the work must start long before the threat arrives. The challenge, experts say, is that no one knows when that will be, and the community is struggling to agree on the best way to move forward with a plan.
This uncertainty has led to ongoing fears that a quantum computer that can attack Bitcoin will come online before the network is ready.
In this article we look at the quantum threat to Bitcoin and what needs to change to make the number one blockchain quantum-ready.
How a quantum attack would work
A successful attack wouldn’t look dramatic. A thief with quantum technology would start by scanning the blockchain for every address that has ever revealed a public key. Old wallets, reused addresses, early miner outputs, and many dormant accounts fall into this category.
The attacker copies a public key and runs it through a quantum computer using Shor’s algorithm. The algorithm, developed in 1994 by mathematician Peter Shor, gives a quantum machine the ability to factor large numbers and solve the discrete logarithm problem much more efficiently than any classical computer. Bitcoin’s elliptic curve signatures depend on the difficulty of these problems. With enough error-corrected qubits, a quantum computer could use Shor’s method to calculate the private key associated with the exposed public key.
This is what Justin Thaler, research partner at Andreessen Horowitz and associate professor at Georgetown University, explains: once the private key is recovered, the attacker can move the coins.
“What a quantum computer could do, and this is what is relevant to Bitcoin, is forge the digital signatures that Bitcoin uses today,” Thaler said. “Someone with a quantum computer could authorize a transaction that takes all the Bitcoin out of your accounts, or however you want to think of it, and you haven’t authorized it. That’s the concern.”
The forged signature would look real to the Bitcoin network. Nodes would accept it, miners would include it in a block, and nothing in the chain would mark the transaction as suspicious. If an attacker attacks a large group of exposed addresses at once, billions of dollars could be moved in minutes. The markets would start to react before anyone ever confirmed that a quantum attack was happening.
Where quantum computing stands in 2025
In 2025, quantum computing finally started to feel less theoretical and more practical.
- January 2025: Google’s 105-qubit Willow chip showed steep error reduction and a benchmark result beyond classical supercomputers.
- February 2025: Microsoft rolled out its Majorana 1 platform and reported record entanglement of logical qubits with Atom Computing.
- April 2025: NIST extended the coherence of superconducting qubits to 0.6 milliseconds.
- June 2025: IBM set goals of 200 logical qubits by 2029 and more than 1,000 by early 2030.
- October 2025: IBM reached 120 qubits; Google confirmed verified quantum acceleration.
- November 2025: IBM announced new chips and software aimed at quantum advantage by 2026 and fault-tolerant systems by 2029.
Why Bitcoin has become vulnerable
Bitcoin signatures use elliptic curve cryptography. Spending from an address reveals the public key behind it, and that exposure is permanent. In Bitcoin’s early pay-to-public-key format, many addresses published their public keys on-chain before any coins were ever spent. Later pay-to-public-key-hash formats kept the key hidden until first use.
Because their public keys have never been hidden, these oldest coins, including roughly 1 million Bitcoin from the Satoshi era, are exposed to future quantum attacks. Thaler said the move to post-quantum digital signatures will require active involvement.
“If Satoshi wants to protect their coins, they need to put them in new, post-quantum safe wallets,” he said. “The biggest concern is the abandoned coins, worth some $180 billion, of which about $100 billion are believed to belong to Satoshi. These are huge amounts, but they are being abandoned and that is the real risk.”
What increases the risk are coins linked to lost private keys. Many have lain untouched for more than a decade, and without those keys they could never be placed in quantum-proof wallets, making them viable targets for a future quantum computer.
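The attack described above starts with a scan for outputs whose public key is already on-chain, and the previous section explains why pay-to-public-key outputs (and Taproot outputs, which place a tweaked key directly in the script) are exposed from the moment coins arrive while hash-based formats stay hidden until first spend. The following audit helper is an added example, not code from the article: it classifies raw scriptPubKey bytes and flags outputs whose key is visible by design or through address reuse. The sample outputs and the "already spent from" set are constructed.

```python
"""Audit helper: which Bitcoin outputs already expose a public key?
Added example, not from the article. Given raw scriptPubKey bytes it reports
the script type and whether a key is already visible on-chain, by design (P2PK,
P2TR) or through address reuse (an earlier spend already revealed the key)."""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUALVERIFY, OP_CHECKSIG = 0x88, 0xAC

@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_visible: bool   # True if a (tweaked) public key sits in the output itself
    note: str

def classify(spk: bytes) -> Exposure:
    n = len(spk)
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG; the key is the output itself
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, "key published when coins were received")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG; only a hash is on-chain
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Exposure("P2PKH", False, "key revealed only on spend")
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:   # P2WPKH: OP_0 <20-byte hash>
        return Exposure("P2WPKH", False, "key revealed only on spend")
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:   # P2TR: OP_1 <32-byte x-only key>
        return Exposure("P2TR", True, "tweaked key published when coins were received")
    return Exposure("unknown", False, "non-standard or script-hash output; inspect manually")

def exposed_outputs(outputs, spent_from):
    """outputs: (txid, vout, scriptPubKey) tuples; spent_from: set of scripts
    already spent from at least once. Returns the exposed subset with a reason."""
    found = []
    for txid, vout, spk in outputs:
        info = classify(spk)
        if info.key_visible:
            found.append((txid, vout, info.script_type, info.note))
        elif spk in spent_from:
            found.append((txid, vout, info.script_type, "address reuse: key revealed by an earlier spend"))
    return found

# Constructed sample: four outputs; the P2PKH script has been spent from before.
P2PK = bytes([65, 0x04]) + bytes(64) + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + bytes([0x11] * 20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + bytes([0x22] * 20)
P2TR = bytes([OP_1, 32]) + bytes([0x33] * 32)
SAMPLE_OUTPUTS = [("tx-a", 0, P2PK), ("tx-b", 1, P2PKH), ("tx-c", 0, P2WPKH), ("tx-d", 0, P2TR)]
SPENT_FROM = {P2PKH}
```

Run over a real UTXO set, the same two rules (key in the output, or script seen in an earlier spend) give a first estimate of how much value would need to migrate.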
No one can freeze Bitcoin directly on-chain. Practical defenses against future quantum threats focus on migrating vulnerable funds, adopting post-quantum addresses, or managing existing risks.
However, Thaler noted that post-quantum encryption and digital signatures come at a high performance cost because they are much larger and more resource-intensive than today’s lightweight 64-byte signatures.
“Today’s digital signatures are about 64 bytes. Post-quantum versions could be 10 to 100 times larger,” he said. “In a blockchain, that increase in size is a much bigger problem, because each node has to store those signatures forever. Managing that cost, the literal size of the data, is much more difficult here than in other systems.”
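To put the size concern in block terms, the following added example (not from the article or from any Bitcoin proposal) models a block filled with nothing but single-signature inputs and counts how many fit when the 64-byte signature is replaced by a post-quantum one. It assumes a key-path P2TR-style input layout (36-byte outpoint, empty scriptSig, 4-byte sequence) and the standard 4,000,000 weight-unit block limit; the post-quantum sizes are the FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) signature lengths.

```python
"""Block-capacity cost of larger signatures.
Added example, not from the article. Models one signature-only input per spend
(key-path P2TR-style: 36-byte outpoint, empty scriptSig, 4-byte sequence) and
asks how many such inputs fit in one block when the 64-byte signature the
article cites is replaced by a post-quantum one (FIPS 204/205 sizes)."""

MAX_BLOCK_WEIGHT = 4_000_000   # weight units per block (BIP 141)
NON_WITNESS_INPUT_BYTES = 41   # outpoint 36 + scriptSig length 1 + sequence 4

SIG_BYTES = {
    "Schnorr (today)": 64,
    "ML-DSA-44": 2420,
    "ML-DSA-65": 3309,
    "SLH-DSA-SHA2-128s": 7856,
    "SLH-DSA-SHA2-128f": 17088,
}

def compact_size_len(n: int) -> int:
    """Bytes taken by Bitcoin's CompactSize encoding of the length n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9

def input_weight(sig_bytes: int) -> int:
    """Weight of one input whose witness is a single signature item:
    non-witness bytes count 4 WU each, witness bytes 1 WU each."""
    witness = 1 + compact_size_len(sig_bytes) + sig_bytes   # item count + len + sig
    return 4 * NON_WITNESS_INPUT_BYTES + witness

def inputs_per_block(sig_bytes: int) -> int:
    """Upper bound on signature-bearing inputs in a block containing nothing else."""
    return MAX_BLOCK_WEIGHT // input_weight(sig_bytes)

def compare(baseline: str = "Schnorr (today)") -> dict:
    """For each scheme: signature size, size ratio to the baseline, inputs per
    block, and the throughput loss factor versus the baseline."""
    base_size = SIG_BYTES[baseline]
    base_inputs = inputs_per_block(base_size)
    out = {}
    for name, size in SIG_BYTES.items():
        per_block = inputs_per_block(size)
        out[name] = {
            "sig_bytes": size,
            "size_ratio": round(size / base_size, 1),
            "inputs_per_block": per_block,
            "throughput_loss": round(base_inputs / per_block, 1),
        }
    return out
```

With these assumptions the smallest ML-DSA parameter set alone cuts the number of spends a block can carry by roughly an order of magnitude, which is the storage and throughput cost the proposals below try to contain.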
Paths to protection
Developers have launched several Bitcoin improvement proposals to prepare for future quantum attacks. They follow different paths, from light optional protection to full network migrations.
- BIP-360 (P2QRH): Creates new “bc1r…” addresses that combine current elliptic curve signatures with post-quantum schemes such as ML-DSA or SLH-DSA. It offers hybrid security without a hard fork, but the larger signatures mean higher costs.
- Quantum-Safe Taproot: Adds a hidden post-quantum branch to Taproot. If quantum attacks become realistic, miners could softfork to demand the post-quantum branch, while users operate normally until then.
- Quantum-Resistant Address Migration Protocol (QRAMP): A mandatory migration plan that moves vulnerable UTXOs to quantum-safe addresses, likely via a hard fork.
- Pay to Taproot Hash (P2TRH): Replaces visible Taproot keys with double-hashed versions, limiting the window of exposure without new cryptography or breaking compatibility.
- Non-Interactive Transaction Compression (NTC) via STARKs: Uses zero-knowledge proofs to compress large post-quantum signatures into one proof per block, reducing storage and compensation costs.
- Commit-Reveal schemes: Rely on hashed commitments published before any quantum threat.
- Helper UTXOs: Add small post-quantum outputs to protect spending.
- Poison pill transactions: Allow users to pre-publish recovery paths.
- Fawkescoin-style variants: Remain dormant until a real quantum computer is demonstrated.
Taken together, these proposals outline a step-by-step path to quantum safety: quick, low-impact fixes like P2TRH now, and tougher upgrades like BIP-360 or STARK-based compression as risk increases. They would all require broad coordination, and many of the post-quantum address formats and signature schemes are still in their infancy.
Thaler noted that Bitcoin’s decentralization — its greatest strength — also makes major upgrades slow and difficult, as any new signature scheme requires broad agreement among miners, developers and users.
“Two major issues stand out for Bitcoin. First, upgrades take a long time, if they happen at all. Second, there are the abandoned coins. Any migration to post-quantum signatures needs to be active and the owners of those old wallets are gone,” Thaler said. “The community must decide what happens to them: either agree to take them out of circulation, or do nothing and let quantum-equipped attackers take them over. That second path would be legally gray, and those who seize the coins probably won’t care.”
Most Bitcoin holders don’t need to do anything right away. A few habits can go a long way toward reducing long-term risk, including avoiding address reuse so your public key stays hidden until you spend, and sticking to modern wallet formats.
Current quantum computers are not yet close to breaking Bitcoin, and predictions about when they will vary wildly. Some researchers see a threat within the next five years, others push it into the 2030s, but continued investment could accelerate the timeline.