Quantum Computing and Bitcoin: What BIP-360 Changes
A quantum computer could one day forge signatures and drain exposed wallets. Here is the real timeline, what BIP-360 does, and how to reduce your exposure.

Every few months a headline claims quantum computers are about to break Bitcoin tomorrow. They are not. But the threat is real on a multi-year horizon, and the uncomfortable detail is that roughly a third of all bitcoin sits in wallets that would be first in line if a capable machine ever arrives.
Quick answer
A sufficiently powerful quantum computer could use Shor's algorithm to derive a private key from an exposed public key, letting an attacker forge signatures and drain that wallet. "Q-Day" is widely estimated for around 2030 to 2033, not now. The main defensive step already merged is BIP-360, a proposal for a new Bitcoin output type that removes the quantum-vulnerable key-spend path for coins stored under it; it has been merged into the BIP repository, not activated on the network. As a user, the practical move is to hold coins in hash-based addresses such as Native SegWit "bc1q" addresses, whose public key is not on-chain until you spend, and to avoid reusing addresses. Taproot "bc1p" outputs are the exception among modern addresses: they carry the tweaked public key in the output itself, which is exactly the spend path BIP-360 removes.
Key takeaways
- The danger is Shor's algorithm recovering a private key from an exposed public key, not brute-forcing your seed.
- Estimates put a capable machine around 2030 to 2033, though newer research keeps trimming the qubit count needed.
- Roughly 6.9 million BTC sit in wallets with permanently exposed public keys, making them the highest-risk targets.
- BIP-360 was merged into the Bitcoin Improvement Proposals repository in early 2026, adding a post-quantum-friendly output type; merging the proposal is not activation on the network.
- Post-quantum signatures are much larger (an ML-DSA-44 signature is 2,420 bytes, roughly 38 times a 64-byte Schnorr signature), which complicates migration.
How the threat actually works
Bitcoin secures ownership with elliptic curve cryptography on the secp256k1 curve. Your private key produces a public key easily, but going backward, from public key to private key, is the elliptic-curve discrete logarithm problem, which is computationally hopeless for normal computers. A large fault-tolerant quantum computer running Shor's algorithm solves that problem efficiently, and that reversal is exactly what lets an attacker sign on your behalf.
The nuance that matters is when your public key is visible on-chain:
- Outputs whose public key is already on-chain are the sitting-duck wallets. That covers pay-to-public-key outputs from the earliest blocks, any address that has been spent from and then received coins again (the spend revealed the key), and Taproot (bc1p) outputs, which place the tweaked public key directly in the output.
- Hash-based addresses used once (legacy 1..., P2SH 3..., Native SegWit bc1q...) reveal the public key only inside the spending transaction. Before that, the chain shows only a 20- or 32-byte hash, which Shor's algorithm cannot invert.
That distinction is why "about a third of supply is vulnerable" and "you can meaningfully reduce your risk" are both true at the same time.
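The distinction above can be checked mechanically from the scriptPubKey alone. The following is an added example written for this article, not code from the article or from BIP-360: it recognises the standard output templates, decides whether the key behind each output is already readable (either because the template puts the key in the output, or because the same script was spent from before), and totals exposed versus still-hidden value. The UTXO set and the "spent before" history are constructed sample data with fake hashes and keys.

```python
"""Classify Bitcoin outputs by whether the public key is already readable on-chain.

Added example for this article, not code from the article or from BIP-360.
The scriptPubKey templates are the standard ones; the UTXO set and the set of
previously spent scripts below are constructed sample data.
"""
from dataclasses import dataclass

# Templates that put the key (or, for Taproot, the tweaked key) in the output itself.
EXPOSED_AT_FUNDING = {"P2PK", "P2TR"}
# Templates that commit only to a hash until the output is spent.
HASH_COMMITTED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}


def classify_script(spk: bytes) -> str:
    """Return the standard template name for a scriptPubKey, or 'nonstandard'."""
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"   # OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"    # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"  # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"   # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"    # OP_1 <32-byte x-only tweaked public key>
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"    # <33- or 65-byte public key> OP_CHECKSIG
    return "nonstandard"


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes
    value_sats: int


def pubkey_exposed(spk: bytes, spent_before: set) -> bool:
    """True if a Shor-capable attacker could already read the key behind this output.

    Either the template carries the key in the output (P2PK, P2TR), or the same
    scriptPubKey was spent from before (address reuse), which put the key or the
    redeem script into that earlier transaction's scriptSig/witness.
    """
    kind = classify_script(spk)
    if kind in EXPOSED_AT_FUNDING:
        return True
    if kind in HASH_COMMITTED:
        return spk in spent_before
    return True  # unknown template: treat as exposed rather than guess


def exposure_report(utxos: list, spent_before: set) -> dict:
    """Split a UTXO set into value with exposed keys and value still hash-protected."""
    exposed = hidden = 0
    for u in utxos:
        if pubkey_exposed(u.script_pubkey, spent_before):
            exposed += u.value_sats
        else:
            hidden += u.value_sats
    total = exposed + hidden
    return {
        "exposed_sats": exposed,
        "hidden_sats": hidden,
        "exposed_share": exposed / total if total else 0.0,
    }


# Constructed sample data: fake hashes and keys, chosen to cover each case.
P2PK_SATOSHI_ERA = b"\x21" + b"\x02" + b"\xaa" * 32 + b"\xac"
P2PKH_REUSED = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
P2PKH_FRESH = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
P2WPKH_FRESH = b"\x00\x14" + b"\x33" * 20
P2TR_OUTPUT = b"\x51\x20" + b"\x44" * 32

SAMPLE_UTXOS = [
    Utxo(P2PK_SATOSHI_ERA, 5_000_000_000),  # 50 BTC in an early coinbase-style output
    Utxo(P2PKH_REUSED, 100_000_000),        # 1 BTC sent back to an address spent from earlier
    Utxo(P2PKH_FRESH, 200_000_000),         # 2 BTC to a never-spent legacy address
    Utxo(P2WPKH_FRESH, 300_000_000),        # 3 BTC to a never-spent bc1q address
    Utxo(P2TR_OUTPUT, 400_000_000),         # 4 BTC to a bc1p address
]
# scriptPubKeys seen on the input side of an earlier transaction (the reuse signal).
SAMPLE_SPENT_BEFORE = {P2PKH_REUSED}

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        kind = classify_script(u.script_pubkey)
        print(f"{kind:7} exposed={pubkey_exposed(u.script_pubkey, SAMPLE_SPENT_BEFORE)}")
    print(exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT_BEFORE))
```

Run against the sample set, 5.5 of the 6 BTC come back as exposed: the P2PK and Taproot outputs because their keys are in the output, the reused P2PKH output because an earlier spend revealed its key. Only the two never-spent hash-based outputs are still protected, which is the "about a third is vulnerable, and you can reduce your own risk" point in concrete terms. Against real data the `spent_before` set would be built from the input scripts of historical transactions.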

The timeline, without the hype
There is no confirmed machine that can break Bitcoin today. What changed in 2026 is that the estimates got less comfortable. Google's Quantum AI research suggested breaking the relevant cryptography might need far fewer physical qubits than a 2019 estimate implied, on the order of under 500,000 rather than the millions previously assumed. That does not mean the machine exists; it means the finish line moved closer.
Most credible framings land in a similar place:
| Scenario | Rough timing | What it means for holders |
|---|---|---|
| Q-Day arrives | ~2030 to 2033 estimate | Exposed-key wallets become forgeable |
| "Harvest now, decrypt later" | Ongoing today | Attackers may log exposed keys to break later |
| Migration window | Now through Q-Day | Time to move to quantum-resistant schemes |
The "harvest now, decrypt later" idea, borrowed from the world of encrypted traffic, is the reason not to be complacent. For Bitcoin the harvesting is already done: every exposed public key sits permanently in the blockchain, so an attacker needs no quantum computer today to benefit from a key exposed today. They simply wait, and the only way to undo the exposure is to move the coins to a fresh hash-based address before Q-Day.
What BIP-360 does
BIP-360 was merged into the Bitcoin Improvement Proposals repository in early 2026. In plain terms, it specifies a new output type designed with post-quantum security in mind. It removes the quantum-vulnerable key-spend path, so coins stored under it are committed only to a script tree rather than to a public key that sits in the output the way Taproot's does. On its own it does not add a post-quantum signature scheme; that is left to separate proposals. What it provides is an output type in which such signatures can be used once they are available, so newly parked funds are not exposed the way legacy and Taproot outputs are.
Being merged into the repository is not the same as being active on the network. Bitcoin changes activate through a slow, deliberate consensus process, and BIP-360 is an option being built rather than a switch already flipped for everyone. Bitcoin's culture of conservatism means this will take time, and the debate over what to do about the millions of already-exposed coins is genuinely unresolved.
Other networks are moving on parallel tracks. Ethereum has elevated post-quantum security to a strategic priority and is researching how to let users adopt quantum-resistant signatures incrementally without breaking existing infrastructure. The direction across ecosystems is the same: build optionality now, migrate before Q-Day.
Why migration is hard
If the fix is known, why not just ship it? Two reasons.
- Signature size. The NIST-standardized post-quantum signature scheme ML-DSA (FIPS 204) produces a 2,420-byte signature at its smallest parameter set, ML-DSA-44, versus the 64-byte Schnorr signature Taproot uses today. That is close to 38 times larger, and the 1,312-byte ML-DSA-44 public key would also have to appear on-chain in place of a 32-byte key, which bloats transactions and blocks and raises fees.
- Coordination. Migrating a global, adversarial, leaderless system is a social problem more than a technical one. Everyone has to agree, wallets and exchanges have to support the new format, and users have to actually move funds. Large systems historically take five to more than ten years to migrate cryptography.
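The headline "38 times larger" is the raw signature ratio; what a user pays is driven by transaction weight, where witness bytes count one quarter as much as other bytes. The following added example (not code from the article, and not BIP-360's serialization) computes the weight and fee of a single input under three layouts: a Taproot key-path spend as it exists today, a Native SegWit P2WPKH spend, and a hypothetical post-quantum spend that pushes an ML-DSA-44 public key and signature as two witness items. That last layout is an assumption for illustration only. The size constants are the published ones: BIP-341 Schnorr signature 64 bytes, x-only key 32 bytes, a typical DER ECDSA signature 72 bytes with a 33-byte compressed key, and FIPS 204 ML-DSA-44 signature 2,420 bytes with a 1,312-byte public key.

```python
"""Fee impact of a post-quantum witness, with Bitcoin's witness discount applied.

Added example for this article. The input layout for the hypothetical ML-DSA-44
spend (public key and signature as two witness items) is an assumption, not
BIP-360's serialization; the size constants are the published ones.
"""
import math

SCHNORR_SIG = 64        # BIP-340 signature, used by Taproot key-path spends
ECDSA_DER_SIG = 72      # typical DER-encoded ECDSA signature incl. sighash byte
COMPRESSED_PUBKEY = 33  # key revealed in a P2WPKH witness
MLDSA44_SIG = 2420      # FIPS 204, ML-DSA-44
MLDSA44_PUBKEY = 1312   # FIPS 204, ML-DSA-44

# Non-witness bytes of any native segwit input: 36-byte outpoint, 1-byte empty
# scriptSig length, 4-byte sequence.
SEGWIT_INPUT_BASE = 36 + 1 + 4


def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize varint to encode n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def witness_bytes(items: list) -> int:
    """Serialized witness size: item count, then each item as length prefix + data."""
    return compact_size_len(len(items)) + sum(compact_size_len(n) + n for n in items)


def input_weight(witness_items: list) -> int:
    """Weight units (BIP-141): non-witness bytes count 4x, witness bytes count 1x."""
    return SEGWIT_INPUT_BASE * 4 + witness_bytes(witness_items)


def vbytes(weight: int) -> float:
    return weight / 4


def fee_sats(weight: int, sat_per_vb: float) -> int:
    """Fee attributable to this input at the given feerate, rounded up."""
    return math.ceil(vbytes(weight) * sat_per_vb)


def compare(sat_per_vb: float = 10.0) -> dict:
    # Today, Taproot key path: one 64-byte Schnorr signature; the key is in the output.
    taproot = input_weight([SCHNORR_SIG])
    # Today, P2WPKH: the spend reveals signature and compressed public key.
    p2wpkh = input_weight([ECDSA_DER_SIG, COMPRESSED_PUBKEY])
    # Hypothetical PQ spend (assumed layout): a hash-committed output must reveal
    # the full ML-DSA-44 public key at spend time alongside the signature.
    pq = input_weight([MLDSA44_PUBKEY, MLDSA44_SIG])
    return {
        "taproot_weight": taproot,
        "p2wpkh_weight": p2wpkh,
        "pq_weight": pq,
        "raw_signature_ratio": MLDSA44_SIG / SCHNORR_SIG,
        "weight_ratio": pq / taproot,
        "taproot_fee_sats": fee_sats(taproot, sat_per_vb),
        "p2wpkh_fee_sats": fee_sats(p2wpkh, sat_per_vb),
        "pq_fee_sats": fee_sats(pq, sat_per_vb),
    }


if __name__ == "__main__":
    for k, v in compare(10.0).items():
        print(f"{k:22} {v}")
```

At 10 sat/vB the Taproot input costs about 575 sats (57.5 vB) and the assumed post-quantum input about 9,758 sats (975.75 vB): the witness discount brings the raw 38x signature ratio down to roughly 17x in fee terms, and most of the remaining cost is the public key, which the 32-byte x-only key never had to pay for. Any real encoding BIP-360 or its successors settle on will differ in detail, but the weight arithmetic above is the same whatever the item sizes are.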
The uncomfortable version, argued in some 2026 reports, is that if the industry waits too long the migration window itself could become the vulnerable period.
What to do right now
You cannot flip a personal quantum switch, but you can lower your exposure with ordinary hygiene:
- Receive to Native SegWit "bc1q" addresses (or another hash-based type), which keep the public key hidden until you spend. Taproot "bc1p" addresses do not: the tweaked public key is in the output itself, so a quantum attacker could target Taproot coins before they are ever moved.
- Never reuse addresses. A fresh receiving address per transaction avoids leaving an exposed public key sitting on-chain next to a balance. Modern wallets generate fresh addresses by default, so the main risk is publishing one fixed address for donations or payments.
- Keep long-term holdings in cold storage and follow a resilient backup process; see our seed phrase and multisig backup guide.
- Update your wallet software so you get post-quantum address support when it ships.
- Ignore "quantum-proof coin" sales pitches. The threat is real but slow, and urgency is a classic scam lever, as we cover in how to spot a crypto rug pull.
For the bigger picture on how validators and honest participants keep the network safe against reorganizations and other attacks, our blockchain finality explainer is a useful companion read.
Frequently asked questions
Can a quantum computer break my Bitcoin today?
No. There is no known machine capable of it right now. The concern is a multi-year horizon, commonly estimated around 2030 to 2033, and the risk that exposed public keys recorded today could be broken later.
Which wallets are most at risk?
Wallets with a public key already visible on-chain: pay-to-public-key outputs from Bitcoin's earliest years, reused addresses of any type that revealed the key in a prior spend, and Taproot (bc1p) outputs, which carry the tweaked key in the output. By the estimates cited above, roughly 6.9 million BTC sit in wallets with exposed keys.
Does moving to a "bc1" address make me safe?
It reduces your exposure if it is a hash-based "bc1q" (Native SegWit) address, because the public key stays hidden until you spend. A "bc1p" Taproot address does not, since its output carries the tweaked public key. Neither is a permanent fix; full protection needs post-quantum signatures at the protocol level, which is what BIP-360 and the work building on it aim to deliver over time.
Is my 24-word seed phrase the weak point?
No. The threat is deriving a private key from an exposed public key, not guessing your seed. Your seed phrase security still matters enormously for ordinary theft, just not for the quantum attack specifically.
This article is for general information and is not financial advice.


