This article explains what quantum computers could actually do to Bitcoin, which coins are most exposed, and how Bitcoin may upgrade to survive it.
Introduction: Bitcoin’s quantum problem is real, but it is being misunderstood
The biggest near-term quantum threat to Bitcoin is not that quantum computers suddenly take over mining and erase the chain. It is that a future cryptographically relevant quantum computer could break the elliptic-curve signatures that protect many Bitcoin wallets, especially where public keys are already exposed or become exposed during spending. Google Quantum AI’s March 2026 whitepaper did not show that Bitcoin is breakable today, but it did sharply reduce the estimated resources needed for a future attack and made preparation harder to postpone.
Bitcoin’s core signature stack is built on secp256k1. Bitcoin has long used ECDSA for transaction authorization, and Taproot added Schnorr signatures over the same curve. Both rely on the hardness of the elliptic-curve discrete logarithm problem, which is exactly the kind of problem Shor’s algorithm targets on a sufficiently capable quantum computer.
The blunt version: Bitcoin’s quantum risk starts with signature theft, not network collapse.
What changed in 2026
Google’s whitepaper says its team compiled secp256k1 attack circuits requiring either about 1,200 logical qubits and 90 million Toffoli gates or about 1,450 logical qubits and 70 million Toffoli gates. Under the paper’s superconducting-hardware assumptions, those circuits could run in minutes using fewer than half a million physical qubits, and a “primed” on-spend attack could cut the time from public-key exposure to private-key recovery to roughly 9 to 12 minutes.
That does not mean a live Bitcoin break exists now. It means the estimated path to one is shorter than many Bitcoin holders assumed. Google’s own framing is about future quantum computers and the need to migrate vulnerable systems to post-quantum cryptography before those machines exist.
What part of Bitcoin is actually vulnerable
Bitcoin outputs are protected by scripts, hashes, and digital signatures. In the common P2PKH flow, the public key is hashed in the receive output and only revealed when coins are spent. That design was already useful for privacy and, as the Bitcoin developer guide notes, it also protects against attacks that rely on exposed public keys.
Quantum risk appears the moment a public key is exposed. Google’s analysis breaks Bitcoin’s exposure into four paths: weak-address exposure from scripts that publish the public key on-chain, address reuse that later reveals a public key tied to older coins, public mempool exposure while a spend is waiting to confirm, and off-chain exposure through practices such as key reuse across chains or sharing public keys with third parties.
That is why the simple “my coins are safe because I never used them” line is only partly true. A fresh hash-hiding address is safer against at-rest theft until first spend, but Google’s paper also says that, at present, all bitcoin is vulnerable to public-mempool exposure or reorganization-style attacks during spending.
Which wallets are most exposed now
The weakest Bitcoin outputs are the ones that publish public keys directly. Google identifies old P2PK outputs, legacy multisig in some old forms, and modern P2TR/Taproot receive outputs as on-chain exposure cases. In plain English: some coins are exposed from the moment they are received, while others only become exposed later through spending or reuse.
Taproot matters here. Google’s whitepaper says P2TR stores the tweaked public key directly in the locking script, which is why bc1p receive outputs are treated as immediately exposed to both at-rest and on-spend attacks. By contrast, previously unused bc1q-style outputs such as P2WPKH and P2WSH keep the public key hidden behind a hash until spend, making them safer against at-rest attacks so long as the key is not otherwise revealed.
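The exposure classes described in the last two paragraphs can be checked mechanically from the raw locking script, since each output type has a fixed template. The following is an added example (not code from the article, Google's whitepaper or any BIP) that classifies a scriptPubKey and totals a wallet's UTXOs by whether the public key is published at rest or stays behind a hash until spend; the keys and hashes in `SAMPLE_UTXOS` are constructed placeholders.

```python
# Added example: classify raw scriptPubKeys by output type and quantum exposure
# class. All keys and hashes below are constructed placeholders, not chain data.
OP_0, OP_1, OP_16, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x60, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xa9, 0xac, 0xae
AT_REST = "key exposed at rest"
UNTIL_SPEND = "key hidden until spend"  # holds only while the address is not reused

def _pushed_pubkeys(body: bytes) -> bool:  # one or more 33/65-byte key pushes
    i = 0
    while i < len(body):
        n = body[i]
        if n not in (33, 65) or i + 1 + n > len(body):
            return False
        i += 1 + n
    return len(body) > 0

def classify_spk(spk: bytes) -> tuple:
    """Return (output type, exposure class) for a raw scriptPubKey."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", UNTIL_SPEND
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "P2SH", UNTIL_SPEND
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", UNTIL_SPEND
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", UNTIL_SPEND
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", AT_REST  # tweaked output key sits directly in the script
    if n in (35, 67) and spk[-1] == OP_CHECKSIG and _pushed_pubkeys(spk[:-1]):
        return "P2PK", AT_REST
    if (n > 3 and spk[-1] == OP_CHECKMULTISIG and OP_1 <= spk[0] <= OP_16
            and OP_1 <= spk[-2] <= OP_16 and _pushed_pubkeys(spk[1:-2])):
        return "bare multisig", AT_REST
    return "unknown", "unknown"

def exposure_totals(utxos) -> dict:  # utxos: [(scriptPubKey, sats), ...]
    totals = {}
    for spk, sats in utxos:
        cls = classify_spk(spk)[1]
        totals[cls] = totals.get(cls, 0) + sats
    return totals

KEY, H20, H32 = b"\x02" + b"\x22" * 32, b"\x11" * 20, b"\x33" * 32  # constructed
SAMPLE_UTXOS = [
    (bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 50_000),
    (bytes([OP_0, 20]) + H20, 30_000),                                   # P2WPKH
    (bytes([OP_1, 32]) + H32, 20_000),                                   # P2TR
    (bytes([33]) + KEY + bytes([OP_CHECKSIG]), 10_000),                  # P2PK
    (bytes([OP_1, 33]) + KEY + bytes([OP_1, OP_CHECKMULTISIG]), 5_000),  # 1-of-1 bare multisig
]
```

Run against a real wallet's UTXO set, this gives the at-rest figure the article discusses; the "hidden until spend" bucket still needs an address-reuse check, since a second receive to a spent P2PKH or P2WPKH address has already revealed its key.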
The scale is not small. Google’s Figure 7 estimates that the top 100,000 vulnerable addresses together hold about 6.7 million BTC, and one draft Bitcoin proposal says that, as of March 1, 2026, more than 34% of all bitcoin had a public key revealed on-chain. That second figure is from a Draft BIP, not settled consensus data, but it shows how seriously some Bitcoin contributors are treating the exposure problem.
What quantum computers do not break first
Bitcoin’s proof-of-work is not the main quantum emergency. Google’s whitepaper says Grover-based attacks on mining are not practically relevant in the next several decades under current assumptions, because the quadratic speedup is heavily eaten by quantum error-correction costs and because Grover’s algorithm does not parallelize well compared with classical ASIC mining.
That does not mean proof-of-work is magically immune forever. It means the priority order is clear: signature theft comes first, mining disruption later if ever. Anyone claiming “quantum computers will kill Bitcoin mining first” is focusing on the wrong battlefield.
What Bitcoin likely has to upgrade
Bitcoin’s long-term fix is not another warning. It is migration away from quantum-vulnerable signature assumptions. Google’s whitepaper is explicit that the only real long-term remedy is moving to post-quantum cryptographic keys for signing transactions. On the standards side, NIST has already finalized ML-DSA and SLH-DSA as federal post-quantum digital-signature standards and says a Falcon-derived standard is still being developed as an additional option.
But Bitcoin has not chosen its final post-quantum signature path. That part is still open. Post-quantum signatures can bring larger proofs, larger signatures, more verification burden, and fresh implementation risk. Bitcoin is not just choosing an algorithm; it is choosing a new security model that has to fit fee markets, hardware wallets, nodes, exchanges, and long-term script design.
The leading upgrade proposal right now: P2MR
One of the clearest candidate mitigations is BIP 360, a Draft soft-fork proposal called Pay-to-Merkle-Root, or P2MR. Its goal is to keep Taproot-like script-tree functionality while removing the Taproot key-path spend that exposes a quantum-vulnerable key. The proposal says P2MR is meant to resist long-exposure attacks and create a practical path for future post-quantum signature integration.
That matters, but it is not a full fix by itself. BIP 360 explicitly says P2MR does not by itself stop short-exposure attacks, including attacks on public keys revealed in the mempool while a transaction is waiting to confirm. The proposal says comprehensive protection may require post-quantum signatures as a later step.
So the honest framing is this:
- P2MR is a strong candidate mitigation for long-exposure risk. It removes the Taproot key path and is designed to work with future post-quantum signature opcodes.
- P2MR is not the final quantum cure. It still needs complementary post-quantum signature work to address short-exposure risk while spending.
- It is still only a Draft BIP. Publication in the BIPs repository does not mean Bitcoin consensus exists or that activation is imminent.
The harder proposal: forcing migration
BIP 361 is the more aggressive draft. It is also a Draft, but unlike BIP 360 it is an Informational BIP, and it explicitly depends on a still-TBD post-quantum signature BIP. Its proposed framework is blunt: Phase A would stop new sends to quantum-vulnerable address types about 160,000 blocks after activation, roughly three years, and Phase B would later reject ECDSA/Schnorr-based spends entirely about two years after that.
This is not Bitcoin policy today. It is one proposed migration framework. That distinction matters because the BIPs repository itself says publication does not imply community consensus or likely adoption. In other words, Bitcoin now has draft paths on the table, but it does not yet have a final quantum roadmap that the ecosystem has accepted.
How a real Bitcoin quantum upgrade would actually be implemented
The implementation path is likely to be slow, political, and technical at the same time. Bitcoin would need a new output type or signing path added through a soft fork, wallet and hardware-wallet support for new address formats and validation logic, exchange and custodian migration of deposits and withdrawals, miner and node adoption for enforcement, and a long coordination window so users do not get stranded. That is the real work.
A practical migration would likely look like this:
- Protocol layer: add a quantum-safer output or signature path through a reviewed soft fork, with clear validation rules.
- Wallet layer: support fresh quantum-safer receive types and make bad practices like address reuse harder or impossible by default.
- Infrastructure layer: exchanges, custodians, payment processors, and hardware-wallet vendors would need to add send, receive, signing, scanning, recovery, and monitoring support.
- User layer: holders would need to move exposed or reused coins into safer outputs before any sunset or stricter validation rules kicked in.
What holders should understand right now
Bitcoin holders do not need to panic. They do need clarity. The safest current reading of the primary sources is that reducing unnecessary public-key exposure still matters: avoid address reuse, understand that spending reveals keys, and recognize that Taproot’s current receive design is worse for long-exposure quantum risk than fresh hash-hiding SegWit outputs. Google’s paper even says that sticking to SegWit-style addresses and avoiding Taproot can help protect against at-rest attacks from slower quantum machines.
The second point is even more important: waiting for a last-minute emergency patch is not a strategy. If Bitcoin is going to become quantum-resistant, it will happen through years of standards work, implementation, audits, ecosystem rollout, and hard arguments over incentives. The draft proposals exist because serious people in Bitcoin know this is a migration problem, not a press-release problem.
Conclusion: Bitcoin can survive quantum computing, but not by doing nothing
Quantum computers are not about to vaporize Bitcoin’s chain tomorrow. That story is lazy. The real danger is more precise and more uncomfortable: future quantum machines threaten the signature system that protects wallets, especially where public keys are exposed on-chain, reused, or revealed during spending. Google’s 2026 research made that threat harder to dismiss, not because Bitcoin is broken today, but because the upgrade window may be shorter than the market wanted to believe.
Bitcoin’s survival path is visible, but it is not settled. P2MR is a serious draft for reducing long-exposure risk. Post-quantum signatures are the likely endgame. A migration-and-sunset framework has already been proposed. None of that equals consensus yet. But the direction is clear: if Bitcoin wants to remain the hardest money in a post-quantum world, it has to upgrade its wallet security model before quantum attackers get there first.