Ruang Press - Original title: "I"Spent"200"Hours Reading Quantum Computing Papers So You Don't Have To. Bitcoin Is F.
Original source: nvk
TL;DR
· Bitcoin does not use encryption; it uses digital signatures. The vast majority of articles get this wrong, and the distinction is crucial.
· Quantum computers cannot crack Bitcoin in 9 minutes. This description refers only to a theoretical circuit; the machine itself does not exist and will not appear for at least a decade.
· Quantum mining is physically impossible to achieve. The energy it requires is actually more than the total energy output of the sun.
Bitcoin is fully capable of being upgraded—it has been successfully upgraded before (Segregated Witness, Taproot), and related work has already begun (BIP-360). However, the community needs to speed things up.
The real reason for the upgrade is not the quantum threat, but the fact that traditional mathematics has already broken countless cryptographic systems, and secp256k1 could very well be the next one. Quantum computers have yet to break any cryptographic system.
There is indeed a real hidden danger: the public keys for approximately 6.26 million bitcoins have been exposed. This is not something to panic about, but it is worth preparing for in advance.
To summarize what I'm about to say in one sentence:
The threat of quantum computing to Bitcoin is real, but still far off; media reports are generally inaccurate and exaggerated; and the most dangerous thing is not quantum computers, but the complacency disguised as panic or indifference.
Both those shouting "Bitcoin is doomed" and those claiming "It's nothing to worry about" are wrong. Seeing the truth requires accepting two things simultaneously:
Bitcoin does not currently face an imminent quantum threat; the actual threat may be much further away than sensationalist headlines suggest.
However, the Bitcoin community should still prepare in advance, as the upgrade process itself can take several years.
This is not a reason to panic, but a reason to act.
I will now explain this using data and logic.
This image compares two core quantum algorithms: the Scholl algorithm (left) is a "cryptography killer" that can exponentially accelerate large number factorization and directly crack public-key cryptography such as RSA/ECC, while the Grover algorithm (right) is a general-purpose quantum accelerator that can bring quadratic speedup to unordered search. Both demonstrate the disruptive nature of quantum computing, but it is still limited by error correction hardware and cannot be deployed on a large scale.
Media Tactics: Clickbait Headlines Are the Biggest Hidden Danger
The same drama plays out every few months:
A quantum computing laboratory published a rigorous research paper with numerous limiting conditions.
Tech media immediately headlined it: (Quantum Computer Cracks Bitcoin in 9 Minutes!)
The crypto community's Twitter account succinctly stated: "Bitcoin is dead."
• Your relatives and friends message you asking if you should sell it quickly.
But the original paper didn't say that at all.
In March 2026, Google's quantum AI team published a paper indicating that the number of physical qubits required to crack Bitcoin's elliptic curve cryptography could be reduced to below 500,000, a 20-fold improvement over previous estimates. This is indeed significant research. Google was very cautious, not disclosing the actual attack circuit, but only releasing zero-knowledge proofs.
But the paper never said that Bitcoin could be cracked now, that there was a clear timeline, or that people should panic.
However, the title reads: "Breaking Bitcoin in 9 Minutes".
CoinMarketCap once published an article (Will AI-accelerated quantum computing destroy Bitcoin in 2026?), the entire article explaining that the answer is almost certainly "no." This is a typical tactic: use sensational headlines to attract traffic, while the main text is cautious and accurate. But 59% of the links that were shared were never clicked—for most people, the headline is the information itself.
There's a saying that puts it perfectly: "The market prices risk extremely quickly. You can't steal something that goes to zero the moment you get it." If quantum computers were truly going to revolutionize everything, Google's own stock price (which also uses similar cryptography) would have collapsed long ago. But Google's stock price has remained remarkably stable.
Conclusion: The headline is the real rumor. The research itself is genuine and comprehensible; let's examine it carefully.
What do quantum computers truly threaten, and what do they not truly threaten?
Biggest misconception: "Encryption"
Almost every article about quantum mechanics and Bitcoin uses the word "encryption." This is wrong, and wrong in a way that affects the whole picture.
Bitcoin does not protect assets through encryption, but rather through digital signatures (ECDSA, later using Schnorr via Taproot). The blockchain itself is public; all transaction data is always visible to everyone, and there is absolutely nothing that needs to be "decrypted."
As Adam Back, the inventor of Hashcash, stated in the Bitcoin white paper: "Encryption means that data is hidden and can be decrypted. Bitcoin's security model is based on signatures, which are used to prove ownership without exposing the private key."
This isn't nitpicking. It means that the most pressing "collect now, decrypt later" threat in the quantum realm is essentially nonexistent when it comes to Bitcoin asset security. There's no encrypted data to collect, and the exposed public keys are already publicly available on the blockchain.
Two quantum algorithms: one poses a real threat, the other is negligible.
• Shor's algorithm (the real threat): It provides an exponential speedup to the underlying mathematics of digital signatures, allowing the reverse engineering of private keys from public keys and the forgery of transaction signatures. This is what we really need to worry about.
Grover's algorithm (not a threat): It only provides quadratic speedup for hash functions such as SHA-256, which sounds scary, but a quick calculation shows that it is completely unrealistic.
A 2025 paper (Kardashev-level quantum computing and Bitcoin mining) calculates that, at Bitcoin's current difficulty, quantum mining requires:
• Approximately 10²³ physical qubits (currently there are only about 1500 in the world)
• Approximately 10²⁵ watts of energy (total solar output is approximately 3.8 × 10²⁶ watts)
Mining Bitcoin with a quantum computer would require energy equivalent to approximately 3% of the sun's total energy output. Humanity is currently only a Type 0.73 Kardashev civilization. The energy required for quantum computer mining would be so vast that only a Type II civilization could achieve this, which is currently beyond human capabilities and practically impossible from a physical standpoint. (Note: This refers to the Kardashev civilization classification: Type I: capable of fully utilizing the energy of a planet (Earth); Type II: capable of utilizing the entire energy of an entire star (the sun).)
In comparison: even under the most ideal design, the computing power of a quantum mining machine is only about 13.8 GH/s; while a typical Antminer S21 can reach 200 TH/s. The speed of a traditional ASIC miner is 14,500 times that of a quantum mining machine.
Ultimately, quantum mining is simply not feasible. It's impossible now, it's impossible 50 years from now, and it may never happen. If someone claims that quantum computers can "crack Bitcoin mining," they're confusing two completely different algorithms.
Of the eight commonly circulated claims, 7.5 are incorrect.
Claim 1: "Once quantum computers are invented, all Bitcoins will be stolen overnight."
The truth is, only Bitcoin addresses whose public keys are exposed pose a security risk. Modern Bitcoin addresses (P2PKH, P2SH, Segregated Witness) do not reveal their public keys until you initiate a transaction. As long as you never reuse an address and never transfer assets from that address, your public key will not appear on the blockchain.
The specific divisions are as follows:
• Category A (Directly at Risk): Approximately 1.7 million BTC use the outdated P2PK format, and the public keys are completely public.
• Level B (Risk exists but can be mitigated): Approximately 5.2 million BTC are located in reused addresses and Taproot addresses. Users can mitigate the risk by migrating their existing addresses.
• Level C (Temporary Exposure): The public key is temporarily exposed during the approximately 10 minutes that each transaction is waiting to be packaged in the mempool.
According to Chaincode Labs estimates, approximately 6.26 million BTC are at risk of public key exposure, representing about 30%–35% of the total supply. While this is a significant number, it is by no means "all Bitcoins".
Claim 2: "Satoshi Nakamoto's coins will be stolen, causing a market crash and rendering them worthless."
Partly right, partly wrong: Satoshi Nakamoto's approximately 1.1 million BTC, held in P2PK format with their public keys fully exposed, do indeed constitute high-risk assets. However:
• Quantum computers capable of cracking these private keys do not currently exist.
Countries that have mastered early quantum technologies will prioritize targeting intelligence and military systems rather than staging a "public propaganda farce of stealing Bitcoin" (Quantum Canary Research Group).
Expanding from the current approximately 1,500 qubits to the hundreds of thousands would require several years of engineering breakthroughs, and the progress is highly uncertain.
Claim 3: "Bitcoin cannot be upgraded—too slow and chaotic governance."
This statement is not entirely accurate, but it's not entirely without merit either. Bitcoin has successfully completed several major upgrades throughout its history:
• Segregated Witness (SegWit, 2015–2017): Highly controversial, nearly failed, and directly led to the Bitcoin Cash fork, but was eventually successfully launched.
• Taproot (2018–2021): The project was successfully launched, taking approximately 3.5 years from proposal to mainnet launch.
The quantum-resistant mainstream solution BIP-360 was officially incorporated into the Bitcoin BIP library in early 2026. It added the bc1z address type and removed the quantum-vulnerable key path expenditure logic from Taproot. Currently, the proposal is still in draft form, and the testnet is running the Dilithium post-quantum signature instruction set.
BIP-360 co-author Ethan Hellman estimates the complete upgrade cycle will take approximately 7 years: 2.5 years for development and review, 0.5 years for activation, and 4 years for ecosystem migration. He admits, "This is just a rough estimate; no one can give an exact timeframe."
Objective conclusion: Bitcoin can be upgraded, and the upgrade has already begun, but it is still in its early stages and needs to be accelerated. Claims that "upgrading is completely impossible" are incorrect, as are claims that "the upgrade has been completed."
Statement 4: "We only have 3–5 years left."
• Adam Back (inventor of Hashcash, cited in the Bitcoin white paper): 20–40 years
Jensen Huang (Nvidia CEO): Practical quantum computers are still 15–30 years away.
Scott Aaronson (leading authority on quantum computing at the University of Texas at Austin): declined to provide a timeline, stating that cracking RSA could require an investment of "hundreds of billions of dollars."
Craig Gidney (Google Quantum AI): The probability of achieving this before 2030 is only 10%; he also believes that under current conditions, it is difficult for the demand for qubits to be optimized tenfold again, and the optimization curve may have already flattened out.
A survey of 26 quantum security experts indicates a 28%–49% probability of risks emerging within 10 years.
• Ark Investment: "This is a long-term risk, not an immediate one."
It's worth noting that Google's Willow chip broke the quantum error correction threshold at the end of 2024. This means that for every increase in the error correction code distance by one level, the logic error rate decreases by a fixed factor (2.14 for Willow). This error suppression effect improves exponentially, but the actual scaling speed depends entirely on the hardware and could be logarithmic, linear, or extremely slow. Breaking the threshold only indicates that scaling is feasible, not that it will be fast, easy, or inevitable.
Furthermore, Google's March 2026 paper did not disclose the actual attack circuit, only releasing zero-knowledge proofs. Scott Aaronson also cautioned that future researchers may no longer publicly disclose resource estimates required to crack cryptography. Therefore, we may not be able to anticipate the arrival of "Quantum Crisis Day" long in advance.
Even so, building a computer with hundreds of thousands of fault-tolerant qubits remains a massive engineering challenge. Currently, the most advanced quantum computers cannot even factor numbers larger than 13 digits, while cracking the Bitcoin code is equivalent to factoring a number of approximately 1300 digits. This gap cannot be bridged overnight, but the technological trend deserves attention, not disregard.
Incorrect. Energy consumption is close to the total solar output; see Part Two for details.
"Collect data now, decrypt it later."
It does not apply to theft of assets (the blockchain itself is public), and only has some impact on privacy, which is a secondary risk.
Google says it cracked Bitcoin in 9 minutes.
Google is referring to a non-existent 500,000-qubit machine where the theoretical circuit would run for approximately 9 minutes. Google itself has explicitly warned against such panic and has withheld details of the attack circuitry.
"Post-quantum cryptography technology is not yet mature."
The National Institute of Standards and Technology (NIST) has completed the standardization of algorithms such as ML-KEM, ML-DSA, and SLH-DSA. The algorithms themselves are mature; the difficulty lies in their deployment and implementation in the Bitcoin system, rather than inventing them from scratch.
Five issues that I am really worried about
The estimated number of qubits required to break a password continues to decline, although this trend may be slowing. In 2012, it was projected that breaking a password system would require 1 billion qubits; by 2019, this had dropped to 20 million; and by 2025, it was below 1 million. In early 2026, Oratomic claimed that using a neutral atom architecture, only 10,000 physical qubits would be needed to break a password.
However, it is worth noting that all nine authors of the study are shareholders of Oratomic, and the 101:1 physical to logical qubit conversion ratio on which their estimate was based has never been verified (the actual historical ratio is closer to 10,000:1).
It's also important to clarify that a computation task that takes only "9 minutes" on Google's superconducting architecture would take 10²⁶⁴ days to complete on neutral atom hardware—the two are completely different devices with vastly different processing speeds. Gidney himself has stated that the algorithm optimization curve may have reached a plateau. Even so, no one knows when the inflection point for the "required number of qubits" and the "existing number of qubits" will arrive. The most objective conclusion is that there is currently a great deal of uncertainty.
The scope of public key exposure is expanding, not shrinking. Taproot, Bitcoin's latest and most widely adopted address format, exposes modified public keys on-chain, leaving quantum attackers with an unlimited window of opportunity for offline cracking. The irony that Bitcoin's latest upgrade has actually weakened its quantum resistance is worth pondering.
Furthermore, the problem extends beyond on-chain addresses: Lightning Network channels, hardware wallet connections, multi-signature schemes, and extended public key sharing services all inherently proliferate public keys. In a world where fault-tolerant quantum computers (CRQC) capable of breaking cryptographic codes become a reality, "protecting public key privacy" becomes simply impractical when the entire system is built around public key sharing. BIP-360 is just a first step, far from a complete solution.
Bitcoin governance is slow, but there is still a window of opportunity. Since November 2021, the underlying Bitcoin protocol has not initiated a soft fork for over four years, remaining largely stagnant. Google plans to complete its quantum-resistant migration by 2029, while the most optimistic estimate for Bitcoin is 2033.
Given that practically crackable quantum computers are likely still a long way off (most reliable predictions suggest it won't be until the 2040s, or even ever), the present is not an urgent crisis, but we must not be complacent. The earlier preparations begin, the more relaxed we will be later.
The issue of Satoshi Nakamoto's Bitcoin holdings presents an unsolvable game theory problem. Approximately 1.1 million BTC are stored in P2PK addresses, and because no one holds the corresponding private keys (or Satoshi Nakamoto has disappeared), these assets can never be migrated. Ignoring, freezing, or destroying them would all have severe consequences; there is no perfect solution.
• A blockchain is a permanently locked list of attack targets. All exposed public keys are permanently and freely recorded, allowing institutions worldwide to begin preparations now and await their opportunity. Defense requires proactive collaboration from multiple parties, while attacks only require patience.
These are real challenges, but there's another side to the story worth noting.
Why the quantum threat may be extremely distant, or even never arrive.
Several serious physicists and mathematicians (not extremists) believe that fault-tolerant quantum computing capable of breaking codes may face fundamental obstacles at the physics level, rather than just engineering challenges:
• Leonid Levin (Boston University, co-proposer of NP completeness): "Quantum amplitude needs to be accurate to hundreds of decimal places, but humanity has never found any physical law that still holds true with more than a dozen decimal places of precision." If nature does not allow precision exceeding about 12 decimal places, the entire field of quantum computing will hit the physical ceiling.
Michel Dyakonov (University of Montpellier, theoretical physicist): A 1000-qubit system would require controlling approximately 10³⁰⁰ consecutive parameters simultaneously, a number far exceeding the total number of subatomic particles in the universe. His conclusion is: "Impossible, absolutely impossible."
Gil Kalai (Hebrew University, mathematician): Quantum noise exhibits an unavoidable correlation effect, which intensifies with increasing system complexity, making large-scale quantum error correction fundamentally impossible. His conjecture remains unproven after 20 years, but his experimental predictions have also shown some deviations, presenting both advantages and disadvantages.
• Tim Palmer (University of Oxford, physicist): His rational quantum mechanical model predicts that quantum entanglement has a hard upper limit of about 1,000 qubits, far below the scale required to break a password.
These are not fringe opinions. Existing evidence clearly supports this judgment: to date, practice has shown that quantum computing, which can threaten cryptographic systems, is either far more difficult to achieve in reality than in theory, or simply impossible due to the unknown laws of the physical world. The analogy of autonomous driving is quite apt: the demonstrations are excellent, attracting huge investments, yet for over a decade it has been claimed that "it will be mature in five years."
Most media outlets assume that "quantum computers will eventually crack the code; it's just a matter of time." This conclusion is not based on evidence but is a false impression created by a hype cycle.
The core driving force behind the upgrade has nothing to do with quantum mechanics.
This is a crucial fact that few people mention (thanks to @reardencode for pointing this out):
• To date, zero cryptographic systems have been broken by quantum computers.
• Countless cryptographic systems have been broken by classical mathematical methods.
DES, MD5, SHA-1, RC4, SIKE, Enigma machines… all failed due to sophisticated mathematical analysis, not quantum hardware. SIKE was once the final candidate for post-quantum cryptography by the National Institute of Standards and Technology (NIST), but in 2022 it was completely cracked by a researcher using a regular laptop in one hour. Since the inception of cryptographic systems, classical cryptanalysis has continuously overturned various encryption schemes.
The secp256k1 elliptic curve used by Bitcoin could become invalid at any time due to a mathematical breakthrough, requiring no quantum computer whatsoever. All it would take is a top number theorist making a new breakthrough in the discrete logarithm problem. This hasn't happened yet, but the history of cryptography is a history of "proven secure" systems constantly being found to have vulnerabilities.
This is the real reason why Bitcoin should adopt alternative encryption schemes: not because quantum computers are on the horizon—they may never come; but because relying on a single encryption assumption for a network worth trillions of dollars is a risk that rigorous engineering must proactively guard against.
The panic and hype surrounding quantum mechanics have obscured this more subtle yet real threat. Ironically, preparations made to counter the quantum threat (BIP-360, post-quantum signatures, hash-based alternatives) are equally effective against classical cryptanalysis attacks. People are doing the right thing for the wrong reasons, and that's fine—as long as it's ultimately implemented.
What should you do?
If you hold Bitcoin:
• Don't panic. The threat is real, but it's still far off, and you have plenty of time.
• Stop reusing addresses. Each reuse exposes the public key; please use a new address to receive payments.
• Monitor the progress of BIP-360. Migrate assets promptly after the rollout of quantum-resistant addresses.
• Holding funds long-term allows you to keep them in an address that has never been transferred out, thus keeping the public key hidden.
Don't be swayed by headlines; read the original paper. The content is more interesting and less alarming than the reports suggest.
If you are a Bitcoin developer:
BIP-360 needs more reviewers. The testnet is already running, and the code urgently needs inspection.
• The 7-year upgrade cycle needs to be compressed; for every year of delay, the safety buffer shrinks.
• Initiate governance discussions regarding Old Unspent Transaction Outputs (UTXOs). Satoshi Nakamoto's Bitcoin does not protect itself, and the community needs a solution.
If you just saw a sensational headline: Remember, 59% of the links that are shared are never clicked. The headline is just meant to stir up emotions; the paper is meant to provoke thought. Go read the original article.
in conclusion
The threat of quantum computing to Bitcoin is not black and white, but rather exists in a middle ground. On one hand, it's "Bitcoin is finished, sell everything now," and on the other hand, it's "Quantum computing is a scam, there's no risk at all." Both extremes are wrong.
The truth lies in a rational and feasible middle ground: Bitcoin faces clear engineering challenges, parameters are known, research and development are underway, and time is tight but manageable—provided the community maintains a reasonable sense of urgency.
The most dangerous thing is not quantum computers, but the cycle of public opinion that swings back and forth between panic and indifference, preventing people from rationally looking at a problem that can be solved in essence.
Bitcoin has survived the block size debate, the hacking of trading platforms, regulatory shocks, and the disappearance of its founder, and it can also make it to the quantum era. But the prerequisite is that the community starts preparing steadily now, without panicking or giving up, and proceeds with the robust engineering mindset that underpins Bitcoin's strength.
The house didn't catch fire, and it may never catch fire in the direction everyone feared. But cryptographic assumptions are never valid indefinitely. The best time to strengthen the foundations of cryptography is always before a crisis arrives, not after.
Bitcoin has always been built by a group of people who anticipate threats before they occur. This isn't paranoia; it's engineering thinking.
References:
This article references 66 research papers from two main Wikipedia sections, covering quantum computing resource estimation, Bitcoin vulnerability analysis, debunking psychology, and research on content dissemination mechanisms. Key sources include Google's Quantum AI Lab (2026), the paper "Quantum Mining at the Kardashev Scale" (2025), the BIP-360 proposal document, Berger and Milkman's research (2012), the "Debunking Handbook" (2020), and discussions by industry practitioners such as Tim Urban, Dan Lu, and patio11. The complete Wikipedia resources are open for peer review.