Quantum computers are seen as the next major upheaval in IT — and are regularly described as a threat to Bitcoin. The short version up front: Bitcoin is currently safe. In the medium to long term, however, there are real risks that the community is aware of and already working on. This article explains clearly where the actual attack surfaces lie, which scenarios are overblown, and why Taproot from a quantum perspective is not the most secure address type.
Short answer: Are quantum computers a threat to Bitcoin?
As of 2026: No. Quantum computers that exist today are far from being able to break the cryptographic primitives behind Bitcoin. The question only becomes relevant once cryptographically relevant quantum computers with a sufficient number of stable (logical) qubits are available.
A recent Google paper from March/April 2026 puts the bar lower than earlier estimates: roughly 1,200–1,450 high-quality logical qubits and fewer than 500,000 physical qubits could be enough to recover a secp256k1 private key from its public key, which breaks ECDSA and Schnorr alike, since both Bitcoin signature schemes use the same curve. At the same time, the paper emphasizes that no such system exists yet, and that Bitcoin's Taproot upgrade in particular is expanding the pool of quantum-exposed coins, because Taproot puts the public key itself into every output.
For users, this means: no reason to panic, but a good reason to take address hygiene seriously and follow the discussion around post-quantum cryptography.
What is a quantum computer, and what makes it dangerous?
A quantum computer isn't a faster PC; it's a machine that computes with quantum-mechanical states. Instead of classical bits (0 or 1), it works with qubits, which can be in a superposition of both. For a few specific problem classes, factoring and discrete logarithms among them, this yields a superpolynomial speedup; for most everyday workloads it offers no advantage at all.
Qubits, superposition, entanglement
- Superposition: A qubit can be in a combination of 0 and 1 at the same time; a register of n qubits carries amplitudes for all 2^n states at once.
- Entanglement: The states of multiple qubits become correlated. This is not "parallel processing" in the classical sense; algorithms like Shor's arrange interference between amplitudes so that only the wanted answer survives measurement.
- Decoherence: Qubits are extremely fragile and lose their state within fractions of a second. Keeping a computation alive requires quantum error correction, which bundles many physical qubits into one logical qubit and therefore consumes most of the hardware.
Shor's vs. Grover's algorithm
Not every quantum algorithm is relevant for Bitcoin. The two decisive ones are:
- Shor's algorithm: Solves integer factoring and discrete logarithms in polynomial time, which breaks RSA and, via the elliptic-curve discrete logarithm on secp256k1, ECDSA and Schnorr (Bitcoin's signatures). This is the actual risk for BTC wallets.
- Grover's algorithm: Provides only a quadratic speedup for brute-force search, e.g. finding a preimage of SHA-256. 256-bit preimage security would effectively drop to 128 bits, still far beyond practical reach.
Why Bitcoin is theoretically attackable
Bitcoin relies on two central cryptographic building blocks:
- ECDSA or Schnorr, both over the curve secp256k1, to sign transactions.
- SHA-256 for proof of work, transaction and block IDs and Merkle trees; P2PKH and P2WPKH addresses commit to HASH160 = RIPEMD-160(SHA-256(pubkey)) rather than to the key itself.
ECDSA/Schnorr: the actual weak point
With a sufficiently large quantum computer, Shor's algorithm could derive the private key from a public key. Whoever holds the private key controls the bitcoin. Because ECDSA and Schnorr share secp256k1, a single discrete-log capability breaks both.
The attack window opens wherever the public key is visible on-chain: on every output type that contains the key directly (P2PK, P2TR), on reused addresses, and from the moment an output is spent, because the spending input (scriptSig or witness) reveals the key.
SHA-256: less critical than often claimed
Grover's algorithm halves the security level of SHA-256 (256 → 128 bits against preimages) but doesn't break the function. For mining and block integrity, SHA-256 is considered comfortably secure even in a quantum scenario; mining is brute-force search, so Grover's square-root speedup is the best a quantum attacker can hope for there. If it ever became necessary, the hash could be replaced (SHA-384/512), though changing the proof-of-work function would be a hard fork rather than a soft fork.
Which Bitcoin addresses are particularly at risk?
Not all bitcoin is equally exposed. From a quantum perspective, the key question is: Is the public key already visible on the blockchain — or only its hash?
Important: From a quantum perspective, Taproot is not an upgrade
A widespread misconception: "Taproot is newer, so it's safer." From a pure quantum perspective, that's wrong. A P2TR scriptPubKey is OP_1 followed by the 32-byte x-only output key. As soon as bitcoin is received at a Taproot address, that key is publicly visible and stays so forever. This holds even for script-only Taproot outputs built on an unspendable (NUMS) internal key: the output key Q = P + tG is still a valid curve point, and whoever recovers its discrete log can sign a key-path spend. That makes every P2TR output a "harvest now, decrypt later" candidate, or more precisely "harvest now, forge later": an attacker doesn't need to break the key today, they can archive the output and recover the key once the hardware exists.
P2PKH and P2WPKH, on the other hand, only store HASH160 of the public key on-chain; P2SH and P2WSH store a hash of the script, which in turn contains the keys. As long as such an output has never been spent and its address is not reused, Shor's algorithm has no input to work on, and Grover against a 160-bit hash (2^80 work) is practically infeasible. Two caveats: the protection ends the moment you spend, because the spend reveals the key, and an attacker fast enough to run Shor within the time a transaction sits unconfirmed in the mempool could in principle race it. Hash-protected outputs are safe at rest, not in transit.
The quantum risk ranking therefore looks roughly like this:
- Most exposed: P2PK outputs, reused addresses of any type, and all P2TR outputs.
- In between: unspent P2SH/P2WSH outputs (script hash only; the keys appear when the script is revealed at spend time).
- Best protected: freshly used, never reused P2PKH or P2WPKH addresses whose public key has never appeared in a spending input.
This doesn't change Taproot's everyday advantages (privacy, cheaper multisig, MuSig2, script trees). For long-term HODLing in cold storage, however, it's a relevant point.
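To make the distinction concrete, here is an added example (not code from 21bitcoin or from any wallet) that classifies raw scriptPubKeys by output type and flags whether a Shor target is already on-chain. It also covers the two exposure paths discussed above, address reuse and spending, by treating any earlier spend from the same script as exposure and by extracting the public key from a P2WPKH witness. The sample outputs use constructed dummy hashes and key bytes, not real chain data.

```python
"""Classify Bitcoin scriptPubKeys by output type and by whether a Shor
target (a public key) is already visible on-chain.

Added illustration for this article; not code from 21bitcoin. The sample
outputs and the UTXO list are constructed (dummy 20/32-byte hashes and a
dummy 33-byte key that is not a real curve point), not chain data.
"""
from __future__ import annotations
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160 = 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


@dataclass(frozen=True)
class OutputType:
    name: str
    pubkey_on_chain: bool  # True: the key (Shor's input) sits in the output itself
    note: str


def classify_spk(spk: bytes) -> OutputType:
    """Map a raw scriptPubKey to its standard output type."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (early Satoshi-era coins)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return OutputType("P2PK", True, "raw public key in the output")
    # P2PKH: OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return OutputType("P2PKH", False, "HASH160 of key; key revealed in scriptSig on spend")
    # P2SH: OP_HASH160 <20> <hash160> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return OutputType("P2SH", False, "HASH160 of script; script and its keys revealed on spend")
    # SegWit v0: OP_0 <20> (P2WPKH) or OP_0 <32> (P2WSH)
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return OutputType("P2WPKH", False, "HASH160 of key; key revealed in witness on spend")
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return OutputType("P2WSH", False, "SHA256 of script; script and its keys revealed on spend")
    # SegWit v1 (Taproot): OP_1 <32> <x-only output key>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return OutputType("P2TR", True, "x-only output key in the scriptPubKey")
    return OutputType("unknown", False, "non-standard; inspect manually")


def exposure(spk: bytes, prior_spends: int) -> str:
    """'exposed': a public key for this output is already on-chain.
    'hidden': only a hash is on-chain, so Shor has no input until it is spent.
    prior_spends = number of earlier spends from the same scriptPubKey
    (address reuse); any such spend already revealed the key or script."""
    t = classify_spk(spk)
    if t.pubkey_on_chain or prior_spends > 0:
        return "exposed"
    return "hidden" if t.name != "unknown" else "unknown"


def pubkey_from_p2wpkh_witness(witness: list[bytes]) -> bytes:
    """The witness stack of a P2WPKH spend is [signature, compressed pubkey];
    this is the moment a hash-only output becomes a Shor target."""
    if len(witness) != 2 or len(witness[1]) != 33 or witness[1][0] not in (2, 3):
        raise ValueError("not a P2WPKH witness stack")
    return witness[1]


def exposed_value_fraction(utxos: list[tuple[bytes, int, int]]) -> float:
    """Share of value (by amount) whose public key is already on-chain."""
    total = sum(v for _, v, _ in utxos)
    exposed = sum(v for spk, v, prior in utxos if exposure(spk, prior) == "exposed")
    return exposed / total if total else 0.0


# Constructed sample set: (scriptPubKey, value in sats, prior spends from that script).
H20, H32 = bytes.fromhex("11" * 20), bytes.fromhex("22" * 32)
DUMMY_KEY = b"\x02" + bytes.fromhex("33" * 32)  # 33 bytes; placeholder, not a real point
SAMPLE_UTXOS = [
    (bytes([33]) + DUMMY_KEY + bytes([OP_CHECKSIG]), 5_00000000, 0),                                 # P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1_00000000, 2),  # reused P2PKH
    (bytes([OP_0, 20]) + H20, 2_00000000, 0),                                                        # fresh P2WPKH
    (bytes([OP_1, 32]) + H32, 1_00000000, 0),                                                        # P2TR
    (bytes([OP_0, 32]) + H32, 1_00000000, 0),                                                        # fresh P2WSH
]

if __name__ == "__main__":
    for spk, value, prior in SAMPLE_UTXOS:
        t = classify_spk(spk)
        print(f"{t.name:7} {value / 1e8:5.2f} BTC  {exposure(spk, prior):8}  {t.note}")
    print(f"exposed share of value: {exposed_value_fraction(SAMPLE_UTXOS):.0%}")
    print("key revealed by a P2WPKH spend:", pubkey_from_p2wpkh_witness([b"\x30" * 71, DUMMY_KEY]).hex())
```

Run against the constructed set, 70% of the value is already a Shor target (the P2PK coin, the reused P2PKH coin and the Taproot coin); the fresh P2WPKH and P2WSH coins stay hidden until they are spent. The same classifier can be pointed at a real wallet's UTXO list (scriptPubKey plus the number of earlier spends from that script) to get the figure for your own holdings.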
How far has quantum research actually come in 2026?
Current systems from IBM, Google, and others operate in the range of several thousand physical qubits with high error rates. A cryptographically relevant attack on Bitcoin requires error-corrected logical qubits in sufficient numbers.
Google's 2024 "Willow" chip demonstrated error correction below the threshold, meaning logical error rates fell as the code size grew, but did not enable an attack.
IBM's roadmap, along with QuEra, IonQ, PsiQuantum and others, is working on significantly more scalable systems by the end of the 2020s.
Google's 2026 paper lowers the bar to under 500,000 physical qubits for an attack on ECDSA/Schnorr. Such a system isn't available yet — but the time horizon is drawing closer.
In parallel, "harvest now, decrypt later" is the actual strategic threat: data that is publicly visible today (public keys in P2TR and P2PK outputs, keys revealed by spent or reused P2PKH/P2WPKH addresses) can be archived now and the private keys recovered years later.
Post-quantum cryptography: the path to a solution
The research answer is Post-Quantum Cryptography (PQC). In 2024, the US institute NIST published the first standards: ML-KEM (Kyber, FIPS 203) for key encapsulation, and ML-DSA (Dilithium, FIPS 204) and SLH-DSA (SPHINCS+, FIPS 205) for signatures. They are based on lattice or hash problems for which no efficient quantum algorithm is known. Bitcoin has no use for key encapsulation; what it needs is a quantum-safe signature scheme, so ML-DSA and SLH-DSA are the relevant ones.
Approaches being discussed for Bitcoin:
- Hash-based signatures (e.g., XMSS, LMS, SPHINCS+/SLH-DSA): very conservative and well understood, but large. SLH-DSA signatures run to roughly 8–17 KB against 64 bytes for a Schnorr signature, and XMSS/LMS are stateful: signing twice from the same one-time key state breaks security, which is hard to guarantee for a wallet restored from a seed backup.
- Lattice-based signatures (e.g., ML-DSA/Dilithium): more compact at about 2.4 KB per signature, but based on younger assumptions.
- BIP-360 / P2QRH (Pay-to-Quantum-Resistant-Hash) or P2MR: a recently merged BIP proposal that behaves like "Taproot without the key path". The output commits only to the Merkle root of a script tree, so no long-lived public key sits in the scriptPubKey; spending works solely via a script path with a Merkle proof. Keys inside a leaf script are revealed only when that leaf is spent, like a P2WPKH key, so this removes Taproot's permanent attack surface without immediately forcing a heavy PQC signature algorithm into every output.
A full migration would likely run via a soft fork: a new address type, and users would move their UTXOs over during a migration window. What matters is that the process is completed before a cryptographically relevant quantum computer arrives.
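To show what "Taproot without the key path" means mechanically, the following added example (not code from BIP-360, 21bitcoin or Bitcoin Core) builds a script tree with BIP-341's TapLeaf/TapBranch tagged hashes, commits to its Merkle root, and verifies a script-path spend with an inclusion proof. The leaf scripts are constructed placeholders. The hashing follows BIP-341; that BIP-360 uses the same tree encoding is my assumption, and the point is the mechanism, not the exact BIP-360 serialization.

```python
"""Script-tree commitment and Merkle-proof verification: the shape of a
"Taproot without the key path" spend.

Added illustration for this article, not BIP-360 or Bitcoin Core code.
Leaf/branch hashing follows BIP-341 (TapLeaf/TapBranch tagged hashes);
BIP-360's exact serialization is assumed, not reproduced. The leaf scripts
are constructed placeholders whose contents do not matter to the tree.
"""
from __future__ import annotations
import hashlib

LEAF_VERSION = 0xC0  # BIP-341 tapscript leaf version


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize length prefix."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def tapleaf_hash(script: bytes) -> bytes:
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + compact_size(len(script)) + script)


def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))  # children are sorted, so proofs carry no left/right flags
    return tagged_hash("TapBranch", lo + hi)


def build_tree(scripts: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Balanced tree over the scripts. Returns (merkle_root, proofs) where
    proofs[i] is the list of sibling hashes from leaf i up to the root."""
    leaves = [tapleaf_hash(s) for s in scripts]

    def rec(hs: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
        if len(hs) == 1:
            return hs[0], [[]]
        mid = (len(hs) + 1) // 2
        l_root, l_proofs = rec(hs[:mid])
        r_root, r_proofs = rec(hs[mid:])
        proofs = [p + [r_root] for p in l_proofs] + [p + [l_root] for p in r_proofs]
        return tapbranch_hash(l_root, r_root), proofs

    return rec(leaves)


def verify_script_path(merkle_root: bytes, script: bytes, proof: list[bytes]) -> bool:
    """What a verifier does at spend time: hash the revealed leaf script,
    fold in the sibling hashes, compare with the committed root. No public
    key is involved until the leaf script itself is executed."""
    h = tapleaf_hash(script)
    for sibling in proof:
        h = tapbranch_hash(h, sibling)
    return h == merkle_root


# Constructed placeholder leaf scripts (shapes only; not real spending conditions).
SCRIPTS = [
    b"\x20" + bytes.fromhex("aa" * 32) + b"\xac",        # "<key> OP_CHECKSIG"-shaped leaf
    b"\x03\x40\x42\x0f\xb1\x75",                          # "<locktime> OP_CLTV OP_DROP"-shaped leaf
    b"\xa8\x20" + bytes.fromhex("bb" * 32) + b"\x87",    # "OP_SHA256 <hash> OP_EQUAL"-shaped leaf
]

if __name__ == "__main__":
    root, proofs = build_tree(SCRIPTS)
    # In P2TR this root is tweaked into a curve point, which exposes a key;
    # the P2MR idea commits the 32-byte root itself, so there is no key to attack.
    print("merkle root:", root.hex())
    for i, s in enumerate(SCRIPTS):
        ok = verify_script_path(root, s, proofs[i])
        print(f"leaf {i}: proof depth {len(proofs[i])}, valid={ok}")
    print("forged leaf accepted?", verify_script_path(root, b"\x51", proofs[0]))
```

The key in the first leaf is exposed only when that leaf is spent, exactly as with a P2WPKH key; the other two leaves never reveal a key at all. That is the whole difference from P2TR, where the same tree is folded into an output key Q = P + tG that a discrete-log attacker can spend via the key path regardless of which leaves exist.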
What you as a Bitcoin user can do now
No panic, but solid hygiene:
- Don't reuse addresses. Generate a fresh receiving address for every payment and use it only once.
- Choose the address type deliberately: For everyday payments, SegWit/Taproot are unproblematic. For large, long-term cold-storage holdings, unused P2WPKH addresses (bc1q..., 42 characters) are currently the more conservative choice from a quantum perspective than Taproot (bc1p...), until Bitcoin rolls out a quantum-safe output type (e.g., BIP-360 / P2QRH).
- Migrate very old UTXOs if you hold significant balances in P2PK or frequently reused addresses. The migration transaction itself reveals the old key, which is exactly why it has to happen while no attacker can yet exploit that.
- Keep self-custody tight: seed backups, up-to-date firmware, trustworthy hardware and software.
- Follow the discussion: Once the community rolls out a quantum-safe soft fork, migrate in a timely manner.
Conclusion: prepared, not scared
Quantum computers are a serious long-term topic for Bitcoin, but not an acute risk. The weak point isn't mining or SHA-256, but ECDSA/Schnorr combined with exposed public keys — and that's precisely why Taproot, from a quantum perspective, is not an upgrade over well-managed legacy addresses.
The solution — post-quantum cryptography and concrete proposals like BIP-360 — stands on solid technical ground. Bitcoin has cleanly delivered several protocol upgrades in its history (SegWit, Taproot). There are good reasons to assume that the transition into the quantum age will also succeed — not in spite of, but because the community is discussing it early.
FAQ
Can a quantum computer break Bitcoin today?
No. Available hardware is orders of magnitude too small to practically break ECDSA/Schnorr or SHA-256.
Is Taproot more quantum-safe than legacy addresses?
No — quite the opposite. Taproot outputs contain the public key directly visible on the blockchain. Legacy (P2PKH) and native SegWit addresses (P2WPKH) only store the hash of the public key, as long as the address hasn't been reused and has never signed an outgoing transaction. For pure long-term HODLing without spending, the latter are currently more quantum-robust.
Which algorithm is more dangerous for Bitcoin — Shor or Grover?
Shor. It breaks the signature scheme (ECDSA/Schnorr) outright. Grover only gives a square-root speedup against SHA-256 and remains manageable.
Are old Satoshi coins at risk from quantum computers?
Many early coins sit in P2PK outputs with exposed public keys. They are considered particularly exposed — should quantum computers ever become cryptographically relevant.
Do I need to move my bitcoin to a new address now?
Not necessarily yet. Anyone holding very old, exposed addresses or large balances in Taproot can preemptively migrate to freshly used P2WPKH addresses and consistently avoid reuse.
How will Bitcoin be made quantum-safe?
Most likely via a soft fork that introduces a new, quantum-safe address and signature type (e.g., BIP-360 / P2QRH). Users would migrate their UTXOs within a given time window.
When will the migration to post-quantum cryptography happen?
There's no firm date. What matters is that it's completed before a cryptographically relevant quantum computer arrives — and the Bitcoin community's discussion is already actively underway (including BIP-360).
Marketing communication by FIOR Digital GmbH (21bitcoin). Investments in Bitcoin involve both risks and opportunities. Past performance is not an indicator of future results.