Quantum computing threatens crypto — but not all networks are equal
A new research report from Citi warns that Bitcoin (BTC) faces greater risk from the rise of quantum computers than Ethereum (ETH), not because of technical code differences, but due to fundamental governance structures. As quantum computing breakthroughs accelerate the timeline for so-called 'Q-Day' — the moment a cryptographically relevant quantum computer (CRQC) can break current encryption — the report highlights that Bitcoin's conservative, consensus-driven upgrade process may leave it dangerously exposed.
According to Citi analysts, recent advances in quantum hardware have compressed the expected timeline for practical attacks. Google researchers now estimate that a quantum computer with roughly 500,000 qubits could break Bitcoin's elliptic curve cryptography (secp256k1) within minutes. While such a machine does not yet exist, multiple independent research groups have pushed the projected Q-Day window to 2030–2032, with a 34% probability of a CRQC existing by 2034 according to Citi's own models.
The governance gap: Why Bitcoin struggles to adapt
The core of Citi's analysis centers on how each network makes decisions. Bitcoin's upgrade process requires broad, often contentious consensus among miners, node operators, and the wider community. Implementing quantum-resistant cryptography would likely require a hard fork — a divisive and technically risky undertaking that Bitcoin has historically approached with extreme caution.
"The challenge for Bitcoin is not primarily technical — it's a coordination issue," said Michael Shaulov, CEO of Fireblocks, in comments cited by the report. "Getting the entire ecosystem to agree on a migration path is far harder than designing the cryptography itself."
Ethereum, by contrast, benefits from a more flexible governance model. The Ethereum Foundation has already established a dedicated Post-Quantum team, and quantum resistance was formally listed as a protocol priority for 2026. The network's history of regular, smooth upgrades — including the Pectra and Fusaka hard forks in 2025 — positions it to implement changes more rapidly. This is similar to how Ethereum's transition to proof-of-stake demonstrated its capacity for major structural changes.
Billions in Bitcoin already exposed
The report quantifies the scale of the threat: an estimated 6.7 to 7 million Bitcoin — roughly one-third of the total circulating supply, worth approximately $450–500 billion at current prices — currently sit in wallets with already-exposed public keys. These include early Pay-to-Public-Key (P2PK) addresses, which permanently display the public key on-chain, and Pay-to-Public-Key-Hash (P2PKH) addresses, which reveal the key once a transaction spending from them is signed and broadcast. Among these vulnerable funds are approximately 1 million Bitcoin mined by Satoshi Nakamoto that have never been moved.
The vulnerability mechanism is well understood. During a Bitcoin transaction, the sender's public key is temporarily visible on the network until the transaction is confirmed. A sufficiently powerful quantum computer running Shor's algorithm could theoretically derive the corresponding private key from that public key in under 90 minutes, according to Google's latest estimates. This would allow an attacker to forge signatures and steal funds before the transaction even finalizes.
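The exposure categories described above can be read directly from an output's locking script. The following is an added example, not code from the Citi report or any Bitcoin project: it classifies outputs by when the public key becomes visible and totals the value in each class. It goes slightly beyond the text by also covering P2WPKH and P2TR outputs and by counting reused hash-locked addresses as exposed; all scripts, amounts and names are constructed.

```python
# Added example: classify Bitcoin output scripts by public-key exposure.
# All scripts and amounts below are constructed placeholders, not real UTXOs.
EXPOSED, ON_SPEND, OTHER = "key on-chain", "key revealed on spend", "not classified"

def classify(script_hex):
    """Return (script type, exposure class, 20-byte key hash or None)."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return "malformed", OTHER, None
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return "P2PK", EXPOSED, None
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", ON_SPEND, s[3:23]
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", ON_SPEND, s[2:22]
    # P2TR: OP_1 <32-byte x-only output key>; the key itself is in the output
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", EXPOSED, None
    return "other", OTHER, None

def exposure_report(utxos, spent_key_hashes=frozenset()):
    """Sum satoshis per exposure class; a hash-locked output whose key hash
    was already used in an earlier spend (address reuse) counts as exposed."""
    totals = {EXPOSED: 0, ON_SPEND: 0, OTHER: 0}
    for script_hex, sats in utxos:
        _, exposure, key_hash = classify(script_hex)
        if exposure == ON_SPEND and key_hash in spent_key_hashes:
            exposure = EXPOSED
        totals[exposure] += sats
    return totals

SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000),   # P2PK, uncompressed key
    ("76a914" + "33" * 20 + "88ac", 100_000),          # P2PKH, never spent from
    ("76a914" + "66" * 20 + "88ac", 250_000),          # P2PKH, address reused
    ("0014" + "44" * 20, 70_000),                      # P2WPKH
    ("5120" + "55" * 32, 30_000),                      # P2TR
    ("a914" + "77" * 20 + "87", 1_000),                # P2SH, not classified here
]
SPENT_KEY_HASHES = {bytes.fromhex("66" * 20)}          # hashes seen in past spends

if __name__ == "__main__":
    for label, sats in exposure_report(SAMPLE_UTXOS, SPENT_KEY_HASHES).items():
        print(f"{label:22} {sats / 1e8:.8f} BTC")
```

The classifier checks script structure only; it does not validate that the embedded bytes are a real curve point, and P2SH/P2WSH outputs are left unclassified because their exposure depends on the script revealed at spend time.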
Citi also flagged the 'harvest now, decrypt later' risk, where adversaries collect encrypted data today in anticipation of future quantum decryption capabilities. This threat extends beyond cryptocurrency to the entire financial sector, with global banking exposure estimated at $3 trillion.
Ethereum and proof-of-stake networks: Not immune but better positioned
While Ethereum is better positioned than Bitcoin according to Citi, it is not invulnerable. The report notes that a quantum attacker could theoretically collect enough private keys from staked assets to control approximately 33% of the validator set, potentially disrupting network finality and enabling double-spend attacks. However, Ethereum's faster upgrade cycle and active development of post-quantum solutions — including integration of STARK-based signatures and other quantum-safe cryptographic primitives — provide a meaningful buffer.
Other proof-of-stake networks like Solana (SOL) were also noted as having governance advantages similar to Ethereum, though the report did not provide specific vulnerability estimates for those networks. The broader quantum computing impact on blockchain security is expected to be a defining challenge of the late 2020s.
Proposed solutions: BIP-360 and BIP-361
Within the Bitcoin ecosystem, two proposals have emerged to address the quantum threat. BIP-360, introduced in 2025, proposes a new output type called Pay-to-Merkle-Root (P2MR), which removes the quantum-vulnerable keypath spend while maintaining near-full compatibility with existing Pay-to-Taproot (P2TR) outputs. BIP-361, released in April 2026, outlines a three-phase migration roadmap toward quantum-resistant outputs, including a controversial provision to potentially freeze unmigrated coins after a transition period to prevent quantum theft of abandoned funds.
Neither proposal has been adopted yet, reflecting the slow pace of Bitcoin's governance. The debate has exposed a rift between Wall Street investors seeking stability and early adopters pushing for urgent security upgrades. As one analyst noted, the future of Bitcoin in a post-quantum world will depend on the community's ability to overcome these divisions.
FAQ: Quantum computing and cryptocurrency
What is Q-Day?
Q-Day refers to the point in time when a cryptographically relevant quantum computer (CRQC) becomes powerful enough to break widely used public-key cryptography, such as the elliptic curve signatures that secure Bitcoin and Ethereum. Current estimates place Q-Day between 2030 and 2034.
How many qubits are needed to break Bitcoin?
Google researchers estimate that approximately 500,000 physical qubits running Shor's algorithm could break Bitcoin's secp256k1 elliptic curve cryptography within minutes. As of 2026, the largest quantum processors have around 1,000–2,000 qubits, but error correction and scaling remain significant challenges.
Can Bitcoin be upgraded to resist quantum attacks?
Yes, but it requires broad community consensus and likely a hard fork. Proposals like BIP-360 and BIP-361 outline technical pathways, but adoption has been slow due to Bitcoin's conservative governance. Ethereum has moved faster, making quantum resistance a formal 2026 priority with a dedicated team.
How much Bitcoin is at risk from quantum computers?
Citi estimates that 6.7 to 7 million Bitcoin (approximately one-third of total supply, worth $450–500 billion) currently sit in addresses with exposed public keys that could be targeted by a future quantum computer. This includes roughly 1 million Bitcoin believed to belong to Satoshi Nakamoto.
What is a 'harvest now, decrypt later' attack?
This is a strategy where adversaries collect encrypted data today, storing it until a sufficiently powerful quantum computer becomes available to decrypt it. This poses a threat not only to cryptocurrency but to all encrypted communications and data, with Citi estimating $3 trillion in global banking exposure.