How Many Qubits to Break Bitcoin?

Understanding how many qubits to break Bitcoin is one of the most pressing questions in cryptographic security today. Bitcoin's signature scheme, ECDSA on the secp256k1 curve, relies on the computational hardness of the elliptic curve discrete logarithm problem. A sufficiently powerful quantum computer running Shor's algorithm could, in theory, derive a private key from a public key and drain any exposed wallet. This article explains the underlying mechanics, walks through the best published qubit estimates, unpacks the enormous gap between logical and physical qubits, and explains why the threat remains real but not imminent.

Why Bitcoin's Cryptography Is Vulnerable to Quantum Computers

Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with a 256-bit key on the secp256k1 curve. Every time you sign a transaction, your wallet uses your private key to produce a signature that proves ownership without revealing the key itself.

Classical computers cannot reverse this process in any practical timeframe. The best-known classical attack on a 256-bit elliptic curve key would take longer than the current age of the universe, even with every computer on Earth working in parallel.

Quantum computers change the equation because of Shor's algorithm, published by Peter Shor in 1994. Shor's algorithm solves the discrete logarithm problem (and integer factorization) in polynomial time on a quantum processor. Applied to ECDSA, it means a quantum computer could derive a private key from a public key, provided it has enough high-quality qubits.

Classical vs Quantum Attack Complexity

Attack typeAlgorithmComplexityPractical today?
Classical brute-force on 256-bit ECCPollard's rhoO(2^128)No — astronomically infeasible
Quantum attack on 256-bit ECCShor's algorithmO(n^3 polylog n)Not yet — requires millions of physical qubits
Classical brute-force on 128-bit AESExhaustive searchO(2^128)No
Quantum attack on 128-bit AESGrover's algorithmO(2^64)Partial speedup, not a near-term threat

ECDSA is the primary concern. Grover's algorithm does provide a quadratic speedup against symmetric primitives like SHA-256 (used in Bitcoin mining), but that speedup is far less alarming and is mitigated by simply doubling key sizes.

---

Logical Qubits: The Theoretical Minimum

When researchers calculate how many qubits are needed to break Bitcoin, they first think in terms of logical qubits, which are idealised, error-free computational units. Physical qubits, as we will cover below, are noisy and require many physical units to simulate one logical qubit.

The Roetteler et al. Estimate (2017)

The most widely cited baseline comes from a 2017 paper by Roetteler, Naehrig, Svore, and Lauter from Microsoft Research: *"Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms."* Their key finding:

The Webber et al. Estimate (2022)

A more recent and more operationally precise study by Webber et al., published in *AVS Quantum Science* (2022), reframed the question around a time constraint: how powerful would a quantum computer need to be to steal a Bitcoin private key within the window that the public key is exposed (typically one hour, the time between broadcasting a transaction and its first confirmation)?

Their conclusions were stark:

These estimates assume surface-code error correction (discussed below) and a physical gate error rate of around 10^-3, close to current best-in-class hardware.

For context, the most advanced publicly announced quantum processors in 2024 top out at roughly 1,000–1,100 physical qubits (IBM's Condor/Heron series, Google's Willow chip announced at 105 qubits with improved error rates). None of these are anywhere near the millions required.

---

The Error-Correction Overhead: Why Physical Qubits Far Outnumber Logical Qubits

The gap between "2,330 logical qubits" and "317 million physical qubits" is explained entirely by quantum error correction (QEC). This is the single most important concept to understand when evaluating quantum timelines.

Why Qubits Make Errors

Physical qubits are fragile. They lose coherence through interactions with their environment, a phenomenon called decoherence. Gate operations introduce additional errors. Current state-of-the-art physical error rates sit in the range of 10^-3 to 10^-4 per gate operation, meaning roughly 1 in 1,000 to 1 in 10,000 operations goes wrong.

Shor's algorithm on 256-bit ECC requires billions of gate operations. Without error correction, errors would accumulate and destroy the computation long before any useful result emerged.

Surface Code Error Correction

The leading error-correction scheme for near-term quantum hardware is the surface code, a topological code that arranges physical qubits on a 2D lattice. Error correction works by encoding one logical qubit across many physical qubits and continuously measuring "parity checks" to detect and correct errors without collapsing the quantum state.

The key trade-off:

At current physical error rates (~10^-3), each logical qubit requires approximately 1,000 to 10,000 physical qubits depending on the code distance required for the computation depth. For a billion-gate computation like breaking ECDSA, researchers need code distances large enough to suppress errors below the fault-tolerance threshold, driving that ratio up significantly.

This is why Webber et al. reach millions of physical qubits from a starting point of ~2,300 logical qubits.

Alternative Error-Correction Approaches

Surface codes are not the only game in town. Several other approaches are being actively researched:

If physical error rates can be driven down to 10^-6 or below, the physical qubit overhead collapses dramatically, and the threat timeline accelerates. This is why cryptographers monitor hardware progress closely rather than just qubit counts.

---

Which Bitcoin Addresses Are Actually Vulnerable?

Not all Bitcoin holdings are equally exposed. The vulnerability window depends on when and whether a wallet's public key is visible on the blockchain.

Exposed Public Keys vs Pay-to-Public-Key-Hash (P2PKH)

Vulnerable Bitcoin Estimates

Several researchers have estimated how much Bitcoin sits in exposed addresses. Studies published between 2021 and 2023 suggest that somewhere between 4 million and 5 million BTC (roughly 20-25% of circulating supply) resides in addresses where the public key is already known. This includes known dormant wallets, early mining rewards, and reused addresses. The actual number shifts as dormant coins move or as new addresses reuse keys.

---

Current State of Quantum Hardware: How Far Away Is Q-Day?

"Q-day" refers to the hypothetical date when a cryptographically relevant quantum computer (CRQC) first becomes operational. Estimates from leading cryptographers and national security agencies span a wide range.

Published Timelines and Agency Guidance

The key takeaway: the threat is not imminent, but cryptographic migration takes years to a decade to execute at scale. The Bitcoin network itself would require a hard or soft fork to adopt quantum-resistant signature schemes, a process with significant political and technical complexity.

Recent Hardware Milestones

The consensus among quantum computing researchers is that no quantum computer today poses any threat to Bitcoin's cryptography, and current hardware trajectories suggest this remains true for at least the next decade under most scenarios.

---

Post-Quantum Cryptography: How the Industry Is Responding

Given the stakes, the cryptographic community is not waiting for Q-day to arrive before acting. The transition to post-quantum cryptography (PQC) is already underway at the standards level.

NIST's 2024 PQC standards rely primarily on the hardness of lattice problems (specifically the Learning With Errors problem and its ring variants). These problems are believed to be resistant to both classical and quantum attacks, including Shor's algorithm. Grover's algorithm provides only a modest speedup against lattice problems, which is accommodated by the parameter sizes chosen.

For Bitcoin specifically, the path to quantum resistance is more complex than for centralised systems. It would require:

  1. Defining a new quantum-resistant signature scheme compatible with Bitcoin's scripting system.
  2. Reaching consensus across miners, node operators, and wallet developers.
  3. Executing a network upgrade (likely a soft fork) to support the new scheme.
  4. Providing a migration path for existing exposed addresses.

Steps 1 and 2 alone could take years. Some proposals, such as those incorporating CRYSTALS-Dilithium or hash-based signatures (e.g., XMSS), have been discussed in Bitcoin development forums, but no formal Bitcoin Improvement Proposal (BIP) has reached consensus status as of this writing.

Projects building wallet infrastructure from scratch have an advantage here. BMIC.ai, for example, has built its wallet on lattice-based post-quantum cryptography aligned with NIST PQC standards from the ground up, rather than retrofitting quantum resistance onto a classical architecture.

---

Summary: What the Numbers Actually Mean

Pulling the key figures together:

MetricValueSource
Logical qubits to break 256-bit ECC~2,330Roetteler et al. (2017)
Physical qubits to break ECDSA in 1 hour~317 millionWebber et al. (2022)
Physical qubits to break ECDSA in 1 day~13 millionWebber et al. (2022)
Physical qubits to break ECDSA in 1 month~1.9 millionWebber et al. (2022)
Largest public quantum processor (2024)~1,121 qubitsIBM Condor
Estimated gap to cryptographically relevant QC15–30 years (central estimate)NCSC, various

The numbers tell a clear story. The theoretical minimum is around 2,300 logical qubits, which sounds achievable. The practical requirement, once error-correction overhead is applied to current hardware, is in the range of millions to hundreds of millions of physical qubits. Current processors are three to five orders of magnitude away from that threshold.

The threat is not here yet. But the cryptographic migration needed to address it is lengthy, complex, and should begin well before Q-day arrives.

Frequently Asked Questions

How many qubits does it actually take to break Bitcoin?

In theory, approximately 2,330 logical (error-free) qubits are needed to run Shor's algorithm against Bitcoin's 256-bit ECDSA, based on the Roetteler et al. (2017) estimates. In practice, due to error-correction overhead, a real quantum computer using surface codes would need somewhere between 1.9 million and 317 million physical qubits, depending on how quickly the attack needs to complete. No machine close to that scale exists today.

Why is there such a large gap between logical and physical qubit requirements?

Physical qubits are noisy and make errors. Quantum error correction encodes one logical qubit across many physical qubits to detect and correct errors without disturbing the computation. At current error rates (roughly 1 in 1,000 gate operations), each logical qubit may require thousands of physical qubits, and deep computations like Shor's on 256-bit ECC require very high code distances, driving total physical qubit counts into the millions.

Which Bitcoin addresses are most at risk from a quantum computer?

Addresses where the public key is already visible on-chain are most at risk. These include Pay-to-Public-Key (P2PK) outputs (common in early Bitcoin, including Satoshi-era blocks), and any address that has already been used to send a transaction (since broadcasting a transaction reveals the public key). Standard unused P2PKH addresses have an additional layer of hash protection, though they become vulnerable the moment a transaction is broadcast.

Could a quantum computer attack Bitcoin mining (SHA-256) as well?

In principle, Grover's algorithm provides a quadratic speedup against hash functions, halving the effective security of SHA-256 from 256 bits to 128 bits. However, this is far less severe than Shor's attack on ECDSA, and is easily mitigated by doubling hash output sizes. The more serious concern is the signature scheme (ECDSA), not proof-of-work mining.

When might a quantum computer powerful enough to break Bitcoin actually exist?

Most credible institutional estimates, including from the UK's NCSC and various academic bodies, place a cryptographically relevant quantum computer between 15 and 30 years away under central-case scenarios. However, there is genuine uncertainty: breakthroughs in error-correction or hardware could compress that timeline, while engineering challenges could extend it. The spread of estimates is wide, which is precisely why cryptographic migration planning is beginning now.

What would it take for Bitcoin to become quantum-resistant?

Bitcoin would need a protocol upgrade to replace ECDSA with a post-quantum signature scheme, such as a lattice-based algorithm (e.g., CRYSTALS-Dilithium/ML-DSA) or a hash-based scheme (e.g., XMSS). This requires broad consensus among miners, developers, and node operators, likely implemented as a soft fork. A migration path for existing exposed addresses would also be needed. Given Bitcoin's governance complexity, this process could take many years to complete.