When Will Quantum Computers Break Bitcoin's ECDSA? The Complete 2026 Timeline

TL;DR — Quick Answer

Quantum computers will break Bitcoin's ECDSA when a machine can run Shor's algorithm with approximately 4,000+ logical qubits. A March 2026 Google Quantum AI paper estimates this requires ~4 million physical qubits running for 20 minutes. Current best: ~105 error-corrected qubits (Google Willow). Conservative timeline: 10+ years. Aggressive timeline: early 2030s. The Harvest Now, Decrypt Later threat is active right now.

What Exactly Needs to Happen for Bitcoin's ECDSA to Break?

Definition: The Quantum Breaking Threshold for Bitcoin ECDSA

Breaking Bitcoin's secp256k1 ECDSA requires a quantum computer running Shor's algorithm against a 256-bit elliptic curve discrete logarithm problem. A 2022 analysis (Webber et al., AVS Quantum Science) calculated this requires approximately 317 logical qubits running for one hour, or 2,330 logical qubits running for one hour with more aggressive circuit optimization. A March 2026 Google Quantum AI paper estimates the physical qubit requirement at approximately 4 million, running for 20 minutes of sustained operation.

The gap between the logical qubit requirement and the physical qubit requirement is the most important number in this timeline. Current quantum hardware uses noisy, error-prone physical qubits. Quantum error correction requires hundreds to thousands of physical qubits to maintain a single reliable logical qubit.

The 4-million physical qubit estimate (Google, 2026) assumes a specific error correction scheme and architecture. Breakthroughs in error correction could dramatically reduce this number. The timeline is accelerating faster than experts predicted in 2020.

Where Is Quantum Hardware Today vs. the Breaking Threshold?

The gap is significant. But the trajectory is not linear. Quantum computing has repeatedly surprised experts with the pace of progress. The key bottleneck is not qubit count — it is error correction quality and the physical-to-logical qubit overhead ratio.

Google's Willow chip specifically demonstrated that error rates decrease as the number of error-correcting qubits increases (below a specific threshold). This is the first experimental confirmation of the key theoretical assumption underlying large-scale quantum computing. It means the scaling problem is fundamentally solvable — it is now an engineering challenge, not a physics challenge.

The Timeline: What Do Experts Estimate?

Conservative Estimate: 2035-2040

The most widely cited academic consensus (Mosca & Piani, 2024 survey) puts the probability of a CRQC by 2035 at approximately 50%. This is the 'assume nothing unexpected' scenario: steady hardware progress following current roadmaps, no major algorithmic breakthroughs in error correction.

Moderate Estimate: 2030-2035

If IBM and Google meet their aggressive qubit scaling roadmaps, and if error correction overhead improves as projected, a system capable of running Shor's algorithm against Bitcoin's ECDSA could emerge in the early-to-mid 2030s. This is the 'current trajectory continues' scenario.

Aggressive Estimate: 2028-2032

Several defense and intelligence agency analyses (not all publicly available) have reportedly modeled CRQC timelines in the late 2020s under scenarios involving government-funded quantum programs with classified capabilities beyond publicly reported hardware. CISA's urgency in requiring agency PQC migration by 2030 is consistent with a more aggressive threat timeline than public hardware suggests.

Why NIST Says 'Start Now'

NIST explicitly advises organizations not to wait beyond 2030 to begin PQC migration. This creates a migration window of approximately 4 years from today. Given that Bitcoin governance alone would require years to achieve consensus on a PQC hard fork, the math does not favor waiting.

Which Specific Bitcoin Addresses Are Most Vulnerable?

Not all Bitcoin is equally at risk. The vulnerability depends on whether your public key is exposed on the blockchain:

Immediately Vulnerable: P2PK Addresses

Early Bitcoin transactions used Pay-to-Public-Key (P2PK) format, embedding the full public key directly in the transaction output. Every address using this format has its public key permanently exposed on-chain. An estimated 1 million+ BTC (including early Satoshi-era coins) are in this format. These become attackable the instant a CRQC exists.

Highly Vulnerable: Reused P2PKH Addresses

Standard Bitcoin addresses (P2PKH) do not expose the public key until the first spend. However, once you have sent Bitcoin from an address, the public key is permanently recorded on-chain. Any address that has ever sent a transaction is a full HNDL and Q-Day target. This includes the majority of active wallets.

Less Vulnerable (but Not Safe): Unspent P2PKH Addresses

Bitcoin held at an address that has never sent a transaction has its public key obscured (only the hash of the public key is public). However: if you ever spend from this address, you expose the public key.

Satoshi's Wallet: The Elephant in the Room

Satoshi Nakamoto's estimated 1.1 million BTC is held in early P2PK addresses with fully exposed public keys. These are the highest-value quantum attack targets in existence. On Q-Day, they become immediately claimable. The resulting market panic from a potential drain of $100B+ in BTC would be devastating regardless of whether the attack succeeds.

What Happens to the Bitcoin Network When ECDSA Breaks?

The consequences extend beyond individual wallet security:

• Any validator or miner whose signing keys are quantum-compromised can be impersonated, allowing an attacker to sign fraudulent blocks or transactions
• The 'Harvest Now, Decrypt Later' corpus of archived blockchain data would become instantly decryptable
• Market panic from even a credible demonstration of ECDSA vulnerability could trigger a mass sell-off long before a full CRQC is operational
• Emergency hard fork proposals would compete with each other in a chaotic governance environment where the signing keys needed to coordinate the fork may already be compromised

What Is the Only Way to Protect Against This Timeline?

Option 1: Hope Legacy Chains Migrate in Time

Wait for Bitcoin, Ethereum, or your current blockchain to successfully execute a post-quantum hard fork, migrating to NIST PQC standards before Q-Day arrives. The challenges: Bitcoin has no consensus PQC proposal. Ethereum's migration is years from completion.

Option 2: Migrate to Natively Quantum-Safe Infrastructure

Move to blockchain infrastructure that was built from genesis on NIST PQC standards. This is the QubitChain.io approach.

Frequently Asked Questions

Q: When will quantum computers break Bitcoin's ECDSA?

A: Conservative expert consensus: 10+ years (2035-2040). Moderate estimates: early 2030s. What is certain is that the Harvest Now, Decrypt Later threat is active today.

Q: How many qubits are needed to break Bitcoin's ECDSA?

A: Approximately 2,330 logical qubits (Webber et al. 2022) or ~4 million physical qubits (Google Quantum AI 2026) running for approximately 20 minutes of sustained quantum computation.

Q: Can Bitcoin's ECDSA be fixed with a hard fork?

A: Technically yes, but the governance challenge is enormous. A hard fork requires near-universal community consensus, migration of existing wallets (impossible for dormant wallets), and coordination across all exchanges and wallet providers.

Q: Is my Bitcoin safe today?

A: Your Bitcoin is safe from quantum attacks today — no CRQC exists. However, if your wallet has ever sent a transaction, your public key is permanently recorded on-chain and is a target for Harvest Now, Decrypt Later collection. Migrating to quantum-safe infrastructure before Q-Day is the only complete mitigation.

→ QubitChain.io is quantum-safe from genesis — no migration needed before Q-Day. Join the waitlist.