In the near future, the unthinkable becomes inevitable. A cryptographically-relevant quantum computer (CRQC) capable of executing Shor’s algorithm threatens to unravel the foundations of digital trust. It will not announce itself with fanfare. There will be no press release, no whitepaper. Instead, the evidence will emerge as a trickle—a few inexplicable transactions, loss of private keys, a market surplus of "recovered" Bitcoin. By the time the evidence for a CRQC becomes undeniable, it will already be too late.
This article explores a realistic, near-term scenario of how the arrival of a CRQC may impact Bitcoin. As in a true wargame, we start by defining the "red team," the quantum adversary, in terms of both its capabilities and goals. Next, we examine how a quantum adversary would use a quantum computer. Finally, we conclude with a subtle but important implication: a failure to prepare proactively before Q-Day will result in a transition that is likely to be fragmented and chaotic.
The leading candidates to build the first CRQC fall into two broad categories: nation-states and commercially-motivated private actors. Among nation-states, China and the United States stand out. Both have well-funded national quantum initiatives and classified research that likely extends beyond the public state-of-the-art.
While most of the state-of-the-art quantum computing research is assumed to take place in the U.S. and/or Europe, the possibility of China getting there first can't be ruled out. They recently announced a $138B state-backed fund for quantum computing, and their existing quantum computers are on par with the US. They are also ahead of the West in certain sub-fields, having demonstrated the ability to share cryptographic keys over quantum networks via satellite.
A CRQC in state hands is most likely to be used first for intelligence collection: decrypting diplomatic channels, compromising secure comms, and gaining strategic advantage in cyberwarfare. But disrupting or undermining trust in alternative financial systems like Bitcoin could be a secondary or even strategic objective—particularly for a regime threatened by financial sovereignty outside its control, or as a weapon against sovereigns holding Bitcoin in a strategic reserve.
On the other hand, the first CRQC could also emerge from the private sector. Massive investment by public companies like Google, IBM, or Amazon, or by well-funded quantum startups, might yield a breakthrough. PsiQuantum, for example, raised $750M just this year from Blackrock, Nvidia, and others for a quantum computer they aim to build within the next three years, one that, according to one recent paper, would be powerful enough to break the RSA cryptosystem.
For a commercial actor, Bitcoin’s market cap—$2T in accessible value, a meaningful portion of which is in lost or inactive addresses with exposed public keys—presents a unique, time-sensitive arbitrage. Recovering even a small fraction of that value represents a multi-billion dollar payoff: a natural way to recoup the huge upfront investment to build a quantum computer.
Crucially, whether state or non-state, revealing the existence and capabilities of a CRQC squanders a major strategic advantage. A state would waste the opportunity to gather valuable intelligence. A company would kill the arbitrage before it can be harvested. Thus, a quantum adversary is both able and incentivized to stay in stealth for as long as possible. So Q-Day (the day on which a CRQC emerges) might only be discovered after the fact.
This is likely because of an unsettling truth: a signature produced by a quantum computer isn't actually a forgery; it is identical in every respect to a signature produced classically. There is no watermark, no telltale sign. If a quantum adversary steals funds, it will appear as though the rightful owner sent the transaction deliberately. A CRQC breaks the assumptions of classical cryptography and allows an adversary to create anyone’s signature, and thus breaks the link between knowledge of a secret private key and asset ownership.
Consider the implications: the first signs of a CRQC will be interpreted as anything but a quantum breach. Custodians will investigate internal logs. Exchanges will blame faulty infrastructure. Individuals will assume they were spearphished.
Only after repeated incidents—or a dramatic event, the draining of a high-profile wallet—will the narrative shift. By then, billions could be gone.
We don't know how Q-Day will play out. All we know is that after Q-Day, everything changes.
The early attacks won't be loud. They won’t target the mempool, or attempt to rewrite history. Instead, they will be silent, precise, and plausible. A transaction from a known, dormant address appears. It spends coins from a wallet inactive since 2011. There’s no message, no signature from the original holder. But everything checks out cryptographically.
These first attacks will likely target addresses with weak protections:
- Early wallets with flawed or insufficient entropy: Private keys are only as secure as the entropy used to generate them. Early Bitcoin wallets (such as those on Android before 2013) used weak entropy to create keys that were far below the 256-bit security level. The most plausible target for a quantum adversary is an older address that is already on the borderline of being classically insecure.
- P2PK addresses that expose the full public key: The first coinbase reward for Satoshi went to a pay-to-public-key (P2PK) address. P2PK addresses (the recipients of a large share of the initial coinbase rewards) are particularly vulnerable to long-range "grinding attacks," where a quantum adversary has much more time to work out a solution and can even tailor the attack to a single public key.
- P2PKH addresses reused across multiple transactions: Satoshi realized that quantum computers would be a threat to Bitcoin, so he created pay-to-public-key-hash (P2PKH) as a means of protection. But Satoshi's first Bitcoin client did not protect against address reuse, so many early users of Bitcoin have exposed their public key when signing a transaction even though they were using P2PKH.
Over 30% of all Bitcoin in circulation today is held in addresses with exposed public keys. Because of the persistent nature of the blockchain's ledger, these keys (and the value associated with them) represent highly attractive targets.
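One way a holder or custodian can audit their own outputs for the exposure classes listed above, as an added example that is not code from the article: it classifies raw scriptPubKeys and flags P2PK outputs plus P2PKH outputs whose address has already spent (address reuse). P2WPKH is included as a generalization, since its witness reveals the key on spend the same way; the spend history and every script and amount below are constructed.

```python
"""Audit a UTXO set for public keys already visible on chain (added example).
Exposure classes modelled: P2PK outputs (key in the output itself), and P2PKH
or P2WPKH outputs whose address has spent before. All data is constructed."""
from collections import namedtuple

Utxo = namedtuple("Utxo", "value_sat script_pubkey")
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def classify_script(spk: bytes) -> str:
    """Return 'p2pk', 'p2pkh', 'p2wpkh' or 'other' for a raw scriptPubKey."""
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, the pattern of early coinbases
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def key_exposed(utxo: Utxo, spent_scripts: set) -> bool:
    """True if the output's public key can already be read from the chain.
    spent_scripts: scriptPubKeys seen as spent prevouts (key is in scriptSig/witness)."""
    kind = classify_script(utxo.script_pubkey)
    if kind == "p2pk":
        return True
    return kind in ("p2pkh", "p2wpkh") and utxo.script_pubkey in spent_scripts

def exposure_report(utxos: list, spent_scripts: set) -> dict:
    """Count exposed outputs and the share of total value they hold."""
    exposed = [u for u in utxos if key_exposed(u, spent_scripts)]
    total = sum(u.value_sat for u in utxos)
    at_risk = sum(u.value_sat for u in exposed)
    return {"exposed_outputs": len(exposed), "total_outputs": len(utxos),
            "exposed_value_sat": at_risk,
            "exposed_share": at_risk / total if total else 0.0}

# Constructed sample: a P2PK coinbase-style output, P2PKH address A (has spent
# before, so its key is public), P2PKH address B (never spent), fresh P2WPKH.
P2PKH_A = b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac"
SAMPLE_UTXOS = [
    Utxo(5_000_000_000, b"\x21\x02" + b"\x11" * 32 + b"\xac"),
    Utxo(100_000_000, P2PKH_A),
    Utxo(300_000_000, b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac"),
    Utxo(600_000_000, b"\x00\x14" + b"\xcc" * 20),
]
SAMPLE_SPENT = {P2PKH_A}  # address A appeared as a spent prevout once already
```

Running `exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT)` on the constructed sample flags the P2PK output and address A, which together hold 85% of the sample's value.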
Most of the vulnerable cryptography used in traditional finance features keys that are ephemeral, and therefore would require a relatively advanced quantum computer to break in a relevant time window, for a possibly unknown payoff (since there are multiple controls to prevent unauthorized movement of funds).
On the other hand, Bitcoin funds require only a SINGLE digital signature for a given address to entirely drain the account. And because of the visibility of these addresses on the blockchain, a quantum attacker can “grind” a single address over a period of time by exploiting an algorithmic time/space tradeoff (similar to that referenced by Gidney et al in their recent paper).
The goal won’t be to move billions all at once—it will be to move quietly. A state actor might even simulate more conventional causes: a key compromise, a sophisticated malware exploit, a rogue insider. A company might launch an internal effort to slowly “recover” lost Bitcoin, avoiding detection. The network will have no native mechanism to distinguish legitimate owners from quantum adversaries.
Once a CRQC is publicly known, digital signatures lose their authority. The very foundation of ownership on Bitcoin and other blockchains disappears. You are no longer the owner of your BTC because you control the private key. You are only the owner until someone with a quantum computer decides otherwise.
But any attempt to fix the problem at this point becomes subjective. With classical cryptography compromised, there is no way to retroactively prove you are the rightful owner of a given UTXO. Migration must now be arbitrary—a community-wide act of collective memory and consensus.
But this won’t happen easily because the potential solutions will be extremely controversial.
Which post-quantum signature scheme do we adopt moving forward? Who gets to claim which coins? What do we do with inactive or lost UTXOs? At what block height do we draw “the line” after which point we consider UTXOs to be compromised?
Each of these questions will have multiple answers, and each answer will have backers. The result is likely to be a fragmented ecosystem with multiple competing forks, shattered trust, and intense financial volatility. The longer we delay coordinated migration, the more brittle the outcome becomes.
Consider the controversy surrounding SegWit, which led to Bitcoin's last hard fork (creating Bitcoin Cash). In that case, the stakes were relatively low, since Bitcoin adoption was still not widespread and institutionalized. The root cause of the disagreement was an increase in block size from 1MB to 2MB.
Compare that to the situation today. Post-quantum cryptography applied to Bitcoin will increase the block size by at least an order of magnitude. Bitcoin held in existing UTXOs will effectively have to be redistributed, confiscated, or ceded to a quantum attacker. And institutions, now estimated to hold 10-15% of circulating supply, stand to gain nothing and could lose everything.
This is not a call for panic. It is a call for realism. Quantum computing is no longer a theoretical threat. It is a developing capability, pushed forward by both strategic state interests and capital markets hungry for the next technological leap.
We might be two years away, ten years away, or twenty years away from a CRQC. But recall that just eight years ago, the transformer was invented inside Google's AI lab. That result set the stage for the emergence of modern AI, and the attendant disruption the world is currently experiencing.
Similarly, quantum computing might only be one or two breakthroughs away from being able to produce a CRQC. And we may not see it coming or know that it's being used.
Bitcoin, like all cryptosystems built on classical public-key infrastructure, faces a binary future. Either it transitions before the threat matures, or it attempts to rebuild after the trust has already been broken.
Whether or not the first quantum computers are used for cryptanalysis, the very existence of a CRQC is an overhanging threat that clouds Bitcoin's prospects of becoming a truly robust digital store of value, as well as other blockchain use cases such as stablecoins, identity, etc.
The only durable option is proactive migration. That means starting now: defining secure post-quantum key formats, building tools to register post-quantum ownership, and fostering a consensus-led path for transition.
The quantum adversary is coming. It will not declare itself. It will represent an existential threat not just to cryptocurrencies, but all of classical public key cryptography.
But we can prepare, and ensure that Bitcoin survives and fulfills the vision of becoming the Peer-to-Peer Electronic Cash System envisioned by its founder for the next thousand years.