Quantum Horizon: An evaluation of quantum computing as a threat to Bitcoin and Ethereum

The paper argues that while quantum computing poses a significant but manageable threat to Bitcoin and Ethereum primarily through Shor's algorithm breaking digital signatures rather than mining, the critical challenge lies in timely governance-led migration to post-quantum cryptography rather than the technology itself, with a projected 60% probability of a cryptographically relevant quantum computer emerging by 2050.

The Gist

The Big Picture: A Looming, But Manageable, Storm

Imagine Bitcoin and Ethereum as two massive, high-security vaults. For years, people have worried that a super-smart "quantum computer" might one day pick the locks on these vaults.

This paper argues that while the threat is real, it is not a disaster waiting to happen tomorrow. The authors say we have a clear view of the storm clouds, we know exactly which locks are weak, and we have the blueprints to replace them. The only thing that could cause a crash is if the people in charge (the "governance" teams) are too slow to act.

Here is the breakdown of the paper's main points:

---

1. The Two Different "Superpowers" (Shor vs. Grover)

People often confuse two different types of quantum computer attacks. The paper says we need to stop mixing them up.

• The Real Threat (Shor's Algorithm): The Master Key.
  • The Analogy: Imagine your bank account has a digital signature (a unique seal) that proves you own the money. Shor's algorithm is like a magical device that can look at your public seal and instantly figure out your secret private key.
  • The Result: If a quantum computer gets this, it can forge your signature and steal your coins. This is the danger.
• The Fake Threat (Grover's Algorithm): The Speedy Guess.
  • The Analogy: Bitcoin mining is like a giant lottery where computers guess numbers to win. Grover's algorithm is like a speed-boost for guessing. It makes the computer guess twice as fast (or rather, the square root of the time).
  • The Result: The paper says this is not a problem. It's like giving a human a slightly faster calculator in a race against a Ferrari. The network would just adjust the difficulty (make the lottery harder), and the quantum computer would still be too slow to take over. Mining is safe.

2. The Timeline: "Soon" but Not "Now"

When will this magical "Master Key" machine exist?

• Today: We don't have it. The best machines we have today are like a single bicycle compared to the super-tank needed to break the locks. We are roughly 400 to 500 times away from having enough power.
• The Forecast: The authors ran a complex simulation (like a weather forecast) combining expert guesses and hardware progress.
  • By 2035: There is about a 1-in-6 chance the machine exists.
  • By 2040: The chance goes up to 30%.
  • By 2050: The chance is about 60%.
• The Takeaway: It's not "panic time," but it's definitely "start packing time." We have a window of maybe 10 to 15 years to fix things before the machine arrives.

3. Who Is Actually in Danger? (The "Exposed" Coins)

Not every Bitcoin or Ethereum coin is at risk. It depends on where the "seal" (the public key) is visible.

• The Safe Zone (Fresh Addresses): If you put your money in a brand-new, unused address, your secret key is hidden behind a one-way mirror. Even a quantum computer can't see it until you try to spend the money.
• The Danger Zone (Reused Addresses): If you have spent from an address before, your "seal" is now public on the blockchain forever. A quantum computer could steal any money sitting there.
• The "Lost" Zone (Irreducible Risk):
  • Bitcoin: About 2.3 million coins are "dormant" (lost keys or from the very early days like Satoshi's). These owners can never move them. If the quantum computer arrives, these coins are gone forever. This is a permanent loss, but it's a fixed amount (about 12% of all Bitcoin).
  • Ethereum: Because Ethereum works like a bank account (where you reuse the same address), about 50–65% of all Ether is currently "exposed." However, unlike the lost Bitcoin, these owners can still move their money to safety.

4. The Race: Can We Fix It in Time?

The paper compares the time it takes to upgrade the software (migration) vs. the time it takes for the quantum computer to arrive.

• The Upgrade Plan: We already have the new "quantum-proof" locks (standards finalized in 2024).
  • Ethereum has an easy path: It can let individual accounts upgrade their locks one by one without shutting down the whole network.
  • Bitcoin has a harder path: It requires a massive community agreement to change the rules, which is politically difficult.
• The Race Result: If we start upgrading now (in 2026), we will finish the job by 2029–2031. This beats even the most optimistic prediction of when the quantum computer will arrive (2035) by several years.
• The Real Danger: The only way we lose is if we delay. If the community argues for too long and doesn't start until 2033, we might get caught with the door open.

5. The Bigger Picture (Other Cryptocurrencies)

The authors looked at the top 20 cryptocurrencies.

• The Bad News: None of them are fully safe yet. They all use the same type of "locks" that quantum computers can break.
• The Good News: Some (like XRP and Solana) are already testing new locks. Others (like Dogecoin) are lagging behind.
• The Lesson: It doesn't matter which math they use; it matters if they have a plan to upgrade and if they hide their keys until the money is spent.

Summary: What Should You Do?

The paper concludes with a posture of "Prepared Urgency," not Panic.

1. For Users: Stop reusing old addresses. If you have money in an old, reused address, move it to a fresh one. Plan to upgrade to "quantum-safe" wallets when they become available.
2. For the Networks: Start the upgrade process immediately. Don't wait for an emergency.
3. The Bottom Line: The threat is real, and the timeline is getting shorter, but the problem is solvable. The only thing that can break the system is if we are too slow to fix it. The "irreducible" loss (the lost coins) is small and known, but the rest of the network can be saved.

Technical Summary

Technical Summary: Quantum Horizon

Problem Statement
The paper addresses the threat posed by quantum computing to the cryptographic security of Bitcoin and Ethereum. It specifically targets the conflation of two distinct quantum algorithms: Shor's algorithm, which threatens elliptic-curve digital signatures (ECDSA on secp256k1 and BLS on BLS12-381), and Grover's algorithm, which accelerates unstructured search. The central question is whether a Cryptographically Relevant Quantum Computer (CRQC) will emerge before these networks can migrate to post-quantum standards, and what the scope of exposure is for existing assets.

Methodology
The authors employ a multi-faceted approach combining resource estimation, hardware modeling, and chain analysis:

• Resource Estimation: The paper synthesizes algorithmic advances (specifically the 2025–2026 reduction in Toffoli gate counts for factoring) with hardware scaling models. It distinguishes between logical qubits (error-corrected) and physical qubits, applying a "fault-tolerance readiness lag" to account for the engineering gap between raw qubit counts and functional machines.
• Monte-Carlo Forecasting: To predict the arrival of a CRQC, the authors integrate four signals: (1) the declining resource requirement due to algorithmic improvements, (2) hardware scaling rates (physical qubit doubling), (3) the fault-tolerance readiness lag, and (4) expert surveys (Global Risk Institute, Mosca). Rather than averaging these divergent signals, the model preserves their disagreement, resulting in a bimodal probability distribution.
• Exposure Analysis: The paper conducts a granular on-chain analysis of Bitcoin and Ethereum to distinguish between "irreducible" risk (dormant/lost coins) and "migratable" risk (active coins). It utilizes chain scans to quantify the percentage of supply where public keys are permanently revealed versus those hidden behind hash-based addresses.
• Mining Competitiveness Modeling: A calibrated model evaluates the impact of Grover's algorithm on Proof-of-Work (PoW), factoring in fault-tolerant per-operation costs, parallelization limits, and network difficulty adjustments.

Key Contributions

1. Decoupling Threats: The paper rigorously separates the threat to signatures (Shor's) from the threat to mining (Grover's). It concludes that while signatures are vulnerable, PoW mining is not meaningfully threatened by quantum speedups due to quadratic limitations, high fault-tolerance costs, and the square-root parallelization wall.
2. Bimodal Timeline Forecast: Instead of a single point estimate, the paper presents a bimodal distribution for CRQC arrival. One mode reflects expert surveys (centered ~2038–2040), and the other reflects bottom-up physics models (centered ~2052). The combined forecast assigns a ~1-in-6 chance of a CRQC by 2035, rising to ~60% by 2050.
3. Exposure Stratification: The authors quantify the "irreducible" risk floor. For Bitcoin, they estimate ~2.3 million BTC (12% of supply) are irreducibly at risk (dormant/lost), while ~3.7 million BTC are migratable. For Ethereum, they estimate 50–65% of supply sits in "used" accounts with revealed keys, but note this is largely migratable via account abstraction.
4. Governance as the Binding Constraint: The paper argues that the primary bottleneck is not technological feasibility but governance. A timely migration starting in 2026 is projected to finish by 2029–2031, beating even an optimistic 2035 CRQC. The risk of failure lies in governance paralysis, not the inability to implement post-quantum cryptography.

Results

• Hardware Gap: As of June 2026, the best hardware possesses ~1,000–1,200 physical qubits and at most ~100 logical qubits. Breaking secp256k1 requires ~1,200–2,330 logical qubits, implying a gap of 400–500× even against aggressive estimates, and orders of magnitude larger against conservative ones.
• Mining Safety: A single quantum machine at an optimistic 100 GHz gate speed would achieve ~21 TH/s, roughly one-tenth of a single modern ASIC. The network difficulty adjustment would neutralize any quantum mining advantage, rendering the "quantum miner" threat negligible.
• Vulnerability Distribution:
  • Bitcoin: ~30% of supply is quantum-exposed at rest. Of this, ~12% is irreducible (dormant/lost), and ~19% is migratable.
  • Ethereum: ~50–65% of supply is exposed at rest due to account reuse, but the exposure is structurally easier to fix via account abstraction (EIP-7702/8141) than Bitcoin's UTXO model.
• Market Readiness: A survey of the top 20 cryptocurrencies reveals none are fully post-quantum. Readiness is determined by migration progress and exposure models (UTXO vs. Account) rather than the specific curve used. Bitcoin and Ethereum are near the less-ready end of major chains due to governance complexity, despite having concrete migration paths.

Significance and Claims
The paper claims that the quantum threat to Bitcoin and Ethereum is real, broad-based, but bounded and substantially mitigable.

• Mitigability: The threat is confined to digital signatures; the underlying consensus mechanisms (PoW/PoS) and hash functions remain secure.
• Actionability: The "binding constraint" is governance speed. The authors assert that a prompt migration starting in 2026 allows the networks to finish upgrades years before a CRQC is likely to arrive.
• Residual Risk: The only unfixable loss is the "irreducible core" of dormant coins (e.g., Satoshi-era Bitcoin), which constitutes a bounded, characterizable loss rather than a systemic collapse.
• Posture: The paper advocates for "prepared urgency" rather than alarm. It concludes that while the timeline has compressed due to algorithmic advances, the window for migration remains open, provided decentralized communities coordinate effectively to activate post-quantum standards (such as NIST's ML-DSA and SLH-DSA) before a CRQC emerges.