Jul 1, 2025

The Quantum Shift: Getting Ready For A New Computing Era

Encryption is the foundation of modern civilization. It secures everything from messaging to satellite communications, online banking, critical infrastructure, Bitcoin, and even the browser you’re using to read this post. But this foundation wasn’t built for what’s coming next: quantum computing.

Back in the 90s, TV shows dropped freshly minted internet jargon into dialogue to make everything sound futuristic. Today, those same words are part of our everyday life. Quantum has been getting the same treatment in the past decade. For many, “quantum” still sounds like sci-fi, but this isn’t fiction anymore – and it’s advancing faster than many realize.

Quantum computers promise to solve certain problems that would take classical computers billions of years, potentially unlocking breakthroughs in multiple fields, such as medicine, chemistry, energy systems, materials science, climate modeling, financial optimization, logistics, machine learning, fusion power, and beyond.

That same power is what could render today’s most trusted cryptographic systems obsolete, because our whole encryption foundation wasn’t built with quantum in mind. The risk isn’t just for Bitcoin, but for everything from online banking to government secrets, stock exchanges, power grids, health records, national defense systems… the list goes on and on.

Fortunately, the cryptography community has been preparing. Post-quantum encryption schemes are maturing. Bitcoin, for its part, has a proposed upgrade – BIP-360 – that could secure the protocol against a quantum future.

But before we dive deeper, let’s break down the basics.

What Is Quantum Computing?

Every classical computer – whether it’s your phone or a supercomputer – processes information as bits: zeroes or ones. Every photo you take, song you play, email you send, and game you enjoy is ultimately built from combinations of these binary digits.

A quantum computer uses qubits – short for quantum bits – instead. Thanks to principles from quantum mechanics, a qubit can be in a state of 0, 1, or both at the same time – a phenomenon called superposition. When a quantum system is measured, it “collapses” to a definite value. Until then, it explores many possibilities.

Imagine a classical bit as a light switch: it’s either on or off. A qubit, in contrast, is like a dimmer dial spinning on a wheel – not locked to one position, but in all possibilities until you check.

Visual representation of the light switch example

Another key property to understand how quantum computers work is entanglement – the idea that multiple qubits can be linked in such a way that the state of one instantly influences the other, no matter how far apart in space they are. This gives quantum computers the ability to handle multidimensional problems with extreme parallelism.

Quantum computers aren’t just “faster” in the way we think of classical speed. They operate in a fundamentally different way, allowing them to tackle certain problems that classical computers simply can’t solve efficiently. One of those is factoring large numbers, the core of RSA and ECC encryption.

The number of qubits also matters. For reference, today’s most advanced quantum chip hosts around 1,200 qubits, a 20x increase from the 53-qubit chip unveiled by Google in 2019.

Here are some examples of the theoretical time a quantum computer would take to break the encryption used in different sectors:

Sector                 Qubits needed         Time to break
Bitcoin (ECDSA)        ~370,000 qubits       ~8 to 12 hours
Banking (RSA)          ~600,000 qubits       ~6 to 10 hours
Military Comms (ECC)   ~1.2 million qubits   ~20 to 30 hours

* Estimates based on Gidney, C. (2025), “How to factor 2048-bit RSA integers with fewer than a million noisy qubits”, and Garn, M., & Kan, A. (2025), “Quantum Resource Estimates for Computing Binary Elliptic Curve Discrete Logarithms”.

So, what does it take to build a quantum computer powerful enough to do this? Let’s break down how quantum computing works and why it’s still so challenging to scale.

How Does Quantum Computing Work?

Just in Q1 of 2025, private investment in quantum research and development rose to $1.2 billion.

Quantum computers are no longer theoretical; they’re already being built and tested around the world, although they still have several challenges to overcome.

Why Are Quantum Computers So Difficult to Build?

Qubits are incredibly delicate. Even small amounts of environmental noise can cause information to collapse or be lost entirely. The main challenges researchers are facing are:

  • Decoherence: Quantum states degrade rapidly due to heat, radiation, or electromagnetic interference, limiting how long a qubit can hold useful information.
  • Gate errors: Every operation on a qubit introduces a chance of error due to hardware imperfections or timing issues.
  • Crosstalk: Qubits can unintentionally interfere with nearby qubits, especially as systems grow in size, leading to unintended interactions.

Today’s quantum computers can run small programs under controlled conditions, but scaling up to handle complex or general-purpose tasks is still limited by these sources of instability.

Error-Correcting Qubits

To build reliable quantum computers, researchers need to correct for the noise and instability described above. This is done by combining many unstable qubits, also called physical or noisy qubits, in a way that allows the system to catch and fix errors as they happen.

Combining physical qubits creates a logical qubit, which in theory allows error-free calculations. Depending on the error rate of the hardware, however, building one logical qubit can require hundreds to thousands of physical qubits, so a system with, say, 1,000 physical qubits might not yet support even a single usable logical qubit.

When a quantum chip is said to have 100 or 1,000 qubits, those are referring to physical qubits – the raw, error-prone kind.

Do we need logical qubits to perform useful tasks?

Surprisingly, not always. Some quantum algorithms – most famously Shor’s algorithm, which could potentially break RSA and ECC encryption – may be feasible on large systems of noisy qubits, as long as the algorithm can finish before decoherence sets in.

This has been demonstrated in recent research.

While logical qubits are essential for general-purpose quantum computing, they may not be required to pose real-world threats to encryption systems in the near future.

How Are Quantum Computers Built?

There’s no single way to build a quantum computer, because there are various ways to build a qubit. Researchers are exploring multiple approaches, each with different strengths and trade-offs:

  • Superconducting qubits (IBM and Google): Tiny circuits cooled near absolute zero. Fast and well-developed, but fragile.
  • Trapped ion qubits (IonQ): Use individual atoms manipulated by lasers. Very stable but slower.
  • Photonic qubits (PsiQuantum): Use photons to encode information. Operate at room temperature and potentially easier to scale.
  • Topological qubits (Microsoft): Based on exotic quasiparticles (Majorana zero modes) that promise built-in error resistance. Still no full topological qubit yet, but progress is finally measurable.

Each design has its own challenges, but they all share the same goal: maintaining stable quantum states long enough to perform useful computation.

TL;DR: Quantum computers don’t run faster, they run differently – exploiting quantum physics to search entire solution spaces in parallel.

Quantum Milestones

Quantum computing isn’t new; it has been theorized for decades, but progress in recent years has made the threat to encryption real.

Year  Milestone
1994  Shor’s algorithm published. First quantum algorithm capable of factoring large integers exponentially faster, theoretically able to break RSA and ECC.
1996  Grover’s algorithm introduced. Quadratic speedup for brute-force search.
2019  Google’s Sycamore chip achieves “quantum supremacy”: solved a benchmark problem in 200s vs 10,000 years on classical hardware.
2022  IBM Osprey reaches 433 qubits, the highest publicly disclosed at the time.
2023  IBM’s Condor chip reaches 1,121 physical qubits. A new public record.
2023  U.S. mandates federal agencies to migrate to post-quantum cryptography by 2035.
2024  U.S. National Institute of Standards and Technology (NIST) releases the first official post-quantum encryption standards.
2024  NSA directs U.S. government to phase out RSA and ECC by 2030.
2024  Google unveils Willow, a next-gen superconducting chip.
2025  Microsoft demonstrates early topological qubit stability in lab conditions. Promising, but still experimental.
2025  Private investment in quantum R&D hits an all-time high: $1.2B in Q1 alone.

We are no longer in the “maybe one day” era. We’re in the “plan for this now” era, especially for systems that need to remain secure for years.

Why Quantum Computers Threaten Modern Encryption

Most of today’s encryption systems rely on problems that are hard for classical computers to solve, but easy to verify. These are the bedrock of digital security:

  • RSA (Rivest-Shamir-Adleman): Secures online banking, powers HTTPS (the lock icon in your browser), encrypts some emails, and protects communication between cloud services, payment processors, and VPNs.
  • ECC (Elliptic Curve Cryptography), including ECDSA (Elliptic Curve Digital Signature Algorithm): Used in Bitcoin wallets, two-factor authentication apps, mobile banking apps, and modern websites that need fast, lightweight encryption.
  • AES (Advanced Encryption Standard) and SHA (Secure Hash Algorithm): Used to encrypt files on your phone or laptop, secure your messaging apps (like WhatsApp or iMessage), protect biometric data, and hash passwords on every website you log into.

But here’s how quantum computers are changing the rules:

What is Shor’s Algorithm

In 1994, an American mathematician called Peter Shor published a quantum algorithm that could factor large integers exponentially faster than any known classical method.

Shor’s algorithm breaks the core assumption behind public key cryptography: that certain math problems (like factoring the product of two large primes, or computing discrete logarithms on elliptic curves) are practically unsolvable. With a powerful enough quantum computer, Shor makes it possible to extract private keys from public ones.

What Could Shor’s Algorithm Crack?

  • Bitcoin and other cryptocurrencies: ECDSA secures wallet ownership. Shor’s algorithm could theoretically derive a private key from exposed public keys (like P2PK outputs and Taproot addresses).
  • Online banking: Secure login and transaction signing for banking portals (i.e. login handshakes).
  • Web browsing (HTTPS/TLS): The padlock in your browser, protecting everything from online shopping to health insurance portals.
  • Email encryption: Secures the privacy of millions of emails daily.
  • Messaging apps: Forward secrecy and authentication between users.
  • Apple iMessage, iCloud, and FaceTime: Use ECC for end-to-end encryption and device trust.
  • Military-grade secure communications: Some encrypted communication systems rely on ECC.
  • Authentication in mobile apps and IoT: Everything from smart locks to digital car keys.


What is Grover’s Algorithm

Unlike Shor’s, Grover’s algorithm doesn’t fully break encryption, but it does make brute force attacks much faster. It gives a quadratic speedup for searching through possible keys or hashes, which weakens the strength of symmetric encryption and hashing functions.

If a classical computer needs 2ⁿ operations to break a key, a quantum computer using Grover’s algorithm only needs √(2ⁿ), effectively halving the bits of security:

  • A 128-bit AES key would offer only 64 bits of quantum security
  • A 256-bit hash (like SHA-256) would offer only 128 bits of quantum security

What Could Grover’s Algorithm Weaken?

  • File storage encryption: Tools that protect data from laptops and external drives.
  • Cloud data at rest: Encrypted files stored in Google Drive, Dropbox, iCloud, and corporate storage systems.
  • VPN traffic encryption: VPNs often use AES to protect traffic.
  • Wireless communication: WPA3 uses AES to secure Wi-Fi traffic in homes and businesses.
  • Disk encryption on phones: Android and iOS devices protect your data with AES.
  • Password storage: Hash-based storage can be attacked faster.
  • Digital signatures: Hashes are used in signature schemes to commit to message contents.

Mitigation and Bitcoin Mining

Symmetric algorithms (like AES or SHA) can be made quantum resistant by doubling key sizes. AES-256 and SHA-256 are already considered safe against Grover’s algorithm for now, but legacy systems using 128-bit or even 64-bit keys may be vulnerable in a post-quantum future.

SHA-256 based hashing (used in Bitcoin mining) remains strong: Grover’s could reduce brute-force complexity from 2²⁵⁶ to 2¹²⁸, but 2¹²⁸ operations would still theoretically take ~10²⁸ years (a 1 followed by 28 zeros), even on a fully error-corrected quantum computer.
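To make the Grover and Shor rules above concrete, here is an added example (written for this article, not code from the original post or from any project it mentions) that applies them to a small constructed crypto inventory: symmetric keys and hash outputs get their bit strength halved, RSA and ECC entries are marked as fully broken, and anything that ends up below 128 bits of post-quantum security is flagged for migration. The inventory lines, the 128-bit threshold and the algorithm lists are assumptions chosen to match the text, not measurements of any real system.

```python
"""Quantum exposure inventory: apply two rules from the article to a list of crypto uses.

Rule 1 (Shor): public-key schemes built on factoring or discrete logs (RSA, DH,
ECDH, ECDSA, ECC) are broken outright once a large enough quantum computer exists,
so their post-quantum security is 0 bits.
Rule 2 (Grover): brute-force search over an n-bit symmetric key or hash preimage
drops from 2^n to 2^(n/2) work, so post-quantum security is n/2 bits.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample inventory, one entry per line: name, algorithm, key or output bits.
# Illustrative values only, not data from a real deployment.
SAMPLE_INVENTORY = """\
vpn-tunnel,AES,128
disk-encryption,AES,256
legacy-backup,3DES,112
tls-key-exchange,RSA,2048
bitcoin-wallet,ECDSA,256
password-hash,SHA-256,256
message-digest,SHA-1,160
"""

# Assumed algorithm lists; extend as needed for a real inventory.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "ECC", "SCHNORR", "DSA"}
GROVER_HALVED = {"AES", "3DES", "CHACHA20", "SHA-1", "SHA-256", "SHA-512", "SHA3-256"}

# Below this many bits of post-quantum security we flag a primitive for action.
# 128 is the level AES-256 and SHA-256 keep after Grover, which the text calls safe for now.
MIN_QUANTUM_BITS = 128


@dataclass
class Assessment:
    name: str
    algorithm: str
    classical_bits: int
    quantum_bits: int
    reason: str

    @property
    def action_needed(self) -> bool:
        return self.quantum_bits < MIN_QUANTUM_BITS


def assess(name: str, algorithm: str, bits: int) -> Assessment:
    """Apply the Shor or Grover rule to a single inventory entry."""
    algo = algorithm.upper()
    if algo in SHOR_BROKEN:
        return Assessment(name, algorithm, bits, 0, "Shor: private key recoverable from public key")
    if algo in GROVER_HALVED:
        return Assessment(name, algorithm, bits, bits // 2, "Grover: brute-force cost 2^(n/2)")
    raise ValueError(f"unknown algorithm: {algorithm}")


def parse_inventory(text: str) -> list[Assessment]:
    """Parse 'name,algorithm,bits' lines, skipping blanks and # comments."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, algorithm, bits = (field.strip() for field in line.split(","))
        results.append(assess(name, algorithm, int(bits)))
    return results


def needs_migration(text: str) -> list[str]:
    """Names of inventory entries that fall below MIN_QUANTUM_BITS."""
    return [a.name for a in parse_inventory(text) if a.action_needed]


if __name__ == "__main__":
    for a in parse_inventory(SAMPLE_INVENTORY):
        flag = "MIGRATE" if a.action_needed else "ok"
        print(f"{a.name:18} {a.algorithm:8} {a.classical_bits:>4} -> {a.quantum_bits:>4} bits  {flag:8} {a.reason}")
```

Run as a script it prints one line per entry; the two 256-bit symmetric entries survive at 128 bits, AES-128 drops to 64, and every RSA or ECDSA entry is reported at 0 bits regardless of key size, which is the asymmetry the text describes between Grover and Shor.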

Any system that uses RSA, ECC, or ECDSA is vulnerable once public keys are exposed, even if quantum decryption capabilities come years later.

This is known as a “store now, decrypt later” approach, and it may already be happening. Governments or other entities may be collecting encrypted traffic today, with the intent of decrypting it once a powerful enough quantum computer becomes available.

The day that becomes possible has a name: Q-Day.

What Is Q-Day?

Q-Day refers to the day a quantum computer becomes powerful enough to break widely used public key cryptography.

It marks a moment where encrypted data becomes retroactively readable by any entity in control of a sufficiently powerful quantum computer, capable of running Shor’s algorithm against real-world targets.

Will We Know When Q-Day Arrives?

If we apply game theory logic to the quantum race, the incentives strongly favor secrecy.

Suppose a government, intelligence agency, or company achieves a breakthrough in building a quantum computer capable of breaking encryption.

Announcing that breakthrough would instantly alert adversaries, who would probably:

  • Harden their systems with post-quantum encryption.
  • Stop transmitting valuable encrypted data.
  • Instantly migrate from vulnerable infrastructure.

The moment the breakthrough is disclosed, the strategic advantage disappears. But if the actor stays quiet, they theoretically could:

  • Passively decrypt communications
  • Harvest intelligence over time
  • Exploit security gaps without detection

This creates a classic asymmetric information scenario: one player holds a dominant but hidden capability, and maximizes its utility by keeping others in the dark. In game theory terms, revealing your hand collapses your edge, especially in a multiplayer environment with no trust and high stakes.

Still, there are warning signs we could watch:

  • Number of qubits: Around 370,000 is roughly the number of (noisy) qubits that a quantum computer would need to break Bitcoin’s ECDSA signatures using optimized versions of Shor’s algorithm.
  • Computation time: If a quantum system can keep enough qubits stable for 8 to 12 hours, that’s enough to pose real threats to RSA, ECC, and Bitcoin.
  • Error rates: A per-gate error rate of around 0.1% (99.9% fidelity) makes it possible to run long circuits without full error correction.
  • Public demos: Any credible demo of factoring large RSA keys (2048+ bits) or solving ECC problems would be a major red flag.

These thresholds are grounded in published research and technical feasibility studies. Reaching any of them could suggest that Q-Day is no longer theoretical, and that quantum decryption capabilities are within striking distance.

Current estimates vary, but projections for Q-Day stand within 5 to 15 years, possibly sooner depending on hardware breakthroughs.

Q-Day clock from project eleven

Post-Quantum Cryptography: Rebuilding the Foundations

If quantum computers can break today’s encryption, we need cryptography that can resist them, now and in the future. This field is known as post-quantum cryptography (PQC).

Quantum-safe cryptographic algorithms are designed around math problems that quantum computers can’t solve efficiently, even with Shor or Grover.

In August 2024, the U.S. National Institute of Standards and Technology (NIST) released the first official post-quantum encryption standards. These algorithms were selected after an 8-year global review process:

Category       Algorithm           Use case
Lattice-based  CRYSTALS-Kyber      Key exchange (replacement for RSA)
Lattice-based  CRYSTALS-Dilithium  Digital signatures (replacement for ECDSA)
Hash-based     SPHINCS+            Backup signature scheme (larger keys)
Code-based     Classic McEliece    Optional, fast but large key sizes

U.S. Government Transition Plan

  • By 2030: RSA, ECC, ECDSA, and other quantum-vulnerable algorithms will be phased out of U.S. federal systems.
  • By 2035: Only quantum-safe algorithms will be allowed in use.

These deadlines signal a global shift. Organizations and protocols are preparing to stay secure in a post-quantum world.

Bitcoin’s Quantum Risk: What If We Do Nothing?

Security on Bitcoin depends on cryptography, and that cryptography wasn’t built with quantum in mind.

The signature scheme in Bitcoin (ECDSA) is how users prove ownership of their coins without exposing their private keys, but there’s a catch: once a Bitcoin address is used (i.e. the coins are spent), the public key becomes visible on-chain.

An attacker with a sufficiently powerful quantum computer could in theory use Shor’s algorithm to derive the private key from that exposed public key, and spend any remaining funds from that address.

That said, most modern wallets avoid address reuse, generating fresh addresses for change.

But there’s a more prominent risk: addresses that have their public keys exposed on-chain, even before spending.

The Immediate Target: Satoshi’s Coins

In the early days of Bitcoin, miners received rewards in what are called Pay-to-Public-Key (P2PK) addresses, which expose the public key directly on-chain, even before coins are spent.

Roughly 1.7 million BTC sit in these output types. Some belong to early adopters, some to Satoshi Nakamoto himself.

These funds are especially vulnerable because:

  • Their public keys are exposed from day one
  • They’ve never been consolidated or moved to newer address types
  • They represent over 8% of all Bitcoin

Taproot’s Quiet Exposure

Introduced in 2021, Taproot (P2TR) was designed to improve privacy and efficiency.

Like P2PK, Taproot addresses expose their public key on-chain from day one, meaning coins are vulnerable even before they’re spent.

Modern formats like P2PKH (Pay-to-Public-Key-Hash) only reveal the public key at the moment of spending, which offers a fighting chance, assuming quantum computers aren’t fast enough to crack a key in the seconds or minutes before the transaction confirms.

Short vs Long Exposure Attacks

Quantum attacks on Bitcoin fall into two categories:

  • Short Exposure Attack (with P2PKH): The public key is hidden until a transaction is broadcast. Once it’s exposed, an attacker has a small window – while the transaction is in the mempool – to crack it and front-run the transaction.
  • Long Exposure Attack (with P2PK or Taproot): The public key is visible even before any transaction is made. This gives attackers unlimited time to precompute the private key and move the funds.
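The short-versus-long exposure distinction can be checked mechanically from an output’s scriptPubKey, because the script template tells you whether a public key or only a hash of it is stored on-chain. The following added example (not from the original post or from any wallet project) classifies the standard output templates and totals the value sitting in long-exposure outputs, which is the figure a wallet owner would want before deciding what to migrate first; the sample UTXOs and their values are constructed, not real chain data.

```python
"""Classify Bitcoin output scripts by how long their public key is exposed on-chain.

Long exposure: the public key (or Taproot output key) sits in the scriptPubKey
itself, so it is visible from the moment coins are received.
Short exposure: the scriptPubKey holds only a hash; the key appears in the spending
transaction and is visible only while that transaction waits in the mempool.
"""
from __future__ import annotations

from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


@dataclass(frozen=True)
class OutputType:
    name: str
    exposure: str  # "long", "short", "script-dependent" or "unknown"
    detail: str


def classify_script_pubkey(hex_script: str) -> OutputType:
    """Match a scriptPubKey against the standard templates."""
    s = bytes.fromhex(hex_script)
    n = len(s)
    # P2PK: <33-byte compressed or 65-byte uncompressed pubkey> OP_CHECKSIG
    if s and s[-1] == OP_CHECKSIG and (
        (n == 35 and s[0] == 33 and s[1] in (0x02, 0x03))
        or (n == 67 and s[0] == 65 and s[1] == 0x04)
    ):
        return OutputType("P2PK", "long", "raw public key in scriptPubKey")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return OutputType("P2PKH", "short", "HASH160 of pubkey; key revealed only when spent")
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[0] == OP_HASH160 and s[1] == 0x14 and s[22] == OP_EQUAL:
        return OutputType("P2SH", "script-dependent", "redeem script and its keys revealed only when spent")
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and s[0] == OP_0 and s[1] == 0x14:
        return OutputType("P2WPKH", "short", "HASH160 of pubkey; key revealed in witness only when spent")
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and s[0] == OP_0 and s[1] == 0x20:
        return OutputType("P2WSH", "script-dependent", "witness script and its keys revealed only when spent")
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and s[0] == OP_1 and s[1] == 0x20:
        return OutputType("P2TR", "long", "tweaked output key in scriptPubKey; its discrete log allows a key-path spend")
    return OutputType("unknown", "unknown", "unrecognised script template")


# Constructed sample UTXO set: (scriptPubKey hex, value in satoshis). Not real chain data.
SAMPLE_UTXOS = [
    ("21" + "02" + "ab" * 32 + "ac", 5_000_000_000),  # P2PK, 50 BTC (early coinbase style)
    ("76a914" + "cd" * 20 + "88ac", 50_000_000),       # P2PKH, 0.5 BTC
    ("5120" + "ef" * 32, 125_000_000),                 # P2TR, 1.25 BTC
    ("0014" + "12" * 20, 10_000_000),                  # P2WPKH, 0.1 BTC
    ("a914" + "56" * 20 + "87", 20_000_000),           # P2SH, 0.2 BTC
]


def exposure_report(utxos: list[tuple[str, int]]) -> dict[str, int]:
    """Total satoshis per exposure class across a UTXO set."""
    totals = {"long": 0, "short": 0, "script-dependent": 0, "unknown": 0}
    for script_hex, value in utxos:
        totals[classify_script_pubkey(script_hex).exposure] += value
    return totals


if __name__ == "__main__":
    for script_hex, value in SAMPLE_UTXOS:
        t = classify_script_pubkey(script_hex)
        print(f"{t.name:7} {t.exposure:17} {value / 1e8:>8.3f} BTC  {t.detail}")
    print(exposure_report(SAMPLE_UTXOS))
```

In the constructed set, the P2PK and P2TR outputs (51.25 BTC) are long-exposure and the P2PKH and P2WPKH outputs (0.6 BTC) are short-exposure; the P2SH output is reported separately because its risk depends on what the redeem script contains, which the scriptPubKey alone does not reveal.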

That’s why addresses that expose their public keys are the easiest targets in a post-quantum world.

What Is BIP-360? Bitcoin’s Quantum-Safe Proposal

Recognizing the risk, Hunter Beast started working on solutions and authored BIP-360.

This Bitcoin Improvement Proposal aims to make Bitcoin quantum-resistant by introducing a Pay-to-Quantum-Resistant-Hash (P2QRH) output type, enabling post-quantum digital signatures. It adds support for quantum-safe cryptographic schemes alongside existing ones, rather than replacing them outright.

How BIP-360 makes Bitcoin quantum resistant:

  • Soft-Fork Compatible

BIP-360 is designed to be introduced via soft fork, making it opt-in and backward-compatible.

  • Post-Quantum Signatures

The proposal allows Bitcoin wallets to use two quantum-resistant algorithms:

  1. CRYSTALS-Dilithium (lattice-based, fast, NIST approved).
  2. SPHINCS+ (hash-based, very secure, slower, and larger).

These options offer flexibility depending on the user’s risk profile and technical constraints.

  • Multisig and Migration Tools

BIP-360 doesn’t just add new cryptography, it’s designed with key migration and wallet flexibility in mind. Users could, for example:

  1. Create addresses that require both ECDSA and Dilithium signatures.
  2. Transition existing funds to quantum-safe outputs in stages.
  3. Future-proof cold storage wallets.

Why Not Just Replace Quantum Vulnerable Algorithms?

Bitcoin prioritizes stability, and abruptly replacing all cryptography would break compatibility with existing wallets and exchanges, adding new attack vectors before maturity is proven.

BIP-360 offers an incremental path forward, letting early adopters secure their funds without forcing the rest of the ecosystem to move prematurely.

But what about P2PK outputs that are just sitting on-chain with millions of coins?

There’s also a plan.

Hourglass: Throttling Quantum Exposed Coins

While BIP-360 provides a pathway for future transactions to adopt quantum-resistant signatures, it doesn't address the coins locked in P2PK outputs.

To mitigate the risk of a sudden mass liquidation of these funds, the Hourglass proposal introduces a consensus-level mechanism that limits the rate at which P2PK outputs can be spent. Key features include:

  • Spending Rate Limitation: Restricts the number of P2PK outputs that can be spent per block, stretching the potential release of these funds into the market from a matter of hours to roughly 8 months.
  • Economic Incentives: By making spendable P2PK slots per block scarce, it encourages higher transaction fees for these spends, potentially redistributing value to miners and reducing the attractiveness of mass quantum-based theft.
  • Minimal Disruption: Rather than burning coins and hoping for the best, Hourglass preserves a fundamental property of Bitcoin, that coins are never invalidated, and so minimizes disruption to the network.

This approach aims to provide a controlled and economically balanced method for integrating vulnerable legacy funds into the post-quantum Bitcoin ecosystem, complementing the proactive measures in BIP-360.

The Quantum Shift Involves Everybody

Quantum computing is no longer a distant possibility; it’s a rapidly developing field with clear implications for our everyday life.

While we may still be years away from Q-Day, the foundations are being laid today.

Addressing the quantum threat involves everyone:

  • Governments, guarding critical infrastructure.
  • Banks, safeguarding trillions in global transfers and records.
  • Companies, responsible for incredible amounts of customer data.
  • Everyday people, who trust that their messages, identities, money, and memories remain private in a digital world.

And yes, it matters for Bitcoin. Without an upgrade, the protocol risks real loss, not from software bugs or nation-state bans, but from physics itself.

Fortunately, the cryptographic community is not asleep at the wheel. Post-quantum encryption is here. For Bitcoin, proposals like BIP-360 give us a solid path forward.

This is not a time for panic, but for action.
