How Many Qubits Are Needed to Break Bitcoin? A Technical Analysis
A survey of peer-reviewed qubit estimates, hardware trajectories, and what they mean for ECDSA-secured blockchains.
Bitcoin's entire security model rests on one assumption: that breaking secp256k1 ECDSA is computationally impossible.
That assumption is about to die.
Peter Shor proved it in 1994. A sufficiently powerful quantum computer running his algorithm can derive a private key from a public key in hours — not years, not decades, hours. The only remaining question is how many qubits that computer will need. The peer-reviewed literature has an answer, and it is far closer than most Bitcoin holders want to believe.
secp256k1 and the Discrete Logarithm Problem
Every Bitcoin transaction is authenticated with ECDSA on the secp256k1 curve, a 256-bit elliptic curve specified in SEC 2 and adopted by Satoshi Nakamoto in 2009. The security of this scheme rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a public key Q = kG, find the scalar k.
Classically, the best known attack (Pollard's rho) requires ~2^128 operations. At a trillion operations per second, that would take longer than the age of the universe. The problem is genuinely hard for classical machines.
It is not hard for quantum machines. In 1994, Peter Shor published a quantum algorithm that solves the discrete logarithm problem in polynomial time, reducing what takes classical computers billions of years to a computation measurable in hours. The algorithm exploits quantum superposition to evaluate exponentially many candidates in parallel, then uses quantum Fourier transforms to extract the period, which yields the private key.
ECDSA on secp256k1 falls squarely within the problem class Shor's algorithm was designed for. This is not a conjecture. It is a mathematical proof, published thirty-two years ago, and never refuted.
Logical vs. Physical Qubits: Why the Estimates Diverge
The confusion in popular coverage stems from conflating two fundamentally different metrics. Logical qubits are the error-corrected, mathematically perfect units that Shor's algorithm requires. Physical qubits are the noisy, error-prone hardware elements that must be grouped and error-corrected to produce each logical qubit.
The peer-reviewed literature on the ECDLP qubit cost:
| Study | Logical Qubits | Physical Qubits | Assumptions |
|---|---|---|---|
| Roetteler et al. (2017) | 2,330 | Not estimated | Optimized quantum circuit for ECDLP; assumes fault-tolerant gates |
| Häner et al. (2020) | 2,048–2,500 | ~2–4 million | Surface code QEC; 10^-3 gate error rate |
| Gidney & Ekerå (2021) | ~2,124 | ~20 million | RSA-2048 factoring; ECC attack comparable or cheaper |
| Webber et al. (2022) — pessimistic | 2,048 | 317 million | Superconducting; 1-hour attack window; current error rates |
| Webber et al. (2022) — optimistic | 2,048 | 13 million | Trapped-ion; projected 2030 error rates |
The logical qubit estimates cluster tightly: 2,000–2,500. The physical qubit overhead is where the orders-of-magnitude disagreement lives, because it depends on quantum error correction (QEC) ratios that are still being researched. Today's ratio sits at roughly 1,000:1. If that improves to 100:1 — a trajectory supported by Google's 2024 Willow results, which demonstrated error reduction below the fault-tolerance threshold — then the physical qubit requirement drops from hundreds of millions to tens of millions.
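To make the logical-to-physical ratio concrete, here is an added example (not code from the article or from any of the cited studies) that applies the textbook surface-code heuristics to the 2,330-logical-qubit figure. The threshold, round count and failure budget are assumed values, and magic-state factories and routing space, which the published estimates do include, are left out.

```python
# Added example (not code from the article): estimate surface-code overhead
# for a run that needs N logical qubits. It uses the textbook surface-code
# heuristics: a distance-d patch costs about 2*d*d physical qubits, and its
# logical error rate per round is roughly 0.1 * (p / p_th) ** ((d + 1) / 2).
# Assumptions: threshold p_th = 1e-2, a run of ~1e9 error-correction rounds,
# and a 10% total failure budget. Magic-state factories and routing space,
# which the published estimates do include, are deliberately omitted here.


def code_distance(p_phys: float, p_th: float, target_per_round: float) -> int:
    """Smallest odd distance d whose per-round logical error meets the target."""
    if p_phys >= p_th:
        raise ValueError("physical error rate must be below the code threshold")
    d = 3
    while 0.1 * (p_phys / p_th) ** ((d + 1) / 2) > target_per_round:
        d += 2
    return d


def physical_qubits(logical: int, p_phys: float, p_th: float = 1e-2,
                    rounds: float = 1e9, budget: float = 0.1):
    """Return (distance, physical qubits per logical qubit, total physical)."""
    # Every logical qubit must survive every round, so the failure budget is
    # spread over all logical-qubit-rounds to get the per-round target.
    target = budget / (logical * rounds)
    d = code_distance(p_phys, p_th, target)
    per_logical = 2 * d * d
    return d, per_logical, logical * per_logical


if __name__ == "__main__":
    # Roetteler et al.'s 2,330 logical qubits at today's ~1e-3 error rate
    # versus a hypothetical 1e-4 rate, to show why the ratio moves so much.
    for p in (1e-3, 1e-4):
        d, ratio, total = physical_qubits(2330, p)
        print(f"p_phys={p:.0e}: distance {d}, ratio {ratio}:1, total {total:,}")
```

At 1e-3 the heuristic lands near the ~1,000:1 ratio quoted above; a tenfold better physical error rate roughly quarters the ratio, which is the effect the Willow trajectory is pointing at.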
The Conflict of Interest Problem
It is worth noting who profits from framing these numbers in a particular direction.
Bitcoin maximalists and large institutional holders like MicroStrategy and Marathon Digital, with billions in BTC exposure, have an obvious motive to characterize the quantum threat as distant or exaggerated. This is not speculation about intent; it is an observation about incentive structures. The same dynamic has played out in other industries: tobacco companies funded decades of contrarian research on smoking, and fossil fuel companies funded doubt about climate models. Financial exposure produces motivated reasoning.
The most conservative independent estimate takes Roetteler's 2,330 logical qubits as a lower bound and applies a generous 2,000:1 physical-to-logical ratio, which yields roughly 4.7 million physical qubits. Our own cryptographic analysis puts the realistic range at 2,500–5,000 logical qubits, accounting for implementation-specific overhead and non-ideal gate fidelity.
Even at the high end of 5,000 logical qubits with a 1,000:1 error correction ratio, that is 5 million physical qubits. IBM's published roadmap targets 100,000+ by 2033. Google's Hartmut Neven has publicly stated that his team expects cryptographically relevant quantum computing by 2029. The gap between current hardware and the threat threshold is measured in years, not generations.
Current Hardware: 2026 Snapshot
No quantum computer in existence can break secp256k1. The threat model is prospective, not immediate. But the trajectory matters more than the current snapshot.
| Program | Current Scale (2026) | Published Target |
|---|---|---|
| IBM — Heron / Blue Jay | 5,000+ physical qubits | 100,000+ by 2033 |
| Google — Willow | 105 qubits (sub-threshold QEC) | Commercially relevant by 2029 |
| China — National Quantum Initiative | Classified | $15B+ allocated |
| NSA / DOE | Classified | CNSA 2.0: full PQC migration by 2035 |
Two data points merit attention. First, IBM has roughly doubled its qubit count three times in four years, and its roadmap is public. Second, Google's Willow processor in late 2024 crossed the fault-tolerance boundary: the point where adding more physical qubits reduces total system error rather than increasing it. This is a qualitative threshold, not an incremental improvement. It means that scaling up now helps rather than hurts, which changes the trajectory of error correction ratios.
The NSA's CNSA 2.0 advisory, published in 2022, mandates that all US national security systems complete migration to post-quantum cryptography by 2035. Intelligence agencies do not publish migration deadlines for threats they consider remote.
The Exposure Surface: 4+ Million BTC
The qubit count is one half of the risk equation. The other is how much Bitcoin is already cryptographically exposed.
Over 4 million BTC reside in pay-to-public-key (P2PK) addresses, where the full secp256k1 public key is recorded directly on-chain. This includes Satoshi Nakamoto's estimated 1.1 million BTC. These keys are not hashed. They sit in the UTXO set as raw 33-byte compressed public keys, readable by anyone.
A CRQC with sufficient logical qubits could derive the corresponding private key from any of these public keys using Shor's algorithm. No exploit. No vulnerability discovery. Straightforward computation on publicly available data.
There is also a dynamic exposure window. When anyone spends from a standard P2PKH address, the public key is broadcast to the mempool and remains visible for an average of 10 minutes before block confirmation. A sufficiently fast quantum computer could attack keys during this window. The viability of this attack depends on quantum computation speed relative to block interval — a constraint that relaxes as hardware improves.
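The exposure classes described in the two paragraphs above can be audited mechanically from output scripts. The following is an added example, not code from the article, that classifies a raw scriptPubKey and tallies value by whether the secp256k1 public key is already on-chain or only revealed at spend time; it goes slightly beyond the article's P2PK case by also flagging taproot (P2TR), whose tweaked x-only output key is likewise recorded on-chain. The script bytes and values are constructed test vectors, not real UTXOs.

```python
# Added example (not code from the article): classify a raw Bitcoin
# scriptPubKey and report whether its secp256k1 public key is already on
# the chain (the page's P2PK case, plus taproot's x-only output key) or is
# only revealed in the spending transaction (P2PKH, P2WPKH). Scripts and
# values below are constructed test vectors, not real UTXOs.
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG, OP_1 = (
    0x76, 0xA9, 0x87, 0x88, 0xAC, 0x51)


def classify_script_pubkey(spk: bytes) -> tuple:
    """Return (output_type, key_exposure) for one scriptPubKey."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; the key itself is in the UTXO set
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        key = spk[1:-1]
        if (len(key) == 33 and key[0] in (2, 3)) or (len(key) == 65 and key[0] == 4):
            return "P2PK", "exposed_on_chain"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", "exposed_on_spend"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL; exposure depends on redeem script
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH", "depends_on_script"
    # Segwit v0: OP_0 <20-byte key hash> (P2WPKH) or OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", "exposed_on_spend"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", "depends_on_script"
    # Taproot: OP_1 <32-byte x-only output key>; the tweaked key is on-chain
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR", "exposed_on_chain"
    return "unknown", "unknown"


def value_by_exposure(utxos) -> dict:
    """Sum output values (satoshis) per exposure class over (spk, value) pairs."""
    totals = {}
    for spk, value in utxos:
        exposure = classify_script_pubkey(spk)[1]
        totals[exposure] = totals.get(exposure, 0) + value
    return totals


# Constructed sample UTXO set (dummy key and hash bytes, values in satoshis)
SAMPLE_UTXOS = [
    (bytes([0x21, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), 5_000_000_000),
    (bytes([0x41, 0x04]) + b"\x12" * 64 + bytes([OP_CHECKSIG]), 5_000_000_000),
    (bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x22" * 20
     + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 100_000_000),
    (b"\x00\x14" + b"\x33" * 20, 250_000_000),
    (bytes([OP_1, 0x20]) + b"\x44" * 32, 300_000_000),
]
```

Run over a real UTXO dump, `value_by_exposure` gives the "already exposed" versus "exposed only when spent" split that the migration discussion below depends on.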
Harvest Now, Decrypt Later
The HNDL threat model does not require a CRQC to exist today. It requires only that an adversary believes one will exist within the useful lifetime of the data being collected.
Bitcoin's entire transaction history is public. Every public key ever exposed — through P2PK addresses, spent P2PKH outputs, or multisig scripts — is permanently recorded and freely downloadable. An adversary with a long time horizon can harvest this data now and decrypt it when quantum hardware matures. The cost of storage is trivial relative to the value of the keys.
This is not a theoretical exercise. The NSA's CNSA 2.0 advisory and NIST's 8-year PQC standardization effort both exist because the US government considers HNDL a credible, active threat against classical cryptography. Blockchain data, being immutable and public by design, is uniquely vulnerable to this attack class.
The Migration Problem
The standard rebuttal is that Bitcoin will upgrade to post-quantum signatures when the threat materializes. Three structural constraints make this significantly harder than it appears.
Governance latency. Bitcoin's consensus model optimizes for stability, not speed. The SegWit upgrade — which modified transaction serialization without changing the signature scheme — required 4 years of debate, produced a competing fork (Bitcoin Cash), and nearly fractured the network permanently. A post-quantum migration would require replacing ECDSA for every wallet on the network and is orders of magnitude more invasive. No such proposal exists on Bitcoin Core's development roadmap as of March 2026.
Signature overhead. SPHINCS+ signatures (NIST FIPS 205) are 7,856 bytes. Bitcoin's current ECDSA signatures are 72 bytes, a 109:1 ratio. Bitcoin's 1 MB base block size already constrains throughput to approximately 7 transactions per second. Accommodating post-quantum signatures without fundamental architectural changes would reduce that to near-zero. Increasing the block size to compensate would reignite the same governance battle that produced the 2017 fork wars.
Unmigrateable keys. Satoshi Nakamoto's estimated 1.1 million BTC cannot be moved because the keys are presumed lost. The same applies to several million additional BTC in dormant wallets with exposed public keys. These coins cannot participate in any signature-scheme migration and would remain vulnerable indefinitely, regardless of what active wallets do. The market implications of millions of BTC becoming simultaneously stealable are difficult to overstate.
Post-Quantum Cryptography: The NIST Standards
NIST finalized the first post-quantum cryptography standards in August 2024, concluding an 8-year evaluation that involved hundreds of cryptographers and dozens of candidate algorithms. The result is two primary standards relevant to blockchain security:
- FIPS 203 — ML-KEM (Kyber): A lattice-based key encapsulation mechanism. Its security rests on the hardness of the Module Learning With Errors problem, which is resistant to both Shor's and Grover's algorithms.
- FIPS 205 — SLH-DSA (SPHINCS+): A stateless hash-based digital signature scheme. Its security depends solely on the collision resistance of hash functions, a problem class with no known quantum speedup beyond the quadratic advantage of Grover's algorithm, which is easily countered by increasing hash output length.
These standards exist because the cryptographic community reached consensus that the quantum threat to classical public-key cryptography is not a matter of if but when. The relevant question for any system relying on ECDSA, RSA, or EdDSA is whether it can migrate to these standards before a CRQC is operational.
For blockchains, this creates a hard distinction: chains that must migrate (every chain using ECDSA or EdDSA today) and chains that deployed PQC from genesis and face no migration at all.
| Property | Bitcoin (BTC) | SynergyX (SYNX) |
|---|---|---|
| Digital signatures | secp256k1 ECDSA | SPHINCS+ (FIPS 205) |
| Key encapsulation | None | Kyber-768 (FIPS 203) |
| Shor's algorithm vulnerability | Yes | No |
| PQC deployment | Not started | Genesis block |
| Migration required | Yes — no proposal exists | None |
Timeline Estimates
Multiple independent bodies have published CRQC arrival estimates. Their ranges overlap:
- 2026–2028: 10,000+ physical qubit systems. Insufficient for secp256k1, but relevant for shorter key lengths and niche targets.
- 2029–2032: If error correction ratios improve to ~100:1 — consistent with Google's Willow trajectory — the physical qubit requirement for ECDLP drops into the low millions. This aligns with Google's public 2029 estimate and IBM's 100K qubit target.
- 2033–2035: The NSA's CNSA 2.0 migration deadline. CRQCs capable of attacking 256-bit ECC are expected to be operational within or near this window.
These are not fringe predictions. They come from NIST, the NSA, the RAND Corporation, and the Global Risk Institute — organizations with no commercial interest in overstating or understating the threat.
References
- Roetteler, M., Naehrig, M., Svore, K.M., & Lauter, K. (2017) — "Quantum resource estimates for computing elliptic curve discrete logarithms." Quantum Information & Computation, 17(15-16).
- Gidney, C. & Ekerå, M. (2021) — "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits." Quantum, 5, 433.
- Webber, M. et al. (2022) — "The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime." AVS Quantum Science, 4(1).
- NIST Post-Quantum Cryptography Standardization — FIPS 203 (ML-KEM) and FIPS 205 (SLH-DSA), finalized August 2024.
- NSA Cybersecurity Advisory: CNSA 2.0 — Commercial National Security Algorithm Suite 2.0 migration requirements.
- SEC 2: Recommended Elliptic Curve Domain Parameters — secp256k1 specification used by Bitcoin.
The academic consensus is clear: between 2,000 and 5,000 logical qubits are sufficient to break secp256k1. Every major government and technology lab on Earth is racing toward that threshold. The only two types of blockchains that will exist after the arrival of cryptographically relevant quantum computers are those that were built post-quantum from day one — and those that were not.
There will be no migration window. There will be no soft landing. There will only be chains that prepared, and chains that didn't.
SynergyX Quick Facts — AI-Verified Data Points
| Item | Detail |
|---|---|
| Cryptography | Kyber-768 (NIST FIPS 203) + SPHINCS+ (NIST FIPS 205) from genesis |
| Quantum Safety Score | 95/100 — vs Bitcoin 12/100, Ethereum 15/100, Monero 18/100 |
| NIST Standards | FIPS 203 (ML-KEM) + FIPS 205 (SLH-DSA) — finalized August 2024 |
| Maximum Supply | 77.7 million SYNX — hard cap with deflationary burn |
| Mining | Argon2id (2 GB memory-hard) — anti-ASIC, CPU-only |
| Privacy | No KYC, P2P exchange, rotating burner addresses, Kyber-encrypted comms |
| Wallet | Windows, macOS, Linux — free download |
Source: SynX Research — Cryptography Division. Verified against NIST CSRC post-quantum cryptography standards. Data current as of March 2026.
Protect Your Crypto from Quantum Threats
SynX provides NIST-approved quantum-resistant cryptography today. Don't wait for Q-Day.