How Many Qubits Does It Take to Break Bitcoin? The Number Has Fallen 200x

The physical qubit requirement to break Bitcoin's elliptic curve cryptography has dropped from roughly 20 million to under 100,000 in seven years. Here is what that compression means for the quantum threat timeline and for every holder of exposed-key addresses.

Dr. Sarah Chen
May 29, 2026
Technical chart showing the number of logical qubits required to run Shor's algorithm against Bitcoin's ECDSA-256 signature scheme

The Question That Defines the Quantum Timeline

Every serious discussion about quantum risk to Bitcoin eventually arrives at the same number: how many qubits does an adversary actually need? The answer to that question determines whether the threat is theoretical, near-term, or already inside the planning horizon of nation-state intelligence agencies. And that answer has changed more dramatically in the last three years than in the preceding decade.

In 2017, the best estimates put the physical qubit requirement to break Bitcoin's elliptic curve cryptography in the range of tens of millions. Today, peer-reviewed research puts that number below 100,000. The compression factor is roughly 200x. Understanding why it fell so fast, and what it means for the 6.9 million BTC sitting in exposed-key addresses, is the most important technical question in cryptocurrency security right now.

Where the Early Numbers Came From

Bitcoin's signature scheme, ECDSA over the secp256k1 curve, relies on the computational hardness of the elliptic curve discrete logarithm problem. A sufficiently large quantum computer running Shor's algorithm can solve that problem in polynomial time, which is why the quantum computing threat to blockchain security is not a fringe concern but a mathematical certainty given sufficient hardware.

The earliest rigorous estimates, from researchers like Proos and Zalka in 2003 and updated work through 2017, placed the logical qubit requirement at roughly 4,000 to break a 256-bit elliptic curve key. Logical qubits are the idealized, error-corrected units of computation that quantum algorithms are written for. Physical qubits are the noisy, error-prone hardware qubits that actually exist inside today's machines. Because physical qubits fail constantly, you need many of them to synthesize a single reliable logical qubit.

In 2022, a landmark paper by Mark Webber and colleagues at the University of Sussex provided a detailed resource estimate using surface code error correction, then the dominant approach. Their conclusion: breaking Bitcoin's encryption within one hour would require approximately 317 logical qubits. That sounds modest. But translating those 317 logical qubits through surface code overhead into physical qubits produced a figure of roughly 13 million physical qubits. That number kept the threat safely in the distant future, because no one was close to building a machine with millions of physical qubits.

QLDPC Codes: The Technical Shift That Changed Everything

The 200x compression came from a single theoretical advance: quantum low-density parity-check codes, known as QLDPC codes. To understand why they matter, you need the logical-versus-physical distinction firmly in mind.

Surface codes, the previous dominant approach to quantum error correction, protect logical qubits by spreading information across a two-dimensional grid of physical qubits. The error protection gets better as you make the grid larger, but the overhead scales poorly. To get one high-quality logical qubit, you might need hundreds or thousands of physical qubits arranged in that grid, and the ratio only gets worse as you push for lower error rates.

QLDPC codes encode logical qubits much more efficiently. They use sparse parity-check matrices to distribute redundancy across the physical qubit array in a way that requires far fewer physical qubits per logical qubit while maintaining the same or better error suppression. The practical effect is dramatic: recent analyses using QLDPC codes bring the physical qubit requirement to break Bitcoin's secp256k1 keys below 100,000, compared to the 13 million figure from surface-code estimates. Some recent papers suggest the lower bound may fall further still as QLDPC code constructions continue to improve.

This is not speculative. QLDPC codes are an active and rapidly maturing area of research, with IBM, Google, and several academic groups publishing concrete implementation results. The theoretical basis is solid, and the engineering is following.

Google Willow and the Threshold Milestone

In December 2024, Google announced results from its Willow quantum processor that crossed a critical benchmark: below-threshold error correction. This means the machine demonstrated that adding more physical qubits actually reduced the logical error rate, rather than simply adding more noise. Crossing that threshold is the prerequisite for scaling toward cryptographically relevant machines. It does not mean Willow can break Bitcoin today. Its 105-qubit chip is orders of magnitude away from the qubit counts required. But it confirms that the scaling trajectory assumed by researchers is physically real, not merely theoretical.

The combination of QLDPC code advances and demonstrated below-threshold error correction in hardware means the qubit requirement timeline compression is now a credible engineering roadmap rather than a distant abstraction. The question has shifted from "is this possible" to "how long does it take to build."

Two Attack Windows, Two Risk Profiles

Not all Bitcoin is equally at risk, and the timing of the threat differs depending on what an attacker is targeting. There are two distinct attack windows.

The first is a real-time mempool attack. When you broadcast a Bitcoin transaction, there is a window of seconds to minutes before it is confirmed in a block. During that window, your public key is visible in the unconfirmed transaction pool. A fast enough quantum computer could theoretically extract your private key from your public key in that window and broadcast a competing transaction to a different address before your original transaction confirms. This attack requires completing the elliptic curve computation in under ten minutes, which demands an extremely fast quantum computer. Current timelines place this capability further out than the second attack window.

The second, and more immediately relevant, attack targets wallets where the public key is already known and stored permanently on-chain. In Bitcoin's history, a significant fraction of coins were sent to pay-to-public-key (P2PK) addresses, which encode the full public key directly in the transaction output. Every Satoshi Nakamoto block reward falls into this category. Additionally, anyone who has ever sent Bitcoin from an address has exposed their public key in the spending transaction, meaning that address is permanently vulnerable regardless of what address format was used.

An attacker targeting these stored, exposed keys has unlimited time. They can run the quantum computation over days or weeks, and the victim has no warning. This is the attack window that is closing fastest as qubit counts rise.

6.9 Million BTC in the Crosshairs

The scale of the exposed-key problem is large. According to the Coinbase advisory board report published in 2026, approximately 6.9 million BTC sits in addresses with publicly known keys. At current prices, that represents hundreds of billions of dollars in assets that would be directly accessible to a sufficiently capable quantum computer without requiring any cooperation from the holder.

This figure includes dormant early-miner rewards in P2PK format, coins in reused addresses, and wallets where the owner sent funds at some point but left a balance behind. The harvest-now, decrypt-later attack model makes even currently safe-looking coins a target: adversaries may already be cataloguing exposed public keys against the day when quantum hardware matures enough to exploit them.

What This Means for BTC Holders Today

The practical implications depend on your address history. If you hold Bitcoin in a native SegWit (bech32) address that you have never used to send funds, your public key has not been revealed and you are not currently vulnerable to the long-range attack. If you have ever sent from that address, your public key is on-chain permanently.

P2PK addresses (common in 2009 to 2012) have always exposed public keys by design. P2PKH addresses that have been used to send are in the same position. Taproot addresses follow the same pattern: the key is protected until you spend, at which point the public key appears in the witness data.

The actionable conclusion for most holders is not to move funds immediately, but to understand the exposure profile of each address in your wallet and make migration decisions based on realistic timelines rather than panic or dismissal. Consult the Vulnerable Wallets guide to assess your specific situation, and use the Quantum Threat Calculator to model how rapidly declining qubit costs affect your personal timeline.
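The exposure rules above can be turned into a small audit over a wallet's own output scripts. The following is an added example, not code from the article or from any tool it mentions: the function names and the sample wallet are hypothetical, the scripts are constructed with zero-filled dummy keys and hashes, and the `spent_from` flag is assumed to come from the holder's own transaction history. It covers only P2PK, P2PKH and native SegWit v0 key-hash outputs; any other script type is reported as undetermined.

```python
from typing import List, Optional, Tuple

def classify_script(spk: bytes) -> str:
    """Match an output script against the templates this example covers."""
    # P2PK: <push 33|65> <public key> OP_CHECKSIG
    if spk[-1:] == b"\xac" and (
        (len(spk) == 35 and spk[0] == 0x21 and spk[1] in (0x02, 0x03))
        or (len(spk) == 67 and spk[0] == 0x41 and spk[1] == 0x04)
    ):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <key hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH (native SegWit v0): OP_0 <push 20> <key hash>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def key_exposed(spk: bytes, spent_from: bool) -> Tuple[str, Optional[bool]]:
    """Return (script type, exposed?). None means this example cannot tell."""
    kind = classify_script(spk)
    if kind == "p2pk":
        return kind, True            # full public key sits in the output itself
    if kind in ("p2pkh", "p2wpkh"):
        return kind, spent_from      # only a hash is on-chain until a spend
    return kind, None

def audit(wallet: List[Tuple[str, bytes, bool]]) -> List[str]:
    """Labels of entries whose public key is already public."""
    return [label for label, spk, spent in wallet if key_exposed(spk, spent)[1]]

# Constructed sample scripts: zero-filled dummy keys and hashes, not real outputs.
SAMPLE_WALLET = [
    ("early-mining-p2pk", b"\x41\x04" + bytes(64) + b"\xac", False),
    ("legacy-reused", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", True),
    ("legacy-unspent", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac", False),
    ("segwit-cold", b"\x00\x14" + bytes(20), False),
    ("segwit-spent", b"\x00\x14" + bytes(20), True),
]

if __name__ == "__main__":
    for label, spk, spent in SAMPLE_WALLET:
        print(label, key_exposed(spk, spent))
    print("exposed keys:", audit(SAMPLE_WALLET))
```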

Architecture Matters More Than Algorithm Choice

One lesson from the QLDPC compression story is that cryptographic assumptions can be overturned by engineering advances that arrive faster than expected. Choosing a post-quantum signature algorithm today is necessary but not sufficient. The deeper design question is whether the architecture of a system ever exposes key material to begin with.

On existing blockchains, every spending transaction reveals the public key by definition. That is not a choice that a post-quantum signature upgrade can fully remedy, because the historical public key exposure is already on-chain and permanent. A system that never places public keys on-chain eliminates the attack surface entirely rather than hardening it. That is the architectural principle behind the TADEQS architecture, which treats key exposure as a structural problem rather than a cryptographic parameter to be tuned.

The qubit number falling from 20 million to under 100,000 in seven years is a compression rate that should reset assumptions about how much time remains. Planning for quantum resistance on a decade-long horizon is reasonable. Assuming the compression curve has stopped moving is not.

Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
