
Quantum Computing Explained: What It Is, How It Works, and Why Blockchain Cares

Qubits, superposition, entanglement, quantum gates: this accessible but technically accurate explainer covers how quantum computers actually work, where current hardware stands, and precisely why quantum computing threatens blockchain cryptography in ways that demand action now.

Dr. Sarah Chen
June 1, 2026
8 min read

The One-Sentence Version Is Wrong

Ask most people what a quantum computer does and you will hear some version of: "it tries all possible answers at the same time." That description is intuitive, memorable, and fundamentally misleading. Understanding why it is wrong matters, because the accurate version explains both what quantum computers can and cannot do, including which parts of blockchain cryptography are genuinely at risk.

This article works through quantum computing from first principles: what qubits are, how superposition and entanglement work, what quantum gates and circuits actually do, why error correction is the hardest unsolved problem in the field, where current hardware stands, and what all of it means for the security of digital assets.

Classical Bits Versus Qubits

A classical computer stores information as bits. Each bit is held by a transistor that is either on or off, representing 1 or 0. A register of 64 bits holds exactly one 64-bit value at a time. Every operation the processor performs takes one state of that register and produces another.

A qubit is physically different. It is typically implemented as a superconducting circuit, a trapped ion, or a photon, and its quantum state is described by a wave function that assigns a probability amplitude to each possible measurement outcome. Before you measure a qubit, it exists in a superposition of 0 and 1. This is not "both at once" in the sense of a coin showing heads and tails simultaneously; it means the wave function carries amplitudes for both outcomes, and those amplitudes can interfere with each other, like waves in water.

A register of 64 qubits holds a superposition over all 2^64 possible 64-bit strings simultaneously, each with its own amplitude. That is the kernel of truth in the "tries everything at once" framing. But here is the catch: when you measure that register, you get exactly one string, selected at random with probability given by the squared magnitude of its amplitude. Every other possibility is gone once the measurement is made. Reading out "all answers at once" is forbidden by the laws of quantum mechanics.

Entanglement: Correlated Probabilities, Not Telepathy

Entanglement is the second core concept. Two qubits are entangled when their quantum states are correlated in a way that cannot be described independently. Measuring one instantly determines a property of the other, regardless of physical separation. This is not faster-than-light communication: no classical information travels between the qubits, and you cannot use entanglement to send a message. What it does provide is a resource for quantum algorithms that manipulate correlations between many qubits simultaneously, enabling computations that have no efficient classical analogue.

Quantum Gates and Circuits

A quantum algorithm is a sequence of quantum gates applied to a register of qubits. Gates are unitary operations: they rotate and reflect the wave function in a high-dimensional complex vector space. Common gates include the Hadamard gate, which puts a qubit into equal superposition; the CNOT gate, which flips a target qubit conditioned on a control qubit; and phase gates, which shift the phase of the complex amplitude of the 1 state.

The real power comes from interference. A well-designed algorithm uses quantum gates to amplify the amplitudes of correct answers and suppress the amplitudes of incorrect answers, so that when you finally measure the register, you get a useful result with high probability. Designing that interference pattern is what makes quantum algorithm research hard: it is not obvious how to arrange gates so that the "right" answer constructively interferes and the "wrong" answers destructively interfere.

This is why quantum parallelism does not mean "tries all answers simultaneously." It means you manipulate a superposition of all possible inputs to steer probability toward a useful output. The manipulation is the hard part, and it only works for problems with specific mathematical structure.
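The points above (amplitudes, the Born rule, entanglement via CNOT, and interference that steers the outcome) can be checked on a tiny simulator. The block below is an added example and is not code from the article; it is a pure-Python state-vector simulator that indexes basis strings with qubit 0 as the low bit, and the gate and function names are this example's own.

```python
# Added example (not code from the article): a tiny state-vector simulator.
# One complex amplitude per basis string; gates are unitary matrices.
import cmath
import math

def zero_state(n):
    """|0...0>: amplitude 1 on index 0, zero on the other 2**n - 1 strings."""
    state = [0j] * (1 << n)
    state[0] = 1 + 0j
    return state

# H makes an equal superposition; phase(theta) multiplies the amplitude of
# the 1 state by e^(i*theta) and leaves the 0 amplitude alone.
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]
def phase(theta):
    return [[1, 0], [0, cmath.exp(1j * theta)]]

def apply_1q(state, gate, target):
    """Apply a 2x2 unitary to qubit `target` (bit `target` of the index)."""
    out, mask = list(state), 1 << target
    for i in range(len(state)):
        if i & mask:            # each (bit clear, bit set) pair handled once
            continue
        a0, a1 = state[i], state[i | mask]
        out[i] = gate[0][0] * a0 + gate[0][1] * a1
        out[i | mask] = gate[1][0] * a0 + gate[1][1] * a1
    return out

def apply_cnot(state, control, target):
    """Flip `target` in every basis string whose `control` bit is 1."""
    out = list(state)
    for i in range(len(state)):
        if i & (1 << control):
            out[i] = state[i ^ (1 << target)]
    return out

def probabilities(state):
    """Born rule: an outcome's probability is its squared amplitude magnitude."""
    return [abs(a) ** 2 for a in state]
def bell_pair():
    """H on qubit 0, then CNOT(0 -> 1): only 00 and 11 keep amplitude (entangled)."""
    s = apply_cnot(apply_1q(zero_state(2), H, 0), 0, 1)
    return probabilities(s)     # order: 00, 01, 10, 11 (qubit 0 is the low bit)

def prob_of_one_after(theta):
    """H, phase(theta), H on one qubit. The two paths into the 1 state interfere:
    theta = 0 cancels them (never read 1), theta = pi adds them (always read 1)."""
    s = apply_1q(apply_1q(apply_1q(zero_state(1), H, 0), phase(theta), 0), H, 0)
    return probabilities(s)[1]
```

Calling `prob_of_one_after` with theta between 0 and pi shows the probability of reading 1 moving smoothly from 0 to 1; the gates never "try" anything, they only reshape which amplitudes add and which cancel.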

Where Quantum Algorithms Beat Classical Ones

Quantum speedups are not universal. For most computational problems, including most of what software runs today, quantum computers offer no meaningful advantage. The two quantum algorithms that matter for cryptography are:

  • Shor's algorithm, which factors large integers and computes discrete logarithms in polynomial time. A classical computer cannot do either efficiently. Shor's algorithm directly breaks RSA, Diffie-Hellman, and elliptic-curve cryptography, the three families of public-key cryptography that secure essentially all internet traffic and all blockchain signatures today. For a deep look at the mechanics, see our article on how Shor's algorithm works.
  • Grover's algorithm, which searches an unstructured set of N items in O(sqrt(N)) queries instead of O(N). Against hash functions this effectively halves the security level in bits for brute-force search: SHA-256 drops from 256-bit to 128-bit security. That is painful but not catastrophic, and it is addressed by switching to longer hash outputs.

Everything else you use a computer for, including machine learning, video rendering, database queries, and general software execution, is not meaningfully threatened by quantum computers.

The Error Correction Wall

Current quantum hardware is categorized as noisy intermediate-scale quantum (NISQ) devices. "Noisy" is the operative word. Physical qubits decohere rapidly: thermal vibrations, stray electromagnetic fields, and imperfect gate operations introduce errors at a rate that makes deep quantum circuits unreliable. A physical qubit on today's best hardware might have an error rate of 0.1 to 1 percent per gate operation. Running Shor's algorithm against a 2048-bit RSA key would require millions of error-free gate operations. The errors compound catastrophically long before the circuit finishes.

Quantum error correction (QEC) addresses this by encoding one logical qubit across many physical qubits. The surface code, the leading QEC scheme, requires roughly 1,000 physical qubits per logical qubit to achieve the error rates needed for deep circuit execution. Breaking a 2048-bit RSA key with Shor's algorithm needs approximately 4,000 logical qubits. At current surface-code overhead, that means roughly 4 million physical qubits with today's error rates. For context, see our detailed analysis of how many qubits it takes to break Bitcoin.

Where Hardware Stands Today: Google Willow

In December 2024, Google announced its Willow chip, a 105-physical-qubit superconducting processor. Willow demonstrated a landmark result: as the team scaled up the surface code, the logical error rate fell rather than rose, which is the below-threshold regime in which error correction works as theory predicts. Previous generations had seen error rates increase as more qubits were added, because the correction overhead introduced more errors than it removed. Willow showed that scaling is physically possible.

That is significant progress. It is not, however, a threat to Bitcoin today. Willow's 105 physical qubits, even at below-threshold error rates, do not approach the logical qubit counts required for cryptographically relevant attacks. Achieving 4,000 fully error-corrected logical qubits at surface-code overhead still requires millions of high-fidelity physical qubits. The engineering gap between Willow and that target spans multiple hardware generations and likely a decade or more of scaling, though the trajectory is accelerating faster than most expected.

Why This Specifically Threatens Blockchain Cryptography

Classical public-key cryptography depends on mathematical asymmetry: multiplying two large primes together is easy, but factoring the result is hard. Elliptic-curve cryptography uses a related asymmetry in a different algebraic structure. Both problems are efficiently solvable with a sufficiently large quantum computer running Shor's algorithm.

Blockchain architectures compound the exposure in a specific way. When a user signs a transaction on Bitcoin or Ethereum, the network must see the public key to verify the signature. That public key is derived from the private key via a one-way elliptic-curve operation that classical computers cannot feasibly reverse. A quantum computer running Shor's algorithm can. Every transaction therefore broadcasts a target to any adversary with a sufficiently capable quantum machine.

The threat is not limited to future transactions. Adversaries can collect public keys exposed in historical transactions today, store them, and wait until quantum hardware is capable enough to derive the corresponding private keys. This is the harvest-now-decrypt-later strategy, and it is already operationally rational for well-resourced actors. Funds sitting in addresses whose public keys have been exposed on-chain already carry that future risk, even if the exposure happened years ago.
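The exposure mechanism in the two paragraphs above (a key is hidden behind an address hash until it spends, and any balance left at an address whose key has already been revealed is harvestable) can be made concrete with a small ledger model. This is an added example, not code from the article or from QuanChain; it simplifies addresses to a SHA-256 of the public key (Bitcoin uses HASH160) and uses constructed placeholder keys, transaction ids and amounts.

```python
# Added example (not from the article or QuanChain): a toy model of how
# spending exposes a public key on a hash-address chain, plus a defensive
# check for the harvest-now-decrypt-later exposure described above.
# Constructed simplifications: addresses are SHA-256 of the public key
# (Bitcoin uses HASH160); keys are placeholder byte strings.
import hashlib
from collections import defaultdict

def address_of(pubkey: bytes) -> str:
    """Funds are paid to a hash of the key; the key itself is hidden until it spends."""
    return hashlib.sha256(pubkey).hexdigest()[:16]   # truncated for readability

# Constructed ledger: each input references (txid, index) and must reveal the
# spender's public key so the signature can be verified; each output pays an
# amount to an address. Key A spends and then receives change back to the same
# address (reuse); key B has never spent, so its key is still only a hash.
PUB_A, PUB_B, PUB_C = b"pubkey-A", b"pubkey-B", b"pubkey-C"
LEDGER = [
    {"txid": "t1", "inputs": [],
     "outputs": [(address_of(PUB_A), 50), (address_of(PUB_B), 30)]},
    {"txid": "t2", "inputs": [{"prev": ("t1", 0), "pubkey": PUB_A}],
     "outputs": [(address_of(PUB_C), 20), (address_of(PUB_A), 30)]},
]

def exposed_pubkeys(ledger):
    """Every key that ever appeared in an input is public on-chain forever."""
    return {inp["pubkey"] for tx in ledger for inp in tx["inputs"]}

def unspent_outputs(ledger):
    """(txid, index, address, amount) for outputs no later input has spent."""
    spent = {inp["prev"] for tx in ledger for inp in tx["inputs"]}
    return [(tx["txid"], i, addr, amt)
            for tx in ledger for i, (addr, amt) in enumerate(tx["outputs"])
            if (tx["txid"], i) not in spent]

def harvestable_balance(ledger):
    """Unspent value at addresses whose public key a harvester could already
    have archived: the balance a future Shor-capable machine could take."""
    exposed_addrs = {address_of(pk) for pk in exposed_pubkeys(ledger)}
    at_risk = defaultdict(int)
    for _, _, addr, amt in unspent_outputs(ledger):
        if addr in exposed_addrs:
            at_risk[addr] += amt
    return dict(at_risk)
```

On this ledger only key A's change output (30 of the 80 units unspent) is harvestable: B's 30 units are still behind a hash alone, which is why wallets that never reuse an address shrink the harvest-now-decrypt-later surface even before any migration.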

Not every cryptocurrency is equally exposed. Chains differ in how much public key material they expose on-chain, what signature schemes they use, and whether they have a migration path. Our analysis of which cryptocurrencies are most vulnerable to quantum attacks ranks the major networks by risk surface.

Post-Quantum Cryptography: The Defense

The solution is not to wait for quantum computers to become dangerous before acting. Cryptographic migration is slow, expensive, and risky. NIST finalized its first post-quantum cryptography standards in 2024, selecting CRYSTALS-Dilithium (lattice-based signatures), CRYSTALS-Kyber (key encapsulation), SPHINCS+ (hash-based signatures), and FALCON (compact lattice signatures). These algorithms are based on mathematical problems, primarily lattice problems and hash preimage resistance, that are not known to be vulnerable to either Shor's or Grover's algorithms, even with unlimited quantum hardware.

Retrofitting post-quantum cryptography onto existing blockchains is not straightforward. Classical public keys are permanently recorded on-chain. Migrating wallet security requires users to take action, and the chains with the largest balances in exposed addresses are also the ones with the most conservative governance processes. For a broader overview of the landscape, see what post-quantum cryptography is and how it works.

What a Purpose-Built Quantum-Resistant Chain Does Differently

A blockchain designed from the start for quantum resistance can make architectural choices that retroactive migration cannot. QuanChain's TADEQS system ensures that no public key is ever exposed on-chain, eliminating the primary attack surface that makes harvest-now-decrypt-later possible. The Quantum Oracle monitors real-time logical qubit cost curves and triggers automatic cryptographic migration when thresholds are crossed, without requiring user action or a hard fork.

These are not features that can be bolted onto Bitcoin or Ethereum. They require rethinking key management, transaction structure, and on-chain data exposure at the protocol level. The question of whether existing chains can adapt in time is examined in detail in our piece on the blockchain quantum migration problem in 2026.

The Timeline Is the Variable

Quantum computing is not a theoretical future threat. It is an engineering challenge that is being solved, with well-funded teams at Google, IBM, Microsoft, and a growing field of startups all making measurable progress. The precise date when a cryptographically relevant quantum computer will exist is unknown. What is known is that the architecture of a blockchain deployed today will still be running when that date arrives.

Designing for quantum resistance now, rather than planning to migrate later, is the same logic that drives long-term infrastructure decisions in every other engineering domain. The harvest-now-decrypt-later dynamic means the risk window is already open, regardless of when fault-tolerant quantum hardware arrives.

Quantum computing does not break all cryptography. It breaks specific mathematical problems that happen to be the ones most cryptographic systems, and essentially all blockchain signatures, are built on. That distinction matters for understanding both the risk and the solution.

For an overview of what quantum resistance actually requires at the blockchain level, see what a quantum-resistant blockchain is and the specific properties it needs to have. If you want to model the risk to your own holdings, the QuanChain Quantum Threat Calculator estimates your exposure based on current and projected hardware trajectories.


Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
