Will Bitcoin Survive Quantum Computing? Inside the Race Toward Q-Day

A quantum computer could one day break Bitcoin's cryptography. Here's the BTC at risk, the plans to defend it, and the coins already built to resist.

For most of Bitcoin's life, the idea that a quantum computer might one day break it was a worry for the distant future.

That changed in 2026. A March 2026 Google Quantum AI paper cut the estimated resources needed to crack Bitcoin's signatures by roughly 20x, and Caltech researchers now argue a useful machine could arrive by the end of the decade.

The cryptography protecting more than a trillion dollars of digital assets is now on a clock, and the work to replace it has started.

How Many Coins Are Quantum-Vulnerable?

A practical attack still looks years away. Google has set itself a 2029 internal deadline to migrate to post-quantum cryptography. Caltech and partner Oratomic argue a fault-tolerant quantum computer could appear as soon as 2030. Blockstream's Adam Back maintains the real threat is 20–40 years out.

The exposure, however, is enormous: research group Project Eleven estimates that roughly a third of all BTC (almost 7 million coins) sits in addresses whose public keys are already visible on-chain. That includes ~1.7 million in ancient P2PK addresses, of which ~1.1 million is attributed to Satoshi Nakamoto.

Urgency spiked when a researcher recently claimed a bounty for breaking a small elliptic-curve key using real quantum hardware. The key was far smaller than Bitcoin's, but it was a working proof of concept.

Developer Paul Sztorc is responding to the question with a controversial fork. His eCash project, planned for August 2026, would airdrop 1:1 to existing BTC holders while reassigning 500,000 of Satoshi's dormant coins on the new chain to early investors and developers.

Critics pushed back, arguing against the redistribution.

Some question whether Bitcoin needs protecting at all, arguing any freeze betrays the principles of self-custody and fixed supply. Jameson Lopp counters that letting an attacker sweep dormant coins amounts to "theft from everyone."

The Plan to Save Bitcoin

The base-layer fix is a pair of proposals.

BIP-360, merged into Bitcoin's repository on February 11, 2026, adds a new output type (pay-to-Merkle-root) that behaves like Taproot but removes the quantum-vulnerable key-spend path, protecting newly stored coins.

Its companion, BIP-361 ("Post Quantum Migration and Legacy Signature Sunset") from Jameson Lopp and five co-authors, is more aggressive. Phase one blocks new transfers to legacy addresses after three years. Phase two invalidates old signatures after five, freezing unmigrated coins. Phase three offers a zero-knowledge-proof recovery path for holders who still have their seed phrase.

How post-quantum signatures get smaller is the subject of an extensive interview with BIP-360 co-author Ethan Heilman and Blockstream researcher Jonas Nick. Briefly, their hash-based schemes (SHRINCS and SHRIMPS) shrink a signature by capping how many times each key is allowed to sign. The fewer signatures it permits, the less data it carries.

The trade-off is that the wallet now has to keep careful count, and a poorly built one could put a user's funds at risk. That risk falls on individual wallets rather than the whole network, where oversized signatures would slow every transaction and raise fees.
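The size-versus-cap trade-off and the wallet's counting duty can be seen in a generic stateful hash-based signer. The following is an added example, not code from the article or from SHRINCS/SHRIMPS: it uses Lamport one-time keys under a Merkle tree as a stand-in, and the names `CappedSigner`, `verify` and `sig_size` are hypothetical.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(msg):  # 256 bits of SHA-256(msg), most significant first
    d = H(msg)
    return [(d[k // 8] >> (7 - k % 8)) & 1 for k in range(256)]

class CappedSigner:  # toy Merkle tree over 2**height Lamport one-time keys
    def __init__(self, height, seed):
        self.height, self.seed, self.next_leaf = height, seed, 0
        self.levels = [[self._leaf(i) for i in range(2 ** height)]]
        while len(self.levels[-1]) > 1:
            p = self.levels[-1]
            self.levels.append([H(p[k], p[k + 1]) for k in range(0, len(p), 2)])
        self.root = self.levels[-1][0]  # the public key

    def _sk(self, i, j, b):  # secret for leaf i, digest bit j, bit value b
        return H(self.seed, i.to_bytes(4, "big"), j.to_bytes(2, "big"), bytes([b]))

    def _leaf(self, i):
        return H(*[H(self._sk(i, j, b)) for j in range(256) for b in (0, 1)])

    def sign(self, msg):
        if self.next_leaf >= 2 ** self.height:
            raise RuntimeError("signature cap reached; key must be rotated")
        i = self.next_leaf
        # A real wallet must persist this counter BEFORE releasing the signature:
        # one leaf signing two messages reveals both secrets where digest bits differ.
        self.next_leaf += 1
        m = bits(msg)
        reveal = [self._sk(i, j, b) for j, b in enumerate(m)]
        other = [H(self._sk(i, j, 1 - b)) for j, b in enumerate(m)]
        path = [self.levels[lvl][(i >> lvl) ^ 1] for lvl in range(self.height)]
        return i, reveal, other, path

def verify(root, msg, sig):
    i, reveal, other, path = sig
    pk = []
    for b, r, o in zip(bits(msg), reveal, other):
        pk += [H(r), o] if b == 0 else [o, H(r)]
    node = H(*pk)
    for lvl, sib in enumerate(path):
        node = H(sib, node) if (i >> lvl) & 1 else H(node, sib)
    return node == root

def sig_size(sig):  # 4-byte leaf index plus 32 bytes per hash value
    return 4 + 32 * (len(sig[1]) + len(sig[2]) + len(sig[3]))
```

Each extra tree level doubles the number of signatures the key permits and adds one 32-byte hash to every signature, so a key capped at 4 signatures produces signatures 64 bytes smaller than one capped at 16.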

Both make the same point. They argue that the community should settle the details and the soft forks early, so the switch isn't a rushed scramble when Q-Day arrives.

A few teams avoid changing Bitcoin itself. Quip Network adds a quantum-safe signature (a scheme called WOTS+) through a separate layer built on top of Bitcoin called Arch. This ensures none of Bitcoin's core rules have to change, and no community vote is needed. It even lets holders claim a quantum-safe key without moving their coins.

StarkWare's Avihu Levy proposes Quantum Safe Bitcoin (QSB), which forces a quantum-resistant, hash-based signature into Bitcoin's existing rules with no soft fork. It's expensive, though. It can require $75–$150 worth of GPU compute per transaction, which is why even its authors call it a last resort.

The drawbacks are real and shared across most approaches. Post-quantum signatures are far larger than today's, demanding more block space, higher fees, and new wallet and hardware-signer support. Bitcoin's non-interventionists, meanwhile, still argue the fix is riskier than the threat it answers.

Are There Any Quantum-Resistant Cryptocurrencies?

A few blockchains already ship quantum-resistant tech.

Quantum Resistant Ledger (QRL) is the prototypical example. Live since 2018, it was built from the ground up on hash-based XMSS signatures instead of elliptic curves.

Since 2022, Algorand (ALGO) has used a quantum-resistant signature scheme to sign its state proofs (which secure its ledger history). In 2025 it executed the first such transaction on a public mainnet.

Zcash (ZEC) currently tops the quantum-resistant category by market capitalization. Shielded funds have some quantum resistance that transparent ones lack. Its Project Tachyon aims to take this a step further.

Other platforms are also developing and testing their own quantum resistance upgrades. Ethereum (ETH) formed a dedicated Post-Quantum Security team in January 2026, betting on hash-based "leanXMSS" signatures plus account abstraction. Solana and the XRP Ledger have published roadmaps of their own.

Will Bitcoin Migrate in Time?

Plenty of fixes already exist: base-layer upgrades, L2 add-ons, quantum-resistant chains and more.

The problem is getting Bitcoin to adopt one. No central authority can mandate the change, millions of addresses each have to move on their own, and many coins belong to owners who are long gone and will never migrate at all. Because migration takes years, it has to begin well before a working quantum computer exists.

The Bitcoin network has reacted fast before, soft-forking a fix within hours when a 2010 bug minted billions of fake coins. But that was an obvious flaw with one right answer. This prospective migration offers no such unambiguous solution.

Whether a leaderless network can act before the danger is visible — more than any hardware breakthrough — will decide the outcome.
