When Will Quantum Computers Break Bitcoin?

Expert estimates for cryptographically relevant quantum computers (CRQCs) capable of breaking Bitcoin's ECDSA signatures range from 2030 to 2040, with significant uncertainty. However, the "harvest now, decrypt later" threat means blockchain data captured today becomes vulnerable whenever that capability emerges.

Breaking Bitcoin's 256-bit ECDSA requires a quantum computer with approximately 4,000 logical qubits running Shor's algorithm. Current quantum systems have achieved around 1,000 physical qubits, but logical qubits require error correction using roughly 1,000 physical qubits each. This places the requirement at millions of stable physical qubits—beyond current technology but within projected development trajectories.

Timeline estimates from major sources include: RAND Corporation (2030-2040, conservative), Chinese Academy of Sciences researchers (2027-2030, optimistic), and IBM's quantum roadmap (suggesting 100,000+ qubit systems by 2033). The Global Risk Institute's annual survey shows experts assigning 15-25% probability to CRQC existence by 2030.

Bitcoin's specific vulnerability arises when public keys are exposed. This occurs when addresses are reused after spending, revealing the public key on the blockchain. Approximately 25% of Bitcoin supply sits in addresses with exposed public keys, representing billions in potentially vulnerable assets.

The uncertainty in timing argues for early migration to quantum-resistant alternatives. SynX provides a production implementation using NIST-standardized Kyber-768 and SPHINCS+ algorithms, protecting cryptocurrency holdings regardless of when quantum computers achieve cryptographic relevance.

Migration before quantum computers arrive is essential because blockchain records are permanent. Transactions signed with ECDSA today will remain on-chain indefinitely, creating a historical record that quantum computers could exploit retroactively.