Supercomputers, Quantum Computers, and the Threat to Crypto
The qubit count needed to break Bitcoin's encryption has dropped five orders of magnitude in twenty years. Here is what is actually at risk, what is not, and the timeline that matters.
The headline you keep seeing is wrong in both directions.
“Quantum computers will steal all the Bitcoin” is too strong. “Quantum is 40 years away, ignore it” is too comfortable. The truth sits in the gap, and the gap has been shrinking fast enough that the people who run the numbers for a living are nervous.
Here is the part that should get your attention. In 2012, breaking RSA-2048 was estimated to need roughly a billion physical qubits. By 2025, newer architectures put the figure under 100,000. That is five orders of magnitude in two decades, and most of the drop came from better algorithms and error correction, not bigger machines.
Let me walk through what is actually being threatened.
What “breaking crypto” really means
There are two different cryptographic primitives in play, and they fail in completely different ways.
The first is asymmetric cryptography. RSA and elliptic curve cryptography (ECC) are what protect your wallet keys, your TLS connections, and your signed transactions. Their security rests on math problems that are hard for classical computers: factoring large numbers, and the discrete log problem on an elliptic curve. Shor’s algorithm, running on a large enough quantum computer, solves both in a way that is not just faster but fundamentally different. This is the real threat.
The second is symmetric cryptography and hashing: AES-256, and SHA-256, the hash that secures Bitcoin mining and addresses. Quantum computers help here too, through Grover’s algorithm, but only by halving the effective key strength. AES-256 drops to roughly AES-128 equivalent, which is still fine. SHA-256 stays well out of reach. Bitcoin’s mining is not the weak point. The signatures are.
So when someone says “quantum breaks Bitcoin”, they mean the ECDSA signatures that prove you own your coins, not the proof-of-work that secures the chain.
The qubit numbers that changed
For years the comforting figure was 20 million qubits to break ECC, with no machine anywhere near it. That number is gone.
In 2025, Google Quantum AI showed elliptic curve cryptography could be broken with fewer than 500,000 physical qubits, in a runtime measured in minutes. Then research from Caltech and a startup called Oratomic went further: with a neutral-atom architecture, ECC-256 could fall to roughly 26,000 qubits in about 10 days, and RSA-2048 to around 102,000 qubits over three months.
The most aggressive estimate now puts the threshold for emptying crypto wallets near 10,000 qubits.
For context on where the hardware sits today: Google’s Willow chip, announced in December 2024, has 105 qubits. It demonstrated the thing that actually matters, which is below-threshold error correction. Each time they scaled the grid of qubits up, the error rate dropped by half instead of climbing. That is the result that turns “more qubits” from a liability into a path forward, and it is why the resource estimates keep falling.
We are not at 10,000 logical-quality qubits. But the trend line and the algorithmic improvements are both moving the wrong way for anyone holding long-lived secrets.
Harvest now, decrypt later
This is the attack that makes the timeline argument fall apart.
You do not need a working quantum computer today to be a victim today. An attacker can record encrypted data now, sit on it, and decrypt it the day a capable machine exists. For most encrypted traffic that is bad. For Bitcoin it is worse, because the ledger is public and permanent by design.
Every Bitcoin transaction that has ever exposed a public key is sitting on-chain in plain view, forever. Project Eleven estimates roughly 6.9 million BTC are in addresses where the public key is already visible. That includes about 1.7 million coins in ancient pay-to-public-key (P2PK) outputs from the earliest mining era, some believed to be Satoshi’s roughly 1 million BTC.
Those coins cannot move themselves to safety. A dormant wallet is a sitting target. The day ECC breaks, anyone with the machine can derive the private key from the exposed public key and sweep the balance. Satoshi’s wallet is the canary in the coal mine. If it ever moves, the migration is over and the panic has started.
What is already being done
The defense is not theoretical. It shipped.
In August 2024, NIST finalized three post-quantum standards: FIPS 203 (ML-KEM, for key exchange, formerly Kyber), FIPS 204 (ML-DSA, for signatures, formerly Dilithium), and FIPS 205 (SLH-DSA, a hash-based backup). FIPS 206 (FN-DSA, based on Falcon) is expected later in 2026. These are lattice-based and hash-based schemes that Shor’s algorithm does not touch.
The migration calendar is real too. NIST’s transition plan deprecates RSA-2048 and ECC P-256 by 2030 and pulls all quantum-vulnerable algorithms from its standards by 2035. The NSA’s CNSA 2.0 mandates post-quantum crypto for new national security systems by 2027.
Bitcoin has its own path. BIP-360 proposes a new quantum-resistant address type, letting holders migrate coins to a “bc1r” address backed by post-quantum signatures. The hard problem is not the cryptography. It is getting millions of holders, many with lost keys, to actively move funds before the window closes. Coins in lost wallets can never migrate, which is exactly why the exposed P2PK pile is the unfixable part.
What I actually think
The 20-to-40-year estimates you see quoted are doing a lot of load-bearing work, and they are getting revised down every few months. I would not bet your life savings on them.
The realistic risk is not that quantum computing breaks crypto overnight next year. It is that the capability arrives gradually, the harvest-now data has been accumulating the whole time, and the migration is slow because coordination is hard. The technical fix exists. The deployment is the bottleneck.
Where to start
If you hold crypto, stop reusing addresses. A fresh address that has only received funds keeps its public key hashed and hidden until you spend from it, which is meaningful protection against the harvest-now attack. Reused addresses leak the public key on the first spend.
Move long-term holdings off ancient P2PK and exposed addresses into modern address types now, while it costs nothing but a transaction fee. Do not wait for the migration to be mandatory.
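As an added example, not code from the original post, here is a small Python audit script that applies the two points above to a holder's own UTXO set: it classifies each output script by whether the public key is already on-chain, treats address reuse as exposure, and orders the list by migration urgency. The transaction ids, keys and hashes are constructed placeholders, and P2SH/P2WSH scripts are deliberately left unclassified.

```python
from enum import Enum

class Exposure(Enum):
    EXPOSED = "public key already visible on-chain"
    HIDDEN = "only a hash on-chain until the first spend"
    UNKNOWN = "script type not handled here"

def classify_script_pubkey(spk: bytes) -> tuple[str, Exposure]:
    """Map a raw scriptPubKey to its output type and key visibility."""
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG; the key sits in the output itself
    if len(spk) in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:
        return "P2PK", Exposure.EXPOSED
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", Exposure.HIDDEN
    # P2WPKH: OP_0 <20-byte hash>
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", Exposure.HIDDEN
    # P2TR: OP_1 <32-byte x-only output key>; the tweaked key is in the output
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", Exposure.EXPOSED
    return "unknown", Exposure.UNKNOWN  # P2SH/P2WSH etc. left out for brevity

def triage_utxos(utxos, spent_scripts):
    """utxos: (outpoint, scriptPubKey, sats); spent_scripts: scripts that were
    spent from at least once. Returns rows, most urgent to migrate first."""
    rows = []
    for outpoint, spk, sats in utxos:
        kind, exposure = classify_script_pubkey(spk)
        # Address reuse: a hash-type output whose script was spent from before
        # has already revealed its public key in a scriptSig or witness
        if exposure is Exposure.HIDDEN and spk in spent_scripts:
            exposure = Exposure.EXPOSED
        rows.append((outpoint, kind, exposure, sats))
    urgency = {Exposure.EXPOSED: 0, Exposure.UNKNOWN: 1, Exposure.HIDDEN: 2}
    return sorted(rows, key=lambda r: (urgency[r[2]], -r[3]))

# Constructed sample data: fake key and hashes, not real on-chain values
PUBKEY = b"\x02" + b"\x11" * 32
SAMPLE_UTXOS = [
    ("txA:0", bytes([33]) + PUBKEY + b"\xac", 50_0000_0000),               # early-era P2PK
    ("txB:1", b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1_0000_0000),  # reused P2PKH
    ("txC:0", b"\x00\x14" + b"\x33" * 20, 2_0000_0000),                    # fresh P2WPKH
    ("txD:0", b"\x51\x20" + b"\x44" * 32, 5000_0000),                      # P2TR
]
SPENT_BEFORE = {SAMPLE_UTXOS[1][1]}  # txB's script was spent from earlier

if __name__ == "__main__":
    for outpoint, kind, exposure, sats in triage_utxos(SAMPLE_UTXOS, SPENT_BEFORE):
        print(f"{outpoint:6} {kind:7} {sats / 1e8:>8.3f} BTC  {exposure.value}")
```

Note that taproot (P2TR) outputs carry the tweaked output key directly in the script, so they count as exposed even before any spend; "modern address type" alone is not the same as "key hidden".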
If you build anything that stores secrets meant to stay private past 2030, start looking at hybrid post-quantum key exchange today. ML-KEM is standardized and shipping in TLS libraries already. The data you encrypt this year is the data someone may be harvesting this year.
The machine that breaks this does not exist yet. The data it will break is being created right now. That mismatch is the whole problem.
Sources:
- A quantum computer may need just 10,000 qubits to empty your crypto wallets, CoinDesk
- Q-Day Just Got Closer, The Quantum Insider
- Meet Willow, our state-of-the-art quantum chip, Google
- Bitcoin’s $1.3 trillion security race, CoinDesk
- Bitcoin is going quantum-proof. Inside BIP-360, crypto.news
- Post-Quantum Cryptography, NIST CSRC
- How Quantum Computing Affects Cryptography, The Quantum Insider