The quantum computing threat to cryptocurrency cryptography has moved from theoretical footnote to active governance debate in 2026. Three developments have converged to make the conversation urgent: Google's Willow processor demonstrated 105-qubit operation with meaningfully improved error rates in late 2024; NIST formally published its first post-quantum cryptography standards in August 2024; and several Bitcoin Improvement Proposals addressing quantum resistance entered the community review process in early 2026. The question is no longer whether to migrate but when and how — and the answers have profound implications for every Bitcoin and Ethereum holder, including those protecting assets with the hardware wallets rated at Ledger and Trezor.
The Cryptographic Threat: What Quantum Computers Actually Break
Bitcoin's security rests on two cryptographic foundations. The first is SHA-256, the hash function used in proof-of-work mining. Grover's algorithm allows a quantum computer to search an unsorted database of N items in √N operations instead of N — a quadratic speedup. Against SHA-256's 2^256 search space, this produces effective security of 2^128, still considered computationally infeasible. Mining is not the concern.
The second foundation is ECDSA (Elliptic Curve Digital Signature Algorithm), used to authorise Bitcoin transactions. Shor's algorithm, a different quantum algorithm, can solve the discrete logarithm problem — the mathematical basis of ECDSA — in polynomial time on a sufficiently large fault-tolerant quantum computer. A quantum computer with approximately 4,000 logical qubits running Shor's algorithm could, in theory, derive any Bitcoin private key from its exposed public key within hours.
The critical word is "logical." Today's physical qubits have error rates that require roughly 1,000 noisy physical qubits per logical qubit for fault-tolerant operation under current error correction schemes. Attacking Bitcoin's 256-bit elliptic curve therefore requires on the order of 4 million physical qubits operating at physical error rates below 0.1% — a machine orders of magnitude beyond what exists today.
The Timeline Debate
Experts disagree sharply on how quickly the gap will close. Optimistic quantum computing researchers cite the pace of progress — Google, IBM, and IonQ have each demonstrated significant qubit count growth and error rate improvements in 2023-2025 — and argue that 10-15 year timelines for cryptographically relevant systems are plausible. NIST used a similar horizon to justify urgent standardisation of post-quantum algorithms.
Sceptics point to the engineering challenges that compound as qubit counts grow: qubit coherence times, cross-talk between adjacent qubits, and the overhead of quantum error correction all present formidable barriers. Some researchers argue that fault-tolerant quantum computing at the scale needed for cryptographic attacks may remain 30-50 years away, or may never be achieved commercially.
The prudent position acknowledges the uncertainty itself: if the probability is 10% over 15 years, the expected value of migration preparation is enormous given the total value secured by Bitcoin and Ethereum. Waiting for certainty is not a viable strategy — blockchain migrations require years of development, testing, and social consensus.
Bitcoin's Migration Proposals
The Bitcoin development community has produced several proposals addressing quantum resistance, none yet near activation. The most discussed approach involves adding a new post-quantum signature type as a SegWit version — analogous to how Taproot (SegWit v1) added a new spending condition without breaking existing transaction types. Post-quantum signatures using CRYSTALS-Dilithium or FALCON would be available to users who voluntarily migrate to new address types.
The governance challenge is profound. Bitcoin's soft-fork upgrade process requires near-unanimous miner and node operator consensus — a threshold that has taken years to reach for less controversial changes. A post-quantum migration proposal also raises politically charged questions: should Satoshi's early-mined P2PK outputs (estimated at over 1 million BTC) be protected, frozen, or eventually burned? Different factions hold strong views.
A phased approach advocated by several Bitcoin researchers would: first add post-quantum signature support as an optional new address type; then set a future date after which quantum-vulnerable address types cannot receive new coins; then, years later, consider whether unreachable quantum-vulnerable outputs should be moved to provably unspendable addresses. Each phase requires its own consensus process.
Ethereum's Path: Faster Governance, Harder Migration
Ethereum's more active governance process — regular hard forks coordinated through the EIP system — gives it a faster theoretical migration path. Ethereum Foundation researchers have published EIP drafts exploring account abstraction-based quantum resistance, where externally owned accounts are migrated to smart contract accounts that can implement post-quantum signature verification logic in EVM bytecode.
The challenge is scale: Ethereum has over 200 million unique address holders, most using standard ECDSA EOAs. Migrating all of them requires either a forced migration (politically difficult, requires active participation from hundreds of millions of users) or an opt-in process that leaves quantum-vulnerable accounts exposed indefinitely.
Signature size is a material constraint for both networks. Dilithium signatures are approximately 2,420 bytes compared to ECDSA's ~72 bytes — a 33x increase. Processing this data at scale would significantly increase node storage and bandwidth requirements, threatening decentralisation unless accompanied by other protocol changes.
What Should Holders Do Now?
The honest answer is: not much differently from today, but with informed awareness. The quantum threat to Bitcoin and Ethereum is real but not imminent. Current hardware wallets like those reviewed at Ledger and Trezor use ECDSA — the vulnerable algorithm — but there is no practical quantum computer capable of exploiting this today. Future firmware updates will implement post-quantum signing as standards mature and hardware manufacturers integrate NIST-standardised algorithms.
Two practices reduce long-term quantum exposure. First, avoid reusing addresses: UTXO-based systems like Bitcoin reduce public key exposure when coins are moved to fresh addresses after each spend. Second, prefer address types that do not permanently expose public keys: P2PKH is better than P2PK in this regard. P2TR (Taproot) permanently exposes the full key and will require migration when quantum risk becomes real, though it is also the cleanest upgrade path for new signature types.
For a broader view of current crypto security threats — most of which have nothing to do with quantum computing — the wallets rating and the top crypto scams 2026 guide address the attack vectors that pose practical risk today.




