The Conspiratory
Case File No. 7414-C● Open File

Fears that a “Q-Day” quantum computer will imminently break Bitcoin are overstated, though the long-term risk is real

Where the evidence lands: Disputed
That a cryptographically relevant quantum computer, arriving imminently, will run Shor's algorithm against Bitcoin's elliptic-curve keys (and Grover's against SHA-256), letting an attacker forge signatures and sweep coins from exposed addresses, so that a sudden “Q-Day” collapse of Bitcoin's security is a near-term danger rather than a distant one.
First circulated
Resource estimates for breaking elliptic-curve cryptography with Shor's algorithm date to the 2010s; the acute “Q-Day” panic around Bitcoin surged during the crypto volatility of 2025 and 2026, amplified by Google's May 2025 factoring paper and Coinbase's January 2026 advisory report
Era
2020s
Sources
10

Believed by: Widely discussed across crypto media and social platforms, and spiking on price selloffs. The specialist consensus among cryptographers is that the risk is real but years away and manageable by migration; a vocal segment of traders and commentators treats an imminent break as a live danger, especially when quantum-hardware headlines and market volatility arrive together.

The full story

What the threat actually is

Bitcoin leans on two pieces of cryptography. Ownership is proven with a digital signature, ECDSA over the elliptic curve secp256k1: your private key signs a transaction, and anyone can check it against the corresponding public key. The ledger itself, and the mining that extends it, rely on the SHA-256hash function. When people say quantum computing could “break Bitcoin,” they are almost always talking about the first of these, the signatures.

The reason is Shor's algorithm, published in 1994. On a large, fault-tolerant quantum computer it can solve the elliptic-curve discrete-logarithm problem, which is precisely the problem that is supposed to make it impossible to work backward from a public key to a private one. If that becomes practical, an attacker who can see a public key could derive its private key and forge valid signatures, spending coins that are not theirs. A Google whitepaper estimated that on the order of 1,200 error-corrected qubits could do this in minutes.

The hashing layer is a different story. Against SHA-256 the relevant tool is Grover's algorithm, and it offers only a quadratic speedup: it weakens the function, roughly halving its effective security, but does not shatter it the way Shor's attack shatters the signatures. So the honest shape of the threat is narrow and specific. The signatures are the soft target; mining and the hash are comparatively hard. “Q-Day” is the name for the moment the machine to run that first attack finally exists.

What the evidence shows

How far away the hardware really is

Here is where the panic and the physics part company. The attack needs error-corrected, logical qubits: stable units of computation each stitched together from many noisy physical qubits by quantum error correction. Estimates for breaking secp256k1 land on the order of a thousand or more logical qubits, which, with the overhead of error correction, implies hundreds of thousands of physical qubits in a fault-tolerant machine.

Now look at what exists. In 2025 and 2026 the largest processors run on the order of a thousand noisyphysical qubits: IBM's Condor at 1,121, Atom Computing's neutral-atom array near 1,180. Google's celebrated Willow chip has just 105 qubits; its advance was reliability, not size. None of these are the error-corrected, fault-tolerant qubits the attack requires, and the count is short by several orders of magnitude. The distance from today's machines to a Bitcoin-breaking one is not a step; it is a chasm that no announced roadmap crosses soon.

Breaking Bitcoin's keys needs on the order of a thousand error-corrected logical qubits. The best machines today have about a thousand noisy physical ones. That gap is the whole argument.

This is why the recent, widely shared papers do not mean what the headlines imply. Craig Gidney's 2025 result cut the estimated cost of factoring RSA-2048 roughly twentyfold, to under a million noisy qubits, and 2026 work trimmed the elliptic-curve figures too. Those are real, clever reductions of a theoretical requirement. They are also still far beyond any hardware in existence, and they are resource estimates, not demonstrations. A target that keeps shrinking but stays out of reach is exactly what steady, undramatic progress looks like.

The case for it

Why the panic keeps spiking

If the hardware is so far off, why does the fear keep flaring? Partly because the people raising it are credible. In January 2026 Coinbase convened a Quantum Advisory Councilof serious cryptographers and published a roughly fifty-page report. Google researchers keep publishing qubit-slashing papers. When names like that are attached to the word “quantum,” the reasonable thought that specialists are worried slides almost frictionlessly into the different thought that the danger is now.

The timing amplifies it. The acute Q-Day chatter surged during the crypto volatility of 2025 and 2026, when a quantum story offered a clean narrative for a falling price, and a falling price lent the quantum story a borrowed urgency. Each fed the other. A December-2024 Willow announcement, a May-2025 factoring paper, a March-2026 round of “Q-Day just got closer” coverage: each arrived as a headline calibrated for alarm, and each landed on an audience primed to read distant progress as imminent threat.

It matters, too, that this is not a hoax. The vulnerability is real and the math is sound, which makes the threat feel non-negotiable in a way an invented scare never could. “Eventually true” is unusually hard to hold in the mind alongside “not yet,” and the gap between those two is precisely where the panic lives. Reporting the fear fairly means granting that its foundation is genuine before explaining why its clock is wrong.

Why people believe

The part that is genuinely real

Strip out the imminence and a real problem remains. Because public keys, once used, are visible and permanent on the blockchain, a large share of coins are already exposed. Estimates put roughly 6 to 7 million BTC, about a third of the eventual supply, in reused or early pay-to-public-key addresses whose keys are already published, including much of the Satoshi-era holdings. Those keys are the standing attack surface, and this is where “harvest now, decrypt later” bites: an adversary does not need the machine today to benefit from it later, because the target data is already captured.

That is a strong argument for acting early, and the tools exist. NIST finalized its post-quantum standards in August 2024, including the FIPS 204 and FIPS 205signature schemes, and Bitcoin can adopt quantum-resistant signatures through a soft fork. As Blockstream's Adam Back has argued, the sensible move is to build optional post-quantum upgrades now, before they are needed, and to encourage holders to move funds to fresh addresses that do not expose a key until they spend.

The stubborn issues are not cryptographic but human. How fast will the ecosystem coordinate a migration? What happens to dormant or lost coins, above all the roughly one million BTC tied to Satoshi Nakamoto, that no one can move to safety? Leaving them exposed invites an eventual theft; freezing them breaks Bitcoin's core promise that a valid key can always spend. Those are governance questions, and they are unsettled. As one framing put it, Bitcoin's quantum deadline is not a physics problem.

Where the evidence lands

Keep the two claims apart. Bitcoin's signatures are theoretically breakableby a large, fault-tolerant quantum computer running Shor's algorithm: that is uncontested, and this file does not pretend otherwise. But the panic claim, that a Q-Day break is imminent, is not supported by the hardware. Today's best machines are short of the requirement by orders of magnitude, and every expert body that has weighed in, Coinbase's cryptographers, Google's researchers, Blockstream, places the danger years out, generally a decade or more, with wide uncertainty.

The vulnerability is real; the clock is wrong. A true weakness with a mistimed deadline is still a weakness, and still not an emergency.

So the verdict is Disputed, and the word is exact. It is not disputed that quantum computing threatens Bitcoin in principle, and it is not seriously argued that a break is happening now. What is genuinely contested is the timeline: how fast the hardware scales, how far the algorithms compress the requirement, and therefore when, not whether, migration becomes urgent. Reasonable experts disagree about the date and agree about the direction.

The responsible posture is the one the serious voices already hold. Treat “harvest now, decrypt later” as a real reason to move coins and to build post-quantum signatures on an unhurried but deliberate schedule; treat the next viral “Q-Day is here” headline, especially one that arrives with a red chart, as a claim to check against the qubit counts. The threat deserves preparation, not panic, and those are not the same response.

Advertisement
Open questions

What's still unexplained

  • When a cryptographically relevant quantum computer will actually exist is genuinely unknown. Credible estimates cluster in roughly the 2029–2035 window and beyond, but the error bars are wide, and the honest answer is that no one can date Q-Day with confidence.
  • Whether algorithmic progress keeps compressing the timeline is unresolved. The 2025 and 2026 papers cut the resource estimates sharply; another such leap could pull the date forward, while the hardware engineering could just as easily stall, as it has for years.
  • How quickly Bitcoin could coordinate a migration to post-quantum signatures is a governance question, not a physics one, and the ecosystem has not settled it. The debate over optional upgrades versus a forced move is active and unfinished.
  • What to do about coins that can never be moved, above all the roughly one million BTC linked to Satoshi Nakamoto, is a live and contentious problem: leave them vulnerable, or freeze them and break Bitcoin's promise that valid keys always spend.

Point by point

The claim: A quantum computer could, in principle, derive a Bitcoin private key from a public key.

What the record shows: This is the true kernel of the whole story, and this file does not dispute it. Bitcoin signatures use ECDSA over secp256k1, whose security rests on the elliptic-curve discrete-logarithm problem, exactly the problem Shor's algorithm solves. A Google whitepaper estimated that roughly 1,200 logical (error-corrected) qubits could recover a private key from an exposed public key in about nine minutes. The physics is not the objection; the machine to run it is.

The claim: Today's quantum computers are on the verge of doing this.

What the record shows: They are not, and the gap is enormous. The largest processors in 2025 and 2026 run on the order of a thousand noisy physical qubits: IBM's Condor at 1,121, Atom Computing's neutral-atom array near 1,180, with Google's error-correction-focused Willow at 105. Attacking secp256k1 needs on the order of a thousand or more logical qubits, and each logical qubit is built from many physical ones, putting the real requirement in the hundreds of thousands of physical qubits with full fault tolerance. No such machine exists, and none is close.

The claim: Recent papers slashing the qubit estimates mean a break is essentially here.

What the record shows: The reductions are real and significant, but they move a distant target, not a present one. Gidney's 2025 result cut the RSA-2048 estimate about twentyfold, to under a million noisy qubits; 2026 papers trimmed the elliptic-curve figures further. These are theoretical resource estimates and clever algorithmic improvements, not demonstrations, and even the reduced numbers dwarf current hardware. A shrinking requirement that is still orders of magnitude out of reach is progress, not arrival.

The claim: SHA-256 and Bitcoin mining would collapse at the same moment as the signatures.

What the record shows: Much less so. The signature layer is the vulnerable part. Against hash functions like SHA-256, the relevant quantum tool is Grover's algorithm, which offers only a quadratic speedup, effectively halving the security level rather than breaking it. Analysts consistently identify ECDSA signatures, not proof-of-work, as the first and primary casualty, and SHA-256 as comparatively robust. “Bitcoin breaks” usually means the keys, not the mining.

The claim: A large share of all Bitcoin is already exposed and could be swept the day a machine exists.

What the record shows: Broadly accurate, and it is the strongest part of the worry. Estimates put roughly 6 to 7 million BTC, about a third of the eventual supply, in addresses whose public keys are already visible on-chain: reused addresses and early pay-to-public-key coins, including much of the Satoshi-era holdings. Those keys are the real attack surface once a capable machine arrives. That is a powerful argument for migrating funds and hardening the protocol, not evidence that the machine is here.

The claim: Bitcoin cannot be fixed, so Q-Day would be terminal.

What the record shows: The cryptography is the easy part. Post-quantum signature schemes are already standardized (NIST's FIPS 204 and 205), and Bitcoin can adopt them through a soft fork, as Blockstream's Adam Back and others have proposed. The hard problems are coordination and governance: how fast the ecosystem migrates, and what to do about dormant or lost coins whose owners can never move them. As one framing put it, Bitcoin's quantum deadline is not a physics problem.

The claim: “Harvest now, decrypt later” means the threat is effectively already active.

What the record shows: This is a legitimate concern, stated precisely. Because exposed public keys are permanent and public on-chain, an attacker (or the ledger itself) has already “harvested” them; they can be attacked whenever hardware catches up. That is exactly why cryptographers urge migration now rather than later. But it describes future decryption of data captured today, not a present-day ability to break a key, which is the distinction the panic collapses.

The claim: Experts agree that a break is imminent.

What the record shows: They do not. Coinbase's advisory council put the danger at least two major engineering leaps away; Brian Armstrong called it exaggerated and not unique to crypto; Adam Back described current machines as lab experiments after decades of incremental gains. Even the aggressive estimates, such as a stated ten-percent chance of a private-key recovery by 2032, are probabilistic and years out. The center of gravity among specialists is the early 2030s at the soonest, with wide error bars, not next quarter.

Other readings

Angles that don't fit neatly into the claim or its rebuttal, laid out and weighed, not endorsed.

The already-exposed-keys reading

A more careful version of the worry drops the word “imminent” and focuses on the permanence of exposed public keys. Because reused and early pay-to-public-key addresses have already published the keys that a future machine would target, those specific coins face a standing risk that only grows as hardware improves. This is the serious, defensible core of the concern, and it argues for moving funds to fresh addresses and migrating the protocol, on a timeline measured in years, rather than for expecting an overnight collapse.

The “not unique to Bitcoin” reading

The same quantum capability that would threaten secp256k1 would also threaten the RSA and elliptic-curve cryptography behind online banking, secure web traffic, government communications, and digital signatures generally. On this view Bitcoin is neither uniquely fragile nor the likeliest first target, and it may even be quicker to upgrade than sprawling legacy systems, since it can adopt new signatures through a coordinated fork. Q-Day, if it comes, is a problem for the entire public-key world, not a Bitcoin-specific doomsday.

Timeline

  1. 1994Mathematician Peter Shor publishes the algorithm that bears his name, showing that a quantum computer could factor large integers and solve the discrete-logarithm problem efficiently, the two hard problems underpinning most modern public-key cryptography, including the elliptic-curve keys later used by Bitcoin.
  2. 2009Bitcoin launches, using ECDSA over the secp256k1 elliptic curve for signatures and SHA-256 for proof-of-work and hashing. Both schemes are standard and battle-tested against classical computers, and both are, in principle, in scope for a future quantum attack.
  3. 2017Academic resource estimates begin to quantify the quantum threat to elliptic-curve cryptography, generally concluding that thousands of error-corrected logical qubits, and millions of physical qubits, would be required, numbers far beyond any hardware then or now in existence.
  4. 2024-08-13NIST finalizes its first three post-quantum cryptography standards: FIPS 203 (ML-KEM, from CRYSTALS-Kyber), FIPS 204 (ML-DSA, from CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, from SPHINCS+). It urges organizations to begin migrating now, giving Bitcoin and every other system a concrete replacement toolkit.
  5. 2024-12Google unveils its Willow chip, 105 superconducting qubits, and reports a milestone in quantum error correction: errors that fall as the system scales. It is a genuine advance in reliability, not raw size, but the coverage feeds a wave of “quantum is almost here” headlines and chatter about Bitcoin.
  6. 2025-05Google researcher Craig Gidney posts a paper estimating that factoring a 2048-bit RSA key might take under one million noisy qubits, about a twentyfold reduction from his own 2019 figure of roughly twenty million. The result lowers the bar dramatically while still leaving it far above current hardware.
  7. 2026-01Coinbase convenes a Quantum Advisory Council of leading cryptographers and blockchain researchers, publishing a roughly fifty-page position paper. Its conclusion: a machine able to break blockchain encryption will eventually be built, but the threat is not imminent and sits at least two major engineering leaps away.
  8. 2026-03Further papers from Caltech and Google trim the estimated qubit and step counts for attacking elliptic-curve keys, prompting “Q-Day just got closer” coverage and renewed selloff chatter, even as the revised numbers remain orders of magnitude beyond what exists.
  9. 2026-04The debate splits in public. Coinbase's Brian Armstrong calls the threat greatly exaggerated and not unique to crypto while still urging action; Blockstream's Adam Back argues for optional quantum-resistant upgrades now, describing today's machines as essentially lab experiments after twenty-five years of incremental progress.
Where the evidence lands

Disputed. Two separate claims travel under the same headline, and they do not share a verdict. That Bitcoin's signature scheme is theoretically breakable by a large, fault-tolerant quantum computer is not in dispute: Shor's algorithm solves the elliptic-curve discrete-logarithm problem behind secp256k1, so a sufficiently powerful machine could recover a private key from an exposed public key. What is disputed is the timing. The panic version, that a “Q-Day” break is imminent, is not supported: today's largest quantum processors run on the order of a thousand noisy physical qubits, while breaking Bitcoin's keys is estimated to need on the order of a thousand or more error-corrected logical qubits, which translates to hundreds of thousands of physical qubits that no one has built. Cryptographers at Coinbase and Blockstream, and the direction of NIST's post-quantum standardization, all point to a threat that is real but years off, generally estimated a decade or more out with wide uncertainty. This file rates the claim disputed because the timeline is genuinely contested while a near-term break is not.

Reviewed by The Conspiratory Editors · Last reviewed July 19, 2026 · How we rate

Sources

  1. 1.What Is Q-Day? The Quantum Threat to Bitcoin Explained, Decrypt (2026)
  2. 2.How to factor 2048 bit RSA integers with less than a million noisy qubits, Craig Gidney (arXiv 2505.15917) (2025)
  3. 3.Post-Quantum Cryptography FIPS Approved, NIST Computer Security Resource Center (2024)
  4. 4.Coinbase Quantum Advisory Council: Post-Quantum Migration and Abandoned Coins, Coinbase (2026)
  5. 5.Coinbase advisory board says quantum computing threat is on the horizon, crypto needs a plan, CoinDesk (2026)
  6. 6.Bitcoin's quantum debate splits as Adam Back pushes optional upgrades over forced freeze, CoinDesk (2026)
  7. 7.Bitcoin's Quantum Deadline Isn't A Physics Problem, Forbes (2026)
  8. 8.Q-Day Just Got Closer: Three Papers in Three Months Are Rewriting the Quantum Threat Timeline, The Quantum Insider (2026)
  9. 9.Meet Willow, our state-of-the-art quantum chip, Google (2024)
  10. 10.Quantum computers are coming to break our codes faster than anyone expected, The Conversation (2025)

Help us investigate

This is a living case file. If you spot an error or know evidence we missed, tell us, and weigh in on where you land.

Where do you land?

Cast your read on this one.

What did we miss?

Spotted an error or know a source worth chasing? Every note is read by a human.

Comments

Add your take. Comments are read and approved by a human before they appear, so keep it on topic and civil. Please do not accuse named, living people of crimes.

Saved on this device so you keep the same name next time. No account needed.

Related case files

Advertisement
Written by The Conspiratory Editors · Published July 19, 2026. The Conspiratory lays out the claim, the case on every side, and the sources, so you can weigh it yourself. Spotted a stronger source? Corrections are welcome.