Cryptocurrency • February 26, 2026 • Part 2 of 3

The Quantum Sieve
Shor's Algorithm & Satoshi's Exposed Billions

A quantum computer running Shor's Algorithm could crack Bitcoin's elliptic curve lock in hours — not centuries. The most exposed coins belong to the network's most mythologized figure. Here's what that means for Bitcoin's future, and the ethical dilemma no one has a clean answer for.

Usman Ghani

Tech Analyst

Mar 2026

In Part 1, we explored how secp256k1 — Bitcoin's elliptic curve cryptographic lock — makes brute-forcing a private key thermodynamically implausible for any classical computer, and how the custody of those keys has evolved from fragile wallet.dat files to institutional vaults managing hundreds of thousands of BTC. The mathematics protecting Bitcoin has held firm for sixteen years.

But a fundamentally different class of machine is now being built. And it doesn't play by classical rules.

  • 1994: Year Shor's Algorithm was published
  • ~1M BTC: Satoshi's estimated exposed holdings
  • 2–3M BTC: in exposed P2PK addresses
  • $90B+: Estimated value of exposed Satoshi coins

The Algorithm That Changes Everything

In 1994 — fifteen years before Bitcoin even existed — a mathematician named Peter Shor published a paper that quietly redrew the map of what was computationally possible.

Shor's Algorithm demonstrated that a sufficiently powerful quantum computer could solve the discrete logarithm problem — the mathematical bedrock of elliptic curve cryptography — exponentially faster than any known classical method. This wasn't an incremental speedup. It was a categorical shift in complexity class.

To understand why this matters: Bitcoin's security rests entirely on the assumption that deriving a private key from its public key is computationally infeasible. Classical computers would need billions of years to work backwards through the elliptic curve math. Shor's Algorithm, running on a capable quantum machine, could reduce that timeline to a matter of hours.

"The vault doesn't get harder to crack. It gets cracked."

Qubits: The Promise and the Problem

Here's where theory meets the brutal reality of hardware engineering.

A qubit is not a classical bit. Where a binary bit is always either 0 or 1, a qubit exists in superposition — processing multiple states simultaneously. This property is what gives quantum computers their theoretical edge over classical machines on problems like Shor's.

But qubits are extraordinarily fragile. Heat, vibration, electromagnetic interference — almost any environmental interaction collapses their quantum state in a phenomenon called decoherence. This is the core engineering problem of our moment.

Physical Qubits vs. Logical Qubits

The distinction that matters most is between two types of qubits:

  • Physical qubits are the raw, noisy units that exist in today's machines — unstable and prone to errors that corrupt calculations almost instantly.
  • Logical qubits are error-corrected qubits, assembled from many physical qubits working in concert to produce one stable, reliable unit of computation.

Running Shor's Algorithm at the scale needed to threaten Bitcoin's cryptography requires an estimated 1,500 to 2,000 logical qubits. Since each logical qubit demands hundreds — and potentially thousands — of physical qubits for error correction, the total hardware requirement translates to a machine with potentially millions of high-fidelity physical qubits operating in near-perfect unison.

As of early 2026, the most advanced systems — IBM's Condor, Google's Willow — operate in the range of hundreds of physical qubits, with improving but still insufficient error rates. The gap between where we are and where a cryptographically relevant machine needs to be remains enormous.

So When?

Timeline estimates vary widely, and credible experts disagree sharply:

| Outlook | Estimated Timeline | Key Assumption | Risk to Bitcoin |
|---|---|---|---|
| Conservative | 10–15 years | Error correction remains hard to scale | Moderate |
| Optimistic | 5–7 years | Accelerating hardware investment | High |
| Skeptical | Never at viable scale | Economic & physical limits too high | Low |

Why precision is impossible but preparation is not: A 10% chance of a breakthrough in five years is not reassuring when the asset base at risk exceeds $1 trillion. The expected value of catastrophic exposure is not zero.

Not All Bitcoin Addresses Are Equal

Here's something the headlines often miss: a quantum attack would not threaten every Bitcoin address equally. The level of exposure depends entirely on how an address was constructed — and that distinction cuts along a historical fault line running straight through Bitcoin's earliest years.

The Two Address Formats That Define Your Risk

| Format | Era | Public Key Exposure | Quantum Risk | Why |
|---|---|---|---|---|
| P2PK (Pay-to-Public-Key) | 2009–2012 | Fully exposed on-chain | Critical | Only barrier is discrete logarithm — exactly what Shor's solves |
| P2PKH (Pay-to-Public-Key-Hash) | 2012–present | Only hash visible | Substantially Lower | Attacker must first reverse SHA-256 and RIPEMD-160 — a harder problem still |

P2PK (Pay-to-Public-Key) is the early format used from 2009 to approximately 2012. Here, the public key itself is permanently recorded on the blockchain. Once exposed, the only barrier between an attacker and the coins is the discrete logarithm problem — the exact problem Shor's Algorithm is designed to solve. No hash reversal required. One lock. One target.

P2PKH (Pay-to-Public-Key-Hash) is the modern standard. Only a cryptographic hash of the public key is visible on the blockchain. To attack these addresses, a quantum adversary would first need to reverse both SHA-256 and RIPEMD-160 hash functions — a problem considered even harder than breaking elliptic curve cryptography. These addresses carry substantially more protection.

The implications are stark. Modern addresses have two locks. Early P2PK addresses have one — and it's the one that quantum computing directly targets.
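
The two script layouts compared above can be told apart directly from an output's locking script. The following Python is an added example, not code from the article or from any Bitcoin implementation: it classifies standard P2PK and P2PKH scripts, totals the value held in each, and goes one step beyond the text by showing that the input script of a P2PKH spend carries the public key, so an address that has already been spent from no longer hides it. The function names and sample scripts are constructed for illustration.

```python
# Added example (not from the article): classify output scripts by key exposure.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def _is_pubkey(b: bytes) -> bool:
    # Compressed keys: 33 bytes, prefix 02/03. Uncompressed: 65 bytes, prefix 04.
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def classify_script_pubkey(script: bytes) -> dict:
    """Return the script type and whether the raw public key is on-chain."""
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if len(script) in (35, 67) and script[0] == len(script) - 2 \
            and script[-1] == OP_CHECKSIG and _is_pubkey(script[1:-1]):
        return {"type": "P2PK", "pubkey_exposed": True}
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(script) == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return {"type": "P2PKH", "pubkey_exposed": False}
    return {"type": "other", "pubkey_exposed": None}

def pubkey_revealed_by_spend(script_sig: bytes):
    """A P2PKH spend carries <sig> <pubkey>; return the key it reveals, if any."""
    if not script_sig or not 1 <= script_sig[0] <= 75:
        return None
    rest = script_sig[1 + script_sig[0]:]  # skip the signature push
    if rest and rest[0] == len(rest) - 1 and _is_pubkey(rest[1:]):
        return rest[1:]
    return None

def exposure_report(outputs) -> dict:
    """Sum satoshis per script type for (script_hex, value_sats) pairs."""
    totals = {}
    for script_hex, sats in outputs:
        kind = classify_script_pubkey(bytes.fromhex(script_hex))["type"]
        totals[kind] = totals.get(kind, 0) + sats
    return totals

# Constructed sample scripts: the key, hash and signature bytes are filler.
P2PK_UNCOMPRESSED = "41" + "04" + "11" * 64 + "ac"
P2PK_COMPRESSED = "21" + "02" + "22" * 32 + "ac"
P2PKH = "76a914" + "33" * 20 + "88ac"
SPEND_SCRIPT_SIG = "47" + "30" + "44" * 70 + "21" + "03" + "55" * 32

if __name__ == "__main__":
    sample = [(P2PK_UNCOMPRESSED, 5_000_000_000), (P2PK_COMPRESSED, 100), (P2PKH, 2_500)]
    print(exposure_report(sample))
    print(pubkey_revealed_by_spend(bytes.fromhex(SPEND_SCRIPT_SIG)).hex())
```
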

Satoshi's Billions: The Most Exposed Coins on Earth

Approximately 2–3 million BTC, mined primarily between 2009 and 2012, sit in addresses with fully exposed public keys. These are not obscure, forgotten wallets. They include some of the most historically significant coins in existence.

Among them: roughly 1 million BTC attributed to Satoshi Nakamoto — coins mined during Bitcoin's first year and left completely dormant ever since. At current valuations, that represents well over $90 billion in exposed, untouched holdings.

The target profile of a quantum attacker: High-value addresses with already-visible public keys whose legitimate owners are almost certainly not monitoring them for suspicious activity. Satoshi's coins, the most mythologized holdings in crypto history, check every box.

In a hypothetical post-quantum scenario, these addresses represent a uniquely attractive target. A quantum attacker could work methodically through dormant P2PK addresses, maximizing reward while minimizing the chance of triggering a defensive response. Unlike an attack on a live custodial wallet — where security teams would respond within minutes — dormant coins have no such guardian. By the time anyone noticed coins moving from addresses that haven't transacted in fifteen years, the window for intervention would already have closed.

The Ethical Stress Test: Protect or Preserve?

This vulnerability creates a dilemma that cuts to the philosophical core of what Bitcoin is. Should the network intervene to protect these dormant coins before a quantum attacker can reach them? Or does Bitcoin's foundational promise of immutability — the rule that no authority can alter the ledger or override ownership — mean accepting that they could theoretically be claimed by whoever builds the right machine first?

The debate has two principled camps, and neither has an easy answer.

The Case for Intervention

Coins sitting untouched for 15+ years almost certainly represent lost keys, not living owners. A hard fork establishing a migration deadline — after which uncontacted P2PK coins become unspendable — would protect the network's integrity from systematic quantum theft without harming any real person. This is triage, not theft.

The Case Against

Any protocol-level intervention, regardless of the justification, is a form of centralized authority overriding the ledger. If the network can freeze coins once, the precedent is set. Bitcoin's social contract — code is law, ownership is inviolable — doesn't include an asterisk for good intentions.

Some proposals suggest a sunset mechanism: after a defined block height, old-format addresses with exposed keys could no longer spend unless they've migrated. Critics call this protocol-enforced confiscation. Supporters call it necessary triage.

Others suggest a softer approach: marking P2PK outputs as deprecated without freezing them, encouraging voluntary migration while letting the market price in the risk.

And some argue the question is purely hypothetical — that quantum hardware capable of threatening secp256k1 is decades away at minimum, giving the network ample time for an orderly, consensus-driven upgrade to post-quantum standards like NIST's newly finalized CRYSTALS-Dilithium and FALCON algorithms.

There is no clean answer. This is Bitcoin's governance philosophy under genuine existential stress — not a thought experiment, but a question the network will eventually have to answer. The mathematics protecting Bitcoin has held for sixteen years. Whether its social and governance architecture can weather a cryptographic migration of this scale is the harder problem.

About the Author

Usman Ghani is the founder of WorthZen and an independent technology observer with a focus on emerging trends, digital tools, and the future of innovation. He shares insights across a wide range of topics including technology, online platforms, and digital ecosystems.
