
Post-Quantum Cryptography (PQC)

🌳 Advanced

💡 The Plain-English Definition

Post-quantum cryptography refers to the cryptographic algorithms that can resist attacks from quantum computers — computers that use quantum mechanics to perform certain calculations exponentially faster than classical computers. For Bitcoin, quantum computing represents a potential long-term threat to the elliptic curve cryptography that secures private keys, and the community is actively developing responses.

🤔 But Why Though?

Bitcoin’s private key security relies on elliptic curve cryptography — specifically, the mathematical hardness of deriving a private key from a public key. Classical computers cannot solve this problem in any practical timeframe. Quantum computers running Shor’s algorithm (a quantum algorithm that efficiently solves the discrete logarithm problem underlying elliptic curve cryptography) could theoretically derive a private key from a public key, compromising any address whose public key is visible on-chain.

In March 2026, Google Quantum AI published research showing that the hardware requirements for breaking 256-bit elliptic curve cryptography are approximately 20 times lower than 2024 estimates — reducing the requirement from tens of millions of physical qubits to approximately 400,000–500,000. This doesn’t mean the threat is imminent: current quantum computers operate at around 1,000–2,000 physical qubits with high error rates. Stage 3 capability (breaking Bitcoin’s 256-bit ECC outside the 10-minute block confirmation window) is estimated by most researchers as mid-2030s at the earliest for the most well-resourced actors.

The vulnerability is address-type specific. P2PK addresses (the earliest format, where the public key is visible directly on-chain) and addresses where the public key has been exposed by spending are immediately vulnerable to a sufficiently powerful quantum computer — an offline attack requiring no timing constraint. Unspent P2WPKH and P2TR addresses (Native SegWit and Taproot) expose public keys only at the moment of spending, requiring an attacker to derive the private key within the approximately 10-minute block confirmation window — a much harder constraint. A March 2026 report from ARK Invest and Unchained Capital estimated approximately 34.6% of circulating Bitcoin supply is in addresses with already-exposed public keys.

NIST finalised its first post-quantum cryptographic standards in August 2024: ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+). BIP-360, proposing a quantum-resistant Pay to Quantum Resistant Hash (P2QRH) output type, has been proposed for Bitcoin.

🌍 The Real-World Analogy

Think of the quantum threat like a lock-picking technology that’s currently being developed in a research lab. Today, your lock is unpickable with any known tool. In ten to fifteen years, the tools might exist to pick it. The sensible response isn’t panic — it’s migrating to a new lock type while there’s still plenty of time, rather than waiting until the picking tools are deployed. Bitcoin’s response to PQC is that migration: moving funds to quantum-resistant address types before the threat becomes practical.

⚡ So What?

For most Bitcoin holders, the practical action today is straightforward: migrate holdings to Taproot (bc1p) addresses, and avoid address reuse. Taproot’s exposed internal key makes it, in theory, slightly more vulnerable than unspent SegWit, but it is better positioned than legacy formats overall, and any post-quantum upgrade to Bitcoin will build on Taproot’s architecture. The quantum threat is real, the timeline is uncertain, and the Bitcoin community is working on solutions — but this is a decade-horizon concern, not a 2026 emergency.
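As an added illustration (this code is not from the Bitcoin Encyclopedia or any Bitcoin project), the following Python walks a small constructed chain and sorts every unspent output into the two exposure categories used above: public keys already recoverable from chain data (P2PK outputs, and hash-based addresses whose key was revealed by an earlier spend, i.e. address reuse) versus keys that only appear while a spend is pending. The scriptPubKey patterns are the standard ones (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); the transactions, hashes, keys and satoshi values are constructed placeholders. It treats P2TR as key-on-chain because a BIP-341 output holds the 32-byte tweaked output key itself rather than a hash of it, which is the exposure the "So What?" section refers to.

```python
"""Classify Bitcoin UTXOs by whether their public key is already on-chain.

Added example, not part of the Bitcoin Encyclopedia page. All transaction
ids, hashes, keys and values below are constructed placeholders.
"""
from dataclasses import dataclass

# Script types whose scriptPubKey contains key material directly. P2TR is here
# because a BIP-341 output is "OP_1 <32-byte output key>", not a hash of a key.
KEY_ON_CHAIN = {"P2PK", "P2TR"}
# Script types that commit only to a hash until the output is spent.
HASH_ON_CHAIN = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a raw scriptPubKey (pattern match only)."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"      # <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"    # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"     # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"      # OP_1 <32-byte x-only output key>
    return "UNKNOWN"


@dataclass(frozen=True)
class TxOut:
    spk: bytes
    value: int            # satoshis (constructed)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple         # (txid, vout) outpoints; empty for a coinbase
    outputs: tuple        # TxOut instances


def exposure_report(txs):
    """Walk txs in order and return {(txid, vout): (type, status, value)} for UTXOs.

    status is "EXPOSED_NOW" when the key is recoverable from chain data alone
    (key sits in the scriptPubKey, or the same script was spent earlier so its
    preimage is public); otherwise "EXPOSED_ONLY_WHEN_SPENT".
    """
    utxos = {}
    revealed = set()      # scriptPubKeys whose preimage a previous spend made public
    for tx in txs:
        for outpoint in tx.inputs:
            spent = utxos.pop(outpoint)
            if classify_script(spent.spk) in HASH_ON_CHAIN:
                # The witness/scriptSig of this spend carried the pubkey or
                # redeem script, so every other output paying to the same
                # script (address reuse) is now attackable offline.
                revealed.add(spent.spk)
        for vout, out in enumerate(tx.outputs):
            utxos[(tx.txid, vout)] = out
    report = {}
    for outpoint, out in utxos.items():
        kind = classify_script(out.spk)
        exposed = kind in KEY_ON_CHAIN or out.spk in revealed
        status = "EXPOSED_NOW" if exposed else "EXPOSED_ONLY_WHEN_SPENT"
        report[outpoint] = (kind, status, out.value)
    return report


def exposed_value_share(txs):
    """Fraction of remaining UTXO value whose key is already recoverable on-chain."""
    rows = exposure_report(txs).values()
    total = sum(v for _, _, v in rows)
    exposed = sum(v for _, s, v in rows if s == "EXPOSED_NOW")
    return exposed / total if total else 0.0


# --- constructed sample chain; nothing here is a real key, hash or txid ---
A_HASH, B_HASH, C_HASH = bytes([0xAA] * 20), bytes([0xBB] * 20), bytes([0xCC] * 20)
FAKE_PUBKEY = b"\x02" + bytes([0x11] * 32)   # 33-byte compressed-key shape
FAKE_XONLY = bytes([0x22] * 32)              # 32-byte x-only key shape

SAMPLE_TXS = (
    Tx("tx1", (), (
        TxOut(b"\x21" + FAKE_PUBKEY + b"\xac", 50),          # P2PK: key on-chain
        TxOut(b"\x00\x14" + A_HASH, 10),                     # P2WPKH, address A
        TxOut(b"\x00\x14" + A_HASH, 20),                     # P2WPKH, address A reused
        TxOut(b"\x51\x20" + FAKE_XONLY, 5),                  # P2TR: output key on-chain
        TxOut(b"\x76\xa9\x14" + B_HASH + b"\x88\xac", 15),   # P2PKH, address B
    )),
    # Spending tx1:1 reveals address A's public key, so tx1:2 becomes exposed
    # even though it is still unspent.
    Tx("tx2", (("tx1", 1),), (TxOut(b"\x00\x14" + C_HASH, 9),)),
)

if __name__ == "__main__":
    for (txid, vout), (kind, status, value) in exposure_report(SAMPLE_TXS).items():
        print(f"{txid}:{vout}  {kind:6}  {value:>3} sat  {status}")
    print(f"share of UTXO value exposed now: {exposed_value_share(SAMPLE_TXS):.3f}")
```

Running the file prints one row per remaining output; on the constructed data the P2PK output, the reused P2WPKH output and the P2TR output come out as exposed now, while the untouched P2PKH and fresh P2WPKH outputs are exposed only during a spend. The printed share is a property of the made-up values, not a measurement of the real chain; on real data the same walk would need full script parsing and a complete transaction history.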

Part of The Bitcoin Encyclopedia: 167 terms, plain English, no jargon.