How Many Qubits to Break Bitcoin?
How many qubits it would take to break Bitcoin is one of the most consequential questions in cryptography right now. Bitcoin's security rests on the Elliptic Curve Digital Signature Algorithm (ECDSA) over a 256-bit curve, and a sufficiently powerful quantum computer running Shor's algorithm could, in theory, derive a private key from a public key in polynomial time. This article explains the precise qubit thresholds researchers have calculated, how error-correction overhead drives those numbers up by orders of magnitude, where today's machines actually stand, and what the realistic timeline looks like.
Why Quantum Computers Threaten Bitcoin's ECDSA
Bitcoin does not use a password. Every wallet's security depends on the mathematical hardness of the elliptic curve discrete logarithm problem (ECDLP): given a public key point Q on the secp256k1 curve, it is computationally infeasible for a classical computer to find the private key scalar k such that Q = k × G, where G is the generator point.
Classical computers would require roughly 2^128 operations to brute-force a 256-bit elliptic curve key. At any conceivable clock speed, that number exceeds the estimated number of atoms in the observable universe. The threat from quantum computing is not brute force. It is Shor's algorithm, which solves the discrete logarithm problem in polynomial time on a quantum processor.
How Shor's Algorithm Attacks ECDSA
Shor's algorithm, published by Peter Shor in 1994, was originally formulated for integer factorisation. Researchers subsequently adapted it for the discrete logarithm problem, including elliptic curve variants. The quantum circuit for the elliptic curve variant of Shor's algorithm requires:
- Representing the 256-bit scalar arithmetic in quantum gates.
- Performing a quantum Fourier transform over the group order.
- Measuring the output register to extract the private key with high probability.
The circuit depth required is substantial. Unlike factoring RSA-2048, where some optimisations allow partial parallelism, elliptic curve point multiplication is inherently sequential in its quantum formulation, making the gate count and qubit requirements especially large.
The Difference Between Logical and Physical Qubits
This distinction is central to the question. A logical qubit is the abstract, error-free qubit your algorithm operates on. A physical qubit is the noisy hardware qubit that actually exists in a quantum processor. Today's physical qubits have error rates ranging from 0.1% to several percent per gate operation. Shor's algorithm over a 256-bit elliptic curve requires millions of sequential gate operations. At even a 0.1% error rate per gate, a circuit of that depth would almost certainly return garbage.
Error correction schemes, such as the surface code, encode one logical qubit into many physical qubits arranged in a 2D lattice, continuously measuring and correcting errors. The overhead ratio is governed by the code distance, which depends on the physical error rate and the required circuit fidelity. At today's error rates, a commonly cited ratio is roughly 1,000 physical qubits per logical qubit, though more optimistic hardware assumptions push this toward 100:1.
---
The Key Research Estimates
Several peer-reviewed papers have attempted to quantify the qubit requirement precisely. The numbers vary significantly depending on hardware assumptions, but the consensus direction is clear: we need far more qubits than exist today.
Webber et al. (2022) — The Landmark Paper
The most widely cited study is *"The impact of hardware specifications on reaching quantum advantage over classical attacks on elliptic curves"* by Mark Webber and colleagues, published in *AVS Quantum Science* in 2022.
Their findings, under different hardware scenarios:
| Scenario | Physical Qubits Required | Time to Break One Key |
|---|---|---|
| Optimistic (1 µs gate time, 10⁻³ error rate) | ~317 million | ~1 hour |
| Near-term realistic (1 µs gate time, 10⁻³ error) | ~13 million | ~1 day |
| Conservative (10 µs gate time, 10⁻³ error) | ~4 billion | ~10 days |
| Stretch target (faster clocks, lower error) | ~1.9 million | ~10 minutes |
The critical insight: even in the most optimistic scenario modelled, the researchers required at least 1.9 million physical qubits running with error rates and gate speeds well beyond current capability.
Earlier Estimates: Roetteler et al. (2017)
An earlier Microsoft Research paper by Roetteler, Naehrig, Svore, and Lauter estimated the logical qubit count at around 2,330 logical qubits to run the elliptic curve Shor circuit, with approximately 2.3 × 10⁹ Toffoli gates. Multiplying even 2,330 logical qubits by a conservative 1,000:1 physical overhead gives 2.33 billion physical qubits.
Banegas et al. and Subsequent Refinements
Later work by Banegas and colleagues optimised the quantum circuit for elliptic curve point addition, reducing the Toffoli gate count significantly. Some optimised circuits bring the logical qubit count down toward 1,500 logical qubits, but the gate count remains in the billions, still requiring millions to billions of physical qubits at real-world error rates.
---
Where Today's Quantum Hardware Actually Stands
Understanding the gap requires a clear view of the current state of quantum hardware.
Superconducting Processors
IBM's Heron processor (2023) operates at 133 qubits with two-qubit gate error rates around 0.3%. Google's Sycamore processor demonstrated 53-qubit operation. IBM has published a roadmap targeting 100,000+ physical qubits by the late 2020s, with a longer-horizon goal of fault-tolerant systems in the 2030s.
Key limitation: qubit count is growing, but error rates are not falling fast enough to offset overhead. A machine with 100,000 noisy physical qubits does not equal 100 logical qubits in usable, high-fidelity computation. It depends heavily on the error rate per gate.
Trapped-Ion Systems
IonQ and Quantinuum build trapped-ion processors. These have higher fidelity per gate (two-qubit error rates of ~0.1% or below) but slower gate times and limited qubit counts (tens to low hundreds). Quantinuum's H-series processors have demonstrated some of the lowest error rates in the industry, but scaling to millions of physical qubits in a trapped-ion architecture presents enormous engineering challenges.
Photonic and Neutral-Atom Approaches
Photonic quantum computers and neutral-atom arrays (companies like Pasqal, Atom Computing, QuEra) are scaling more rapidly in raw qubit count. Atom Computing demonstrated a 1,225-qubit neutral-atom array in 2023. However, two-qubit gate fidelities in these systems still need improvement, and the architecture differs significantly from the surface-code model assumed in most threat estimates.
---
The Error Correction Gap Explained
The reason the physical qubit count is so much higher than the logical qubit count is rooted in the physics of noise.
Surface Code Overhead
The surface code is the leading fault-tolerant architecture. It arranges physical qubits on a 2D grid with data qubits and ancilla qubits. Errors are detected by measuring stabilisers without collapsing the logical state. The number of physical qubits required per logical qubit scales as approximately 2d² physical qubits, where d is the code distance (roughly, the minimum number of errors needed to cause a logical failure).
For a circuit requiring 10⁹ gate operations, you need a very high code distance to keep the logical error probability below 1. At a physical error rate of 10⁻³ and a target of fewer than one logical error across the full computation:
- Required code distance: approximately d = 27
- Physical qubits per logical qubit: approximately 2 × 27² ≈ 1,458
- For 2,330 logical qubits: roughly 3.4 million physical qubits
This is why the Webber et al. figures cluster in the millions rather than the thousands.
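The sizing arithmetic above as a runnable calculation (an added example, not code from the article or the cited papers). The error-scaling heuristic, its constants `A` and `P_TH`, and the assumption that each operation takes d rounds are assumptions introduced here; the 2d² footprint, 2,330 logical qubits and 10⁹ operations are the article's figures. Under these assumptions the minimum distance is sensitive to the failure budget chosen.

```python
# Assumed surface-code heuristic (not from the article):
#   p_L(d) ~= A * (p / P_TH) ** ((d + 1) / 2)  per logical qubit per round
A = 0.1       # assumed prefactor
P_TH = 1e-2   # assumed threshold error rate


def logical_error_per_round(p, d):
    """Heuristic logical error rate for one logical qubit in one round."""
    if not 0 < p < P_TH:
        raise ValueError("physical error rate must be below the threshold")
    return A * (p / P_TH) ** ((d + 1) / 2)


def expected_logical_errors(p, d, logical_qubits, gate_ops):
    """Expected logical errors, assuming each operation lasts d rounds."""
    rounds = gate_ops * d
    return logical_qubits * rounds * logical_error_per_round(p, d)


def min_code_distance(p, logical_qubits, gate_ops, budget=1.0, d_max=201):
    """Smallest odd distance keeping expected logical errors under budget."""
    for d in range(3, d_max + 1, 2):
        if expected_logical_errors(p, d, logical_qubits, gate_ops) < budget:
            return d
    raise ValueError("no distance up to d_max meets the budget")


def physical_qubits(logical_qubits, d):
    """Article's approximation: 2 * d**2 physical qubits per logical qubit."""
    return logical_qubits * 2 * d * d


if __name__ == "__main__":
    # (physical error rate, allowed expected logical errors for the whole run)
    for p, budget in [(1e-3, 1.0), (1e-3, 0.1), (1e-4, 1.0)]:
        d = min_code_distance(p, 2330, 10**9, budget)
        print(f"p={p:g} budget={budget:g} -> d={d}, "
              f"{physical_qubits(2330, d):,} physical qubits")
```

Improving the physical error rate from 10⁻³ to 10⁻⁴ roughly halves the required distance in this model, which is why the error rate matters more than raw qubit count.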
The Magic State Distillation Cost
Shor's algorithm requires non-Clifford gates, specifically T gates, which cannot be implemented transversally in most error-correcting codes. They require a resource-intensive process called magic state distillation. This process consumes additional physical qubits, sometimes doubling or tripling the total overhead. Many estimates in the literature already include this cost; others do not, which explains some of the variation between papers.
---
Why We Are Not There Yet — And When We Might Be
The gap between current hardware and the threshold needed to threaten Bitcoin is not merely quantitative. It is qualitative. Today's machines are Noisy Intermediate-Scale Quantum (NISQ) devices. They can demonstrate quantum advantage on narrow, artificial tasks, but they cannot run fault-tolerant algorithms of the depth required by Shor's algorithm on a 256-bit elliptic curve.
The Timeline Problem
Most sober analyst forecasts place the arrival of a cryptographically relevant quantum computer (CRQC) somewhere between 2030 and 2050, with the median estimate around 2035 to 2040 in government and academic assessments. The US National Security Agency formally stated in 2022 that it does not expect quantum computers to be able to break 256-bit elliptic curve cryptography within the next decade.
However, timelines can compress. The most important variables to watch:
- Physical qubit error rate improvement (current target: below 10⁻⁴)
- Qubit connectivity improvements reducing circuit overhead
- Breakthroughs in alternative error-correction schemes (e.g., topological qubits via Microsoft's approach)
- Algorithmic improvements further reducing logical qubit or gate counts
Which Bitcoin Addresses Are Most Vulnerable First
Not all Bitcoin addresses face equal risk on Q-day. Addresses that have already broadcast a public key on-chain, such as:
- Pay-to-Public-Key (P2PK) addresses used in early Bitcoin blocks (including coins attributed to Satoshi Nakamoto)
- Reused P2PKH addresses where the public key is revealed in the spending transaction
...are more vulnerable than addresses where only the hash of the public key is publicly known (standard P2PKH, P2SH, P2WPKH). A quantum attacker would need to crack the ECDLP before a victim's transaction is confirmed, or could target dormant addresses with exposed public keys. Researchers estimate approximately 4 million BTC sits in P2PK outputs with publicly exposed keys.
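For auditing your own wallet's outputs against the distinction above, the following added example (not from the original article) classifies a scriptPubKey by its standard template and reports whether the public key is already on-chain. The function names, the `address_spent_before` flag and the sample scripts are constructed for illustration.

```python
# Constructed sample scripts: key and hash bytes are filler, not real outputs.
SAMPLES = {
    "p2pk_uncompressed": "41" + "04" + "11" * 64 + "ac",
    "p2pk_compressed": "21" + "02" + "22" * 32 + "ac",
    "p2pkh": "76a914" + "33" * 20 + "88ac",
    "p2sh": "a914" + "44" * 20 + "87",
    "p2wpkh": "0014" + "55" * 20,
}

HASHED_TYPES = {"P2PKH", "P2SH", "P2WPKH"}


def classify_script(script_hex):
    """Match a scriptPubKey against the standard output templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte public key> OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        compressed = n == 35
        if (compressed and s[1] in (0x02, 0x03)) or (not compressed and s[1] == 0x04):
            return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    # P2WPKH: witness version 0 followed by a 20-byte key hash
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    return "other"


def exposure(script_hex, address_spent_before=False):
    """Return (script type, 'exposed' | 'hashed' | 'unknown')."""
    kind = classify_script(script_hex)
    if kind == "P2PK":
        return kind, "exposed"  # the key sits in the output itself
    if kind in HASHED_TYPES:
        # An earlier spend from the same address already published the key
        # (for P2SH, the redeem script); remaining outputs inherit that exposure.
        return kind, "exposed" if address_spent_before else "hashed"
    return kind, "unknown"


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(name, exposure(script), exposure(script, address_spent_before=True))
```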
---
Post-Quantum Cryptography: The Path Forward
The National Institute of Standards and Technology (NIST) finalised its first set of post-quantum cryptographic standards in August 2024. These include:
- CRYSTALS-Kyber (now ML-KEM): lattice-based key encapsulation
- CRYSTALS-Dilithium (now ML-DSA): lattice-based digital signatures
- SPHINCS+ (now SLH-DSA): hash-based signatures
Lattice-based schemes are considered resistant to both classical and quantum attacks. Migration to post-quantum standards at the protocol level for cryptocurrencies is a non-trivial engineering and governance challenge, requiring soft or hard forks, community consensus, and careful transition mechanisms.
Projects building post-quantum security into their architecture from the ground up, rather than retrofitting it, represent a structurally different approach to this problem. BMIC.ai, for instance, is building a quantum-resistant wallet and token using lattice-based cryptography aligned with NIST PQC standards, positioning itself for a world where the qubit threshold is eventually crossed.
---
Key Takeaways
- Breaking Bitcoin's 256-bit ECDSA via Shor's algorithm requires an estimated 1.9 million to 4+ billion physical qubits, depending on hardware assumptions.
- The logical qubit count is approximately 1,500 to 2,330, but error-correction overhead multiplies this by roughly 1,000x under realistic conditions.
- The largest quantum processors today have hundreds to low thousands of physical qubits with error rates far too high for fault-tolerant operation at this scale.
- No credible scientific body expects a cryptographically relevant quantum computer before the 2030s at the earliest.
- The risk is not zero, and the time to act is during the migration window to post-quantum cryptography, not at the moment the threat arrives.
Frequently Asked Questions
How many qubits does it actually take to break Bitcoin?
Based on the most cited research (Webber et al., 2022), breaking Bitcoin's 256-bit ECDSA using Shor's algorithm would require between approximately 1.9 million and 4 billion physical qubits, depending on gate speed and error rate. At the logical qubit level, the circuit requires roughly 1,500 to 2,330 logical qubits, but fault-tolerant error correction inflates that to millions of physical qubits under realistic hardware assumptions.
What is the difference between logical and physical qubits in this context?
A logical qubit is the error-free, abstract qubit your algorithm uses. A physical qubit is the noisy hardware qubit. Because today's physical qubits have error rates of 0.1% to several percent per gate, error-correcting codes like the surface code must encode each logical qubit into roughly 1,000 physical qubits to maintain computation fidelity across millions of gate operations.
Could a quantum computer break Bitcoin today?
No. The most powerful quantum processors in existence today have hundreds to a few thousand physical qubits with error rates far too high for fault-tolerant operation. Breaking Bitcoin's ECDSA requires millions of physical qubits operating with much lower error rates than currently achievable. Most expert timelines place this capability in the 2030s to 2040s at the earliest.
Which Bitcoin addresses are most at risk from a quantum attack?
Addresses where the full public key is already publicly visible on the blockchain are most vulnerable. These include early Pay-to-Public-Key (P2PK) outputs and reused addresses whose public key was revealed when spending. Standard hashed addresses (P2PKH, P2WPKH) where only a hash of the public key is public offer a layer of additional protection, since an attacker would need to break the hash before running Shor's algorithm.
What is Shor's algorithm and why does it threaten Bitcoin?
Shor's algorithm is a quantum algorithm that solves the discrete logarithm problem and integer factorisation in polynomial time, compared to exponential time on classical computers. Bitcoin's ECDSA relies on the elliptic curve discrete logarithm problem being computationally hard. A quantum computer running Shor's algorithm could derive a wallet's private key from its public key, breaking that security assumption entirely.
What post-quantum alternatives exist for cryptocurrencies?
NIST finalised its first post-quantum cryptography standards in 2024, including ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures and ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation — both lattice-based schemes resistant to quantum attacks. For cryptocurrencies, adopting these standards would require protocol-level changes via soft or hard forks. Some newer projects are building quantum-resistant cryptography into their architecture from launch rather than retrofitting it.