Original Title: "I" Spent "200" Hours Reading Quantum Computing Papers So You Don't Have To. Bitcoin Is F. TL;DR • Bitcoin doesn't use encryption; it uses digital signatures. The vast majority of articles get this wrong, and the difference is crucial. • A quantum computer cannot crack Bitcoin in 9 minutes. This describes only a theoretical circuit; the machine itself doesn't exist and won't appear for at least another decade. • Quantum mining is physically impossible. It requires more energy than the total energy output of the sun. • Bitcoin can be upgraded—it has been successfully upgraded before (Segregated Witness, Taproot), and related work has begun (BIP-360). But the community needs to speed things up. • The real reason for the upgrade isn't the quantum threat, but that traditional mathematics has already broken countless cryptographic systems, and secp256k1 could very well be next. Quantum computers haven't broken any cryptographic systems to date. • There is indeed a real vulnerability: the public keys for approximately 6.26 million Bitcoins have been exposed. This isn't something to panic about, but it's worth preparing for. To summarize my main points in one sentence: The threat of quantum computing to Bitcoin is real, but still far off; media reports are generally inaccurate and exaggerated; and the most dangerous thing is not quantum computers, but the complacency disguised as panic or indifference. Whether you're someone shouting "Bitcoin is doomed" or claiming "It's perfectly fine, don't make a fuss," you're wrong. Understanding the truth requires accepting two things: • There is no imminent quantum threat to Bitcoin; the actual threat is likely much further away than sensationalist headlines suggest. • However, the Bitcoin community should still prepare in advance, as the upgrade process itself takes years. This is not a reason to panic, but a reason to act. I will explain this with data and logic. This chart compares two core quantum algorithms: the Shor algorithm (left) is a "crypto killer" that can exponentially accelerate large number factorization and directly crack public-key cryptography such as RSA/ECC; the Grover algorithm (right) is a general-purpose quantum accelerator that can provide quadratic speedups for unordered searches. Both highlight the disruptive nature of quantum computing, but currently, large-scale deployment is limited by error-correcting hardware. Media Tactics: Clickbait Headlines Are the Biggest Danger. Every few months, the same formula repeats itself: • A quantum computing lab publishes a rigorous research paper with numerous limiting conditions. • Tech media immediately write: "Quantum Computer Cracks Bitcoin in 9 Minutes!" • Crypto community Twitter simplifies it to: "Bitcoin is dead." • Your relatives and friends message you asking if you should sell your shares immediately.However, the original paper didn't say that at all. In March 2026, Google's quantum AI team published a paper stating that the physical qubits required to crack Bitcoin's elliptic curve cryptography could be reduced to below 500,000, a 20-fold improvement over previous estimates. This is indeed significant research. Google was very cautious, not disclosing the actual attack circuit, only releasing zero-knowledge proofs. But the paper never said: Bitcoin can be cracked now, there's a clear timeline, or everyone should panic. Yet the title was: "Break Bitcoin in 9 Minutes." CoinMarketCap published an article titled "Will AI-Accelerated Quantum Computing Destroy Bitcoin in 2026?", the entire article explaining that the answer was almost certainly "no." This is a typical tactic: use sensational headlines to attract traffic, while the main text is cautious and accurate. But 59% of the shared links were never clicked—for most people, the headline is the information itself. There's a saying that puts it well: "The market prices risk extremely quickly. You can't steal something that goes to zero the moment you get it." If quantum computers were truly going to disrupt everything, Google's own stock price (which also uses similar cryptography) would have collapsed long ago. But Google's stock price remained stable. Conclusion: The headline is the real rumor. The research itself is real and comprehensible; let's examine it carefully. The biggest misconception about what quantum computers truly threaten and don't threaten: "encryption." Almost every article discussing quantum mechanics and Bitcoin uses the word "encryption." This is wrong, and wrong in a way that affects the whole picture. Bitcoin doesn't protect assets through encryption, but through digital signatures (ECDSA, later using Schnorr via Taproot). The blockchain itself is public; all transaction data is always visible to everyone, and there's nothing that needs to be "decrypted." As Adam Back, the inventor of Hashcash, quoted in the Bitcoin white paper, said: "Encryption means that data is hidden and can be decrypted. Bitcoin's security model is based on signatures used to prove ownership without exposing private keys." This isn't nitpicking. This means that the most pressing "collect now, decrypt later" threat in the quantum realm is essentially nonexistent for Bitcoin asset security. There is no encrypted data to collect; the exposed public keys are already publicly available on the chain. Two types of quantum algorithms: one a real threat, the other negligible. Shor's algorithm (the real threat): provides exponential speedup to the underlying mathematics of digital signatures, allowing for the reverse engineering of private keys from public keys, and the forgery of transaction signatures. This is what we really need to worry about. Grover's algorithm (not a threat): only provides quadratic speedup to hash functions like SHA-256; it sounds alarming, but a quick calculation shows it's completely impractical.A 2025 paper, "Kardashev-level Quantum Computing and Bitcoin Mining," calculates that at Bitcoin's current difficulty, quantum mining requires: • Approximately 10²³ physical qubits (currently, there are only about 1500 globally) • Approximately 10²⁵ watts of energy (the sun's total output is approximately 3.8 × 10²⁶ watts). Mining Bitcoin with a quantum computer would require energy equivalent to about 3% of the sun's total output. Humanity is currently only a Type 0.73 Kardashev civilization; the energy required for quantum computer mining would be so vast that only a Type II civilization could achieve it, making it physically impossible for humanity to do so. (Note: Based on the Kardashev classification of civilizations: Type I: capable of fully utilizing the energy of a planet (Earth); Type II: capable of utilizing the entire energy of an entire star (the Sun)) In comparison: even with the most ideal design, a quantum mining machine's computing power is only about 13.8 GH/s; while a typical Antminer S21 can reach 200 TH/s. Traditional ASIC miners are 14,500 times faster than quantum mining machines. Ultimately, quantum mining is simply not feasible. It's impossible now, it's impossible in 50 years, and it may never be possible. If someone says that quantum computers can "crack Bitcoin mining," they are confusing two completely different algorithms. Of the eight common claims, 7.5 are incorrect. Claim 1: "With the advent of quantum computers, all Bitcoins will be stolen overnight." The fact is, only Bitcoins whose public keys are exposed pose a security risk. Modern Bitcoin addresses (P2PKH, P2SH, Segregated Witness) do not reveal their public keys before you initiate a transaction. As long as you never reuse an address and never transfer assets from that address, your public key will not appear on the blockchain. The specific classifications are as follows: • Level A (Directly at Risk): Approximately 1.7 million BTC use the old P2PK format, and their public keys are completely public. • Level B (Risk Exists but Can Be Remedied): Approximately 5.2 million BTC are located in reused addresses and Taproot addresses; users can mitigate the risk by migrating. • Level C (Temporary Exposure): During the approximately 10 minutes each transaction waits to be packaged in the mempool, the public key is temporarily exposed. According to Chaincode Labs estimates, a total of approximately 6.26 million BTC are at risk of public key exposure, representing about 30%–35% of the total supply. This is indeed a significant amount, but it is by no means "all Bitcoins." Claim 2: "Satoshi Nakamoto's coins will be stolen, causing a market crash and reducing them to zero." Partly True, Partly False: The approximately 1.1 million BTC held by Satoshi Nakamoto use the P2PK format, and their public keys are completely exposed, making them indeed high-risk assets. However: • Quantum computers capable of cracking these private keys do not currently exist.• Countries possessing early quantum technology will prioritize targeting intelligence and military systems, rather than staging a "public propaganda farce of stealing Bitcoin" (Qubits Canary Research Group's statement). • Expanding from the current approximately 1500 qubits to hundreds of thousands will require years of engineering breakthroughs, and the progress is highly uncertain. • Statement 3: "Bitcoin cannot be upgraded—too slow, chaotic governance." This statement is not entirely accurate, but it is not entirely without merit. Bitcoin has successfully completed several major upgrades in its history: • Segregated Witness (SegWit, 2015–2017): Highly controversial, nearly failed, and directly led to the Bitcoin Cash fork, but ultimately launched successfully. • Taproot (2018–2021): Smooth implementation, taking approximately 3.5 years from proposal to mainnet launch. • The quantum-resistant mainstream solution BIP-360 was officially incorporated into the Bitcoin BIP library in early 2026, adding the bc1z address type and removing the quantum-vulnerable key path expenditure logic in Taproot. The proposal is currently still in draft form, and the testnet is already running the Dilithium post-quantum signature instruction set. Ethan Hellman, co-author of BIP-360, estimates the complete upgrade cycle to be approximately 7 years: 2.5 years for development and review, 0.5 years for activation, and 4 years for ecosystem migration. He admits, "This is just a rough estimate; no one can give an exact timeframe." Objective conclusion: Bitcoin can be upgraded, and the upgrade has already begun, but it is still in its early stages and needs to be accelerated. Claims that "an upgrade is completely impossible" are incorrect, as are claims that "the upgrade has already been completed." Statement 4: "We only have 3-5 years left" is highly unlikely, but we cannot be completely complacent. Experts estimate a wide timeframe: * Adam Back (inventor of Hashcash, cited in the Bitcoin white paper): 20–40 years. * Jensen Huang (CEO of Nvidia): Practical quantum computers will still take 15–30 years. * Scott Aaronson (quantum computing authority at the University of Texas at Austin): Refused to give a timeline, stating that cracking RSA might require "hundreds of billions of dollars in investment." * Craig Gidney (Google Quantum AI): Only 10% probability of achieving this before 2030; also believes that under current conditions, it's unlikely that the demand for qubits will see a 10-fold improvement, and the optimization curve may have already flattened. * A survey of 26 quantum security experts: The probability of risks occurring within 10 years is 28%–49%. * Ark Investment: "It's a long-term risk, not an imminent one." It's worth noting that Google's Willow chip broke through the quantum error correction threshold at the end of 2024. This means that for every increase in the error correction code distance, the logic error rate will decrease by a fixed factor (2.14 for Willow).This error suppression effect increases exponentially, but the actual scaling speed depends entirely on the hardware and can be logarithmic, linear, or extremely slow. Breaking the threshold only indicates that scaling is feasible, not that it will be fast, easy, or inevitable. Furthermore, Google's March 2026 paper did not disclose the actual attack circuit, only the zero-knowledge proof. Scott Aaronson also warned that future researchers may no longer publicly disclose resource estimates required to crack cryptography. Therefore, we may not be able to anticipate the arrival of "Quantum Crisis Day" long in advance. Even so, building a computer with hundreds of thousands of fault-tolerant qubits remains a huge engineering challenge. Currently, the most advanced quantum computers cannot even factor numbers larger than 13 digits, while cracking the Bitcoin password is equivalent to factoring a number of approximately 1300 digits. This gap cannot be bridged overnight, but the technological trend deserves attention, not disregard. Statements 5–8: Quickly clarify that "quantum computing will destroy mining" is incorrect. Energy consumption is close to the total output of the sun; see Part II for details. "Collect data now, decrypt it later" does not apply to asset theft (the blockchain itself is public), only having some impact on privacy, which is a secondary risk. "Google claims to have cracked Bitcoin in 9 minutes." Google is referring to a theoretical circuit that would run for approximately 9 minutes on a non-existent 500,000-qubit machine. Google itself has explicitly warned against such panic and has concealed details of the attack circuitry. "Post-quantum cryptography is not yet mature." The National Institute of Standards and Technology (NIST) has standardized algorithms such as ML-KEM, ML-DSA, and SLH-DSA. The algorithms themselves are mature; the difficulty lies in deploying them in the Bitcoin system, not in inventing them from scratch. Five issues I'm truly concerned about: A debunking article that completely denies everything loses credibility. Here are five issues that deeply worry me: • The estimated number of qubits required to crack a cryptosystem continues to decline, although this trend may be slowing. In 2012, it was estimated that 1 billion qubits would be needed to crack a cryptosystem; by 2019, this had dropped to 20 million; and by 2025, it was below 1 million. In early 2026, Oratomic claimed that using a neutral atom architecture, only 10,000 physical qubits would be needed to crack it. However, it is worth noting that all nine authors of the study are shareholders of Oratomic, and the 101:1 physical to logical qubit conversion ratio on which their estimate was based has never been verified (the actual historical ratio is closer to 10,000:1).It's also important to clarify that a computation task that takes only "9 minutes" on Google's superconducting architecture would take 10²⁶⁴ days to complete on neutral atom hardware—the two are completely different devices with vastly different processing speeds. Gidney himself has stated that the algorithm optimization curve may have reached a plateau. Even so, no one knows when the inflection point between the "required number of qubits" and the "existing number of qubits" will arrive. The most objective conclusion is that there is currently immense uncertainty. The scope of public key exposure is expanding, not shrinking. Taproot, Bitcoin's latest and most widely adopted address format, exposes modified public keys on-chain, leaving quantum attackers with an unlimited window of opportunity for offline cracking. The irony that Bitcoin's latest upgrade has actually weakened its quantum resistance is worth pondering. Furthermore, the problem isn't limited to on-chain addresses: Lightning Network channels, hardware wallet connections, multi-signature schemes, and extended public key sharing services all inherently spread public keys by design. In a world where fault-tolerant quantum computers (CRQC) capable of breaking cryptographic keys become a reality, "protecting public key privacy" becomes impractical when the entire system is built around public key sharing. BIP-360 is just a first step, far from a complete solution. Bitcoin governance is slow, but there is still a window of opportunity. Since November 2021, the Bitcoin underlying protocol has not activated a soft fork for over four years, remaining stagnant. Google plans to complete its quantum-resistant migration system by 2029, while the most optimistic estimate for Bitcoin is 2033. Considering that practically crackable quantum computers are likely still a long way off (most reliable predictions suggest the 2040s, or even never), this is not an urgent crisis, but complacency is unacceptable. The earlier preparations begin, the more relaxed the later stages will be. Satoshi Nakamoto's Bitcoin holdings present an unsolvable game theory problem. Approximately 1.1 million BTC are stored in P2PK addresses, and because no one holds the corresponding private key (or Satoshi Nakamoto has disappeared), these assets can never be migrated. Whether choosing to ignore, freeze, or destroy, all options will have serious consequences; there is no perfect solution. A blockchain is a permanently locked list of attack targets. All exposed public keys will be permanently and freely recorded, allowing institutions worldwide to begin preparations now and await their opportunity. Defense requires proactive collaboration from multiple parties, while attacks only require patience. These are real challenges, but there is another side to consider.Why the quantum threat may be extremely distant, or even never arrive: Several serious physicists and mathematicians (not extremists) believe that fault-tolerant quantum computing on a scale sufficient to break cryptography may face fundamental obstacles at the physics level, not just engineering challenges: • Leonid Levin (Boston University, co-proposer of NP-completeness): "Quantum amplitudes need to be accurate to hundreds of decimal places, but humanity has never found any physical law that holds true with more than a dozen decimal places of precision." If nature does not allow precision exceeding about 12 decimal places, the entire field of quantum computing will hit a physical ceiling. • Michel Dyakonov (University of Montpellier, theoretical physicist): A 1000-qubit system requires controlling approximately 10³⁰⁰ consecutive parameters simultaneously, far exceeding the total number of subatomic particles in the universe. His conclusion is: "Impossible, never possible." • Gil Kalai (Hebrew University, mathematician): Quantum noise exhibits unavoidable correlation effects, which intensify with increasing system complexity, making large-scale quantum error correction fundamentally impossible. His conjecture remains unproven after 20 years, but his experimental predictions have also shown some deviations, presenting both advantages and disadvantages. Tim Palmer (Oxford University, physicist): His rational quantum mechanics model predicts a hard upper limit of approximately 1000 qubits for quantum entanglement, far below the scale required to break cryptography. These are not fringe opinions. Existing evidence clearly supports this judgment: To date, practical experience shows that quantum computing capable of threatening cryptographic systems is either far more difficult to achieve in reality than in theory, or simply impossible due to unknown laws of the physical world. The analogy of self-driving cars is apt: impressive demonstrations attract huge investments, yet for over a decade it has been claimed that "it will be ready in five years." Most media outlets assume that "quantum computers will eventually break cryptography, it's just a matter of time," but this is not a conclusion drawn from evidence, but rather an illusion created by a hype cycle. The core driving force behind the upgrade is unrelated to quantum mechanics—a crucial fact rarely mentioned (thanks to @reardencode for highlighting this): • To date, 0 cryptographic systems have been broken by quantum computers; • Countless cryptographic systems have been broken by classical mathematical methods. DES, MD5, SHA-1, RC4, SIKE, Enigma machines… all failed due to sophisticated mathematical analysis, not quantum hardware. SIKE was once the final candidate for post-quantum cryptography by the National Institute of Standards and Technology (NIST), but in 2022 it was completely cracked by a researcher using an ordinary laptop in one hour.Since the inception of cryptographic systems, classical cryptanalysis has continuously overturned various encryption schemes. The secp256k1 elliptic curve used by Bitcoin could become invalid at any time due to a mathematical breakthrough, requiring no quantum computer whatsoever. All it would take is a top number theorist making a new breakthrough in the discrete logarithm problem. This hasn't happened yet, but the history of cryptography is a history of "proven secure" systems constantly being found to have vulnerabilities. This is the real reason Bitcoin should adopt alternative encryption schemes: not because quantum computers are coming—they may never appear; but because relying on a single encryption assumption for a multi-trillion-dollar network is a risk that rigorous engineering must proactively guard against. The quantum-related panic hype has masked this more subtle but real threat. Ironically, preparations made to address the quantum threat (BIP-360, post-quantum signatures, hash-based alternatives) can also defend against classical cryptanalysis attacks. People are doing the right thing for the wrong reasons, and that's fine—as long as it can ultimately be implemented. What should you do? If you hold Bitcoin: • Don't panic. The threat is real, but far off; you have plenty of time. • Stop reusing addresses. Each reuse exposes the public key; please use a new address for receiving payments. • Follow the progress of BIP-360. Migrate assets promptly after the launch of quantum-resistant addresses. • For long-term holding, keep funds in addresses that have never been transferred out, keeping the public key hidden. • Don't be swayed by headlines; read the original paper. The content is more interesting and not as scary as the reports suggest. If you are a Bitcoin developer: • BIP-360 needs more review; the testnet is running, and the code urgently needs examination. • The 7-year upgrade cycle needs to be compressed; every year of delay shrinks the security buffer. • Start governance discussions regarding legacy unspent transaction outputs (UTXOs); Satoshi Nakamoto's Bitcoin will not protect itself, and the community needs solutions. If you just saw sensational headlines: Remember, 59% of the links that are forwarded are never clicked. Headlines are just for stirring emotions; the paper is meant to provoke thought. Read the original. Conclusion: The threat of quantum mechanics to Bitcoin is not black and white, but exists in a middle ground. On one hand, there's the sentiment that "Bitcoin is finished, sell everything now," and on the other hand, "Quantum is a scam, there's no risk whatsoever." Both extremes are wrong. The truth lies in a rational and feasible middle ground: Bitcoin faces clear engineering challenges, the parameters are known, research and development are underway, and time is tight but manageable—provided the community maintains a reasonable sense of urgency.The most dangerous thing isn't quantum computers, but the vicious cycle of public opinion oscillating between panic and indifference, preventing people from rationally considering a problem that can be fundamentally solved. Bitcoin survived the block size debate, the hacking of trading platforms, regulatory shocks, and the disappearance of its founder, and it can also survive into the quantum era. But this is contingent on the community starting now to prepare steadily, without panicking or giving up, and advancing with the robust engineering mindset upon which Bitcoin's strength lies. The house isn't on fire, and it may never even catch fire in the direction everyone fears. But cryptographic assumptions are never valid indefinitely. The best time to strengthen the foundations of cryptography is always before a crisis arrives, not after. Bitcoin has always been built by a group of people who plan ahead for threats that haven't yet occurred. This isn't paranoia; it's engineering thinking. [Foresight News]