For years the correct answer to “can quantum computers break Bitcoin?” was a comfortable no, decades out. In 2026 the answer is still no - and the comfort is gone. A sequence of checkable events compressed the debate: a resource estimate fell by twenty times, a small key actually broke for a public bounty, the first defensive code shipped, and the industry began arguing - in formal proposals - about freezing Satoshi’s coins. This brief lays out the ledger: what is verified, what is projected, and where the sources genuinely disagree.
What verifiably changed
On 30-31 March 2026, Google’s Quantum AI team - with co-authors including Ethereum researcher Justin Drake and Stanford cryptographer Dan Boneh - published a paper estimating that breaking the elliptic-curve cryptography securing Bitcoin signatures could require fewer than 500,000 physical qubits, against prior estimates near nine million: a roughly twenty-fold reduction, with modelled attack runtimes measured in minutes. In April, researcher Giancarlo Lelli broke a 15-bit elliptic-curve key on publicly accessible quantum hardware, claiming a 1 BTC bounty from Project Eleven - a 512-fold advance on the September 2025 mark, against Bitcoin’s 256-bit keys. And the analyses converge on the real exposure: coins in addresses whose public keys are already visible on-chain - estimates run from Deloitte’s ~4 million BTC in directly exposing formats to the Google-paper-adjacent figure of ~6.9 million BTC, roughly a third of supply - including 2.3-3.7 million coins in wallets believed lost, which by definition can never migrate.
What did not change
The machines. The best 2026 hardware runs on the order of 1,000-1,500 physical qubits supporting perhaps a hundred logical ones - a gap of hundreds of times even against the aggressive new estimate, before the fault-tolerant engineering that does not yet exist. The threat model also stayed exactly where cryptographers have always put it: Shor’s algorithm against signatures - theft from exposed public keys - not against mining, which rests on far more quantum-resistant hashing. A quantum computer on this model steals coins; it does not rewrite the chain.
The timeline dispute, quoted fairly
Here the experts genuinely diverge, and the honest brief says so. Drake puts the odds of a quantum key-recovery against an exposed public key by 2032 at “at least 10%”. Project Eleven’s 110-page May report concludes Q-Day is “more likely than not by 2033, potentially as soon as 2030”, with over $3 trillion in elliptic-curve-secured digital assets in scope. Blockstream’s Adam Back argues the practical threat is 20-40 years out - while still urging preparation now, because migration itself needs a decade. ARK’s March assessment: Stage 0, no commercially relevant capability. And the co-author of the paper that started the year’s panic supplies its best counter-caution: Boneh warns that a hasty post-quantum transition “is more likely to cause a catastrophic bug than we’ll be attacked by a quantum computer.” Vitalik Buterin - whose 4 July “Lean Ethereum” roadmap made quantum resistance a headline priority - puts roughly a 20% probability on a cryptographically relevant machine before 2030. The institutional deadlines split the difference - NIST’s roadmap deprecates current encryption by 2030, Google set itself 2029 internally, Ripple committed the XRP Ledger to 2028.
Multiple outlets report BIP-360 - the quantum-resistant address proposal (Pay-to-Quantum-Resistant-Hash) - as “merged in February 2026”; others, in the same weeks, describe it as a draft with no activation mechanism proposed. Both can be technically true: assignment into the BIP repository is not a consensus change, and neither is a testnet. Nothing quantum-resistant is active on Bitcoin mainnet. Reader beware the verb “merged”.
The governance problem is the story
The hard part was never the mathematics - post-quantum signature standards have existed since NIST finalised them in August 2024. It is coordination: BIP-361, published 14 April 2026 by Jameson Lopp and five co-authors, proposes a phased migration with a sunset on legacy signatures - which means, bluntly, that unmigrated coins (Satoshi’s 1.1 million among them) would eventually freeze. Its own text names the nightmare being priced: a “covert bleed”, where a quantum-capable attacker drains exposed wallets quietly for months before anyone can prove Q-Day happened. Prepare too early and you carry bigger transactions and operational cost; prepare too late and the debate gets settled by an attacker. That asymmetry - not any single qubit count - is why the argument moved from forums to formal proposals this year.
- Logical-qubit milestones - error-corrected counts, not raw physical qubits, are the honest hardware metric.
- BIP-360/361 status changes - testnet → activation mechanism → mainnet: three different verbs, three different stories.
- The freeze debate - whether the network can agree to sunset legacy signatures before an adversary makes the argument moot.
- Harvest-now-decrypt-later - evidence of adversaries archiving chain data against future capability.
The Blockchain Desk covers markets because markets are where these systems are tested. Nothing on this desk is investment advice, and The Verifier holds no positions in the assets it covers.