
TL;DR:
Google's Willow chip just crossed a 30-year threshold. We're at 105 qubits now, and millions are needed to break crypto. Vitalik Buterin sees a 20% chance before 2030.
$40B/year being spent globally on quantum research; breaking ECDSA estimated to cost $10B
1-4 million BTC (20% of supply) directly at risk due to exposed public keys, including Satoshi's coins. Requires controversial hard fork to upgrade; "ossification" philosophy makes changes difficult
On the Ethereum side, public keys have been hashed from day one, only exposed during transactions (narrow attack window). Account Abstraction enables signature upgrades without protocol changes, and only 0.1% of ETH supply is vulnerable compared to Bitcoin's 20%.
Beam Chain is planned on a 5-year timeline, targeting quantum resistance everywhere by ~2030. Ethereum is already working on upgrades: replacements for the BLS signatures used in consensus, blobs with post-quantum commitments, and Verkle trees using Poseidon hash functions.
Quantum isn't killing crypto today, but upgrading blockchains takes years. Protocols that can adapt will survive while rigid ones face existential crisis, and the real race is on: who builds a scalable quantum computer first, and will crypto be ready?

For the past year, one question has consumed the crypto ecosystem:
Can quantum computers one day destroy Bitcoin, Ethereum, or all modern crypto?
The question isn't new. But in the last two years it has reignited, both in academia and on X. Why?
December 2024: Google CEO Sundar Pichai announced Willow, a new quantum chip. "We've solved a 30-year challenge," he said.
November 2025: At Devconnect Buenos Aires, Vitalik Buterin, referencing Metaculus predictions, said he sees "about a 20% chance of a cryptographically relevant quantum computer before 2030."
Scott Aaronson - a theoretical computer scientist with 20 years of experience in quantum computing - wrote on his blog:
"Given the current staggering rate of hardware progress, I now think it's a live possibility that we'll have a fault-tolerant quantum computer running Shor's algorithm before the next U.S. presidential election."
So quantum computers are no longer the "distant future" of science; they're a topic strategically affecting the sector today.
Scott Aaronson calls Google's Willow chip an "engineering milestone."
What exactly happened?
For 30 years, we knew in theory: if you can make clean enough quantum bits (qubits), you can correct errors and keep the system stable longer. But it took 30 years to actually demonstrate this in practice.

Willow contains 105 quantum bits. And for the first time, it proved something: as you scale up the system (use more bits), you actually get better performance. That means crossing a critical threshold.
But - and this is an important "but" - this still isn't enough to break ECDSA.
Breaking ECDSA (the signature scheme Bitcoin and Ethereum use) requires millions of quantum bits. Willow has 105. So there's still a massive gap.
An analogy: the first airplane was the Wright Brothers' plane that stayed airborne for 12 seconds. It was important, but not enough for transatlantic flights. Willow is like that - an important step, but not yet at the "crypto is dead" point.
So the question is no longer "is this possible?" but "when will it happen and who will do it first?"
The estimate shared at the 2024 Q2B conference: globally, about $40 billion per year is being spent on quantum research.
If you want to set up a serious quantum experiment today, you need to put a few hundred million dollars on the table. This is no longer a university lab thing, it's the domain of tech giants and governments.
To build a machine that can break ECDSA, the signature scheme behind Bitcoin and Ethereum? Steve Brierley (founder of the quantum company Riverlane) estimates $10 billion.
Three major figures in crypto have three different answers:
Adam Back (early Bitcoin developer, Blockstream CEO): "We're 20-40 years away. No point panicking now."
Nick Szabo (architect of pre-Bitcoin digital currency projects): "Yes, cryptography will break someday. But the real danger isn't quantum. It's government regulations, bans, pressure. Those are much closer and more real."
Vitalik Buterin (Ethereum founder): "There's a 20% chance before 2030. That might sound small, but upgrading a blockchain isn't like updating a browser. Years of testing, community decisions, risks... You can't just say 'we'll deal with it when it comes.'"
The impact of quantum computers on cryptographic systems has been debated for a long time. But these discussions often stay at a surface level like "will Bitcoin break?" The real issue is how durable the mathematical structures securing blockchain protocols today will be in the post-quantum era.
Both Bitcoin and Ethereum's security today relies on elliptic-curve digital signature algorithms. On Bitcoin's side, ECDSA (secp256k1); on Ethereum's side, both ECDSA and the BLS used for validator signatures.
With classical computers, getting from a public key to a private key would take longer than the age of the universe to compute. That's why there's no risk to ECDSA or BLS today.

The quantum threat, as Scott Aaronson explains, comes especially from Shor's algorithm. Shor's algorithm provides exponential speedup on the discrete logarithm problem that schemes like ECDSA and BLS rely on.
While classical methods require exponential time to factorize an n-digit number, Shor's algorithm solves it in just n^2 steps. This means a sufficiently powerful quantum computer could derive a private key from a visible public key, a capability unreachable by classical computers.
But as we mentioned earlier, for this capability to emerge, a few hundred qubit prototypes aren't enough. You need millions of error-corrected, stable qubits.

Shor's algorithm is very dangerous for ECDSA because it provides exponential speedup - it shrinks the problem astronomically.
But the quantum algorithm relevant to PoW mining, Grover's, isn't nearly that powerful. It only speeds things up by a square root.
A simple example:
Say you need to try 1 million combinations to break an encryption.
Classical computer: will try 1 million
Quantum computer: will try 1,000 (√1,000,000 = 1,000)
Good speedup, but not that destructive.
Also, quantum computers still bring a lot of "overhead." Error correction mechanisms are so heavy they eat up that speedup in practice.
In conclusion: For Bitcoin mining, the quantum threat isn't as urgent as signature breaking. It's a much longer-term issue.
"Q-Day" is often misunderstood. It's not the day Bitcoin or Ethereum breaks. Rather, it represents a threshold where signature schemes considered secure today could practically become vulnerable to attack.
As Vitalik Buterin emphasizes, this threshold doesn't mean chains will collapse; but it shows that the transition process to quantum resistant alternatives for structures like ECDSA and BLS needs to begin.
Bitcoin faces a two-front war against the quantum threat: ECDSA signatures and PoW. Both are at risk in different ways.
Let's start with Bitcoin's biggest open wound: 1-4 million Bitcoin are directly vulnerable.
Where does this number come from?
Satoshi's 1 million coins: In Bitcoin's early years, Satoshi mined about 1 million Bitcoin. These coins have never moved, and they use an old Bitcoin script type in which the public key sits directly on-chain.
Other lost/exposed coins: In total, about 4 million Bitcoin sit today in addresses with known public keys. Some are active, but most are lost or forgotten.
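The "addresses with known public keys" above come from two sources: old outputs that carry the raw key, and addresses that have already signed a spend (which reveals their key) but still hold coins. The inventory below is an added example, not the article's or any project's code; it assumes the standard Bitcoin script encodings (P2PK, P2PKH, P2WPKH, which the article doesn't name) and runs on constructed sample outputs.

```python
"""Inventory which Bitcoin outputs already have their controlling public key
on-chain (quantum-exposed) versus still hidden behind a hash.
Added example, not from the article; script encodings are the standard ones
(assumed, not named in the article): P2PK <push key> OP_CHECKSIG exposes the
key; P2PKH / P2WPKH commit to HASH160(key) until the address first spends."""
from typing import Optional
OP_0, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x76, 0x87, 0x88, 0xA9, 0xAC

def script_kind(spk: bytes) -> str:
    """Return 'p2pk', 'p2pkh', 'p2wpkh' or 'other' for a scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"                       # raw 33/65-byte key + CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    return "other"

def pubkey_hash(spk: bytes) -> Optional[bytes]:
    """The 20-byte HASH160 an address-style script commits to, if any."""
    return {"p2pkh": spk[3:23], "p2wpkh": spk[2:22]}.get(script_kind(spk))

def classify_utxo_set(utxos, spent_hashes):
    """Sum satoshis into 'exposed', 'hidden' and 'other'. utxos: (scriptPubKey,
    value) pairs; spent_hashes: HASH160s that have already signed a spend."""
    totals = {"exposed": 0, "hidden": 0, "other": 0}
    for spk, value in utxos:
        kind = script_kind(spk)
        if kind == "p2pk" or pubkey_hash(spk) in spent_hashes:
            totals["exposed"] += value      # key is already on-chain
        elif kind in ("p2pkh", "p2wpkh"):
            totals["hidden"] += value       # only a hash is on-chain so far
        else:
            totals["other"] += value
    return totals

# Constructed sample data, not real chain data.
SATOSHI_ERA_KEY = b"\x04" + bytes(range(64))     # 65-byte uncompressed pubkey
REUSED, FRESH, SEGWIT = b"\xaa" * 20, b"\xcc" * 20, b"\xbb" * 20
def p2pkh(h): return bytes([OP_DUP, OP_HASH160, 20]) + h + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_UTXOS = [
    (bytes([65]) + SATOSHI_ERA_KEY + bytes([OP_CHECKSIG]), 50 * 10**8),  # early P2PK coinbase
    (p2pkh(REUSED), 1 * 10**8),                  # address that already spent once
    (p2pkh(FRESH), 2 * 10**8),                   # never spent: key still hidden
    (bytes([OP_0, 20]) + SEGWIT, 3 * 10**8),     # P2WPKH, never spent
    (bytes([OP_HASH160, 20]) + b"\xdd" * 20 + bytes([OP_EQUAL]), 10_000),  # P2SH: 'other'
]
SPENT_HASHES = {REUSED}                          # its spend revealed the public key
```

Running `classify_utxo_set(SAMPLE_UTXOS, SPENT_HASHES)` puts the P2PK coinbase and the reused address into the exposed bucket; a real inventory would feed it the full UTXO set plus the hashes of every address that has ever spent.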
Today, these 1-4 million Bitcoin are worth hundreds of billions of dollars.
And when quantum computers arrive, all these coins become pirate treasure.
How long would breaking one key take? Initial estimates: one week.
But Steve Brierley's estimate: a few seconds.
Scott Aaronson said: "It varies wildly depending on architecture. Superconducting qubits: gate times 1000x faster. That's why you can get wildly different estimates."
If breaking a key takes a few seconds: an attacker could steal thousands of Bitcoin addresses in a day.
If it takes a week: one big target at a time.
Satoshi's coins aren't in one place. They're spread across dozens of addresses, each with 50 Bitcoin. Because back then, each block gave miners 50 Bitcoin.
Justin Drake has an interesting observation: This could be seen as a kind of "quantum reward."
Bitcoin's security depends on miners buying hardware and burning electricity. They need to be paid for this. Bitcoin's block reward is declining, and if transaction fees don't rise enough (by 2 orders of magnitude), security needs a solution.
If breaking a Satoshi address takes 1 day, 50 Bitcoin get "unlocked" per day. This becomes an incentive for quantum hardware and electricity, contributing to the network's security.
Of course, this is quite ironic: securing Bitcoin by slowly hacking its own lost coins.

Bitcoin has a technical solution: migrate to a new generation of quantum resistant encryption.
But this requires a hard fork.
One of Bitcoin's core values is "ossification". Freeze the protocol as much as possible, don't change it. Every change raises the question "who decides?" And for Bitcoin, this is an existential issue.
Even if Bitcoin upgrades, the 1-4 million lost coin problem won't be solved.

What can be done?
Option 1: Do nothing. Leave coins as they are. Whoever builds the first quantum computer wins.
Option 2: Freeze coins. Make these addresses unspendable through a fork.
Option 3: Burn coins. Delete them from the system entirely.
Option 4: Prove ownership with seed phrase. Freeze coins until real owners show their seed phrase.
But option four doesn't work for Satoshi. Because Satoshi probably used randomly generated keys without a seed phrase system. Today's 12-word system came later.
Every option interferes with property rights. For Bitcoin, this is hard to accept.
The emergency intervention for a software bug in 2010-2011 was very different from today's Bitcoin world where Michael Saylor and institutions have invested big money.
Grover's algorithm only provides square root speedup for mining. So it's not that destructive.
But the real risk is different: first-mover advantage.
Justin Drake's analysis: "If only a few entities in the world have scalable quantum computers, these entities can mine much more Bitcoin than everyone else."
Eventually, if everyone gets access to quantum computers, mining difficulty automatically adjusts and balance is restored. But the transition period is problematic.
No single entity should ever control 51% of the network. But there will probably be a "first mover." Among those who follow, there could also be big performance differences. Maybe 10x, maybe more…
For a few years, there could be a single dominant power.
What could this power do?
Scenario 1: Control the network cheaply. Get all mining rewards, but adjust difficulty so you don't burn much energy.
Scenario 2: Establish a transaction fee monopoly. A policy like "pay 3% per transaction" (like Visa). Or 30% like Apple.
Scenario 3: Decide to kill Bitcoin. First, open billions of dollars in short positions in the open market (there's $40 billion in Bitcoin derivatives today). Then attack the network, block transactions. Attack cost: $1 billion, gain: $100 billion.
Of course, these are just theoretical scenarios.
Ethereum is in a very different position from Bitcoin. Because Ethereum has been preparing for this day for a decade.
The first difference: In Ethereum, address = hash(public key).

In Bitcoin, old coins keep the public key directly on-chain. In Ethereum, the public key has been hashed from day one. The public key only gets exposed when you send a transaction.
This significantly narrows the attack surface. A quantum thief only has a window of a few minutes, from when the transaction enters the mempool until it's included in a block.
If Scott Aaronson's estimate is correct (breaking a key takes a week), then no in-flight transaction can be broken.
But if Steve Brierley is right (a few seconds), then this protection isn't enough either.
Ethereum has 4 areas that need upgrading to become quantum resistant:
1. BLS Signatures (Beacon Chain)
Ethereum's proof-of-stake consensus uses BLS signatures. The advantage: it can compress thousands of signatures into one.

Problem: Not quantum resistant.
Solution: There are alternatives that do the same job but are quantum resistant. Ethereum Foundation researchers are working on it.
When the update happens, it will become clearer that proof of stake is much more secure against quantum than proof of work.
2. ECDSA (Accounts)
Similar situation to Bitcoin, but Ethereum has 2 advantages:
Advantage 1 - Account Abstraction: In Ethereum, accounts can choose their own signature methods. So the transition to quantum resistant signatures can begin without a major protocol change.
Tradeoff: post-quantum signatures are ~10x larger, which means ~10x more gas fees.
Solution: These large signatures can be compressed with SNARKs.
Advantage 2 - Automatic Transition System: A smart mechanism is being considered: When the existence of a small quantum computer is proven (small enough not to be dangerous yet but enough to say "quantum has arrived"), the system can automatically switch to secure mode. No one needs to decide.
3. Blobs (KZG Commitments)

Blobs use elliptic curve-based KZG, not post quantum secure.
Justin Drake isn't happy with current blobs: they're too big, not variable in size, and blob sharing and packing are complicated.
The new concept is Blob Abstraction: a smarter, smaller, more efficient system that is both better and quantum resistant. The timeline is the same as Beam Chain (4-5 years), but at a different layer of the stack.
4. Verkle Trees

This is about how Ethereum organizes all accounts and balances. The current system is quantum resistant, but the more efficient system that was being considered isn't.
The new plan is a system combining the advantages of both, efficient and quantum resistant, built on the Poseidon hash function.
Bitcoin has 1-4 million lost coins (20% of total supply).
Ethereum? Estimates suggest only a few hundred thousand ETH (around 0.1% of total supply).
This huge difference means Ethereum might not have to make hard decisions like "should we burn or freeze coins?" Social intervention might not be necessary for such a small percentage.
Vitalik's vision: "Quantum resistance everywhere"
Not just signatures; consensus, data structures, zk proofs... Everything will use long-lived, quantum resistant cryptography. The goal is to consolidate 20 years of innovation and research into a single system.
Justin Drake says the quantum narrative will age like fine wine, over the years. There's no need to rush, getting the Beam chain right is more important. The goal is post quantum cryptography within five years.
The US technology standards body (NIST) has set a similar timeline: ECDSA deprecation recommended in 2030, banned for regulated institutions in 2035.
Quantum computers might not just threaten crypto, they could create something entirely different.
There's a fundamental rule in quantum physics: the No-Cloning Theorem. You literally can't copy a quantum state; trying to measure it destroys it.

Since the 1960s, physicists wondered: could this create physically uncopyable digital money? Stephen Wiesner proposed the first scheme, but you had to take the money back to the bank for verification.
In 2009, Scott Aaronson solved this: publicly verifiable quantum money. Anyone can verify, but no one can duplicate.
The physics does the security work. No mining. No validators. No blockchain growing forever.
Scott Aaronson has an interesting memory from 2010:
"I was giving talks about quantum money. People came up and said 'there's Bitcoin.' I thought: blockchain grows forever, nobody wants that. I never considered buying any."
He was wrong about Bitcoin's success. But was he wrong about the idea?
Here's the thing: Quantum money doesn't have smart contracts or programmability. Just pure value transfer.
So it's not a replacement for Ethereum. But for Bitcoin's original vision, pure digital cash, no trusted third parties?
Maybe the final boss of digital money isn't even here yet.

Adam Back: "Quantum is far away, no panic."
Nick Szabo: "The real threat is state pressure, not quantum."
Vitalik: "Maybe it's far, but upgrading blockchain takes years, we should prepare now."
They all agree on one point: Modern cryptography won't last forever.
When quantum arrives, this phrase will probably turn into:
"If crypto survives, it'll be thanks to those who could adapt."
We're at 1 logical qubit now. Millions needed for danger.
There will probably be a "game of chicken": ignore, ignore, ignore... then panic.
What could the first signal be? Maybe an unexpected movement of Satoshi's 50 BTC address.
Quantum isn't today's crisis. But it's a stress test that will show which protocols are truly long-lived.
Crypto already knows how to upgrade: we moved from PoW to PoS, adopted rollups, did hard forks.
Quantum is just the next exam.
It's not about who's immortal, but who can adapt in time.
Beril
Good
Noice project 👍
Another question is will AI be able to manipulate crypto???
At least it's still far away