The 2025 Nobel Prize validated quantum computing as established science. In 2026, the industry has shifted from "Quantum Advantage" to "QuOps" (error-free Quantum Operations) as the definitive metric for progress, reflecting a mature understanding that value comes from sustained operations, not raw qubit counts.
Google Quantum AI Publishes Cryptocurrency Whitepaper
Google Quantum AI's whitepaper - co-authored with Justin Drake (Ethereum Foundation) and Dan Boneh (Stanford) - is the most authoritative assessment of the quantum threat to cryptocurrency to date. Its headline result: Shor's algorithm against Bitcoin's ECDSA-256 now needs only ~1,200-1,450 logical qubits and fewer than 500,000 physical qubits, a 20x cut over prior estimates. With precomputation, the attack completes in roughly 9 minutes - inside Bitcoin's average block time.
The paper introduces a new attack taxonomy (On-Spend, At-Rest, On-Setup) and sharpens the 'burn or steal' dilemma facing the ~1.7 million BTC locked in P2PK addresses - permanently exposed coins that no fork can migrate. Google verified its findings with a zero-knowledge proof, so the resource estimates can be checked without releasing the attack circuits.
Caltech/Oratomic Show Shor's Algorithm Needs Only ~10,000 Physical Qubits
A Caltech-led paper, alongside the spin-out Oratomic, shows Shor's algorithm against ECC-256 can run on as few as ~10,000 reconfigurable atomic qubits - or ~26,000 in parallel mode for a roughly 10-day run. That is about 100x below prior neutral-atom estimates and two orders of magnitude under the ~1 million qubits typically cited for surface codes.
The breakthrough comes from high-rate qLDPC codes with ~30% encoding (about 1 logical qubit per 3.5 physical), paired with neutral-atom hardware that already runs at 6,100 coherent qubits today. Combined with Google's whitepaper - which needs only ~1,200 logical qubits - the two results sketch a credible CRQC that is far smaller and far closer in time than any prior analysis suggested.
Google Officially Warns Q-Day Could Arrive as Early as 2029
Google has set its first public timeline for post-quantum migration. VP of Security Engineering Heather Adkins and Senior Cryptology Engineer Sophie Schmieg warn that a cryptographically relevant quantum computer capable of breaking RSA and elliptic curve cryptography could exist as early as 2029. Google is already integrating ML-DSA into Android 17 and has proposed Merkle Tree Certificates to keep post-quantum signature overhead manageable in web PKI.
The world's most widely-used mobile OS and browser are now on a defined PQC schedule. Bitcoin and Ethereum governance still have no equivalent plan, and the gap is widening by the month.
Quantinuum "Skinny Logic" Achieves Record 2:1 Physical-to-Logical Qubit Ratio
Quantinuum's Skinny Logic initiative, demonstrated on its 98-qubit Helios trapped-ion processor, achieved 48 error-corrected logical qubits from 98 physical qubits - a 2:1 ratio. For comparison, surface codes (the dominant approach) typically require 500:1 to 1,000:1. Logical qubits outperformed their physical counterparts by 10 to 100x.
Why This Matters for Crypto: The Google whitepaper now sets the minimum attack threshold at ~1,200 logical qubits. The Oratomic paper shows this can be achieved with ~10,000-26,000 physical qubits using high-rate qLDPC codes. The Skinny Logic result is a separate approach (trapped-ion + modified surface codes) reaching 2:1, showing that the qubit overhead reduction is occurring across multiple hardware platforms simultaneously.
Google Expands into Neutral-Atom Quantum Computing
Google Quantum AI appointed Dr. Adam Kaufman (JILA Fellow, University of Colorado Boulder) to lead a new neutral-atom quantum computing team - a second hardware modality alongside its superconducting program. Neutral-atom arrays already exist at 10,000 qubits with reconfigurable "any-to-any" connectivity.
Why This Matters: Google's dual-modality strategy directly hedges the fast-clock vs. slow-clock uncertainty outlined in its own whitepaper. Neutral-atom platforms scale efficiently in the "space dimension." Google's cryptocurrency whitepaper notes that slow-clock (neutral-atom/ion-trap) CRQCs will be able to launch at-rest attacks even before on-spend attacks become feasible - and the Oratomic paper published the same week demonstrates this path is more accessible than previously thought.
PsiQuantum Breaks Ground on World's First 1-Million-Qubit Facility
PsiQuantum began construction at the Illinois Quantum and Microelectronics Park in Chicago - the first utility-scale quantum computing construction project in history. The facility is designed for a 1 million-qubit quantum supercomputer, funded with $1 billion from NVIDIA, BlackRock, and state partners.
This is no longer a lab experiment. Industrial-scale quantum infrastructure is being built now. PsiQuantum uses standard semiconductor fabs, giving quantum the same manufacturing economics as classical chips.
BTQ Technologies launched Bitcoin Quantum testnet v0.3.0 on March 19, 2026, the first working implementation of BIP-360 (Pay-to-Merkle-Root, P2MR), with 50+ miners and 100,000+ blocks. P2MR was merged into Bitcoin's BIP repository on February 11, 2026.
What it fixes is narrow. P2MR removes Taproot's key-path so a public key is no longer written on-chain, but only for new addresses, and only against At-Rest attacks (harvesting keys that already sit permanent on-chain, with no time pressure). The key still appears in the mempool on every spend, so On-Spend exposure is untouched, left to a future post-quantum-signature proposal.
And that is the easy part. P2MR does nothing for the ~$470 billion already in exposed addresses (all P2PK, all Taproot, every reused address), and migrating the rest is its own ordeal: Bitcoin's ~190 million UTXOs, at the chain's ceiling of ~7 transactions per second, would take roughly a year of blocks doing nothing but migration, multi-year in practice, and each migration spend briefly re-exposes the very key it is trying to protect. BIP-360 has no mainnet activation date, and SegWit and Taproot each took 7 to 8 years to adopt.
New Paper Reduces ECC Attack to 1,098 Logical Qubits (EUROCRYPT 2026)
A paper by Chevignard, Fouque, and Schrottenloher accepted at EUROCRYPT 2026 (ePrint 2026/280) demonstrates a space-optimised Shor's algorithm requiring only 1,098 logical qubits for 256-bit elliptic curve discrete logarithm - down from the previous minimum of 2,124. The method uses a Residue Number System and Legendre symbol compression to avoid modular inversion, achieving 3.12n + o(n) total qubits for an n-bit curve.
Important trade-off: This qubit-minimised result requires 22 independent runs and approximately 2^38.10 Toffoli gates each - a massively higher gate count than depth-optimised approaches. For early fault-tolerant hardware where logical qubits are the bottleneck, this provides a path to attacking ECC on smaller systems. For hardware where gate count is the bottleneck, Google's ~1,200-1,450 qubit / 18-23 minute approach remains more practical.
Turing Award Goes to Quantum Cryptography Founders for First Time
The ACM A.M. Turing Award - computing's highest honour - was awarded for the first time to quantum science. Charles H. Bennett (IBM Research) and Gilles Brassard (University of Montreal) share the $1 million prize for their foundational work on quantum information science, including the BB84 quantum key distribution protocol (1984) and quantum teleportation (1993).
Bennett and Brassard invented the quantum-safe cryptographic primitives that are now the backbone of post-quantum defence. Brassard himself noted the urgency of "harvest now, decrypt later" attacks at the award announcement.
Raccoon-G - First Post-Quantum Wallet with Full BIP32 HD Derivation
Researchers published the first post-quantum construction to recover full BIP32 hierarchical deterministic (HD) wallet functionality. Standard NIST PQC schemes (ML-DSA) destroy the linearity needed for non-hardened BIP32 derivation. Raccoon-G uses Gaussian-distributed secrets and full unrounded public keys to preserve it, with security proved under standard lattice assumptions. Trade-off: larger keys (~16 KB public key vs. 33 bytes for secp256k1).
Circle (USDC) Releases Q-Day Roadmap for Blockchains
Circle, issuer of USDC, published a detailed quantum preparation roadmap treating the entire blockchain stack as at risk. Key transitions: TLS 1.3 migration to X25519MLKEM768; replace elliptic curve SNARKs with quantum-resistant STARKs. U.S. and EU are expected to mandate PQC for critical infrastructure by 2030.
For Crypto: The first major stablecoin issuer has set a public timeline. 2030 regulatory mandates will compress the entire DeFi ecosystem's migration window.
Intel demonstrated the Heracles processor at ISSCC - a 3nm chip for Fully Homomorphic Encryption (FHE), which processes data without decrypting it. Performance: 1,074-5,547x faster than a 24-core Xeon CPU.
FHE makes quantum-safe, privacy-preserving cloud computing production-ready - enabling encrypted-by-default infrastructure even before Q-Day arrives.
IBM Quantum Simulates Real Magnetic Material - Verified Against Physical Lab Data
IBM and the DOE's Quantum Science Center used a 50-qubit Heron processor to simulate the magnetic crystal KCuF3, with results verified directly against neutron scattering experiments at Oak Ridge National Laboratory. This is the first time a quantum computer's output has been benchmarked against real physical material data rather than a classical computer.
This demonstrates that current "noisy" quantum hardware is already delivering scientifically reliable results at utility scale - before full fault tolerance is achieved. IBM projects fault-tolerant systems by 2029.
Silicon Quantum Processor Achieves Universal Logical Gate Set
Researchers at the Shenzhen International Quantum Academy demonstrated a silicon-based quantum processor executing a universal set of logical gate operations, including T-gates and CNOT operations, using five phosphorus donor nuclear spins in an isotopically purified silicon-28 lattice. Published in Nature Nanotechnology, the result validates error-corrected quantum computing on a platform fully compatible with existing CMOS semiconductor manufacturing.
Major national quantum investments announced: Karnataka, India ($114M for $20B quantum economy by 2035); Australia NRFC ($20M AUD for SQC atomic-scale semiconductor qubits); USA DOE ($37M for National QIS Research Centers); United Kingdom ($100M for Rigetti hardware development plus £2 billion ProQure program); Europe EC (€75M for EURO-3C quantum infrastructure). PsiQuantum's Chicago facility adds $1 billion - the largest single quantum infrastructure investment to date.
Fermilab-MIT Eliminate the Ion Trap Wiring Bottleneck
Fermilab and MIT Lincoln Laboratory demonstrated in-vacuum cryoelectronics for ion traps - mounting control chips directly inside the dilution refrigerator, eliminating the cable scaling problem that previously limited trapped-ion systems to dozens of qubits. This opens a credible path to tens of thousands of electrodes.
UC Santa Barbara Proposes CN Center - Stable Silicon Defect for Quantum Networking
UCSB researchers proposed the CN center silicon defect as a structurally stable telecom-band qubit emitter - solving the fragility problem of T centers caused by hydrogen migration during fabrication. Photonic Inc. is simultaneously exploring deuterium-substituted T centers for improved magnetic field control.
Telecom-band emitters are the foundation of modular quantum architectures that link distributed processors via standard optical fiber.
Niels Bohr Institute - Real-Time Qubit Monitoring During Computation
NBI researchers demonstrated a system that tracks qubit performance fluctuations in real time - down to fractions of a second - enabling dynamic noise correction during long computations. This is a prerequisite for Shor's algorithm, which requires sustained computation over extended periods.
Majorana Replication Controversy (Frolov et al., Science)
A team led by Sergey Frolov published replication studies in Science finding that signals previously interpreted as Majorana qubit signatures could be explained by simpler mechanisms when fuller datasets were analysed. The work underwent two years of peer review.
Context: This is separate from QuTech's February 2026 Nature paper demonstrating successful Majorana qubit readout via quantum capacitance, which remains uncontested. The controversy reinforces the value of diverse hardware strategies rather than undermining topological computing overall.
Nature Confirms "Vibe Shift" - Usable Quantum Computers Within a Decade
A major Nature news feature declares a "vibe shift" in quantum computing: researchers now believe useful quantum computers could arrive within 10 years, not decades. The article cites four teams - Google, Quantinuum, Harvard/QuEra, and USTC in China (Zuchongzhi 3.2) - that have demonstrated below-threshold quantum error correction, meaning logical error rates suppress exponentially as more qubits are added.
Key quotes:
- Dorit Aharonov (Hebrew University): "At this point, I am much more certain that quantum computation will be realized, and that the timeline is much shorter than people thought. We've entered a new era."
- Nathalie de Leon (Princeton): Describes the change as a "vibe shift" - "People are now starting to come around."
- Chao-Yang Lu (USTC): Expects a fault-tolerant quantum computer by 2035.
For Crypto: Four independent teams across three continents have now proven the fundamental physics of error correction works. The remaining challenge is engineering and manufacturing - a challenge with predictable scaling curves and massive investment behind it.
Iceberg Quantum Pinnacle Architecture Reduces RSA-2048 Breaking Requirement to Under 100,000 Physical Qubits
Iceberg Quantum (Sydney-based startup, $6M seed round) published the Pinnacle Architecture, a fault-tolerant quantum computing design using quantum LDPC codes instead of surface codes. Under standard hardware assumptions (physical error rate of 10⁻³, code cycle time of 1 µs, reaction time of 10 µs), the architecture factors RSA-2048 with fewer than 100,000 physical qubits - an order of magnitude below the previous best estimate of ~1 million (Gidney 2025).
How it works: The architecture uses three modular components: (1) Processing Units built from bridged QLDPC code blocks (specifically generalized bicycle codes) that encode 14 logical qubits in ~860 physical qubits at distance 16 - compared to 1 logical qubit in ~511 physical qubits for a surface code at the same distance; (2) Magic Engines that simultaneously produce and consume magic states for a continuous pipeline of T gates; and (3) Memory blocks for efficient qubit storage with parallel read access. A novel technique called Clifford frame cleaning enables flexible parallelism across processing units.
Key numbers for RSA-2048 factoring:
- Minimum qubits config: 97,000 physical qubits, ~1 month runtime
- Faster config: 151,000 physical qubits, ~1 week runtime
- Trapped ions: 3.1 million physical qubits, ~1 month runtime
Why This Matters for Crypto: Previous estimates assumed surface codes requiring ~1 million physical qubits for RSA-2048, placing CRQC capabilities beyond near-term hardware roadmaps. QLDPC codes compress this by 10x. Iceberg is already partnering with PsiQuantum (photonics), Diraq (spin qubits), and IonQ (trapped ions), all of which project systems of this scale within 3-5 years. While these results are based on simulations and theoretical resource estimates (not experimental demonstrations), they fundamentally reset the hardware threshold for cryptographically relevant quantum computing.
Important caveat: The paper does not address ECDSA/secp256k1 directly - the RSA result demonstrates the architecture's efficiency. Applying similar QLDPC-based architectures to elliptic curve cryptanalysis could yield comparable overhead reductions, potentially bringing the physical qubit requirement for Bitcoin key-breaking well below current 8 million estimates.
QuTech Achieves First-Ever Readout of Majorana Qubits (Nature)
Researchers at QuTech (Delft) and ICMM-CSIC (Madrid) demonstrated the first single-shot, real-time readout of quantum information stored in Majorana-based topological qubits, published in Nature. Using quantum capacitance as a global probe, the team distinguished even/odd parity states of a minimal Kitaev chain with parity coherence exceeding one millisecond.
Why This Matters: Topological qubits (Microsoft's primary approach) store information non-locally across Majorana zero modes, making them inherently resistant to local noise - but this same property made reading them a long-standing challenge. This breakthrough solves the readout problem without compromising topological protection, establishing the measurement primitive needed for functional Majorana-based quantum computers.
QuTech QARPET Chip Benchmarks 1,058 Spin Qubits at 2 Million Qubits/mm²
QuTech (TU Delft) published the QARPET platform (Qubit-Array Research Platform for Engineering and Testing) in Nature Electronics - a crossbar-tiled chip architecture that can host up to 1,058 semiconductor spin qubits in a 23×23 grid, requiring only 53 control lines. The chip achieves a potential density of approximately two million qubits per square millimeter.
Why This Matters: Scaling quantum processors requires understanding statistical qubit properties across large arrays. QARPET brings semiconductor qubit testing in line with traditional chip industry practices, enabling hundreds of qubits to be characterized in a single cooldown. This platform accelerates the path to million-qubit semiconductor quantum computers, which leverage existing CMOS fabrication infrastructure.
Reed-Muller Codes Enable Full Clifford Group Without Ancilla Qubits
Researchers from Osaka, Oxford, and Tokyo demonstrated that high-rate quantum Reed-Muller codes can implement the full logical Clifford group using only transversal and fold-transversal gates - no ancilla qubits required. This is the first such construction for a code family where logical qubits grow nearly linearly with block length.
Why This Matters: This provides another pathway (alongside QLDPC codes) to reduce the overhead of fault-tolerant quantum computing. Eliminating ancilla requirements for Clifford gates means fewer physical qubits needed per logical operation, further compressing the hardware threshold for cryptographically relevant computations.
ePrint 2026/106 - Revised ECDSA Attack Estimates (Kim et al.)
New research significantly revises the quantum resource estimates for breaking Bitcoin's secp256k1 curve. Kim et al. present optimized quantum circuits for Shor's algorithm on elliptic curves that achieve up to 40% improvement in the qubit-count × depth product compared to all previous work, including Roetteler et al. (2017) and Häner et al. (2020).
The widely-cited "~2,330 logical qubits" was the qubit-minimized design with impractically long runtime. A practical attack (completing in ~2 hours) requires ~6,500 logical qubits and ~8 million physical qubits. Maximum circuit depth of 2^28 is well below NIST's MAXDEPTH constraint of 2^40.
The bottom line: Current quantum hardware (Quantinuum Helios: 98 physical qubits, 48 logical) is still far from this threshold, but company roadmaps targeting utility-scale quantum by 2029-2033 place this within reach in the next decade.
ETH Zurich Demonstrates First Lattice Surgery on Superconducting Qubits
Researchers at ETH Zurich and the Paul Scherrer Institute demonstrated lattice surgery on a 17-qubit superconducting processor - the first time this critical operation has been performed on superconducting qubits. Published in Nature Physics, the team used a distance-three surface code to split a single logical qubit into two entangled logical qubits while continuously correcting bit-flip errors.
Why This Matters: Lattice surgery is the operation for fault-tolerant quantum computing. As researcher Ilya Besedin explains: "One could say that the lattice surgery operation is the operation, and all the others can be constructed from it." This clears a major hurdle for scaling superconducting quantum computers - the dominant architecture pursued by IBM, Google, and USTC - toward fault-tolerant systems capable of running Shor's algorithm.
Stanford researchers published a breakthrough in Nature: a novel optical cavity array that efficiently captures photons from individual atoms, enabling parallel readout of all qubits simultaneously. The team demonstrated a working 40-cavity array and a 500+ cavity prototype, with a clear path to tens of thousands.
Why This Matters: One of the biggest barriers to million-qubit quantum computers has been qubit readout - atoms emit photons too slowly and in all directions. Stanford's microlens-equipped cavities solve this by efficiently funneling light from each atom into a specific direction, even with fewer light bounces. The researchers envision "quantum data centers" where individual quantum computers are linked through cavity-based network interfaces to form quantum supercomputers.
Alice & Bob "Elevator Codes" Slash Error Rates 10,000x
Alice & Bob, the French cat-qubit quantum computing company (NVIDIA partner), announced "Elevator Codes" - a new error correction technique that achieves a 10,000× lower logical error rate while requiring only ~3× more qubits. The technique works by "moving" logical ancilla qubits up and down during computation to provide additional bit-flip protection.
Why This Matters: Error correction overhead is the single biggest obstacle to building useful quantum computers. Standard approaches require massive numbers of physical qubits per logical qubit. Alice & Bob's cat qubits are naturally protected against one error type (bit-flips); these elevator codes multiply that protection at minimal cost, potentially making useful quantum computers feasible much sooner than expected.
Ultra-Fast Photonic Phase Modulator for Quantum Computing (JMU Würzburg)
German researchers at Julius Maximilian University of Würzburg developed an ultra-fast, ultra-low-loss optical phase modulator by integrating ferroelectric barium titanate crystals into III-V photonic platforms. Backed by €6.6 million in federal funding, the chip controls light signals at extremely high speeds with almost no losses.
Why This Matters: Quantum photonic circuits require components that combine very high speed with extremely low optical losses - even tiny losses collapse quantum states. This modulator could speed up the transition of quantum photonics from laboratory experiments to practical, large-scale technologies.
USTC Zuchongzhi 3.2 Joins Below-Threshold QEC Club
China's University of Science and Technology (USTC) demonstrated fault-tolerant quantum error correction below the surface code threshold using the 107-qubit Zuchongzhi 3.2 processor. Published as an Editors' Suggestion in Physical Review Letters, the team achieved an error suppression factor of Λ = 1.40 using a distance-7 surface code - proving their system operates below the critical error threshold.
The fourth team: This makes USTC the fourth team worldwide (after Google, Quantinuum, and Harvard/QuEra) to achieve below-threshold QEC, and the first outside the United States. Their novel all-microwave leakage suppression architecture suppressed leakage population by a factor of 72× - and crucially, it reduces wiring density inside the dilution refrigerator, offering a scalability advantage.
Ubuntu 26.04 LTS Ships with Post-Quantum Cryptography by Default
Ubuntu 26.04 LTS ("Resolute Raccoon," releasing April 23, 2026) will ship with post-quantum cryptography enabled by default in OpenSSH and OpenSSL, using hybrid post-quantum algorithms. This marks the first major Linux distribution to make PQC the default for all encrypted communications.
Why This Matters for Crypto: When the world's most popular server operating system makes PQC the default, it signals that the post-quantum transition is no longer theoretical - it's shipping in production infrastructure. Bitcoin and Ethereum still use quantum-vulnerable ECDSA as their sole signature scheme. The contrast is stark: Linux servers protecting SSH connections with hybrid PQC while billions in crypto remain protected only by secp256k1.
Los Alamos National Laboratory Establishes Center for Quantum Computing
Los Alamos National Laboratory formed a dedicated Center for Quantum Computing, consolidating up to three dozen quantum researchers across national security, algorithms, computer science, and workforce development. The center supports DARPA's Quantum Benchmarking Initiative, the DOE's Quantum Science Center, and NNSA's Beyond Moore's Law project.
PQC Signature Upgrades Alone Cannot Support Coherent Bitcoin Migration
A new preprint by Michael Strike (Quantum Compliance, LLC) formally demonstrates that post-quantum digital signature algorithms alone are insufficient to support a coherent migration of Bitcoin under its existing protocol semantics. Rather than evaluating specific cryptographic constructions or governance mechanisms, the analysis focuses on structural constraints arising from Bitcoin's definitions of ownership, validity, and consensus as originally specified by Nakamoto.
The core finding: By holding Bitcoin's fundamental assumptions fixed - signature-defined ownership, immutable ledger history, and independent node validation - the paper characterizes a protocol-semantic constraint showing that certain migration objectives cannot be simultaneously satisfied without modifying underlying consensus semantics. The analysis is non-temporal (it does not depend on when a CRQC arrives) and does not propose specific migration mechanisms.
Why This Matters: This formalizes what the practical migration analysis already suggests - that Bitcoin's quantum migration challenge is not merely a cryptographic problem (swap ECDSA for Dilithium) but a fundamental protocol-design problem. Even with perfect PQC algorithms, Bitcoin's ownership model creates migration constraints that cannot be resolved without consensus-level changes. This adds formal rigor to the "defensive downgrade" thesis.
QLDPC codes rewrite the playbook: Iceberg Quantum's Pinnacle Architecture shows RSA-2048 can be broken with under 100,000 physical qubits using QLDPC codes - 10x fewer than surface code estimates. Hardware partners PsiQuantum, Diraq, and IonQ project systems of this scale within 3-5 years.
Four teams below threshold: Google, Quantinuum, Harvard/QuEra, and USTC have all independently demonstrated below-threshold QEC. Two years ago, zero had.
Topological qubits take a leap: QuTech demonstrated the first-ever readout of Majorana qubits via quantum capacitance (Nature), solving a decade-old experimental challenge. Microsoft's topological approach gains credibility.
Lattice surgery demonstrated: ETH Zurich performed the first lattice surgery on superconducting qubits - the critical missing operation for fault-tolerant computing.
Error correction economics transforming: Alice & Bob's Elevator Codes (10,000× error reduction for 3× more qubits), IonQ's Beam Search Decoder (17× error reduction), and Reed-Muller codes eliminating ancilla overhead are changing the cost equation from multiple directions simultaneously.
Million-qubit scaling path visible: Stanford's cavity-array microscope demonstrates parallel qubit readout at scale. QuTech's QARPET benchmarks 1,058 spin qubits at 2M/mm² density. Path to 100,000+ qubits now engineering, not physics.
Infrastructure moving: Ubuntu 26.04 ships PQC by default. Los Alamos consolidates quantum center. PsiQuantum appoints AMD/Xilinx veteran as CEO for deployment phase. DARPA Stage B has 11 companies. 2026 is the year quantum moves from labs to deployment.
Japanese startup blueqat displayed the first domestically developed semiconductor quantum computer at SEMICON Japan 2025, using single-electron transistors on silicon at 0.3 Kelvin-significantly warmer than superconducting systems.
Why This Matters: Cost under ¥100M (~$670K USD)-1/30th the price of superconducting systems. Power: 1,600W vs. tens of kilowatts. Compatible with standard CMOS manufacturing. Desktop form factor.
The Threat Acceleration: Silicon quantum computing leverages existing semiconductor fabs, potentially achieving "Moore's Law economics"-costs falling with volume, yields improving with iteration. This could dramatically compress timelines to CRQC capabilities. Target: 100 qubits by 2030.
MIT Achieves Scalable Chip-Based Trapped Ion Cooling
MIT and Lincoln Laboratory demonstrated polarization-gradient cooling on photonic chips-cooling ions 10x below the Doppler limit in 100 microseconds using integrated nanoscale antennas.
Why This Matters: Traditional trapped-ion systems require bulky external optics, limiting scaling to dozens of ions. Chip-based integration enables thousands of ion sites on a single chip with improved stability. This removes a critical barrier to scaling trapped-ion quantum computers-a leading architecture for achieving the qubit fidelities needed for cryptographic attacks.
Equal1 raised $60M for its Bell-1 silicon quantum server-already shipping to ESA's Space HPC Centre. Rack-mounted, datacenter-ready, no dilution refrigerators required. Uses standard semiconductor manufacturing.
Timeline Compression: Leveraging existing fabs enables semiconductor economics (costs fall with volume). Already in production while other architectures remain in lab. This commercialization path could accelerate CRQC timelines.
Year of Quantum Security (YQS2026) - Threat Declared Operational
FBI, CISA, and NIST launched the "Year of Quantum Security 2026" initiative in Washington D.C., declaring the quantum threat has transitioned from theoretical to operational. Federal agencies face mandates to complete cryptographic transitions by 2035-requiring immediate action since infrastructure upgrades take 5-7 years.
The "Harvest Now, Decrypt Later" Crisis: Adversaries are actively intercepting and storing encrypted blockchain transactions today for future quantum decryption. Any data with a shelf life beyond "Q-Day" is effectively compromised now if intercepted.
Critical Math: If Q-Day is 8 years away (2034) and migration takes 5-7 years, organizations starting today are "barely on time." Bitcoin and Ethereum have not begun mandatory migration.
Quantinuum Files for $20B+ IPO - The "Netscape Moment"
Quantinuum filed confidential IPO registration targeting $20+ billion valuation. Analysts call this quantum's "Netscape moment"-institutional capital now views quantum as commercially viable, not speculative research.
Timeline Acceleration: Public markets provide capital for rapid scaling, talent acquisition, manufacturing. Quantinuum demonstrated 100 reliable logical qubits in 2025 with error rates 800x lower than physical qubits-proof of commercial viability.
2026 Timeline Compression: All Barriers Falling Simultaneously
Silicon Economics: blueqat ($670K systems), Equal1 (shipping now), Intel/AIST partnerships leverage existing fabs-potential "Moore's Law" scaling for qubits.
Error Correction Solved: 120 QEC papers (2025) vs. 36 (2024). IonQ Beam Search (17x error reduction), Japanese near-theoretical accuracy. Critical bottleneck eliminated.
Commercial Capital: Quantinuum $20B+ IPO, D-Wave $550M acquisition, Equal1 $60M. Research grants → commercial markets = exponential acceleration.
Physics Risk Gone: Google Willow proved below-threshold error correction. Scaling to millions of qubits is now pure engineering.
Expert Consensus Shifting: Conservative "2035+" timelines increasingly questioned. Multiple paths to CRQC validated simultaneously.
D-Wave Acquires Quantum Circuits for $550M, Targets 2026 Gate-Model Launch
D-Wave acquired Quantum Circuits Inc. ($550M: $300M stock, $250M cash), combining annealing and error-corrected gate-model technologies. Dr. Rob Schoelkopf (inventor of transmon and dual-rail qubits, Yale professor) joins to lead gate-model development.
Key Milestone: D-Wave demonstrated "scalable, on-chip cryogenic control" for gate-model qubits-industry-first breakthrough removing a major scaling obstacle. First dual-rail system planned for general availability in 2026.
What This Means: Only company with both annealing (optimization) and gate-model (cryptography-relevant) capabilities. Brings gate-model to market years ahead of previous projections.
International team published comprehensive Nature Photonics review showing quantum structured light has progressed from experimental curiosity to compact chip-based technologies. High-dimensional photons enhance quantum communication security and computing efficiency.
Practical Impact: Holographic quantum microscopes for biological imaging, extremely sensitive quantum sensors now viable. Field reaching turning point for commercial deployment.
IonQ's new Beam Search Decoder achieves 17x reduction in logical error rate and 26x faster runtime, executing in under 1 millisecond on a standard CPU. IonQ estimates three 32-core CPUs could correct 1,000 logical qubits, versus 1,000 FPGA decoders for equivalent superconducting systems.
The QEC Report 2025 identified real-time decoders as the critical remaining bottleneck. IonQ's decoder directly addresses this, de-risking their 2028 roadmap target of 1,600 logical qubits. Their 2030 target of 40,000-80,000 logical qubits would far exceed the ~2,330 threshold.
Japanese Team Achieves Error Correction Near Theoretical Limit
University of Tokyo researchers published a breakthrough in npj Quantum Information demonstrating error correction approaching the "hashing bound", the theoretical maximum. The method maintains accuracy even as system size grows, removing a major obstacle to scaling quantum computers to the sizes needed for cryptographic attacks.
A Nature Physics paper from University of Tokyo proves fault-tolerant quantum computation can achieve constant space overhead and polylogarithmic time overhead simultaneously, meaning qubit requirements don't scale exponentially with problem difficulty. This strengthens the theoretical foundation for practical cryptographic attacks at the scale needed.
D-Wave announced the industry's first scalable, on-chip cryogenic control for gate-model qubits, solving the problem where control-line complexity previously scaled unmanageably with qubit count. D-Wave's stock has risen from under $1 to nearly $31 over two years.
The 2025 Nobel Prize in Physics went to John Clarke (UC Berkeley), Michel Devoret (Yale/Google Quantum AI), and John Martinis (UCSB/Qolab) for demonstrating macroscopic quantum tunneling in superconducting circuits, the foundation of today's quantum processors. Martinis led Google's quantum supremacy demonstration. The Nobel committee explicitly cited "quantum computers" as an application.
Silicon Quantum Computing (Sydney) published an 11-qubit processor in Nature achieving 99.99% single-qubit and 99.90% two-qubit gate fidelities, crossing the threshold for practical error correction. Coherence times reached 660 milliseconds. Silicon qubits can leverage existing semiconductor manufacturing, enabling industrial-scale production.
Scalable Optical Modulator for Trapped-Ion Systems
University of Colorado and Sandia Labs published a CMOS-fabricated optical phase modulator in Nature Communications, 80x more power-efficient than alternatives. This removes a scaling barrier for trapped-ion systems (IonQ, Quantinuum), enabling mass-producible control hardware for their high-fidelity qubits.
Researchers achieved 99.999% success rates for Shor's quantum factoring algorithm across over one million test cases, up from unreliable single-digit percentages in traditional implementations. The paper explicitly notes this is designed for "quantum cryptanalysis." One execution now suffices where thousands were previously needed.
Dutch company QuantWare unveiled the VIO-40K: 10,000 physical qubits via 3D chiplet architecture with NVIDIA integration. Shipments begin 2028 at ~€50 million per chip. They're also building Kilofab, one of the largest quantum fabrication facilities planned.
10,000 physical qubits represents significant scaling progress, though fault-tolerant logical qubit yields depend on achieved error rates and code distance. At current error rates, this might yield tens of logical qubits; with improved fidelity, potentially more.
Photonic Inc. released the first resource estimates for running Shor's algorithm on networked quantum computers, accounting for distributed computation costs. Previous estimates assumed monolithic systems. Attackers can network smaller systems together rather than building one massive machine.
Tsinghua University achieved 78,400 optical tweezer spots using a single metasurface (nearly 10x current limits). Optical tweezers trap atoms in neutral-atom quantum computers (the platform holding the 6,100-qubit record). This shows the path to 100,000+ qubit systems.
Google Quantum AI demonstrated quantum computers that learn from their own errors and continuously self-calibrate. The reinforcement learning system achieved 3.5x improvement in error rate stability and 20% beyond human-expert tuning, managing over 1,000 control parameters. This enables sustained computation over the extended periods required for Shor's algorithm.
Published in Nature, Caltech created the largest qubit array ever: 6,100 neutral cesium atoms with 13-second coherence times (10x previous records) and 99.98% manipulation accuracy. The researchers stated they're "close to a truly scalable platform." Scaling is now an engineering problem, not physics.
Japan announced a 600km quantum-encrypted fiber network linking Tokyo, Nagoya, Osaka, and Kobe. Operational 2027, full deployment 2030. Purpose: defend financial and diplomatic communications against harvest-now-decrypt-later attacks. Investment: tens of billions of yen. Nation-states are preparing; Bitcoin has no quantum protection.
Tsinghua Demonstrates Quantum Factoring on Hardware
Tsinghua University factored N=35 on a superconducting quantum computer using optimized Regev's algorithm, reducing space complexity to O(n log n) (the theoretical minimum). This is a direct demonstration of quantum cryptographic attacks on real hardware.
IBM and Cisco announced plans to network fault-tolerant quantum computers. Proof-of-concept by early 2030s, "quantum internet" by late 2030s. Networked systems can combine computational power, reducing the single-machine requirements for cryptographic attacks.
Riverlane's 2025 report (25 experts including Nobel laureate John Martinis): 120 QEC papers in 2025 vs 36 in 2024. All major qubit types crossed 99% two-qubit fidelity. Seven error correction codes now have working hardware. Critical bottleneck identified: 1μs real-time decoders. IonQ's January 2026 decoder addresses this.
Published in Nature Communications: first quantum teleportation between photons from distinct semiconductor sources with >70% fidelity. Previously maintained entanglement across 36km of urban fiber. Enables distributed quantum computing across geographic distances.
IonQ acquired Skyloom Global (90 Space Development Agency-qualified optical terminals deployed). IonQ is simultaneously building cryptographically-relevant quantum computers (1,600 logical qubits by 2028, 40,000-80,000 by 2030) and global infrastructure to connect them.
Published in Nature: first complete, scalable fault-tolerant architecture using 448 neutral atoms with 2.14x below-threshold error correction, meaning errors decrease as more qubits are added. Senior author Mikhail Lukin (Harvard): "This big dream...is really in direct sight."
Published in Science: strontium titanate demonstrates 40x stronger electro-optic effects than lithium niobate at cryogenic temperatures. Compatible with semiconductor fabrication for wafer-scale production. Better materials mean better qubit control and lower error rates.
Published in Nature Communications: quantum entanglement sustained over 2,000-4,000 km (200-400x improvement). Distributed quantum systems can combine power across continental distances, reducing single-machine requirements.
Published in Nature: quantum coherence exceeding 1 millisecond (15x industry standard). Compatible with existing Google/IBM processors. Researchers: "By end of decade we will see scientifically relevant quantum computer."
Quantinuum announced Helios: 98 physical qubits with 99.921% two-qubit gate fidelity (the highest in the industry). They demonstrated 48 "logical qubits" using the Iceberg code at a 2:1 encoding ratio, achieving "better than break-even" performance where encoded qubits outperform unencoded ones.
Important context: The Iceberg code is distance-2, meaning it can detect errors but not correct them. Fault-tolerant logical qubits for Shor's algorithm require higher-distance codes with hundreds to thousands of physical qubits each. Helios represents significant progress in fidelity, but the path to cryptographically-relevant quantum computing still requires major scaling.
IBM released Nighthawk (120 qubits) and Loon (112 qubits) processors with all hardware elements for fault-tolerant computing. Roadmap: Starling (2029, 200 logical qubits), Blue Jay (2033, 2,000 logical qubits). The ~2,330 threshold falls between these milestones.
University of Oxford physicists achieved a single-qubit error rate of 0.000015% (99.999985% fidelity), using electronic microwave signals to control trapped calcium ions at room temperature. This is nearly an order of magnitude better than previous records.
Microsoft unveiled a family of four-dimensional geometric codes that achieved a 1,000-fold reduction in error rates while requiring 5x fewer physical qubits per logical unit. This directly compresses the timeline to cryptographically relevant quantum computers by reducing physical qubit overhead.
March 2026 marked the shift from quantum research to quantum urgency. Back-to-back on March 30 and 31, Google Quantum AI cut the Bitcoin attack threshold to under 500,000 physical qubits with a 9-minute on-spend window, and Caltech/Oratomic showed the same attack on ~10,000 neutral-atom qubits, collapsing the old assumptions that millions of qubits are needed and that neutral-atom machines are too slow. Quantinuum's Skinny Logic, the EUROCRYPT paper (1,098 logical qubits), PsiQuantum's first utility-scale facility, $1.5 billion in new government funding, and a first quantum Turing Award rounded out the month. On defence, BIP-360 reached testnet with no mainnet timeline and no help for coins already exposed. The hardware is accelerating; the migration is not.
Key Technical Advances Accelerating the Threat
Seven independent areas of progress are converging faster than anticipated, with each breakthrough compounding the others to accelerate the timeline toward cryptographically-relevant quantum computers.
1. Stability: How Long Qubits Stay Usable
Qubits need to stay "alive" long enough to perform calculations. Recent advances extended this from microseconds to milliseconds, a thousand-fold improvement.
Recent advances:
- Caltech 6,100-Qubit Array (September 2025): 13-second coherence times, nearly 10x longer than previous similar arrays
- SQC 11-Qubit Processor (December 2025): 660ms nuclear spin coherence with Hahn echo refocusing
- Princeton 1ms Coherence (November 2025): 15x industry standard, 1,000x potential system improvement
- Stanford Strontium Titanate (November 2025): 40x stronger electro-optic effects at cryogenic temperatures, enabling better qubit control
Current records: neutral atoms (6,100 Caltech research; 1,600 Infleqtion commercial; 1,180 Atom Computing), superconducting (156 IBM Heron, 105 Google Willow), trapped ions (98 Quantinuum Helios). With hundreds to thousands of physical qubits needed per fault-tolerant logical qubit (surface codes), or under 100,000 via QLDPC codes, significant scaling is advancing rapidly.
Recent advances:
- QuTech QARPET (February 2026): 1,058 spin qubits at 2 million qubits/mm² density in crossbar architecture
- QuantWare VIO-40K (December 2025): 10,000-qubit processor shipping 2028
- Tsinghua Metasurface (December 2025): 78,400 optical tweezers demonstrated
- Caltech 6,100-Qubit Array (September 2025): Current neutral atom record
- Harvard/MIT/QuEra 448-Atom System (November 2025): Complete fault-tolerant architecture
- IBM Nighthawk/Loon (November 2025): 120/112 qubits with fault-tolerant features
4. Reliability: Making Systems More Stable as They Grow
Old problem: Adding more qubits made systems less reliable. New breakthrough: Systems now become more reliable as they scale up. This reverses a 30-year problem and makes large quantum computers actually buildable.
Recent advances:
- IonQ EQC (October 2025): 99.99% two-qubit gate fidelity (world record "four nines"), error rate 8.4×10⁻⁵ per gate, maintained without ground-state cooling. Basis for planned 256-qubit systems in 2026
- Infleqtion Sqale (September 2025): 12 logical qubits with error detection, first execution of Shor's algorithm with logical qubits, 1,600 physical qubits demonstrated
- Google RL-QEC (November 2025): 3.5x improvement in logical error rate stability using reinforcement learning; 20% beyond human-expert tuning
- SQC 11-Qubit Processor (December 2025): 99.90% two-qubit gate fidelity, 99.99% single-qubit fidelity in silicon
- QEC Report 2025 (November 2025): 120 peer-reviewed QEC papers in 2025 (vs. 36 in 2024); all major qubit types crossed 99% two-qubit gate fidelity
- Harvard/MIT/QuEra (November 2025): First complete fault-tolerant architecture with below-threshold performance
- Quantinuum Helios (November 2025): 99.921% gate fidelity (highest in industry)
7. Rational Design: Engineering Qubits to Specification
Moving from trial-and-error to computational design of quantum systems with predictable properties.
Recent advances:
- Wisconsin-Madison Asymmetric Rydberg Gate (December 2025): Modified π-2π-π protocol enables high-fidelity entangling gates without requiring strong Rydberg blockade, reaching within a factor of 1.68 of the fundamental lifetime limit. Enables long-range entanglement between neutral atoms, relaxing distance constraints for QLDPC code implementations.
- CU Boulder/Sandia Optical Modulator (December 2025): CMOS-fabricated acousto-optic phase modulator enabling scalable laser control for atom-based quantum computers
- Stanford Strontium Titanate (November 2025): Discovery of material optimized for cryogenic quantum operations
While Bitcoin and Ethereum scramble for solutions, centralized systems are already migrating. Banks, enterprises, and cloud providers are actively deploying post-quantum cryptography to meet regulatory deadlines. The technology is ready and the migration is underway.
NIST Finalized Standards (August 2024)
Standard
Algorithm
Basis
Use Case
FIPS 204 (ML-DSA)
CRYSTALS-Dilithium
Module-Lattice
Primary choice for general use
FIPS 205 (SLH-DSA)
SPHINCS+
Stateless Hash
Backup if lattices fail
FN-DSA
FALCON
NTRU-Lattice
Constrained environments
NSA CNSA 2.0 Requirements
New national security systems quantum-safe by January 1, 2027
Full phase-out of non-compliant systems by 2030
Performance trade-off: SLH-DSA (SPHINCS+) signing is 2,200x slower than ECDSA P256 on ARM architectures. This overhead drives Ethereum's planned gas limit increases.
Major Infrastructure Already Migrated
Cloudflare (October 2025): Over 50% of Internet traffic now protected with post-quantum encryption (the largest PQC deployment globally). Cloudflare's infrastructure serves millions of websites, demonstrating PQC works at scale without performance issues.
AWS and Accenture: Launched comprehensive enterprise migration framework serving financial institutions, governments, and Fortune 500 companies. Their multi-year phased approach addresses the reality that complete migration takes 3-5 years, which is why they started now for the 2030 deadline.
The Contrast
Centralized systems: Migrating now through coordinated infrastructure updates. AWS, Cloudflare, Microsoft, Google managing the complexity for their customers.
Bitcoin/Ethereum: Must coordinate millions of independent users, update billions in hardware wallets, achieve network consensus, and hope for 100% participation. A process requiring 5-10 years that hasn't even started.
The infrastructure exists. The migration is happening. Traditional finance is preparing. Cryptocurrency is not.
Bitcoin uses two different cryptographic systems with vastly different quantum vulnerabilities:
SHA-256 (Mining) - Quantum-Resistant: Grover's Algorithm provides only quadratic speedup. Would require hundreds of millions of qubits to meaningfully impact mining. Effectively quantum-proof.
ECDSA secp256k1 (Transaction Signatures) - Vulnerable: Shor's Algorithm provides exponential speedup. Requires ~2,330 logical qubits minimum (Roetteler 2017) or ~6,500 for practical runtime (~2 hours, Kim et al. 2026). Highly vulnerable to quantum computers.
Result: The blockchain ledger remains safe, but individual wallet balances can be stolen because the cryptographic signatures proving ownership are vulnerable.
Bottom Line: Approximately 30% of all Bitcoin (~5.9 million BTC) has permanently exposed cryptographic keys that attackers are already harvesting today for future decryption.
The Two-Stage Quantum Threat
The quantum threat arrives in two waves, with different capabilities and target dates:
Stage 1: CRQC-Dormant (2029-2032) - Break keys over hours to days using "Harvest Now, Decrypt Later". Target: ~5.9 million BTC in dormant/exposed wallets (1.9M BTC in P2PK, 4M BTC in reused addresses, all Taproot addresses). Requirements: ~6,500 logical qubits with extended computation time (~2 hours per key, per Kim et al. 2026).
Stage 2: CRQC-Active (2033-2038) - Break keys within Bitcoin's 10-minute block time. Target: ALL 19+ million BTC during any transaction. Requirements: ~23,700 logical qubits with depth-optimized circuits (~48 minutes per key), completing 126 billion operations in <10 minutes.
Company Targets: IonQ aims for 1,600 logical qubits by 2028. IBM targets 200 logical qubits by 2029 (Starling) and 2,000 by 2033 (Blue Jay). Google aims for error-corrected system by 2029. Quantinuum targets "hundreds" of logical qubits by 2030.
Key Risk: Traditional estimates assumed 1,000-10,000 physical qubits per logical qubit. Quantinuum has achieved 2:1 ratio. With networking capabilities, multiple smaller systems can now work together to achieve the same result.
Bitcoin Wallet Vulnerability Breakdown
Permanently Exposed (Harvest Now, Decrypt Later)
Pay-to-Public-Key (P2PK): 1.9 million BTC - Public key directly recorded in UTXO. No protection possible. Includes Satoshi Nakamoto's ~1 million BTC.
Reused Addresses (All Types): 4 million BTC - Public key revealed after first spend. Any remaining balance permanently at risk.
Pay-to-Taproot (P2TR): Growing amount - Address directly encodes public key upon receiving funds. Immediate exposure upon first receipt.
Total Permanently Exposed: ~5.9 million BTC (28-30% of circulating supply). Pieter Wuille (Bitcoin Core developer) estimated ~37% in 2019.
Temporarily Exposed (10-60 Minute Window)
Fresh P2PKH, P2WPKH, P2SH, P2WSH: Only vulnerable during transaction (10-60 minutes in mempool).
Current safety: Safe until first use.
Attack requirement: Full Shor's algorithm execution in <10 minutes.
Protection: Never reuse addresses (but once exposed, protection is lost forever).
Government Warnings and Mandates
U.S. Federal Quantum Security Mandates
The U.S. government has issued comprehensive directives requiring transition to post-quantum cryptography across all federal systems and regulated industries.
NIST Post-Quantum Standards
August 2024
Published three quantum-resistant algorithms: ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+).
2030:ECDSA deprecated - discouraged for new systems
2035:ECDSA prohibited - banned from all federal systems
Now - 2030:All agencies must begin migration planning
Impact Analysis: ECDSA, including secp256k1, is the cryptographic foundation of Bitcoin and Ethereum. The U.S. government will officially classify this cryptography as insecure by 2035. These mandates will force governments and regulated institutions worldwide to prohibit holding or transacting these assets unless Bitcoin and Ethereum complete their complex multi-year upgrade process by these deadlines.
CNSA 2.0 mandates immediate planning for National Security Systems with specific algorithm requirements. High-value and long-lifetime assets must be prioritized. Complete transition by 2035.
The Federal Reserve explicitly warned that quantum computers pose an existential threat to cryptocurrency security. Nation-states are actively pursuing "Harvest Now, Decrypt Later" attacks. Current blockchain cryptography will be completely broken. Historical transaction data will be exposed. No major cryptocurrency is currently protected.
Adversaries are already collecting encrypted blockchain data today, planning to decrypt it once quantum computers become available. The Federal Reserve confirmed in October 2025 that these attacks are happening now, not in the future.
Why This Matters
Past transactions can never be secured retroactively - blockchain immutability makes this impossible
Privacy is compromised NOW, not in the future - your transaction history is already harvested
Every transaction made today is potentially vulnerable tomorrow when quantum computers arrive
Approximately 30% of all Bitcoin (~5.9 million BTC) has permanently exposed public keys waiting to be broken
No software update can protect these coins - they are mathematically doomed
Who's at Risk?
Satoshi Nakamoto's ~1 million BTC in Pay-to-Public-Key addresses
Anyone who has ever reused a Bitcoin address (4 million BTC exposed)
All Taproot (P2TR) address holders - keys exposed immediately upon receiving funds
High-value dormant wallets with no way to migrate to quantum-safe addresses
Future: Every Bitcoin and Ethereum user once quantum computers can break keys in 10 minutes
The Urgency Cannot be Overstated
Why 2026 is Critical
NIST mandates beginning migration in 2026 to have any hope of completing before quantum computers arrive. The math is brutal:
Quantum computers: 2029-2032 (converging timeline from IBM, Google, IonQ, Quantinuum)
Bitcoin upgrade process: 4-7 years minimum (SegWit took 2+ years just for consensus)
NIST deadline: 2030 deprecation, 2035 prohibition
Conclusion: Bitcoin needed to start 2-3 years ago
The Window is Closing
Every day without action makes the situation worse:
More transactions become vulnerable to HNDL attacks
The coordination challenge grows across millions of users
The migration window narrows while quantum computers improve exponentially
The risk increases that quantum computers arrive before migration completes
Adversaries continue collecting encrypted data for future decryption
The Migration Challenge
A fix existing is not the same as a network being safe. Safe means the entire stack is migrated before Q-Day.
Bitcoin: BIP-360 (P2MR) protects only new addresses, and only at rest - the moment a coin is spent its public key still appears in the mempool, and it does nothing for existing coins. BIP-361 (legacy signature sunset) proposes freezing or migrating exposed coins, but it is a draft with no activation timeline and freezing lost coins is contested. About 34% of all BTC (6.5 to 6.9 million, including ~1.7 million Satoshi-era) already have exposed public keys that no fix can hide. Moving Bitcoin's ~190 million UTXOs at the network's ceiling of ~7 transactions per second is roughly a year of blocks doing nothing but migration, and multi-year in practice - each migration transaction itself briefly exposes its key.
Ethereum: the Foundation targets core Layer-1 post-quantum upgrades by 2029, but that is the base protocol only (validator signatures, KZG commitments, ZK proofs). The value sits above it: hundreds of millions of ECDSA accounts, the entire smart-contract and DeFi stack, bridges, and Layer-2s, each with its own cryptographic dependencies. Many contracts are immutable and must be redeployed with liquidity migrated; composability means a single protocol depends on tokens, oracles, bridges, and an L2 that must all migrate compatibly. Per-account signature agility via EIP-8141 is still only proposed for late 2026.
The common thread: no agreed timeline, coordination across millions of users, post-quantum signatures tens of times larger than ECDSA, and a quantum clock that keeps speeding up. A base-layer upgrade is a milestone, not safety.
The QRL Difference
While Bitcoin and Ethereum face existential quantum threats and scramble for solutions, QRL has been quantum-secure since day one. Launched June 26, 2018 - mainnet operational for 7+ years. Using NIST-approved XMSS signatures (standardized 2020). Multiple external security audits (Red4Sec, X41 D-Sec). Already meets NIST 2030/2035 deadlines. Find out more.
No emergency scrambling. No panic-driven retrofits. No vulnerable past. Planned evolution when ready.
The Three Quantum Threats to Cryptocurrency
Quantum computing threatens cryptocurrency through three distinct attack vectors, each with different timelines and targets.
Bitcoin faces an impossible governance decision regarding the ~1 million BTC in Satoshi Nakamoto's P2PK wallets and other permanently-exposed addresses.
Approximately 5.9 million BTC (~$718 billion) have permanently exposed public keys that cannot be protected by any software update. These include Satoshi's ~1 million BTC, early miner rewards, and all addresses that have ever been reused.
Option 1: Do Nothing
Attackers steal billions in Bitcoin, devastating market confidence and creating the largest theft in history. Early adopters who secured the network lose everything.
Proponents: Those who believe property rights are absolute and the market should handle the fallout
Option 2: Freeze/Burn Exposed Coins
Violates Bitcoin's core principle of immutability. Sets precedent for future confiscation. Potentially illegal seizure of property. Could face legal challenges.
Proponents: Those who prioritize network security over individual property rights
Option 3: Force Migration with Deadline
Coins that don't move to quantum-safe addresses by deadline are frozen. But owners of lost keys, deceased holders, and long-term cold storage cannot comply.
Proponents: Those seeking a middle ground that preserves what can be saved
There is no good answer. Every option violates fundamental principles Bitcoin was built upon. The debate will likely split the community and could result in chain forks with different approaches. A February 2026 preprint by Strike formalizes this further, demonstrating that even with perfect PQC algorithms, Bitcoin's protocol semantics create migration constraints that cannot be resolved without modifying underlying consensus rules. The problem is structural, not merely cryptographic.
Beyond direct theft, quantum computing creates systemic risks that threaten cryptocurrency adoption and legitimacy.
Institutional Perception Risk
Even before quantum computers can break crypto, institutions may divest based on perceived future risk. Insurance companies, pension funds, and regulated entities face fiduciary duties that may prohibit holding assets with known future vulnerabilities.
Impact: Price collapse from institutional selling could occur years before actual quantum attacks.
Timeline: Could begin any time as awareness grows; accelerates as NIST 2030 deadline approaches
Quantum Archaeology
All historical blockchain data is public and immutable. When quantum computers arrive, every transaction ever made can be analyzed. Transaction graph deanonymization becomes trivial.
Impact: Complete privacy collapse for all historical Bitcoin/Ethereum activity. Every wallet, every transaction, every flow of funds exposed.
Timeline: Inevitable once Shor's algorithm is practical; cannot be prevented retroactively
Geopolitical Competition
Nation-states are racing to achieve quantum supremacy. China, US, EU investing billions in quantum computing. First nation to achieve cryptographically-relevant quantum computing gains massive strategic advantage.
Impact: Quantum capability could be used for economic warfare, targeting adversary financial systems including cryptocurrency.
Timeline: Multiple nations expected to achieve CRQC by 2030-2035
BIP-360 (now specified as Pay-to-Merkle-Root, authored by Hunter Beast) is the leading proposal, but it remains a draft with no agreed algorithm and no activation date, and it protects only new addresses. The community does not even agree on how urgent the problem is, which is itself part of the risk: the range of expert views below spans nearly two decades.
BIP-360: Pay-to-Merkle-Root (P2MR)
Author: Hunter Beast
Status: Draft - no agreed algorithm, no activation date
Introduces a new address type using NIST-approved post-quantum signatures (ML-DSA, SLH-DSA, FALCON), protecting only new addresses at rest
P2MR (Pay-to-Merkle-Root): hides the public key on-chain for new addresses
Protects only at-rest coins; the key still appears in the mempool on every spend
Backward compatible soft fork approach
No mainnet activation timeline; SegWit and Taproot each took 7 to 8 years to adopt
Challenges
Signature size: PQC signatures are 40-100x larger than ECDSA (gas cost explosion)
Block space: Migration of all UTXOs requires 76-568 days of block space
Consensus: No agreement on which algorithm to use (ML-DSA vs FALCON vs SLH-DSA)
Timeline: Process requires 4-7 years but quantum computers may arrive in 3-6 years
Exposed coins: No solution for permanently-exposed P2PK and reused addresses
Expert Opinions
Charles Edwards (Capriole)
Advocates for 2026 deployment; suggests coins that don't migrate to BIP-360 could be "burned" by 2028. Warns of 20-30% of Bitcoin being vulnerable to quantum attackers.
Adam Back (Blockstream)
Argues the quantum threat is "decades away" and pushes back against urgency, noting Bitcoin doesn't use encryption in the way many understand.
Jameson Lopp (Casa)
Agrees quantum isn't an immediate threat but estimates a full transition to quantum-resistant signatures would take 5-10 years to implement.
Willy Woo
Notes Taproot usage has fallen from 42% of transactions in 2024 to 20%, stating he's "NEVER seen the latest format losing adoption before."
Ethereum is pursuing quantum resistance through planned protocol upgrades, with key milestones in 2026.
Glamsterdam (H1 2026)
Gas limit increase from 60 million to potentially 200+ million to accommodate larger post-quantum signatures. Parallel transaction processing for improved scalability. ZK proof validation: validators move from re-running transactions to verifying ZK proofs.
Quantum Relevance: Gas limit expansion directly enables post-quantum signature deployment; ZK proof validation is a foundational step toward quantum-resistant execution
Status: Targeting H1 2026
Hegota (H2 2026)
Enshrined Proposer-Builder Separation (ePBS): decentralizes block production to defend against quantum-equipped actors dominating the proposer market. 128-bit provable security as foundation for institutional-grade financial applications.
Quantum Relevance: ePBS prevents quantum-advantage actors from monopolizing block production; 128-bit security provides quantum-resistant foundation
Status: Planned for H2 2026
ZK-STARKs for Quantum Resistance
Ethereum is prioritizing ZK-STARKs (based on hash functions) over ZK-SNARKs (based on elliptic curves) because STARKs are quantum-resistant. As Ethereum Foundation researcher George Kadianakis noted: "A soundness issue in ZK-EVMs is catastrophic: if an attacker can forge a proof, they can mint tokens from nothing."
Quantum Relevance: ZK-STARKs provide quantum-resistant zero-knowledge proofs, eliminating elliptic-curve assumptions from the proving system
Status: Active development
Advantages
Gas limit increases accommodate larger PQC signatures without breaking the fee market
The transition to quantum-resistant cryptography is inevitable. The question is not if but when, and whether migration can complete before attacks begin. Projects built quantum-safe from the start (QRL) avoid this risk entirely. Those facing migration (Bitcoin, Ethereum) are in a race against time with uncertain outcomes.
Expert Timeline Predictions
Nature Feature (Feb 2026)
"Vibe shift" - usable quantum computers within a decade. Four teams now below QEC threshold.
Dorit Aharonov (Hebrew University)
"We've entered a new era...the timeline is much shorter than people thought" (Feb 2026)
Fred Chong (U Chicago, ACM Fellow)
"We're very comfortably in era of escape velocity. Building a big useful quantum computer is no longer a physics problem but an engineering problem."
Scott Aaronson (UT Austin)
2025 "met or exceeded" expectations. Compares PQC migration urgency to Frisch-Peierls memo of 1940.
Charles Edwards (Capriole)
"Quantum Event Horizon" is 2-9 years away
Adam Back (Blockstream)
Meaningful threat 20-40 years away
Michele Mosca (Waterloo)
1-in-7 probability public-key cryptography broken by 2026
Chainalysis
5-15 years before quantum computers could break current standards
Alice & Bob CEO (Nvidia partner)
Quantum computers powerful enough to crack Bitcoin "a few years after 2030"
Chao-Yang Lu (USTC)
Expects fault-tolerant quantum computer by 2035
Infleqtion (September 2025)
First execution of Shor's algorithm on logical qubits; targeting 1,000 logical qubits by 2030. Going public on NYSE as INFQ.
IonQ Roadmap
99.99% two-qubit gate fidelity in lab; 256-qubit system planned 2026; 1,600 logical qubits by 2028; targeting 2 million physical qubits by 2030