Can a quantum computer break Bitcoin today?

No. No machine can run Shor's algorithm at cryptographic scale. The largest integer ever factored with a genuine, scalable Shor run is the textbook example 15. The documented risk is years out, not present.

Did Google's Willow chip break encryption?

No. Willow ran a random-circuit sampling benchmark and demonstrated below-threshold error correction. Google stated it remains at least about ten years from breaking RSA. Headlines about cracking encryption overstated the result.

Does a higher qubit count mean cryptography is about to break?

No. Logical, error-corrected qubits and qubit quality matter far more than raw physical counts, and counts across different platforms are not comparable. A quantum annealer such as D-Wave cannot run Shor's algorithm at all.

Is all my Bitcoin equally exposed to quantum attack?

No. Only exposed public keys are at risk, mainly reused addresses and old pay-to-public-key outputs. Funds in unspent hashed addresses keep the public key hidden until they are first spent.

Will quantum computers break Bitcoin mining and SHA-256?

Not meaningfully. Grover's algorithm gives only a quadratic speedup against hashing, which larger parameters offset. The real exposure is signatures, not hashing.

Is there anything that can be done about the quantum threat?

Yes. NIST has finalised post-quantum cryptography standards, major platforms are deploying them, and quantum-safe Bitcoin address schemes have been proposed. The defensive timeline is intended to finish before the threat lands.

A Living History

The Quantum Timeline

Track every major breakthrough in quantum computing — from the first qubits to the future milestones that could eventually threaten modern cryptography.

Current Bitcoin Quantum Index

/ 100

0 · No practical risk100 · Crypto broken

Updated: Today

Watch the history unfold

Drag to travel through time · Today

1982Today

Biggest remaining bottlenecks

What actually stands between today's machines and one that could break cryptography. Per the Global Risk Institute's 2024 expert survey, most respondents pointed to engineering challenges — not fundamental physics — as the obstacles still to clear.

Timeline statistics

What this page tracks, at a glance.

The quantum threat level — past & projected

The solid line is recorded history (the index reading after each milestone). The dashed line is a projection toward Level 100, built from expert timeline estimates — it is uncertain and widens the further out it goes.

Recorded history

Projected (low confidence)

Current position · 12 / 100

The milestones

Every entry uses the same format. Expand any milestone for the full record, including why it mattered, how it moved the index, and what it meant for Bitcoin holders.

Filter · show only

Future milestones & projected timeline

Where the timeline goes from here, with an estimated time range, a confidence rating, and a "what must happen first" checklist for each level.

These are projections, not achievements. Time ranges and confidence ratings are the index's own assessment, informed by the Global Risk Institute / evolutionQ Quantum Threat Timeline Report 2024 (32 experts: roughly 19–34% odds of a cryptographically-relevant machine within ten years; over half put ≥50% odds of an RSA-2048 break within fifteen years) and by published resource estimates (a 2025 Google analysis put RSA-2048 at under ~1 million noisy qubits — a ~95% reduction on earlier figures, yet still far beyond any machine that exists). None of the levels below has happened. Confidence falls as the horizon extends.

The Bitcoin timeline

Running beside the quantum track, so the relationship is clear.

Why Bitcoin's exposure is specific. Bitcoin signs transactions with elliptic-curve cryptography (ECDSA on the secp256k1 curve) — the kind of signature Shor's algorithm targets. Modern address types hash the public key, so the key stays hidden until coins are first spent. The vulnerable surface is therefore exposed public keys: reused addresses and very old pay-to-public-key outputs reveal a public key permanently. Estimates of how much BTC sits in quantum-exposed forms vary by methodology; treat any single percentage as analysis rather than a settled figure.

Common myths

The claims that get repeated most — and what's actually true.

What's next?

The signals the Quantum Risk Institute is watching — any of these could move the index.

Sources, accuracy & method

Recent milestones (2024–2026) were verified against primary sources during research for this page: Google Willow (blog.google & Nature, 9 Dec 2024); NIST FIPS 203/204/205 (csrc.nist.gov, 13 Aug 2024) and HQC selection (nist.gov, 11 Mar 2025); Microsoft Majorana 1 (Azure Quantum blog & Nature, 19 Feb 2025 — topological claims are contested in the physics community); IBM's fault-tolerant roadmap / Starling (ibm.com Quantum blog, 10 Jun 2025); Google's verifiable quantum-advantage result (22 Oct 2025). Forward-looking ranges draw on the Global Risk Institute / evolutionQ Quantum Threat Timeline Report 2024 and on published resource estimates including a 2025 Google analysis of qubits needed for RSA-2048.

Foundational and early-hardware entries (Feynman 1982, Deutsch 1985, Shor 1994, Grover 1996, NMR qubits 1998, factoring 15 in 2001, D-Wave 2011, IBM cloud 2016, Sycamore 2019, the 2022 Nobel, neutral-atom logical qubits 2023) are cited by their original publication or announcement. Those specific URLs were not re-verified live in the current session — confirm any link before publishing.

Threat-level values and projection ranges are the Bitcoin Quantum Index's own assessment (analysis), not measured physical quantities. Qubit counts, where given, are vendor- or paper-reported and mix incompatible platforms (gate-model, annealing, neutral-atom, topological) that are not directly comparable. No quantum computer can break Bitcoin's cryptography today; the documented risk is long-horizon and is being actively prepared for through standards and migration.