Quantum Horizon: An evaluation of quantum computing as a threat to Bitcoin and Ethereum
Source: arXiv:2606.14484 · Published 2026-06-12 · By Iosif M. Gershteyn, Jacob A. Alber
TL;DR
This paper assesses the realistic threat quantum computing poses to Bitcoin and Ethereum, separating two frequently conflated quantum algorithms: Shor's and Grover's. Shor's algorithm threatens to break elliptic-curve signature schemes securing wallets (ECDSA over secp256k1 for Bitcoin and BLS over BLS12-381 for Ethereum), enabling key recovery and unauthorized spending. Grover's algorithm offers only a quadratic speedup on proof-of-work mining, which is effectively mitigated by network difficulty adjustments and the enormous hardware resources classical ASIC miners command. The work calibrates and integrates diverse data sources—algorithmic improvements, hardware scaling, fault-tolerant quantum operation readiness, and expert surveys—into a probabilistic Monte Carlo forecast of a cryptographically relevant quantum computer (CRQC). This forecast shows a bimodal timeline with around a 1-in-6 chance of such a machine by 2035, ~30% by 2040, and ~60% by 2050.
On exposure, about 30% of Bitcoin supply (~6M coins) is quantum-exposed at rest, but only about 2.3M coins are irreducibly at risk (lost or dormant, e.g. Satoshi coins); the remainder is migratable if owners act in time. Ethereum shows broader exposure because of its account-reuse model, with 50–65% of ETH held in used accounts whose keys are visible on-chain, but it benefits from flexible account abstraction that allows per-account post-quantum signature migration. The authors stress migration feasibility as the critical mitigation, with governance delays, not technical challenges, as the main constraint. None of the top 20 cryptocurrencies is currently post-quantum secure. The paper provides detailed evaluations, calibrated models, and reproducible forecasts to guide timely quantum migration planning.
Key findings
- Breaking Bitcoin’s secp256k1 requires approximately 1,200–2,330 logical qubits, equivalent to roughly 0.5–320 million physical qubits under current error correction assumptions (2026 hardware has only ~1,000–1,200 physical qubits and tens to ~100 logical qubits).
- Grover's algorithm yields only a quadratic speedup on proof-of-work mining; a single quantum machine at optimistic 100 GHz achieves about 21 TH/s against an 860 EH/s classical Bitcoin network (about 1/40,000,000th), making quantum mining practically useless.
- Bitcoin has roughly 6 million quantum-exposed coins (~30% supply) but only about 2.3 million (12% supply) are irreducibly at risk due to dormancy or lost private keys (e.g., Satoshi-era coins), with the rest migratable by sweeping to post-quantum addresses.
- Ethereum exposes 50–65% of ETH supply in used accounts whose public keys are visible on-chain, but these are mostly migratable via planned account abstraction on a per-account basis.
- Monte Carlo break-year forecast combining hardware scaling, algorithmic improvements, fault-tolerance delays, and expert survey estimates yields a bimodal distribution peaking near 2038–2040 (survey) and 2052 (physics), with a 1-in-6 chance of a CRQC by 2035, ~30% by 2040, ~60% by 2050.
- Mempool ‘sniping’ attacks exploiting public keys revealed during pending transactions have at best ~30–41% success rate assuming a fast-clock quantum machine, and only during the brief mempool window (~10 minutes).
- All of the top 20 cryptocurrencies are vulnerable to Shor’s algorithm on elliptic-curve or pairing-based signatures; none has fully deployed a post-quantum scheme, and migration progress ranges from none to early testnets (ratings of 1 to 4 on a 5-point scale).
- Migration race analysis shows that a migration started in 2026 and finishing by ~2029–31 beats even an optimistic early CRQC arrival (2035) by years; governance delay in starting migration is the primary existential risk.
Threat model
The adversary possesses a future cryptographically relevant quantum computer capable of running Shor’s algorithm to recover private keys from publicly revealed elliptic-curve public keys in signed transactions on Bitcoin or Ethereum, enabling unauthorized spending or validator key compromise. They cannot break unexposed keys, nor mount quantum proof-of-work mining at scale, owing to hardware and parallelization limits. The attacker is constrained by blockchain propagation delays and cannot forge blinded or post-quantum keys before migration. The threat excludes side-channel, social, or cryptanalytic attacks outside quantum key recovery.
Methodology — deep read
Threat Model & Assumptions: The adversary is a quantum attacker with access to a cryptographically relevant quantum computer (CRQC) capable of executing Shor's algorithm to recover private keys from publicly exposed ECDSA or BLS public keys on Bitcoin or Ethereum, enabling unauthorized spending. The attacker cannot break idealized hash functions or mine proof-of-work quantumly with meaningful speed. They must operate within network propagation constraints for mempool attacks. The threat excludes attacks on unexposed keys or data availability attacks involving short-lived aggregation proofs.
Data Collection and Exposure Analysis: On-chain analyses from multiple independent sources (Glassnode, Coinbase, CoinDesk, Deloitte) estimate the quantum-exposed coin counts on Bitcoin and Ethereum. For Bitcoin, script types are classified by whether they reveal the public key at rest: P2PK and P2TR outputs expose it, while P2PKH/P2WPKH outputs reveal the key only once it has been used to spend. Dormant coins (e.g., Satoshi-era coins) are classified as irreducibly at risk because their keys cannot be migrated. For Ethereum, the percentage of coins in accounts that have revealed their keys via signatures is aggregated, using ledger scans and previously published figures.
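To make the script-type rule concrete, here is an added classifier (not the paper's code) that applies the page's exposure categories (exposed at rest, exposed after a spend, dormant and therefore irreducible) to a constructed UTXO sample; the 10-year dormancy threshold and the sample amounts are assumptions.

```python
from collections import defaultdict

# Script types that reveal the public key while the coins sit unspent (page: P2PK, P2TR);
# P2PKH / P2WPKH only reveal the key once the owner has spent from that key.
EXPOSED_AT_REST = {"P2PK", "P2TR"}
EXPOSED_AFTER_SPEND = {"P2PKH", "P2WPKH"}

def classify_utxo(script_type, key_previously_spent_from, years_dormant, dormancy_cutoff=10):
    """Return 'irreducible', 'migratable' or 'protected' for a single UTXO.

    key_previously_spent_from: True if the same key already signed an on-chain
    spend (address reuse), which publishes the key for hash-based script types.
    years_dormant: years since the coins last moved; beyond the cutoff we treat
    the owner as absent, i.e. unable to migrate (assumed threshold, not the paper's).
    """
    if script_type in EXPOSED_AT_REST:
        exposed = True
    elif script_type in EXPOSED_AFTER_SPEND:
        exposed = key_previously_spent_from
    else:
        raise ValueError(f"unknown script type {script_type!r}")
    if not exposed:
        return "protected"
    return "irreducible" if years_dormant >= dormancy_cutoff else "migratable"

def exposure_split(utxos, dormancy_cutoff=10):
    """Sum BTC per bucket over an iterable of (script_type, reused, years_dormant, btc)."""
    totals = defaultdict(float)
    for script_type, reused, years_dormant, btc in utxos:
        totals[classify_utxo(script_type, reused, years_dormant, dormancy_cutoff)] += btc
    return dict(totals)

# Constructed sample UTXO set (not real chain data): Satoshi-era P2PK coins,
# a reused P2PKH address, a fresh P2PKH address, a fresh P2WPKH address and a Taproot output.
SAMPLE_UTXOS = [
    ("P2PK",   False, 16, 50.0),   # early coinbase, key in script, untouched for 16 years
    ("P2PKH",  True,   2, 10.0),   # address reused: key already published by a past spend
    ("P2PKH",  False,  1,  5.0),   # never spent from: only the hash is on-chain
    ("P2WPKH", False,  0,  2.5),   # fresh SegWit address, key still hidden
    ("P2TR",   False,  1,  1.0),   # Taproot: x-only key is in the output itself
]

if __name__ == "__main__":
    print(exposure_split(SAMPLE_UTXOS))
```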
Algorithmic and Hardware Modeling: The quantum resource estimate for breaking secp256k1 and BLS12-381 signatures is based on recent quantum circuit optimizations reducing logical qubit counts and Toffoli gate costs, incorporating fault-tolerant overhead under surface-code error correction assumptions. Hardware capability growth is modeled as physical qubit doubling every 1.0 to 2.5 years. Expert survey data are included as an independent timing estimate.
Monte Carlo Forecast: The forecast combines four factors with associated uncertainty ranges: algorithmic resource declines (halving every 4–20 years), hardware qubit doubling rates, fault-tolerance readiness lag (2–12 years delay after sufficient physical qubits exist until full error correction is operational), and expert-survey-based arrival times. The four estimates are equally weighted and sampled to produce a probabilistic break-year distribution, which is found to be bimodal due to disagreement between bottom-up physics modeling and expert opinion.
Mining Threat Model and Rebuttal: A calibrated mining-competitiveness model, using the 2017 Aggarwal et al. benchmarks on double SHA-256 T-gate costs and channel capacity, computes an effective quantum hash rate at various quantum gate speeds, showing it remains orders of magnitude below classical ASIC farms. Parallelization limits provide at best a square-root scaling for multiple quantum machines.
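An added calibration of the mining-competitiveness argument (not the paper's code): it anchors on the page's 100 GHz to 21 TH/s point and the 860 EH/s network figure, assumes linear scaling with gate clock and the square-root fleet scaling the page states, and reports the expected block share and the fleet size needed to match the classical network.

```python
import math

# Page-stated calibration points: one quantum machine at an optimistic 100 GHz gate
# clock reaches ~21 TH/s of effective Grover "hashrate"; the 2026 Bitcoin network runs
# ~860 EH/s of classical ASIC hashing.
CALIB_GATE_HZ = 100e9
CALIB_QUANTUM_HS = 21e12
NETWORK_HS_2026 = 860e18

def quantum_hashrate(gate_hz, n_machines=1):
    """Effective hash rate of a fleet of quantum miners.

    Each Grover oracle call costs a fixed number of gate cycles, so one machine's
    effective rate scales linearly with gate speed (assumption, calibrated to the
    page's 100 GHz -> 21 TH/s point). Because Grover's speedup is only quadratic,
    splitting the nonce search over n machines gains only sqrt(n), the page's limit.
    """
    single = CALIB_QUANTUM_HS * (gate_hz / CALIB_GATE_HZ)
    return single * math.sqrt(n_machines)

def block_share(gate_hz, n_machines=1, network_hs=NETWORK_HS_2026):
    """Fraction of blocks the quantum fleet expects to win against the classical network.

    Difficulty retargets to the total rate, so an entrant's share is simply its
    fraction of total hashing; the quantum contribution barely moves the denominator.
    """
    q = quantum_hashrate(gate_hz, n_machines)
    return q / (q + network_hs)

def machines_for_share(target_share, gate_hz, network_hs=NETWORK_HS_2026):
    """Fleet size needed for a given block share, inverting the sqrt(n) scaling."""
    q_needed = target_share * network_hs / (1.0 - target_share)
    single = quantum_hashrate(gate_hz, 1)
    return math.ceil((q_needed / single) ** 2)

if __name__ == "__main__":
    for hz in (1e9, 10e9, 100e9):
        print(f"{hz / 1e9:6.0f} GHz: one machine wins 1 block in {1 / block_share(hz):,.0f}")
    print(f"machines at 100 GHz to match the network (50% share): {machines_for_share(0.5, 100e9):.2e}")
```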
Exposure and Attack Surface Modeling: The impact of key reuse and mempool timing is modeled to estimate practical risk from on-chain and in-flight transaction keys. The mempool sniping success rate is simulated accounting for key recovery times and blockchain confirmation intervals.
Migration Race and Governance Modeling: The authors employ Mosca's inequality to compare time-to-migration (start plus propagation) with time-until-CRQC arrival, sweeping migration speed and start time. The analysis shows that prompt migration starting by 2026 outpaces even optimistic quantum-threat scenarios.
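As an added illustration of both the Monte Carlo forecast and the migration race above (not the authors' model), this simplified simulation draws the page's stated ranges for a physics estimator, mixes it at equal weight with a stand-in survey estimator, and reads the race off the same break-year samples; the log-uniform prior on required physical qubits, the normal survey stand-in centred on the page's survey peak, and the 50/50 mixture are assumptions.

```python
import bisect
import math
import random

# Page-stated ranges: ~1,000-1,200 physical qubits in 2026; 0.5-320 million physical
# qubits needed for secp256k1; hardware doubling every 1.0-2.5 years; algorithmic
# requirement halving every 4-20 years; fault-tolerance readiness lag of 2-12 years.
def physics_break_year(rng, start_year=2026):
    q0 = rng.uniform(1_000, 1_200)
    need0 = 10 ** rng.uniform(math.log10(0.5e6), math.log10(320e6))   # log-uniform (assumption)
    t_double, t_halve, lag = rng.uniform(1.0, 2.5), rng.uniform(4.0, 20.0), rng.uniform(2.0, 12.0)
    # Supply q0 * 2^(t/t_double) meets demand need0 * 2^(-t/t_halve) at
    # t = log2(need0/q0) / (1/t_double + 1/t_halve); then add the error-correction lag.
    t_cross = math.log2(need0 / q0) / (1.0 / t_double + 1.0 / t_halve)
    return start_year + t_cross + lag

def survey_break_year(rng):
    # Stand-in for the expert-survey estimator: normal around the page's survey peak
    # (~2038-2040) with an assumed 5-year spread; not the paper's fitted distribution.
    return rng.gauss(2039.0, 5.0)

def forecast(n=20_000, seed=7):
    """Equal-weight mixture of the two estimators; returns sorted break-year samples."""
    rng = random.Random(seed)
    years = [physics_break_year(rng) if i % 2 == 0 else survey_break_year(rng) for i in range(n)]
    years.sort()
    return years

def prob_by(years, year):
    """P(a CRQC exists by `year`) = fraction of samples at or before that year."""
    return bisect.bisect_right(years, year) / len(years)

def migration_loss_prob(years, start_year, duration_years):
    """Mosca-style race: probability the CRQC arrives before migration finishes."""
    return prob_by(years, start_year + duration_years)

if __name__ == "__main__":
    ys = forecast()
    print({y: round(prob_by(ys, y), 3) for y in (2035, 2040, 2050)}, "median", round(ys[len(ys) // 2], 1))
    for start in (2026, 2030, 2034):
        print(f"start {start}, 4-year migration: loss probability {migration_loss_prob(ys, start, 4):.3f}")
```

The mixture of a peak near 2039 and a physics peak in the 2050s reproduces the bimodal shape the page describes; the race numbers show why the start year, not the migration duration, dominates the outcome.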
Post-Quantum Signature Standards Review: The paper reviews NIST-standardized post-quantum signature candidates (e.g., ML-DSA, SLH-DSA, XMSS, Falcon) and assesses their size, throughput, block space impact, and suitability for migration.
Broader Survey: A systematic survey of the top 20 cryptocurrencies by market cap is conducted to assess quantum exposure models and post-quantum migration progress, producing a quantum-readiness rating from 1 to 5 based on measurable migration initiatives.
Reproducibility: The paper provides reproducible models for all key quantitative claims, though no public code or datasets beyond publicly available blockchain states and published hardware benchmarks are formally released. The work integrates and reconciles publicly reported chain analyses, hardware specs, and expert surveys.
Technical innovations
- A unified probabilistic Monte Carlo forecast combining bottom-up quantum hardware scaling, algorithmic resource declines, fault-tolerance lag, and expert survey data to predict the timeline for a cryptographically relevant quantum computer.
- Separation and quantification of two distinct quantum threats—Shor’s algorithm breaking elliptic-curve signatures vs Grover’s limited quadratic speedup on proof-of-work mining—with detailed resource-adjusted mining competitiveness modeling.
- Classification of cryptocurrency exposure based on script types (Bitcoin) and account reuse metrics (Ethereum), distinguishing irreducible quantum risk (lost/dormant coins) from migratable coins, to clarify actual at-risk funds.
- Application of Mosca’s inequality in a detailed migration race model showing that governance-induced delays, not migration throughput or technical feasibility, are the binding constraint for quantum security.
- A broad survey of the top 20 cryptocurrencies integrating signature algorithms, exposure models, and migration program status into a quantified quantum-readiness scale, highlighting exposure-model importance over base cryptography.
Datasets
- Bitcoin blockchain state — 200+ million UTXOs, public ledger
- Ethereum blockchain state — 160+ million accounts and transactions, public ledger
- Chain analysis exposure estimates — Glassnode, Coinbase, CoinDesk 2025–26 reports
- Expert surveys — Global Risk Institute quantum risk survey (circa 2025)
- Hardware benchmarks — IBM, Google, Atom Computing qubit counts and error rates (2026)
Baselines vs proposed
- Classical Bitcoin ASIC mining network: ~860 EH/s effective hash rate vs quantum machine at 100 GHz: 21 TH/s
- Logical qubits required to break secp256k1: prior 2017 estimate ~ 2,330 vs 2026 estimates ~1,200–1,450 logical qubits
- Quantum break-year forecast: expert survey alone median ~2038–2040 vs bottom-up physics alone median ~2052; combined median ~2046 (bimodal distribution)
- Bitcoin's quantum-exposed coins: total ~6M vs irreducible at risk ~2.3M vs migratable ~3.7M
- Mempool sniping success rate: literature best-case 41% vs realistic model 30%, assuming a fast quantum clock
Figures from the paper
Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2606.14484.
- Fig 1: Effective quantum “hashrate” versus gate speed, compared with one ASIC and the whole 2026
- Fig 2: The two estimators (survey and physics) and the bimodal combined distribution; the median falls
- Fig 3: Bitcoin’s supply split into permanently-at-risk, migratable, and protected coins.
- Fig 4: When migration finishes versus when a quantum computer might arrive, across start-time and
- Fig 5: Top-20 quantum-readiness ratings; none is fully post-quantum (RAIN excluded; its host chain
Limitations
- Quantum hardware and fault-tolerance models remain optimistic and uncertain, with vast ranges in physical qubit counts (0.5–320 million) for CRQC construction.
- The Monte Carlo forecast blends fundamentally different data sources (expert surveys and physics-based hardware models) with equal weighting without principled grounds, leading to bimodality and wide uncertainty bands.
- Ethereum exposure estimates rely on indirect measurements and ledger-state approximations; the exact current percentage of quantum-exposed ETH remains unconfirmed.
- No adversarial simulations of full migration under attack conditions are performed; governance, user compliance, and network effects remain untested.
- Grover's algorithm impact on mining is modeled assuming static network difficulty and ignores potential future protocol adjustments or novel quantum-accelerated mining strategies.
- Migration cost and block-space impact of large post-quantum signatures (e.g., up to 700x larger) are recognized but not quantitatively evaluated for network performance and fee market effects.
Open questions / follow-ons
- What are the concrete economic and social incentives or barriers impacting timely migration to post-quantum schemes, especially for dormant or lost keys?
- How will blockchain protocol changes (e.g., new signature schemes, block-size limits) impact scalability and security during large-scale migrations to post-quantum cryptography?
- Can quantum mining be enhanced or combined with classical strategies to meaningfully threaten proof-of-work beyond the current quadratic speedup model?
- What real-time detection and mitigation measures can protect mempool-snooped transactions during migration periods from quantum key recovery attacks?
Why it matters for bot defense
For practitioners focused on bot defense and CAPTCHA design, this paper underscores that while quantum computing threatens the signature integrity of major cryptocurrencies, it does not currently undermine proof-of-work mining security or classical hash-based protections. This distinction is critical when evaluating the robustness of blockchain-backed CAPTCHA or anti-abuse systems that rely on cryptographic assumptions. The clear separation between signature-compromise risk (via Shor’s algorithm) and mining feasibility (not notably weakened by Grover’s) informs threat models concerning transaction authorization versus network security.
Furthermore, the paper's detailed migration analyses and timelines suggest that testing for quantum vulnerability today may be premature but should be incorporated into future-proofing strategies. Bot-defense systems leveraging blockchain or cryptographic signatures should prioritize readiness for post-quantum signature schemes during migration windows, and consider the impact of address reuse and exposure models on security risk. The governance challenges highlighted as the main bottleneck may analogously affect deployment and adoption of advanced bot-defense measures relying on evolving cryptographic standards.
Cite
@article{arxiv2606_14484,
  title={Quantum Horizon: An evaluation of quantum computing as a threat to Bitcoin and Ethereum},
  author={Iosif M. Gershteyn and Jacob A. Alber},
  journal={arXiv preprint arXiv:2606.14484},
  year={2026},
  url={https://arxiv.org/abs/2606.14484}
}