Perhaps this is the most complex FUD to refute. Confirmation bias --- that is, the tendency to believe what we want to believe --- is especially relevant here, given that the concepts involved are neither part of our everyday experience nor easy to understand. To form the most objective opinion possible, free from such bias, it would be advisable to master quantum information theory. The book Quantum Computation and Quantum Information↗ is a classic on this subject, and if you have studied it, most of this chapter will seem trivial to you. This chapter assumes no prior knowledge of quantum mechanics or quantum computing, but we must enter the subject, even if only superficially, in order to form our own opinion as objectively as possible.
This criticism consists of the following argument: “when we have sufficiently powerful quantum computers, it will be possible to break the cryptography on which bitcoin is based, and therefore bitcoin will be worthless”. Let us examine what truth there is in this claim.
Bitcoin uses ECDSA and Schnorr digital signatures1 which are based on the difficulty of the discrete logarithm problem over elliptic curves. Computing the public key from the private key is straightforward, but the inverse is not feasible. In this context, “not feasible” means that no algorithm is known capable of computing the private key from the public key except by brute force. Since there are nearly 2²⁵⁶ private keys --- approximately one billion times the number of atoms in the Milky Way --- not even all the computers in the world working together could find it in less time than the age of the universe.
But of course, this is true for conventional computers, not for quantum computers. Since we already have quantum computers that will make everything much faster, bitcoin will be destroyed. Right?
Not so fast. In the book Thinking, Fast and Slow↗, Daniel Kahneman2 describes how humans are experts at reaching conclusions quickly, even from weak evidence. It is simply in our DNA. So we need to keep in check this very human bias of “jumping to conclusions” if we want to reach correct ones. Let us begin by examining what these quantum computers actually are.
Qubits
Quantum computers will not perform all tasks faster --- they are not simply faster computers. They are completely different machines that will be entirely impractical for most tasks we perform with conventional computers, but will be capable of solving in a short time certain specific problems that conventional computers would take millions of years to solve. These quantum computers do not work with bits, the basic unit of information in traditional computers, but with qubits3.
Qubits are units of information far more complex than bits. A qubit has two basic states, commonly represented as |0⟩ and |1⟩, but unlike a classical bit, a qubit can exist in any state α|0⟩ + β|1⟩, where α and β are complex numbers such that the sum of the squares of their moduli equals 1. The state α|0⟩ + β|1⟩ is known as a superposition state, and α and β are the probability amplitudes. In a conventional computer, reading a bit in state 1 gives us 1, and reading a bit in state 0 gives us 0, as one would expect. But with a qubit things work differently. In quantum mechanics, measurement alters the state. If we read the value of the qubit α|0⟩ + β|1⟩, the qubit ceases to be in a superposition state and collapses to one of the two fundamental states |0⟩ or |1⟩. That is, we will always read either |0⟩ or |1⟩. It is not physically possible to read the probability amplitudes α and β. And the reason is not that we are measuring with a poor instrument or with insufficient care --- the reason is that performing a measurement on a quantum system implies the collapse of the wave function; in other words, this is simply the nature of the quantum phenomenon itself. Furthermore, the no-cloning theorem tells us that it is impossible to create an identical copy of an arbitrary unknown quantum state. This means that in general we cannot make a copy of a qubit.
We can already appreciate that qubits are strange units of information, very different from the bits we are accustomed to. In a classical computer, both reading a bit and copying a bit are trivial operations — in a quantum computer they are impossible. A quantum computer is radically different from a conventional computer because it must deal with these strange units of information. From there, everything is different. In a classical computer, bits are processed using the familiar logic gates AND, OR, NOT, NAND, XOR --- but these logic gates do not exist in quantum computers. Instead, there are many other (in theory, infinitely many) possible quantum gates. The circuits and algorithms, built from qubits and these new quantum gates, are also completely different in quantum computing.
Everything mentioned so far about qubits is inherent to quantum mechanics --- that is, it applies to any technology used to implement qubits. The complexity of physically implementing qubits, keeping them free from noise, connecting them to each other, controlling them, and operating with them is far greater than for their classical counterparts, bits. There are several technologies for implementing qubits, and different companies are trying to build quantum computers based on them --- for example, the superconducting technology pursued by Google and IBM, trapped ions (IonQ, Quantinuum), semiconductors (Intel, Silicon Quantum Computing), photonics (Xanadu, PsiQuantum), neutral atoms (ColdQuanta, QuEra Computing, PASQAL), and topological qubits (Microsoft). It is not the purpose of this book to analyze each of these in detail. We will simply note that each has its advantages and disadvantages, and no clear winner has emerged yet.
Let us take a brief historical perspective to better understand where we stand today.
Origins and Evolution
In 1980, Paul Benioff4 published “The computer as a physical system: A microscopic quantum mechanical Hamiltonian model of computers as represented by Turing machines”,↗ a paper in which he described the first model of a quantum computer. It could be said that with this, the race to build quantum computers began. Below is a series of relevant milestones that followed:
- In 1981, Richard P. Feynman gave a talk at MIT titled “Simulating physics with computers”↗, in which he argued that since the essence of nature is quantum, simulating it would require quantum computers.
- In 1985, David Deutsch5 described the first universal quantum computer, also known as the Quantum Turing Machine, by analogy with its classical equivalent, the Universal Turing Machine, which Alan Turing had conceived almost half a century earlier↗.
- In 1994, Peter Shor6 described an algorithm capable of factoring any number in polynomial time↗. The existence of this algorithm is the foundation of the claim that quantum computers will break bitcoin, since in addition to factoring a number, the algorithm can also be applied to solve the discrete logarithm problem on elliptic curves.
- In 1996, Lov K. Grover7 published an algorithm for searching an unordered list↗, more efficient than any search algorithm on a classical computer.
- In 1998, the first 2-qubit machine was created, demonstrated at the University of California, Berkeley.
- In 1999, IBM created the first 3-qubit machine.
- In 2001, IBM and Stanford University ran Shor’s algorithm for the first time. The calculation was performed on the first 7-qubit quantum computer. The experiment computed the prime factors of 15, yielding the correct result of 3 and 5.
- In 2019, IBM presented the IBM Q System One, the first quantum computer for commercial use, housed in a hermetically sealed glass cube measuring 2.7 meters on each side and containing a total of 20 qubits.
- In November 2019, Google announced “quantum supremacy” achieved with its 54-qubit Sycamore processor. The term “quantum supremacy” means that a quantum computer is capable of solving a well-defined problem --- regardless of whether it has any practical application --- in a time that a conventional computer could never achieve. And this is what Sycamore accomplished. Until 2019, no quantum computer had solved anything that a conventional computer could not also solve.
- In 2022, IBM presented Osprey, a quantum computer with 433 qubits.
- In 2023, IBM announced the Condor processor with 1121 qubits, and also the IBM Heron, with 156 qubits but higher performance than the Condor.
- In 2023, Google announced that it had succeeded in reducing the error rate of a logical qubit by increasing the number of physical qubits composing it. The article published in Nature↗ describes how, in a 72-qubit Sycamore quantum processor, they implemented a logical qubit composed of 49 physical qubits and achieved a lower error rate than with a logical qubit composed of 17 physical qubits. This was an important milestone, as they managed to demonstrate that quantum error correction techniques work in practice --- something that had not been demonstrated previously, since increasing the number of physical qubits also increases the number of noise sources, and it was not obvious that the advantage provided by the error correction code would be sufficient to offset the disadvantage of the additional noise.
- In 2024, Google made another major announcement with the presentation of the Willow processor and the publication of another article in Nature↗, describing how they succeeded in halving the error rate of a logical qubit by increasing the surface code distance by 2, while operating with a physical qubit error rate below a certain threshold. According to the article, reaching an error rate of × 10^−6^ would require a logical qubit of distance 27 using 1457 physical qubits.
- In early 2025, Microsoft announced its new chip8 “Majorana 1” with eight topological qubits. An announcement that would represent a major advance, since topological qubits would be far more resistant to noise and, according to Microsoft, would have an error rate ten times lower than superconductor-based qubits.
The Threat
Now that we have a somewhat better understanding of the nature of these computers and their evolution over the past forty years, let us return to examining the threat they pose to bitcoin. It can be summarized as follows: on the one hand, quantum computers already exist; on the other, an algorithm also exists for solving the ECDSA discrete logarithm problem on which bitcoin’s security is based. And although quantum computers are not yet powerful enough, since Moore’s Law says that roughly every two years the capacity of a microprocessor doubles, it will soon be possible to break bitcoin. This is the reasoning of those who push this FUD.
Moore’s Law states specifically that approximately every two years the number of components on an integrated circuit doubles. It is an empirical law formulated by Intel co-founder Gordon Moore in a 1965 article in Electronics magazine↗. But the assumption that Moore’s Law also applies to the progress of quantum computers is completely arbitrary, and therefore so is the conclusion that in 10 or 20 years we will have quantum computers capable of breaking current cryptography. There are many technological challenges to overcome. The FUD typically focuses on the number of qubits required, but the number of qubits is not the only meaningful parameter for understanding how close we are to building quantum computers capable of breaking bitcoin — something we could already intuit when we mentioned that IBM’s 156-qubit Heron processor had greater processing capacity than IBM’s 1121-qubit Condor processor. In addition to the number of qubits, the quality of those qubits, the fidelity of the quantum gates, error correction techniques, coherence time, and qubit connectivity all matter.
Remaining Challenges
Since the most commonly cited parameter as a measure of quantum computing progress is the number of qubits in the processor, the first question that arises is: how many qubits are needed to break ECDSA with 256-bit keys? According to research by a Microsoft team↗, a quantum computer with around 2300 qubits would be required. But these 2300 theoretical qubits are ideal qubits --- that is, error-free --- and the reality is that ideal, error-free qubits do not exist.
Qubits are, in fact, extremely fragile units of information. Any interaction with the environment can cause the qubit to lose coherence. Coherence is the ability of a quantum system to maintain the phase relationship between the different states in superposition. The coherence time is the average time a quantum system maintains its coherence. The longer the coherence time, the more complex (with more quantum gates) the algorithm that can be executed. Decoherence (loss of coherence) can occur due to various causes such as thermal fluctuations, electromagnetic interference, or errors in the quantum gates. In the superconducting technology used by both IBM and Google, qubits are maintained at a temperature close to absolute zero (0.015 Kelvin) to minimize thermal noise. Despite this, since it is not possible to fully isolate the qubits, coherence times for this technology are on the order of hundreds of microseconds. In fact, with the technology available in 2025, the error rate is so high that any practical application is impossible.
Readers familiar with classical computing will know that various error correction codes have long been known, and that errors in physical bits present no fundamental problem, since as long as the error rate remains below a certain threshold they can be corrected. For example, a bit could be copied into two others to yield 3 bits with the same information. If one is corrupted during computation or transmission, the error can be corrected as long as fewer than half are wrong. In the case of qubits, however, the situation is radically different. The first difficulty is that in general it is not possible to copy a qubit in a superposition state --- a very serious problem since all error correction codes rely on some form of redundancy. And this is not a limitation of our current technology; it is impossible by the very nature of the quantum phenomenon.
Nevertheless, quantum error correction codes have also been developed — far more complex than their classical counterparts. In particular, Google used surface codes in its experiments with Sycamore and Willow, in which physical qubits form a kind of grid that constitutes the logical qubit. These surface codes only work if the physical qubit error rate is below a certain threshold. For this reason, reducing the physical qubit error rate to sufficiently low levels is crucial in order to implement these error correction codes and achieve logical qubits with lower error rates. For superconducting technology, the current estimate is that several thousand physical qubits would be needed per logical qubit to achieve the error levels required to break ECDSA. This means that for the 2300 logical qubits, we would need a quantum computer with several million physical qubits.
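As an added illustration (not from the book and not from any of the papers it cites), the following Python code puts numbers on the points above: the majority vote of the classical repetition code and its threshold at an error rate of one half, the physical-qubit count of a distance-d surface code (d² data qubits plus d² − 1 measurement qubits, which reproduces the 17, 49 and 1457 figures quoted earlier), and the rule of thumb from the Willow result of halving the logical error per +2 in distance. The starting logical error of 3e-3 at distance 3 and the 1e-6 target used in the projection are constructed values chosen for the example, not figures taken from Google’s articles.

```python
from math import comb


def repetition_logical_error(p, d):
    """Classical distance-d repetition code (d odd) decoded by majority vote.
    The logical bit is wrong only when more than half of the d copies flip,
    so for p < 1/2 a longer code helps and for p > 1/2 it makes things worse."""
    if d % 2 == 0:
        raise ValueError("use an odd distance so the majority vote is unambiguous")
    return sum(comb(d, k) * p ** k * (1 - p) ** (d - k)
               for k in range((d + 1) // 2, d + 1))


def surface_code_physical_qubits(d):
    """Physical qubits in one distance-d rotated surface code logical qubit:
    d*d data qubits plus d*d - 1 measurement qubits."""
    return 2 * d * d - 1


def projected_logical_error(eps_start, d_start, d_target, lam=2.0):
    """Below threshold the logical error shrinks geometrically with distance.
    The chapter quotes a factor of 2 per +2 in distance, so lam defaults to 2."""
    steps = (d_target - d_start) / 2
    return eps_start / lam ** steps


def distance_needed(eps_start, d_start, target, lam=2.0):
    """Smallest distance (stepping by 2) whose projected logical error is
    at or below the target."""
    d = d_start
    while projected_logical_error(eps_start, d_start, d, lam) > target:
        d += 2
    return d


def physical_qubits_for_logical(n_logical, d):
    """Total physical qubits for n_logical logical qubits at distance d."""
    return n_logical * surface_code_physical_qubits(d)


if __name__ == "__main__":
    for p in (0.1, 0.01, 0.5, 0.6):
        print(f"physical p={p}: logical error d=3 -> "
              f"{repetition_logical_error(p, 3):.4g}, "
              f"d=5 -> {repetition_logical_error(p, 5):.4g}")
    for d in (3, 5, 27):
        print(f"distance {d}: {surface_code_physical_qubits(d)} "
              f"physical qubits per logical qubit")
    # Constructed starting point: 3e-3 logical error at distance 3, target 1e-6.
    d = distance_needed(3e-3, 3, 1e-6)
    print(f"distance {d} reaches the target; 2300 logical qubits would need "
          f"{physical_qubits_for_logical(2300, d):,} physical qubits")
```

With the halving rule, every extra 2 in distance buys one bit of logical error at a cost that grows quadratically in physical qubits, which is why the 2300 ideal qubits turn into several million physical ones.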
The challenges do not end with the number of qubits. Another problem is that in order to perform calculations, qubits must be in an entangled state. Two or more qubits are entangled when they are intrinsically connected in such a way that the quantum state of one cannot be described independently of the state of the others. For example, a system of 3 entangled qubits (A, B, and C) cannot be described with 6 probability amplitudes --- that is, the two probability amplitudes of A, the two of B, and the two of C. The entangled system has 8 probability amplitudes: the probability amplitude of state |000⟩, the amplitude of state |001⟩, … and that of state |111⟩. In other words, 3 entangled qubits do not behave as 3 quantum systems with two basic states each, but as a single quantum system with 8 basic states. The exponential advantage of some quantum algorithms is largely based on this behavior: entanglement, one of the most counterintuitive physical phenomena in quantum mechanics. So counterintuitive, in fact, that Einstein himself described it as spooky action at a distance9.
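To make the amplitude counting concrete, here is an added example (not from the book) that simulates a few qubits with a plain Python state vector: it builds the entangled 3-qubit state (|000⟩ + |111⟩)/√2, shows that it needs 8 amplitudes and cannot be split into one qubit plus the rest, and shows that a measurement returns only a bit string, never the amplitudes. The gate matrices and helper names are my own choices.

```python
import math
import random

# Single-qubit gates as 2x2 matrices indexed gate[out_bit][in_bit].
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]


def zero_state(n):
    """|00...0> on n qubits: 2**n complex amplitudes, the first one equal to 1."""
    state = [0j] * (2 ** n)
    state[0] = 1 + 0j
    return state


def _mask(n, qubit):
    # Qubit 0 is the leftmost character of a basis label such as |011>,
    # so it corresponds to the most significant bit of the amplitude index.
    return 1 << (n - 1 - qubit)


def apply_single(state, gate, qubit):
    """Apply a 2x2 gate to one qubit of an n-qubit state vector."""
    n = int(math.log2(len(state)))
    mask = _mask(n, qubit)
    new = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp == 0:
            continue
        in_bit = 1 if idx & mask else 0
        base = idx & ~mask
        for out_bit in (0, 1):
            new[base | (out_bit * mask)] += gate[out_bit][in_bit] * amp
    return new


def apply_cnot(state, control, target):
    """CNOT: wherever the control bit is 1, swap the two target amplitudes."""
    n = int(math.log2(len(state)))
    cmask, tmask = _mask(n, control), _mask(n, target)
    new = list(state)
    for idx in range(len(state)):
        if idx & cmask:
            new[idx] = state[idx ^ tmask]
    return new


def ghz_state(n):
    """(|00..0> + |11..1>)/sqrt(2): H on qubit 0, then a chain of CNOTs."""
    state = apply_single(zero_state(n), H, 0)
    for q in range(1, n):
        state = apply_cnot(state, q - 1, q)
    return state


def product_state(n):
    """H on every qubit separately: a superposition that is NOT entangled."""
    state = zero_state(n)
    for q in range(n):
        state = apply_single(state, H, q)
    return state


def probabilities(state):
    """Born rule: all a measurement can reveal is |amplitude|**2."""
    return [abs(a) ** 2 for a in state]


def measure(state, rng=None):
    """Measure every qubit: returns one basis label and the collapsed state.
    The amplitudes are gone afterwards; only a classical bit string survives."""
    rng = rng or random.Random()
    n = int(math.log2(len(state)))
    outcome = rng.choices(range(len(state)), weights=probabilities(state))[0]
    collapsed = [0j] * len(state)
    collapsed[outcome] = 1 + 0j
    return format(outcome, f"0{n}b"), collapsed


def entangled_across_first_qubit(state, tol=1e-12):
    """True if qubit 0 cannot be described independently of the others.
    Split the 2**n amplitudes into the row with qubit 0 = 0 and the row with
    qubit 0 = 1; the state factorises across that cut exactly when the two
    rows are proportional, i.e. when every 2x2 minor vanishes."""
    half = len(state) // 2
    row0, row1 = state[:half], state[half:]
    for i in range(half):
        for j in range(i + 1, half):
            if abs(row0[i] * row1[j] - row0[j] * row1[i]) > tol:
                return True
    return False


if __name__ == "__main__":
    n = 3
    ghz = ghz_state(n)
    print(f"{n} separate qubits: {2 * n} amplitudes; {n} entangled qubits: {len(ghz)}")
    print("GHZ probabilities:", [round(p, 3) for p in probabilities(ghz)])
    print("GHZ entangled:", entangled_across_first_qubit(ghz),
          "| product state entangled:", entangled_across_first_qubit(product_state(n)))
    print("ten measurements:", [measure(ghz, random.Random(2025))[0] for _ in range(10)])
```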
For a system of n qubits to be in an entangled state, the qubits must be in a superposition state. The time during which a qubit remains in a superposition state is the coherence time, as we have seen. For superconducting technology, this time is on the order of hundreds of microseconds.10 This time is a probabilistic average --- some qubits will lose their superposition state before others, and the average is the figure we have as coherence time. Since entanglement requires the qubits to be in a superposition state, the entanglement time decreases as the number of qubits in the system increases. And the entanglement time is the time we have to complete our calculation. If entanglement is lost before the algorithm finishes, we have to start over. Shor’s algorithm for 256-bit keys, in addition to the 2300 error-free qubits, is implemented in a circuit with a depth of one hundred billion quantum gates↗. This means that qubits must pass through one hundred billion quantum gates to reach the end of the circuit and be measured, before superposition and entanglement are lost.
Without going into greater depth to understand how surface error correction codes work, what their physical limitations are, and how logical qubits are formed from physical qubits, we can observe that enormous technical challenges must be overcome to build a quantum computer powerful and stable enough to run Shor’s algorithm at a practical scale. Not only the number of qubits matters --- so does the quality of those qubits, the error correction mechanisms, the interconnection between them, the coherence time, the fidelity of the quantum gates, and the circuit depth.
With all this in mind, how many years are left before quantum computers can break elliptic curve cryptography with 256-bit keys?
Practical quantum computing always seems to be “ten years in the future”, which means that no one has any idea.11
— Bruce Schneier
As Schneier said in 2018 --- and it still seems to hold true in 2025 --- no one knows. But many predictions are probably biased. Surveys of quantum computing experts generally are. These experts are experts because they work at a research center or startup dedicated to quantum computing, and they have little incentive to say they see no practical use in the next fifty years. Quite the opposite --- their natural inclination is toward optimism, consciously or unconsciously, since if their estimates are not optimistic someone might question their job or the venture capital funding might dry up.
Predicting the future is not one of humanity’s strong suits. The most important innovations tend not to happen where and when we think they will. We are incapable of predicting a “black swan”↗ event, such as a physics discovery that might make building many-qubit quantum computers straightforward.
Nor can we rule out the possibility that, due to some physical limitation, building sufficiently scalable quantum computers for practical applications may be impossible. Some highly respected physicists and mathematicians maintain, in fact, exactly this thesis --- among them Mikhail Dyakonov, physics professor at the Charles Coulomb Laboratory, Gil Kalai, Israeli mathematician and professor at the Hebrew University of Jerusalem, and Robert Alicki, doctor of physics at the Institute of Theoretical Physics and Astrophysics at the University of Gdańsk. In the book Will We Ever Have a Quantum Computer?↗, Dyakonov sets out the arguments that decades of research into quantum phenomena and condensed matter physics have led him to think that the idea of a universal quantum computer is theoretically possible but not a realistic prospect. In ↗, Kalai postulates that “noisy quantum systems will not allow us to build the quantum error correction codes needed for quantum computing”, and in ↗ he even questions the veracity of Google’s claims regarding its error correction results. In ↗, Alicki concludes that for an optimal but inefficient classical algorithm, quantum computation is also inefficient either with respect to computation time or with respect to the energy used. If this claim is correct, it would imply that with quantum computers we are merely shifting complexity from one dimension to another, but cannot escape the fact that the complexity of a certain problem is inherently exponential.
Although we can neither confirm nor refute these claims, the fact that there are highly respected researchers who believe building quantum computers for practical applications is an impossible mission does provide us with information: it gives us some sense of the magnitude of the challenge.
We want to understand how close the threat is, so we must make an estimate based on what we know: the development of the past forty years and the current state of the art. This estimate assumes the absence of any black swan event in quantum physics in the coming years, since such an event could change the estimate radically. From 1981 to 2001 --- twenty years --- the first quantum computer capable of factoring the number 15 into its two prime factors was built. In 2019, the number 21 was factored↗ using an IBM Q processor. The same article describing the experiment also states that “the algorithm fails for 35”. As of mid-2025, the record remains the number 21. To break bitcoin’s cryptography, a quantum computer capable of factoring a 617-digit number (RSA 2048) is needed. A number like the following: 26603196683886601272862244629405540463486539215269685863846109367948468074464751839560535531505168048341211838937113356893285240512917080163991659976436831316161432952465630062709937232075475378826871339139350774473191552194070896439745381099222367902657668572496233233141349108854058046621357581898351450911598754890668178645098852034584864387940434451596677060116023789518542807567446379665560994754821790108043663019661138718785653284270593340132618109927254607759279786359562766133946419829075290585937005338731387253422231690264072604237717144021862533232532549991866436367298152432353699087608885455750429800101.
Bearing in mind that humans are not good at predicting the future, the task of making their own estimate is left to the reader.
Although the size of the number a quantum computer can factor is a good measure of its power, curiously no one uses this simple metric. Given the complexity of the subject, confirmation bias is highly relevant here, and for those who simply seek to justify their already-held opinion that quantum computers will break cryptography within ten years, it is very easy to generate fear with incomplete or biased information. Major announcements tend to suggest to the non-expert public that giant leaps have been made and that now, this time, we are very close. There are even academic papers that can be used as a basis for FUD, claiming to have factored very large numbers. But these experiments are misleading, as the classical preprocessing step of Shor’s algorithm uses the information that is supposedly being discovered, as detailed in Pretending to factor large numbers on a quantum computer.↗ To quote that paper: “It is not legitimate for a compiler to know the answer to the problem it is solving. Even calling such a procedure compilation is an abuse of language”.
New Algorithms
Until now we have focused on analyzing how quickly we can build a quantum computer capable of implementing Shor’s algorithm. But we might also consider that new algorithms could be invented that are more efficient than Shor’s and could therefore run on smaller quantum computers.
In the algorithms space too, there are “studies” that can be used as tools to generate FUD and conclude that quantum computers will break RSA or ECDSA in five or ten years. In this paper↗ by a group of Chinese researchers, a hybrid algorithm is proposed that converts the factoring problem into an optimization problem. The authors claim to have factored the 48-bit number 261980999226229, the largest number factored by a quantum computer to date, and conjecture that only 372 qubits would be needed to break RSA 2048. The work has been independently refuted by several researchers, for example in ↗ and ↗. In the second of these papers, Google researchers show how the probabilistic algorithm fails for numbers larger than 80 bits. Furthermore, as far as bitcoin’s cryptography is concerned, this algorithm would pose no threat, since unlike Shor’s algorithm, it is not applicable to the discrete logarithm problem on which ECDSA security is based, but only to the factoring problem.
As a corollary to this section on algorithms, we can state that for factoring numbers or solving the discrete logarithm, the most efficient algorithm we know remains Shor’s algorithm, known since 1994. And given that in thirty years no more efficient algorithm has been discovered, it is possible that Shor’s algorithm is, in fact, the most efficient one.
Post Quantum
It does not appear likely, a priori, that we will build a quantum computer capable of breaking bitcoin’s elliptic curve cryptography in the near future. If we ever do --- which is not certain --- it will likely take a very long time. Current technology is far from constituting a real threat to bitcoin and will very likely remain so in the short and medium term.
Nevertheless, although quantum computers do not appear to pose a threat in the near future, it is also not something that can be ruled out with complete certainty, so it is worth thinking about what to do if a day comes when the threat becomes more real. The first thing to note is that if that day arrives, bitcoin would not be the only thing affected. Our communications with our bank and countless other things that are secure today would cease to be so. Likely before our banking communications could be compromised, we would begin using other encryption schemes resistant to quantum computers. And although, due to its decentralized nature, bitcoin does not update as easily as a communications protocol in a client-server architecture, it could also be modified to enable a different signature scheme if the threat were to become relevant.
Lamport signatures↗, resistant to quantum computing, have been known since 1979 and are the first in their category, though they are enormously large signatures. But they are not the only known digital signature scheme resistant to quantum computing. In 2016, NIST asked the industry for proposals to standardize post-quantum digital signature schemes, and in 2022 selected three: Dilithium, Falcon, and SPHINCS+. In August 2024, NIST standardized two algorithms: ML-DSA, based on Dilithium, and SLH-DSA, based on SPHINCS+. So, given that two quantum-resistant signature schemes have already been standardized, why not switch to one of them now and forget about the problem? Would it not be better to get ahead of potential threats?
If these signatures had no disadvantages compared to ECDSA or Schnorr signatures, it would indeed make sense to update bitcoin now. But quantum-resistant signatures have several drawbacks. First, they take up much more space (more bytes) than ECDSA or Schnorr signatures, which means far fewer transactions would fit in a block, or larger blocks would be needed. Second, they are also more expensive to verify in terms of CPU. These two problems are especially significant for bitcoin since they directly affect the hardware requirements of a node and therefore bitcoin’s decentralization. Finally, NIST continues to search for other algorithms with smaller signatures and faster verification12. That is, rather than selecting a definitive standard, NIST has validated the two aforementioned schemes, but we cannot yet say which will ultimately prevail. For all these reasons, and because the threat --- if it is real — is still very distant, it makes little sense to switch to any such scheme in the short term. However, if the threat posed by quantum computers were one day to appear more imminent, a consensus would very likely be reached to introduce a new signature scheme in a consensus rule update. In fact, a formal improvement proposal already exists that proposes a way to do this: BIP 360.
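To see how large the oldest of these schemes really is, here is an added example (not from the book and not from any bitcoin implementation) of a Lamport one-time signature over SHA-256 in Python; the key layout, function names and the 64-byte Schnorr figure used for comparison (the BIP 340 signature size) are my own choices.

```python
import hashlib
import os

HASH_BYTES = 32            # SHA-256 output length
MSG_BITS = 8 * HASH_BYTES  # we sign SHA-256(message), i.e. 256 bits


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """Private key: 256 pairs of random 32-byte secrets (one pair per bit).
    Public key: the SHA-256 hash of every secret, in the same layout."""
    priv = [(rng(HASH_BYTES), rng(HASH_BYTES)) for _ in range(MSG_BITS)]
    pub = [(_h(s0), _h(s1)) for s0, s1 in priv]
    return priv, pub


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(priv, message: bytes) -> bytes:
    """For each bit of SHA-256(message), reveal the secret for that bit value.
    The key must be used once only: a second signature would reveal more
    secrets and let anyone forge signatures on mixed messages."""
    digest = _h(message)
    return b"".join(priv[i][_bit(digest, i)] for i in range(MSG_BITS))


def lamport_verify(pub, message: bytes, sig: bytes) -> bool:
    """Hash every revealed secret and compare with the published hash
    selected by the corresponding message bit."""
    if len(sig) != MSG_BITS * HASH_BYTES:
        return False
    digest = _h(message)
    for i in range(MSG_BITS):
        revealed = sig[i * HASH_BYTES:(i + 1) * HASH_BYTES]
        if _h(revealed) != pub[i][_bit(digest, i)]:
            return False
    return True


def sizes_in_bytes():
    """The numbers behind the chapter's 'enormously large' remark."""
    return {
        "lamport_private_key": MSG_BITS * 2 * HASH_BYTES,
        "lamport_public_key": MSG_BITS * 2 * HASH_BYTES,
        "lamport_signature": MSG_BITS * HASH_BYTES,
        "schnorr_signature": 64,
    }


if __name__ == "__main__":
    priv, pub = lamport_keygen()
    msg = b"constructed sample message"   # constructed input, not a real tx
    sig = lamport_sign(priv, msg)
    print("valid:", lamport_verify(pub, msg, sig),
          "| altered message valid:", lamport_verify(pub, msg + b"!", sig))
    print(sizes_in_bytes())
```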
BIP 360: Pay to Quantum Resistant Hash
BIP 36013, published in December 2024, proposes a new type of address p2qrh (Pay to Quantum Resistant Hash) resistant to quantum computing. Since the change proposed in this BIP involves a modification of the consensus rules (soft fork), implementing this BIP in the code would require the vast majority of the bitcoin community to agree with it. Once implemented in a new version of the software, the vast majority of the network’s users and miners would need to decide to run the new version. Once the soft fork is activated on the network, users could move their bitcoin to p2qrh addresses as each individual concluded that the threat was drawing closer. One observation to make is that the existence of a BIP with this proposal does not mean it will be implemented in bitcoin, nor does it mean it will be the only proposal for making bitcoin resistant to the quantum computing threat. It means the community is already working to find the best way to make bitcoin quantum-resistant and that at least one formal proposal exists in its early stage.
Another point to bear in mind is that not all addresses will be equally easy to attack. Some will be accessible much sooner than others. BIP 360 itself mentions this fact, classifying attacks into two types: long-exposure attacks and short-exposure attacks. Since what Shor’s algorithm achieves is deriving the private key from a public key, the bitcoin that are vulnerable are those for which the public key is known. But this is not the case for all addresses. There are several address types for which the public key is not known until the moment they are spent: p2pkh (pay to public key hash), p2sh (pay to script hash), p2wpkh (pay to witness public key hash), or p2wsh (pay to witness script hash) addresses --- in short, all those that end in hash, since what is on the blockchain is a hash, not the public key. For these addresses (the majority), even with a quantum computer those bitcoin could not be spent, because a quantum computer could break ECDSA but not the hash function.
For this type of address, the public key is only known at the moment the owner decides to spend those bitcoin. At that moment, the transaction includes the public key and the signature (produced with the private key). BIP 360 refers to the attack by a quantum computer from the moment the transaction is seen in the mempool14 as a “short-exposure attack”. At that point, the attacker has approximately ten minutes to run Shor’s algorithm, find the private key, and create another transaction with higher fees so that the one the miner includes is the attacker’s rather than the owner’s.
But long before a short-exposure attack becomes possible, all the bitcoin exposed in addresses whose public key is on the blockchain --- such as the million bitcoin mined by Satoshi --- will have been hacked, since if a quantum computer capable of breaking ECDSA is ever built, the attack will take hours, if not days.
The address types in which the public key is exposed are p2pk (pay to public key), used in the early years and where Satoshi’s bitcoin reside, and p2tr (pay to taproot).
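The following added Python example (not from the book and not from Bitcoin Core) recognises an output script by the standard templates just listed and reports whether the public key itself or only a hash is on chain, which is the distinction between the long-exposure and short-exposure cases; the sample scripts are constructed filler bytes, not real on-chain data.

```python
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script(spk: bytes) -> str:
    """Recognise the standard scriptPubKey templates named in the chapter."""
    n = len(spk)
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "p2wpkh"
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "p2wsh"
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr"
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        key = spk[1:-1]   # compressed (02/03 + 32) or uncompressed (04 + 64)
        if (len(key) == 33 and key[0] in (2, 3)) or (len(key) == 65 and key[0] == 4):
            return "p2pk"
    return "unknown"


# What the blockchain stores for each type: the key itself, or only a hash
# (of a key or of a script) that a quantum computer cannot invert.
PUBKEY_ON_CHAIN = {"p2pk", "p2tr"}
HASH_ON_CHAIN = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def exposure(spk: bytes) -> str:
    kind = classify_script(spk)
    if kind in PUBKEY_ON_CHAIN:
        return "long-exposure"   # key visible for as long as the coins sit there
    if kind in HASH_ON_CHAIN:
        return "short-exposure"  # key appears only in the spending transaction
    return "unknown"


# Constructed sample scripts: the 20/32/33-byte payloads are filler, since
# the classifier only looks at the template around them.
SAMPLES = {
    "p2pk": bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]),
    "p2pkh": bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
             + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2sh": bytes([OP_HASH160, 20]) + b"\x33" * 20 + bytes([OP_EQUAL]),
    "p2wpkh": bytes([OP_0, 20]) + b"\x44" * 20,
    "p2wsh": bytes([OP_0, 32]) + b"\x55" * 32,
    "p2tr": bytes([OP_1, 32]) + b"\x66" * 32,
}


def exposure_report(utxos):
    """Tally an iterable of (amount_btc, scriptPubKey) by exposure window,
    the kind of inventory a holder would run before deciding what to move."""
    totals = {"long-exposure": 0.0, "short-exposure": 0.0, "unknown": 0.0}
    for amount, spk in utxos:
        totals[exposure(spk)] += amount
    return totals


if __name__ == "__main__":
    for name, spk in SAMPLES.items():
        print(f"{name:7s} -> {classify_script(spk):7s} {exposure(spk)}")
    print(exposure_report([(50.0, SAMPLES["p2pk"]), (1.5, SAMPLES["p2wpkh"]),
                           (0.5, SAMPLES["p2tr"])]))
```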
In other words, if a quantum computer capable of breaking ECDSA were ever built, the bitcoin currently considered lost “forever” --- many of which were mined in the early years, and perhaps Satoshi’s own --- would become a kind of prize, because those that are lost will never be moved by anyone. The moment someone had in their possession a quantum computer capable of deriving the private key from a public key, they could transfer to an address of their own all the lost bitcoin for which the public key was known. Satoshi’s bitcoin are a kind of canary in the coal mine when it comes to the quantum threat.
However, it is possible that the prize would not exist either. Entering purely speculative territory --- simply as a possibility --- perhaps many years from now bitcoin will be the primary money and store of value used by everyone. Four million bitcoin that might be lost would represent a large fraction of humanity’s total wealth, and perhaps some would consider it too large a prize to be handed to whoever builds the first quantum computer with that capability. Technically, it would be perfectly feasible to implement via a soft fork that all bitcoin held under ECDSA and Schnorr signatures become unspendable. Or perhaps not all of them, but UTXOs prior to 2012, for example. Reaching consensus on this will not be easy, but it is not unreasonable to think it could happen. Activating the soft fork before a certain date at which the threat is deemed imminent would eliminate the prize and reduce the total supply from 21 million to a new maximum of around 17 million (if the estimates of approximately 4 million lost bitcoin are accurate). Such a soft fork would not happen today, nor in the near future, but cannot be ruled out within a few decades. In any case, this speculation about the distant future is entirely irrelevant to our argument, since bitcoin would not cease to exist or lose its value on either path the community might choose.
Conclusion
To close this chapter, we can draw two conclusions. First, although quantum computers already exist and the algorithm for breaking the public-key cryptography on which bitcoin is based also exists, current technology is far from posing a real threat to bitcoin. Furthermore, this does not appear likely to change significantly in the near future, given the enormous technological challenges involved in achieving the necessary scalability.
The second conclusion we can draw is that if the necessary technological advances were to occur and the threat were one day to draw closer, we know how to modify bitcoin to make it resistant, since quantum-resistant signature technology has existed for decades and the community is already working on a proposal.
For all these reasons, it seems reasonable to conclude that, even if it is not malicious, the FUD about quantum computers is, at the very least, poorly informed.
Footnotes
1. Schnorr signatures have been available since the taproot soft fork, activated in 2021.
2. Psychologist, professor at Princeton University, author, and Nobel Prize winner in Economics in 2002.
3. Although some style guides recommend alternative spellings, qubit (from quantum bit) is the standard term used in this book.
4. American physicist and researcher in the field of quantum information theory.
5. British theoretical physicist of Israeli origin at the University of Oxford, considered the pioneer of quantum computing.
6. American mathematician and professor at MIT, famous for his work in quantum computing.
7. American electrical engineer and computer scientist of Indian origin, famous for inventing the quantum search algorithm that bears his name.
8. https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/microsoft-unveils-majorana-1-the-worlds-first-quantum-processor-powered-by-topological-qubits/
9. Einstein did not accept that two quantum systems could be entangled, and in fact published an article in Physical Review with Podolsky and Rosen in which they argued that quantum mechanics was incomplete↗.
10. The startup Atom Computing has reported coherence times of 40 seconds, but its neutral atom array technology presents other challenges, such as qubit control and measurement and error correction.
11. Bruce Schneier is a cryptographer, computer scientist, and security specialist. A prolific author of hundreds of articles and essays and a dozen books, including Applied Cryptography↗, A Hacker’s Mind, and Liars and Outliers. The quote is taken from the article “Quantum Computing and Cryptography”↗ on his well-known blog Schneier on Security.
12. https://csrc.nist.gov/projects/pqc-dig-sig/standardization/call-for-proposals
13. A BIP, acronym for Bitcoin Improvement Proposal, is a document describing a proposed improvement to bitcoin. A BIP must contain a concise technical specification and a justification for it. It provides information to the community or describes a new feature of the protocol or its processes.
14. The mempool is the memory area of a bitcoin node where transactions that have been received but not yet confirmed --- that is, not yet included in any block --- are stored.