For years, quantum computing has served as cryptocurrency’s favorite doomsday scenario, a distant but existential threat that periodically resurfaces whenever a lab announces a qubit milestone.
The narrative follows a predictable arc where researchers achieve some incremental breakthrough, social media erupts with “Bitcoin is dead” predictions, and the news cycle moves on.
But Adam Back’s November 15 remarks on X cut through that noise with something the discourse desperately lacks: a timeline grounded in physics rather than panic.
Back, the Blockstream CEO, whose Hashcash proof-of-work system predates Bitcoin itself, responded to a question about accelerating quantum research with a blunt assessment.
Bitcoin faces “probably not” any vulnerability to a cryptographically relevant quantum computer for roughly 20 to 40 years.
More importantly, he stressed that Bitcoin doesn’t have to wait passively for that day.
NIST has already standardized quantum-secure signature schemes, such as SLH-DSA, and Bitcoin can adopt these tools through soft-fork upgrades long before any quantum machine poses a genuine threat.
His comment reframes quantum risk from an unsolvable catastrophe into a solvable engineering problem with a multi-decade runway.
That distinction matters because Bitcoin’s actual vulnerability isn’t where most people think, as the threat doesn’t come from SHA-256, the hash function that secures the mining process. It comes from ECDSA and Schnorr signatures on the secp256k1 elliptic curve, the cryptography that proves ownership.
A quantum computer running Shor’s algorithm could solve the discrete logarithm problem on secp256k1, deriving a private key from a public key and invalidating the entire ownership model.
In pure mathematics, Shor’s algorithm renders elliptic curve cryptography obsolete.
The engineering gap between theory and reality
But mathematics and engineering exist in different universes. Breaking a 256-bit elliptic curve requires somewhere between 1,600 and 2,500 logical, error-corrected qubits.
Each logical qubit demands thousands of physical qubits to maintain coherence and correct errors.
One analysis, based on the work of Martin Roetteler and three other researchers, calculates that breaking a 256-bit EC key within the narrow time window relevant to a Bitcoin transaction would require approximately 317 million physical qubits under realistic error rates.
It is essential to consider where quantum hardware actually stands. Caltech’s neutral-atom system operates around 6,100 physical qubits, but these are noisy and lack error correction.
More mature gate-based systems from Quantinuum and IBM operate in the tens to low hundreds of logical-quality qubits.
The gap between current capability and cryptographic relevance spans several orders of magnitude, not a small incremental step, but a chasm that requires fundamental breakthroughs in qubit quality, error correction, and scalability.
NIST’s own post-quantum cryptography explainer states this plainly: no cryptographically relevant quantum computer exists today, and expert estimates for its arrival vary so widely that some specialists think “less than 10 years” remains a possibility. In contrast, others place it firmly past 2040.
The median view clusters around the mid-to-late 2030s, making Back’s 20-to-40-year window conservative rather than reckless.
The migration roadmap already exists
Back’s “Bitcoin can add over time” comment points toward concrete proposals already circulating among developers.
BIP-360, titled “Pay to Quantum Resistant Hash,” defines new output types where spending conditions include both classical signatures and post-quantum signatures.
A single UTXO becomes spendable under either scheme, allowing for a gradual migration rather than a hard cutoff.
Jameson Lopp and other developers have built on BIP-360 with a multi-year migration plan. First, add PQ-capable address types via soft fork. Then gradually encourage or subsidize moving coins from vulnerable outputs into PQ-protected ones, reserving some block space each block specifically for these “rescue” moves.
Academic work dating back to 2017 has already recommended similar transitions. A 2025 preprint from Robert Campbell proposes hybrid post-quantum signatures, where transactions carry both ECDSA and PQ signatures during an extended transition period.
The user-side picture reveals why this matters. Roughly 25% of all Bitcoin, between four and six million BTC, sits in address types where public keys are already exposed on-chain.
Early pay-to-public-key outputs from Bitcoin’s first years, reused P2PKH addresses, and some Taproot outputs all fall into this category. These coins become immediate targets once Shor on secp256k1 becomes practical.
Modern best practice already provides substantial protection. Users who employ fresh P2PKH, SegWit, or Taproot addresses without reusing them benefit from a critical timing advantage.
For these outputs, the public key remains hidden behind a hash until the first spend, compressing the attacker’s window to run Shor within the mempool confirmation period, measured in minutes rather than years.
The migration job isn’t starting from scratch, it’s building upon existing good practices and transitioning legacy coins into safer structures.
The post-quantum toolbox is ready
Back’s mention of SLH-DSA wasn’t casual name-dropping. In August 2024, NIST finalized the first wave of post-quantum standards: FIPS 203 ML-KEM for key encapsulation, FIPS 204 ML-DSA for lattice-based digital signatures, and FIPS 205 SLH-DSA for stateless hash-based digital signatures.
NIST also standardized XMSS and LMS as stateful hash-based schemes, with the lattice-based Falcon scheme in the pipeline.
Bitcoin developers now have a menu of NIST-approved algorithms, along with reference implementations and libraries.
Bitcoin-focused implementations already support BIP-360, indicating that the post-quantum toolbox exists and continues to mature.
The protocol doesn’t need to invent brand-new mathematics, it can adopt established standards that have undergone years of cryptanalysis.
That doesn’t mean implementation comes without challenges. A 2025 paper examining SLH-DSA found susceptibility to Rowhammer-style fault attacks, emphasizing that while security rests on ordinary hash functions, implementations still require hardening.
Post-quantum signatures also consume more resources than their classical counterparts, raising questions about transaction sizes and the economics of fees.
But these represent engineering problems with known parameters, not unsolved mathematical mysteries.
Why 2025 isn’t about quantum
BlackRock’s iShares Bitcoin Trust (IBIT) amended its prospectus in May 2025 to include extensive disclosures about quantum computing risk, warning that a sufficiently advanced quantum computer could compromise Bitcoin’s cryptography.
Analysts immediately recognized this as standard risk-factor disclosure, boilerplate language alongside generic technology and regulatory risks, rather than a signal that BlackRock expects imminent quantum attacks.
The near-term threat is investor sentiment, rather than the technology of quantum computing itself.
A 2025 SSRN study found that news related to quantum computing triggers some rotation into explicitly quantum-resistant coins. Still, conventional cryptocurrencies exhibit only modest negative returns and volume spikes around such news, rather than structural repricing.
When examining what actually drove Bitcoin’s movement throughout 2024 and 2025, going through ETF flows, macroeconomic data, regulation, and liquidity cycles, quantum computing rarely appears as a proximate cause.
CPI prints, ETF outflow days, and regulatory shocks drive price action, while quantum computing generates headlines.
Even articles sounding the loudest alarms about “25% of Bitcoin at risk” frame the threat as years away while emphasizing the need to start upgrading now.
The framing consistently lands on “governance and engineering problem” rather than “sell immediately.”
Stakes are about defaults, not deadlines
Bitcoin’s quantum story isn’t really about whether a cryptographically relevant quantum computer arrives in 2035 or 2045. It’s about whether the protocol’s governance can coordinate upgrades before that date becomes relevant.
Every serious analysis converges on the same conclusion that the time to prepare is now, precisely because migration takes a decade, not because the threat is imminent.
The question that will determine Bitcoin’s quantum resilience is whether developers can build consensus around BIP-360 or similar proposals, whether the community can incentivize migration of legacy coins without fracturing, and whether communication can stay grounded enough to prevent panic from outrunning physics.
In 2025, quantum computing poses a governance challenge that necessitates a 10- to 20-year roadmap, rather than a catalyst that will dictate this cycle’s price action.
Physics advances slowly, and a roadmap is visible.
Bitcoin’s role is to adopt PQ-ready tools well before the hardware arrives, and to do so without the governance gridlock that can turn a solvable problem into a self-inflicted crisis.
The post Why Adam Backs thinks Bitcoin’s 20-year quantum runway matters more than today’s headlines appeared first on CryptoSlate.
This article was originally published on Bitcoin Magazine.
