1. The Moment the Timeline Changed
When Google revealed its Willow quantum chip in December 2024, the dominant response within the crypto industry was reassurance. The arithmetic was comforting: Shor's algorithm — the quantum technique capable of breaking the elliptic curve cryptography that secures Bitcoin and most other blockchain networks — would require roughly 5,000 logical qubits to run against current encryption. Each logical qubit demands thousands of physical qubits for error correction. Willow had 105. The gap appeared enormous. Sixteen months later, Google has set a public corporate deadline of 2029 to complete the migration of its authentication services to post-quantum cryptography, citing accelerating progress in quantum hardware development, error correction techniques, and quantum factoring resource estimates. The qubit count has not changed. What has changed is the error correction trajectory — and the institutional posture of the organisation building the hardware.
2. What Google's Deadline Actually Signals
When a company that manufactures quantum computers publicly sets a deadline for migrating away from the cryptography those computers will eventually break, it is not communicating a worst-case scenario. It is communicating an operationally prudent response to a threat it believes is approaching within a planning horizon relevant to business continuity. Google's blog post announcing the 2029 timeline explicitly cited two categories of risk. The first is store-now-decrypt-later attacks, which are already occurring: adversaries are harvesting encrypted data today with the expectation of decrypting it once quantum hardware reaches sufficient capability, a threat relevant to any long-lived secret including financial transaction data, identity credentials, and communications. The second is the future threat to digital signatures — the cryptographic mechanism that governs who can spend Bitcoin and authorise blockchain transactions. Google characterised the 2029 deadline as reflecting "migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates" — language that describes acceleration, not stasis.
3. The Exposed Supply Question
The magnitude of Bitcoin's exposure to a successful quantum attack depends substantially on which addresses are vulnerable and how much Bitcoin they hold. Older Pay-to-Public-Key addresses — used predominantly in the network's early years — expose the public key directly, making them theoretically susceptible to quantum attacks without any additional information. Approximately 1.6 million BTC reside in these older address formats, spread across more than 32,000 wallets averaging approximately 50 BTC each. A separate, more conservative estimate cited by ARK Invest places the total quantum attack surface at approximately 35% of the total Bitcoin supply, accounting for all address types where public keys are exposed at some point during the transaction lifecycle. The 1.6 million BTC figure represents the most immediately vulnerable cohort, but the broader number captures the systemic exposure if quantum capability advances sufficiently to crack keys within the time window that a transaction's public key is exposed during signing.
4. Bitcoin's Response: Silence
Ethereum co-founder Vitalik Buterin raised the alarm about quantum computing risks in October 2024, more than a month before Google's Willow chip announcement, explicitly calling for each component of the Ethereum protocol that relies on elliptic curves to develop a hash-based or otherwise quantum-resistant replacement. The Ethereum Foundation responded as though receiving a directive and began executing accordingly. Bitcoin's response to the same information, and to Google's 2029 deadline, has been what analysts are now characterising as silence. There is no coordinated post-quantum migration plan for Bitcoin. There is no dedicated engineering team. There is no funding structure. There is no agreed timeline. The last major cryptographic upgrade to Bitcoin's protocol — Taproot — took years of deliberation and debate before its activation in 2021, and that change was far less structurally demanding than a full migration to post-quantum cryptographic schemes.
5. Ethereum's Eight-Year Head Start
The contrast between Bitcoin's position and Ethereum's could not be more stark. The Ethereum Foundation launched a dedicated post-quantum security hub this week — pq.ethereum.org — representing the public face of a security effort that has been underway since 2018. The foundation's post-quantum team, cryptography team, protocol architecture team, and protocol coordination team have spent eight years building toward a migration that touches every layer of the protocol simultaneously. More than ten client development teams are currently shipping weekly devnets as part of a programme the Ethereum Foundation calls PQ Interop — a coordinated effort to ensure that all of Ethereum's client software implementations can operate correctly after the migration. The published roadmap maps specific milestones across four upcoming hard forks, from the initial introduction of a post-quantum key registry through full post-quantum consensus. Ethereum has also set a 2029 target for completion, aligning its internal planning with Google's externally declared deadline.
6. The Governance Gap That Makes Bitcoin's Challenge Unique
Bitcoin's inability to respond to the quantum threat at the pace that Ethereum or Google can is not a failure of awareness or technical capability — it is a structural consequence of how the network is designed. Bitcoin has no central authority capable of mandating a migration timeline. Protocol changes require broad consensus among a decentralised developer community, a set of node operators who must adopt software updates, and a miner base whose cooperation is necessary for coordinated hard forks. That decentralisation is the source of Bitcoin's most valued properties — its resistance to censorship, its immunity to unilateral governance decisions, its predictable monetary policy — but it is a liability when facing a deadline-driven technical challenge. The community's historical culture treats urgency with scepticism and values deliberation over speed. Those instincts protect against poorly considered changes but make rapid coordinated responses to external timelines structurally difficult.
7. What a Bitcoin Post-Quantum Migration Would Require
The technical requirements of a Bitcoin post-quantum migration are formidable. Elliptic curve cryptography — specifically the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Schnorr signature scheme introduced by Taproot — would need to be replaced with quantum-resistant alternatives such as lattice-based schemes standardised by the National Institute of Standards and Technology, including ML-DSA. This is not a simple parameter change. It requires changes to address formats, transaction structures, signature verification logic, and potentially the consensus rules themselves. It also requires a mechanism for migrating the approximately 1.6 million BTC currently in quantum-vulnerable Pay-to-Public-Key addresses — a process that requires the owners of those funds to take action, and raises the question of what happens to funds in wallets whose keys have been lost, abandoned, or where the holder is deceased. The governance process for agreeing on and activating such changes, through the Bitcoin Improvement Proposal mechanism, would likely take years even with broad support.
8. NIST Standards Provide a Starting Point
One concrete element that has changed the landscape for post-quantum migration across all cryptographic systems is the formalisation of post-quantum cryptographic standards by NIST. The institute completed its standardisation process in 2024, providing the ML-DSA, SLH-DSA, and ML-KEM algorithms as the endorsed post-quantum alternatives to currently deployed schemes. Google's Android 17 is integrating ML-DSA digital signature protection in alignment with these NIST standards. The existence of finalised, standardised algorithms removes one category of technical uncertainty from the Bitcoin migration question — developers no longer need to debate which post-quantum scheme to target. What remains is the governance process for deciding to make the change, the engineering work of implementing it, and the coordination challenge of migrating existing vulnerable holdings.
9. The Store-Now-Decrypt-Later Threat Is Present Tense
One element of the quantum threat that is not hypothetical or future-dated is the store-now-decrypt-later attack vector. If adversaries are already harvesting encrypted Bitcoin transaction data — including the transaction metadata and, in some cases, public key exposure that occurs when addresses are reused or when Pay-to-Public-Key outputs are created — they can store that data indefinitely and decrypt it once quantum hardware reaches sufficient capability. The 2029 deadline is not the date at which Bitcoin becomes vulnerable. It is the date by which Google believes systems relying on current cryptographic standards should already have completed their migration. For Bitcoin, where the migration process would itself take years from the moment a decision is made, the relevant question is when the community needs to begin, not when they need to finish.
10. What the ETH/BTC Divergence May Reflect
Analysts tracking the quantum preparedness gap between Ethereum and Bitcoin have begun to note that the divergence in approach could eventually manifest in market pricing. One security expert was explicit in framing the risk: if Bitcoin's silence on post-quantum migration continues while Ethereum advances through a coordinated, publicly documented, technically rigorous roadmap, the ETH/BTC exchange rate could begin to reflect that divergence in prioritisation. The thesis is straightforward — institutional investors who take the quantum timeline seriously and are allocating to digital assets will increasingly distinguish between networks with credible quantum mitigation strategies and those without. Google's 2029 deadline, validated by the same organisation that is building the hardware capable of breaking current cryptography, narrows the comfortable distance between the theoretical future threat and the planning horizon within which that future becomes operationally relevant.