1. Separating Real Quantum Risk From Inflated Headlines
Quantum computing coverage in the crypto press has grown increasingly alarming, with some headlines suggesting that bitcoin's security could be shattered in minutes or that the network's entire consensus mechanism is within reach of near-term quantum hardware. Two recently published academic papers work to correct that framing — not by dismissing the quantum threat, but by making it precise enough to distinguish what is genuinely at risk from what is physically impossible at any foreseeable scale.
The papers arrive in the immediate aftermath of Google's Quantum AI research lowering the estimated qubit threshold for breaking bitcoin's wallet cryptography, which had already unsettled markets and triggered significant commentary about bitcoin's long-term security. What the new research adds is a rigorous analysis of a separate, often conflated question: could quantum computers also attack bitcoin's mining process — its proof-of-work consensus — and if so, what would that actually require?
2. Two Categories of Quantum Risk That Are Routinely Confused
Bitcoin's security relies on two mathematically distinct cryptographic foundations, and quantum computers threaten each of them through a different algorithmic mechanism. Understanding the separation is essential for evaluating what any quantum advance actually means for the network.
The first is the wallet ownership system, which relies on elliptic curve cryptography — specifically the secp256k1 curve — to create the key pairs that establish who controls each bitcoin. Shor's algorithm, a quantum procedure, can in principle derive a private key from a known public key, which would allow an attacker to spend funds from any wallet whose public key has been exposed. This is the threat that Google's recent paper addressed, and it is the one that researchers and developers widely regard as a genuine and time-limited concern requiring active preparation.
The second is bitcoin's mining process, which relies on SHA-256 — a hashing algorithm — to create the proof-of-work that secures each block. Grover's algorithm can, in theory, provide a quadratic speedup on the trial-and-error search that miners perform to find valid block hashes. If a single entity could dominate that process with quantum hardware, it could potentially execute a 51% attack — rewriting transaction history, double-spending coins, or censoring the network. This is what the first of the two new papers sets out to price, end to end.
3. The BTQ Paper: Pricing the Full Quantum Mining Stack
The paper titled "Kardashev Scale Quantum Computing for Bitcoin Mining," authored by Pierre-Luc Dallaire-Demers of BTQ Technologies and published in March 2026, represents the first comprehensive end-to-end cost estimate for a fault-tolerant quantum mining attack on bitcoin. Previous theoretical analyses had noted Grover's quadratic speedup without accounting for the full hardware stack required to make that speedup usable in a real-world proof-of-work environment.
Dallaire-Demers' approach is to model every component of the attack pipeline, not just the algorithmic speedup. This includes constructing reversible quantum circuits that implement double-SHA-256 (the specific hashing operation bitcoin uses), implementing surface-code error correction to keep the computation stable across the required number of steps, accounting for the "magic state distillation" overhead required for fault-tolerant quantum operations, and modeling the fleet of machines that would need to run in parallel given bitcoin's ten-minute block timing constraint.
The paper introduces an open-source resource estimator that performs this full-stack accounting, making the underlying assumptions auditable and reproducible. The conclusions are definitive enough that Dallaire-Demers said the paper "does something the industry has needed for years — it prices the quantum mining question end to end and closes it."
4. The Numbers: A Fleet Drawing the Energy of a Star
The scale of resources the paper identifies as necessary to mount a quantum 51% attack on bitcoin is not merely impractical in engineering terms — it is physically unreachable under any reasonable projection of technological or civilizational development.
Even under the most favorable scenario the paper examines — a partial-preimage attack setting that is deliberately optimistic about what quantum hardware can achieve — a competitive quantum mining fleet operating with superconducting surface-code technology would require approximately 10^8 physical qubits and consume approximately 10^4 megawatts of power. For reference, 10,000 megawatts is roughly equivalent to the output of ten large nuclear power plants operating simultaneously.
At bitcoin's actual January 2025 mainnet mining difficulty — the real-world parameter against which any attack would be mounted — the requirements scale catastrophically beyond even that optimistic estimate. The fleet would require approximately 10^23 physical qubits drawing approximately 10^25 watts of power. The latter figure is the energy output of a small star. The entire current bitcoin network draws approximately 15 gigawatts, roughly fifteen large power plants. The quantum mining fleet required to dominate it would need energy output more than a quintillion times larger. A quantum 51% attack, the paper concludes, is not merely expensive. It is physically unreachable at any scale a real civilization could power.
5. Why Grover's Advantage Collapses in Practice
The reason that Grover's quadratic speedup — which sounds significant in the abstract — evaporates when applied to bitcoin mining is rooted in the overhead costs of actually running the algorithm on fault-tolerant hardware. Quantum computers are not the error-free, perfectly controlled systems that theoretical analysis assumes. Every step in a quantum computation involves physical qubits that are susceptible to noise, decoherence, and errors. Running Grover's algorithm on the complexity of SHA-256 requires not just the qubits that perform the computation, but thousands of additional qubits per logical qubit dedicated to error correction — specifically, the surface code that continuously monitors neighboring qubits and corrects errors in real time.
The compounding effect of this overhead across the enormous computation required for SHA-256 mining means that the theoretical two-times speedup Grover provides over classical mining is overwhelmed by the hardware requirements needed to achieve it reliably. Additionally, bitcoin produces a new block every ten minutes, creating a timing constraint: a quantum miner would need to complete its computation within that window, forcing parallelization across an astronomically large fleet of machines rather than sequential operation. Each machine in the fleet requires its own error correction infrastructure, multiplying the resource requirements further.
The result is that Grover's algorithm, while theoretically advantageous, is practically useless for bitcoin mining at any hardware scale that exists or is credibly anticipated in any relevant timeframe.
6. The Second Paper: A Dog Named Scribble Defeats Quantum Factoring Claims
The second paper discussed, from Peter Gutmann of the University of Auckland and Stephan Neuhaus of Zürcher Hochschule in Switzerland, addresses a different component of the quantum narrative: the steady stream of announcements claiming that quantum computers have achieved new factoring records that represent meaningful steps toward breaking real-world encryption.
The authors set out to replicate every major quantum factoring "breakthrough" published in the academic literature over roughly the past two decades. Their methodology was deliberately provocative: they reproduced the results using a 1981 Commodore VIC-20 home computer, an abacus, and a dog named Scribble trained to bark three times. The exercise was not merely satirical. Its methodological point is that the problems being solved in these demonstrations are so substantially simplified relative to the mathematical challenges involved in actual cryptographic systems that essentially any computational device — including pre-digital tools — can solve them. The "breakthroughs" rely on problem instances that reduce the factoring challenge to a scale that is trivially manageable, then present the result as if it represents meaningful progress toward breaking real encryption.
The paper's implication for the bitcoin context is significant. It does not argue that quantum computers will never threaten encryption. It argues that the specific demonstrations being cited as evidence of progress are not what they appear to be, and that the public and media perception of how close quantum computers are to cryptographically relevant factoring is substantially inflated by papers that prioritize headline-friendly results over meaningful computational progress.
7. What Remains Genuinely Concerning
The combined message of both papers is not that quantum computing is harmless to bitcoin. It is that the threat is more precisely located than popular coverage suggests. The BTQ paper explicitly reinforces this: its primary conclusion is that the real near-term quantum risk for bitcoin is not the mining layer but the authentication layer — the wallet key system that relies on elliptic curve cryptography and is vulnerable to Shor's algorithm.
Shor's algorithm, applied to bitcoin's ECDSA key pairs, remains a genuine and time-bounded threat. Google's earlier research lowered the estimated qubit threshold for a functional attack from millions of physical qubits to under 500,000, compressing the credible threat timeline toward the early 2030s under optimistic hardware projections. Approximately 6.9 million BTC — roughly one-third of circulating supply — sits in wallets where the public key has already been permanently exposed, making those coins vulnerable to at-rest quantum attack without any time pressure once capable hardware exists. These are the risks that warrant active preparation, including the BIP 360 proposal, the SPHINCS+ post-quantum signature standard, and the commit/reveal schemes that bitcoin developers are currently advancing.
8. Market Pricing of the Two Different Risks
Derivatives markets and prediction market data offer an interesting window into how traders are pricing the two distinct categories of quantum risk. Markets currently assign little probability to bitcoin replacing its SHA-256 mining algorithm before 2027 — consistent with the BTQ paper's finding that the mining threat is not credible on any near-term timeline and that the network has no urgent reason to replace the algorithm that secures its consensus.
By contrast, traders assign approximately 40% probability to upgrades like BIP 360 being deployed — the proposal that would introduce quantum-resistant wallet formats and allow users to migrate funds from exposed addresses to safer ones. That figure reflects a market consensus that wallet vulnerability is a real and moderately near-term concern requiring active developer response, while mining vulnerability is not.
The divergence in market pricing mirrors the academic consensus expressed in the two papers: one threat is a distant theoretical scenario that physics renders impossible at any foreseeable scale; the other is a genuine, time-bounded vulnerability in a specific component of the system that developers are already working to address.
9. BTQ's Broader Quantum Proof-of-Work Vision
Beyond their immediate findings on quantum mining economics, the BTQ Technologies papers support a broader strategic argument that the company has been advancing through its Bitcoin Quantum architecture project. Rather than attempting to retrofit quantum hardware into the existing SHA-256 proof-of-work framework — which the paper demonstrates is physically impractical — BTQ argues that the long-term evolution of quantum-resilient consensus should involve designing mining processes natively suited to the computational strengths of quantum hardware.
BTQ's Quantum Proof of Work approach builds consensus around computational tasks that quantum systems perform efficiently rather than forcing quantum machines to compete at classical mining's requirements. The company's published modeling suggests that a quantum sampler consuming approximately 0.25 kilowatt-hours over a ten-minute block interval could achieve results requiring approximately 390 kilowatt-hours from classical equivalents — an energy efficiency advantage on the order of 1,500 times. Whether quantum-native consensus mechanisms will eventually become relevant to bitcoin's architecture remains speculative, but the BTQ paper provides a theoretically grounded argument for why the path to quantum-resilient bitcoin leads through redesign rather than acceleration of existing mining.
10. The Calibration the Quantum Narrative Needed
The cumulative contribution of these two papers is a calibration of a narrative that had been running ahead of the evidence. Quantum computing does pose genuine and serious long-term risks to bitcoin — specifically to the cryptographic foundations of wallet ownership. Those risks require active preparation, and the window for completing that preparation is not unlimited given the trajectory of hardware development.
What the papers demonstrate is that not all quantum risks are equal, not all "breakthroughs" are what they appear to be, and the specific threat of quantum mining domination is so far beyond any physically achievable scale that it can be removed from the near-term threat model entirely. The energy required to execute a quantum 51% attack on bitcoin's proof-of-work consensus is measured in stellar output. The energy required to attack a wallet whose public key has been exposed is measured in the power consumption of a future data center. The second problem is the one that deserves the industry's attention and resources.