Countdown to Quantum Computer Doomsday? Blockstream CEO: Bitcoin Has 20 Years of Preparation Time
Blockstream CEO Adam Back has said that Bitcoin may not face any cryptographically relevant quantum computer attack for the next 20 to 40 years. For years, quantum computers have been the crypto industry's favourite doomsday scenario, a threat that resurfaces every time a lab announces a new qubit milestone.
The Periodic Panic of Quantum Computer Apocalypse
For years, the quantum computer doomsday has been the most feared threat in the crypto assets domain: distant yet existential, it re-emerges every time a lab announces a qubit milestone. The story follows a predictable arc: researchers report an incremental breakthrough, “Bitcoin is dead” predictions erupt on social media, and then the news cycle moves on.
Adam Back's comments on X on November 15 cut through that noise and supplied something the field badly lacks: a timeline grounded in physics rather than panic. Back, CEO of Blockstream, created the Hashcash proof-of-work system that predates Bitcoin itself. Asked how to accelerate quantum research, he gave a blunt assessment: Bitcoin “may” not face any cryptographically relevant quantum attack in the next 20 to 40 years.
More importantly, he stressed that Bitcoin does not have to wait passively for that day. NIST has already standardized quantum-safe signature schemes (such as SLH-DSA), and Bitcoin can adopt them through soft-fork upgrades long before any quantum machine poses a real threat. His comments reframe the quantum doomsday from an unsolvable catastrophe into an engineering problem, one with decades available to solve it.
This distinction is crucial because the real vulnerability of Bitcoin is not what most people think. The threat does not come from the hash function SHA-256 used to secure the mining process, but from ECDSA and Schnorr signatures based on the secp256k1 elliptic curve, which are cryptographic technologies used to prove ownership. A quantum computer running Shor's algorithm can solve the discrete logarithm problem on secp256k1, deriving the private key from the public key, thereby rendering the entire ownership model ineffective. In the realm of pure mathematics, Shor's algorithm renders elliptic curve cryptography obsolete.
The Huge Gap Between Theory and Engineering Reality
However, mathematics and engineering live in different worlds. Breaking a 256-bit elliptic curve requires roughly 1,600 to 2,500 logical, error-corrected qubits, and each logical qubit needs thousands of physical qubits to maintain coherence and correct errors. An analysis building on the work of Martin Roetteler and three co-authors concluded that cracking a 256-bit EC key within the narrow time window of a Bitcoin transaction would take approximately 317 million physical qubits at realistic error rates.
It helps to understand where quantum hardware stands today. Caltech's neutral-atom system operates around 6,100 physical qubits, but those qubits are noisy and have no error correction. The more mature gate-based systems from Quantinuum and IBM can run dozens to hundreds of logical qubits. The distance between current capability and cryptographic relevance spans several orders of magnitude; closing it is not an incremental improvement but a chasm that demands fundamental breakthroughs in qubit quality, error correction, and scalability.
The National Institute of Standards and Technology (NIST) states plainly in its post-quantum cryptography explainer that no cryptographically relevant quantum computer exists today, and that expert predictions of when one will appear differ widely. Some experts think it could happen in “less than 10 years,” while others argue it will have to wait until after 2040. The median view clusters in the mid-to-late 2030s, which makes Back's 20-to-40-year window look conservative rather than reckless.
The leap from today's 6,100 physical qubits to the required 317 million demands not just engineering optimization but breakthroughs in fundamental physics. Quantum doomsday advocates routinely overlook this exponential gap, misreading incremental growth in qubit counts as an imminent threat.
The migration roadmap is already in place and maturing
Back's remark that “Bitcoin can upgrade over time” points to concrete proposals already circulating among developers. BIP-360, titled “Pay to Quantum Resistant Hash,” defines a new output type whose spending conditions include both classical and post-quantum signatures. A single UTXO can be spent under either scheme, allowing a gradual migration rather than a hard cut-over.
Jameson Lopp and other developers have laid out a multi-year migration plan built on BIP-360. First, a new PQ-capable address type is added through a soft fork. Then holders are gradually encouraged, or subsidized, to move coins from vulnerable outputs to PQ-protected outputs, with some block space in each block reserved for these “rescue” transactions. Similar transition plans were proposed in academia as early as 2017.
Existing analyses show why this matters. Approximately 25% of Bitcoin (around 4 to 6 million coins) sits in output types where the public key is already visible on chain. Early pay-to-public-key (P2PK) outputs, reused P2PKH addresses, and some Taproot outputs fall into this category. Once a Shor attack on secp256k1 becomes feasible, these coins become immediate targets.
Bitcoin's layers of protection against quantum threats
High-risk assets (25%): old addresses with exposed public keys, directly attackable by a quantum computer.
Medium-risk assets: modern addresses that have been reused, so the public key was exposed by the first spend.
Low-risk assets: brand-new, unused SegWit or Taproot addresses, with the public key hidden behind a hash.
Zero-risk assets: addresses that adopt a PQ signature scheme in the future, fully resistant to quantum attacks.
Modern best practice already provides a considerable degree of protection. Users who spend from brand-new P2PKH, SegWit, or Taproot addresses without reusing them gain a critical time advantage. For these outputs the public key stays hidden behind its hash until the first spend, which compresses the attacker's window for running Shor's algorithm to the mempool confirmation period, measured in minutes rather than years.
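As an added illustration (not code from the article or from any Bitcoin project), the following Python triages an output into the tiers above from its scriptPubKey alone, the way an exposure audit of a wallet's UTXOs would. It assumes the caller supplies whether the address has been spent from before, since that requires chain history; the sample scripts are constructed, not taken from a real chain.

```python
# Constructed sample scriptPubKeys (hex); not real on-chain outputs.
SAMPLES = {
    "p2pk":   "21" + "02" + "ab" * 32 + "ac",   # <33-byte pubkey> OP_CHECKSIG
    "p2pkh":  "76a914" + "11" * 20 + "88ac",    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    "p2wpkh": "0014" + "22" * 20,               # OP_0 <20-byte key hash>
    "p2tr":   "5120" + "33" * 32,               # OP_1 <32-byte x-only output key>
}


def classify_script(spk_hex):
    """Return (script_type, key_exposed) for a scriptPubKey given as hex.

    key_exposed is True when the public key itself sits in the script,
    i.e. a Shor-capable attacker would not need to wait for a spend.
    """
    b = bytes.fromhex(spk_hex)
    n = len(b)
    # P2PK: a 33- or 65-byte key push followed by OP_CHECKSIG (0xAC).
    if n in (35, 67) and b[0] == n - 2 and b[-1] == 0xAC:
        return "p2pk", True
    # P2PKH: only HASH160(pubkey) is on chain until the output is spent.
    if n == 25 and b[:3] == b"\x76\xa9\x14" and b[-2:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20> OP_EQUAL; the redeem script stays hidden until spend.
    if n == 23 and b[0] == 0xA9 and b[1] == 0x14 and b[-1] == 0x87:
        return "p2sh", False
    # Native SegWit v0: hash of the key (P2WPKH) or of the witness script (P2WSH).
    if n == 22 and b[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and b[:2] == b"\x00\x20":
        return "p2wsh", False
    # Taproot: the tweaked x-only output key is placed directly in the script.
    if n == 34 and b[:2] == b"\x51\x20":
        return "p2tr", True
    # Unrecognised scripts are treated as exposed, the conservative choice for triage.
    return "unknown", True


def risk_tier(spk_hex, previously_spent_from):
    """Map an output to the article's tiers: high / medium / low."""
    _, exposed = classify_script(spk_hex)
    if exposed:
        return "high"        # public key already visible on chain
    if previously_spent_from:
        return "medium"      # hash-based, but the key leaked in an earlier spend
    return "low"             # hash-based and never spent from: key still hidden
```

The fourth tier, PQ-protected outputs, cannot be recognised from a scriptPubKey today because no such output type is yet deployed.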
Post-Quantum Toolbox is Ready
Back's mention of SLH-DSA was not incidental. In August 2024, NIST finalized its first batch of post-quantum standards: FIPS 203 ML-KEM for key encapsulation, FIPS 204 ML-DSA for lattice-based digital signatures, and FIPS 205 SLH-DSA for stateless hash-based signatures. NIST has also standardized XMSS and LMS as stateful hash-based schemes, and the lattice-based Falcon scheme is still under development.
Bitcoin developers can therefore choose from a range of NIST-approved algorithms with reference implementations and libraries to draw on. Bitcoin-focused implementations already support BIP-360, showing that the post-quantum toolkit exists and keeps maturing. The protocol does not need to invent new mathematics; it can adopt established standards that have been through years of cryptanalysis.
That does not make implementation smooth sailing. A 2025 paper studying SLH-DSA found implementations vulnerable to Rowhammer-style fault attacks, a reminder that even when security rests on well-studied hash functions, the implementation still needs hardening. Post-quantum signatures also cost more than classical ones in size and verification time, raising concerns about transaction scalability and cost. But these are engineering problems with known parameters, not unsolved mathematical puzzles.
The difference between the doomsday scenario of quantum computers and the actual engineering challenges is that the former is an uncontrollable physical threat, while the latter is a problem that can be solved through software upgrades, community coordination, and time management.
The threat in 2025 is governance, not quantum physics
BlackRock's iShares Bitcoin Trust (IBIT) amended its prospectus in May 2025 to add extensive disclosure on quantum computing risk, warning that sufficiently advanced quantum computers could compromise Bitcoin's cryptography. Analysts immediately recognized this as standard risk-factor disclosure, boilerplate language listed alongside generic technology and regulatory risks, not a signal that BlackRock expects a quantum attack soon. The near-term threat is investor sentiment, not quantum hardware.
A 2025 study posted on SSRN found that quantum computing news pushes some capital into quantum-themed cryptocurrencies, while established cryptocurrencies show only slight negative returns and a spike in trading volume around such news, not structural repricing. Looking at what actually drove Bitcoin in 2024 and 2025, the answers are ETF flows, macroeconomic data, regulation, and liquidity cycles; quantum computing rarely appears as a direct cause.
The real test of Bitcoin's quantum resilience is therefore: can developers reach consensus around BIP-360 or a similar proposal; can the community incentivize migration of legacy coins without a split; and can communication stay rational enough that panic does not outrun the physics. In 2025, quantum computing is a governance challenge that calls for a 10-to-20-year roadmap, not a catalyst for this cycle's price action. The physics moves slowly, but the roadmap is clearly visible. Bitcoin's job is to adopt PQ-ready tools before the hardware arrives, and to do so without deadlocking governance, so that a solvable problem does not become a self-inflicted crisis.