Q-Day could destroy bitcoin – and our retirement savings

My first exposure to bitcoin was unglamorous. It was the early 2010s, and I heard about it through the chatter of students in my college maths classes and the occasional report of the cryptocurrency being used on black markets like the infamous Silk Road. Bitcoin’s siren song rang loudly for some of my peers, but my ears were stuffed with pure physics: Slater determinants, Raman scattering and Cooper pairs. I mean to say that I was striving towards some romanticised idea of being an old-school theoretical physicist, and something like “mining for crypto” just didn’t seem to be a part of that. Recently, however, I have learned that I may have been naïve, as the issue of bitcoin and its safety became relevant to my work as a physics reporter – and also to my savings.

This change in perspective started a couple months ago when researchers at Google, the Ethereum Foundation (a non-profit that supports the eponymous cryptocurrency) and a couple of universities published a 57-page paper on the threat quantum computers represent to the safety of various cryptocurrencies. I saw the paper while I was eating breakfast in my dining room in Queens, New York, and by the time I made it to New Scientist’s Manhattan office about an hour and a half later, I knew it would overtake my life for the next day.

The whirlwind feeling of breaking news whipped up as a second paper by researchers at the quantum computing start-up Oratomic appeared online. It didn’t just echo the imminent threat quantum computers posed to cryptocurrency, but reinforced it with an even more aggressive timeline for when we might see it become real. The key metric in either paper was the number of quantum bits – or qubits, which are the building blocks of any quantum computer – that a device would need to break one very commonly used form of encryption. Google’s team put the number at 500,000 qubits, while the researchers at Oratomic argued for 10,000. This is shockingly close to the largest qubit array that already exists, which counts 6100 qubits.

These qubits have not been used in a computation yet, but it is increasingly feeling like we are nearing a cryptography crisis – so-called Q-Day, when quantum computers render most codes currently safeguarding our digital communications and transactions ineffective. Accordingly, Google has been urging everyone to move to post-quantum cryptography (PQC), which would prevent Q-Day, by 2029.

Could quantum computers really become such villains so soon? I called everyone I could and did my best to figure out how much of a threat quantum computers are to encryption in general, my interest being wider than cryptocurrencies. But researchers kept bringing up bitcoin.

The type of encryption bitcoin uses is built around what’s called the elliptic curve discrete logarithm problem (ECDLP). The idea is simple: this is a mathematical problem that is incredibly hard to solve for conventional computers, so if cracking encryption can be reduced to solving ECDLP, then that encryption should be incredibly safe. Because of this, ECDLP-based encryption is widely used. For instance, it protects many internet communications like bank transactions, and it is also used for securing nearly every major cryptocurrency.

But for almost three decades researchers have also understood, with a high degree of certainty, that a powerful enough quantum computer could easily break all that. They even have a mathematical recipe for how to do so – the famous Shor’s algorithm.

Turning Shor’s into a program that could be run on a real machine, however, has proved troublesome. First and foremost, a large and error-proof quantum computer didn’t exist in the 1990s, or the 2000s, or the 2010s – and it still really doesn’t in the 2020s. But quantum computers keep getting bigger. And alarmingly, the estimates of how big a quantum computer needs to be to break ECDLP-based encryption with Shor’s algorithm keep decreasing. In 2019, researchers were debating about tens of millions of qubits; now, Oratomic was putting forward a much less intimidating 10,000.

Moreover, Google’s researchers say that the first sign that quantum computers have lived up to their promise as dangerous decryption machines may appear on the blockchain, the technology that underpins how cryptocurrencies work. Specifically, researchers identified a way in which a quantum computer could perform an “on-spend” attack, stealing the currency being transferred during the roughly 10-minute window it takes to make a bitcoin transaction.

Reading between the lines of the paper, it was clear to me that it was meant to raise concerns among bitcoin users, to make them take PQC more seriously. That’s necessary because bitcoin has a decentralised governance structure, which means any changes to its protocol require consensus among users.

“I’m very worried, and I very much agree with what Google is saying,” cryptocurrency pioneer Eli Ben-Sasson at StarkWare told me a few weeks later. “I’m very disappointed by the ossification of bitcoin development.” JP Aumasson, a cryptographer who worked on one of the signature PQC algorithms, echoed the sentiment. “I’m really not impressed by what they [the bitcoin community] have been doing in terms of post-quantum transition,” he plainly told me, even as he admitted reservations about whether cryptographically relevant quantum computers will arrive as soon as many experts now predict them to.

The worlds of technology, finance and nearly everyone else who worries about information security are now considering changing all of their encryption to quantum-safe algorithms and protocols by the end of the decade. Aumasson predicts we have until 2036 rather than 2029 to make the switch, a less hurried timeline. But he says that bitcoin users ought to be an exception. “When I see the decision-making process of the bitcoin community and how fast, or maybe how slow, they move, I think they better hurry up,” he says.

One particularly worrisome aspect of the threat facing bitcoin is that the safety of currencies – crypto or otherwise – relies not just on technology but also on perception. “It might be sufficient to just spread the rumour [that bitcoin is vulnerable]… then the market will panic,” says Aumasson. The financial losses would be enormous.

Several proposals for how to make bitcoin quantum-safe through a software update already exist, but putting them into action would require the disparate and wide bitcoin community to reach consensus on whether, how and when to do so. It’s been roughly half a decade since bitcoin’s last such effort and Ben-Sasson says that, in recent years, any issue concerning changes to bitcoin’s infrastructure has attracted controversy and conflict. “We’re in this very sad state where everyone, I think, understands what is needed and knows that it’s not a big deal, but everyone’s sort of afraid of even talking about it, because who knows when anonymous, crazy crypto mobs are going to attack you,” he says.

Avihu Levy, one of Ben-Sasson’s colleagues at StarkWare, recently developed a way to make bitcoin quantum-safe without a software update, but the amount of computational power that this would require for every new, safe transaction would be so great that it would increase the cost of doing business more than 200 times.

It’s everyone’s problem

The trouble at hand is a diabolical intertwining of emerging technology, advanced mathematics and plain old follies of human nature. But, as someone who has more or less successfully tuned out any noise about bitcoin for nearly a decade, I found myself wondering: do I, too, have to care about this now? Or could my refusal to participate in anything blockchain-related protect me from bitcoin’s messy clash with quantum technology? To my horror, the answer to the latter question turned out to almost certainly be a resounding “no.”

This is because I, like many workers in the US, have a retirement account. In June of 2025, New York Times finance columnist Jeff Sommer reported on uncovering unexpected bitcoin in his own retirement account. It snuck in because his account was connected to an index fund that included stock from a company known as Strategy, whose primary asset is bitcoin. As I am writing this in May 2026, Bitcoin Treasuries, a website that tracks digital assets, has Strategy firmly at number one when it comes to public companies that own bitcoin. As Sommer’s reporting made clear, investment funds run by all the prominent companies in that space, such as Fidelity, Vanguard, BlackRock and Morgan Stanley, include shares of Strategy.

My own retirement account is run by Fidelity, so chances are that if the price of bitcoin were to fluctuate wildly – for instance, because of a quantum panic – there would be a ripple effect that runs from bitcoin to Strategy to Fidelity to my ability to retire. Several US states, including California, North Carolina, Texas and Louisiana, hold shares of Strategy in retirement funds they have set up, for instance, for state employees and public school teachers. Recently, the administration of President Donald Trump indicated that it wanted to make it easier to fold cryptocurrency directly into retirement accounts, for instance by rescinding past guidance against it. While definitive regulatory changes have not happened yet, some in the cryptocurrency community see them on the horizon.

No simple solution seems to be in sight, other than rooting for and encouraging cooperation among people invested in bitcoin’s future. We built much of what is good in society by working together; futuristic technologies such as quantum computing and the blockchain should not give us a blanket permission to forget that consensus is one of the oldest and most important enabling technologies. Ben-Sasson has co-authored a book on cryptocurrency that he hopes will bring more educated and rational users into the fold. The government could help too, and Aumasson was quick to remind me that regulations, fines and public shame can go a long way.

While the current administration in the US seems to be very much leaning away from regulating cryptocurrency, this could change following elections in the next few years. And though it is always a fool’s errand for a journalist to try to predict the future, I am keeping my fingers crossed for my retirement.