Research

Google's 2030 Quantum Deadline and What It Means for Crypto

Google's Willow chip and NIST's 2030 ECDSA deprecation deadline have reset the quantum threat timeline. Here is what current hardware actually means for Bitcoin, why the migration window is narrowing fast, and what a quantum-safe blockchain looks like.

QuanChain Research
July 2, 2026
9 min read
Share

Why 2030 Is the Date Everyone in Crypto Needs to Know

In December 2024, Google unveiled the Willow quantum chip. In April 2026, Coinbase's Advisory Council estimated that roughly 6 to 6.9 million BTC — about 28 to 30 percent of the circulating supply — sits in addresses that use quantum-vulnerable P2PK signatures. And NIST's IR 8547 draft states plainly that ECDSA should be deprecated by 2030 and fully disallowed by 2035.

None of these events is a fire alarm on its own. Together, they mark a boundary. The question for every blockchain developer, institution, and long-term holder is no longer "will quantum computing threaten crypto?" It is "how much time is left to migrate, and is migration even possible?"

This article answers both questions with specific numbers, a clear timeline, and an honest assessment of where the industry stands in mid-2026.

What Did Google's Willow Chip Actually Prove?

Google's Willow quantum chip, announced in December 2024, has 105 physical qubits. It solved a specific random circuit sampling benchmark in about 5 minutes — a task that Google estimates would take today's fastest classical supercomputer 10 septillion years. That number is real. The benchmark is also deliberately chosen for quantum advantage, not for cryptographic relevance.

The critical distinction is between a demonstration of quantum supremacy and a demonstration of cryptographic threat. Willow showed that quantum processors can outperform classical machines on a narrow class of problem. It did not show that those processors can break ECDSA. To understand why, you need to understand the difference between physical qubits and logical qubits.

For a deeper look at what quantum supremacy actually means versus what it is often reported to mean, see our article on quantum supremacy vs. quantum advantage.

How Many Qubits Does It Take to Break Bitcoin?

Breaking Bitcoin's ECDSA secp256k1 signature scheme requires an estimated 4,000 or more logical, error-corrected qubits. Google's Willow chip has 105 physical qubits. At current error rates, each logical qubit requires roughly 1,000 physical qubits for reliable error correction. This means the world's most advanced public quantum processor is approximately 4 million physical qubits short of the threshold needed to threaten Bitcoin.

The 4,000 logical qubit figure comes from academic estimates for running Shor's algorithm against 256-bit elliptic curve discrete logarithm — the mathematical problem that protects ECDSA private keys. Some estimates place the requirement as high as 10,000 logical qubits, depending on the error correction scheme and algorithm optimizations used.

The physical-to-logical qubit ratio is the crux of the problem. Physical qubits are noisy. They decohere within microseconds to milliseconds and produce errors at rates that make direct computation unreliable. Quantum error correction encodes one logical qubit across many physical qubits so that errors can be detected and corrected. Current surface code implementations require roughly 1,000 physical qubits per logical qubit.

The details of different qubit types and quantum hardware architectures matter here — superconducting qubits, trapped ions, and photonic approaches all have different error profiles, which changes the physical-to-logical overhead.

What Is Google's Quantum Computing Timeline?

Google has set internal targets to reach 1 million physical qubits by approximately 2029. That is a roughly 10,000-fold increase from Willow's 105 qubits. If achieved, it would put Google within the physical qubit range needed to support a cryptographically relevant quantum computer — but only if error correction efficiency improves in parallel.

Google's roadmap is ambitious and subject to the same scaling challenges every quantum hardware team faces: qubit connectivity, coherence times, gate fidelity, and the engineering complexity of cryogenic systems at scale. Doubling qubit count is not the same as doubling capability.

IBM's roadmap runs on a parallel track. The company has publicly targeted a 100,000 qubit system by 2033. For context on how IBM's approach compares, see our IBM quantum roadmap analysis.

The Quantum Threat Timeline: 2024 to 2035

The following table maps the key milestones from Google's Willow announcement through NIST's enforcement deadlines. These are not predictions of when Bitcoin breaks — they are the documented hardware targets and regulatory dates that define the migration window.

Year Event Significance for Crypto
2024 Google Willow — 105 physical qubits Quantum supremacy on benchmark task. No cryptographic threat.
2026 Current state — hundreds of physical qubits across labs No quantum computer can break ECDSA today. Migration window is open but narrowing.
2029 Google's internal target: 1 million physical qubits Physical qubit count enters the theoretical range for a CRQC if error correction improves significantly.
2030 NIST IR 8547 draft: ECDSA deprecation target Federal systems and regulated industries must begin migration off ECDSA.
2033 IBM targets 100,000+ qubit system Large-scale quantum systems from multiple vendors increase CRQC probability.
2035 NIST IR 8547 draft: ECDSA disallowed ECDSA-based systems are out of compliance. Blockchain networks face existential regulatory and security risk.

Current Hardware vs. What's Needed to Break ECDSA

Metric Best Available (2026) Required to Break ECDSA
Physical qubits ~105 (Google Willow, Dec 2024) ~4–10 million (estimated)
Logical (error-corrected) qubits <1 (experimental demonstrations only) ~4,000–10,000
Physical-to-logical ratio (current) ~1,000:1 Needs to drop significantly (target: ~100:1 or better)
Error rate per gate ~0.1–1% (system dependent) <0.01% for viable error correction at scale
Time to break one ECDSA key Not feasible at any timescale Estimated hours on a sufficiently fault-tolerant system

The "Harvest Now, Decrypt Later" Threat Is Already Active

The most misunderstood aspect of the quantum threat is that it does not require quantum computers to exist today. Sophisticated adversaries are already recording encrypted blockchain data with the explicit goal of decrypting it when quantum hardware matures.

This is called the Harvest Now, Decrypt Later (HNDL) attack. On a public blockchain like Bitcoin, every transaction is permanently, publicly recorded. The public keys exposed in P2PK outputs, the transaction graphs, the address histories — all of it is already harvested. No active effort is required. A quantum attacker in 2031 just downloads the blockchain.

This is why the NIST 2030 deprecation deadline is not about when quantum computers will definitely break ECDSA. It is about when encrypted data recorded today must be assumed vulnerable. The NIST IR 8547 draft threat model accounts for the fact that adversaries with long time horizons can afford to wait.

For Bitcoin specifically, the HNDL risk is concentrated in early outputs. Coinbase's Advisory Council estimated in April 2026 that 6 to 6.9 million BTC — roughly 28 to 30 percent of supply — sits in P2PK addresses that expose the public key directly. For more on this specific risk, see our breakdown of Satoshi's coins and quantum risk.

When Will Quantum Computers Break Bitcoin?

No quantum computer can break Bitcoin's ECDSA signatures today, and the most optimistic credible timeline places a cryptographically relevant quantum computer in the early-to-mid 2030s at the earliest. However, asking "when does it break?" is the wrong question. The right question is "when must migration be complete?" — and that answer is significantly sooner.

Migrating a major blockchain from ECDSA to a post-quantum signature scheme is not a software update. It requires protocol-level changes, wallet software upgrades across every user and service provider, exchange integrations, hardware wallet firmware updates, and a coordinated multi-year transition. Industry estimates for this kind of migration run from 5 to 10 years.

Understanding how Grover's algorithm compounds the hash function risk alongside Shor's ECDSA attack is also important for understanding the full threat surface.

What NIST's 2030 Deadline Actually Requires

The NIST IR 8547 draft is the most concrete regulatory signal the crypto industry has received about the quantum threat. It states two things plainly:

  • ECDSA should be deprecated by 2030 — new systems should not adopt it, and existing systems should begin migration.
  • ECDSA should be disallowed by 2035 — systems under federal jurisdiction must have completed migration.

NIST has already finalized three post-quantum cryptographic standards. NIST FIPS 204 standardizes ML-DSA as the primary post-quantum signature scheme. FIPS 205 standardizes SLH-DSA. FIPS 203 standardizes ML-KEM for key encapsulation. These are published federal standards, not proposals. The full context of the NIST post-quantum migration timeline explains what compliance means in practice.

QuanChain's Approach: Quantum-Safe from Genesis

The migration problem that faces Bitcoin and Ethereum does not exist for QuanChain, because QuanChain was built with post-quantum cryptography as a first-class design constraint from the first block.

Every transaction on QuanChain uses ML-DSA-87, the highest security level of the algorithm standardized in NIST FIPS 204. ML-DSA-87 provides 256-bit post-quantum security. There is no ECDSA on QuanChain's chain, no P2PK outputs, and no legacy key material to migrate.

QuanChain also implements the TADEQS architecture — Threat-Adaptive Dynamic Encryption and Quantum Security — which ensures no public key is ever exposed on-chain. This eliminates the HNDL attack surface at the protocol level. For a deeper explanation of how the algorithm works, see our article on ML-DSA and the CRYSTALS-Dilithium family.

What the Crypto Industry Should Do Right Now

The 2030 NIST deadline is four years away. The migration window for major blockchain infrastructure is measured in years, not months. These two facts together create a clear priority order for anyone building or holding digital assets:

  1. Audit signature exposure. Identify which wallets, contracts, and protocol components use ECDSA or other quantum-vulnerable schemes.
  2. Evaluate migration feasibility. For existing blockchain networks, understand concretely what a post-quantum migration would require and what the realistic timeline is.
  3. Move long-term holdings to quantum-safe infrastructure. Assets intended to be held for a decade or more should be evaluated against the 2030 to 2035 regulatory timeline.
  4. Build new applications on post-quantum foundations. Any infrastructure being designed today that is expected to still be running in 2030 should use NIST-standardized post-quantum algorithms from the start.

Frequently Asked Questions

Frequently Asked Questions

Related Articles