ResearchBeginner11 min read2026-07-16

Quantum Computing Threat Timeline for Blockchain: 2024 to 2035

TL;DR: Quantum computers cannot yet break Bitcoin or Ethereum encryption. Today's machines are in the "NISQ era": powerful enough to demonstrate quantum phenomena but far too noisy for the fault-tolerant operation needed to run Shor's algorithm against real cryptographic keys. The Webber et al. 2022 research estimates roughly 4,000 logical qubits are needed to break 256-bit elliptic curve cryptography, a threshold credible estimates place in the mid-2030s. Start migrating now because the data being stored on-chain today will still be vulnerable then.

What "NISQ Era" Means and Why It Matters for Blockchain

NISQ stands for Noisy Intermediate-Scale Quantum. It describes the current generation of quantum computers: machines with 50 to several thousand physical qubits that can perform quantum operations but make too many errors to run complex algorithms reliably without fault-tolerant error correction. Today's quantum computers cannot break Bitcoin's elliptic curve cryptography, and will not be able to until they cross the fault-tolerant threshold.

Understanding the NISQ era is important because it separates the real quantum threat timeline from both premature alarm and unwarranted dismissal. Quantum computers have been running real experiments for years. Google's Sycamore processor demonstrated a form of quantum computational advantage in 2019 with 53 qubits. IBM's processors have grown from 27 qubits in 2019 to over 1,000 physical qubits by late 2023. These milestones are real and meaningful. But raw qubit count tells only part of the story: what matters for cryptographic attacks is the number of logical, error-corrected qubits, and those require many physical qubits per logical qubit to implement quantum error correction.

The distinction between physical and logical qubits is the central concept for assessing the quantum threat to blockchain. Physical qubits are the actual quantum hardware components. They make mistakes. Logical qubits are error-corrected computational units built from many physical qubits working together; they are reliable enough to run complex algorithms. The ratio of physical to logical qubits required depends on the error rate of the physical hardware and the error correction code used, but typical estimates range from hundreds to thousands of physical qubits per logical qubit under current technology. This is why a machine with over 1,000 physical qubits is still far from the fault-tolerant cryptographic attack threshold.

Key Hardware Milestones from 2019 to 2025

Tracking quantum hardware milestones gives a factual baseline for assessing how quickly the field is progressing. The most publicly documented milestones come from IBM, Google, and a small number of other major players. These numbers are verifiable from published announcements and peer-reviewed papers.

Year System Physical Qubits Significance
2019 Google Sycamore 53 Claimed quantum computational advantage on a narrow benchmark task
2021 IBM Eagle 127 First IBM processor to exceed 100 qubits; introduced heavy-hex qubit layout
2022 IBM Osprey 433 More than tripled Eagle's qubit count; error rates remained a limiting factor
2023 IBM Condor 1,121 First quantum processor to exceed 1,000 qubits; still NISQ, not fault-tolerant
2023 IBM Heron 133 Smaller count but significantly improved error rates; IBM's focus shifted to quality over quantity
2024 Google Willow 105 Demonstrated below-threshold error correction: adding more qubits reduced error rates, a prerequisite for fault-tolerant operation

The Google Willow result in December 2024 is particularly significant for the long-term timeline. Demonstrating that error rates decrease as qubit count increases (below-threshold error correction) is the key engineering proof-of-concept needed for scalable fault-tolerant quantum computing. It does not mean fault-tolerant machines are imminent, but it removes one of the major theoretical uncertainties about whether scaling up physical qubit counts can yield useful logical qubits.

What "Cryptographically Relevant" Actually Means

A cryptographically relevant quantum computer is one powerful enough to run Shor's algorithm against real cryptographic key sizes within a practical time window, typically defined as hours to days rather than years or millennia. No such machine exists today. The term distinguishes machines that can threaten real-world cryptography from the NISQ-era machines that are scientifically interesting but cannot execute the sustained, error-free computation required for cryptographic attacks.

Shor's algorithm solves the discrete logarithm problem and the integer factorization problem, the two mathematical foundations of ECDSA and RSA respectively, in polynomial time on a fault-tolerant quantum computer. Running Shor's algorithm against a 256-bit elliptic curve key (the size used by Bitcoin and Ethereum) requires a quantum circuit with millions of gates executed reliably in sequence. Current NISQ machines can run circuits with hundreds to thousands of gates before errors accumulate to the point of producing garbage output. The gap between "thousands of gates" and "millions of gates" is enormous in engineering terms.

The practical significance of "cryptographically relevant" for blockchain holders is that the threat is not a binary switch that flips on a single date. Quantum computing capability is increasing incrementally. At some point on that incremental curve, machines will exist that can break a 256-bit elliptic curve key in days. Later, in hours. Eventually in minutes. The data that is on-chain today, including all those exposed ECDSA public keys, will still be there when machines reach each of those thresholds. Use the QuanChain quantum threat calculator to estimate your current exposure level based on your address types and holdings.

The Webber et al. 2022 Resource Estimate

The most widely cited quantitative analysis of the quantum computing resources needed to break Bitcoin's cryptography is the 2022 paper by Mark Webber and colleagues, titled "The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime," published in AVS Quantum Science. It provides the most detailed engineering analysis of the physical qubit requirements for cryptographic attacks available in the peer-reviewed literature.

The Webber et al. paper estimates that breaking a 256-bit elliptic curve key in one hour requires approximately 317 million physical qubits, assuming current error-correction approaches with superconducting qubit technology. For a longer attack window of one day, the estimate drops to approximately 13 million physical qubits. A one-month attack window, which would be sufficient to threaten long-held dormant addresses, requires approximately 1.9 million physical qubits.

In terms of logical qubits, the core of the computation requires approximately 4,000 fault-tolerant logical qubits for the elliptic curve discrete logarithm computation. The large physical qubit counts in the paragraph above reflect the overhead needed to encode those 4,000 logical qubits using quantum error correction at the assumed physical error rates. As physical error rates improve (as demonstrated in the Google Willow result), the physical-to-logical ratio improves, reducing the physical qubit requirement for a given attack timeline.

The paper's analysis is based on specific hardware assumptions that will evolve over time. It should be read as a quantitative lower bound on complexity under stated assumptions, not as a precise prediction of when the attack becomes feasible. The authors explicitly note that improvements in qubit connectivity, gate fidelity, and error correction code efficiency could reduce the resource requirements substantially. The paper is available at AVS Quantum Science for readers who want to examine the assumptions directly.

NIST Migration Deadlines and the Regulatory Timeline

NIST and other standards bodies have published concrete migration deadlines that organizations should treat as outer bounds rather than targets. The NSA's CNSA 2.0 guidance (October 2022) mandates that all national security systems complete transition to approved post-quantum algorithms by 2033, with milestones beginning in 2025. NIST's own transition guidance in SP 800-131A sets deprecation timelines for legacy algorithms that create compliance obligations for regulated industries.

The key milestones from NIST and NSA guidance that blockchain participants should track are: the deprecation of ECDSA for new systems in national security applications from 2025 onward (CNSA 2.0); the expected finalization of additional NIST PQC standards (beyond the August 2024 FIPS 204/205/206 publications) covering signature schemes with smaller keys; and the 2030 to 2033 window by which all ECDSA-based systems in regulated sectors are expected to be fully migrated.

These deadlines affect blockchain primarily through their downstream regulatory impact. Financial institutions, custodians, and enterprise blockchain users operating under financial regulation, healthcare data rules, or government contracts will face compliance requirements to demonstrate PQC migration before those deadlines arrive. Blockchain networks and applications that have not built migration paths by 2028 to 2030 risk being unusable for regulated use cases before the quantum threat itself becomes technically active.

What to Watch Between Now and 2035

Tracking quantum computing progress does not require reading every research paper. A small set of indicators will tell you when the threat timeline is compressing faster than expected.

The most important indicator is fault-tolerant logical qubit demonstrations. The Google Willow result (December 2024) showed below-threshold error correction in a limited system. Watch for announcements of sustained logical qubit operation across circuits with thousands of gates: that is the engineering milestone that bridges from NISQ to early fault-tolerant operation. IBM's public roadmap targets fault-tolerant demonstrations in the latter half of the 2020s.

The second indicator is algorithmic improvements. Quantum cryptanalysis research occasionally produces results that reduce the resource requirements for attacking specific cryptographic schemes. Any peer-reviewed result claiming to reduce the qubit count for attacking 256-bit elliptic curve keys below the Webber et al. estimates should be treated as a timeline compression signal.

The third indicator is government and financial sector behavior. When national security agencies accelerate their own PQC migration timelines beyond what is publicly announced, or when major financial institutions publish quantum migration completion announcements ahead of regulatory deadlines, it may signal non-public intelligence about quantum capability advances. The NSA's proactive CNSA 2.0 announcement in 2022, several years before any public quantum computing breakthrough that would seem to require it, is itself worth noting as a possible leading indicator.

The QuanChain quantum threat calculator incorporates updated hardware milestone data and provides a real-time estimate of the time horizon for cryptographic risk to specific address types and holding values. Use it to translate these abstract milestones into concrete exposure estimates for your specific situation.

Frequently Asked Questions