Your Bitcoin Is on Borrowed Time
An interactive deep-dive into post-quantum cryptography for blockchain — run real Dilithium, FALCON, and SPHINCS+ in your browser and see why the clock is ticking.
Two research papers landed in early 2025 and the crypto world hasn’t been the same since.
The first, from Google Quantum AI, took Shor’s famous algorithm — the one that theoretically breaks all public key cryptography — and tailored it specifically to crack Bitcoin and Ethereum signatures. Their result: a quantum computer running on just ~1,200 logical qubits can recover your private key from your public key. The quantum circuit is shockingly shallow — only ~100 million Toffoli gates. On a fast superconducting machine, each gate takes ~10 microseconds. Total runtime: under 17 minutes.
Not years. Not days. Minutes.
The second paper, from a Pasadena startup called Oratomic, took Google’s optimized circuit and asked: how many physical qubits does this actually need? Previous estimates said millions. Oratomic, using exotic error-correcting codes called qLDPC on neutral atom hardware, brought that number down to 26,000 physical qubits. That’s a 40x improvement over the previous state-of-the-art. The tradeoff: neutral atoms are slower (~100 Hz vs superconducting’s ~100 kHz), so a single crack takes ~10 days instead of minutes. But the hardware is dramatically simpler to build.
Here’s what makes this terrifying: 25% of all Bitcoin and 65% of all Ether sit in addresses where the public key is already exposed on-chain. Those funds can’t hide. The moment a sufficiently powerful quantum computer exists, they’re gone.
This post is an interactive companion to a research paper I co-authored comparing post-quantum signature schemes for blockchain. Instead of reading tables, you’ll run real cryptography in your browser — sign messages, race algorithms, and see exactly why the clock is ticking.
1. The quantum clock
There are two families of quantum computers racing toward this threshold — and they attack the problem differently.
Fast-clock machines (superconducting, photonic) run at ~100 kHz. Google, IBM, and others are building these. They’d crack a key in minutes, but need ~500,000 physical qubits using conservative surface code error correction (a 400:1 physical-to-logical ratio, already demonstrated by Google on real hardware last year).
Slow-clock machines (trapped ion, neutral atom) run ~1,000x slower at ~100 Hz. Oratomic is building these. A single crack takes ~10 days — but they need only 26,000 physical qubits thanks to more efficient error-correcting codes that bring the physical-to-logical ratio closer to 10:1.
Either way, the destination is the same. Watch the qubit count climb:
Once a fault-tolerant quantum computer crosses 1,200 logical qubits, Shor's algorithm can factor the elliptic-curve discrete log underlying ECDSA in ~minutes. At current trajectory, this window opens around 2030–2032 — Q-Day.
(P2PK outputs)
(reused addresses)
estimate
The confidence in Q-Day by 2032 — the day a quantum computer recovers a real private key — has shot up significantly. There may be at least a 10% chance it happens. And here’s the thing about low-hanging fruit: the Google optimizations came from surprisingly simple observations. Craig Gidney, the lead author and arguably the world’s top quantum circuit optimizer, squeezed a 10x improvement out of Shor’s algorithm for RSA just last year. This was his team’s first time attacking elliptic curves. AI hasn’t even been tasked to find optimizations yet. The logical qubit count could plausibly go under 1,000 soon.
One more thing that should keep you up at night: Google published their result using a zero-knowledge proof — they proved the algorithm works without revealing the actual optimizations. The message is clear: from now on, assume the best quantum attacks are being self-censored for commercial or national security reasons. A sudden blackout in academic publications would be the tell-tale sign.
2. What’s actually at risk
Let’s be precise about what breaks and what doesn’t.
Bitcoin mining (proof-of-work) is safe. Grover’s algorithm gives quantum computers a quadratic speedup on brute-force search — cutting SHA-256 mining from 2^256 to 2^128 operations. That sounds dramatic, but it’s still astronomically expensive. Commercially viable quantum mining is decades, possibly centuries away.
ECDSA signatures are not safe. Every Bitcoin transaction is signed with ECDSA on the secp256k1 curve. Every time you spend from an address, your public key goes on-chain. From that moment, a quantum computer with ~1,200 logical qubits can derive your private key and drain your wallet.
The worst part: harvest now, decrypt later. Adversaries can record today’s transactions and crack them years from now when quantum hardware matures. Your transaction from 2024 is a ticking time bomb.
Here’s the curve that secures trillions of dollars. Click on it to explore, or switch to signing mode to create a real ECDSA signature:
click near the curve to snap to a point and see its reflection
no point selected — click the curve
The security of ECDSA relies on one assumption: given a public key (a point on the curve), you cannot work backwards to find the private key. This is the elliptic curve discrete logarithm problem. Classical computers can’t solve it. Quantum computers can.
Key Generation: Pick a random integer d (private key). Compute Q = dG where G is the curve’s generator point. Q is your public key. The multiplication dG means “add G to itself d times” — easy to compute forward, impossible to reverse.
Signing: Hash the message to get e. Pick random k, compute point P = kG. The signature is (r, s) where r = P.x mod n, and s = (e + dr) * k^-1 mod n.
Verification: From (r, s), the message hash e, and public key Q, recompute the point P and check that P.x mod n equals r.
3. How it breaks: Shor’s algorithm
A classical computer trying to crack ECDSA would need to try every possible private key one at a time. For a 256-bit key, that’s 2^256 attempts — more than atoms in the observable universe. At a trillion guesses per second, it would take longer than the age of the universe. ECDSA is provably safe against classical attack.
Shor’s algorithm doesn’t guess. It cheats.
A quantum computer creates a superposition of all possible private keys — testing every single one simultaneously. Then it uses quantum interference to cancel out wrong answers and amplify the right one. One measurement, and the private key falls out.
The circuit is breathtakingly efficient: ~100 million Toffoli gates. Two clever optimizations bring the crack time to single-digit minutes. The first parallelizes computation across multiple quantum devices. The second feeds the public key to the quantum computer mid-flight, after a generic setup phase — meaning the expensive “boot up” only happens once, then you can crack key after key.
Watch it happen. The keys below are real — generated just now in your browser using the same secp256k1 curve that secures Bitcoin:
Ready. Press run to simulate Shor's algorithm.
This visualization is a simulation — running actual Shor’s requires a quantum computer. But the public key shown is genuine ECDSA, generated with @noble/curves in your browser. A quantum computer wouldn’t need to know the private key to find it. It would derive it from the public key alone.
4. The fix: post-quantum signatures
NIST has standardized three post-quantum signature schemes. Each relies on a different hard problem that quantum computers can’t solve. Let’s meet them.
Contender 1: CRYSTALS-Dilithium (lattice-based)
Dilithium’s security comes from the shortest vector problem in high-dimensional lattices. Try finding the shortest vector in 2D — then imagine doing it in 500 dimensions:
Click the lattice point closest to the origin (the yellow dot). In 2D, this is easy. In 500+ dimensions, it's believed to be impossible — even for quantum computers.
In 2D, your eyes do the work. In 500+ dimensions, this problem is believed to be NP-hard — no known algorithm, classical or quantum, can solve it efficiently. This is what makes Dilithium quantum-safe.
Now run real Dilithium signing in your browser:
Key Generation: Sample a random seed rho, expand into matrix A over polynomial ring R_q. Sample short secret vectors s1, s2. Compute t = As1 + s2. Public key is (rho, t1). Knowing A and t, recovering s1 is the Module-LWE problem — hard even for quantum.
Signing (Fiat-Shamir with Aborts): Sample masking vector y. Compute w = Ay. Hash high-order bits of w with message to get challenge c. Compute z = y + cs1. If z is too large (would leak info about s1), reject and retry. This “abort” mechanism is crucial for security.
Verification: Check that Az - ct1*2^d has the right high-order bits, and that ||z|| is bounded. No knowledge of s1 needed.
Contender 2: FALCON (NTRU lattice-based)
FALCON uses a different lattice construction — NTRU — combined with Fast Fourier sampling over a tree structure. It produces the most compact signatures among lattice schemes:
NTRU Equation: Find four polynomials f, g, F, G in Z[x]/(x^n+1) satisfying fG - gF = q mod (x^n+1). The public key is h = g/f mod q. The secret key is the full (f, g, F, G) basis.
Signing: Hash the message to a target point. Use the secret basis to sample a short lattice vector close to that point via discrete Gaussian sampling over the NTRU lattice. The short vector is the signature.
Why it’s compact: FALCON’s tree-based Gaussian sampling produces shorter signatures than Dilithium’s rejection sampling, but requires floating-point arithmetic during signing, making implementation more complex.
Contender 3: SPHINCS+ (hash-based)
SPHINCS+ takes a completely different approach — its security relies only on hash functions. No lattices, no number theory. If SHA-256 is secure, SPHINCS+ is secure. It uses a “hypertree” of Merkle trees:
Each leaf is backed by a WOTS+ key — a chain of hash function applications. To sign, you reveal a portion of the chain; to forge, an attacker would need to invert a hash. WOTS+ is used only once, preventing signature reuse attacks.
SPHINCS+ relies exclusively on the collision and preimage resistance of SHA-2 or SHAKE — no lattices, no number theory, no elliptic curves. The tradeoff: signatures are ~29 KB vs. ~3 KB for Dilithium, and signing takes ~860 ms vs. ~0.3 ms. But the security assumption is the most conservative of any NIST PQC standard.
WOTS+ (Winternitz One-Time Signatures): Each leaf node contains a WOTS+ key pair. To sign, iterate a hash function — the number of iterations per chain depends on the message hash digits. One key pair, one signature.
FORS (Forest of Random Subsets): A few-time signature scheme between the message and WOTS+. Splits the message hash into k chunks, each selecting a leaf from k small Merkle trees.
Hypertree: Multiple layers of Merkle trees stacked on top of each other. Each layer authenticates keys in the layer below. The root of the top tree is the public key.
Stateless: Unlike XMSS (stateful), SPHINCS+ randomly selects leaves. The hypertree structure is large enough that collisions are astronomically unlikely.
5. The showdown
Now let’s race them. ECDSA, Dilithium, and FALCON sign the same message live in your browser. SPHINCS+ data comes from the research paper (it’s too slow for a comfortable live demo — you’ll see why):
Dilithium is the speed king among post-quantum schemes — faster than ECDSA for key generation and verification. FALCON trades slower key generation for more compact signatures. SPHINCS+ is the slowest but has the strongest security assumptions (pure hash functions).
6. The elephant in the block
There’s a problem. Post-quantum signatures are huge. SPHINCS+ signatures are 29KB — compared to ECDSA’s 64 bytes. If every Bitcoin transaction carried a SPHINCS+ signature, a 1MB block would fit almost nothing:
every bitcoin transaction must include a public key and a signature so nodes can verify the sender. post-quantum signatures are dramatically larger — which directly limits how many transactions fit in each 1 MB block.
~10,416 transactions fit in a 1 MB block
~190 transactions fit in a 1 MB block
~639 transactions fit in a 1 MB block
~33 transactions fit in a 1 MB block
~33 transactions fit in a 1 MB block
Toggle IPFS to see the solution from our paper.
7. The IPFS trick
Instead of storing the full signature and public key on the blockchain, store them on IPFS (InterPlanetary File System) and put only the 32-byte content hash on-chain. Every algorithm’s on-chain footprint becomes identical — 32 bytes:
press "send a transaction" to begin
This approach reduces FALCON’s mining time by 57% and Dilithium’s by 50%. Block capacity is preserved while gaining quantum resistance.
8. So which one should you pick?
It depends on what you value. Adjust the weights below and see how the ranking shifts:
Drag the sliders to set what matters most to you. The ranking updates in real time.
Our paper’s recommendation: Dilithium + IPFS is the sweet spot for most blockchain applications. It has the fastest signing and verification, mature NIST standardization, and the IPFS integration solves its larger key/signature sizes. If you can’t use IPFS, FALCON’s compact signatures make it the better standalone choice.
The clock is ticking
Let’s recap what we know:
- The algorithm exists. Shor’s algorithm, optimized for secp256k1, needs ~1,200 logical qubits. The circuit is only 100M gates deep.
- The hardware is closing in. IBM shipped 4,158 qubits in 2025. Google demonstrated error correction on real hardware. Oratomic needs only 26,000 physical qubits.
- The timeline is real. There’s a meaningful chance of Q-Day by 2032. Not certain — but not negligible.
- The targets are exposed. 25% of Bitcoin and 65% of Ether have public keys sitting on-chain right now. They can’t be un-exposed.
- The threat is already active. Harvest-now, decrypt-later means adversaries are recording today’s transactions to crack them tomorrow.
But we also know:
- The replacements work. You just ran them in your browser. Dilithium signs in under a millisecond. FALCON produces compact signatures. SPHINCS+ relies only on hash functions.
- The standards are done. NIST finalized ML-DSA, FALCON, and SLH-DSA. The libraries are production-ready.
- The bloat is solvable. IPFS reduces every signature to 32 bytes on-chain, cutting mining times by 50%+.
The math is settled. The code exists. The only thing missing is the will to migrate.
Every day a blockchain runs on ECDSA alone is another day of accumulated debt to a future that’s arriving faster than anyone expected. The question was never if. It was always when. And “when” just got a lot closer.
Want to try signing your own messages? Head to the playground to run all four algorithms side by side on any text you want.
This post is based on our research paper: A Quantum-Resistant Blockchain System: A Comparative Analysis — Thanalakshmi, Rishikhesh, Marion Marceline, Joshi, Cho (Mathematics, 2023).