Stanford cryptographer Dan Boneh says Bitcoin should prepare for quantum computers, but he does not think panic helps. His warning is more practical: a rushed upgrade could create software bugs that hurt Bitcoin before quantum attackers do.
Good to Know
- Quantum computers could one day break some of the cryptography Bitcoin uses today.
- Dan Boneh says Bitcoin can survive that risk if developers plan the change carefully.
- A post quantum migration means moving Bitcoin users to new address and signature types designed to resist quantum attacks.
Bitcoin Faces a Slow Upgrade Challenge
Bitcoin security depends on cryptography. In simple terms, cryptography lets wallets prove ownership without exposing private keys. A private key is the secret code that lets you spend Bitcoin. A public key helps the network check that a transaction came from the real owner.
Quantum computers may one day threaten parts of that setup. Dan Boneh, a Stanford cryptographer, says Bitcoin should treat that risk seriously. However, he also thinks the main near-term danger may come from a rushed fix, not from a quantum computer suddenly breaking Bitcoin.
In an interview highlighted by Isabel Foxen Duke, Boneh summed up the issue with a careful warning: “Don’t panic, but don’t ignore.”
He also pushed back against very fast timelines. “If you try to aggressively move to a post quantum architecture, like for example by 2029, I think that would be a mistake for the blockchain,” Boneh said, adding that “a hasty transition to post quantum, in my mind, is more likely to cause a catastrophic bug than we’ll be attacked by a quantum computer.”
Changing Bitcoin is hard on purpose. Developers, node operators, miners, wallet providers, exchanges, and users all need enough time to test upgrades. A bug in a major cryptographic change could damage trust, freeze coins, or create problems across wallets and services.
The debate grew after a March 30 whitepaper from Google Quantum AI, coauthored by Boneh, looked at how Shor's algorithm could attack the 256-bit elliptic curve discrete logarithm problem used in secp256k1. Secp256k1 is the curve Bitcoin uses for many current signatures.
The paper estimated that such an attack could run with “≤1200 logical qubits and ≤90 million Toffoli gates” or “≤1450 logical qubits and ≤70 million Toffoli gates.” It also said certain superconducting systems with 10⁻³ physical error rates and planar connectivity “can execute in minutes using fewer than half a million physical qubits.”
Those figures sound technical, so here is the easy version. Researchers keep reducing estimates for how powerful a quantum computer would need to be before it can threaten old cryptographic systems. Boneh still does not see a cryptographically relevant quantum computer before 2035 as likely under current funding levels. He said a working threat by the end of the decade “seems very aggressive,” although not impossible if governments treated the field as a national priority.
Bitcoin developers already have proposals on the table. BIP 361, called “Post Quantum Migration and Legacy Signature Sunset,” says more than 34% of all bitcoin had revealed a public key on chain as of March 1, 2026. Coins in those UTXOs could become vulnerable if a strong enough quantum attacker appears.
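What "revealed a public key on chain" means for an individual output can be shown with a short audit script. This is an added example, not code from BIP 361 or from the article: it matches the standard Bitcoin output script templates, the `key_seen_before` flag is a caller-supplied assumption (for example, address reuse found in your own wallet history), and the sample UTXOs are constructed.

```python
# Added example: which outputs already show a public key on chain?
# Templates are the standard Bitcoin output scripts; all sample data is constructed.

def classify_script(spk_hex, key_seen_before=False):
    """Return (script_type, pubkey_exposed) for a hex-encoded scriptPubKey.

    key_seen_before: True if an earlier spend already published the key
    behind this hash (address reuse). Supplied by the caller.
    """
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG -> the key itself is in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2TR: OP_1 <push 32> <x-only output key> -> the key itself is in the output
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    # Hash-based templates: only a hash is on chain until the output is spent
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", key_seen_before
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", key_seen_before
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", key_seen_before
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", key_seen_before
    # Anything else (bare multisig, etc.) is not analysed: flag it for manual review
    return "unknown", True

def exposed_value(utxos):
    """Sum satoshis over (spk_hex, sats, key_seen_before) tuples: (exposed, total)."""
    exposed = total = 0
    for spk_hex, sats, seen in utxos:
        total += sats
        if classify_script(spk_hex, seen)[1]:
            exposed += sats
    return exposed, total

# Constructed sample set; the repeated bytes are placeholders, not real keys or hashes
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),   # P2PK
    ("5120" + "22" * 32, 1_000_000_000, False),               # P2TR
    ("76a914" + "33" * 20 + "88ac", 3_000_000_000, False),    # P2PKH, never spent from
    ("0014" + "44" * 20, 1_000_000_000, True),                # P2WPKH, reused address
]

if __name__ == "__main__":
    exposed, total = exposed_value(SAMPLE_UTXOS)
    print(f"{exposed} of {total} sats sit behind a visible public key")
```
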
Gotta Do Something
However, Boneh does not argue that Bitcoin should do nothing. He said Bitcoin “will survive” quantum risk and called claims that it cannot “insane.” The basic route is known: encourage users to move toward post quantum addresses and signatures, then slowly phase out older vulnerable transaction paths.
He wants more design work before Bitcoin commits to a hard schedule. He also prefers a longer transition window over a compressed one. That approach gives wallet makers and exchanges more time to test, and it gives ordinary users more time to move coins safely.
Boneh also raised the idea of hybrid signatures. A hybrid signature combines current elliptic curve cryptography with post quantum cryptography. That way, Bitcoin would not depend on only one new system overnight.
He also said he prefers lattice based signatures over purely hash based designs. Lattice based systems may leave more room for threshold signatures and later cryptographic improvements. Threshold signatures matter because they can let groups, companies, or wallet systems share signing control without relying on one single key.
Google Set A Deadline
Google has already put a date on its own quantum security plans. By 2029, the company wants all internal systems protected against quantum computers, which shows how seriously major tech firms now treat the risk. That deadline does not directly control Bitcoin, but it does add pressure on developers, wallet providers, exchanges, and long-term holders to prepare early. Google says quantum computers could threaten today’s encryption and digital signatures, while about 6.5 million BTC may already sit in address types considered vulnerable, even though a large share may be lost forever.

