What Happened
In the week following Google's March 31 quantum whitepaper, two research teams published work that reframes where the quantum threat to Bitcoin actually sits. The BTQ Technologies paper examines quantum mining. The Gutmann and Neuhaus paper examines the quantum factoring demonstrations that have driven the broader narrative — and systematically dismantles most of them.
Quantum Mining: The Star Problem
Bitcoin mining is a computational lottery. Grover's algorithm offers a quantum speedup on search problems of this type, theoretically giving a quantum miner an edge over classical ASIC miners. If that edge were sufficient, a quantum actor could dominate Bitcoin's hashrate and execute a 51% attack — rewriting transaction history, double-spending, or censoring the network.
BTQ Technologies asked what it would actually cost to build that capability. The answer: energy requirements scale to the output of a star. The hardware architecture required to run Grover's algorithm at competitive mining speed, accounting for error correction overhead and operational costs, puts this scenario outside any realistic engineering roadmap. Bitcoin's mining security is not what Google's paper was about. Bitcoin's wallet security is.
Quantum Factoring: The Dog With Three Barks
Gutmann and Neuhaus examined every major quantum factoring breakthrough claimed over the past two decades and replicated each result — using a 1981 Commodore VIC-20, an abacus, and a dog named Scribble trained to bark three times. The finding: nearly every claimed breakthrough cheated in one of several ways. Researchers picked numbers whose hidden prime factors were only a few digits apart. Or they did most of the computation classically and only used quantum hardware for a small final step. Or they ran algorithms on inputs specifically designed to make the quantum approach look favorable.
The paper proposes a new evaluation standard: random input numbers, no preprocessing, factors unknown to experimenters before the run. By this standard, no quantum factoring demonstration to date qualifies as a genuine breakthrough. This does not mean quantum factoring is impossible. It means most announced milestones do not represent actual progress toward the scale needed to threaten Bitcoin's elliptic-curve cryptography.
What This Means for You
The threat is real and sits specifically in exposed wallet public keys — not in mining, not in consensus, not in most of the scenarios crypto media has been amplifying. Roughly 1.7 million BTC in early P2PK addresses and 6.9 million BTC across Taproot and reused addresses have exposed public keys. Those are the long-term targets if quantum hardware continues improving.
Bernstein's three to five year transition window and Back's decade-long migration timeline bracket the realistic planning horizon. The practical action today has not changed: do not reuse addresses, understand your address type, watch BIP-360 development. The panic framing is wrong. So is dismissal. The threat is concentrated, technically specific, and preparable for — if the Bitcoin community starts now.
What to Watch
Watch for NIST evaluation of quantum factoring demonstrations against the Gutmann-Neuhaus standard. If the methodology gains formal adoption, it will sharply deflate a significant fraction of future quantum breakthrough headlines. Watch Adam Back's Liquid network experiments for the first production-grade post-quantum signature implementation on a Bitcoin-adjacent chain.