What is Q-Day?
One day, quantum computers will become powerful enough to break the elliptic curve cryptography that protects Bitcoin wallets and most other crypto. This is widely called “Q-Day.” There’s no exact date for when this might happen, but some predictions place it within the next few years. So Q-Day is now a “when” question.
A Project Eleven report has set a baseline timeline of 2033, with a fast-track scenario set in 2030 (four years from now), and 2042 as the latest year when this could occur in the slowest turn of events. Should it happen right now, addresses holding around 6.9 million BTC would face the serious threat of exposure.
The Short Definition
Q-Day is the moment a “cryptographically relevant quantum computer” comes online.
That’s what it is in technical terms. It’s a machine powerful enough to run Shor’s algorithm at a scale that breaks the public-key cryptography used by Bitcoin, Ethereum, XRP, Cardano, and nearly every other blockchain in existence.
It also happens to be the same kind of cryptography used by your bank, your internet provider, your VPN, and the HTTPS connection that led you to this very website. But crypto is the most vulnerable due to the blockchain’s immutable and public nature, which are the things that were supposed to be its core strengths.
A bank can protect itself and its clients by freezing accounts. A blockchain, by design, can’t.
If the name sounds familiar, that’s intentional. It’s a nod to “D-Day,” and its alternative moniker, “Y2Q”, was purposefully borrowed from “Y2K.” Like these two events, one real and one feared but ultimately missed, Q-Day names a milestone. The calendar is wide open.
Why Your Bitcoin Uses Cryptography That Quantum Computers Can Break
Every Bitcoin wallet is built around a pair of keys.
The private key signs transactions. As for the public key, its role is to allow the network to verify those signatures. The relationship between the two is mathematical. You can easily derive the public key from the private one, but taking the other route would take a regular computer billions of years. That asymmetry works to Bitcoin’s advantage.
Underpinning this asymmetry is a branch of mathematics called elliptic curve cryptography (ECC). Bitcoin uses a curve called secp256k1 with the ECDSA signature scheme. ECC is fast and well-studied. It’s also, by a quirk of how Peter Shor’s 1994 algorithm works, exactly the kind of problem an adequately powerful quantum computer can solve in minutes instead of millennia.
Shor’s algorithm runs on quantum hardware and reverses the one-way function at the heart of ECC. Give it a public key, and it produces the private key. There’s no patch for ECC against Shor. The only fix is to stop using ECC altogether.
Here’s What Q-Day Doesn’t Mean
A lot of headlines would have you think that Q-Day spells the death of Bitcoin or wipes out the value of all crypto overnight. That’s a stretch.
Bitcoin mining is largely safe. Mining relies on SHA-256, a hash function. Quantum computers attack hashes too, via Grover’s algorithm, but Grover only halves the effective security level in bits. SHA-256 stays usable even in a post-quantum world.
Most of the blockchain ledger is out of reach as well. Past transactions, once buried under enough blocks, can’t be rewritten by a quantum attacker. Past transactions are safe. Live wallets are the problem.
Symmetric encryption is generally safe, too. AES-256, the standard beneath most of your everyday encrypted data, drops to AES-128-equivalent security under Grover. For now, that’s still secure. It’s less so than AES-256, but probably enough for most purposes.
What will come under serious threat with Q-Day are digital signatures. This means wallets, account abstraction contracts, multisig schemes, threshold signatures, and identity systems that rely on ECC or RSA. That includes basically every crypto wallet in use today.
Which Wallets Are Truly at Risk
The threat is not uniform across Bitcoin, either. It depends on whether the public key for a given address is already visible on-chain.
Older address formats publish the public key directly. P2PK addresses, the original format Satoshi used in 2009, sit defenseless on the blockchain in the face of the quantum threat. Anyone with a sufficiently powerful quantum computer could read the public key today, derive the private key on Q-Day, and move the funds.
Newer formats hash the public key. P2PKH and the bech32 formats starting with “bc1” store only a hash. The actual public key is only revealed when you spend from the address. As long as the address has never sent funds, the public key stays hidden, and a quantum attacker has nothing to work with.
This is why Project Eleven puts about 6.9 million BTC in the vulnerable group. Around a third of all Bitcoin ever mined sits in addresses that have already broadcast their public key. That includes:
- All P2PK addresses (the original 2009 format),
- Any address that has sent and then received funds again (a practice called address reuse),
- Spent Taproot addresses since 2021, which publish the key as a side effect of being spent,
- Around 1 million BTC that’s believed to belong to Satoshi Nakamoto, all in P2PK.
The same logic applies on Ethereum, where the situation is even more dire. Here, more than 65% of all ETH sits in quantum-exposed addresses, because every Ethereum transaction reveals the public key.
If you hold Bitcoin in a fresh bech32 address you’ve never spent from, you’re not in the immediate danger zone. That can change the moment you spend, depending on how the network has migrated by then.
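A holder can apply the rule from this section to their own outputs. The sketch below is an added example, not code from the article or from Project Eleven: it classifies a scriptPubKey as P2PK, P2PKH or P2WPKH and marks it exposed or hidden. The `spent_before` flag (has this address ever signed a spend?) is assumed to come from your own wallet history, the sample outputs are constructed, and other script types are reported as not assessed.

```python
def classify_script(spk_hex):
    """Map a scriptPubKey (hex) to 'p2pk', 'p2pkh', 'p2wpkh' or 'other'."""
    s = bytes.fromhex(spk_hex)
    # P2PK: <push 33 or 65 bytes> <public key> OP_CHECKSIG (0xac)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        if s[1] in ((2, 3) if len(s) == 35 else (4,)):   # valid key prefix
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH (bc1q...): OP_0 <20-byte hash>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"


def exposure(spk_hex, spent_before):
    """'exposed' if the public key is already on-chain, else 'hidden'."""
    kind = classify_script(spk_hex)
    if kind == "p2pk":
        return "exposed"          # the key sits in the output itself
    if kind in ("p2pkh", "p2wpkh"):
        # Only a hash is stored until a spend from the address reveals the key.
        return "exposed" if spent_before else "hidden"
    return "not_assessed"


def audit(utxos):
    """Sum satoshis per exposure class over (script_hex, spent_before, sats)."""
    totals = {"exposed": 0, "hidden": 0, "not_assessed": 0}
    for spk_hex, spent_before, sats in utxos:
        totals[exposure(spk_hex, spent_before)] += sats
    return totals


# Constructed sample outputs (placeholder key and hash bytes, not real coins).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", False, 5_000_000_000),  # P2PK
    ("76a914" + "22" * 20 + "88ac", True, 150_000),          # reused P2PKH
    ("76a914" + "33" * 20 + "88ac", False, 40_000),          # fresh P2PKH
    ("0014" + "44" * 20, False, 250_000),                    # fresh P2WPKH
    ("a914" + "55" * 20 + "87", False, 10_000),              # P2SH: other
]

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS))
```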
When Is Q-Day Actually Coming
Nobody knows. People doing the engineering put the honest range at five to twenty years from now. The aggressive end has compressed sharply in 2026.
Three estimates stand out: those from Project Eleven, Google Quantum AI, and the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce.
Project Eleven
Its 110-page report titled “The Quantum Threat to Blockchains 2026” puts Q-Day at 2030 in the aggressive scenario and 2033 in the baseline. The probability of arrival by 2033 stands at over 50%, and the argument is that quantum progress tends to arrive in bursts as opposed to a smooth curve, so the perceived gap can close faster than expected.
Google Quantum AI
A whitepaper called “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities” revised the qubit threshold for breaking secp256k1 down by around 20x, to under 500,000 physical qubits. Google’s own internal deadline to migrate to post-quantum cryptography moved to 2029. One of the paper’s co-authors, Ethereum Foundation researcher Justin Drake, said publicly that he now sees at least a 10% chance Q-Day arrives by 2032.
NIST
In its internal report “Transition to Post-Quantum Cryptography Standards,” the U.S. institution recommends migration to post-quantum cryptography by 2035, a timeline the Project Eleven report suggests is now optimistic.
In April 2026, researcher Giancarlo Lelli won a 1 BTC bounty from Project Eleven for cracking a 15-bit ECC key on publicly available quantum hardware. Bitcoin uses 256-bit keys, so the gap is clearly enormous. What has shifted is the framing: whether closing that gap is a physics problem or an engineering one. The expert consensus has tilted toward engineering, and unfortunately so, as engineering problems get solved on engineering timelines.
Harvest Now, Decrypt Later
One part of the Q-Day threat is already in motion today, regardless of when the actual machine arrives.
It’s called “harvest now, decrypt later.” A malicious actor records publicly visible cryptographic data now (public keys, signatures, encrypted blobs, etc.) and stores it. When a quantum computer becomes available, they decrypt the lot.
For Bitcoin, this means every public key that has ever been broadcast is already on a hard drive somewhere, waiting for Q-Day, as the harvest happened years ago. The decrypt is what we’re waiting on. This is why crossing that bridge when we get to it isn’t a strategy. Every address you use today that exposes its public key is already in the dataset.
Possible Fixes
The replacement for ECC is a family of algorithms called post-quantum cryptography, or PQC.
NIST finalised its first PQC standards in August 2024 (ML-KEM, ML-DSA, SLH-DSA) and added HQC in March 2025. They’re based on mathematical problems that quantum computers can’t solve efficiently; the families include lattice-based schemes and hash-based signatures, among others.
But there’s a catch. PQC signatures are 10 to 50 times larger than ECDSA signatures. For a blockchain that pays for every byte of block space, that’s not what you would call a free upgrade. Bitcoin proposals are weighing different schemes for different cost profiles.
One is WOTS+ and XMSS, which are hash-based and conservative. Quip Network launched a Bitcoin wallet using WOTS+ in April 2026, sitting on the Arch Network smart contract layer so it doesn’t require a soft fork.
Then, there are lattice-based schemes (Falcon, Dilithium), which are smaller but newer. This is where Ethereum is leaning. Also, STARK-based compression could shrink the on-chain footprint at the cost of compute.
On Bitcoin itself, three competing proposals are live as of mid-2026. These include BIP-361 (“Post Quantum Migration and Legacy Signature Sunset”), led by Jameson Lopp. It phases out vulnerable addresses on a five-year timeline, and coins that fail to migrate would get frozen, including Satoshi’s 1 million BTC.
Paul Sztorc’s eCash hard fork is a more radical restructure into seven sidechains, one with built-in quantum resistance. Finally, there’s Quip / WOTS+, the L2 approach that requires no protocol change.
Ethereum’s plans are further along on paper but still years from execution. Solana is partnered with Project Eleven, and Ripple’s XRP Ledger has a multi-phase roadmap. Zcash is rolling out quantum-recoverable wallets and targeting full post-quantum status in 12 to 18 months. QRL, IOTA, Abelian, and Cellframe were built to be quantum-resistant.
The hard part is coordinating the whole thing. A quantum migration touches the deepest layer of the protocol, and even an optimistic estimate puts migrating all Bitcoin UTXOs to post-quantum addresses at 76 days of full block space dedicated to nothing else.
What This Means if You Hold Crypto
There are a few practical points, and none of them are cause for panic.
Stop reusing addresses. Every time you spend from a Bitcoin address and then receive funds back to the same address, those funds sit behind a public key that is already exposed. This has now shifted from a privacy recommendation to a security one.
Pay attention to address types. If your wallet still uses legacy formats (addresses starting with 1) or older SegWit, moving to a bech32 address you’ve never spent from is advised.
Keep an eye on hardware wallet roadmaps. Trezor’s Safe 7 ships with hardware capable of handling future post-quantum firmware updates, and Ledger has published research on the constraints of running PQC inside secure elements. Tangem and others are following.
Be skeptical of claims of “quantum-resistant” tokens. A handful of chains were built for this, but most projects claiming the label weren’t. The list of legitimately post-quantum networks is short and verifiable.
Don’t use a Q-Day timeline as a sole basis for moving your funds. Self-custody mistakes will lose you more Bitcoin in 2026 than quantum computers will.
What to Watch
Three things will determine how the next few years play out.
The first is hardware milestones. Logical qubit counts, gate fidelity, and the gap between published demonstrations (15 bits today, 256 bits at Q-Day) are the main indicators. The second is governance. Bitcoin will not migrate without a fight. BIP-361 might gain traction, an L2 solution like Quip could become the de facto answer, or the network could split. All of this remains an open question.
The third is markets. Panic will probably hit before any actual break does. A credible rumor or a partial demonstration could move prices hard before any actual cryptographic break happens. The Coinbase advisory board’s April 2026 report warned about this scenario.
Q-Day is a deadline, and the crypto industry should treat it as one.
Sources:
- Project Eleven Q-Day Report (May 2026)
- Google Quantum AI, Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities (March 2026)
- Coinbase Advisory Board paper on post-quantum migration (April 2026)
- BIP-361 specification on GitHub
- NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)
- Bernstein research note on quantum risk to Bitcoin (April 2026)
- Ark Invest / Unchained quantum risk report (March 2026)