According to the source, the core quantum threat to Bitcoin is that a sufficiently large fault-tolerant quantum computer running Shor’s algorithm could derive private keys from revealed ECDSA or Schnorr public keys, enabling unauthorized spends, while this is not feasible with today’s machines. source: Shor 1997; Bitcoin.org Developer Guide; BIP340 2020. UTXOs whose public keys have not been revealed on-chain are more resilient in the near term because address protection relies on hash preimages where Grover’s algorithm provides only a quadratic speedup, preserving roughly 128-bit security for SHA-256-based constructions. source: NISTIR 8105 2016; Bitcoin.org Developer Guide. There is currently no practical quantum computer capable of breaking Bitcoin’s public-key cryptography, but NIST finalized post-quantum standards in 2024 (ML-KEM, ML-DSA, SLH-DSA) that can guide migration paths for future signature schemes. source: NIST FIPS 203–205, 2024. Traders should monitor any BIPs proposing post-quantum signature types and watch for unusual spends from legacy P2PK or long-dormant outputs, as coordinated migrations can elevate on-chain congestion and fees that impact execution and volatility. source: BIP341 2021; Bitcoin Wiki Pay to Pubkey; Bitcoin.org Transactions–Fees.

According to the source, Q-Day describes the point when cryptographically relevant quantum computers can use Shor’s algorithm to break Bitcoin’s ECDSA and Schnorr signatures, endangering funds once their public keys are exposed; source: Shor 1994; source: BIP340; source: Bitcoin Wiki (Quantum computing and Bitcoin). For Bitcoin specifically, coins become vulnerable only after a spend reveals the public key, while unspent outputs with unrevealed keys retain stronger pre-spend safety; source: Bitcoin.org Developer Guide; source: Bitcoin Wiki. Early P2PK outputs and any reused addresses that have exposed public keys are structurally more at risk if a sufficiently powerful quantum computer emerges; source: Bitcoin Wiki; source: Bitcoin.org Developer Guide. No quantum computer currently exists that can break 256-bit ECC in practice, and NIST finalized the first post-quantum cryptography standards in 2024 to guide migration (ML-KEM, ML-DSA, SLH-DSA), indicating preparation rather than immediate breakage; source: NIST 2024 FIPS 203–205. U.S. national security guidance targets migration to post-quantum algorithms over the coming decade, underscoring a medium- to long-term threat horizon for public-key systems like ECDSA/Schnorr; source: NSA CNSA 2.0, 2022. For traders, key watchpoints include Bitcoin Core and BIP discussions on introducing post-quantum signature types via soft fork (demonstrated feasible by past upgrades like Taproot), the share of UTXOs with exposed public keys, and NIST/industry PQC adoption milestones; source: BIP341 Taproot; source: Bitcoin Wiki; source: NIST 2024. A credible roadmap to post-quantum migration and on-chain movement to new address types would be a critical market catalyst for BTC volatility and fees, making custody policies that minimize key exposure and reuse a prudent risk control; source: Bitcoin Wiki; source: Bitcoin.org Developer Guide.