The Galaxy report is good on framing. A few concrete things worth knowing that often get lost in the panic vs. dismissal binary:

Not all UTXOs are equally exposed
P2PK outputs (early Bitcoin, Satoshi's coins) expose the public key directly — a quantum attacker could derive the private key without ever seeing a spend. Estimates put roughly 1-4M BTC in this bucket.

P2PKH/P2WPKH/P2TR outputs are safer: the public key is hashed and only revealed when you spend. That means the attack window is narrow — the time between you broadcasting a transaction and it being mined. A sufficiently fast quantum computer could try to extract the key mid-flight, but that requires both quantum capability AND defeating the mempool's timing, which is harder than just attacking dormant P2PK coins.

The actual threshold
Breaking ECDSA-256 would require roughly 4,000 logical (error-corrected) qubits. Today's best machines are in the low-thousands of physical qubits, with error rates that make sustained computation infeasible. The gap between physical and logical qubits is still enormous — we're likely a decade+ away from a credible threat, though nobody knows for certain.

The migration problem
The real risk isn't that Bitcoin can't be fixed — it's that fixing it requires broad coordination and users who don't move their coins voluntarily. Any soft fork for post-quantum signatures (SPHINCS+, Lamport one-time signatures, lattice-based schemes) will need a long on-ramp and a sunset mechanism for old address types. That's the governance and UX challenge, not the cryptography.
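As an added illustration of the first point above (P2PK exposes the key in the output; P2PKH/P2WPKH only reveal it in the spending input), here is a small Python classifier that is not code from the post or the Galaxy report. It reads a raw scriptPubKey, reports whether the public key is already on chain, and pulls out the key that a P2PKH or P2WPKH spend has to broadcast. Opcode values are Bitcoin Script's; the key, hash and signature bytes are constructed placeholders, and only the three templates named here are handled (P2TR is left out).

```python
OP_0, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x76, 0xA9, 0x88, 0xAC


def classify_script_pubkey(spk: bytes) -> dict:
    """Match a raw scriptPubKey against the three templates the post compares.
    pubkey_exposed=True means the key itself is in the output (P2PK) and can be
    targeted while dormant; False means only HASH160(pubkey) is on chain."""
    n = len(spk)
    # P2PK: <push len> <33- or 65-byte pubkey> OP_CHECKSIG
    if n >= 2 and spk[0] in (33, 65) and n == spk[0] + 2 and spk[-1] == OP_CHECKSIG:
        return {"type": "p2pk", "pubkey_exposed": True, "pubkey": spk[1:-1]}
    # P2PKH: OP_DUP OP_HASH160 <20-byte push> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return {"type": "p2pkh", "pubkey_exposed": False, "pubkey": None}
    # P2WPKH: OP_0 <20-byte push> (segwit v0 key-hash program)
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:
        return {"type": "p2wpkh", "pubkey_exposed": False, "pubkey": None}
    return {"type": "unknown", "pubkey_exposed": None, "pubkey": None}


def _pushes(script: bytes) -> list:
    """Split a script made only of direct pushes (0x01..0x4b <data>) into its items."""
    items, i = [], 0
    while i < len(script):
        n = script[i]
        if not 1 <= n <= 0x4B or i + 1 + n > len(script):
            raise ValueError("unsupported or truncated push at offset %d" % i)
        items.append(script[i + 1:i + 1 + n])
        i += 1 + n
    return items


def pubkey_revealed_by_spend(script_sig: bytes, witness: list):
    """Key a P2PKH spend (scriptSig = <sig> <pubkey>) or P2WPKH spend
    (witness = [sig, pubkey]) broadcasts: this is when the attack window opens."""
    items = _pushes(script_sig) if script_sig else witness
    if len(items) == 2 and len(items[1]) in (33, 65):
        return items[1]
    return None


# Constructed sample data, not real keys, hashes or signatures.
PUBKEY = bytes([0x02]) + bytes([0x11]) * 32          # fake compressed key
HASH160 = bytes(range(20))                            # fake HASH160(pubkey)
SIG = bytes([0x30]) + bytes(70)                       # 71-byte signature placeholder
P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 0x14]) + HASH160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 0x14]) + HASH160
P2PKH_SCRIPT_SIG = bytes([len(SIG)]) + SIG + bytes([len(PUBKEY)]) + PUBKEY
P2WPKH_WITNESS = [SIG, PUBKEY]
```

Running `classify_script_pubkey` over a real UTXO set is how you would size the dormant-P2PK bucket the post mentions, while `pubkey_revealed_by_spend` marks the point at which a hashed-key output first becomes attackable.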