Will Quantum Kill Crypto?
When you talk about Quantum Computing, do you actually have any idea what you're talking about? Neither did I, so here's a stab at shedding some light on the matter...
We hear it constantly. Quantum computers are going to break crypto. It comes up at dinners, on panels, in the replies. We nod along, agree it sounds like a problem, and move on. None of us have ever actually stopped to look.
Which is awkward, because we spend half our lives frustrated at exactly that behaviour in other people. The ones who wrinkle their nose at crypto, call it magic internet money, and slap a label on it without ever once asking a real question. We complain about them weekly. And here we were doing the same thing to quantum.
So when I was invited to the Economist’s 5th annual Commercialising Quantum conference, I took it. No better place to learn than from the people actually building it.
Now, I’ve met some clever people at crypto conferences over the years, but this was a different level. If crypto is everything you don’t understand about money, stacked on everything you don’t understand about computers, then quantum is everything you don’t understand about physics stacked on everything you don’t understand about, well, anything. With my finance background, I was out of my depth before the coffee went cold.
What follows is my attempt to relay the day as it was explained to me: slowly, patiently, and mostly as though I were five. By the end you should know roughly what quantum is, what it isn’t, and why most of the headlines aimed at crypto deserve a calmer read than they get. I asked a lot of stupid questions to get here, which I’ll share with you as I think they’re useful in the journey to understanding.
One honest caveat before we start. After one day, I do not understand quantum computing well enough to build one, and neither will you after one newsletter. But you will understand it well enough to read the next scary headline, find the single fact that matters, and decide whether to care. For an asset class that gets a fresh quantum death notice every quarter, we thought it was important to understand.
First, the thing nobody actually explains
The morning opened with Lord Vallance, the UK’s science minister, talking about money: two billion pounds committed to quantum over the next decade. Then IBM took the stage and started talking about the machines, and within about ninety seconds, I realised I did not know what a quantum computer was. I knew the word “qubit” the way I know the word “mitochondria.” Confidently, and uselessly.
So here is what I had to get straight before anything else made sense. It is the question I’d have been too embarrassed to ask out loud, so I cornered a few people afterwards instead.
What is a qubit?
A normal computer stores everything as switches. On is a 1, off is a 0. Billions of tiny switches, each parked in one position. That is all a “bit” is.
A qubit is the same idea, built from something small enough to break the rules: a single atom, or a tiny circuit pretending to be one. Because it is that small, it is allowed to sit undecided between 0 and 1, leaning toward both at once, until the moment you look. Then it picks a side.
My stupid question: “so it’s both at once, like it’s doing two things?” Sort of, but that’s the trap everyone falls into. The point isn’t that it holds both answers. The point is you can line up a load of these undecided atoms so that, when you finally look, the wrong answers cancel each other out and the right one is left standing. Picture noise-cancelling headphones, but pointed at wrong answers instead of screeching tube tracks.
That cancelling trick only works on a narrow set of problems. For everything else, your laptop is better. Hold onto that sentence. It deflates more hype than anything else in this piece.
This matters more than it looks. Almost all quantum fear quietly assumes a quantum computer is just a very fast normal computer that will chew through everything quicker, passwords included. It isn’t. It’s a strange, narrow instrument: extraordinary at a short list of specific tasks, useless at the rest. So the only question that matters for us is whether breaking crypto is on that short list, and if so, when. We’ll get there. Slowly, like I did.
Wait, isn’t this just AI?
This was my second stupid question, and apparently a common one, because the room had a practised answer. Quantum and AI get lumped together constantly. Two futuristic words, same breath, often the same sentence. They are not the same thing, and confusing them will lead you wrong.
The cleanest way I heard it put was at the IMB stool: AI is software that requires lots of data. Quantum is a compute hardware that needs less data to simulate infinite possibilities. One is a brilliant pattern-spotter who has read the whole internet. The other is a strange machine that can model the physical world the way nothing else can. They live on completely different layers.
What is each good at? AI is unmatched at anything with mountains of examples to learn from: language, images, prediction. It runs, today, on ordinary computers and the great barns of GPUs you’ve read about. Quantum is suited to a narrow band of problems where nature itself behaves quantumly: simulating molecules, certain optimisation puzzles, and the cryptography problem we’re circling. What can’t they do? AI is a confident guesser, not a precise simulator of physics. Quantum is hopeless at the everyday and, right now, can only manage very short calculations before it falls apart.
Here’s the part I found most useful, because it cuts against the hype. They mostly help each other rather than fight. AI is already essential to building quantum computers: tuning the hardware, spotting errors, and keeping this fragile thing calibrated. And quantum may one day accelerate narrow, expensive corners of AI, and ease its enormous energy bill. One panel made the point that AI and quantum need each other at the moment, each propping up the other’s weaknesses.
But, and this is the honest bit the vendors skip, they will also compete. There are already signs that clever AI running on ordinary computers can model some chemistry and physics about as well as a quantum machine, for now, at a fraction of the cost. So the neat story of “quantum and AI, best friends forever” has a rivalry underneath it. In some tasks, one will simply be the better, cheaper tool. We found that more believable than the friendship version, and more useful to remember.
Why the machines are so fiendishly hard to build
The next thing I learned is that these machines are absurdly fragile and eye-wateringly expensive. Understanding why unlocks almost everything else.
That undecided state is delicate beyond belief. A stray vibration, a flicker of heat, a single particle of light landing on the atom, and the whole thing collapses into noise before your sum is finished. The physicists call it decoherence. I came to think of it as the enemy, because every hard thing about building these machines is really a fight against it. It’s why some run colder than deep space, and why others keep their atoms suspended in beams of laser light, sealed inside little glass vacuum chambers that looked like something out of a sci-fi movie.
I got the clearest explanation of the entire day at the Microsoft stand. I asked what felt like the obvious question: why not just keep bolting on more qubits until you have enough? The answer reframed the whole thing.
The TV static problem, and the fix
One raw qubit is noisy. Picture TV static. Here’s the cruel part: add more of them and, left alone, the static gets louder, not clearer. Every extra qubit is one more fragile thing for the world to disturb. More is worse.
The fix isn’t a better atom. It’s a trick. You take a crowd of noisy qubits and gang them together so the group holds one piece of information reliably, even though no single member can be trusted. Some of the qubits don’t even store your answer. Their entire job is to be checkers: they sit there watching their neighbours and raising a hand when one steps out of line. The genuinely clever bit is that they check without ever looking at the answer (which would collapse it). They only ever ask “do you two agree?”, never “what are you?”. From the pattern of agreements, the system works out which qubit slipped and fixes it, while the actual answer stays hidden the whole time.
The reliable thing you build this way is a logical qubit. The crowd of noisy ones underneath are physical qubits.
This single distinction was the most valuable thing I carried out of the building. When you read that some company has “1,000 qubits,” they almost always mean physical ones: the noisy raw material. The number that actually matters, the count of reliable logical qubits, is far smaller and far harder to grow.
How much harder? Microsoft and their hardware partner Atom Computing gave the concrete figures, and they’re worth seeing. Their headline machine, due late 2026, makes 50 logical qubits out of roughly 1,225 physical ones. That’s about 24 noisy qubits to produce a single trustworthy one. When they first proved the trick worked, they took those raw atoms, whose individual error rate was a hopeless 42%, and built logical qubits with an error rate of 10.2%: four times better than the parts they were made from. That gap is the achievement. That’s the whole industry in one number.
The field even has a ladder for it. Level 1 is noisy qubits with no error correction: everything you can buy today. Level 2 is the checker trick working, producing reliable logical qubits: the genuine frontier, right now. Level 3 is having enough of them to do serious, sustained work, and that is still years out. Keep that ladder in mind. It’s about to do some heavy lifting.
So many machines, and the question that cuts through them
By mid-morning I’d reached the part of the floor where, frankly, I had no idea what I was even looking at and even after asking “What is that?” I wasn’t much wiser. Five or six completely different ways to build a qubit, each with a serious company behind it, each certain it has the answer.
I’ll spare you the full zoo. Some build qubits from circuits on ultra-cold chips (IBM, Google). Some from charged atoms pinned in electric fields (IonQ). Some from neutral atoms held in laser tweezers (Infleqtion, and the machine behind the Nordic “Magne” project). Some from particles of light (PsiQuantum, ORCA). Some from electrons in silicon. One French outfit, C12, uses carbon nanotubes. Each approach is strong precisely where another is weak. Fast but fragile. Pristine but slow. Easy to scale but hard to steer. Nobody has all the virtues at once.
If that trade-off sounds familiar, it should. It’s Quantum’s version of the blockchain trilemma. We’re used to the idea that a chain seems forced to pick two of speed, cost, and decentralisation, and that chasing one tends to cost you another. Quantum hardware has the same shape of problem: speed, stability, and scale, pick your strengths and pay for them elsewhere. And just as in crypto, the interesting bets are the teams claiming a genuine path to all three at once, not the ones optimising a single corner. Every honest person on stage said the same thing: there is no winner yet. Which is genuinely useful to know, because anyone who tells you the race is already won is selling something.
The sharpest session, for my purposes, was a panel bluntly titled “Why qubit quality could matter more than quantity,” with Fujitsu and C12 among others. It handed me the one question I now ask whenever someone waves the word quantum around. A thousand noisy qubits can be useless. Fifty clean ones can do real work. So the headline qubit count, the number everyone sprints to put in a press release, is close to meaningless on its own. What matters is quality: how often each operation slips, and how long a qubit survives before decoherence wins.
Qubit count is the vanity metric. A useful machine needs scale and a low error rate together. Top-right is where you want a machine to sit. When a vendor leads with qubit count alone, that’s the tell.
So I stopped being impressed by qubit counts. The number on the press release counts the switches. It says nothing about how many work, how long they last, or how often they lie. The duller, better question, the one I watched land at the Fujitsu stand: what’s your error rate?
When does any of this actually arrive?
Fair question, and the conference was unusually disciplined about it. The common mistake is treating quantum as a yes/no event: is it ready? It isn’t one event. It arrives in stages, and different stages unlock different things.
IBM laid out a timeline I found credible precisely because it wasn’t breathless. Useful scientific work this year. A genuinely fault-tolerant machine (Level 3, a couple of hundred logical qubits) around 2029. A much bigger one, on their roadmap, named Blue Jay, around 2033. And the marker that piqued my attention, because it was on IBM’s own slide: roughly 2035 for what they called “cryptographic relevance.” The point at which a machine could, in principle, break the encryption we lean on today.
The UK frames the same march in raw capability: a million reliable operations, then a billion, then a trillion, that last one pencilled in for around 2035 as well. The numbers rhyme across every source I saw, which is about as much agreement as this field offers.
Then a chart put crypto in its place. Literally.
Each region is a type of problem, placed by how big a machine it needs. Chemistry and optimisation sit within reach this decade. Breaking cryptography sits in the hardest corner, top-right, demanding both the most qubits and the longest computations. It’s the last thing these machines will manage, not the first.
That picture calmed me more than any reassurance could. Look again at where breaking cryptography sits: not just top-right, but only the very edge of that region is in reach by 2035. IBM’s own slide makes the same admission. The 2035 marker isn’t “quantum breaks all encryption.” It’s “quantum can, in principle, nibble the easiest edge of it.” The thing crypto fears most is, on the physics, the single hardest thing on the board, and even the optimistic date only scratches its outermost layer. It comes last, and it comes slowly. Which doesn’t mean we ignore it. It means we can finally talk about it properly.
What it actually means for crypto
Here’s the part I came for. Strip away the noise and the quantum threat to crypto comes down to two algorithms doing two very different things.
Shor vs Grover: the two threats
Shor’s algorithm is the dangerous one. Your wallet is a pair of keys: a private one you keep secret, and a public one derived from it. The maths linking them is a one-way street normal computers can’t reverse. Shor’s algorithm reverses it. A big enough quantum machine could take your public key and work out your private key, and then it owns your coins. It doesn’t “decrypt” anything. It forges the signature that proves ownership. That’s the existential bit.
Grover’s algorithm is the manageable one. It speeds up brute-force guessing, which threatens the hashing that secures a chain’s history and its mining (SHA-256, for Bitcoin). But it only delivers a modest, square-root speedup: in practice it halves the strength. SHA-256 stays comfortably out of reach. The fix, where one’s even needed, is just longer keys.
One line to keep: quantum threatens the signatures that prove who owns a coin, not the machinery that secures the chain. Real, but narrower and more fixable than the headlines suggest.
The day handed me one genuinely uncomfortable insight, and it’s why complacency is the wrong response.
The threat doesn’t begin the day the machine switches on. It begins now, through something the security crowd calls “harvest now, decrypt later.” An adversary records data today and waits to crack it once the hardware exists. For a blockchain, this has a specific and nasty edge.
On most chains your public key stays hidden, tucked behind a hash, until the first time you spend from an address. Receive funds and never move them, and your key stays cloaked, safe even past the arrival of these machines. But the instant you send a transaction, your public key is written on-chain, in public, forever. Which means a patient adversary can compile, today, a list of every address that has ever transacted, and simply wait for the machine that turns those exposed keys into stolen coins. A large share of Bitcoin sits in exactly those addresses, including much of the long-dormant, presumed-lost early supply that can never be moved to safety because nobody holds the keys.
And there’s a practical gap between “theoretically possible” and “actually happens” that the physics alone hides. These machines are extraordinarily expensive to run. One of the bluntest lines of the day came from the stage: we’d never buy a quantum computer, only rent one. Even the people building them treat owning one as faintly absurd. So picture who could actually point a private, dedicated quantum computer at the Bitcoin network in 2035: someone with the resources of a state or a giant. Now ask what they’d win. The prize for cracking Shor’s against Bitcoin is stealing Bitcoin. But the very act of demonstrating you can forge any signature at will would vaporise confidence in the asset, and the coins you stole would be worth roughly nothing by the time you’d moved them. You’d spend a fortune to win a pile of ash. The theoretical ability may well arrive around 2035. The rational, well-resourced attacker who’d actually pull the trigger is further off still, because the maths of the heist doesn’t work.
The investment consequence is the part worth underlining. The risk to a token doesn’t arrive in 2035 when the machine is finished. It arrives the moment the market believes, credibly, that the machine is coming. Markets price fear ahead of fact. The repricing could land years before any qubit touches a real key. That gap, between credible fear and actual capability, is the window we’ll be watching.
Where this leaves us
This is where the reporter steps aside and the fund speaks.
We don’t hold Bitcoin. Quantum isn’t the only reason, but it’s on the list, and this trip moved it up. The exposed-key problem above is bad enough. Worse is that the Bitcoin community has no agreed way to protect those millions of dormant, lost-key coins without doing something deeply un-Bitcoin: freezing them, or forcing a migration, either of which dents the very decentralisation and credible neutrality that the whole thing is built on. It’s a genuine bind. Conservatism is usually Bitcoin’s great strength. Here it’s a trap, and there’s no clean way out that we’ve seen.
It’s also a large part of why we like Ethereum. The quantum researchers doing the serious work are, in several cases, inside or alongside the Ethereum Foundation, and it shows. When Google published its revised estimate of how few qubits it might take to break today’s encryption, Ethereum’s people were already engaging with it rather than waving it off. There’s a public, funded path to quantum-safe signatures built into Ethereum’s normal upgrade cycle. There’s even a recent proposal that lets an ordinary account start protecting itself for around seven cents, no fork required, with the heavier migration able to come later. None of it is finished. All of it is real, and moving. A chain that’s already arguing about how to defend against a 2035 threat is a chain taking its own survival seriously.
We’re not telling you to sell anything over a risk that’s a decade out. We’re telling you the question is now on our list: when this threat becomes real, can this chain actually adapt, or is it structurally stuck? The assets with a credible answer carry less of this particular long-tail risk than the ones without.
That’s the whole point of the day, really. Not that quantum is coming for crypto tomorrow. It isn’t. It’s that I can now read the next frightening headline, find the one fact that matters (physical qubits or logical ones, what’s the error rate, how many reliable operations, and does the threatened chain have a migration path) and tell you whether to care.
Usually, the answer is: not yet. Knowing why not yet, and exactly what would change it, is the important part. We came back able to do that job.



