Quantum computers and proof-of-work mining

Quantum computers are not a practical threat to proof-of-work mining for the foreseeable future. Grover's algorithm offers a quadratic speedup on the hash search at the heart of mining, but the speedup parallelizes poorly, error-corrected quantum hardware runs many orders of magnitude slower than ASICs, and difficulty adjustment absorbs gradual gains. Bitcoin's real quantum exposure is in its signatures, not its mining.

What mining computes

Bitcoin miners search for a block header whose double SHA-256 digest falls below a network-defined target, varying a nonce until one succeeds, a mechanism set out in the original Bitcoin design. The search has no structure to exploit: each attempt is an independent evaluation of a cryptographic hash function. The protocol retargets difficulty every 2016 blocks so that blocks keep arriving roughly every 10 minutes regardless of how much hash power joins. Specialized ASIC hardware has pushed the network's combined rate to a scale measured in hundreds of exahashes per second as of early 2026, an enormous baseline that any quantum competitor would have to beat.

What Grover's algorithm offers

Grover's 1996 algorithm searches an unstructured space of N possibilities in about the square root of N quantum steps, and finding a below-target header is exactly such a search. In principle a quantum miner needs only the square root of the work a classical miner performs, the same quadratic advantage that motivates larger key sizes in symmetric cryptography. That sounds decisive. Three practical factors remove most of the advantage.

Why the advantage fails to materialize

First, Grover's speedup is inherently serial. The quadratic gain comes from one long coherent computation, and splitting the search across k quantum machines improves the total only by a factor of the square root of k, whereas k classical machines deliver k times the throughput. Mining is the ideal workload for massive parallelism, which is precisely what Grover's algorithm cannot use, a point made in the 2017 analysis by Aggarwal, Brennen, Lee, Santha, and Tomamichel.

Second, quantum hardware is slow per operation. A fault-tolerant machine executes error-corrected logical gates at rates around a million times slower than the transistor switching inside an ASIC, and each Grover iteration requires evaluating the full SHA-256 circuit reversibly, thousands of serial gate layers, with the heavy overhead of error correction on every logical qubit. The same study estimated that even optimistic quantum hardware would achieve effective hash rates in the gigahash range, while the classical network already operated billions of times faster, and concluded that ASICs would keep an overwhelming advantage for at least a decade; nothing disclosed as of early 2026 has changed that conclusion.

Third, difficulty adjustment absorbs any gradual improvement. If quantum miners ever contributed meaningful hash power, the retarget would raise difficulty and restore the 10-minute cadence, just as it did when ASICs displaced CPUs and GPUs. Faster hardware changes who earns block rewards, not whether the chain functions.

Quantum 51 percent scenarios

The scenario that would matter is a single actor whose quantum hash power suddenly exceeded the rest of the network combined, enabling deep reorganizations and double spends of recent transactions. Given the parallelism and clock-speed obstacles above, this requires hardware even further beyond current capability than the signature-breaking machines described in quantum threat to ECDSA, and an attacker holding such a machine would find deriving private keys from exposed public keys far easier than out-hashing every ASIC on earth. Analyses of quantum attacks on Bitcoin treat majority-hash-power scenarios as a distant concern for this reason. A quantum computer capable of threatening mining implies one that has long since threatened the signatures.

The real threat is signatures

The contrast is the essential point. Shor's algorithm turns the elliptic curve discrete logarithm from exponentially hard to polynomially easy, a qualitative break with no classical workaround, which is why the serious analysis of Bitcoin's quantum risk concentrates on the signature layer and on which coins have exposed keys (is Bitcoin quantum safe?). Grover's algorithm, by comparison, halves the exponent: preimage attacks on SHA-256 drop from about 2^256 to about 2^128 steps, still unreachable (see NIST security levels), and mining advantages dissolve into difficulty adjustment. Proof-of-work, unusually among cryptographic constructions, is one of the parts of Bitcoin that quantum computing threatens least.

Frequently asked questions

Can a quantum computer mine Bitcoin faster than ASICs today?

No. No existing quantum computer can run Grover's algorithm at useful scale, and even projected error-corrected machines would search many orders of magnitude slower than current ASIC fleets.

Does Grover's algorithm break SHA-256?

No. It reduces brute-force preimage search from about 2^256 to about 2^128 steps, which remains far beyond any plausible computation.

Sources

  1. Quantum attacks on Bitcoin, and how to protect against them (arXiv, 2017)
  2. A fast quantum mechanical algorithm for database search (arXiv, 1996)
  3. Bitcoin: A peer-to-peer electronic cash system (bitcoin.org, 2008)
Cite this entry
"Quantum computers and proof-of-work mining." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/quantum-mining@misc{pqwiki-quantum-mining, title = {Quantum computers and proof-of-work mining}, howpublished = {\url{https://postquantum.wiki/quantum-mining}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }