(facepalm)

Please, first read:

https://bitcointalk.org/index.php?topic=131778.0

https://bitcointalk.org/index.php?action=search2&search=quantum

edit:

We have covered this topic many times before. Quantum computing is not a threat to Bitcoin in any reasonable timeframe. Does this need to be in the FAQ?

It's a 128-qubit machine. If you have to ask the price, that means you can't afford it (nor program it). It requires a specially built facility to house it.

From Proos and Zalka (2008):

http://arxiv.org/pdf/quantph/0301141.pdf

We show in some detail how to implement Shor’s efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. **A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits**. In this paper we only consider elliptic curves over GF(p) and not yet the equally important ones over GF(2^n) or other finite fields. The main technical difficulty is to implement Euclid’s gcd algorithm to compute multiplicative inverses modulo p. As the runtime of Euclid’s algorithm depends on the input, one difficulty encountered is the “quantum halting problem”

Bitcoin uses the *secp256k1* elliptic curve. This means 256-bit keys on a Koblitz curve. The p means prime field, GF(p).

The NSA informs us that a 256 bit elliptic curve key is equivalent to a 3072 bit RSA modulus. Therefore 1000 qubits is nowhere near close enough to solve even much weaker keys than the one Bitcoin uses, and the D-Wave machine provides only 128.

Even assuming quantum computers get much cheaper over time, you're not going to have a cryogenically cooled room sized machine in your house any time soon. And even if one day this becomes possible, there are several mitigating factors:

- Money sent to a Bitcoin address that has never been used before cannot be stolen even with a fully-capable quantum computer because the address is hashed. So by using wallets that never re-use addresses this problem goes away.
- Crypto schemes based on integer lattices are becoming more efficient every year, and are resistant to quantum computers (or at least, nobody has yet discovered an equivalent to Shor's algorithm for them). We could switch to one of these schemes if necessary.
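
The address-reuse point in the first bullet can be checked for a wallet. The following is an added example, not part of the original post: it walks a simplified, constructed ledger and reports funds sitting on addresses that have already been spent from. It assumes pay-to-pubkey-hash style outputs, where the spending input publishes the public key; the ledger format, address labels and function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample ledger (hypothetical format): each input refers to a
# previous output as (txid, output_index); each output is (address, amount).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [], "outputs": [("addrA", 50), ("addrB", 20)]},
    # Spends addrA's coin and sends the change back to addrA (address reuse).
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("addrC", 30), ("addrA", 20)]},
    {"txid": "t3", "inputs": [("t1", 1)], "outputs": [("addrD", 20)]},
    # A later payment to addrB, which has already been spent from.
    {"txid": "t4", "inputs": [], "outputs": [("addrB", 5)]},
]


def audit_key_exposure(txs):
    """Split unspent funds into (exposed, hash_protected) per address.

    An address is 'exposed' once any of its outputs has been spent, because
    the spending input carries the public key. Funds on never-spent-from
    addresses are still protected by the address hash.
    """
    utxos = {}       # (txid, index) -> (address, amount)
    exposed = set()  # addresses whose public key is on-chain
    for tx in txs:
        for ref in tx["inputs"]:
            if ref not in utxos:
                raise ValueError(f"{tx['txid']} spends unknown output {ref}")
            address, _ = utxos.pop(ref)
            exposed.add(address)
        for index, (address, amount) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], index)] = (address, amount)

    at_risk, protected = defaultdict(int), defaultdict(int)
    for address, amount in utxos.values():
        bucket = at_risk if address in exposed else protected
        bucket[address] += amount
    return dict(at_risk), dict(protected)


if __name__ == "__main__":
    at_risk, protected = audit_key_exposure(SAMPLE_TXS)
    print("public key exposed, funds remaining:", at_risk)
    print("still hash-protected:", protected)
```

A wallet that sends change to a fresh address on every spend keeps the first dictionary empty.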