Quantum Leap?
Disentangling fact from fiction in bitcoin and quantum computing
Author’s Note: This piece is intended to be an approachable summary for mainstream readers and capital allocators evaluating bitcoin, and it may be updated over time as new technological advancements are made. We would like to thank Adam Back and Hunter Beast for their technical review and feedback.
As the largest investment platform focused on bitcoin, we field questions about bitcoin every day, and there are a handful of concerns that are common to almost everyone exploring the space. Most of these have been pretty clearly addressed just by the natural course of history; for example, every year that bitcoin maintains its massive lead in network effects, resilience, and value accrual relative to the rest of “crypto,” it’s progressively clearer why bitcoin can’t be easily copied or outcompeted, and every failed government ban of bitcoin – or more recently, various governments’ pivots to embracing bitcoin – only further cements why “the government will ban it” isn’t a strong bear case. But one long-running concern we frequently hear that is harder to quickly dispel at this point in bitcoin’s history is the potential for advances in quantum computing to eventually compromise bitcoin security in some critical way.
This concern has recently been in focus once again thanks to the announcement of Willow, Google’s newest quantum computing chip. The Willow chip represents a noteworthy step forward in the decades-long process of building a quantum computer that can eventually perform practical applications like compromising the public-key cryptography securing many systems including bitcoin, so its arrival has predictably inspired the latest round of bitcoin obituaries. However, while Willow shows impressive progress on some key dimensions, the journey toward a cryptanalytically relevant quantum computer (“CRQC”) – that is, a quantum computer that can threaten modern cryptography – remains in its infancy with many massive hurdles still to overcome, and recent updates are unlikely to alter existing timelines for quantum computing development. Meanwhile, this issue is far from unknown to bitcoin developers, and a variety of potential mitigating solutions are already available today. All the same, the progress of quantum computing could certainly accelerate from here, so it’s worth developing a clear idea of how a sufficiently scaled quantum computer could ultimately affect bitcoin and how the network might be able to respond.
Some Very Brief Background
Before diving in, it may be helpful to briefly review some key premises built into most modern digital security systems, including (but not limited to) bitcoin. Modern cryptographic security relies on various forms of assumed “computational hardness” – that is, the assumption that certain math problems are complex enough to be effectively infeasible for conventional computers. One example is the discrete log problem, which posits in simplest terms that it is extremely difficult to determine the solution to log_b(a) when a and b are very large prime numbers.¹ Application of this problem to an elliptic curve allows for elliptic curve cryptography, an iteration of which underpins the generation of bitcoin’s public/private key pairs and the signature algorithm used for most bitcoin transactions (Elliptic Curve Digital Signature Algorithm, or ECDSA). This system rests on the fundamental asymmetry of “one-way functions”: it is trivial to produce and validate a signature for a public key (a particular point somewhere on the elliptic curve) if its private key (a randomly generated value) is known, but the discrete log problem makes it prohibitively difficult to reverse-engineer that same private key if only the public key is known.
This problem is difficult enough that there is no better approach for classical computers than guessing and checking many potential solutions for the private key – also known as “brute forcing” – but this is still practically infeasible even for the most advanced conventional supercomputer. Since a bitcoin private key is a 256-bit number, there are 2^256 or approximately 1.1 x 10^77 possible alphanumeric combinations in bitcoin’s keyspace, a figure roughly comparable to the number of atoms in the entire observable universe.² For the best known conventional algorithms, the difficulty of breaking a 256-bit key is the square root of the keyspace size (2^128 in this case),³ so if the world’s fastest conventional supercomputer were to focus solely on cracking a single bitcoin private key, it would need roughly 2 x 10^20 seconds, or 6.2 trillion years. For those keeping score at home, that would amount to ~450x longer than even the estimated age of the universe (~13.8 billion years).⁴ A graphic from Jameson Lopp may help to illustrate the scale we’re dealing with:
There are some proposed solutions for solving the discrete log problem efficiently, the most notable of which is Shor’s algorithm. However, all such approaches are untenable with conventional computers and explicitly rely on the development of a CRQC, whose basic computational units are known as “qubits.” In contrast to the binary “bits” familiar to users of conventional computers – which can only be in a 0 or 1 state at any given time – qubits can exist in a “superposition” of both states simultaneously and can be “entangled,” meaning the 0/1 state of different qubits can be directly linked regardless of their proximity to one another. Taken together, these properties could support greater processing power and more efficient parallel processing, potentially allowing a quantum computer to process many possibilities at once and (among other things) solve the discrete log problem with Shor’s algorithm exponentially faster than even the fastest classical supercomputer.⁵
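The classical square-root cost described above can be watched on a toy group; this is an added example, not part of the original article. A 16-bit multiplicative group stands in for bitcoin's 256-bit elliptic curve group, and baby-step giant-step (a deterministic method with the same square-root cost as the Pollard's rho algorithm cited in the footnotes) stands in for rho; the modulus 65537, generator 3 and sample secret are assumptions chosen so the search finishes instantly.

```python
from math import isqrt

# Toy parameters (assumptions for this example): the multiplicative group
# modulo the Fermat prime 65537, generated by 3. Its 2**16 elements stand
# in for the roughly 2**256 points available to a bitcoin key.
P = 65537
G = 3
ORDER = P - 1  # 2**16


def public_from_private(x: int) -> int:
    """The easy direction: a handful of squarings and multiplications."""
    return pow(G, x, P)


def brute_force(h: int):
    """Guess-and-check x = 0, 1, 2, ... Returns (x, multiplications used)."""
    acc = 1
    for x in range(ORDER):
        if acc == h:
            return x, x
        acc = acc * G % P
    raise ValueError("target is not in the group")


def baby_step_giant_step(h: int):
    """Square-root search. Returns (x, multiplications used)."""
    m = isqrt(ORDER - 1) + 1  # ceil(sqrt(ORDER)), 256 here
    ops = 0
    # Baby steps: remember G**j for every j < m.
    table = {}
    acc = 1
    for j in range(m):
        table.setdefault(acc, j)
        acc = acc * G % P
        ops += 1
    # acc is now G**m; each giant step multiplies the target by G**(-m).
    stride = pow(acc, -1, P)
    gamma = h
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * stride % P
        ops += 1
    raise ValueError("target is not in the group")


if __name__ == "__main__":
    secret = 54321  # constructed sample private value
    public = public_from_private(secret)
    print("public value:", public)
    print("brute force :", brute_force(public))
    print("square-root :", baby_step_giant_step(public))
```

The same ratio carries over to the figures in the text: a 2^16 keyspace falls in about 2^8 to 2^9 steps here, just as a 2^256 keyspace needs about 2^128.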
Among the many issues that have historically plagued the development of this new mode of computing is the notorious difficulty of error correction to make a quantum computer’s operations reliable, particularly when scaling a quantum chip up to the sizes necessary for any kind of practical application. This was why Google’s recent announcement grabbed headlines: whereas prior attempts had shown worse errors at larger sizes, Willow is the first chip to successfully demonstrate exponentially better error correction with bigger qubit lattices, suggesting the eventual feasibility of practically scalable quantum computing hardware and, in turn, potential progress toward challenging the computational hardness assumptions baked into modern cryptography.
While practical quantum computing still has many hurdles ahead of it, bitcoin in its current form could be vulnerable to a CRQC attack in a few ways. At the highest level, bitcoin relies on two key cryptographic algorithms for most of its security: the previously discussed ECDSA, which generates keys and signs transactions, and SHA-256, which helps to generate addresses and is the core algorithm used in bitcoin mining. The latter would be much more resilient against even a very advanced quantum computer since Grover’s algorithm, the best known quantum approach for breaking SHA-256, only provides a quadratic advantage (rather than an exponential one), meaning such an attack would still likely be computationally infeasible even for a quantum computer.⁶ Bitcoin mining also has other defenses against a CRQC, including the sheer scale of network hashrate that a quantum computer would confront when attempting disruptive attacks, the difficulty adjustment, and changes that could be applied to mining’s underlying Proof of Work function to compensate for quantum miner participation.⁷ As a result, ECDSA would most likely be the first or only target of quantum computing attacks, and that will be the primary focus of this piece.
Putting Concerns in Context
Google’s Willow clearly represents a noteworthy milestone in the long history of quantum computing and has understandably reignited concerns about existing cryptographic systems like bitcoin that secure the world’s data and financial assets. That said, before prematurely declaring bitcoin dead yet again, it’s important to properly frame the actual impact of the announcement and its potential implications.
This is not a new concern. Anyone not following either bitcoin or quantum computing closely may be tempted toward a kneejerk view that Willow represents a previously undiscovered vulnerability to cybersecurity. But contrary to recent headlines in outlets like the Wall Street Journal which bizarrely claim that quantum computing has not been on anyone’s radar until now, this issue has been deeply analyzed by bitcoin enthusiasts for over a decade. The question of quantum computing was discussed in depth on bitcointalk.org at least as early as 2010, with specific discussion about vulnerabilities in bitcoin signatures as early as 2012. (As an aside, this is a good example of the rule of thumb that any concern one may have about bitcoin was already discussed at length on bitcoin web forums over 10 years ago.) More broadly, this risk is something cryptography experts well beyond bitcoin have been considering for decades, and there are already several quantum-resistant cryptography implementations available for deployment in bitcoin and elsewhere (discussed in greater depth below).
Bitcoin should be among the least of one’s worries. Virtually every sensitive system in the world – including bank and brokerage accounts, health records, personal identity information held by companies and governments, etc – relies on some form of asymmetric computational hardness for security, so any fears about quantum computing’s long-term impact on bitcoin must extend to these targets as well. While it’s possible that bitcoin’s ECDSA signatures may be more vulnerable to quantum attacks than the RSA-based cryptography that protects many other systems (though even that is up for debate), it’s safe to say that if ECDSA were ever cracked by a quantum computer, other frameworks would not be far behind. Moreover, while bitcoin would be a highly valuable target, the aggregate value of bank and brokerage accounts in the US alone still dwarfs bitcoin’s ~$2 trillion market cap by many multiples, making legacy systems a much richer prize.⁸ While it’s conceivable that a state actor not motivated by profit could covertly develop the first CRQC (or that they already have), such an actor would likely be reluctant to tip its hand by targeting bitcoin before first disrupting more strategically valuable targets like legacy banking rails or government intelligence databases. The upshot here is that it would be an internally inconsistent view to avoid bitcoin due to quantum computing risk while opting to store wealth in systems that would be both just as vulnerable and likely more attractive targets to both private and state actors.
Practical applications of quantum computing still have a long and uncertain road ahead. While Willow showed a breakthrough in its ability to successfully reduce error rates at larger qubit grid sizes, the quantum computing field still faces significant hurdles to reaching practical viability for applications like breaking traditional cryptography. These challenges include:
Logical qubit capacity: Given the instability and error frequency of quantum computers, a critical variable in this field is the relationship between “physical qubits” (the actual hardware components built into a chip) and “logical qubits,” which are the error-corrected results of many physical qubits interacting. For example, Google’s Willow chip uses up to 105 physical qubits to produce 1 logical qubit that would be useful for quantum algorithms and computations. Other systems like the H1 processor developed by Microsoft and Quantinuum have produced 12 logical qubits with only 56 physical qubits, though this system has not shown exponentially improving error rates at larger grid sizes like Willow.⁹ These figures are noteworthy because various estimates suggest breaking the 256-bit ECDSA that secures bitcoin private keys would require something north of 2,500 logical qubits, several orders of magnitude above what the bleeding edge technology can produce today.¹⁰ While Willow’s exponentially declining error rates could be a foundation for building toward this level, it’s still far from clear if the chip’s error correction effect could be scaled sufficiently to allow for arbitrarily large logical qubit values, particularly as physical lattices get much larger.
Stability and coherence time: Closely related to error correction is the need for systems that can maintain quantum coherence – the stable state in which useful quantum operations are possible – for longer periods of time. Better coherence times can improve error correction and effectively boost the “yield” of a system’s physical qubits, but coherence is fragile and can be easily disrupted, hence the need for highly controlled environments, and the longest recorded coherence times for general purpose superconducting chips like Willow are still measured in microseconds, or millionths of a second.¹¹ The Willow chip recorded a coherence time of ~68 microseconds, which was a 5x improvement vs Google’s prior-generation chip but still well short of even the most optimistic estimates for the minimum coherence time needed to solve the discrete log problem. For instance, one estimate from 2020 suggests a quantum computer would need at least ~11 full seconds of coherence under absolutely ideal conditions to execute Shor’s algorithm, representing a more than 100,000x improvement vs Willow’s current coherence time.¹² Given the practical constraints associated with quantum computing (e.g. time needed for error correction, measurement, processing of results, etc), this coherence estimate is still likely optimistic, and it’s important to note that actual required runtimes to break a private key even in this ideal state would probably be closer to one hour at minimum (which, as we’ll see, may be prohibitively long for many potential attacks on bitcoin).¹³
Physical scaling constraints: Recent estimates have suggested something like 317 million physical qubits would be needed to crack an ECDSA private key within an hour or 13 million within a day – the most relevant time thresholds for bitcoin, as we’ll see below – highlighting just how physically demanding this process would be in practice.¹⁴ While ongoing improvements in error correction and coherence could reduce the absolute physical qubits needed to reach critical logical qubit thresholds, practically operating a system anywhere near this scale would still require, among other things: a huge physical footprint; precise control of extremely low temperatures; advanced interconnectivity and control systems; and extremely granular fabrication processes for all the key components, which would be even more delicate than the notoriously complex manufacturing process for traditional semiconductors.¹⁵ And that’s all before considering the power consumption of operating such a system, which various estimates peg at something like 100MW, or roughly the capacity of a small combined cycle power plant.¹⁶ Even assuming progressively better ancillary technologies for things like temperature control and interconnectivity, practical quantum computing will likely remain an extremely physically complex and capital intensive proposition for many years, a major hurdle for aspiring attackers (particularly since, as we discuss in more depth shortly, the energy cost for any such attack would scale linearly with the number of public keys targeted).
Real-world applicability: A frequently hyped element of the Willow announcement was the chip’s five-minute completion of a benchmarking test (Random Circuit Sampling, or RCS) that would take classical computers 10 septillion years to perform. A quick glance at this result could lead a casual observer to extrapolate that Willow either already has surpassed or will soon surpass classical computers in the performance of everyday applications, but this would be a serious misconception. The RCS benchmark has no real-world applications, but rather was specifically designed to be infeasible for a classical computer while accentuating the strengths of a quantum computer to determine if a quantum chip can successfully perform a conventionally infeasible operation – basically a kind of go/no-go checkpoint for a quantum chip’s progress. While clearing the RCS benchmark was a noteworthy milestone and a precondition to eventually moving to practical applications, this test alone doesn’t tell us much about the probability that Willow will be able to perform real-world tasks anytime soon.
This wide array of hurdles helps explain why Google’s Quantum AI director noted in the wake of the Willow announcement that breaking modern cryptography is “at least 10 years away” and that the new Google chip doesn’t change previously established timelines at all. Similarly, Nvidia CEO Jensen Huang recently projected that we’ll need roughly another 20 years to achieve useful quantum computers.
Bitcoin’s Potential Vulnerabilities
All those significant caveats aside, it’s still no doubt disconcerting to think that bitcoin could one day be stolen by a quantum attack through a compromise of the signatures that secure bitcoin balances. However, it’s important to note that such a scenario could only take place under very specific circumstances, even assuming the emergence of a practical and cost-effective CRQC. There are four potential quantum vulnerability scenarios for bitcoin’s ECDSA signatures, each of which in some way involves revealing a public key to the bitcoin network – without that critical information, no form of quantum attack on bitcoin private keys would be possible.
Obsolete addresses: Bitcoin’s very first address format¹⁷ was known as “Pay-to-Public-Key” or “P2PK.” Whereas later address types pay bitcoin to the hash of a public key or a redeem script, thereby hiding this sensitive information about the recipient from the network, P2PK addresses receive bitcoin directly to, as the name suggests, an exposed public key. Such addresses would be vulnerable to a CRQC because they give an attacker the starting point they would need (i.e. the revealed public key) to make an attempt at reverse-engineering the associated private key. These addresses have been effectively deprecated for more than a decade, and no modern wallet software generates them, so this category is not applicable to the vast majority of bitcoin holders.¹⁸
That said, roughly 8% of bitcoin’s total supply currently sits in very old P2PK addresses, including about 1 million bitcoin commonly attributed to bitcoin’s creator Satoshi Nakamoto. Since this address format is theoretically the most vulnerable to a quantum attack and most of these addresses contain 50 bitcoin (~$5 million at time of writing), these balances would likely be the first to be targeted, thereby alerting the rest of the bitcoin network to the potential arrival of a CRQC. This protective effect for later address types has led some developers to term these coins “Satoshi’s Shield.”
Taproot addresses: While most address formats introduced after P2PK encode the critical receiving information within a hash, Taproot (P2TR), bitcoin’s most recently introduced address format, also uses exposed public keys. Uptake of this address format is still nascent and many wallets still have yet to build out support for P2TR, so these addresses currently secure <1% of bitcoin’s supply. That said, Taproot addresses could also offer one potential upgrade path for bitcoin users to relatively seamlessly transition to quantum-resistant addresses if that becomes necessary down the road (discussed more below).
Re-used addresses: While bitcoin held in post-P2PK and pre-Taproot addresses that have never sent any transactions benefit from hidden public keys, that protection disappears when coins from those addresses are first spent. Spending from any address type requires revealing the public key for that address, so any users concerned about quantum safety should be sure to not receive any bitcoin to addresses that have already sent a transaction. This is the category that could most realistically impact the widest array of bitcoin holders if a CRQC were to be developed, as estimates suggest something like 50% of bitcoin are currently held in re-used addresses.¹⁹ However, any risk here can also be easily eliminated by simply avoiding address reuse, which is a best practice for many other reasons and is already the default behavior of most wallets.
“In-flight” transactions: The least likely but most potentially concerning vulnerability for bitcoin in its current state is the possibility of recently broadcast transactions being “sniped” by an attacker while awaiting confirmation in bitcoin’s blockchain. Since spending bitcoin from any address type requires revealing a public key, a sufficiently powerful CRQC could potentially scan mempools for valuable “in-flight” transactions and reverse-engineer private keys for the associated addresses before transaction confirmation. This would be the most problematic quantum attack as it would make any bitcoin transaction inherently very risky, but it would also be far and away the most difficult for an attacker to execute given bitcoin’s relatively short blocktime – new blocks are confirmed, on average, every 10 minutes, so a CRQC would need to be powerful and fast enough to reliably crack private keys in that window. This would be a very high-risk proposition for an attacker, as any energy expended in the attempt would be an irrecoverable sunk cost should the attack fail (the same game of chicken faced by dishonest bitcoin miners today). Meanwhile, pending significant improvements in parallelization, any quantum attack would only be able to break one public key at a time, so the energy expenditure required for more attacks would scale linearly with the number of attacks performed (that is, 100 public keys targeted would require roughly 100x the energy cost), further disincentivizing attacks on all but the most valuable transactions.
The key takeaway here is that, contrary to the impression fostered by much of the mainstream commentary on this topic, any bitcoin stored in a single-use address employed by most modern wallets could not be compromised even by an advanced quantum computer, and anyone with bitcoin in a reused address can gain robust security against most conceivable quantum attacks with some fairly trivial UTXO management. Even in the “in-flight” scenario and assuming no changes to bitcoin, attackers would face an incredibly high bar with a potentially unattractive risk-reward skew in most cases.
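One way to apply the address categories above to a wallet's own outputs, as an added example that is not from the original article: it matches each output script against the standard templates and reports whether its public key is already visible on-chain. The function names, status labels and sample scripts (filler bytes, not real keys or hashes) are assumptions made for this example.

```python
from collections import defaultdict

# Opcodes that appear in the standard output templates.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL = 0x76, 0xA9, 0x87
OP_EQUALVERIFY, OP_CHECKSIG = 0x88, 0xAC

EXPOSED_AT_REST = {"p2pk", "p2tr"}             # public key sits in the output
HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}  # key or script shown only on spend


def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard templates."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        if (n == 35 and spk[1] in (0x02, 0x03)) or (n == 67 and spk[1] == 0x04):
            return "p2pk"
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "unknown"  # e.g. bare multisig or OP_RETURN: inspect by hand


def exposure(spk: bytes, spent_before: set):
    """Return (type, status). spent_before holds scripts already spent from."""
    kind = script_type(spk)
    if kind in EXPOSED_AT_REST:
        return kind, "exposed-at-rest"
    if kind in HASHED:
        # A hashed output hides the key only until its first spend.
        if spk in spent_before:
            return kind, "exposed-by-reuse"
        return kind, "hidden-until-spend"
    return kind, "needs-review"


def audit(utxos, spent_before):
    """Sum satoshis per status for (scriptPubKey hex, satoshis) pairs."""
    totals = defaultdict(int)
    for spk_hex, sats in utxos:
        _, status = exposure(bytes.fromhex(spk_hex), spent_before)
        totals[status] += sats
    return dict(totals)


# --- Constructed sample data: filler bytes, not real keys or hashes ---
H20_A = bytes(range(1, 21))
H20_B = bytes(range(101, 121))
X32 = bytes(range(32, 64))
SAMPLE_P2PK = bytes([65]) + b"\x04" + X32 + X32 + bytes([OP_CHECKSIG])
SAMPLE_P2PKH = (bytes([OP_DUP, OP_HASH160, 20]) + H20_A
                + bytes([OP_EQUALVERIFY, OP_CHECKSIG]))
SAMPLE_P2WPKH = bytes([OP_0, 20]) + H20_A
SAMPLE_P2WPKH_REUSED = bytes([OP_0, 20]) + H20_B
SAMPLE_P2TR = bytes([OP_1, 32]) + X32

# Scripts that a (hypothetical) transaction history shows as already spent from.
SPENT_BEFORE = {SAMPLE_P2WPKH_REUSED}

SAMPLE_UTXOS = [
    (SAMPLE_P2PK.hex(), 5_000_000_000),
    (SAMPLE_P2PKH.hex(), 120_000),
    (SAMPLE_P2WPKH.hex(), 2_500_000),
    (SAMPLE_P2WPKH_REUSED.hex(), 40_000_000),
    (SAMPLE_P2TR.hex(), 1_000_000),
]

if __name__ == "__main__":
    for spk_hex, sats in SAMPLE_UTXOS:
        kind, status = exposure(bytes.fromhex(spk_hex), SPENT_BEFORE)
        print(f"{kind:7} {status:20} {sats:>13} sat")
    print(audit(SAMPLE_UTXOS, SPENT_BEFORE))
```

Outputs reported as exposed-by-reuse are the ones the "trivial UTXO management" above refers to: moving them to a fresh, never-spent address returns them to hidden-until-spend.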
How Could Bitcoin Respond?
When considering both the hurdles still facing practical quantum computing and the various ways that much of the risk to bitcoin can already be mitigated even with no changes to the network, it should be clear that sensationalized headlines about bitcoin’s security are overblown. All the same, if bitcoin is ultimately expected to store hundreds of trillions in global wealth for centuries, it’s reasonable to look for ways to improve security over time for progressively greater assurances against even the most unlikely left-tail risks. Moreover, the National Institute of Standards and Technology (NIST), which sets US cybersecurity standards, recommends all systems upgrade to quantum-resistant cryptography by 2035, and an application of Moore’s Law to quantum chips would suggest critical qubit thresholds could be reached around 2040, so it’s undoubtedly prudent to consider potential upgrades before these dates (particularly since quantum development could accelerate even more rapidly from here).²⁰
Fortunately, there are already three NIST-approved quantum-safe algorithms that could lay the foundation for better security both in bitcoin and digital systems more broadly. All of these options are available for production and practical application today, and there are other implementations in development that will likely also play a role in the future. Meanwhile, since this issue has been discussed among bitcoin developers for some time, there are already several proposals at various stages of maturity that could be deployed to enhance bitcoin’s resistance to theoretical quantum attacks. Probably the most developed proposal is Hunter Beast’s BIP-360, which includes support for two of the NIST-approved quantum-safe algorithms and two others. This upgrade would add a new address format called P2QRH (“Pay to Quantum-Resistant Hash”), which, like most modern address formats, would hide each address’s public key within a hash. While these addresses would still reveal public keys at the time of spending, that information could not be used by a CRQC to reverse engineer private keys as part of an “in-flight” attack since P2QRH’s key pairs would be generated with quantum-safe algorithms. BIP-360 comes with some trade-offs, including the larger size of its quantum-resistant signatures and the fact that its implementation would require a soft fork (and thus a good deal of consensus-building among bitcoin users), but it could be a valuable foundation to future-proof bitcoin for the very long term.
Of course, it’s likely that best practices in this field will evolve as our understanding of quantum computing develops, and the quantum-safe primitives we have today would no doubt benefit from more real-world stress testing. These points are potentially an argument for moving cautiously with any bitcoin upgrades to avoid creating technical debt that swiftly becomes obsolete as quantum-safe cryptography matures. To that end, the ecosystem could also explore earlier-stage constructs like the ideas suggested by bitcoin veteran Matt Corallo in this recent bitcoin developer mailing list thread, which would leverage the existing capabilities of bitcoin’s recent Taproot upgrade to enable alternative, quantum-resistant spending conditions that could be used as emergency fallback options if CRQC development dramatically accelerated. Elsewhere, pseudonymous developer Conduition has also published a more fleshed out proposal that may be worth consideration. Notably, neither of these paths would require soft forks today, delaying both the need for consensus-building and costly on-chain transactions to move to quantum-safe addresses until a quantum threat is closer and more fully defined. Additionally, these paths could allow for greater flexibility into the future as the cryptography sphere further researches and builds out post-quantum algorithms. We encourage interested readers to take a deeper dive into these proposals, and we note this is not an exhaustive list of proposed solutions that could be deployed.
This discussion is not an endorsement of any particular path, but simply an illustration that even in a downside case, the emergence of CRQCs would not be an intractable problem that bitcoin couldn’t solve. In fact, bitcoin is probably better suited to tackle this problem than the vast majority of software stacks protecting the rest of the world’s data. As a monetary network based on an endogenous digital bearer asset rapidly accruing value, bitcoin offers an embedded incentive for those working on it to move quickly and decisively if necessary to protect the project’s significant embedded value, a dynamic less likely to animate most government and corporate cybersecurity teams. Meanwhile, as an open source project securing ~$2 trillion in wealth, bitcoin is one of the most scrutinized and battle-tested pieces of software in the world and has attracted some of the world’s best developer talent to maintain and improve upon it, a claim few banking IT departments can make.
Conclusion
As with any legitimate risk, it would be misguided to completely dismiss the long-term potential for quantum computing to disrupt bitcoin and most other cryptographically-secured systems. On balance, though, the significant hurdles still facing quantum computing, the likely timelines needed to reach practically relevant quantum computers, and the various upgrade paths already available for the world’s digital infrastructure collectively suggest that progress toward a CRQC is not presently an existential bear case for bitcoin (and if it is, as discussed before, then it’s an even greater bear case for legacy financial rails and securities markets). But for readers who may still find themselves on the fence due to the complex, black-box nature of this field of study – and especially for those readers who have delayed an allocation to bitcoin because of this concern – it may be helpful to reduce this question to a simple expected value calculation. The table below shows that even if we apply extremely high probabilities to existential quantum risks for bitcoin, the probability-weighted upside to bitcoin’s current price would still imply 10-50x+ appreciation from here.²¹
This is obviously an illustrative, oversimplified binary, but it distills an important point for anyone still on the sidelines because of quantum computing risk. If any version of the bitcoin bull thesis proves correct, the asset is likely to continue capturing an appreciable percentage of the world’s total wealth, leading to substantial price upside from here (we recommend The Bullish Case for Bitcoin and Gradually, then Suddenly as refreshers on this view). Even if we were to apply a 50% chance of a sudden advanced quantum attack that sends bitcoin’s value to zero literally overnight – a probability which seems several orders of magnitude too high given everything we’ve covered in this piece so far – bitcoin at ~$100,000 is still extraordinarily attractive on a probability-adjusted basis. The development of quantum computing warrants close monitoring, but in any fair analysis, it should not be a barrier to owning bitcoin.
1 For example, the result of this function where a = 8 and b = 2 is 3 because 2^3 = 8. This is easy to determine when these values are small composite numbers (even without a calculator), but becomes exceptionally difficult when a and b are both sufficiently large prime numbers (even for a conventional supercomputer).
2 See Mastering Bitcoin and this lengthy Bitcoin Stack Exchange discussion for sources and additional detail.
3 See Pollard’s Rho algorithm as an example of one of the best known conventional computer algorithms that would only provide a quadratic speedup for an attacker.
4 Result based on 128-bit security, which gives 3.4 x 10^38 searchable keys divided by 1.7 x 10^18 guesses per second = 1.95 x 10^20 seconds or 6.2 trillion years required. It’s worth noting that the operations necessary to brute force a private key are more complicated than the simple floating point operations for which the fastest supercomputers are optimized, so in practice this process would most likely take even longer than reflected here.
5 This primer from Scientific American offers a longer discussion of these concepts.
6 See Cisco Systems, 2017 for more.
7 See Ten31’s discussion with Matt Corallo on this topic from December 2024.
8 Per the Federal Reserve, US commercial bank accounts collectively hold ~$18 trillion, while Vanguard and Charles Schwab alone hold ~$20 trillion in total client assets.
9 Microsoft and Quantinuum announcement, September 10, 2024.
10 Kudelski Security Research, 2021.
11 Other approaches like trapped-ion quantum computing have shown much longer coherence times, but usually at the expense of computation speed or lack of scalability to multi-qubit architectures required for practical quantum computing tasks.
12 University of Surrey, 2020. See calculations and discussion on pages 6-7.
13 Microsoft Research, 2017. See table and discussion on page 21.
15 See this overview from McKinsey and this 2024 research paper from various industry professionals for more detail on quantum computing’s physical scaling challenges.
16 See estimates for quantum computing power consumption here and here.
17 For the purists, P2PK is technically not an address format at all since the whole point is it doesn’t generate an address for receiving bitcoin. We call it an address type here for ease of discussion.
18 We recommend this summary overview from Unchained for more information on bitcoin’s various address formats.
20 See NIST memo on post-quantum cryptography and Introduction to Quantum Computing for Business.
21 Analysis assumes $100,000 current bitcoin price and approximately $500 trillion in addressable global wealth, per latest estimates from Boston Consulting Group.