Coin Miner Crypto Mining Blog

How Fast Could a Quantum Computer Mine SHA-256? (Reality Check, 2025)

Published September 29, 2025 · 4 min read

Updated Sep 29, 2025

TL;DR

  • Bitcoin mining = search for any input whose double-SHA-256 is below a target.

  • Quantum best case uses Grover’s algorithm, which needs about (π/4)·√(1/p) oracle calls, where p is the success probability per try. That’s only a quadratic (√) speedup, not exponential. [NIST Computer Security Resource Center]

  • At today’s difficulty, that works out to roughly 10¹¹–10¹² Grover iterations per block. [Quantum Canary]

  • Building one SHA-256 “oracle call” on a fault-tolerant quantum computer is massively expensive: ~6k logical qubits and depth around 2^153.8 surface-code cycles for a full preimage attack circuit (implying huge per-iteration cost). Cambridge/NIST-linked work shows overall costs can be >2.75×10¹¹ times larger than the naïve query count suggests. [arXiv]

  • Bottom line: No practical speed advantage over modern ASIC miners with any near-term quantum hardware.


How mining maps to Grover

Classical view. The probability that one hash meets Bitcoin’s target is approximately

$$p \approx \frac{1}{\text{difficulty}\times 2^{32}}$$

and the network needs on average difficulty × 2³² hashes per block. [Bitcoin Stack Exchange]

Quantum view. Grover finds a solution in about

$$Q \approx \frac{\pi}{4}\sqrt{\frac{1}{p}}=\frac{\pi}{4}\cdot 2^{16}\sqrt{\text{difficulty}}$$

oracle calls (each “call” evaluates a reversible SHA-256 within the Grover iterate). [NIST Computer Security Resource Center]

Numerical feel. If difficulty ~ 10¹⁴ (typical order of magnitude in recent years),

$$Q \approx \frac{\pi}{4}\cdot 65{,}536\cdot 10^7 \approx 5\times 10^{11}$$

calls—squarely in the 10¹¹–10¹² range cited by recent analyses. [Quantum Canary]


Why “√N fewer tries” still isn’t fast in practice

  1. Heavyweight oracle. Reversible SHA-256 for Grover needs thousands of logical qubits and deep circuits. A leading estimate for a full SHA-256 preimage attack circuit is ~2^12.6 logical qubits (~6,000) and ~2^153.8 surface-code cycles, yielding a total cost around 2^166 logical-qubit-cycles—~2.75×10¹¹× worse than the bare query count. [arXiv]

  2. Fault tolerance overhead. Mapping ~6k logical qubits to physical qubits under surface code often requires millions of physical qubits at today’s error rates—before any parallelization. (Same sources.) [arXiv]

  3. Clock speed gap. ASIC miners perform trillions of SHA-256 hashes per second today; a fault-tolerant quantum computer’s Grover iterations would tick at a much slower effective rate because each iteration spans many sequential error-corrected subroutines. (Inference based on the above resource estimates.) [arXiv]

Net effect: Even though Q ≪ N (where N ≈ 1/p is the classical expected number of hashes), time-to-solution for a realistic quantum miner would be longer than a top classical miner.


“So… how fast could it be?” (scenario math)

If a fault-tolerant QC could execute one Grover iteration in T seconds, the expected time per block is roughly

$$T_{\text{block}} \approx Q\cdot T \approx \frac{\pi}{4}\cdot 2^{16}\sqrt{\text{difficulty}}\cdot T.$$

  • With difficulty ~ 10¹⁴ and optimistic T = 10⁻⁶ s (one microsecond per iteration—far beyond credible near-term), you still get ~5×10⁵ seconds (~6 days) per block on a single quantum core. Realistic T from fault-tolerant resource studies would be orders of magnitude slower, pushing timescales to years without massive (and currently infeasible) parallelization. (Order-of-magnitude inference; see overhead sources.) [arXiv]
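
The arithmetic from the sections above, as an added Python example (not code from the original article): it decodes a block header's compact nBits field into the target, derives p and the Grover iteration count Q, and estimates wall-clock time per block. Assumptions: the nBits value 0x1702D414 is constructed to give a difficulty close to 10¹⁴, and the √K scaling for K parallel Grover machines and the 600-second block interval are standard results brought in for the example, not figures from the article.

```python
import math

DIFF1_TARGET = 0xFFFF << 208   # target at difficulty 1 (nBits 0x1d00ffff)
BLOCK_INTERVAL_S = 600         # Bitcoin's 10-minute block spacing
SAMPLE_NBITS = 0x1702D414      # constructed value, difficulty close to 1e14

def target_from_nbits(nbits: int) -> int:
    """Decode the header's compact nBits field into the 256-bit target."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("sign bit set: negative targets are invalid")
    if exponent <= 3:
        target = mantissa >> (8 * (3 - exponent))
    else:
        target = mantissa << (8 * (exponent - 3))
    if not 0 < target < (1 << 256):
        raise ValueError("target is zero or overflows 256 bits")
    return target

def difficulty(target: int) -> float:
    return DIFF1_TARGET / target

def success_probability(target: int) -> float:
    """Exact p: a hash wins if hash <= target, out of 2**256 outputs."""
    return (target + 1) / (1 << 256)

def grover_iterations(p: float) -> float:
    """Q = (pi/4) * sqrt(1/p), the article's oracle-call count."""
    return (math.pi / 4) * math.sqrt(1 / p)

def block_time_s(q: float, t_iter: float, machines: int = 1) -> float:
    """K machines each search 1/K of the nonce space, so wall time
    falls by sqrt(K) only (standard parallel-Grover scaling)."""
    return q * t_iter / math.sqrt(machines)

def machines_for_interval(q, t_iter, interval=BLOCK_INTERVAL_S) -> int:
    """Quantum machines needed to solve one block within `interval`."""
    return max(1, math.ceil((q * t_iter / interval) ** 2))

if __name__ == "__main__":
    target = target_from_nbits(SAMPLE_NBITS)
    p = success_probability(target)
    q = grover_iterations(p)
    t_iter = 1e-6  # the article's optimistic one microsecond per iteration
    print(f"difficulty          {difficulty(target):.3e}")
    print(f"classical hashes    {1 / p:.3e}")
    print(f"Grover iterations   {q:.3e}")
    print(f"one machine         {block_time_s(q, t_iter) / 86400:.1f} days")
    print(f"machines for 600 s  {machines_for_interval(q, t_iter):,}")
```

Because parallel Grover gains only √K from K machines, closing the gap from days to a 10-minute block at this sample difficulty takes hundreds of thousands of machines even at one microsecond per iteration.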


Common questions

Doesn’t quantum give an exponential speedup?
Not here. Mining is an unstructured search, and the best known quantum algorithm (Grover) gives quadratic (√) improvement only. [NIST Computer Security Resource Center]

Could smarter quantum algorithms beat √N for SHA-256?
Not under the standard “random-oracle” model used for hash functions; no general super-Grover speedups are known. (State of the art remains Grover/BHT for search/collision.) [NIST Computer Security Resource Center]

What about “quantum annealers” or special chips?
They don’t implement fault-tolerant Grover with a SHA-256 oracle and haven’t shown a scalable advantage for Bitcoin’s puzzle. Peer-reviewed resource estimates overwhelmingly assume gate-model, error-corrected machines. [arXiv]

Will quantum break Bitcoin sooner via signatures?
If anything, signatures (ECDSA/Schnorr) are the nearer-term concern because Shor’s algorithm gives an exponential speedup for discrete logs—whereas SHA-256 mining only gets a √-speedup. (General NIST discussion of Grover vs. Shor for symmetric vs. public-key crypto.) [NIST Computer Security Resource Center]


Bottom line

  • In theory: A quantum miner needs ~(π/4)·2¹⁶·√D iterations, where D is the difficulty; at current difficulty that’s ~10¹¹–10¹² iterations per block. [Quantum Canary]

  • In practice: Each iteration is so costly (logical-qubit count and code-cycle depth) that quantum mining is slower than today’s ASIC farms by a wide margin. No credible blueprint shows a practical advantage with foreseeable hardware. [arXiv]


Sources & further reading

  • Grover’s algorithm and √-speedup for symmetric primitives. NIST Computer Security Resource Center

  • Quantum resource estimates for SHA-256 preimage attacks (logical qubits, surface-code cycles; overhead vs. naïve queries). arXiv

  • Mining difficulty math: expected hashes ≈ 2³² × difficulty; success probability per hash ≈ 1/(difficulty·2³²). Bitcoin Stack Exchange

  • Recent estimate of Grover-iteration count per block at current difficulty. Quantum Canary

  • High-level treatments of quantum mining conditions and theory. MDPI



Educational content only. Figures reflect sources available as of 29 September 2025 (AEST) and may change as methods and hardware evolve.


Written by Alexander The great

We research mining hardware, power economics, and on-chain trends to help Australian miners make smarter decisions.