
Quantum computers capable of breaking the Bitcoin blockchain do not exist today. However, developers are already considering a wave of upgrades to create protection against the potential threat, and rightly so, because the threat is no longer imaginary.
This week, Google published research showing that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in less than nine minutes – which is a minute faster than the average Bitcoin block settlement time. Some analysts believe such a threat could become a reality by 2029.
The stakes are high: About 6.5 million Bitcoin tokens, worth hundreds of billions of dollars, exist at addresses that a quantum computer could directly target. Some of these coins belong to Satoshi Nakamoto, the pseudonymous creator of Bitcoin. Furthermore, a potential compromise would harm Bitcoin’s core principles – “trust the code” and “sound money.”
Here’s what the threat looks like, along with proposals being considered to mitigate it.
Quantum machines can attack Bitcoin in two ways
Let’s understand the vulnerability before discussing the resolutions.
Bitcoin’s security rests on a one-way mathematical relationship. When you create a wallet, a private key (a large secret number) is generated, and a public key is derived from it.
Spending Bitcoin tokens requires proving ownership of a private key, not by revealing it, but by using it to generate a cryptographic signature that the network can verify.
This works because reversing that step, recovering the private key from the public key, would take today’s computers billions of years. That hardness is what the elliptic curve cryptography Bitcoin uses relies on, specifically the Elliptic Curve Digital Signature Algorithm (ECDSA) and, since Taproot, Schnorr signatures. Forging a valid signature without the private key is therefore said to be computationally infeasible.
But a future quantum computer could turn this one-way street into a two-way street, deriving your private key from your public key and spending your coins as if it were you.
The public key is exposed in two ways: by coins sitting idle in outputs that already contain the key (long-exposure attack), or by coins in motion, i.e. transactions waiting in the memory pool (short-exposure attack).
Pay-to-Public-Key (P2PK) outputs, used by Satoshi and early miners, and Taproot (P2TR), the output type activated in 2021 and widely used today, are both vulnerable to the long-exposure attack. Coins in these outputs do not need to move to reveal their public keys; the key is already written into the output, and anyone on Earth, including a future quantum attacker, can read it. Hash-based address types (P2PKH, P2WPKH) join this group once an address has been spent from and then reused, because the earlier spend revealed the key. Approximately 1.7 million BTC sits in old P2PK outputs, including Satoshi’s coins.
Short exposure is tied to the mempool, the waiting room for unconfirmed transactions. While a transaction waits to be included in a block, its public key and signature are visible to the entire network; for hash-based address types this is the first time the key appears at all.
A quantum attacker can read that data, but has only a brief window, before the transaction is confirmed and buried under further blocks, in which to derive the private key and get a competing spend of the same coins confirmed first.
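To make the two exposure modes concrete, here is an added Python example; it is not code from the article or from any Bitcoin project. It derives a compressed public key from a private key with a minimal pure-Python secp256k1 implementation (the cheap, forward direction of the one-way relationship), then classifies common output scripts by whether the public key can be read off the chain while the coins sit still. The private key, the placeholder hash and the stand-in Taproot key are constructed toy values, and the exposure rule is a simplified model of the long/short distinction above, extended to cover address reuse.

```python
# Added example: what Bitcoin outputs reveal on chain (not code from the article).
# Pure-Python secp256k1 for illustration only; real wallets use audited libraries.

# secp256k1 field prime and generator point (public curve constants)
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _ec_add(p, q):
    """Point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _ec_mul(k, point):
    """Double-and-add scalar multiplication: the cheap, forward direction."""
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, point)
        point = _ec_add(point, point)
        k >>= 1
    return result


def pubkey_from_privkey(d: int) -> bytes:
    """Compressed 33-byte public key d*G. Computing this is fast; recovering d
    from it is the elliptic-curve discrete-log problem that Shor's algorithm solves."""
    x, y = _ec_mul(d, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def classify_script_pubkey(spk: bytes):
    """Return (output_type, pubkey_readable_at_rest) for common scriptPubKey shapes."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True            # <pubkey> OP_CHECKSIG: raw key in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False          # only HASH160(pubkey) is stored
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True            # OP_1 <32-byte x-only tweaked pubkey>
    return "unknown", False


def exposure_window(spk: bytes, address_reused: bool = False) -> str:
    """'long': the key can be read off the chain at any time (long-exposure attack).
    'short': the key only appears inside the spend, so the attacker has the mempool window.
    Simplified rule: a hash-based single-key output becomes long-exposed once its
    address has been spent from and reused, because the earlier spend revealed the key."""
    kind, readable = classify_script_pubkey(spk)
    if readable or (kind in ("P2PKH", "P2WPKH") and address_reused):
        return "long"
    return "short"


# Constructed sample data: a toy private key (never use) and placeholder scripts.
TOY_PRIVKEY = 1
TOY_PUBKEY = pubkey_from_privkey(TOY_PRIVKEY)
SAMPLE_P2PK = bytes([len(TOY_PUBKEY)]) + TOY_PUBKEY + b"\xac"
SAMPLE_P2PKH = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"   # fake 20-byte hash
SAMPLE_P2TR = b"\x51\x20" + TOY_PUBKEY[1:]                   # untweaked x as a stand-in

if __name__ == "__main__":
    for name, spk in (("P2PK", SAMPLE_P2PK), ("P2PKH", SAMPLE_P2PKH), ("P2TR", SAMPLE_P2TR)):
        print(name, classify_script_pubkey(spk), "exposure:", exposure_window(spk))
    print("P2PKH after address reuse:", exposure_window(SAMPLE_P2PKH, address_reused=True))
```

Running it shows P2PK and P2TR classified as long exposure straight away, while P2PKH is short exposure only until the address is reused. The stand-in Taproot key skips the real BIP 341 tweak; the classifier only cares that 32 bytes of key material sit in the output.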
The proposals
BIP 360: Removing the public key from the output
As mentioned earlier, every new Bitcoin address created using Taproot today permanently exposes a public key onchain, giving future quantum computers a goal that will never go away.
Bitcoin Improvement Proposal (BIP) 360 avoids embedding a public key in the output at all. It introduces a new output type, Pay-to-Merkle-Root (P2MR), which commits only to the Merkle root of the spending scripts, so there is no key to read off the chain while the coins are at rest.
Recall that the quantum attack works by reading a public key and computing the matching private key. With no key in the output, there is nothing to attack while the coins sit still; keys only appear when the coins are spent, which collapses the long-exposure problem into the short-exposure one. Everything else keeps working, including Lightning payments, multi-signature setups, and other Bitcoin features.
However, if implemented, this proposal protects only coins that are moved into the new output type. The 1.7 million BTC already sitting in old exposed outputs is a separate problem, addressed by the other proposals below.
SPHINCS+ / SLH-DSA: Hash-Based Post-Quantum Signatures
SPHINCS+ is a post-quantum signature scheme built entirely from hash functions, which sidesteps the quantum weakness of the elliptic curve cryptography Bitcoin uses today. Shor’s algorithm breaks ECDSA and Schnorr signatures; hash-based designs like SPHINCS+ are not affected by it, and the best known quantum attack on hash functions (Grover’s search) only forces modestly larger parameters.
The scheme was standardized as FIPS 205 (SLH-DSA) by the National Institute of Standards and Technology (NIST) in August 2024 after years of public review.
The trade-off for that safety is size. A Bitcoin Schnorr signature is 64 bytes; an SLH-DSA signature is roughly 8 kilobytes (KB) at the smallest parameter set and considerably larger for the fast variants. Adopting SLH-DSA as-is would therefore sharply increase demand for block space and push up transaction fees.
In response, proposals such as SHRIMPS and SHRINCS, both hash-based post-quantum signature schemes, have been put forward to shrink signature size without sacrificing post-quantum security. Both build on SPHINCS+, aiming to keep its security guarantees in a more compact form suited to blockchain use.
Tadge Dryja’s commit/reveal plan: an emergency brake for the mempool
The proposal, a soft fork suggested by Lightning Network co-creator Tadge Dryja, aims to protect transactions in the mempool from a future quantum attacker. It does this by splitting a spend into two phases: commit and reveal.
Imagine notifying a counterparty that you will be emailing them, then actually sending an email. The first is the commit phase, and the second is the reveal.
On the blockchain, this means you first publish a sealed fingerprint of your intent, just a hash, which reveals nothing about the transaction. The block that includes it permanently timestamps that fingerprint. Later, when you broadcast the actual transaction, your public key becomes visible, and yes, a quantum computer monitoring the network can derive your private key from it and craft a competing transaction to steal your funds.
But that fraudulent transaction is rejected. Nodes check: was a commitment to this spend registered on chain earlier? Yours was. The attacker’s was not; he only learned your key moments ago. Your pre-registered fingerprint is your proof of priority.
The cost is the extra on-chain footprint and delay of splitting every spend into two stages. The scheme is therefore described as an interim bridge, practical to deploy while the community works on a full post-quantum signature upgrade.
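A simplified model of the commit/reveal rule described above, added here as an example; it is not Dryja’s code or the text of any BIP, and it abstracts blocks to a height counter. It assumes the commitment is the SHA-256 of the serialized spend and that a node accepts a spend only if that commitment already sits in an earlier block and the coin is still unspent. The outpoint and the transaction bytes are constructed stand-ins.

```python
# Added example: a simplified commit/reveal spend rule (not Dryja's code or a real BIP).
import hashlib
from dataclasses import dataclass, field


def commitment(spend_bytes: bytes) -> bytes:
    """The 'sealed fingerprint': a hash that reveals nothing about the spend itself."""
    return hashlib.sha256(spend_bytes).digest()


@dataclass
class Chain:
    """Toy chain: a height counter plus the commitments and spends each block recorded."""
    height: int = 0
    commitments: dict = field(default_factory=dict)   # commitment -> height it was mined at
    spent: set = field(default_factory=set)           # outpoints already consumed

    def mine_commit(self, c: bytes) -> int:
        """Phase 1: a block includes the commitment; the first inclusion fixes its height."""
        self.height += 1
        self.commitments.setdefault(c, self.height)
        return self.height

    def validate_spend(self, outpoint: str, spend_bytes: bytes) -> tuple:
        """Model consensus rule: the coin must be unspent and a commitment to exactly this
        spend must already be in the chain. Commitments only enter via mine_commit, so any
        recorded commitment is in a block strictly before the block that would hold the spend."""
        if outpoint in self.spent:
            return False, "outpoint already spent"
        if commitment(spend_bytes) not in self.commitments:
            return False, "no prior commitment on chain"
        return True, "ok"

    def mine_spend(self, outpoint: str, spend_bytes: bytes) -> tuple:
        """Phase 2: the revealed spend is evaluated for inclusion in the next block."""
        ok, reason = self.validate_spend(outpoint, spend_bytes)
        if ok:
            self.height += 1
            self.spent.add(outpoint)
        return ok, reason


def run_scenario() -> dict:
    """Owner commits, then reveals; an attacker who learned the key from the reveal races."""
    chain = Chain()
    outpoint = "deadbeef:0"                                      # constructed outpoint
    honest_spend = b"spend deadbeef:0 -> owner_destination"      # constructed stand-in for tx bytes
    thief_spend = b"spend deadbeef:0 -> attacker_destination"

    chain.mine_commit(commitment(honest_spend))      # owner publishes only the hash

    # Owner broadcasts honest_spend; the public key is now visible in the mempool.
    # The attacker derives the key and races with a competing spend of the same coin,
    # which we let reach the miner first to model the attacker winning the fee race.
    thief_first = chain.mine_spend(outpoint, thief_spend)
    honest = chain.mine_spend(outpoint, honest_spend)

    # The attacker commits now and tries again; the coin is already gone.
    chain.mine_commit(commitment(thief_spend))
    thief_late = chain.mine_spend(outpoint, thief_spend)
    return {"thief_first": thief_first, "honest": honest, "thief_late": thief_late}


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The attacker’s first attempt fails for lack of a prior commitment, the owner’s spend confirms, and the attacker’s belated commit is useless because the outpoint is consumed. The model ignores fees, reorgs and how a real design would bind the commitment to a specific output; it only shows why seeing the key at reveal time is too late.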
Hourglass V2: Slowing down the spending of old coins
Proposed by developer Hunter Beast, Hourglass V2 targets the quantum vulnerability of the approximately 1.7 million BTC held in old, already exposed P2PK outputs.
The proposal accepts that these coins could be stolen in a future quantum attack and tries to slow the bleeding by rate-limiting spends from those outputs to one per block, so that a massive overnight liquidation cannot crash the market.
The analogy is a bank run: you cannot stop people from withdrawing money, but you can limit how fast they withdraw so the system does not collapse overnight. The proposal is controversial because even this limited restriction is seen by some in the Bitcoin community as a violation of the principle that no outside party may interfere with your right to spend your coins.
Conclusion
These proposals have not yet been activated, and Bitcoin’s decentralized governance spanning developers, miners, and node operators means any upgrades may take time to materialize.
Still, the steady flow of proposals ahead of this week’s Google report suggests the issue has been on developers’ radar for a long time, which may help ease market concerns.
