For more than a decade, the security of the Bitcoin network has rested on a hard mathematical problem: the practical impossibility of deriving a private key from a public one with classical computers. This “one-way street” of cryptography is what allows users to prove ownership of their funds without revealing the secret keys that control them.
However, the horizon is shifting. While functional quantum computers capable of dismantling this security do not yet exist, the threat has moved from the realm of science fiction to a technical roadmap. Recent research from Google suggests that a sufficiently powerful quantum machine could potentially crack Bitcoin’s core cryptography in under nine minutes—a window of time shorter than the average interval between Bitcoin block settlements. Some analysts suggest this capability could emerge as early as 2029.
The implications are systemic. Roughly 6.5 million bitcoin tokens, representing hundreds of billions of dollars in market value, are held in addresses that a quantum computer could theoretically target. This includes the legendary holdings of Bitcoin’s pseudonymous creator, Satoshi Nakamoto. For a network built on the ethos of “trust the code,” the prospect of a quantum breach is not just a financial risk, but an existential one.
In response, a coalition of developers and cryptographers is working on quantum-proofing Bitcoin. These initiatives aim to replace vulnerable legacy systems with post-quantum cryptography (PQC) before the hardware arrives to challenge them.
The Vulnerability: How Quantum Attacks Work
Bitcoin currently relies on the Elliptic Curve Digital Signature Algorithm (ECDSA). In simple terms, ECDSA derives a public key from a private key. While a classical computer would take billions of years to work backward from the public key to the private key, a quantum computer running Shor’s algorithm can perform this calculation almost instantaneously.
The risk manifests in two distinct ways: long-exposure and short-exposure attacks.
Long-exposure attacks target coins that have already revealed their public keys on the blockchain. This includes early Pay-to-Public-Key (P2PK) addresses—where roughly 1.7 million BTC reside—and the more recent Taproot (P2TR) format activated in 2021. Because these public keys are permanently etched into the ledger, a quantum attacker can study them at leisure to derive the private keys.
Short-exposure attacks occur in the “mempool,” the digital waiting room where unconfirmed transactions sit before being included in a block. When a user broadcasts a transaction, their public key is revealed. A quantum attacker could potentially intercept this data, derive the private key, and forge a competing transaction to steal the funds before the original transaction is confirmed.
Proposed Defenses and Technical Initiatives
The Bitcoin community is exploring several layers of defense, ranging from new address types to emergency “brakes” for the network.

BIP 360 and the Removal of Public Keys
One of the most direct approaches is outlined in Bitcoin Improvement Proposal (BIP) 360. The proposal suggests introducing a new output type called Pay-to-Merkle-Root (P2MR). By removing the permanently embedded public key from the chain, the proposal effectively removes the target that a quantum computer needs to begin its reverse-engineering process.
While this would secure new coins moving forward, it does not solve the problem for the millions of BTC already sitting in exposed legacy addresses.
Standardizing Post-Quantum Signatures
To replace ECDSA entirely, developers are looking toward hash-based signatures, which are inherently resistant to Shor’s algorithm. The most prominent candidate is SPHINCS+, a scheme that was officially standardized by the National Institute of Standards and Technology (NIST) in August 2024 as FIPS 205 (SLH-DSA).
The primary challenge with SLH-DSA is efficiency. A standard Bitcoin signature is 64 bytes; an SLH-DSA signature can exceed 8 kilobytes. Implementing this would dramatically increase the amount of data stored on the blockchain, potentially leading to higher transaction fees and slower network performance. This has led to the development of secondary proposals, such as SHRIMPS and SHRINCS, which aim to compress these signatures without compromising their quantum resistance.
The Mempool “Emergency Brake”
To combat short-exposure attacks, Lightning Network co-creator Tadge Dryja has proposed a “Commit/Reveal” soft fork. This system splits a transaction into two phases:
- Commit: The user publishes a hashed “fingerprint” of their intent to spend. This reveals nothing about the public key.
- Reveal: The user later broadcasts the actual transaction.
If a quantum attacker tries to forge a transaction during the reveal phase, the network will reject it because the attacker lacks the pre-registered “commit” fingerprint. The commit acts as proof of prior intent, ensuring only the original owner can execute the spend.
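A simplified model of that two-phase acceptance rule, added here as an illustration; it is not Dryja’s proposal or any Bitcoin Core code, and the commitment format, the one-block delay and the mempool class are assumptions made for the example.

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    outpoint: str   # the coin being spent
    pubkey: bytes   # public key, exposed only when the coin is spent
    payload: bytes  # everything else (destination, amount)

    def txid(self) -> bytes:
        return hashlib.sha256(self.outpoint.encode() + self.pubkey + self.payload).digest()

def make_commitment(tx, salt):
    # Commit-phase "fingerprint": a salted hash of the eventual txid. It carries no
    # public key, and the salt stops an observer from matching it to a guessed tx.
    return hashlib.sha256(salt + tx.txid()).digest()

class CommitRevealMempool:
    # Toy acceptance policy (constructed model, not the actual soft-fork rules).
    def __init__(self, min_delay_blocks=1):
        self.height = 0
        self.commits = {}   # commitment -> block height at which it landed
        self.min_delay = min_delay_blocks

    def commit(self, commitment):
        self.commits.setdefault(commitment, self.height)  # first commit wins

    def mine_block(self):
        self.height += 1

    def reveal(self, tx, salt):
        # Reveal phase: accept only if a matching commitment landed at least
        # min_delay blocks ago; a spend with no prior commit is rejected.
        landed = self.commits.get(make_commitment(tx, salt))
        if landed is None or self.height - landed < self.min_delay:
            return False
        return True

def demo():
    mp = CommitRevealMempool(min_delay_blocks=1)
    owner_tx = Transaction("coin:0", b"\x02" + b"\x11" * 32, b"pay alice 1 BTC")
    salt = os.urandom(16)
    mp.commit(make_commitment(owner_tx, salt))
    early = mp.reveal(owner_tx, salt)  # same block as the commit: rejected
    mp.mine_block()
    rival_tx = Transaction("coin:0", owner_tx.pubkey, b"pay mallory 1 BTC")
    rival = mp.reveal(rival_tx, salt)  # competing spend, no prior commit: rejected
    owner = mp.reveal(owner_tx, salt)  # owner's reveal: accepted
    return early, rival, owner
```

The competing transaction reuses the public key exposed at reveal time, which is exactly the short-exposure scenario described above, and the node still rejects it because no commitment for its txid was registered a block earlier.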
Hourglass V2: Managing the Legacy Collapse
Perhaps the most controversial proposal is Hourglass V2, suggested by developer Hunter Beast. Acknowledging that some legacy coins may be impossible to save, Hourglass V2 proposes limiting the amount of Bitcoin that can be spent from old, exposed addresses to one BTC per block.
The goal is to prevent a “quantum bank run”—a scenario where a quantum attacker liquidates millions of BTC instantly, crashing the market. However, many in the community view any restriction on the ability to spend one’s own coins as a violation of Bitcoin’s core principles.
Comparing Quantum-Proofing Strategies
| Proposal | Primary Target | Mechanism | Main Trade-off |
|---|---|---|---|
| BIP 360 | New Addresses | Pay-to-Merkle-Root | Does not protect legacy coins |
| SLH-DSA | Network-wide | Hash-based signatures | Significant increase in data size |
| Commit/Reveal | Mempool | Two-phase execution | Increased transaction costs |
| Hourglass V2 | Legacy Coins | Spending rate limits | Controversial restriction of funds |
The Road to Implementation
Unlike a centralized company, Bitcoin cannot simply “push an update.” Any change to the protocol requires consensus among developers, miners, and node operators. This decentralized governance ensures stability, but it also means that implementing quantum-resistant upgrades will be a slow, iterative process.
The current momentum suggests that the community is not waiting for the threat to materialize. The alignment with NIST standards and the emergence of BIPs specifically targeting quantum vectors indicate that the groundwork for a migration is already being laid.
The next critical milestone for the network will be the continued refinement of signature compression techniques, which may determine whether post-quantum signatures are practical for daily use. As hardware capabilities evolve, the Bitcoin community’s ability to reach consensus on these upgrades will be the ultimate test of the network’s resilience.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or legal advice.
