An article by Udi Wertheimer a few weeks ago made headlines in crypto media with a blunt assertion: the Lightning Network is “helpless” in a post-quantum world, and its developers can do nothing about it. The headline circulated quickly. For companies that have built real payment infrastructure on Lightning, or are in the process of evaluating it, the implications were troubling.
This deserves a measured response.
Wertheimer is a respected Bitcoin developer, and his underlying concern is legitimate: quantum computers, if they ever become powerful enough, will pose a real long-term challenge to the cryptographic systems on which Bitcoin and Lightning depend. That much is true, and the Bitcoin development community is already working on it seriously. But portraying Lightning as “helpless” obscures more than it reveals, and companies making infrastructure decisions deserve a clearer picture.
What Wertheimer got right
Lightning channels require participants to share public keys with their counterparty when opening a payment channel. In a world where cryptographically relevant quantum computers (CRQCs) exist, an attacker who obtains these public keys could, in theory, use Shor’s algorithm to derive the corresponding private key and, from there, steal funds.
This is a real structural property of how Lightning works.
What the headline leaves out
The threat is far more specific and conditional than “your Lightning balance may be stolen.”
First, the channels themselves are hash-protected while open. Funding transactions use P2WSH (Pay-to-Witness-Script-Hash), which means the raw public keys in the 2-of-2 multisig are hidden on-chain for as long as the channel remains open. Lightning payments are also hash-based, routed through HTLCs (Hashed Time-Lock Contracts), which rely on revealing a hash preimage rather than exposing public keys. A quantum attacker passively monitoring the blockchain cannot see the keys it would need.
The realistic attack window is much narrower: a forced closure. When a channel is force-closed and a commitment transaction is broadcast to the chain, the locking script becomes publicly visible for the first time, including the local_delayedpubkey, a standard elliptic-curve public key. By design, the node that broadcast it cannot immediately claim its funds: a CSV (CheckSequenceVerify) timelock, typically 144 blocks (about 24 hours), must first expire.
In a post-quantum scenario, an attacker monitoring the mempool could see the commitment transaction confirm, extract the now-exposed public key, run Shor’s algorithm to derive the private key, and attempt to spend the output before the timelock expires. HTLC outputs during a forced closure create additional windows, some as short as 40 blocks, roughly six to seven hours.
This is a real and specific vulnerability. But it is a race against the clock for an attacker who must actively solve one of the hardest math problems in existence, within a fixed window, for each individual output he wants to steal. It is not a passive, silent leak from every Lightning wallet at once.
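As an added illustration (not code from the article or from any Lightning implementation), this Python builds the funding and to_local witness scripts described above and shows what a passive chain observer sees: only sha256(witness_script) while the output is unspent, and the keys themselves only once the script is published. Opcode values are from Bitcoin Script; the keys are constructed placeholders and the 144-block delay is the page's typical value.

```python
import hashlib

# Constructed placeholder keys (not real channel keys): 33-byte compressed-key-shaped values.
PUBKEY_A = bytes([0x02]) + bytes(range(1, 33))
PUBKEY_B = bytes([0x03]) + bytes(range(33, 65))
OP_0, OP_2, OP_CHECKMULTISIG = 0x00, 0x52, 0xAE
OP_IF, OP_ELSE, OP_ENDIF, OP_CSV, OP_DROP, OP_CHECKSIG = 0x63, 0x67, 0x68, 0xB2, 0x75, 0xAC

def push(data: bytes) -> bytes:
    """Direct push of up to 75 bytes: one length byte followed by the data."""
    return bytes([len(data)]) + data

def push_int(n: int) -> bytes:
    """Script-number push (little-endian, sign in the top bit); OP_1..OP_16 for small values."""
    if 1 <= n <= 16:
        return bytes([0x50 + n])
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:          # top bit set would read as negative: add a sign byte
        out.append(0)
    return push(bytes(out))

def funding_witness_script(k1: bytes, k2: bytes) -> bytes:
    """Channel funding script: 2 <pubkey1> <pubkey2> 2 OP_CHECKMULTISIG (keys in sorted order)."""
    a, b = sorted([k1, k2])
    return bytes([OP_2]) + push(a) + push(b) + bytes([OP_2, OP_CHECKMULTISIG])

def to_local_witness_script(revocation_pk: bytes, delayed_pk: bytes, to_self_delay: int) -> bytes:
    """BOLT 3 to_local script: the broadcaster's balance, spendable with delayed_pk only after the CSV delay."""
    return (bytes([OP_IF]) + push(revocation_pk) + bytes([OP_ELSE]) + push_int(to_self_delay)
            + bytes([OP_CSV, OP_DROP]) + push(delayed_pk) + bytes([OP_ENDIF, OP_CHECKSIG]))

def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """What the chain stores for a P2WSH output: OP_0 <sha256(witness_script)>, no keys at all."""
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())

def pubkeys_in(blob: bytes) -> list:
    """Walk the pushes in a script and collect 33-byte compressed-key-shaped values a passive observer could read."""
    found, i = [], 0
    while i < len(blob):
        op, i = blob[i], i + 1
        if 1 <= op <= 75:           # direct data push; the opcodes used above carry no inline data
            data = blob[i:i + op]
            i += op
            if op == 33 and data[0] in (2, 3):
                found.append(data)
    return found
```

While the funding or to_local output sits unspent, `pubkeys_in(p2wsh_script_pubkey(...))` is empty; the keys become readable only from the published witness script, which is the window the article describes.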
Checking the reality of quantum hardware
Here is the part that rarely makes headlines: cryptographically relevant quantum computers do not exist today, and the gap between where the hardware is and where it would need to be is huge.
Breaking Bitcoin’s elliptic-curve cryptography requires solving the discrete logarithm problem on a 256-bit key, a number of roughly 78 digits, using millions of stable, error-corrected logical qubits operating over an extended period. The largest number ever factored with Shor’s algorithm on real quantum hardware is 21 (3 × 7), achieved in 2012 with significant classical post-processing. The most recent record is a hybrid quantum-classical factorization of a 90-bit RSA number, an impressive advance, but still about 2⁸³ times smaller than what breaking Bitcoin would actually require.
Google’s quantum research is real and worth watching. Timelines discussed by serious researchers range from optimistic estimates in the late 2020s to more conservative projections of the 2030s or beyond. None of this means “your Lightning balance is at risk today.”
The development community is not standing idly by
Wertheimer’s claim that Lightning developers are “helpless” is also out of step with what is actually happening. Since December alone, the Bitcoin development community has produced more than five serious post-quantum proposals: SHRINCS (324-byte stateful hash-based signatures), SHRIMPS (2.5 KB signatures across multiple devices, about three times smaller than the NIST standard), BIP-360, Blockstream’s hash-based signatures paper, and proposals for OP_SPHINCS, OP_XMSS and STARK-based opcodes in tapscript.
The correct framing is not that Lightning is broken beyond repair. It is that Lightning, like the rest of Bitcoin and most of the Internet’s cryptographic infrastructure, needs a base-layer upgrade to become quantum-resistant, and that work is underway.
What this means for businesses relying on Lightning today
Lightning processes real payment volume today for brick-and-mortar businesses, iGaming platforms, crypto exchanges, neobanks, and payment service providers that move money globally for fractions of a cent with instant finality. The question businesses should ask is not whether to abandon Lightning over a theoretical future threat, but whether the teams building Lightning infrastructure are paying attention to what is coming and planning accordingly.
The answer, based on the volume and quality of post-quantum research underway in the Bitcoin development community, is yes.
The Lightning Network is not helplessly broken. It faces the same long-term cryptographic challenge as the entire digital financial system, and a development community is actively working to address it. That is a different story from the one told in the headline.