Key Initiatives to Quantum Secure the World’s Largest Blockchain

Quantum computers capable of breaking the Bitcoin blockchain do not exist today. However, Bitcoin developers are already planning a wave of upgrades to build defenses against the potential threat, and rightly so, since the threat is no longer hypothetical.

This week, Google published research suggesting that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in less than nine minutes, a minute faster than the average Bitcoin block settlement time. Some analysts believe such a threat could become a reality by 2029.

The stakes are high: about 6.5 million bitcoin, worth hundreds of billions of dollars, sit at addresses that a quantum computer could directly target. Some of these coins belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. A compromise would also undermine Bitcoin’s core principles – “trust the code” and “sound money”.

Here’s what the threat looks like, along with proposals under consideration to mitigate it.

Two ways a quantum machine could attack Bitcoin

Let us first understand the vulnerability before discussing the proposals.

The security of Bitcoin rests on a one-way mathematical relationship. When you create a wallet, a private key (a secret number) is generated, and a public key is derived from it.

Spending Bitcoin tokens requires proving ownership of a private key, not by revealing it, but by using it to generate a cryptographic signature that the network can verify.

This system is secure against today’s machines because it would take classical computers billions of years to break elliptic curve cryptography – specifically the Elliptic Curve Digital Signature Algorithm (ECDSA) – and recover the private key from the public key. In that sense the blockchain is computationally infeasible to compromise.

But a future quantum computer could turn this one-way street into a two-way street by deriving your private key from your public key and draining your coins.

The public key can be exposed in two ways: from coins sitting inactive on-chain with their key already published (long exposure attack), or from coins being moved, i.e. pending transactions in the memory pool (short exposure attack).

Pay-to-Public-Key (P2PK) addresses (used by Satoshi and early miners) and Taproot (P2TR), the current address format activated in 2021, are vulnerable to the long exposure attack. The coins in these addresses do not need to move to reveal their public keys; the exposure has already happened and is readable by anyone on earth, including a future quantum attacker. Around 1.7 million BTC sits in old P2PK addresses, including Satoshi’s coins.

Short exposure is tied to the mempool – the waiting room for unconfirmed transactions. While a transaction waits to be included in a block, your public key and signature are visible to the entire network.

A quantum computer could access this data, but it would only have a brief window – before the transaction is confirmed and buried under additional blocks – to derive the corresponding private key and act on it.
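The long/short exposure distinction above maps directly onto the shape of a Bitcoin output script. As an added illustration (not from the article or any project), the following Python classifier checks constructed scriptPubKeys against the standard templates and reports whether the public key is already on-chain (long exposure) or only appears at spend time (short exposure). All keys and hashes are placeholder bytes.

```python
# Constructed sample scriptPubKeys (hex). Keys and hashes are placeholder
# bytes; the classifier only looks at the shape of the script.
PUBKEY33 = "02" + "11" * 32   # constructed 33-byte compressed pubkey
PUBKEY65 = "04" + "22" * 64   # constructed 65-byte uncompressed pubkey

SAMPLES = {
    "p2pk_compressed":   "21" + PUBKEY33 + "ac",      # <pubkey> OP_CHECKSIG
    "p2pk_uncompressed": "41" + PUBKEY65 + "ac",
    "p2tr":              "5120" + "33" * 32,           # OP_1 <32-byte x-only key>
    "p2pkh":             "76a914" + "44" * 20 + "88ac",
    "p2wpkh":            "0014" + "55" * 20,
    "p2sh":              "a914" + "66" * 20 + "87",
    "p2wsh":             "0020" + "77" * 32,
}

def classify(spk_hex: str) -> tuple[str, str]:
    """Return (script_type, exposure) for one scriptPubKey.

    'long'  : the output itself carries a public key (P2PK, P2TR), so the
              key is readable on-chain forever.
    'short' : only a hash is on-chain; the key is revealed when the coins
              are spent, i.e. while the transaction sits in the mempool.
    """
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n == 35 and s[0] == 0x21 and s[1] in (2, 3) and s[-1] == 0xAC:
        return "p2pk", "long"
    if n == 67 and s[0] == 0x41 and s[1] == 4 and s[-1] == 0xAC:
        return "p2pk", "long"
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", "long"
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh", "short"
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", "short"
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh", "short"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", "short"
    return "unknown", "unknown"

def exposure_report(samples: dict) -> dict:
    """Map each sample name to its (type, exposure) classification."""
    return {name: classify(spk) for name, spk in samples.items()}
```

A hash-based output that has already been spent from (a reused address) also has its public key on-chain, so address reuse turns short exposure into long exposure.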

Initiatives

BIP 360: Deleting the public key

As previously noted, every new Bitcoin address created using Taproot today permanently exposes a public key on-chain, giving the future quantum computer a target that will never go away.

The Bitcoin Improvement Proposal (BIP) 360 removes the public key permanently embedded in the chain and visible to everyone by introducing a new output type called Pay-to-Merkle-Root (P2MR).

Recall that a quantum computer works from the public key to recover the private key, then signs with it as if it were the owner. If the public key is never published, the attack has nothing to work on. Meanwhile, everything else, including Lightning payments, multi-signature setups, and other Bitcoin features, remains the same.

However, if implemented, this proposal will only protect new coins in the future. The 1.7 million BTC already in exposed old addresses is a separate issue, addressed by other proposals below.

SPHINCS+ / SLH-DSA: post-quantum signatures based on hashing

SPHINCS+ is a post-quantum signature scheme built on hash functions, avoiding the quantum risks faced by the elliptic curve cryptography Bitcoin uses. Although Shor’s algorithm threatens ECDSA, hash-based designs like SPHINCS+ are not considered similarly vulnerable.

The system was standardized by the National Institute of Standards and Technology (NIST) in August 2024 as FIPS 205 (SLH-DSA) after years of public review.

The trade-off for that safety is size. While current Bitcoin signatures are 64 bytes, SLH-DSA signatures are 8 kilobytes (KB) or more. Adopting SLH-DSA as-is would therefore significantly increase demand for block space and push up transaction fees.

As a result, proposals such as SHRIMPS (another hash-based post-quantum signature system) and SHRINCS have already been introduced to reduce signature sizes without sacrificing post-quantum security. Both build on SPHINCS+ while aiming to retain its security guarantees in a more practical, space-efficient form suited to blockchain use.

Tadge Dryja’s commit/reveal scheme: an emergency brake for the mempool

This proposal, a soft fork suggested by Lightning Network co-creator Tadge Dryja, aims to protect transactions in the mempool from a future quantum attacker. It does so by splitting the execution of a transaction into two phases: commit and reveal.

Imagine telling a counterparty that you will send them an email, and then sending the email. The first step is the commit phase and the second is the reveal phase.

On the blockchain, this means you first post a sealed fingerprint of your intent – just a hash, which reveals nothing about the transaction. The blockchain timestamps this fingerprint permanently. Later, when you broadcast the actual transaction, your public key becomes visible – and yes, a quantum computer monitoring the network could derive your private key and forge a competing transaction to steal your funds.

But the forged transaction is rejected immediately. The network checks: does this spend have a prior commitment recorded on-chain? Yours does. The attacker’s does not – it was created moments ago. Your pre-registered fingerprint is your alibi.

The drawback is the extra cost of splitting every transaction into two phases. It is therefore described as a temporary bridge, practical to deploy while the community works on full quantum defenses.
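The rule the network applies in the reveal phase is easy to see in a toy model. The following Python simulation is an added illustration, not code from the article or from Dryja’s proposal: a ledger records commitment hashes and block heights, and a revealed spend is accepted only if its hash was committed earlier and the output is still unspent. It assumes a simplified world in which every accepted item is confirmed in the next block; transactions are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

@dataclass
class Chain:
    """Toy ledger: block height, commitments recorded on-chain, spent outputs."""
    height: int = 0
    commitments: dict = field(default_factory=dict)  # H(tx) -> height committed
    spent: set = field(default_factory=set)

    def commit(self, tx_bytes: bytes) -> bytes:
        """Phase 1: post only the hash. It reveals nothing about the spend."""
        d = sha256(tx_bytes)
        self.commitments.setdefault(d, self.height)
        self.height += 1
        return d

    def mine_empty_blocks(self, n: int) -> None:
        self.height += n

    def reveal(self, tx_bytes: bytes, utxo: str, min_age: int = 1) -> bool:
        """Phase 2: accept the full transaction only if its hash was committed
        at least min_age blocks earlier and the output is still unspent."""
        committed_at = self.commitments.get(sha256(tx_bytes))
        if committed_at is None or self.height - committed_at < min_age:
            return False          # no alibi: created after the key was seen
        if utxo in self.spent:
            return False          # the rightful spend already went through
        self.spent.add(utxo)
        self.height += 1
        return True

def demo() -> tuple[bool, bool, bool]:
    # Constructed transactions: plain strings stand in for serialized tx bytes.
    honest = b"spend abcd:0 -> owner_dest ; signed with owner key"
    forged = b"spend abcd:0 -> thief_dest ; signed with derived key"
    chain = Chain()
    chain.commit(honest)
    chain.mine_empty_blocks(2)
    honest_ok = chain.reveal(honest, "abcd:0")   # True: committed 3 blocks ago
    forged_ok = chain.reveal(forged, "abcd:0")   # False: never committed
    chain.commit(forged)                          # attacker commits too late
    chain.mine_empty_blocks(2)
    late_ok = chain.reveal(forged, "abcd:0")     # False: output already spent
    return honest_ok, forged_ok, late_ok
```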

Hourglass V2: slowing down the spending of old coins

Proposed by developer Hunter Beast, Hourglass V2 targets the quantum vulnerability of the roughly 1.7 million BTC held in older, already exposed addresses.

The proposal accepts that these coins could be stolen in a future quantum attack and seeks to slow the bleeding by limiting spends from these addresses to one bitcoin per block, avoiding a catastrophic overnight selloff that could crash the market.

The analogy is that of a bank run: you can’t stop people from withdrawing their funds, but you can limit the rate of withdrawals to prevent the system from collapsing overnight. The proposal is controversial because even this limited restriction is seen by some in the Bitcoin community as a violation of the principle that no external party can ever interfere with your right to spend your coins.

Conclusion

These proposals are not yet activated, and Bitcoin’s decentralized governance, covering developers, miners and node operators, means that any upgrades will likely take time to materialize.

Still, the steady stream of proposals leading up to this week’s Google report suggests the issue has long been on developers’ radar, which could help ease market concerns.
