Bitcoin and Quantum Computing
The threat, the timeline, and what Bitcoin holders should know
The Quantum Threat: What's Actually at Risk
Bitcoin's security relies on cryptographic algorithms that are computationally infeasible to break with today's computers. Quantum computers could potentially change that equation—but the reality is more nuanced than headlines suggest.
Bitcoin's Two Cryptographic Pillars
| Technology | What It Does | Quantum Risk |
|---|---|---|
| ECDSA/Schnorr Signatures | Proves ownership of Bitcoin via public/private key pairs | Higher Risk |
| SHA-256 Hashing | Mining, addresses, transaction verification | Lower Risk |
The Signature Vulnerability
Bitcoin uses elliptic curve cryptography (ECDSA, and Schnorr for Taproot) for digital signatures. Receiving to a hash-based address only publishes a hash of your public key; when you spend, the spending input carries the public key itself, permanently visible on the blockchain. A sufficiently powerful quantum computer running Shor's algorithm could in principle derive your private key from that public key, allowing theft of any funds that remain behind it.
The Hash Function Question
SHA-256 (used for mining and addresses) is more resistant. Grover's algorithm offers only a quadratic speedup, which roughly halves the effective security level (256-bit to 128-bit) and still leaves brute force far out of reach. Most researchers believe mining remains safe from quantum threats for the foreseeable future.
The main threat is to exposed public keys (signature vulnerability), not to the mining/consensus mechanism. Bitcoin could theoretically continue working even if some addresses were compromised.
What's Actually at Risk
Not all Bitcoin is equally vulnerable. The risk depends on whether public keys have been exposed:
Most Vulnerable
- Pay-to-Public-Key (P2PK) addresses — Bitcoin's earliest format; the public key sits directly in the output. Includes Satoshi's ~1M coins.
- Reused addresses — Any address that has sent a transaction has revealed its public key in that spend
- Taproot addresses — Expose a (tweaked) public key in the output by design; deriving the private key from it still requires a cryptographically relevant quantum computer
- Large exchange cold wallets — Some have exposed public keys through past transactions
More Secure
- Pay-to-Public-Key-Hash (P2PKH) — Standard addresses where only a hash of the public key is published; the key itself is revealed only when spending
- Addresses never used for sending — Public key never exposed
Satoshi Nakamoto's estimated 1 million BTC sit in early P2PK addresses—the most vulnerable format. These coins cannot be retroactively secured without moving them, which Satoshi apparently can't or won't do. A quantum attacker could theoretically steal them.
Timeline: When Could This Happen?
The critical question: when will quantum computers be powerful enough to break Bitcoin's cryptography?
Current State
Today's best quantum computers have around 1,000 physical qubits. Breaking ECDSA would require an estimated 8.5 million physical qubits operating together—roughly 8,500x more than we have now.
Google's Willow: 105 qubits
Current state-of-the-art. Performs specific quantum tasks, nowhere near cryptographically relevant.
NIST Deprecation Deadline
US government mandates deprecating vulnerable algorithms. Federal systems must migrate to post-quantum cryptography.
Industry Projections for "Cryptographically Relevant"
Quantum firms project reaching capability to attack ECC within this window. IBM forecasts early 2030s.
NIST Complete Disallowance
ECDSA and similar algorithms fully banned for federal systems. Migration must be complete.
Key Progress Indicators
- Physical qubit count — Growing logarithmically, need ~2-3 orders of magnitude more
- Gate fidelity — Error rates dropping; some systems achieve 99.99% accuracy
- Logical qubits — Error-corrected qubits now reaching dozens (was zero five years ago)
- Investment — $6B+ in quantum startups in recent years
When NIST sets 2030/2035 deadlines, and multiple nations independently adopt similar timelines, it suggests intelligence agencies have credible assessments of quantum progress that justify urgent preparation.
Attack Scenarios
Long-Range Attack
An attacker with unlimited time could work through all addresses with exposed public keys, deriving private keys and stealing funds. This could be done secretly, stealing from dormant wallets first before moving to active ones.
The most valuable targets: Satoshi's coins, lost coins in old addresses, and inactive whale wallets.
Short-Range Attack
Even with limited quantum capability, an attacker could potentially intercept transactions in the ~10 minutes between broadcast and block inclusion. The attacker would derive the private key from the exposed public key, then broadcast a competing transaction (to themselves) with a higher fee.
This "transaction interception" attack is harder but potentially more devastating—it would undermine trust in the entire network.
Geopolitical Scenarios
The first cryptographically relevant quantum computer will likely belong to a nation-state. Scenarios include:
- Hostile actor — Steals vulnerable coins, causes chaos, potentially collapses Bitcoin
- Benign actor — Preemptively secures vulnerable coins to prevent theft (raises questions about property rights)
- Secret capability — Nation maintains quantum advantage for intelligence purposes, doesn't reveal through Bitcoin attacks
Potential Solutions
Post-Quantum Cryptography
NIST has selected new cryptographic algorithms designed to resist quantum attacks. Bitcoin could adopt these through a soft fork, introducing new address types that use post-quantum signatures.
Challenge: Post-quantum signatures are much larger than ECDSA signatures, which would impact block space and transaction costs.
Migration to New Addresses
Users could proactively move funds to quantum-resistant addresses once available. This would protect future transactions but requires active participation from every holder.
The "Frozen Coins" Debate
Some propose soft-forking Bitcoin to add "non-spending conditions" to vulnerable addresses—essentially freezing coins that can't be migrated. This is extremely controversial as it violates Bitcoin's core principle of immutable property rights.
Development Progress
Bitcoin developers are aware of the threat. BIP 360 (Pay to Tapscript Hash) is one proposal for enabling quantum-resistant addresses. However, Bitcoin upgrades move slowly—SegWit took 2.5 years from proposal to activation.
If quantum capability arrives suddenly, there may not be time to implement and activate upgrades. Given that Bitcoin upgrades take years and quantum projections suggest 2030s capability, preparation should arguably be treated as urgent.
What Should Bitcoin Holders Do?
Today
- Don't reuse addresses — Use fresh addresses for receiving; this is already best practice
- Avoid sending from addresses with large balances — Once you spend from an address, its public key is on-chain, so any balance left behind it is exposed
- Stay informed — Follow Bitcoin development proposals related to post-quantum security
When Quantum-Resistant Addresses Arrive
- Migrate promptly — Move funds to new address formats when available
- Update wallets — Ensure your wallet software supports new standards
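The exposure rules from "What's Actually at Risk" and the address-reuse advice above can be checked mechanically against a transaction history. The following Python is an added example written for this page, not code from the article or from any Bitcoin project: it classifies output scripts by their standard templates, replays a constructed history through a small UTXO set, and reports which scripts still hold funds behind a public key that is already visible on-chain, either because the output type carries the key (P2PK, P2TR) or because the script has been spent from. The transactions, keys and amounts are constructed placeholders, and the conservative rule that any spend counts as exposing a key (including P2SH/P2WSH, whose revealed redeem scripts may embed keys) is the example's own assumption.

```python
from dataclasses import dataclass

# Bitcoin Script opcodes used by the standard output templates below.
OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


def classify_script(spk: bytes) -> tuple[str, bool]:
    """Return (output type, key_in_output).

    key_in_output is True when the scriptPubKey itself carries a public key
    (P2PK, P2TR), so the key is public before any spend. Hash-based outputs
    (P2PKH, P2WPKH) reveal the key only in the input that spends them.
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True            # <33/65-byte pubkey> OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", False          # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "P2SH", False           # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False         # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", False          # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", True            # OP_1 <32-byte x-only tweaked pubkey>
    return "unknown", False


@dataclass
class TxOut:
    script_pubkey: bytes
    value_sat: int


@dataclass
class Tx:
    txid: str
    inputs: list[tuple[str, int]]      # outpoints (prev txid, vout) being spent
    outputs: list[TxOut]


def exposure_report(history: list[Tx]) -> dict[str, dict]:
    """Replay a transaction history and report, per funded output script:
    unspent balance, whether its key is already public, and whether the
    script was reused (spent from, yet still holding funds).

    Assumption (conservative): any spend from a script counts as exposing
    a key, including P2SH/P2WSH whose revealed redeem script may embed keys.
    """
    utxo: dict[tuple[str, int], TxOut] = {}
    spent_from: set[bytes] = set()
    for tx in history:
        for outpoint in tx.inputs:
            spent_from.add(utxo.pop(outpoint).script_pubkey)
        for vout, out in enumerate(tx.outputs):
            utxo[(tx.txid, vout)] = out

    report: dict[str, dict] = {}
    for out in utxo.values():
        kind, key_in_output = classify_script(out.script_pubkey)
        entry = report.setdefault(out.script_pubkey.hex(), {
            "type": kind, "balance_sat": 0,
            "key_exposed": key_in_output or out.script_pubkey in spent_from,
            "reused": out.script_pubkey in spent_from,
        })
        entry["balance_sat"] += out.value_sat
    for entry in report.values():
        entry["at_risk"] = entry["key_exposed"] and entry["balance_sat"] > 0
    return report


# Constructed sample history (placeholder keys and amounts, not chain data):
# one P2PK output, one P2PKH address that is spent from and then receives
# change again (reuse), one untouched P2WPKH output and one Taproot output.
PUBKEY_UNCOMPRESSED = b"\x04" + b"\x11" * 64
P2PK = bytes([65]) + PUBKEY_UNCOMPRESSED + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x33" * 20
P2TR = bytes([OP_1, 32]) + b"\x44" * 32

SAMPLE_HISTORY = [
    Tx("a", [], [TxOut(P2PK, 50_0000_0000), TxOut(P2PKH, 1_0000_0000), TxOut(P2WPKH, 2_0000_0000)]),
    Tx("b", [("a", 1)], [TxOut(P2PKH, 5000_0000), TxOut(P2TR, 4000_0000)]),
]

if __name__ == "__main__":
    for script, entry in exposure_report(SAMPLE_HISTORY).items():
        print(script[:16] + "...", entry)
```

Running it on the sample history flags the P2PK and P2TR scripts as at risk purely from their output type, flags the P2PKH script because it was spent from and then funded again (the reuse the advice above warns against), and leaves the never-spent P2WPKH output unexposed. Against real data the same replay would be driven by a node's transaction feed, with the script templates unchanged.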
Perspective
Quantum computing is a real threat that deserves attention, but it's not imminent. Current systems are nowhere near cryptographically relevant. The bigger risk may be not preparing rather than panicking prematurely.
Quantum computers powerful enough to break Bitcoin don't exist yet and won't for years. But the timeline has been steadily compressing, and Bitcoin's slow upgrade process means preparation should start well before the threat materializes.
Key Takeaways
- The threat is to signatures, not mining — ECDSA is vulnerable; SHA-256 mining is more resistant
- Not all Bitcoin is equally at risk — Only addresses with exposed public keys (~20% of supply) are vulnerable
- Timeline is unclear but compressing — Government deadlines suggest 2030-2035 as critical window
- Solutions exist but require coordination — Post-quantum cryptography is ready; implementation takes time
- Best practice today: don't reuse addresses — Limits your exposure even before quantum threats materialize
- Satoshi's coins are the elephant in the room — ~1M BTC in the most vulnerable address format