Bitcoin & Quantum Computing

A technical assessment of the quantum threat to Bitcoin — from ECDSA vulnerabilities to post-quantum migration proposals and what holders should understand today.

The Quantum Threat to Bitcoin

Bitcoin’s security rests on two cryptographic pillars: the SHA-256 hash function (used in mining and address derivation) and the Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve (used to authorize transactions). A sufficiently powerful quantum computer would threaten the second pillar catastrophically while leaving the first largely intact.

The asymmetry matters. Grover’s algorithm provides only a quadratic speedup against hash functions — reducing SHA-256’s effective security from 256 bits to approximately 128 bits. This is still beyond any foreseeable attack. But Shor’s algorithm provides an exponential speedup against the elliptic curve discrete logarithm problem (ECDLP) that ECDSA relies on. A quantum computer with roughly 2,500 logical qubits could break secp256k1 in hours.

This means Bitcoin’s proof-of-work mining is not at quantum risk in any practical timeframe, but the ability to spend other people’s bitcoin — by deriving their private keys from exposed public keys — is a concrete future threat.

How ECDSA Becomes Vulnerable

To understand the vulnerability, we need to trace how Bitcoin transactions work. When you create a Bitcoin wallet, your software generates a random 256-bit private key, then derives a public key by multiplying the private key with the secp256k1 generator point. This multiplication is a one-way function on classical computers — easy to compute forward, infeasible to reverse.

Your Bitcoin address is typically a hash of your public key (in P2PKH and P2WPKH address types). This hash provides an extra layer of protection: even if someone could reverse the elliptic curve operation, they would first need to find the public key from the address hash, which Shor’s algorithm cannot do.

However, the public key is revealed when you spend bitcoin. Every Bitcoin transaction includes the sender’s public key in the transaction script to verify the ECDSA signature. Once a transaction is broadcast to the mempool (but before it is confirmed in a block), the public key is visible to everyone. A quantum-equipped adversary could theoretically extract the private key from the public key during this window and broadcast a competing transaction to steal the funds.

Worse, many bitcoin are stored at addresses where the public key is already exposed — either from previous spending transactions or from early Bitcoin addresses (before 2012) that used the Pay-to-Public-Key (P2PK) format, which stores the raw public key directly on-chain. Satoshi Nakamoto’s estimated 1.1 million bitcoin are in P2PK format, making them permanently exposed to a quantum attack without any additional transaction.

Shor’s Algorithm & Public Keys

Shor’s algorithm, published by Peter Shor in 1994, solves two related problems efficiently on a quantum computer: integer factorization and the discrete logarithm problem (including the elliptic curve variant). For Bitcoin, the relevant application is the elliptic curve discrete logarithm: given a public key Q = kG (where k is the private key and G is the generator point), find k.

On a classical computer, the best known algorithm for this (Pollard’s rho) requires approximately 2^128 operations for secp256k1 — astronomically beyond reach. Shor’s algorithm reduces this to polynomial time, requiring roughly O(n³) quantum gate operations where n is the bit length of the key. For secp256k1’s 256-bit keys, this is practically feasible on a sufficiently large quantum computer.

The quantum resource requirement has been analyzed in detail. A 2021 study by Webber et al. estimated that breaking a 256-bit elliptic curve key would require approximately 2,330 logical qubits. However, each logical qubit requires thousands of physical qubits for error correction. At current error rates, this translates to millions of physical qubits — well beyond the approximately 1,000–1,500 physical qubits available in the largest quantum processors as of early 2025.

The gap between current capabilities and the threshold for breaking ECDSA is significant but closing. The question is not whether quantum computers will eventually break secp256k1, but when — and whether Bitcoin will have migrated by then.

Timeline Estimates

Predicting when quantum computers will break ECDSA is inherently uncertain, but serious estimates have converged on a range:

  • Optimistic (industry bulls): 2029–2035. Companies like IBM, Google, and PsiQuantum project fault-tolerant quantum computing within this decade. If error correction advances match roadmaps, cryptographically relevant quantum computers (CRQCs) could arrive by the early 2030s.
  • Consensus (research community): 2035–2045. Most academic researchers and government agencies estimate 10–20 years for a machine capable of running Shor’s algorithm at scale. The 2024 Global Risk Institute survey found that 50% of experts believe a CRQC is likely by 2040.
  • Conservative (skeptics): 2050+. Some researchers argue that error correction overhead is being underestimated and that practical CRQCs may require fundamental breakthroughs beyond incremental scaling.

For Bitcoin, the relevant consideration is not when CRQCs arrive, but when migration must begin. Given that Bitcoin protocol changes require years of development, testing, consensus-building, and activation — and that the network carries hundreds of billions of dollars in value — the prudent window for starting migration is now, regardless of which timeline estimate you favor.

Post-Quantum Bitcoin Proposals

Several proposals have been developed to make Bitcoin quantum-resistant:

BIP-360: QuBit — Pay to Quantum Resistant Hash (P2QRH)

BIP-360, authored by Hunter Beast, proposes a new address type that uses post-quantum signature algorithms. The proposal introduces a P2QRH (Pay to Quantum Resistant Hash) output type, following the same pattern as P2PKH and P2WPKH but with quantum-resistant keys. It supports multiple PQC signature schemes including FALCON, SPHINCS+, and lattice-based options, allowing the network to adapt as the PQC landscape matures.

Hash-Based Emergency Migration

Several proposals focus on using Lamport or Winternitz one-time signatures — which rely only on hash functions — as an emergency measure if quantum threats materialize faster than expected. These signatures are large (kilobytes per signature) but could be deployed quickly because they require no new cryptographic assumptions. The idea is to commit hash-based public keys into Bitcoin transactions now, creating a fallback path that could be activated via a soft fork if needed.

OP_CAT and Covenant-Based Approaches

The proposed OP_CAT opcode re-enablement would allow arbitrary signature verification in Bitcoin Script, potentially enabling post-quantum signature schemes without a dedicated new opcode. Combined with other proposed covenant opcodes, this could provide a flexible framework for PQC integration. However, the Bitcoin community remains cautious about Script extensions, and consensus for OP_CAT activation is not assured.

Signature Size Challenge

The primary technical challenge for all proposals is signature size. ECDSA signatures are approximately 72 bytes. Post-quantum alternatives are dramatically larger: FALCON signatures are around 666 bytes, ML-DSA signatures around 2.4 KB, and SPHINCS+ signatures range from 7 KB to 49 KB. This increase impacts block space, transaction fees, and network bandwidth. Most proposals address this through witness discount extensions or new transaction formats, but the trade-off between security and scalability remains a core design tension.
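To make the block-space impact concrete, here is an added model (not code from the page or from any proposal) that computes the BIP-141 weight and virtual size of a one-input, two-output segwit-style transaction when the ECDSA signature and key in the witness are swapped for post-quantum equivalents. Signature sizes are the ones quoted above; the public-key sizes are the published parameter-set sizes for FALCON-512, ML-DSA-44 and SLH-DSA-128s (the small SPHINCS+ variant). The witness layout of a P2WPKH input is used as the stand-in for a future post-quantum output; how a real P2QRH witness would be laid out is an assumption of this example, as is the fee rate.

```python
"""Added example: model transaction vbytes and fees for ECDSA versus
post-quantum signatures under the segwit witness discount."""
import math

# (signature bytes, public-key bytes). Signature sizes as quoted in the text;
# key sizes are the published parameter-set sizes.
SCHEMES = {
    "ECDSA (secp256k1)":      (72, 33),
    "FALCON-512":             (666, 897),
    "ML-DSA-44":              (2420, 1312),
    "SPHINCS+ (SLH-DSA-128s)": (7856, 32),
}


def compact_size_len(n):
    """Byte length of Bitcoin's CompactSize prefix for a push of n bytes."""
    if n < 253:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFFFFFF:
        return 5
    return 9


def tx_size_model(sig_bytes, pubkey_bytes, n_inputs=1, n_outputs=2, witness_discount=True):
    """Return (base_bytes, witness_bytes, weight_units, vbytes).

    Under BIP-141 each non-witness byte costs 4 weight units and each witness
    byte 1 unit; vbytes = ceil(weight / 4). With witness_discount=False the
    witness is charged like base data, the counterfactual without a discount.
    Assumed layout: P2WPKH-like inputs and 22-byte witness-program outputs."""
    base = 4 + 1 + 1 + 4                     # version, input count, output count, locktime
    base += n_inputs * (32 + 4 + 1 + 4)      # prevout txid, vout, empty scriptSig, sequence
    base += n_outputs * (8 + 1 + 22)         # value, script length, OP_n <program>
    witness = 2                              # segwit marker + flag bytes
    per_input_witness = (1                   # witness stack item count (2 items)
                         + compact_size_len(sig_bytes) + sig_bytes
                         + compact_size_len(pubkey_bytes) + pubkey_bytes)
    witness += n_inputs * per_input_witness
    if witness_discount:
        weight = 4 * base + witness
    else:
        weight = 4 * (base + witness)
    return base, witness, weight, math.ceil(weight / 4)


def fee_table(sat_per_vbyte=10, n_inputs=1, n_outputs=2):
    """vbytes, fee and size multiple versus ECDSA for every scheme at a
    constructed fee rate (sat_per_vbyte is an assumption, not a forecast)."""
    rows = {}
    ecdsa_vb = tx_size_model(*SCHEMES["ECDSA (secp256k1)"], n_inputs, n_outputs)[3]
    for name, (sig, pk) in SCHEMES.items():
        vb = tx_size_model(sig, pk, n_inputs, n_outputs)[3]
        rows[name] = {"vbytes": vb,
                      "fee_sats": vb * sat_per_vbyte,
                      "x_ecdsa": round(vb / ecdsa_vb, 1)}
    return rows


if __name__ == "__main__":
    for name, row in fee_table().items():
        print(f"{name:26s} {row['vbytes']:6d} vB  {row['fee_sats']:8d} sat  x{row['x_ecdsa']}")
```

Two things the numbers show that the prose does not: even with the witness discount, a single ML-DSA-44 input is roughly seven times the virtual size of the ECDSA equivalent, and without the discount (`witness_discount=False`) the same transaction would be charged for its full serialized size, which is why the proposals above lean on witness discount extensions or new transaction formats.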

Migration Challenges

Bitcoin’s decentralized governance makes protocol changes uniquely difficult compared to centralized systems. Several challenges complicate the PQC transition:

  • Consensus activation: Any protocol change requires broad agreement among miners, node operators, developers, and users. The Taproot upgrade (a comparatively simple change) took years from proposal to activation. A PQC migration is far more complex.
  • Lost coins and keys: An estimated 3–4 million bitcoin are in wallets where the owner has lost their private keys. These coins cannot be migrated to quantum-resistant addresses. A quantum attacker could potentially claim them, creating supply shock and market chaos.
  • Exposed public keys: Approximately 5–10 million bitcoin sit at addresses with already-exposed public keys (from P2PK outputs or address reuse). These funds need priority migration but many wallet owners may be inactive.
  • Hardware wallet updates: Millions of hardware wallets (Ledger, Trezor, Coldcard) would need firmware updates to support PQC signature schemes. Users who don’t update remain vulnerable.
  • Backwards compatibility: Any migration must maintain the ability to verify the entire historical blockchain. Old ECDSA transactions must remain valid even after PQC addresses become standard.

The most contentious question is whether to freeze or burn quantum-vulnerable coins after a deadline. Some proposals suggest that after a migration grace period, coins at exposed P2PK addresses could be locked to prevent quantum theft. This raises profound questions about Bitcoin’s property rights guarantees and would likely face intense community opposition.

What You Can Do Now

While the quantum threat to Bitcoin is not imminent, prudent holders and developers can take steps today:

  • Never reuse addresses: Use a new receiving address for every transaction. An unused address (where only the hash of the public key is on-chain) is protected against quantum attacks until you spend from it.
  • Avoid P2PK outputs: If you hold bitcoin in very old P2PK addresses (pre-2012), consider migrating to modern P2WPKH (SegWit) addresses.
  • Use Taproot (P2TR) addresses: While still based on elliptic curves (using Schnorr signatures), Taproot provides the most modern transaction format and will likely be the easiest to extend with PQC support.
  • Follow BIP-360 and related proposals: Stay informed about the Bitcoin community’s PQC development efforts. The Bitcoin development mailing list and Bitcoin Optech newsletter cover these proposals in detail.
  • Maintain operational security: Quantum computing does not change the importance of private key security, backup procedures, and wallet hygiene. These remain the primary risks for most holders.

The bottom line: Bitcoin’s quantum vulnerability is real but not imminent. The community has time to execute a careful migration, and proposals are actively being developed. The greatest risk is complacency — waiting too long to begin a transition that will take years to complete.

Further Reading

  • BIP-360 (QuBit) — Pay to Quantum Resistant Hash proposal by Hunter Beast
  • Webber et al. (2022), “The impact of hardware specifications on reaching quantum advantage in the fault tolerant regime”
  • Bitcoin Optech Newsletter — Ongoing coverage of PQC proposals and Script upgrades
  • Deloitte (2022), “Quantum computers could crack Bitcoin’s encryption by 2030” — Risk assessment methodology
  • Global Risk Institute Quantum Threat Timeline Reports — Annual expert surveys on CRQC timelines
