Source
Paper: Quantum attacks on Bitcoin, and how to protect against them
This academic paper is the reference most discussions of quantum risk start from. It analyzes bitcoin's two cryptographic pillars and finds that they face very different exposure.
The authors argue that SHA-256 proof-of-work mining is relatively resistant to near-term quantum speedup, largely because specialized ASIC miners are extremely fast compared with the projected clock speeds of early quantum machines. By contrast, they find the elliptic-curve signature scheme that authorizes spending is far more exposed, and could in principle be broken by a sufficiently capable quantum computer.
The paper is also careful about timelines: its often-quoted "as early as 2027" figure is presented as the most optimistic bound, not a prediction. It closes by reviewing candidate post-quantum signature schemes against the efficiency constraints a blockchain imposes.
It remains a frequently cited, neutral framing of the quantum-versus-bitcoin question rather than an advocacy piece.