Quantum Computing & Bitcoin
Quantum computers exploit the rules of quantum physics to solve certain math problems far faster than ordinary computers. Bitcoin relies on two kinds of cryptography that quantum machines treat very differently, so it helps to separate the threats rather than lump them together.
Two threats, not one
The first piece is mining, which repeatedly runs the SHA-256 hash function. A quantum technique called Grover's algorithm could speed up this kind of brute-force search, but only by roughly a square-root factor, which effectively halves the "security bits" rather than breaking the function. Because today's specialized mining chips (ASICs) are extraordinarily fast compared with the expected speed of early quantum hardware, researchers generally consider mining the less urgent concern. The foundational 2017 paper by Aggarwal, Brennen, Lee, Santha, and Tomamichel concluded that proof of work was "relatively resistant" to quantum speedup for at least the following decade [1], a view echoed by Bitcoin Optech's technical overview [2].
The sharper risk is to signatures. When you spend bitcoin, you prove ownership using an elliptic-curve key pair (ECDSA or Schnorr, both built on the secp256k1 curve). A quantum algorithm called Shor's algorithm could, on a sufficiently powerful machine, derive the private key from a public key, letting an attacker forge a spend. The same 2017 paper warns that this signature scheme is much more at risk and could in principle be broken; its widely quoted "as early as 2027" figure was offered only as the most optimistic estimate, not a forecast [1].
A machine capable of this is usually called a cryptographically relevant quantum computer (CRQC). None exists today, and the rest of this page turns on a single uncertain question: when, if ever, one will.
Hardware progress and the timeline
Quantum hardware is advancing, and the news that reaches headlines is real but easy to misread. In late 2024 Google announced Willow, a chip it presents as crossing an error-correction threshold — adding qubits reduced the error rate rather than raising it [3]. That addresses a long-standing obstacle, but it is a vendor milestone on a research chip, not a machine that can run Shor's algorithm against bitcoin. The distance between the two is the whole debate.
Estimates for when a CRQC might arrive are wide and disputed. Recurring expert surveys put the odds at roughly even by the mid-2030s [4], while other researchers argue practical, fault-tolerant machines at the required scale may be much further off, or never reached. What has moved is the estimated cost of an attack: a 2026 Google Quantum AI whitepaper put the requirement at around 1,200 logical and fewer than 500,000 physical qubits — roughly a 20-fold reduction from earlier figures [5] — and a separate neutral-atom study suggested the elliptic-curve problem might be solved on the order of days with tens of thousands of physical qubits [6]. Chaincode Labs' broad survey of the threat reaches similar conclusions about direction while stressing the uncertainty [7].
These are resource estimates for hardware that does not yet exist, dependent on assumptions about error rates and architecture; press summaries like "break bitcoin in minutes" collapse that distinction. The honest summary is that the timeline is uncertain and contested, and no single date should be treated as fact.
What is actually at risk
A crucial subtlety is which funds are exposed. The danger applies mainly to coins whose public key is already visible on the blockchain: reused addresses, some older output types such as pay-to-public-key (P2PK), and any transaction broadcast and waiting in the mempool, where the key is revealed before confirmation. Funds sitting at an unspent, hashed address are better shielded, because the public key has not been published yet [10][2]. This is why "don't reuse addresses" is sometimes cited as partial, near-term hygiene.
How much is exposed? One detailed accounting puts roughly 6.5 million BTC — about a third of supply — at addresses with visible public keys, with much of that (around 4.5 million) attributable to address reuse and to large custodial holdings concentrated in reused addresses [8]. Among the very oldest coins, an on-chain estimate places about 1.72 million BTC in Satoshi-era P2PK outputs, which are among the most exposed of all [18]. Because most of bitcoin's value sits in a relatively small number of outputs while most outputs hold little value [9], the at-risk set looks different depending on whether you count coins or count UTXOs.
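The distinction between "key visible on chain" and "only a hash published" can be checked mechanically from an output's scriptPubKey. The following is an added example (not code from the page, and not from any wallet or the studies cited) that classifies standard output types by exposure and then tallies a constructed UTXO set both by value and by count, since the two views differ. It also treats a hashed output as exposed once its address has been spent from, which is the address-reuse case the page describes. The sample scripts and amounts are constructed, not real chain data.

```python
"""Classify UTXOs by whether their public key is already visible on chain.

Added example, not code from the page or any wallet project. Mapping used:
a raw public key (P2PK) or a Taproot output (which carries the tweaked
x-only key) is a curve point sitting on chain; hash-based outputs (P2PKH,
P2SH, P2WPKH, P2WSH) reveal only a hash until they are spent from.
"""
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC


def classify_script(spk_hex: str) -> tuple[str, str]:
    """Return (output_type, exposure) for a scriptPubKey given as hex."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); the key itself is on chain
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", "key-exposed"
    # P2PKH: OP_DUP OP_HASH160 <20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", "hash-shielded"
    # P2SH: OP_HASH160 <20> <hash160> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", "hash-shielded"
    # P2WPKH: OP_0 <20> <hash160>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", "hash-shielded"
    # P2WSH: OP_0 <32> <sha256 of witness script>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", "hash-shielded"
    # P2TR: OP_1 <32> <x-only tweaked key>; a curve point, so Shor applies
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", "key-exposed"
    return "other", "unknown"


def exposure_of(spk_hex: str, spent_from: bool = False) -> tuple[str, str]:
    """A hash-shielded output loses its shield once the same address has
    been spent from (address reuse), because that spend revealed the key."""
    otype, exposure = classify_script(spk_hex)
    if exposure == "hash-shielded" and spent_from:
        return otype, "key-exposed (address reuse)"
    return otype, exposure


def tally(utxos):
    """Sum BTC and count UTXOs per exposure class; utxos are
    (scriptPubKey hex, satoshis, address_already_spent_from)."""
    by_value = defaultdict(int)
    by_count = defaultdict(int)
    for spk_hex, sats, spent_from in utxos:
        _, exposure = exposure_of(spk_hex, spent_from)
        cls = exposure.split(" ")[0]  # fold the address-reuse variant in
        by_value[cls] += sats
        by_count[cls] += 1
    return dict(by_value), dict(by_count)


# Constructed sample set (hypothetical keys and hashes, not real outputs).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 50 * SAT, False),   # P2PK, key visible
    ("76a914" + "aa" * 20 + "88ac", 3 * SAT, False),     # P2PKH, never spent from
    ("76a914" + "bb" * 20 + "88ac", 1 * SAT, True),      # P2PKH at a reused address
    ("0014" + "cc" * 20, 2 * SAT, False),                # P2WPKH, hashed
    ("5120" + "dd" * 32, 4 * SAT, False),                # P2TR, tweaked key visible
]

if __name__ == "__main__":
    by_value, by_count = tally(SAMPLE_UTXOS)
    for cls in sorted(by_value):
        print(f"{cls:14s} {by_value[cls] / SAT:8.2f} BTC in {by_count[cls]} UTXOs")
```

On this constructed set one large P2PK output puts most of the value in the exposed class while the UTXO count is split nearly evenly, which is the coins-versus-UTXOs point made above. An output in the mempool is exposed the moment it is broadcast regardless of type, which a static scriptPubKey check cannot see; that case has to come from the wallet's own transaction state.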
Importantly, the threat is to keys, not to bitcoin's other rules. A quantum attacker who could forge signatures could steal exposed coins, but this does not by itself change the 21-million supply cap, the consensus rules, or monetary policy.
Mitigation: post-quantum signatures
On defense, the field is exploring post-quantum cryptography: schemes believed to resist quantum attacks. In 2024 the U.S. standards body NIST finalized three such standards, approved on 13 August 2024: FIPS 203 (ML-KEM, a key-encapsulation mechanism) and the signature schemes FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) [11]. These are general-purpose building blocks, not bitcoin-specific, and they share a practical drawback: their signatures and keys are far larger than secp256k1's, which translates directly into higher fees and more block space.
Much of the bitcoin-specific research therefore focuses on hash-based signatures, whose security rests only on hash-function assumptions similar to those bitcoin already depends on. A 2025 academic paper compresses such signatures to roughly 324 bytes at a baseline security level, several times smaller than ML-DSA [12]. Its SHRINCS construction pairs a stateful tree of one-time signatures with a stateless fallback, trading some size for safety if a wallet loses its state [13], while a later variant, SHRIMPS, grows to about 2.5 kB in exchange for safely sharing one key across multiple devices [14]. None of these is a settled choice; they map out a size-versus-flexibility trade-off rather than resolving it.
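To make "a stateful tree of one-time signatures" and the state problem concrete, here is an added example of the textbook construction those schemes descend from: Lamport one-time signatures under a Merkle tree, all built from SHA-256. It is not SHRINCS or SHRIMPS (their compression and backup constructions are not on this page) and not code from the paper or from Blockstream; the choice of SHA-256 and of a tiny 8-leaf tree is an assumption made for illustration. Every object in it is a hash or a preimage, which is why its security rests on nothing but the hash function, and the `next_index` counter is the state that must never roll back.

```python
"""Lamport one-time signatures under a Merkle tree (added example, SHA-256 only)."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    """Yield the 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    for i in range(256):
        yield (d[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen():
    """One-time key: 256 pairs of secret 32-byte strings; pk = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal one secret per message bit. Signing a second message with the
    # same key reveals secrets from the other half of pairs, so each key is
    # safe for exactly one signature; that is what the tree state protects.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))


def leaf_hash(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


class StatefulTreeSigner:
    """2**height one-time keys committed to by a single Merkle root.

    next_index is the state that must survive backups and device moves: if
    it ever rolls back, a leaf key is reused and the one-time guarantee is
    gone. That is the failure mode a stateless fallback exists to cover.
    """

    def __init__(self, height: int):
        self.n = 1 << height
        self.keys = [lamport_keygen() for _ in range(self.n)]
        self.levels = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]   # the only thing a verifier must know
        self.next_index = 0

    def keys_remaining(self) -> int:
        return self.n - self.next_index

    def sign(self, msg: bytes):
        if self.next_index >= self.n:
            raise RuntimeError("all one-time keys used; a new tree is needed")
        idx = self.next_index
        self.next_index += 1   # advance (and persist) state before releasing the signature
        sk, pk = self.keys[idx]
        path, i = [], idx
        for lvl in self.levels[:-1]:   # siblings from leaf level up to the root
            path.append(lvl[i ^ 1])
            i >>= 1
        return (idx, pk, lamport_sign(sk, msg), path)


def tree_verify(root: bytes, msg: bytes, sig) -> bool:
    idx, pk, ots, path = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = leaf_hash(pk), idx
    for sib in path:
        node = H(node + sib) if i % 2 == 0 else H(sib + node)
        i >>= 1
    return node == root


def signature_size_bytes(sig) -> int:
    """Bytes a verifier needs beyond the root: the one-time public key,
    the revealed secrets and the authentication path."""
    _, pk, ots, path = sig
    return 32 * (2 * len(pk) + len(ots) + len(path))


if __name__ == "__main__":
    signer = StatefulTreeSigner(height=3)
    sig = signer.sign(b"constructed spend message")
    print("valid:", tree_verify(signer.root, b"constructed spend message", sig))
    print("signature bytes:", signature_size_bytes(sig))
```

With an 8-leaf tree the signature plus one-time public key comes to 24,672 bytes, which puts the 324-byte and 2.5 kB figures above in perspective: the research effort is almost entirely about shrinking this object (Winternitz chains, hashing the public key, deeper trees) without giving up the hash-only security argument.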
Mitigation: new output types and live testing
Separately from the choice of algorithm, several proposals change how outputs are structured so keys are exposed less. The most discussed is BIP-360 (originally "P2QRH," now "Pay-to-Merkle-Root"), a draft by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke. It proposes a Taproot-like output with no key-path spend, so no spendable public key is revealed while funds rest, and it deliberately defers the post-quantum algorithm choice to a separate future proposal [10]. A different draft, Casey Rodarmor's P2Q, defines a SegWit version 3 output that is identical to Taproot today but that a future soft fork could later restrict to script-path-only spends if elliptic-curve cryptography were threatened [15].
The cryptography is also being exercised in practice. In early 2026 Blockstream Research demonstrated SHRINCS signing on the Liquid sidechain using Simplicity smart contracts, broadcasting real transactions to show the scheme is implementable — while noting it covers signing only and runs on a sidechain, not bitcoin mainnet [16]. Sidechains and test environments such as Anduro, and private-mempool services like MARA's Slipstream, are sometimes mentioned as places to trial such changes before any mainnet proposal. As of 2026 every one of these remains a draft or an experiment; none is scheduled for activation.
Could the network migrate in time?
Suppose a credible threat emerged and the network wanted to move funds to quantum-resistant outputs. Could it move fast enough? Presidio Bitcoin's synthesis report models this directly: dedicating roughly a quarter of block space to migration, it estimates about 90% of bitcoin's value could move within a few days and the large majority within a few weeks [17]. That result leans on the fact that most value sits in relatively few outputs [9], and it is a model with explicit assumptions, not a settled fact.
The migration has an economic dimension too, not just a cryptographic one. Moving the oldest, most-exposed coins would put long-dormant supply into circulation; one on-chain analysis argues markets have historically absorbed comparable flows, though it frames this as interpretation rather than prediction [18].
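The shape of that argument, that a value-ordered migration finishes far sooner than a count-ordered one when value is concentrated, can be reproduced with a toy model. The following is an added example and is not Presidio Bitcoin's model; it borrows only the page's framing (a fixed share of block space reserved for migration, value concentrated in few outputs). The block capacity, migration-transaction size, and the heavy-tailed synthetic UTXO set are all assumptions, so the numbers it prints illustrate the mechanism rather than estimate anything about the real chain.

```python
"""Toy migration-throughput model (added example with constructed parameters)."""
import random

BLOCK_VBYTES = 1_000_000       # assumed usable block capacity in vbytes
BLOCKS_PER_DAY = 144
MIGRATION_SHARE = 0.25         # quarter of each block reserved, per the page's scenario
VBYTES_PER_MIGRATION = 150     # assumed size of one move-to-new-output transaction


def txs_per_block(share: float = MIGRATION_SHARE) -> int:
    return int(BLOCK_VBYTES * share // VBYTES_PER_MIGRATION)


def synthetic_utxo_set(n: int = 200_000, seed: int = 1, alpha: float = 1.05):
    """Heavy-tailed (Pareto) values in constructed BTC units, so that most
    value sits in few outputs while most outputs hold little."""
    rng = random.Random(seed)
    return [rng.paretovariate(alpha) for _ in range(n)]


def migration_schedule(values, share: float = MIGRATION_SHARE):
    """Migrate highest-value outputs first; return the cumulative fraction
    of total value moved after each block."""
    per_block = txs_per_block(share)
    ordered = sorted(values, reverse=True)
    total = sum(ordered)
    moved, curve = 0.0, []
    for start in range(0, len(ordered), per_block):
        moved += sum(ordered[start:start + per_block])
        curve.append(moved / total)
    return curve


def blocks_to_reach(curve, fraction: float):
    """First block index (1-based) at which the curve reaches `fraction`."""
    for k, f in enumerate(curve, start=1):
        if f >= fraction:
            return k
    return None


def blocks_to_move_count(n_utxos: int, fraction: float, share: float = MIGRATION_SHARE) -> int:
    """For comparison: blocks to move a fraction of *outputs* regardless of value."""
    return -(-int(n_utxos * fraction) // txs_per_block(share))   # ceiling division


def days_to_move(values, fraction_of_value: float = 0.9, share: float = MIGRATION_SHARE) -> float:
    return blocks_to_reach(migration_schedule(values, share), fraction_of_value) / BLOCKS_PER_DAY


if __name__ == "__main__":
    values = synthetic_utxo_set()
    curve = migration_schedule(values)
    for frac in (0.5, 0.9, 0.99):
        print(f"{frac:.0%} of value: {blocks_to_reach(curve, frac):5d} blocks "
              f"vs {blocks_to_move_count(len(values), frac):5d} blocks for "
              f"{frac:.0%} of outputs")
    print(f"days to move 90% of value: {days_to_move(values):.2f}")
```

Because the schedule moves outputs in descending value order, the top-k outputs always hold at least k/n of the value, so the value curve can never lag the count curve; how far it leads is entirely a property of the value distribution, which is why the real report's conclusion depends on the measured concentration of bitcoin's UTXO set rather than on the migration mechanics.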
If a quantum computer arrives suddenly
Not every scenario is orderly. If a CRQC appeared with little warning, the question becomes emergency response. A developer-written "CRQC response playbook" works backward from that emergency, laying out detection, communication, and the hard choices around exposed funds as a contingency plan rather than a prediction [19]. The sharpest of those choices is whether to freeze spends from vulnerable outputs — which would also strand coins whose owners hold only an exposed key. BitMEX Research has sketched recovery mechanisms, using hash commitments or zero-knowledge proofs, so legitimate owners could reclaim funds during such a freeze, while treating the freeze itself as a contingency to reason about, not a recommendation [20].
Bitcoin has coordinated emergency fixes before. The 2010 value-overflow bug, which briefly created 184 billion BTC, was patched within hours [21]; the March 2013 chain split was resolved when major pools downgraded to reconverge the network [22]; and the 2018 inflation bug (CVE-2018-17144) was disclosed and fixed before anyone exploited it [23]. Each shows rapid response is possible — but each happened on a smaller, more centralized network, with a single clear bug rather than a gradually arriving capability, so they are limited analogies rather than proof a quantum migration would go smoothly.
Coordination is the hard part
Across these scenarios, a recurring conclusion is that the binding constraint is coordination, not cryptography. Changing bitcoin's rules requires broad agreement among many independent participants with no central authority, and analyses of how bitcoin handles contentious upgrades show that process can be slow and divisive even when the technical path is clear [24]. Attention is, at least, rising: Presidio's report tracks the bitcoin-dev mailing list and finds quantum-related messages grew from a small share of traffic to roughly half over 2024–2026 [17].
The threat is real and well understood in principle. Its timing, and the right response, are still being worked out in the open.
Sources
The raw material behind this summary. The numbers match the citations above.
- [1] Divesh Aggarwal, Gavin K. Brennen, Troy Lee, Miklos Santha, Marco Tomamichel (2017). Quantum attacks on Bitcoin, and how to protect against them. Paper.
- [2]
- [3] Hartmut Neven (Google Quantum AI) (2024). Meet Willow, our state-of-the-art quantum chip. Article.
- [4] Maurice Heymann and Sheikh Mahbub Habib (Continental) (2024). From around 2035, quantum computers will have a 50% probability of breaking current encryption. Article.
- [5] Google Quantum AI (Ryan Babbush, Hartmut Neven, et al.) (2026). Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations. Paper.
- [6] Madelyn Cain, Qian Xu, Robbie King, et al. (incl. John Preskill, Hsin-Yuan Huang, Dolev Bluvstein) (2026). Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits. Paper.
- [7]
- [8] Presidio Bitcoin (presenter: Anthony Milton). Analysis of Quantum Vulnerable Bitcoin with Dr. Anthony Milton | Quantum Bitcoin Summit. Video.
- [9]
- [10] Hunter Beast, Ethan Heilman, Isabel Foxen Duke (2024). BIP-360: Pay-to-Merkle-Root (P2MR). BIP.
- [11] National Institute of Standards and Technology (NIST) (2024). NIST finalizes post-quantum encryption standards (FIPS 203, 204, 205). Article.
- [12]
- [13] Jonas Nick (delvingbitcoin.org) (2025). SHRINCS: 324-byte stateful post-quantum signatures with static backups. Article.
- [14] Jonas Nick (delvingbitcoin.org) (2026). SHRIMPS: 2.5 KB post-quantum signatures across multiple stateful devices. Article.
- [15]
- [16]
- [17] Presidio Bitcoin. Bitcoin's Quantum Readiness: Exposure, Mitigations, and Upgrade Paths. Article.
- [18]
- [19]
- [20]
- [21]
- [22]
- [23]
- [24] Bitcoin Consensus Analysis Project (BCAP). Analyzing Bitcoin Consensus: Risks in Protocol Upgrades. Article.