Today, a quantum computer capable of breaking the Bitcoin blockchain does not exist. However, developers are already considering a wave of upgrades to build defenses against potential threats, which is natural since the threats are no longer hypothetical.
This week, Google released research showing that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in nine minutes — a minute faster than the average Bitcoin block settlement time. Some analysts believe this threat could become a reality by 2029.
The stakes are high: some 6.5 million bitcoin, worth hundreds of billions of dollars, sit at addresses whose public keys a quantum computer could target directly. Some of those coins belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. A compromise would also undermine Bitcoin’s core principles of “trust in code” and “sound money.”
Below is a description of the threat, along with the proposals being considered to mitigate it.
Two ways quantum machines can attack Bitcoin
Before discussing the recommendations, let’s first understand the vulnerability.
Bitcoin’s security rests on a one-way mathematical relationship. When you create a wallet, a private key (a secret number) is generated, and the public key is derived from it.
Spending Bitcoin tokens requires proving ownership of a private key, not by revealing it, but by using it to generate a cryptographic signature that the network can verify.
The system is considered secure because it would take modern computers billions of years to break the elliptic curve cryptography involved—specifically the Elliptic Curve Digital Signature Algorithm (ECDSA)—and recover the private key from the public key. That is why the scheme is described as computationally infeasible to compromise.
But future quantum computers could turn this one-way street into a two-way street by deriving your private key from the public key and draining your coins.
Public keys are exposed in two ways: from coins idle on the chain (long-term exposure attack) or from coins in motion or transactions waiting in the mempool (short-term exposure attack).
Pay-to-Public-Key (P2PK) outputs (used by Satoshi Nakamoto and early miners) and Taproot (P2TR) outputs (the current address format, activated in 2021) are vulnerable to long-term exposure attacks. Coins in these addresses do not need to move to expose their public keys: the exposure has already happened, and the keys can be read by anyone on Earth, including future quantum attackers. Approximately 1.7 million BTC sit in old P2PK addresses, including Satoshi Nakamoto’s coins.
Short-term exposure happens in the mempool, the waiting room for unconfirmed transactions. While a transaction waits to be included in a block, your public key and signature are visible to the entire network.
A quantum computer can read this data, but it has only a brief window to derive the corresponding private key and act on it before the transaction is confirmed and buried under further blocks.
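The long-term versus short-term distinction above can be checked against a wallet's own outputs. The following is an added example, not code from the article: it classifies a raw scriptPubKey by the standard output templates and totals the value whose public key is already on-chain; the sample UTXOs and their key and hash bytes are constructed.

```python
# Added example (not from the article): classify a Bitcoin output script
# (scriptPubKey) by whether its public key already sits on-chain at rest.
# The byte patterns are the standard output templates; sample UTXOs below
# are constructed, with dummy key and hash bytes.

def classify_output(script_hex: str) -> tuple:
    """Return (output_type, exposure) for a raw scriptPubKey given in hex.

    'long-term'  : the public key itself is embedded in the output (P2PK,
                   P2TR), so a dormant coin already exposes it.
    'short-term' : only a hash is stored; the key (or script) appears
                   when the coin is spent (P2PKH, P2SH, P2WPKH, P2WSH).
    """
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG (0xac)
    if len(s) in (35, 67) and s[0] in (0x21, 0x41) and s[-1] == 0xAC:
        return "P2PK", "long-term"
    # P2TR: OP_1 (0x51) <push 32-byte x-only pubkey>
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "P2TR", "long-term"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", "short-term"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", "short-term"
    # P2WPKH: OP_0 <20-byte hash>;  P2WSH: OP_0 <32-byte hash>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", "short-term"
    if len(s) == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", "short-term"
    return "unknown", "unknown"

def exposed_at_rest(utxos) -> int:
    """Total satoshis in outputs whose public key is already on-chain."""
    return sum(v for script, v in utxos
               if classify_output(script)[1] == "long-term")

# Constructed sample UTXOs: (scriptPubKey hex, value in satoshis).
SAMPLE_UTXOS = [
    ("21" + "02" * 33 + "ac", 50_0000_0000),       # P2PK,   50 BTC
    ("5120" + "ab" * 32, 1_0000_0000),             # P2TR,    1 BTC
    ("76a914" + "11" * 20 + "88ac", 2_0000_0000),  # P2PKH,   2 BTC
    ("0014" + "22" * 20, 3_0000_0000),             # P2WPKH,  3 BTC
]
```

Running `exposed_at_rest(SAMPLE_UTXOS)` on the constructed set reports 51 BTC (5,100,000,000 sat) as already exposed; the P2PKH and P2WPKH coins only expose a key when spent.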
Proposed measures
BIP 360: Remove the public key from the chain
As mentioned before, every new Bitcoin address created using Taproot today permanently exposes the public key on the chain, giving future quantum computers a target that will never go away.
Bitcoin Improvement Proposal (BIP) 360 removes public keys that are permanently embedded on the chain and visible to everyone by introducing a new output type called Pay-to-Merkle-Root (P2MR).
Recall that a quantum attacker works from the public key, reverse engineers the private key from it and then forges valid signatures. If the public key is never embedded in the output, a coin at rest gives the attacker nothing to work with. Meanwhile, everything else, including Lightning payments, multi-signature setups and other Bitcoin features, remains unchanged.
However, if implemented, the proposal only protects future new coins. The 1.7 million BTC already in old exposed addresses is a separate issue, addressed by other proposals below.
SPHINCS+/SLH-DSA: Hash-based post-quantum signatures
SPHINCS+ is a post-quantum signature scheme built on hash functions that avoids the quantum risks faced by the elliptic curve cryptography used by Bitcoin. While Shor’s algorithm threatens ECDSA, hash-based designs like SPHINCS+ are not considered equally vulnerable.
After years of public review, the National Institute of Standards and Technology (NIST) standardized the scheme as FIPS 205 (SLH-DSA) in August 2024.
The price of security is size. Current Bitcoin signatures are 64 bytes, while SLH-DSA is 8 KB or larger. Therefore, adopting SLH-DSA will drastically increase block space requirements and increase transaction fees.
Therefore, proposals such as SHRIMPS and SHRINCS (two further hash-based post-quantum signature schemes) have been introduced to reduce signature size without sacrificing post-quantum security. Both build on SPHINCS+ while aiming to retain its security guarantees in a more practical and space-efficient form suitable for blockchain use.
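To make the hash-based trade-off concrete, here is an added example that is not from the article and is not SPHINCS+ itself: a Lamport one-time signature, the simplest hash-based scheme, with SHA-256 as the only cryptographic primitive. SPHINCS+/SLH-DSA layers such one-time keys under hash trees so that one public key can sign many messages, but the size cost the section describes is already visible here.

```python
# Added example (not from the article): a Lamport one-time signature, the
# simplest hash-based scheme. SPHINCS+/SLH-DSA is far more elaborate and
# layers such one-time keys under hash trees so one key can sign many
# messages, but the same trade-off shows here: security rests only on the
# hash function, and the signature is kilobytes rather than ECDSA's 64 bytes.
import hashlib
import secrets

N = 32          # SHA-256 output size in bytes
BITS = 8 * N    # we sign a 256-bit digest, one secret pair per digest bit

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Secret key: 256 pairs of random values. Public key: their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def digest_bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1

def sign(sk, msg: bytes) -> bytes:
    """For each digest bit reveal the matching preimage. Revealing half the
    secret values is why a Lamport key must never sign a second message."""
    d = h(msg)
    return b"".join(sk[i][digest_bit(d, i)] for i in range(BITS))

def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed value and compare with the published half of pk."""
    if len(sig) != BITS * N:
        return False
    d = h(msg)
    return all(h(sig[i * N:(i + 1) * N]) == pk[i][digest_bit(d, i)]
               for i in range(BITS))

def signature_size_bytes() -> int:
    """8192 bytes: the same order as the 8 KB SLH-DSA figure above and
    128 times the 64-byte ECDSA signature Bitcoin uses today."""
    return BITS * N
```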
Tadge Dryja’s commit/reveal plan: an emergency brake for the mempool
The proposal, a soft fork suggested by Lightning Network co-founder Tadge Dryja, aims to protect transactions in the mempool from future quantum attackers. It does this by dividing transaction execution into two phases: commit and reveal.
Imagine telling a counterparty that you are going to send them an email, and then actually sending it. The first step is the commit phase and the second is the reveal phase.
On a blockchain, this means you first publish a sealed fingerprint of your intent – just a hash, which doesn’t reveal anything about the transaction. The blockchain permanently timestamps the fingerprint. Then, when you broadcast the actual transaction, your public key becomes visible – and yes, a quantum computer monitoring the network can get your private key from it and fake a competing transaction to steal your funds.
But the fake transaction is rejected immediately. The network checks: does this spend have a prior commitment registered on-chain? Yours does. The attacker’s does not, because they only created it after seeing your transaction. Your pre-registered fingerprint is your alibi.
The drawback is the extra cost of splitting each transaction into two stages. The scheme has therefore been described as a temporary bridge that could be deployed now while the community builds longer-term quantum defences.
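The commit-then-reveal check described above, as an added example that is not from the article and is a simplification rather than the proposal’s actual consensus rules: a toy ledger accepts a spend only when a commitment to it was mined at least MIN_AGE blocks earlier and the coin is still unspent. MIN_AGE, the hash construction, the transaction strings and the coin ids are this example’s own assumptions.

```python
# Added example, not from the article or from Dryja's proposal itself: a toy
# ledger where a spend is valid only if a commitment to it (modelled here as
# SHA-256 over a salt and the serialized transaction) was mined at least
# MIN_AGE blocks earlier. MIN_AGE, the transaction strings and the coin ids
# are this example's own assumptions.
import hashlib
import secrets

MIN_AGE = 2   # blocks a commitment must age before its reveal is accepted

def commitment(tx: bytes, salt: bytes) -> bytes:
    """Sealed fingerprint of intent: reveals nothing about tx without salt."""
    return hashlib.sha256(salt + tx).digest()

class Ledger:
    def __init__(self):
        self.height = 0
        self.commits = {}    # commitment -> block height it was mined in
        self.spent = set()   # coin ids already spent

    def mine_commit(self, c: bytes) -> None:
        """Commit phase: only the hash is published and timestamped."""
        self.height += 1
        self.commits.setdefault(c, self.height)

    def mine_reveal(self, tx: bytes, salt: bytes, coin: str) -> bool:
        """Reveal phase: the full transaction (and its public key) appears.
        Accepted only with an old enough commitment and an unspent coin."""
        self.height += 1
        age = self.height - self.commits.get(commitment(tx, salt), self.height)
        if coin in self.spent or age < MIN_AGE:
            return False
        self.spent.add(coin)
        return True

def scenario() -> tuple:
    """Honest owner commits first; a competing spend of the same coin that
    was crafted after seeing the reveal fails at every stage."""
    ledger = Ledger()
    owner_tx, salt = b"spend coin-1 -> merchant", secrets.token_bytes(16)
    ledger.mine_commit(commitment(owner_tx, salt))        # block 1
    ledger.mine_commit(b"unrelated commitment")             # block 2
    rival_tx = b"spend coin-1 -> rival"                   # seen after owner_tx
    race = ledger.mine_reveal(rival_tx, b"", "coin-1")     # block 3: no commitment
    ledger.mine_commit(commitment(rival_tx, b"rs"))         # block 4: commits late
    late = ledger.mine_reveal(rival_tx, b"rs", "coin-1")    # block 5: too young
    owner = ledger.mine_reveal(owner_tx, salt, "coin-1")    # block 6: accepted
    after = ledger.mine_reveal(rival_tx, b"rs", "coin-1")   # block 7: coin spent
    return owner, race, late, after
```

The gap between blocks 4 and 6 is the race the scheme relies on: the honest reveal must be mined before a late rival commitment ages past MIN_AGE, which is why the article calls it a brake rather than a cure. The real proposal’s parameters and priority rules differ from this toy.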
Hourglass V2: Slow down the consumption of old coins
Proposed by developer Hunter Beast, Hourglass V2 targets quantum vulnerabilities associated with approximately 1.7 million BTC held in old, already exposed addresses.
The proposal acknowledges that these bitcoins could be stolen in a future quantum attack and attempts to slow the losses by limiting spending from these addresses to one bitcoin per block, avoiding a catastrophic mass liquidation that could collapse the market overnight.
Analogy to a bank run: You can’t stop people from withdrawing money, but you can limit the speed of withdrawals to prevent the system from collapsing overnight. The proposal is controversial because even this limited restriction is seen by some in the Bitcoin community as violating the principle that no outside party can interfere with your right to use Bitcoin.
Conclusion
None of the proposals has been activated yet, and Bitcoin’s decentralized governance spans developers, miners and node operators, so any upgrade may take time to materialize.
Still, a steady stream of proposals ahead of this week’s Google report suggests the issue has long been on developers’ radar, which could help ease market concerns.
