Quantum computers capable of breaking the Bitcoin blockchain do not exist today. However, developers are already considering a wave of upgrades to build defenses against the potential threat, and rightly so, as the threat is no longer hypothetical.
This week, Google published research suggesting that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in under nine minutes — a minute faster than the average Bitcoin block settlement time. Some analysts believe that such a threat could become a reality in 2029.
The stakes are high: About 6.5 million bitcoin tokens, worth hundreds of billions of dollars, sit at addresses that a quantum computer can directly target. Some of these coins belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. Moreover, the potential compromise would harm Bitcoin’s core principles – “trust the code” and “sound money”.
Here’s what the threat looks like, along with proposals being considered to mitigate it.
Two ways a quantum machine can attack Bitcoin
Let us first understand the vulnerability before discussing the suggestions.
Bitcoin’s security is built on a one-way mathematical relationship. When you create a wallet, a private key, a secret number, is generated, and a public key is derived from it.
Using bitcoin tokens requires proof of ownership of a private key, not by revealing it, but by using it to generate a cryptographic signature that the network can verify.
This system holds because a classical computer would take billions of years to break elliptic curve cryptography—specifically the Elliptic Curve Digital Signature Algorithm (ECDSA)—and recover the private key from the public key. That is why the blockchain is said to be computationally infeasible to compromise.
But a future quantum computer could turn this one-way street into a two-way street by deriving your private key from the public key and draining your coins.
The public key is revealed in two ways: from coins sitting idle on the chain (the long exposure attack) or from coins in motion, that is, transactions waiting in the memory pool (the short exposure attack).
Pay-to-Public-Key (P2PK) addresses (used by Satoshi and early miners) and Taproot (P2TR), the current address format enabled in 2021, are vulnerable to the long exposure attack. Coins at these addresses do not need to move to reveal their public keys; the exposure has already happened and can be read by anyone on earth, including a future quantum attacker. About 1.7 million BTC sits on old P2PK addresses – including Satoshi’s coins.
The short exposure is linked to the mempool – the waiting room for unconfirmed transactions. While transactions sit there waiting to be included in a block, your public key and signature are visible to the entire network.
A quantum computer could access this data, but it would only have a short window—before the transaction is confirmed and buried under additional blocks—to derive the corresponding private key and act on it.
Initiatives
BIP 360: Removal of public key
As mentioned earlier, every new Bitcoin address created using Taproot today permanently exposes a public key on the chain, giving a future quantum computer a target that will never disappear.
Bitcoin Improvement Proposal (BIP) 360 removes the public key permanently embedded in the chain and visible to everyone by introducing a new output type called Pay-to-Merkle-Root (P2MR).
Remember that a quantum computer studies the public key, reverse-engineers the private key from it, and forges a working copy. If the public key is removed, the attack has nothing to work from. Meanwhile, everything else, including Lightning payments, multi-signature setups and other Bitcoin features, remains the same.
However, if implemented, this proposal only protects new coins going forward. The 1.7 million BTC already sitting in old exposed addresses is a separate issue, addressed by other proposals below.
SPHINCS+ / SLH-DSA: Hash-based post-quantum signatures
SPHINCS+ is a post-quantum signature scheme built on hash functions, which avoids the quantum risk that affects the elliptic curve cryptography Bitcoin uses. While Shor’s algorithm threatens ECDSA, hash-based designs like SPHINCS+ are not seen as similarly vulnerable.
The scheme was standardized by the National Institute of Standards and Technology (NIST) in August 2024 as FIPS 205 (SLH-DSA) after several years of public review.
The trade-off for safety is size. While current bitcoin signatures are 64 bytes, an SLH-DSA signature is 8 kilobytes (KB) or more. As such, adopting SLH-DSA would significantly increase demand for block space and raise transaction fees.
As a result, proposals such as SHRIMPS (another hash-based post-quantum signature scheme) and SHRINCS have already been introduced to reduce signature sizes without sacrificing post-quantum security. Both build on SPHINCS+ while aiming to preserve its security guarantees in a more practical, space-efficient form suitable for blockchain use.
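To make the size trade-off concrete, here is an added example (not code from the article or from the SPHINCS+ project) of the simplest hash-based signature, a Lamport one-time signature over SHA-256. SPHINCS+ is far more elaborate, but it is built from the same ingredient: revealing hash preimages instead of doing elliptic curve math, so Shor’s algorithm has nothing to attack. The 64-byte ECDSA figure and the signature-size comparison are taken from the article; the key-pair layout and the one-time restriction are properties of Lamport’s scheme, not of SLH-DSA.

```python
import hashlib
import secrets

HASH_BITS = 256  # SHA-256 digest length; one secret pair per message-digest bit
ECDSA_SIG_BYTES = 64  # size of a current bitcoin signature, per the article


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of every secret (hashes reveal nothing about preimages)."""
    priv = [(rng(32), rng(32)) for _ in range(HASH_BITS)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def _digest_bits(message: bytes):
    digest = int.from_bytes(sha256(message), "big")
    for i in range(HASH_BITS):
        yield i, (digest >> (HASH_BITS - 1 - i)) & 1


def lamport_sign(priv, message: bytes) -> list:
    """For each bit of H(message), reveal the secret from that half of the pair.
    ONE-TIME ONLY: signing a second message with the same key reveals both halves
    of many pairs, letting anyone forge signatures for further messages."""
    return [priv[i][bit] for i, bit in _digest_bits(message)]


def lamport_verify(pub, message: bytes, sig: list) -> bool:
    """Hash each revealed secret and compare with the committed public half."""
    if len(sig) != HASH_BITS:
        return False
    return all(sha256(sig[i]) == pub[i][bit] for i, bit in _digest_bits(message))


def signature_size(sig: list) -> int:
    """Total bytes on the wire for one signature (256 secrets x 32 bytes = 8 KiB)."""
    return sum(len(s) for s in sig)


def size_ratio(sig: list) -> float:
    """How many times larger than a 64-byte ECDSA signature this hash-based one is."""
    return signature_size(sig) / ECDSA_SIG_BYTES


if __name__ == "__main__":
    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, b"spend 1 BTC to bc1-example")  # constructed message
    print("valid:", lamport_verify(pub, b"spend 1 BTC to bc1-example", sig))
    print("signature bytes:", signature_size(sig), "=", size_ratio(sig), "x ECDSA")
```

Even this toy scheme lands exactly in the size range the article cites for SLH-DSA (8 KB), which is why the space-saving follow-up proposals exist; SPHINCS+ additionally removes the one-time restriction by layering many such signatures under a Merkle tree, at further size cost.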
Tadge Dryja’s Commit/Reveal Scheme: An emergency brake for the mempool
This proposal, a soft fork proposed by Lightning Network co-creator Tadge Dryja, aims to protect transactions in the mempool from a future quantum attacker. It does this by separating transaction execution into two phases: Commit and Reveal.
Imagine informing a counterparty that you intend to email them, and then actually sending the email. The former is the commitment phase and the latter is the reveal.
On the blockchain, this means that you first publish a sealed fingerprint of your intent—just a hash that reveals nothing about the transaction. The blockchain timestamps that fingerprint permanently. Later, when you issue the actual transaction, your public key becomes visible – and yes, a quantum computer watching the network can derive your private key from it and forge a competing transaction to steal your money.
But the forged transaction is immediately rejected. The network checks: Does this spend have a prior commitment registered in the chain? Yours does. The attacker’s doesn’t – they created it a moment ago. Your pre-registered fingerprint is your alibi.
The problem, however, is the increased cost that results from splitting a transaction into two phases. So it is described as a temporary bridge, handy to deploy while the ecosystem works on longer-term quantum defenses.
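The check described above, as an added example that is not Dryja’s code and does not follow his proposal’s exact encoding: a toy chain records the block height at which each commitment hash was mined, and the reveal-phase rule accepts a spend only if its own commitment is already buried. The commitment format (`commit-v0:` prefix over the serialized spend), the `Tx` and `Chain` models, the `min_confirmations` depth parameter and the earliest-commitment tie-break in `pick_winner` are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Tx:
    """Toy spend (constructed model): coins consumed, destinations, and the key that signs."""
    inputs: tuple    # outpoints being spent
    outputs: tuple   # (destination, amount) pairs
    pubkey: bytes    # becomes visible to the network only when the spend is broadcast

    def commitment(self) -> bytes:
        # The hash binds the exact spend, including its outputs and key, but reveals
        # nothing until the preimage (the spend itself) is broadcast. An attacker who
        # later derives the private key cannot produce a different spend with this hash.
        return sha256(b"commit-v0:" + repr((self.inputs, self.outputs, self.pubkey)).encode())


@dataclass
class Chain:
    """Minimal chain state: tip height plus the height at which each commitment was mined."""
    height: int = 0
    committed_at: dict = field(default_factory=dict)

    def mine_block(self, commitments=()) -> int:
        self.height += 1
        for c in commitments:
            self.committed_at.setdefault(c, self.height)  # first inclusion is what counts
        return self.height


def has_prior_commitment(chain: Chain, tx: Tx, min_confirmations: int = 1) -> bool:
    """Reveal-phase rule: the spend is valid only if its commitment is already in the chain
    (and, optionally, buried under `min_confirmations` blocks so a reorg cannot undo it)."""
    h = chain.committed_at.get(tx.commitment())
    if h is None:
        return False  # no registered fingerprint: this spend was crafted in the mempool window
    return chain.height - h + 1 >= min_confirmations


def pick_winner(chain: Chain, candidates) -> Optional[Tx]:
    """Among conflicting spends of the same coins, discard any without a commitment and
    keep the one whose commitment was mined earliest (assumed tie-break for this model)."""
    eligible = [tx for tx in candidates if has_prior_commitment(chain, tx)]
    if not eligible:
        return None
    return min(eligible, key=lambda tx: chain.committed_at[tx.commitment()])


if __name__ == "__main__":
    chain = Chain()
    honest = Tx(("coin:0",), (("alice-new-addr", 5),), b"\x02" + b"A" * 32)  # constructed
    chain.mine_block([honest.commitment()])   # commit phase: only the hash is published
    chain.mine_block()                         # time passes
    forged = Tx(("coin:0",), (("thief-addr", 5),), honest.pubkey)  # same key, different outputs
    print("honest accepted:", has_prior_commitment(chain, honest))
    print("forged accepted:", has_prior_commitment(chain, forged))
    print("winner:", pick_winner(chain, [forged, honest]).outputs)
```

Note what the rule does and does not cover: a forged spend that has never been committed is rejected outright, and even an attacker who commits after seeing the reveal loses the tie-break because the honest commitment is older; but a user who reveals a spend before its commitment is confirmed gets no protection, which is the operational cost the article refers to.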
Hourglass V2: Slow down the spending of old coins
Proposed by developer Hunter Beast, Hourglass V2 targets the quantum vulnerability linked to around 1.7 million BTC stored in older, already exposed addresses.
The proposal accepts that these coins could be stolen in a future quantum attack and seeks to stem the bleeding by limiting the spending of these coins to one per block, to avoid a catastrophic overnight mass liquidation that could crater the market.
The analogy is a bank run: you can’t stop people from withdrawing, but you can limit the pace of withdrawals to prevent the system from collapsing overnight. The proposal is controversial because even this limited restriction is seen by some in the Bitcoin community as a violation of the principle that no outside party can ever interfere with your right to use your coins.
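The rate limit as a block-assembly rule, added here as an illustration rather than as Hourglass V2’s own code: a toy block builder sorts the mempool by fee rate as usual but admits at most one spend of coins from an exposed legacy output type per block, deferring the rest to later blocks. The mempool entries, fee rates and the choice to rate-limit only P2PK inputs are constructed assumptions for this example; the one-per-block figure is the article’s.

```python
import math
from dataclasses import dataclass

RATE_LIMITED_INPUT_TYPES = {"P2PK"}  # assumed: the old, already-exposed outputs the proposal targets
LEGACY_SPENDS_PER_BLOCK = 1          # cap per block, per the article


@dataclass(frozen=True)
class Spend:
    txid: str
    input_type: str   # output type of the coins being consumed, e.g. "P2PK", "P2WPKH"
    fee_rate: float   # sat/vB, constructed values


def is_rate_limited(spend: Spend) -> bool:
    return spend.input_type in RATE_LIMITED_INPUT_TYPES


def assemble_block(mempool, cap: int = LEGACY_SPENDS_PER_BLOCK):
    """Select by fee rate; admit at most `cap` rate-limited spends, defer the others.
    Returns (included, deferred); unrestricted spends are never deferred by this rule."""
    included, deferred = [], []
    legacy_used = 0
    for spend in sorted(mempool, key=lambda s: s.fee_rate, reverse=True):
        if is_rate_limited(spend):
            if legacy_used >= cap:
                deferred.append(spend)
                continue
            legacy_used += 1
        included.append(spend)
    return included, deferred


def simulate(mempool, cap: int = LEGACY_SPENDS_PER_BLOCK):
    """Keep building blocks until the backlog is drained; returns the list of blocks."""
    blocks, pending = [], list(mempool)
    while pending:
        included, pending = assemble_block(pending, cap)
        blocks.append(included)
    return blocks


def blocks_to_drain(n_legacy_spends: int, cap: int = LEGACY_SPENDS_PER_BLOCK) -> int:
    """Lower bound on blocks needed to move `n_legacy_spends` rate-limited spends."""
    return math.ceil(n_legacy_spends / cap)


if __name__ == "__main__":
    mempool = [  # constructed sample
        Spend("a1", "P2PK", 90.0), Spend("a2", "P2PK", 40.0), Spend("a3", "P2PK", 10.0),
        Spend("b1", "P2WPKH", 5.0), Spend("b2", "P2TR", 60.0),
    ]
    for n, block in enumerate(simulate(mempool), start=1):
        print(f"block {n}:", [s.txid for s in block])
```

The deferred queue is the whole point of the proposal: a thief holding many compromised keys can still spend, but only at the pace the cap allows, which is exactly the property critics object to, since the same cap binds the legitimate owner.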
Conclusion
These proposals have yet to be activated, and Bitcoin’s decentralized governance, spanning developers, miners and node operators, means any upgrade will likely take time to materialize.
Still, the steady stream of suggestions preceding this week’s Google report suggests the issue has long been on developers’ radar, which may help quell market concerns.