A post by Udi Wertheimer a few weeks ago made headlines across crypto media with a stark claim: The Lightning Network is “helplessly broken” in a post-quantum world, and its developers can’t do anything about it. The headline traveled quickly. For companies that have built real payment infrastructure on Lightning or are evaluating it, the implications were unsettling.
It deserves a measured response.
Wertheimer is a respected Bitcoin developer, and his underlying concern is legitimate: Quantum computers, if they ever become sufficiently powerful, pose a real long-term challenge to the cryptographic systems that Bitcoin and Lightning rely on. That part is true and the Bitcoin development community is already seriously working on it. But the framing of Lightning as “helplessly broken” obscures more than it reveals, and companies making infrastructure decisions deserve a clearer picture.
What Wertheimer got right
Lightning channels require participants to share public keys with their counterparty when opening a payment channel. In a world where cryptographically relevant quantum computers (CRQCs) exist, an attacker who obtains these public keys could theoretically use Shor’s algorithm to derive the corresponding private key and from there steal money.
This is a real structural property of how Lightning works.
What the headline leaves out
The threat is far more specific and far more conditional than “your Lightning balance could be stolen.”
First, the channels themselves are protected by a hash while they are open. Funding transactions use P2WSH (Pay-to-Witness-Script-Hash), so the raw public keys inside the 2-of-2 multisig script are hidden on-chain for as long as the channel remains open; only the SHA256 of the script is visible. Off-chain payments do not expose keys either: they are routed through Hashed Time-Lock Contracts (HTLCs), which settle by revealing a hash preimage, and the keys inside HTLC scripts only reach the chain if a commitment transaction does. A quantum attacker passively viewing the blockchain cannot see the keys they need. Two caveats apply. This relies on the counterparty, who was handed every channel key at open, not being the attacker. And it holds for P2WSH outputs; a taproot (P2TR) output places a tweaked public key directly in the output script, so the experimental simple-taproot channel type, whose funding output is P2TR, would not get the same cover.
The realistic attack window is much narrower: a force-close. When a channel is force-closed and a commitment transaction is broadcast, the witness that spends the funding output reveals the two funding public keys for the first time. The commitment transaction's own outputs are again P2WSH, so the to_local script, which contains local_delayedpubkey, an ordinary secp256k1 public key, stays behind a hash until that output is spent. By design, the node that broadcast the commitment cannot spend it at all until a CSV (CheckSequenceVerify) timelock, typically 144 blocks (about 24 hours), has expired, and the sweep that follows is what puts local_delayedpubkey on the wire.
In a post-quantum scenario, an attacker watching the mempool could take a public key the moment it appears in a witness, run Shor's algorithm to derive the private key, and try to get a competing, higher-fee spend of the same output confirmed before the honest one. HTLC outputs at force-close create additional windows of this kind: the second-stage HTLC-timeout and HTLC-success transactions reveal the HTLC scripts and the keys inside them, and the CLTV deltas involved can be as short as 40 blocks, around six to seven hours.
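To make the key-visibility argument concrete, here is an added Python example (not code from the original post or from any Lightning implementation) that builds the BOLT 3 funding and to_local witness scripts, derives the P2WSH scriptPubKey that actually sits on-chain, and scans each for compressed public keys, which is all a mempool watcher can do. The four keys are constructed placeholders, the scanner is my own, and the script templates and the CScriptNum encoding of to_self_delay follow BOLT 3.

```python
import hashlib

# Script opcodes used by the BOLT 3 funding and to_local scripts.
OP_0, OP_2 = 0x00, 0x52
OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_DROP, OP_CHECKSIG, OP_CHECKMULTISIG = 0x75, 0xac, 0xae
OP_CHECKSEQUENCEVERIFY = 0xb2
OP_PUSHDATA1 = 0x4c


def push(data: bytes) -> bytes:
    """Direct data push (OP_PUSHBYTES_1 .. OP_PUSHBYTES_75)."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def script_num(n: int) -> bytes:
    """Push a small positive integer the way Bitcoin Script expects (CScriptNum)."""
    assert n > 0
    if n <= 16:
        return bytes([0x50 + n])  # OP_1 .. OP_16
    raw = bytearray()
    while n:
        raw.append(n & 0xFF)
        n >>= 8
    if raw[-1] & 0x80:  # sign bit must stay clear for a positive number
        raw.append(0x00)
    return push(bytes(raw))


def funding_script(pubkey1: bytes, pubkey2: bytes) -> bytes:
    """BOLT 3 funding witness script: 2 <pk_a> <pk_b> 2 OP_CHECKMULTISIG, keys sorted."""
    a, b = sorted((pubkey1, pubkey2))
    return bytes([OP_2]) + push(a) + push(b) + bytes([OP_2, OP_CHECKMULTISIG])


def to_local_script(revocationpubkey: bytes, local_delayedpubkey: bytes, to_self_delay: int) -> bytes:
    """BOLT 3 to_local witness script: revocation path, or delayed path after the CSV wait."""
    return (bytes([OP_IF]) + push(revocationpubkey)
            + bytes([OP_ELSE]) + script_num(to_self_delay)
            + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP]) + push(local_delayedpubkey)
            + bytes([OP_ENDIF, OP_CHECKSIG]))


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """What goes on-chain for a P2WSH output while it is unspent: OP_0 <sha256(witness_script)>."""
    return bytes([OP_0]) + push(hashlib.sha256(witness_script).digest())


def extract_pubkeys(script: bytes) -> list:
    """Collect every 33-byte compressed-key push: what an observer can read off a script."""
    keys, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            data, i = script[i:i + op], i + op
        elif op == OP_PUSHDATA1:
            n = script[i]
            data, i = script[i + 1:i + 1 + n], i + 1 + n
        else:
            continue  # plain opcode, no data attached
        if len(data) == 33 and data[0] in (0x02, 0x03):
            keys.append(data)
    return keys


def exposure_report(witness_script: bytes) -> dict:
    """Keys visible while the output is unspent vs. keys revealed by the spending witness."""
    return {
        "while_unspent": extract_pubkeys(p2wsh_script_pubkey(witness_script)),
        "when_spent": extract_pubkeys(witness_script),
    }


# Constructed placeholder keys (valid-looking 33-byte compressed encodings, not real channel keys).
LOCAL_FUNDING_PK = bytes.fromhex("02" + "11" * 32)
REMOTE_FUNDING_PK = bytes.fromhex("03" + "22" * 32)
REVOCATION_PK = bytes.fromhex("02" + "33" * 32)
LOCAL_DELAYED_PK = bytes.fromhex("03" + "44" * 32)
TO_SELF_DELAY = 144  # blocks; roughly 24 hours at one block per 10 minutes

FUNDING = funding_script(LOCAL_FUNDING_PK, REMOTE_FUNDING_PK)
TO_LOCAL = to_local_script(REVOCATION_PK, LOCAL_DELAYED_PK, TO_SELF_DELAY)

if __name__ == "__main__":
    print("funding output :", exposure_report(FUNDING))
    print("to_local output:", exposure_report(TO_LOCAL))
    print("to_local script:", TO_LOCAL.hex())
```

Running it shows that the on-chain P2WSH scriptPubKey yields no keys at all, while the witness script yields every key the moment it is spent: the funding keys when the commitment transaction spends the funding output, and revocationpubkey plus local_delayedpubkey when the to_local output is swept after the CSV wait. That boundary is the whole difference between the passive-observer case and the race described above.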
This is a real and specific vulnerability. But it is a timed race: the attacker must derive a private key from a freshly exposed public key, inside a fixed window, separately for each output they want to steal. It is not a passive, silent drain on every Lightning wallet at once.
The quantum hardware reality check
Here’s the part that rarely makes the headlines: cryptographically relevant quantum computers do not exist today, and the gap between current hardware and what such an attack would require is enormous.
Breaking Bitcoin’s elliptic curve cryptography means solving a 256-bit discrete logarithm, a key space of roughly 78 decimal digits. Published resource estimates put that at thousands of error-corrected logical qubits, which with today’s error-correction overheads translates into millions of physical qubits, running for an extended period. The largest number ever factored with Shor’s algorithm on real quantum hardware is 21 (3 × 7), in 2012, using a compiled circuit and significant classical assistance. The more recent record, a hybrid quantum-classical factoring of a 90-bit RSA modulus, is progress, but it did not come from running Shor’s algorithm at scale, and a 90-bit modulus is still more than 160 bits short of a 256-bit key; since 256-bit ECDLP is generally rated as equivalent to RSA-3072, the distance is larger still.
Google’s quantum research is real and worth taking seriously. The timelines discussed by serious researchers range from optimistic estimates in the late 2020s to more conservative projections for the 2030s or beyond. None of that amounts to “your Lightning balance is at risk today.”
The development community is not sitting still
Wertheimer’s framing of Lightning developers as “helpless” is also out of step with what is actually happening. Since December alone, the Bitcoin development community has produced more than five serious post-quantum proposals: SHRINCS (324-byte stateful hash-based signatures), SHRIMPS (2.5 KB signatures split across multiple devices, about three times smaller than the NIST standard), BIP-360, Blockstream’s hash-based signatures for OP_CSXIN and OP_SXIN, and STARK-based opcodes in tapscript.
The correct framing is not that Lightning is broken beyond repair. It is that Lightning, like the rest of Bitcoin and like most of the Internet’s cryptographic infrastructure, needs a base-layer upgrade to become quantum-resistant, and that work is underway.
What it means for companies building on Lightning today
Lightning processes real payment volume for real businesses today: iGaming platforms, crypto exchanges, neobanks and payment service providers that move money globally for fractions of a cent with instant finality. The question companies should be asking is not whether to abandon Lightning over a theoretical future threat, but whether the teams building Lightning infrastructure are aware of what is coming and planning accordingly.
The answer, based on the amount and quality of post-quantum research happening in the Bitcoin development community right now, is yes.
The Lightning Network is not helplessly broken. It faces the same long-term cryptographic challenge as the entire digital financial system, and it has a development community actively working to solve it. That is a different story from the one the headline told.