The Quantum Threat to Bitcoin: What's Actually at Risk and When
The quantum threat to Bitcoin is not a science-fiction scenario reserved for the distant future. It is a structural vulnerability already baked into Bitcoin's cryptographic foundations, affecting millions of UTXOs today. This article breaks down exactly which coins are exposed, why ECDSA fails against a sufficiently powerful quantum computer, what timeline analysts consider realistic, and what realistic migration paths exist, from proposed soft-forks to post-quantum signature schemes currently being standardised by NIST. No hype, no price speculation, just mechanism-level analysis.
Why Bitcoin's Cryptography Is Quantum-Vulnerable
Bitcoin relies on two core cryptographic primitives: SHA-256 for proof-of-work and block hashing, and Elliptic Curve Digital Signature Algorithm (ECDSA) on the secp256k1 curve for transaction authorisation. These two face very different quantum exposure levels.
SHA-256 and Grover's Algorithm
Grover's algorithm allows a quantum computer to search an unsorted database of N items in roughly √N operations instead of N. Applied to SHA-256, this effectively halves the security level from 256 bits to 128 bits. That is still computationally enormous. A 128-bit security level is considered adequate by most cryptographic standards through the foreseeable future, and mining would require quadratically more qubits than cracking signatures. In short, proof-of-work is inconvenienced by quantum computing, not broken.
ECDSA and Shor's Algorithm
The real danger is Shor's algorithm, published in 1994, which can solve the discrete logarithm problem on elliptic curves in polynomial time on a sufficiently large quantum computer. ECDSA security rests entirely on the hardness of deriving a private key from a public key. On a classical computer, this is computationally infeasible with 256-bit curves. On a cryptographically relevant quantum computer (CRQC), it is not.
If a public key is known, Shor's algorithm can, in principle, recover the corresponding private key, allowing an attacker to forge a valid signature and redirect any funds associated with that address.
The critical word is known. Bitcoin addresses are, in theory, hashed representations of public keys (via SHA-256 and RIPEMD-160). If a public key has never been broadcast, an attacker cannot apply Shor's algorithm to it. The vulnerability therefore splits cleanly along lines of key exposure.
---
Which Bitcoin Outputs Are Actually Exposed Right Now
Not all UTXOs carry equal quantum risk. The exposure level depends on the script type and address reuse history.
Pay-to-Public-Key (P2PK) Outputs
Early Bitcoin, including the genesis block and most coins mined by Satoshi Nakamoto, used the P2PK script type, which embeds the raw 65-byte uncompressed public key directly in the locking script. These outputs expose the public key without requiring a transaction to be broadcast. Any CRQC operator could begin computing the private key immediately, without waiting for the owner to spend.
Estimates vary, but researchers have identified roughly 1 to 1.7 million BTC sitting in P2PK outputs, a significant portion of which is attributable to early miners and is presumed dormant or lost. These represent the highest-priority quantum targets.
Reused P2PKH and P2WPKH Addresses
Pay-to-Public-Key-Hash (P2PKH) and its SegWit equivalent P2WPKH offer one layer of quantum protection: the public key is only revealed when the owner spends from the address. However, if a user has ever spent from an address and then received further funds to that same address (address reuse), the public key is now on-chain and the remaining balance is exposed.
Chain analysis studies suggest that 30 to 40% of all UTXOs are associated with addresses whose public keys are already public, either through prior spending or through the P2PK format.
Unspent Outputs With Exposed Keys: Summary Table
| Output Type | Public Key Exposed? | Quantum Risk Level | Estimated BTC at Risk |
|---|---|---|---|
| P2PK (legacy) | Yes, always | Critical | ~1–1.7M BTC |
| P2PKH, key already revealed via prior spend | Yes, if address reused | High | Hundreds of thousands of BTC |
| P2PKH, key never revealed | No | Low (pre-spend window) | Majority of current UTXOs |
| P2WPKH (SegWit), key never revealed | No | Low (pre-spend window) | Large share of recent UTXOs |
| P2TR (Taproot), key-path spend | Yes, on spend | Medium (time-of-spend window) | Growing share |
The "time-of-spend window" is an important nuance for all hashed address types. Even if the public key was not previously exposed, the moment a user broadcasts a transaction, the public key appears in the mempool. A CRQC fast enough to run Shor's algorithm in the time between broadcast and confirmation could intercept and replace the transaction. Current estimates suggest this window is between 10 minutes and one hour for Bitcoin. A CRQC capable of cracking secp256k1 in under 10 minutes would therefore threaten even previously unexposed keys at the moment of spending.
---
What Quantum Hardware Would Actually Be Required
This section matters for calibrating urgency. Cracking secp256k1 with Shor's algorithm is not a task for today's quantum hardware.
Current State of Quantum Computing
As of 2024-2025, the leading quantum processors from IBM, Google, and others operate in the range of 1,000 to 1,500 physical qubits, with error rates that require substantial classical error correction overhead. Estimates from academic research (Webber et al., 2022; Kim et al., 2023) suggest that breaking a 256-bit elliptic curve key within one hour would require approximately 317 million to 1 billion physical qubits when accounting for error correction via the surface code.
Current machines are roughly five to six orders of magnitude short of that requirement.
Realistic Timeline Scenarios
Analysts and cryptographers offer a range of estimates:
- Pessimistic scenario (10-15 years): If qubit counts scale at rates comparable to early transistor scaling, a CRQC could emerge by the mid-2030s to early 2040s. Government agencies such as CISA and NIST treat this as the planning horizon.
- Central scenario (15-25 years): Most academic cryptographers place practical ECDSA-breaking quantum computers in the 2040s to 2050s, accounting for engineering challenges beyond raw qubit counts, including coherence times, gate fidelity, and error correction overhead.
- Optimistic (for Bitcoin) scenario (30+ years): Engineering obstacles, particularly fault-tolerant logical qubit construction, may push practical CRQCs beyond 2050. Some researchers argue current hardware roadmaps do not support a near-term threat.
The key takeaway: the threat is not imminent, but "harvest now, decrypt later" attacks are already feasible. State-level actors can record encrypted blockchain data today and decrypt it once quantum hardware matures. For long-dormant wallets holding exposed keys, this is particularly relevant.
---
Proposed Migration Paths for Bitcoin
The Bitcoin ecosystem has several options for addressing quantum vulnerability. None is trivial; all require significant coordination or protocol changes.
Voluntary Migration to Quantum-Safe Addresses
The simplest short-term measure requires no protocol change: wallet developers and users can migrate funds from exposed P2PK and reused P2PKH addresses to freshly generated addresses that have never had their public keys revealed. This does not make Bitcoin quantum-safe permanently, but it removes the most immediate exposure by eliminating the "key already known" category of risk.
This approach depends entirely on user action and cannot help owners of lost or abandoned wallets with exposed keys.
Post-Quantum Signature Scheme Soft-Fork
The most discussed longer-term solution is integrating a post-quantum signature algorithm into Bitcoin via a soft-fork, allowing it to be activated without splitting the chain if a sufficient miner majority adopts it.
Candidate signature schemes from the NIST Post-Quantum Cryptography standardisation process include:
- CRYSTALS-Dilithium (ML-DSA): A lattice-based signature scheme. NIST finalised it as FIPS 204 in August 2024. Signature sizes are around 2.4 KB (Dilithium3), versus 71 bytes for ECDSA, representing a significant block space overhead.
- FALCON (FN-DSA): Also lattice-based, with smaller signatures (~666 bytes for FALCON-512) but more complex implementation requirements.
- SPHINCS+ (SLH-DSA): A hash-based scheme requiring no number-theoretic assumptions. Signatures are large (8–50 KB), making it impractical for Bitcoin's block size constraints without additional engineering.
The signature size problem is not trivial. A Bitcoin block can hold roughly 2,000 to 3,000 typical ECDSA transactions. Replacing ECDSA with Dilithium3 would reduce that to several hundred per block at current limits, raising fees and reducing throughput unless SegWit-style witness discounts or other block size adjustments accompany the upgrade.
Taproot and Script-Level Flexibility
Bitcoin's Taproot upgrade (BIP 341, activated November 2021) introduced Schnorr signatures and a more flexible scripting system (Tapscript). Importantly, Tapscript's `OP_SUCCESS` opcodes allow future soft-forks to introduce new signature verification opcodes without a hard fork. This means a new opcode such as `OP_CHECKDILITHIUMSIG` could theoretically be introduced via soft-fork, allowing users to opt into PQC signatures gradually.
Proposals along these lines have been discussed in Bitcoin development mailing lists, though none has reached the BIP proposal stage with significant developer consensus as of early 2025.
Burning or Freezing Exposed Legacy Coins
A more controversial proposal involves freezing or burning P2PK outputs above a certain age threshold, effectively confiscating Satoshi-era coins before a quantum attacker can claim them. This is contentious for obvious reasons: it violates Bitcoin's property rights ethos and requires a hard fork. Most serious proposals treat this as a measure of absolute last resort, if any, and it remains deeply unpopular in the Bitcoin developer community.
Hybrid Schemes
Some researchers advocate hybrid cryptographic schemes that combine an existing ECDSA signature with a PQC signature. A transaction would require both to be valid, meaning an attacker would need to break both systems simultaneously. This provides a conservative security upgrade without fully trusting the maturity of new PQC implementations, which may carry their own, as-yet-undiscovered classical vulnerabilities.
---
The Wider Ecosystem Response
Bitcoin is not the only network grappling with quantum risk. Ethereum, Solana, and virtually every blockchain using ECDSA or similar elliptic-curve schemes face the same structural exposure. The urgency of the migration question has accelerated industry activity.
NIST's finalisation of ML-DSA, FN-DSA, and SLH-DSA in August 2024 gave blockchain developers concrete, government-vetted targets to build against. Several projects are already implementing lattice-based cryptography at the wallet and protocol layer. BMIC.ai, for instance, has built post-quantum cryptographic protection using NIST PQC-aligned lattice-based schemes directly into its wallet infrastructure, positioning it as an early mover in quantum-resistant custody.
The broader point is that the migration away from ECDSA is an industry-wide engineering challenge, not a problem unique to Bitcoin, and the sooner protocol work begins, the more time there is for testing, debate, and safe deployment.
---
Key Takeaways
- Bitcoin's ECDSA-based signatures are vulnerable to Shor's algorithm running on a cryptographically relevant quantum computer, but such hardware does not yet exist.
- The most immediately at-risk funds are P2PK outputs (public key permanently exposed) and coins held at reused addresses. Estimates put 1 to 1.7 million BTC in P2PK outputs alone.
- Even non-exposed outputs face a mempool-interception risk if a CRQC fast enough to crack keys in under 10 minutes ever exists.
- Realistic timelines for a CRQC capable of breaking secp256k1 range from 15 to 30+ years, though government agencies recommend planning now.
- Viable migration paths include voluntary address migration, PQC soft-forks using NIST-standardised schemes (ML-DSA, FN-DSA), hybrid signature schemes, and Tapscript opcode extensions. All involve meaningful trade-offs in signature size, throughput, and ecosystem coordination.
- SHA-256 (used for proof-of-work) is significantly less vulnerable: Grover's algorithm halves its effective security but does not break it.
Frequently Asked Questions
Can a quantum computer hack Bitcoin right now?
No. Current quantum computers have between 1,000 and 1,500 physical qubits with high error rates. Breaking Bitcoin's secp256k1 elliptic curve with Shor's algorithm is estimated to require hundreds of millions of fault-tolerant logical qubits. That level of hardware does not exist and is not expected for at least 15 years under most analyst timelines, though planning should begin well in advance.
Which Bitcoin addresses are most at risk from a quantum attack?
Pay-to-Public-Key (P2PK) outputs are the highest risk because the raw public key is permanently exposed on-chain, allowing a quantum attacker to compute the private key without waiting for a spend. Reused P2PKH addresses, where the public key was revealed in a prior outgoing transaction, are also high risk. Fresh, never-spent P2PKH and P2WPKH addresses are comparatively safer but still vulnerable at the moment of spending.
What is the 'harvest now, decrypt later' threat?
State-level actors or well-resourced adversaries can record on-chain data today, including exposed public keys and transaction signatures, and store it until quantum hardware matures enough to break ECDSA. For wallets holding static, exposed P2PK outputs, this means the attack window has effectively already started, even if no practical CRQC exists yet.
What post-quantum signature schemes are being considered for Bitcoin?
The leading candidates are CRYSTALS-Dilithium (now ML-DSA, FIPS 204), FALCON (FN-DSA), and SPHINCS+ (SLH-DSA), all standardised by NIST in August 2024. ML-DSA and FN-DSA are lattice-based and offer the best balance of security and signature size for Bitcoin's block space constraints. SPHINCS+ uses only hash functions but produces very large signatures, making it less practical without significant engineering work.
Would fixing Bitcoin's quantum vulnerability require a hard fork?
Not necessarily. Bitcoin's Tapscript framework, introduced with Taproot in 2021, allows new signature verification opcodes to be added via soft-fork using OP_SUCCESS placeholders. A new opcode supporting a PQC signature scheme could in theory be deployed as a soft-fork, allowing gradual opt-in. However, the larger signature sizes of PQC schemes would still require careful block space management, potentially requiring additional protocol adjustments.
Does the quantum threat affect Bitcoin mining (proof-of-work)?
Only marginally. SHA-256, used in Bitcoin's proof-of-work, is vulnerable to Grover's algorithm, which reduces its effective security from 256 bits to 128 bits. A 128-bit security level is still considered very strong, and the hardware cost of applying Grover's algorithm to mining would be prohibitive compared to classical ASIC mining for the foreseeable future. The signature vulnerability via Shor's algorithm is the far more pressing concern.