
Evaluating the Quantum Threat to Bitcoin

2026/06/18 06:50

A common topic of discussion in the Bitcoin community is the potential threat that quantum computers may pose to Bitcoin. This issue is frequently raised by critics of Bitcoin, and sometimes it is used to dissuade people from converting their fiat paper into sound money. The purpose of this article is to provide an academically grounded explanation of how to evaluate the threat of quantum computing and its implications for Bitcoin.

In general, quantum computers do represent a legitimate threat to certain aspects of Bitcoin and should be taken seriously by anyone who owns bitcoin. Specifically, the primary risk is to Bitcoin wallets and the cryptographic signatures used to authorize transactions. However, quantum computers do not pose the same threat to Bitcoin’s network security. The integrity of the network, which is maintained through the distributed efforts of miners and node operators, is fundamentally different from the security of individual wallets and therefore requires a separate analysis.

The Different Cryptography Behind Bitcoin

To begin, it is important to understand that Bitcoin uses different forms of cryptography for different parts of its infrastructure, and quantum computers pose different risks to each. Bitcoin wallets are built on public-key cryptography, the system that lets a user control bitcoin with a private key while sharing the corresponding public key with the rest of the network. The private keys are derived from your seed phrase, and they are used to create digital signatures that prove ownership of your bitcoin without revealing the private key itself.

Historically, Bitcoin has used the Elliptic Curve Digital Signature Algorithm (ECDSA) for this purpose, while Taproot outputs use Schnorr signatures. Although the two schemes differ in design and efficiency, both use the same curve (secp256k1) and rest on the hardness of the elliptic curve discrete logarithm problem, so both would be broken by a sufficiently powerful quantum computer running Shor’s algorithm.

Bitcoin mining, on the other hand, relies on an entirely different cryptographic primitive, the SHA-256 hash function. Hash functions serve a different purpose than digital signatures and are not affected by Shor’s algorithm. The best known quantum attack on a hash function is Grover’s algorithm, which only gives a quadratic speedup on brute-force search: it reduces the cost of finding a SHA-256 preimage from roughly 2^256 to 2^128 operations, still far out of reach, and it offers no polynomial-time break of the kind Shor provides against elliptic curves. Aggarwal et al. (2018) likewise conclude that the overheads of quantum hardware leave proof-of-work mining comparatively resistant to quantum speedup for the foreseeable future. This distinction is critical: the primary long-term quantum risk to Bitcoin is the security of wallet signatures and private keys, not the security of the proof-of-work mining system.

The Vulnerability of Public-Key Cryptography

The reason quantum computers pose a threat to Bitcoin wallets comes down to how public-key cryptography works. Under normal circumstances, it is computationally infeasible to derive a private key from a public key. This one-way mathematical relationship allows Bitcoin users to safely share public addresses while keeping control of their coins through a secret private key. 

However, Peter Shor demonstrated that a sufficiently powerful quantum computer could solve the discrete logarithm problems that underpin modern public-key cryptography, including elliptic curve systems (Shor 1995). Later work showed how this applies specifically to elliptic curve cryptography, including the type used by Bitcoin wallets (Proos and Zalka 2003). 

In practical terms, a cryptographically relevant quantum computer could potentially derive a private key from a publicly known key and use it to create valid signatures. This would allow an attacker to spend coins they do not own. 

Fortunately, this is a threat that can be managed, and the exposure depends on the output type. Legacy P2PKH and SegWit P2WPKH addresses (and the script-hash types P2SH and P2WSH) commit only to a hash of the public key or script; the key itself appears on-chain for the first time in the transaction that spends from the address. By contrast, early pay-to-public-key (P2PK) outputs and Taproot (P2TR) outputs carry the public key directly, so those keys are exposed from the moment the output is created. For this reason, minimizing address reuse is a basic hygiene rule: once a hash-based address has been spent from, its key is public forever, and any coins left in it, or sent to it later, are exposed. Two caveats apply even to fresh hash-based addresses. The protection lasts only until the first spend, and the spending transaction reveals the key while it sits unconfirmed in the mempool, so an attacker able to run Shor’s algorithm within the confirmation window could still race that spend (a scenario analysed in Aggarwal et al. 2018). The less often a public key sits exposed on-chain, the smaller the potential attack surface should large-scale quantum computers eventually become available.

Adapting Bitcoin to a Post-Quantum World

The important takeaway is that the quantum threat is not an unsolved problem in principle. If large-scale quantum computers become practical, Bitcoin would need a consensus change (a soft fork, as SegWit and Taproot were) to add a post-quantum signature scheme and address type, and users would then need to migrate their funds to it, much as holders have previously moved across address formats. The challenge is therefore not whether Bitcoin can adapt, but whether a well-reviewed scheme is deployed and users move their coins before quantum computers become capable of attacking existing signatures. Coins whose keys are lost cannot be migrated by anyone, so already-exposed dormant outputs are a separate question from the migration of active holders.

Keeping the Threat in Perspective

It is also important to keep the quantum threat in perspective. While Shor’s algorithm demonstrates that Bitcoin’s signature schemes would be vulnerable to a sufficiently powerful quantum computer, current estimates suggest that the hardware required to perform such an attack remains far beyond what exists today (Aggarwal et al. 2018). Even optimistic forecasts for cryptographically relevant quantum computers place them years, and possibly decades, into the future. 

More importantly, the arrival of such systems is unlikely to be a surprise. Researchers, governments, and technology companies around the world are actively measuring progress in quantum computing, and the capabilities required to threaten Bitcoin are well understood.

Which Bitcoin Is Most at Risk?

If large-scale quantum computers do eventually become practical, the most vulnerable bitcoin would be coins whose public keys already sit on the blockchain, in some cases for many years. This includes early outputs that reveal their public keys directly, such as the pay-to-public-key coinbase outputs believed to belong to Satoshi Nakamoto, and any reused address that has already been spent from. By contrast, unspent hash-based addresses (P2PKH, P2WPKH) provide an additional layer of protection because the public key is not revealed until the coins are spent. Taproot outputs do not have this layer: they carry the (tweaked) public key in the output itself.

While no one can predict exactly how a future quantum attack would unfold, the Bitcoin community would almost certainly receive advance warning through both developments in quantum computing and attempts to target the most exposed and valuable coins first. This would provide strong incentives for users to migrate their funds to quantum-resistant wallet standards long before the average holder faces a meaningful risk.

Practical Takeaways for Bitcoin Holders

The practical takeaway is simple: quantum computing is a real long-term issue, but it is not a reason to panic. Bitcoin holders should avoid keeping funds in addresses whose public keys have already been exposed, which means not storing bitcoin in a hash-based address that has already been spent from, and not reusing addresses. For output types that publish the key in the output itself (P2PK, Taproot), there is no pre-spend protection to preserve; the remedy there is migration once a post-quantum address type exists. Users should stay informed as the Bitcoin ecosystem develops quantum-resistant wallet standards.
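As an added example, not part of the original article: the following Python script audits a list of unspent outputs for the two exposure conditions described above (the output type publishes the key, or the address has already been spent from). Output types are recognised purely from scriptPubKey structure; the UTXO list, the placeholder keys and hashes, and the set of previously spent-from scripts are constructed sample data, and nothing is read from a node.

```python
"""Audit UTXOs for public-key exposure (added example, constructed data only)."""
from dataclasses import dataclass


def classify(spk: bytes) -> tuple[str, bool]:
    """Return (output type, key_exposed_at_creation) from scriptPubKey bytes.

    P2PK  = <push 33|65-byte pubkey> OP_CHECKSIG        -> key in the output
    P2TR  = OP_1 <32-byte x-only tweaked output key>    -> key in the output
            (Shor on the output key gives a key-path spend)
    P2PKH / P2SH / P2WPKH / P2WSH commit only to HASH160 or SHA256 of the key
    or script; the key (or the script and its keys) is revealed at spend time.
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True
    # Unknown script: treat as exposed so the audit errs on the side of caution.
    return "unknown", True


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sats: int
    script_pubkey: bytes


def at_risk_utxos(utxos, spent_from_scripts):
    """UTXOs whose controlling public key is already on chain.

    A key is exposed either because the output type publishes it (P2PK, P2TR)
    or because the same scriptPubKey was spent from before, so the spending
    transaction revealed the key (address reuse).
    """
    flagged = []
    for u in utxos:
        kind, exposed_now = classify(u.script_pubkey)
        if exposed_now:
            flagged.append((u, f"{kind}: key is in the output itself"))
        elif u.script_pubkey in spent_from_scripts:
            flagged.append((u, f"{kind}: address already spent from, key revealed"))
    return flagged


# Constructed placeholders (not real keys, hashes or addresses).
KEY33 = b"\x02" + b"\x11" * 32       # 33-byte compressed-key placeholder
HASH20_REUSED = b"\x22" * 20         # HASH160 placeholder for a reused address
HASH20_FRESH = b"\x44" * 20          # HASH160 placeholder for a fresh address
HASH32 = b"\x33" * 32                # 32-byte placeholder (x-only key / script hash)

SAMPLE_UTXOS = [
    Utxo("a", 0, 50_00000000, bytes([33]) + KEY33 + b"\xac"),               # P2PK
    Utxo("b", 1, 1_00000000, b"\x76\xa9\x14" + HASH20_REUSED + b"\x88\xac"),  # P2PKH
    Utxo("c", 0, 2_00000000, b"\x00\x14" + HASH20_FRESH),                   # P2WPKH
    Utxo("d", 0, 3_00000000, b"\x51\x20" + HASH32),                         # P2TR
    Utxo("e", 0, 4_00000000, b"\x00\x20" + HASH32),                         # P2WSH
]
# Scripts that have already appeared as spent inputs (constructed sample).
SPENT_FROM = {b"\x76\xa9\x14" + HASH20_REUSED + b"\x88\xac"}

if __name__ == "__main__":
    for u, why in at_risk_utxos(SAMPLE_UTXOS, SPENT_FROM):
        print(f"{u.txid}:{u.vout} {u.value_sats} sats  {why}")
```

Running it flags the P2PK output, the reused P2PKH output and the Taproot output, and leaves the fresh P2WPKH and P2WSH outputs alone. The P2SH/P2WSH verdicts are conservative only about the outer hash: a redeem script revealed in a past spend exposes whatever keys it contains, so a real audit would also track spent-from scripts by their inner script.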

When credible, well-reviewed quantum-resistant address types become available, users will have both the time and incentive to migrate. Until then, the core network remains secure. Bitcoin’s proof-of-work mining system is not the weak point in the quantum discussion. The responsible posture is to monitor developments, practice good wallet hygiene, and continue saving in bitcoin with confidence rather than fear.

References

Aggarwal, Divesh, Gavin Brennen, Troy Lee, Miklos Santha, and Marco Tomamichel. 2018. “Quantum Attacks on Bitcoin, and How to Protect against Them.” Ledger 3 (October). https://doi.org/10.5195/ledger.2018.127.

Proos, John, and Christof Zalka. 2003. “Shor’s Discrete Logarithm Quantum Algorithm for Elliptic Curves.” arXiv preprint quant-ph/0301141. https://doi.org/10.48550/arXiv.quant-ph/0301141.

Shor, Peter W. 1995. “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer.” arXiv preprint quant-ph/9508027. https://doi.org/10.48550/arXiv.quant-ph/9508027.

Postscript: Quantum Computing and the BIP-110 Discussion

Quantum Signature Bitcoin (QSB)

As an interesting aside, a current discussion within the Bitcoin community concerns how proposals such as BIP-110 could affect certain experimental approaches to quantum-resistant bitcoin custody. 

One such proposal, known as Quantum Signature Bitcoin (QSB), attempts to create quantum-resistant spending conditions without requiring a consensus change to Bitcoin itself. Rather than relying on elliptic curve signatures, which are vulnerable to Shor’s algorithm, QSB derives its security from cryptographic hashing, the same family of primitives as the SHA-256 used in Bitcoin mining. As discussed earlier, quantum computers are believed to pose a much smaller threat to hash functions than to elliptic curve signature schemes.

In simple terms, QSB works by embedding a large and highly specialized script directly into a Bitcoin transaction. Instead of proving ownership with an ECDSA or Schnorr signature, the spender demonstrates knowledge of secret values that satisfy a series of hash puzzles: the script commits to hashes, and the spend reveals matching preimages. This is the idea behind classic hash-based one-time signatures, and two properties of that construction are worth knowing. A spend reveals part of the secret material, so a given set of committed hashes is generally safe to spend from only once; and the script is large because it must commit to a separate hash for every bit that is to be authenticated.
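As an added illustration of the hash-puzzle idea, and not QSB’s own construction or Bitcoin Script, here is a minimal Lamport one-time signature in Python. The public key is a set of SHA-256 hashes (the puzzles), a signature reveals one preimage per bit of the message digest, and the last two functions show what an observer learns from a signature and why reusing the key leaks secret material. All keys and messages are generated or constructed inside the script.

```python
"""Lamport one-time signature over SHA-256 (added example, not QSB's scheme)."""
import hashlib
import secrets

DIGEST_BITS = 256  # we sign the SHA-256 digest of the message, bit by bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bit(digest: bytes, i: int) -> int:
    """Bit i of the digest, most significant bit of byte 0 first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 of each preimage, i.e. 512 hash puzzles."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For each digest bit, reveal the preimage of that bit's hash puzzle."""
    d = H(message)
    return [sk[i][digest_bit(d, i)] for i in range(DIGEST_BITS)]


def verify(pk, message: bytes, sig) -> bool:
    """Check that every revealed preimage hashes to the puzzle selected by the bit."""
    if len(sig) != DIGEST_BITS:
        return False
    d = H(message)
    return all(H(sig[i]) == pk[i][digest_bit(d, i)] for i in range(DIGEST_BITS))


# --- what an attacker learns, and why the key is one-time ---

def observed_preimages(pairs):
    """known[i][bit] = preimage seen for that position/bit, or None,
    collected from a list of (message, signature) pairs an observer saw."""
    known = [[None, None] for _ in range(DIGEST_BITS)]
    for message, sig in pairs:
        d = H(message)
        for i in range(DIGEST_BITS):
            known[i][digest_bit(d, i)] = sig[i]
    return known


def forge(known, message: bytes):
    """Assemble a signature for `message` from observed preimages only.
    Returns None if any required preimage has not been revealed."""
    d = H(message)
    sig = []
    for i in range(DIGEST_BITS):
        pre = known[i][digest_bit(d, i)]
        if pre is None:
            return None
        sig.append(pre)
    return sig


def fully_leaked_positions(known) -> int:
    """Positions where both preimages are public; after one signature this is
    0, after two signatures on different messages it is their digests'
    Hamming distance (about 128 on average), each of which frees a bit."""
    return sum(1 for a, b in known if a is not None and b is not None)


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"spend 1 BTC to Alice", b"spend 1 BTC to Mallory"  # constructed
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), "wrong message:", verify(pk, m2, s1))
    known = observed_preimages([(m1, s1)])
    print("forge other message from one signature:", forge(known, m2) is not None)
    known = observed_preimages([(m1, s1), (m2, sign(sk, m2))])
    print("positions fully leaked after key reuse:", fully_leaked_positions(known))
```

A plain Lamport key for a 256-bit digest commits to 512 hashes (16 KiB) and each signature carries 256 preimages (8 KiB). Committing that many hashes inside an output script, with an OP_SHA256/OP_EQUALVERIFY chain per puzzle, is what makes this family of scripts unusually large, and is where limits on script size and data pushes such as those proposed in BIP-110 intersect with it.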

BIP-110 and Quantum Resistance

The reason BIP-110 enters the discussion is that QSB relies on unusually large and complex scripts that fit within Bitcoin’s current consensus rules but fall outside the design assumptions of standard modern address types. BIP-110 proposes stricter limits on script sizes and data pushes, which would prevent the creation of new QSB-style outputs after activation. As a result, supporters of QSB argue that proposals such as BIP-110 could unintentionally eliminate one potential path toward quantum-resistant bitcoin custody.

What the Debate Reveals

Regardless of one’s opinion on either proposal, the discussion itself illustrates an important point: Bitcoin developers are not ignoring the quantum challenge. Researchers are actively exploring multiple approaches to quantum-resistant wallets and transaction schemes. Increasingly, the debate is less about whether Bitcoin can adapt to a post-quantum world and more about which solutions are most practical, secure, and compatible with Bitcoin’s long-term design goals.

The post Evaluating the Quantum Threat to Bitcoin appeared first on Abundant Mines.