Can Quantum Computers Break Security of Bitcoin?

TL;DR

  • Main risk: Bitcoin’s digital signatures (ECDSA/Schnorr on secp256k1) could be broken by a sufficiently powerful quantum computer running Shor’s algorithm—letting an attacker derive private keys from exposed public keys. (Chaincode)
  • Hashing (SHA-256/RIPEMD-160): Grover’s algorithm only gives a quadratic speedup, reducing 256-bit security to ~128-bit—still astronomically hard at meaningful scales. Proof-of-Work would adapt via difficulty. (NIST)
  • Exposure today: An estimated ~25% of BTC (P2PK and reused P2PKH outputs with revealed public keys) is theoretically vulnerable if a large quantum computer existed. (Deloitte)
  • Timelines: We don’t have a “cryptanalytically relevant quantum computer” (CRQC) yet; credible estimates put the requirement for a fast break at thousands of error-corrected logical qubits, which means millions of physical qubits. Standards bodies have already finalized post-quantum cryptography (PQC) algorithms to migrate toward. (The Verge)
  • Mitigations: Move funds to addresses that haven’t revealed their public keys, avoid address reuse, and support future soft-forks enabling quantum-resistant signature schemes (e.g., hash-based or lattice-based). (Deloitte)

Why Bitcoin’s Security Works Today

Bitcoin’s security rests on two families of cryptography:

  1. Digital Signatures (Ownership):
    Bitcoin uses ECDSA (and since 2021, Schnorr via Taproot) over the secp256k1 elliptic curve. Your wallet signs transactions; nodes verify those signatures to ensure you’re the rightful spender. Both ECDSA and Schnorr rely on the hardness of the elliptic curve discrete logarithm problem (ECDLP). (Chaincode)
  2. Cryptographic Hashes (Integrity & Mining):
    Bitcoin relies on SHA-256 (and RIPEMD-160 in address construction: a legacy address commits to HASH160 = RIPEMD-160(SHA-256(pubkey))). Miners solve Proof-of-Work by hashing; blocks and transactions are linked by hash references, making history tamper-evident. Grover’s algorithm would, in theory, reduce a brute-force preimage search from 2²⁵⁶ to about 2¹²⁸ evaluations for SHA-256, and from 2¹⁶⁰ to about 2⁸⁰ for the 160-bit HASH160, where each evaluation would have to run the curve multiplication and both hashes inside the quantum circuit. That is still beyond any plausible near-term machine. (NIST)

Where Quantum Computers Threaten Bitcoin

1) Shor’s Algorithm vs. ECDSA/Schnorr

Shor’s algorithm can solve the discrete logarithm problem in polynomial time on a sufficiently large, fault-tolerant quantum computer. In Bitcoin terms: once a public key is visible on-chain, Shor’s could, in principle, derive the private key—allowing theft of the associated coins. Schnorr signatures don’t help here; both ECDSA and Schnorr use the same curve family and are equally vulnerable to Shor’s in the large-scale limit. (Chaincode)

How many qubits would that take? Estimates vary based on architecture and error correction assumptions, but contemporary analyses imply thousands of logical qubits (and millions of physical qubits) are needed to break strong ECC quickly—well beyond anything available today. (NYDIG)

2) Grover’s Algorithm vs. SHA-256

Grover’s algorithm speeds up unstructured search, effectively halving the exponent: a 256-bit hash offers ~128-bit security against a quantum adversary. That’s still massive. Furthermore, Proof-of-Work’s difficulty adjusts, so even a quantum advantage for miners wouldn’t “break” Bitcoin’s consensus—it would just change the competitive landscape (ASICs vs. hypothetical quantum miners), with the protocol re-targeting difficulty every 2016 blocks. (NIST)


How Much Bitcoin Is Actually at Risk?

The real-world risk depends on whether the public key is already exposed:

  • Old P2PK outputs (used heavily in Bitcoin’s early years) and
  • Reused P2PKH addresses (where spending reveals the pubkey)

…are vulnerable if an attacker gains access to a sufficiently powerful quantum computer. Several analyses (including Deloitte) have estimated that ~25% of total BTC supply—roughly ~4–6 million BTC—sits in such outputs, making them candidates for a “Q-day” drain. (Deloitte)

Recent developer discussions even floated policy ideas to freeze or steer vulnerable UTXOs toward safer spend paths should a credible quantum threat emerge—illustrating how seriously core contributors take the scenario. (CoinDesk)

Important nuance: Coins in never-spent outputs that lock to a hash of the key (P2PKH, P2WPKH, and P2SH/P2WSH wrapping a single key) are significantly safer in the short term, because the attacker would first have to invert HASH160 (Grover’s regime, roughly 2⁸⁰ quantum evaluations) before Shor even has a public key to work on. Taproot (P2TR) outputs are the exception: the tweaked output key is published directly in the scriptPubKey, so an unspent P2TR output is already exposed in the same way as P2PK. The biggest practical danger would likely be a rush to drain addresses that have already exposed their public keys as soon as a quantum machine becomes viable. (Deloitte, Chaincode)
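The exposure classes above can be read straight off the locking script. The following is an added example (not code from the Deloitte or Chaincode reports): it classifies a scriptPubKey as key-exposed, key-hidden-behind-a-hash, or script-hash, pulls the public key out of a P2PKH spend (the moment at which a hashed-key output becomes a Shor target), and tallies value per class over a constructed sample UTXO set. The sample bytes are dummies, and whether a hashed-key output was already spent from (address reuse) is an input the caller must obtain from chain history; the script alone cannot tell.

```python
from enum import Enum


class Exposure(Enum):
    EXPOSED = "public key already on-chain: Shor target once a CRQC exists"
    HIDDEN = "public key behind a hash: exposed only when this output is spent"
    SCRIPT = "script hash: depends on what the redeem/witness script contains"
    UNKNOWN = "non-standard output: inspect manually"


def classify_spk(spk: bytes, pubkey_already_revealed: bool = False) -> Exposure:
    """Classify a locking script by whether it puts a public key on-chain.

    pubkey_already_revealed: True if this hash was spent from before (address
    reuse); must come from chain history, the script alone cannot know."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac): key is in the clear.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC and spk[1] in (0x02, 0x03, 0x04):
        return Exposure.EXPOSED
    # P2TR: OP_1 (0x51) <push 32> <x-only output key>: key is in the clear too.
    if n == 34 and spk[0] == 0x51 and spk[1] == 0x20:
        return Exposure.EXPOSED
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return Exposure.EXPOSED if pubkey_already_revealed else Exposure.HIDDEN
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure.EXPOSED if pubkey_already_revealed else Exposure.HIDDEN
    # P2SH: OP_HASH160 <push 20> <hash160> OP_EQUAL ; P2WSH: OP_0 <push 32> <sha256>
    if (n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87) or (n == 34 and spk[:2] == b"\x00\x20"):
        return Exposure.SCRIPT
    return Exposure.UNKNOWN


def script_pushes(script: bytes) -> list:
    """Return the data pushes of a script (None for non-push opcodes).
    Handles direct pushes (1..75) and OP_PUSHDATA1/2/4."""
    out, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            ln = op
        elif op == 0x4C:
            ln = script[i]
            i += 1
        elif op == 0x4D:
            ln = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == 0x4E:
            ln = int.from_bytes(script[i:i + 4], "little")
            i += 4
        else:
            out.append(None)
            continue
        out.append(script[i:i + ln])
        i += ln
    return out


def pubkey_from_p2pkh_scriptsig(scriptsig: bytes):
    """A P2PKH spend is <sig> <pubkey>; the pubkey push is what Shor would target."""
    pushes = script_pushes(scriptsig)
    if len(pushes) == 2 and pushes[1] is not None and len(pushes[1]) in (33, 65):
        return pushes[1]
    return None


def tally(utxos) -> dict:
    """Sum value (sats) per exposure class over (spk, value, reused) triples."""
    totals = {e: 0 for e in Exposure}
    for spk, value, reused in utxos:
        totals[classify_spk(spk, reused)] += value
    return totals


# Constructed sample data (not real chain data); keys and hashes are dummy bytes.
PK33 = b"\x02" + b"\x11" * 32
H20 = b"\x22" * 20
SAMPLE_UTXOS = [
    (b"\x21" + PK33 + b"\xac", 50_00000000, False),           # early coinbase-style P2PK
    (b"\x76\xa9\x14" + H20 + b"\x88\xac", 1_00000000, True),   # reused P2PKH
    (b"\x76\xa9\x14" + H20 + b"\x88\xac", 2_00000000, False),  # fresh P2PKH
    (b"\x00\x14" + H20, 3_00000000, False),                    # fresh P2WPKH
    (b"\x51\x20" + b"\x33" * 32, 4_00000000, False),           # P2TR, output key exposed
    (b"\xa9\x14" + H20 + b"\x87", 5_00000000, False),          # P2SH
]
# A P2PKH scriptSig: <71-byte DER sig (dummy)> <33-byte pubkey>
SAMPLE_SCRIPTSIG = b"\x47" + b"\x30" + b"\x00" * 70 + b"\x21" + PK33

if __name__ == "__main__":
    for cls, sats in tally(SAMPLE_UTXOS).items():
        print(f"{cls.name:8s} {sats / 1e8:8.2f} BTC  ({cls.value})")
    print("pubkey revealed by spend:", pubkey_from_p2pkh_scriptsig(SAMPLE_SCRIPTSIG).hex())
```

Running this over a real UTXO snapshot (with the reuse flag derived from the spent-output index) is exactly the kind of analysis behind the “~25%” figures cited above; the P2TR row is what those older estimates typically leave out.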


Timelines: Are We Close to “Q-Day”?

Despite dramatic headlines, engineers and standards bodies don’t think we’re at the cliff’s edge:

  • Google’s 2024 Willow chip announced impressive milestones, but 105 physical qubits is not remotely enough to break modern cryptography; credible estimates still point to millions of physical qubits for near-instant ECC breaks. (The Verge)
  • Meanwhile, NIST finalized the first three PQC standards in August 2024 (FIPS 203, 204, 205)—a clear sign the world is preparing to migrate long before such a computer exists. (NIST Computer Security Resource Center)

Bottom line: not today, and likely not for years—but prudent systems (including Bitcoin) should prepare.


Practical Attack Paths—and How to Lower Your Risk Now

1) Address Reuse Is Your Enemy

Legacy P2PK outputs expose the public key from the moment they are created; hashed-key outputs (P2PKH, P2WPKH) expose it the first time you spend from them, so every later payment to the same address is sitting behind a published key. In a quantum-capable future, an attacker could derive the private key from that key and race your spend, enabling theft. Best practice: receive each payment to a fresh address, spend from an address at most once, and keep long-term holdings in outputs whose public key has not yet appeared on-chain. Note that P2TR outputs publish their (tweaked) key in the scriptPubKey, so they do not get this hash protection. (Deloitte)

2) Spend-Timing (Broadcast Racing)

If a quantum attacker exists, they could watch the mempool, extract the private key from a transaction that reveals a public key, and front-run it with a conflicting spend that pays a higher fee so miners include it first. The attack window is the time between broadcast and confirmation, so it only works if key recovery is faster than that. This is one reason to prefer output types and spend paths that minimize pubkey exposure and to consider time-locked or script-hardened spends during a migration period. (Bitcoin Optech)

3) Supply-Wide Migration Risk

Moving millions of vulnerable coins in a hurry could be chaotic. Encouraging gradual, voluntary migration now—from P2PK/reused P2PKH to safer address types and, eventually, quantum-resistant addresses—reduces the risk of a crisis later. Some analyses suggest large subsets (e.g., legacy coinbase P2PK outputs) could be moved in a relatively short number of blocks if necessary. (River)


What a Quantum-Resistant Bitcoin Might Look Like

1) Standards to the Rescue: Post-Quantum Cryptography (PQC)

In August 2024, NIST published the first PQC standards:

  • FIPS 203 (ML-KEM / Kyber) — key encapsulation
  • FIPS 204 (ML-DSA / Dilithium) — digital signatures
  • FIPS 205 (SLH-DSA / SPHINCS+) — hash-based signatures (stateless)

These algorithms are designed to resist Shor’s and Grover’s attacks, providing safe building blocks for wallets, protocols, and applications. (NIST Computer Security Resource Center)

2) What Could Bitcoin Adopt?

Bitcoin is conservative by design, but it can evolve via soft-forks (as seen with Taproot). Developers and researchers are exploring:

  • Hash-based signatures (e.g., Lamport, XMSS, SPHINCS+) that are quantum-safe today; these often have larger signatures and one-time/limited-use constraints but are simple and robust. (BitMEX Blog)
  • Lattice-based signatures (e.g., Dilithium/ML-DSA), with efficient verification and security reductions to module-lattice problems (Module-LWE / Module-SIS). (NIST Computer Security Resource Center)
  • Migration patterns like commit-delay-reveal or hybrid scripts that allow spending via both classical and PQC paths during a transition period, tucked neatly behind Taproot trees. (Chaincode)

There’s even an active proposal culture (e.g., discussions around quantum-resistant address types and BIP-level changes) to make “moving to PQC” a gradual, opt-in process—first for the most vulnerable UTXOs, then for the broader ecosystem. (Bitcoin Optech)
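To make the hash-based option concrete, here is an added example (not from the BitMEX primer or any Bitcoin code) of a Lamport one-time signature over SHA-256: one key pair per bit of the message digest, a signature reveals one half of each pair, and verification hashes the revealed halves against the public key. It also shows the two costs the list above mentions: the size (an 8 KB signature and 16 KB public key against Schnorr’s 64 bytes) and the one-time constraint, since `forge` can assemble a valid signature on any message whose digest bits are all covered by halves that earlier signatures already revealed. The message strings are constructed samples.

```python
import hashlib
import secrets

N = 256  # one (secret0, secret1) pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """sk: 256 pairs of random 32-byte secrets; pk: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes) -> list:
    """Message digest as a list of 256 bits, most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_sign(sk, msg: bytes) -> list:
    """For each digest bit, reveal the secret half that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def revealed_halves(signed_msgs) -> set:
    """(position, bit) secrets an observer has learned from published signatures.
    One signature leaks exactly 256 of the 512 halves; a second signature on a
    different message leaks both halves at every position where the digests differ."""
    seen = set()
    for m in signed_msgs:
        seen.update((i, bit) for i, bit in enumerate(digest_bits(m)))
    return seen


def forge(observed: dict, target: bytes):
    """observed maps message -> its published signature. Returns a valid signature
    on `target` if every digest bit of target is already covered by a revealed
    half, otherwise None. This is why a Lamport key must sign only once."""
    pool = {}
    for m, sig in observed.items():
        for i, bit in enumerate(digest_bits(m)):
            pool[(i, bit)] = sig[i]
    try:
        return [pool[(i, bit)] for i, bit in enumerate(digest_bits(target))]
    except KeyError:
        return None


def sizes() -> dict:
    """Byte sizes behind the 'larger signatures' caveat."""
    return {"pubkey": N * 2 * 32, "signature": N * 32, "schnorr_signature": 64}


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    m1, m2 = b"spend 1 BTC to A", b"spend 1 BTC to B"   # constructed sample messages
    s1 = lamport_sign(sk, m1)
    print("verify(m1):", lamport_verify(pk, m1, s1))
    print("halves leaked after one signature:", len(revealed_halves([m1])))
    print("halves leaked after two signatures:", len(revealed_halves([m1, m2])))
    print("forge m2 from s1 alone:", forge({m1: s1}, m2))
    print("sizes:", sizes())
```

XMSS and SPHINCS+ exist precisely to remove this one-signature-per-key limit (by hashing many one-time keys into a tree, with or without state), which is why they rather than raw Lamport are the schemes discussed for Bitcoin.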


Mining & Network Security Under Quantum Pressure

Even if a quantum miner had an advantage on hashing (via Grover-style search), it wouldn’t invalidate Bitcoin:

  • Difficulty retargets every 2016 blocks (~2 weeks), with each adjustment clamped to a factor of 4, keeping block intervals at ~10 minutes on average.
  • A quantum-equipped miner becomes just a more powerful miner; the network retargets.
  • The true systemic issue is signature forgery (ownership), not mining—because mining is designed to adapt. (NIST)
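The retargeting argument can be checked numerically. The following added example (not from any cited source or from Bitcoin Core) models a quantum miner simply as a jump in effective network hashrate, which is an assumption: Grover gives a square-root speedup per search with large constant overheads, not a clean multiplier. It implements the 2016-block retarget with the 4x clamp and shows block times returning to 600 s within a couple of periods even after a 16x jump. Bitcoin Core measures 2015 intervals per period because of a well-known off-by-one; that detail is ignored here.

```python
TARGET_TIMESPAN = 2016 * 600  # seconds: 2016 blocks at 10 minutes
MAX_ADJUST = 4.0              # each retarget is clamped to a factor of 4 either way


def retarget(difficulty: float, actual_timespan: float) -> float:
    """Difficulty for the next period given how long the last 2016 blocks took."""
    clamped = min(max(actual_timespan, TARGET_TIMESPAN / MAX_ADJUST),
                  TARGET_TIMESPAN * MAX_ADJUST)
    return difficulty * TARGET_TIMESPAN / clamped


def expected_block_time(difficulty: float, hashrate: float) -> float:
    """Difficulty 1 corresponds to about 2^32 expected hashes per block."""
    return difficulty * 2**32 / hashrate


def simulate(base_hashrate: float, hashrate_ratio: float, periods: int) -> list:
    """Network at equilibrium (600 s blocks) whose effective hashrate suddenly
    becomes base_hashrate * hashrate_ratio (the assumed quantum-miner model).
    Returns (difficulty, average block time) for each period after the jump."""
    difficulty = base_hashrate * 600 / 2**32   # equilibrium difficulty before the jump
    hashrate = base_hashrate * hashrate_ratio
    out = []
    for _ in range(periods):
        bt = expected_block_time(difficulty, hashrate)
        out.append((difficulty, bt))
        difficulty = retarget(difficulty, 2016 * bt)
    return out


def periods_to_recover(hashrate_ratio: float, tolerance: float = 0.01, limit: int = 50) -> int:
    """How many retarget periods until average block time is back within tolerance of 600 s."""
    for n, (_, bt) in enumerate(simulate(2**32, hashrate_ratio, limit)):
        if abs(bt - 600) <= 600 * tolerance:
            return n
    return limit


if __name__ == "__main__":
    for ratio in (2.0, 16.0, 1000.0):
        for i, (d, bt) in enumerate(simulate(2**32, ratio, 6)):
            print(f"ratio x{ratio:>6}: period {i}  difficulty {d:12.1f}  block time {bt:8.1f}s")
        print(f"  recovered after {periods_to_recover(ratio)} period(s)")
```

The clamp is the interesting part: a 16x jump is absorbed in two periods (37.5 s blocks, then 150 s, then 600 s), while a 1000x jump needs five, during which blocks come far faster than intended. That is the “changed competitive landscape” in practice, not a broken consensus, and the same mechanism would work in reverse if quantum hashpower left.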

So…Could Quantum Computers Break Bitcoin?

**Yes, in principle, specifically the signature layer**, but not with any machine that exists today. The credible path to a “Bitcoin break” requires fault-tolerant, error-corrected quantum computers with thousands of logical qubits (millions of physical qubits) capable of running Shor’s at scale within transaction-race time windows. That is a big technological leap still over the horizon, and industry and governments are already laying the groundwork to migrate critical systems to PQC well before that day. (The Verge)


What You Can Do Now (User-Level Checklist)

  1. Don’t reuse addresses. Use fresh addresses for incoming funds. (Deloitte)
  2. Consolidate away from legacy P2PK and reused P2PKH outputs when feasible. (Deloitte)
  3. Watch wallet vendors for PQC roadmaps (hybrid ECDSA+PQC, Taproot-hidden PQC paths). (NIST Computer Security Resource Center)
  4. Follow Core dev guidance and BIPs on quantum-resistant address types and migration practices. (Bitcoin Optech)
  5. Plan governance/ops: exchanges, custodians, and treasuries should draft migration playbooks (key rotation windows, mempool policies, spend batching, fee strategies) to avoid chaos during a future cutover. (Chaincode)

FAQs

Is Taproot/Schnorr quantum-safe?
No. Schnorr uses the same secp256k1 curve family—excellent classically, but vulnerable to Shor’s in the large-scale limit. (Chaincode)

Could a quantum computer forge blocks or rewrite history?
Hashes are affected only quadratically by Grover’s algorithm. Difficulty would adjust, and honest hashpower could still compete. The existential threat is signature forgery, not hashing. (NIST)

How many coins are at risk if Q-day arrived tomorrow?
Analyses suggest ~25% of supply (old P2PK and reused P2PKH outputs) has exposed pubkeys and is thus most vulnerable. The rest—where pubkeys aren’t revealed—are safer in the near term. (Deloitte)

Are there quantum-safe blockchains already?
Some projects experiment with hash-based or lattice-based signatures by default, but none match Bitcoin’s network effects/liquidity. For Bitcoin, the more credible path is a gradual PQC upgrade via soft-forks and wallet migrations. (NIST Computer Security Resource Center)


Conclusion

A sufficiently powerful quantum computer could break Bitcoin’s signature layer by exploiting exposed public keys. But we’re not there yet—and the ecosystem has time to prepare. The smartest path is boring and incremental: discourage address reuse, help vulnerable UTXOs migrate early, and adopt PQC-capable address types and scripts through well-tested soft-forks. With standards like FIPS 203/204/205 now finalized, the tools are on the shelf; it’s about engineering the smoothest possible transition before the need becomes urgent. (NIST Computer Security Resource Center)


References

  • NIST Post-Quantum Standards (FIPS 203/204/205), Aug 13, 2024. (NIST Computer Security Resource Center)
  • Chaincode Labs: Bitcoin and Quantum Computing: Current Status and Research Directions (technical overview of mitigation patterns and scripts). (Chaincode)
  • Deloitte: Analysis of quantum-vulnerable BTC in P2PK and reused P2PKH. (Deloitte)
  • River Financial Learn: Practical notes on vulnerable address types and migration considerations. (River)
  • Grover’s impact on SHA-256 security (quadratic speedup; still huge search space). (NIST)
  • Google “Willow” coverage: current devices cannot break modern crypto; multi-million-qubit regime needed. (The Verge)
  • Bitcoin Optech: Quantum-resistance topic hub; podcast on introducing new signature algos via soft-fork. (Bitcoin Optech)
  • BitMEX Research: Lamport signatures primer (hash-based, quantum-safe). (BitMEX Blog)
