Bitcoin’s Quantum Threat: 30% of BTC at Risk from Future Computers

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

As quantum computing advances from theoretical milestone to practical engineering, Bitcoin faces a critical vulnerability that could expose nearly a third of its total supply. The threat centers not on the network’s foundational hashing, but on its digital signature system, which future quantum machines could break using established algorithms. This has triggered a mobilization across the crypto industry, from protocol proposals like BIP 360 to corporate advisory boards, as developers race against an uncertain timeline to implement quantum-resistant solutions before powerful quantum computers become operational.

Key Points

  • Shor's algorithm threatens Bitcoin's ECDSA signatures by enabling quantum computers to derive private keys from public keys, while SHA-256 hashing remains secure against quantum attacks.
  • Recent quantum computing milestones like Google's Willow system demonstrate scaling progress, while estimates of the qubits needed to break Bitcoin's signatures have fallen from 20 million to around 100,000.
  • Migration to quantum-safe addresses faces governance challenges, including potential freezing of Satoshi's coins and achieving network consensus before quantum capability arrives.

The Signature Vulnerability: Shor's Algorithm vs. Bitcoin's Keys

The core quantum risk to Bitcoin, as detailed by BIP 360 co-author Hunter Beast and cybersecurity executive Alex Pruden, lies in its use of elliptic curve cryptography for digital signatures. While Bitcoin’s SHA-256 hashing algorithm is considered secure against quantum attacks for the foreseeable future—requiring a hypothetical quantum computer “bigger than the moon” to break using Grover’s algorithm—the signature scheme is far more fragile. Shor’s algorithm, developed by Peter Shor in 1994, enables a sufficiently powerful quantum computer to reverse-engineer a private key from its corresponding public key.

“Ownership in Bitcoin is entirely conferred by your ability to sign a digital signature,” explained Alex Pruden of Project Eleven during a panel at ETH Denver. “With Shor’s algorithm, just knowing your public key—the thing that’s supposed to be safe to share—is enough to reverse engineer your private key. That means I own your Bitcoin simply by knowing your public key.” This creates a direct attack vector that is distinct from breaking the blockchain’s proof-of-work. The urgency stems from the fact that public keys are exposed on the blockchain whenever coins are spent from a legacy “pay-to-public-key” address, a common practice in Bitcoin’s early years.

The Scale of Exposure and Shifting Quantum Timelines

The scale of the potential exposure is significant. According to Project Eleven’s “Bitcoin Risq List,” over 6.9 million BTC, worth approximately a third of the total supply, reside in addresses with exposed public keys. This includes around 1.7 million coins mined in Bitcoin’s infancy. “Basically, a third of the supply would be vulnerable to what we call a long exposure attack,” stated Hunter Beast. This vast pool of potentially vulnerable assets includes coins that may belong to Bitcoin’s enigmatic creator, Satoshi Nakamoto, which presents a unique governance challenge.
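An added example, not from the article or from Project Eleven, of the kind of check behind an "exposed public key" figure: it classifies unspent outputs by whether their signing key is already visible on-chain, either because the output script itself carries the key (the legacy pay-to-public-key case from the article, plus taproot outputs, which this example includes beyond what the text covers) or because an earlier spend from the same script revealed it. All scripts, txids and values are constructed placeholders.

```python
"""Flag UTXOs whose public key is already on-chain (constructed data; not the
Project Eleven Risq List methodology, just the classification it implies)."""
from dataclasses import dataclass

OP_CHECKSIG, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_1 = 0xAC, 0x76, 0xA9, 0x88, 0x51


def script_kind(spk: bytes) -> str:
    """Recognise common scriptPubKey templates by their byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"      # <33|65-byte pubkey> OP_CHECKSIG: key sits in the script
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"     # only HASH160(pubkey) on-chain until the output is spent
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"    # segwit v0: 20-byte key hash, key revealed in witness on spend
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"      # taproot: 32-byte x-only output key is in the script itself
    return "other"         # p2sh/p2wsh/unknown: not classified by this example


KEY_IN_SCRIPT = {"p2pk", "p2tr"}


@dataclass(frozen=True)
class Output:
    txid: str
    vout: int
    script_pubkey: bytes
    value_sat: int


def exposed_value(utxos, spent):
    """Return {(txid, vout): (kind, reason, value)} for outputs a Shor-capable
    adversary could target: key in the script, or the same script already
    spent from (that spend's scriptSig/witness revealed the key: address reuse)."""
    revealed = {o.script_pubkey for o in spent}
    report = {}
    for o in utxos:
        kind = script_kind(o.script_pubkey)
        if kind in KEY_IN_SCRIPT:
            report[(o.txid, o.vout)] = (kind, "key in script", o.value_sat)
        elif o.script_pubkey in revealed:
            report[(o.txid, o.vout)] = (kind, "reused script", o.value_sat)
    return report


# Constructed sample chain state (placeholder keys/hashes, not real ones).
PK = b"\x02" + bytes(range(1, 33))  # 33-byte compressed-key placeholder
P2PK = bytes([33]) + PK + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = b"\x00\x14" + b"\x22" * 20
P2TR = bytes([OP_1, 0x20]) + b"\x33" * 32
SPENT = [Output("a", 0, P2PKH, 100)]  # an earlier spend from this script revealed its key
UTXOS = [Output("b", 0, P2PK, 50_00000000), Output("c", 0, P2PKH, 10),
         Output("d", 1, P2WPKH, 20), Output("e", 0, P2TR, 30)]
```

Summing the reported values over a full UTXO set is what turns this per-output check into a supply-at-risk number; output "d" is the only one above that stays unexposed until it is spent.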

Estimates of the quantum computing power required to execute such an attack are rapidly evolving, underscoring the accelerating pace of the field. In 2021, researchers projected a need for roughly 20 million qubits to break Bitcoin’s cryptography. Last week, researchers at Iceberg Quantum suggested the threshold could be as low as 100,000 qubits. This shift is fueled by tangible progress, such as Google’s December 2024 announcement of its Willow quantum computer, which demonstrated below-threshold error correction—a key milestone for scaling quantum systems. “Until that point, people doubted whether quantum computing could ever scale, and Google demonstrated definitively that, yes, this can scale,” noted Pruden, pointing to work by Google and IBM.

The Race for Solutions and the Governance Hurdle

In response, the broader cryptocurrency industry is ramping up quantum planning. The Ethereum Foundation has formed a dedicated post-quantum security team, reflecting that Ethereum faces similar signature vulnerabilities. Cryptocurrency exchange Coinbase has convened an advisory board to study quantum risks, with CEO Brian Armstrong describing the issue as “solvable.” At the protocol level, proposals like BIP 360 aim to provide a technical roadmap for quantum-hardening the Bitcoin blockchain itself.

However, as BIP 360 co-author Isabel Foxen Duke emphasized, the problem extends beyond pure cryptography. “There are a lot of challenges with Bitcoin and quantum-hardening Bitcoin that have nothing to do with post-quantum cryptography,” she said. The most contentious issues are political and social. Migrating the network to quantum-safe addresses requires broad consensus, and some legacy coins may never move. Proposals to freeze ancient, vulnerable addresses—including those potentially belonging to Satoshi Nakamoto—are deeply controversial. “Getting consensus around something like that is going to be an incredibly difficult and politically challenging problem to solve,” Foxen Duke stated.

The stakes of failing to reach consensus before quantum capability arrives are existential. Foxen Duke warned of a catastrophic scenario: “If 4 million Bitcoin hit the market in a matter of hours once a quantum computer arises and somebody actually takes advantage of it, that’s a potentially Bitcoin‑project‑destroying event, regardless of whether or not we have post‑quantum cryptography.” The race is therefore twofold: a technical race to develop and deploy quantum-resistant cryptography, and a governance race to achieve the network-wide consensus necessary to implement it in time.
