Quantum computers capable of cracking the Bitcoin blockchain do not exist today. However, developers are already considering a wave of updates to build defenses against the potential threat, and rightly so, as the threat is no longer hypothetical.
This week, Google published research suggesting that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in less than nine minutes, a minute faster than Bitcoin’s average block settlement time. Some analysts believe such a threat could become a reality in 2029.
The stakes are high: About 6.5 million bitcoin tokens, worth hundreds of billions of dollars, are in addresses that a quantum computer could target directly. Some of these coins belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. Furthermore, the potential compromise would damage Bitcoin’s core principles: “trust the code” and “sound money.”
Here’s what the threat looks like, along with proposals being considered to mitigate it.
Two ways a quantum machine could attack Bitcoin
Let’s first understand the vulnerability before discussing the proposals.
Bitcoin security is based on a one-way mathematical relationship. When you create a wallet, a private key (a secret number) is generated, and a public key is derived from it.
Spending bitcoin tokens requires proving ownership of a private key, not by revealing it, but by using it to generate a cryptographic signature that the network can verify.
This system is considered foolproof because it would take today’s computers billions of years to break the elliptic curve cryptography involved (specifically the Elliptic Curve Digital Signature Algorithm, ECDSA) and reverse-engineer the private key from the public key. The blockchain is therefore said to be computationally secure.
But a future quantum computer could turn this one-way street into a two-way street: derive the private key from the public key and drain the coins it controls.
A public key is exposed in two ways: through idle coins on the chain whose address type reveals the key (the long exposure attack), or through moving coins, that is, transactions waiting in the memory pool (the short exposure attack).
Pay-to-Public-Key (P2PK) addresses (used by Satoshi and early miners) and Taproot (P2TR), the current address format activated in 2021, are vulnerable to the long exposure attack. Coins at these addresses do not need to move to reveal their public keys; the exposure has already occurred, and the keys are readable by anyone on Earth, including a future quantum attacker. Approximately 1.7 million BTC sit in old P2PK addresses, including Satoshi’s coins.
Short exposure is tied to the mempool, the waiting room for unconfirmed transactions. While transactions sit there waiting to be included in a block, their public key and signature are visible to the entire network.
A quantum computer could read that data, but it would have only a brief window (before the transaction is confirmed and buried under additional blocks) to derive the corresponding private key and act on it.
Initiatives
BIP 360: Public key deletion
As noted above, every new Bitcoin address created today with Taproot permanently exposes a public key on-chain, giving a future quantum computer a target that never goes away.
Bitcoin Improvement Proposal (BIP) 360 removes the public key that is permanently embedded in the chain and visible to everyone by introducing a new output type called Pay-to-Merkle-Root (P2MR).
Remember that a quantum computer studies the public key, reverse-engineers the exact private key from it, and forges a working copy. If the public key is removed from the chain, the attack has nothing to work on. Meanwhile, everything else, including Lightning payments, multi-signature setups, and other Bitcoin features, stays the same.
However, if implemented, this proposal would protect only new coins. The 1.7 million BTC already sitting in old exposed addresses is a separate issue, addressed by other proposals below.
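To make the difference between "key on-chain" and "key behind a hash" concrete, here is an added, simplified model (not BIP 360’s own code or exact construction) of a Merkle-root output. The spending conditions, each containing a public key, are leaves of a Merkle tree; only the 32-byte root is published when coins are received, and a leaf plus its proof is revealed only when the coins are spent. The tag names, placeholder keys and script bytes are constructed for the example.

```python
import hashlib

# Constructed placeholder keys (not real secp256k1 points); they stand in for user public keys.
PUBKEY_A = b"\x02" + bytes(range(1, 33))
PUBKEY_B = b"\x03" + bytes(range(33, 65))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def tagged_hash(tag: str, data: bytes) -> bytes:
    # Domain separation in the style of BIP 340 tagged hashes: leaves and branches
    # hash under different tags so one can never be mistaken for the other.
    t = sha256(tag.encode())
    return sha256(t + t + data)


def leaf_hash(script: bytes) -> bytes:
    return tagged_hash("ExampleP2MR/leaf", script)


def branch_hash(a: bytes, b: bytes) -> bytes:
    # Siblings are sorted before hashing, so a proof needs no left/right flags.
    lo, hi = sorted((a, b))
    return tagged_hash("ExampleP2MR/branch", lo + hi)


def _next_level(level: list[bytes]) -> list[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]  # duplicate an odd trailing node (proof generation does the same)
    return [branch_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(scripts: list[bytes]) -> bytes:
    level = [leaf_hash(s) for s in scripts]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(scripts: list[bytes], index: int) -> list[bytes]:
    # Sibling hashes from the chosen leaf up to the root.
    level = [leaf_hash(s) for s in scripts]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        level = _next_level(level)
        index //= 2
    return proof


def verify_spend(root: bytes, script: bytes, proof: list[bytes]) -> bool:
    # What a node checks at spend time: the revealed leaf must hash up to the committed root.
    h = leaf_hash(script)
    for sibling in proof:
        h = branch_hash(h, sibling)
    return h == root


def p2pk_output(pubkey: bytes) -> bytes:
    # Legacy pay-to-public-key: the key itself sits in the output script, on-chain forever.
    return pubkey + b"\xac"  # 0xac is OP_CHECKSIG


def p2mr_output(scripts: list[bytes]) -> bytes:
    # Model of a pay-to-Merkle-root output: only the root is published when coins arrive.
    return merkle_root(scripts)


def key_visible_before_spend(output: bytes, pubkey: bytes) -> bool:
    return pubkey in output


# Constructed spending conditions: a plain key check and a timelocked alternative key.
SCRIPTS = [
    PUBKEY_A + b"\xac",
    b"OP_CHECKLOCKTIMEVERIFY " + PUBKEY_B + b"\xac",
    b"OP_CHECKLOCKTIMEVERIFY " + PUBKEY_A + b"\xac",
]

if __name__ == "__main__":
    root = p2mr_output(SCRIPTS)
    print("P2PK output exposes key:", key_visible_before_spend(p2pk_output(PUBKEY_A), PUBKEY_A))
    print("P2MR output exposes key:", key_visible_before_spend(root, PUBKEY_A))
    print("spend with leaf 0 verifies:", verify_spend(root, SCRIPTS[0], merkle_proof(SCRIPTS, 0)))
```

Note that in this model the key inside a leaf is still revealed at the moment it is used to spend, which is exactly the short exposure window the mempool proposals address.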
SPHINCS+ / SLH-DSA: hash-based post-quantum signatures
SPHINCS+ is a post-quantum signature scheme based on hash functions, which avoids the quantum risks faced by the elliptic curve cryptography used by Bitcoin. While Shor’s algorithm threatens ECDSA, hash-based designs like SPHINCS+ are not considered equally vulnerable.
The scheme was standardized by the National Institute of Standards and Technology (NIST) in August 2024 as FIPS 205 (SLH-DSA) after years of public review.
The trade-off for safety is size. Current bitcoin signatures are 64 bytes; SLH-DSA signatures are 8 kilobytes (KB) or more. Adopting SLH-DSA would therefore significantly increase demand for block space and push up transaction fees.
As a result, proposals such as SHRIMPS (another hash-based post-quantum signature scheme) and SHRINCS have already been introduced to reduce signature size without sacrificing post-quantum security. Both build on SPHINCS+ and aim to retain its security guarantees in a more practical, space-efficient form suited to blockchain use.
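The following added example shows why hash-based signatures are large. It implements a Lamport one-time signature, the simplest hash-based scheme, rather than SPHINCS+ itself (which layers WOTS+ and FORS into a hypertree to get reusable keys); it is not code from the article or from any of the proposals. The size driver is the same in both: a signature is a bundle of hash preimages, one per digest bit, so with SHA-256 a Lamport signature comes to 256 × 32 bytes = 8 KB, against the 64-byte signature Bitcoin uses today.

```python
import hashlib
import secrets

N = 32          # SHA-256 output length in bytes
BITS = 8 * N    # one secret pair per message-digest bit


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    # Secret key: 256 pairs of random 32-byte preimages.
    # Public key: the SHA-256 of each preimage. Security rests only on the hash
    # being one-way; no elliptic-curve structure exists for Shor's algorithm to exploit.
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes) -> list[int]:
    d = int.from_bytes(h(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes) -> list[bytes]:
    # For each digest bit, reveal the matching preimage. Each signature exposes half of
    # the secret key, which is why a Lamport key must never sign twice.
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    if len(sig) != BITS:
        return False
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(_digest_bits(msg)))


def signature_size(sig: list[bytes]) -> int:
    return sum(len(s) for s in sig)  # 256 * 32 = 8192 bytes


ECDSA_SIG_SIZE = 64  # compact secp256k1 signature size cited in the article


def size_ratio(sig: list[bytes]) -> float:
    # How many ECDSA signatures fit in the block space one hash-based signature takes.
    return signature_size(sig) / ECDSA_SIG_SIZE


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed spend: 0.5 BTC to example destination"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("signature bytes:", signature_size(sig), "ratio to ECDSA:", size_ratio(sig))
```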
Tadge Dryja’s commit/reveal plan: an emergency brake for the mempool
This proposal, a soft fork suggested by Lightning Network co-creator Tadge Dryja, aims to protect transactions in the mempool from a future quantum attacker. It does this by splitting the execution of a transaction into two phases: commit and reveal.
Imagine telling a counterparty that you will send them an email, and then sending the email. The first step is the commit phase and the second is the reveal phase.
On the blockchain, this means you first publish a sealed fingerprint of your intent, just a hash, which reveals nothing about the transaction. The blockchain permanently timestamps that fingerprint. Later, when you broadcast the actual transaction, your public key becomes visible, and yes, a quantum computer watching the network could derive your private key from it and craft a competing transaction to steal your funds.
But that forged transaction is immediately rejected. The network checks: does this spend have a prior commitment recorded in the chain? Yours does. The attacker’s does not; it was created only moments ago. Your pre-registered fingerprint is your alibi.
The drawback is the added cost of splitting a transaction into two phases. It is therefore described as an interim bridge, practical to deploy while the community works on building full quantum defences.
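The race described above, as an added simulation (not Dryja’s code or the proposal’s exact rules): a small ledger that records commitments by block height and accepts a spend only if its commitment is already on-chain. The rule that a commitment must be at least MIN_DEPTH blocks old, and that reveals are judged before the same block’s commitments are recorded, are assumptions of this model; the coin names, destinations and placeholder key are constructed.

```python
import hashlib
from dataclasses import dataclass

MIN_DEPTH = 1  # assumption: a commitment must be at least this many blocks old before its reveal counts


@dataclass(frozen=True)
class Spend:
    outpoint: str      # the coin being spent
    destination: str   # where it is sent
    pubkey: bytes      # becomes public only when the spend itself is broadcast


def commitment_of(spend: Spend) -> bytes:
    # Phase 1 publishes only this hash. It binds the spender to outpoint, destination and
    # key without revealing any of them; an attacker cannot tell which coin it refers to.
    payload = b"|".join([spend.outpoint.encode(), spend.destination.encode(), spend.pubkey])
    return hashlib.sha256(payload).digest()


class Ledger:
    def __init__(self):
        self.height = 0
        self.commitments: dict[bytes, int] = {}   # commitment -> height where first recorded
        self.spent: set[str] = set()

    def _reveal_is_valid(self, spend: Spend) -> bool:
        if spend.outpoint in self.spent:
            return False                           # coin already gone
        seen_at = self.commitments.get(commitment_of(spend))
        if seen_at is None:
            return False                           # no prior commitment: a forged spend
        return self.height - seen_at >= MIN_DEPTH  # commitment must predate this block

    def mine_block(self, commits: list[bytes], reveals: list[Spend]) -> list[bool]:
        # Reveals are validated before this block's commitments are recorded, so a commit
        # and its reveal can never share a block. Returns one accept/reject flag per reveal.
        results = []
        for spend in reveals:
            ok = self._reveal_is_valid(spend)
            if ok:
                self.spent.add(spend.outpoint)
            results.append(ok)
        for c in commits:
            self.commitments.setdefault(c, self.height)
        self.height += 1
        return results


def run_scenario() -> dict:
    ledger = Ledger()
    pubkey = b"\x02" + bytes(32)  # constructed placeholder key
    honest = Spend("coin#1", "merchant", pubkey)

    # Block 0: the honest spender publishes only the commitment.
    ledger.mine_block([commitment_of(honest)], [])

    # Block 1: the honest reveal is broadcast and the key is now public. A quantum adversary
    # derives the private key and pushes a competing spend to its own destination, and also
    # files a commitment of its own in case it can try again later.
    forged = Spend("coin#1", "attacker", pubkey)
    honest_ok, forged_ok = ledger.mine_block([commitment_of(forged)], [honest, forged])

    # Block 2: the attacker's commitment is now old enough, but the coin was already spent.
    (late_ok,) = ledger.mine_block([], [forged])
    return {"honest": honest_ok, "forged_same_block": forged_ok, "forged_later": late_ok}


if __name__ == "__main__":
    print(run_scenario())
```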
Hourglass V2: Slowing down the spending of ancient coins
Proposed by developer Hunter Beast, Hourglass V2 targets the quantum vulnerability linked to approximately 1.7 million BTC stored at older, already exposed addresses.
The proposal accepts that these coins could be stolen in a future quantum attack and seeks to stem the bleeding by limiting spending from these addresses to one bitcoin per block, to avoid a catastrophic overnight sell-off that could tank the market.
The analogy is a bank run: you can’t stop people from withdrawing money, but you can limit the pace of withdrawals to prevent the system from collapsing overnight. The proposal is controversial because some members of the Bitcoin community consider even this limited restriction to be a violation of the principle that no outside party can interfere with your right to spend your coins.
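An added model of the rate limit as the article describes it (not Hourglass V2’s own code or exact rule set): a block-level check that spends from exposed output types may not exceed one bitcoin per block, a scheduler that shows how such spends spread across blocks, and a lower bound on how long the 1.7 million BTC would take to move at that pace. The set of rate-limited output types and the 144 blocks-per-day figure are assumptions of the model; the input amounts are constructed.

```python
from dataclasses import dataclass

SATS = 100_000_000
LEGACY_CAP_SATS = 1 * SATS   # "one bitcoin per block", as the article describes the proposal
EXPOSED_TYPES = {"P2PK"}     # assumption: only the old pay-to-public-key outputs are rate-limited
BLOCKS_PER_DAY = 144         # assumption: ~10-minute blocks


@dataclass(frozen=True)
class TxInput:
    output_type: str   # "P2PK", "P2PKH", "P2WPKH", "P2TR", ...
    amount_sats: int


def exposed_spend_total(inputs: list[TxInput]) -> int:
    return sum(i.amount_sats for i in inputs if i.output_type in EXPOSED_TYPES)


def block_is_valid(inputs: list[TxInput]) -> bool:
    # Consensus-style check a node would run on every block: spends from rate-limited
    # output types must not exceed the per-block cap. Other output types are unaffected.
    return exposed_spend_total(inputs) <= LEGACY_CAP_SATS


def schedule_exposed_spends(inputs: list[TxInput]) -> list[list[TxInput]]:
    # Packs exposed inputs into consecutive blocks in arrival order without exceeding the cap.
    blocks: list[list[TxInput]] = []
    current: list[TxInput] = []
    used = 0
    for inp in inputs:
        if inp.output_type not in EXPOSED_TYPES:
            continue
        if inp.amount_sats > LEGACY_CAP_SATS:
            # Edge case: under a literal per-bitcoin cap, a single output larger than the cap
            # could never fit in any block. A deployable rule has to say what happens here.
            raise ValueError(f"input of {inp.amount_sats} sats exceeds the per-block cap")
        if used + inp.amount_sats > LEGACY_CAP_SATS:
            blocks.append(current)
            current, used = [], 0
        current.append(inp)
        used += inp.amount_sats
    if current:
        blocks.append(current)
    return blocks


def years_to_drain(total_btc: float) -> float:
    # Lower bound on how long the exposed supply takes to move at the cap.
    blocks_needed = total_btc / (LEGACY_CAP_SATS / SATS)
    return blocks_needed / BLOCKS_PER_DAY / 365.25


if __name__ == "__main__":
    block = [TxInput("P2PK", 60_000_000), TxInput("P2PK", 50_000_000), TxInput("P2PKH", 10 * SATS)]
    print("block valid:", block_is_valid(block))
    print("blocks needed:", len(schedule_exposed_spends(block)))
    print("years to drain 1.7M BTC at the cap: %.1f" % years_to_drain(1_700_000))
```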
Conclusion
These proposals are not yet activated, and Bitcoin’s decentralized governance, which encompasses developers, miners, and node operators, means any updates will likely take time to materialize.
Still, the steady stream of proposals ahead of this week’s Google report suggests the issue has long been on developers’ radar, which may help temper market concerns.