A post by Udi Wertheimer a few weeks ago made headlines in the crypto media with a stark claim: The Lightning Network is “irretrievably broken” in a post-quantum world, and its developers can’t do anything about it. The headline traveled fast. For companies that have built real payment infrastructure on Lightning or are evaluating it, the implications were troubling.
It deserves a measured response.
Wertheimer is a respected Bitcoin developer, and his underlying concern is legitimate: quantum computers, if they ever become powerful enough, pose a real long-term challenge to the cryptographic systems that Bitcoin and Lightning depend on. That part is true, and the Bitcoin development community is already working on it seriously. But framing Lightning as “hopelessly broken” obscures more than it reveals, and the companies making infrastructure decisions deserve a clearer picture.
What Wertheimer got right
Lightning channels require participants to share public keys with their counterparty when opening a payment channel. In a world where cryptographically relevant quantum computers (CRQCs) exist, an attacker who obtains those public keys could theoretically use Shor’s algorithm to derive the corresponding private key and, from there, steal funds.
This is an actual structural property of how Lightning works.
What the headline omits
The threat is much more specific and much more conditional than “they may steal your Lightning balance.”
First, the channels themselves are protected by a hash while they are open. Funding transactions use P2WSH (Pay-to-Witness-Script-Hash), which means that the raw public keys of the 2-of-2 multi-signature script are hidden on-chain as long as the channel remains open. Lightning payments are also hash-based and routed through HTLCs (Hashed Time-Locked Contracts), which rely on the disclosure of hash preimages rather than exposed public keys. A quantum attacker passively observing the blockchain cannot see the keys they would need.
The realistic attack window is much narrower: a forced closure. When a channel is closed and a commitment transaction is broadcast on-chain, the locking script becomes publicly visible for the first time, including local_delayedpubkey, a standard elliptic curve public key. By design, the broadcasting node cannot claim its funds immediately: a CSV (CheckSequenceVerify) time lock must first expire, typically 144 blocks (about 24 hours).
In a post-quantum scenario, an attacker observing the mempool could see a commitment transaction being broadcast, extract the now exposed public key, run Shor’s algorithm to derive the private key, and attempt to spend the output before the time lock expires. HTLC outputs in a force close create additional windows, some as short as 40 blocks, approximately six to seven hours.
This is a real and specific vulnerability. But it is a timed race against an attacker who must actively solve one of the hardest math problems there is, within a fixed window, for each individual output they want to steal. It is not a passive, silent drain of all Lightning wallets simultaneously.
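To make the forced-closure window concrete, here is an added example (not code from the original post or from any Lightning implementation) that builds the BOLT 3 to_local witness script, shows that only its SHA-256 hash is committed on-chain under P2WSH, parses the to_self_delay and local_delayedpubkey out of the script once it is revealed, and converts the CSV delay into the hours an attacker would have. The two 33-byte public keys are constructed placeholders, not real curve points.

```python
import hashlib

# Opcode values from the Bitcoin Script specification.
OP_IF, OP_ELSE, OP_ENDIF = 0x63, 0x67, 0x68
OP_DROP, OP_CHECKSEQUENCEVERIFY, OP_CHECKSIG = 0x75, 0xB2, 0xAC

def push(data: bytes) -> bytes:
    """Direct push for 1..75 bytes of data (enough for keys and small numbers)."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data

def script_num(n: int) -> bytes:
    """Minimal Script number: little-endian, sign carried in the top bit (n > 0)."""
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:      # 144 = 0x90 has the top bit set, so it needs a pad byte
        out.append(0)
    return bytes(out)

def to_local_script(revocation_pubkey: bytes, to_self_delay: int, local_delayed_pubkey: bytes) -> bytes:
    """BOLT 3 to_local script: revocation path OR (CSV delay, then local_delayedpubkey)."""
    return (bytes([OP_IF]) + push(revocation_pubkey) + bytes([OP_ELSE])
            + push(script_num(to_self_delay)) + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP])
            + push(local_delayed_pubkey) + bytes([OP_ENDIF, OP_CHECKSIG]))

def p2wsh_commitment(witness_script: bytes) -> bytes:
    """All the chain carries while the output is unspent: the 32-byte SHA-256 of the script."""
    return hashlib.sha256(witness_script).digest()

def parse_to_local(witness_script: bytes):
    """Recover (to_self_delay, local_delayedpubkey) from a revealed to_local script."""
    pos = 0
    assert witness_script[pos] == OP_IF; pos += 1
    n = witness_script[pos]; pos += 1 + n            # skip the revocation pubkey push
    assert witness_script[pos] == OP_ELSE; pos += 1
    n = witness_script[pos]; pos += 1
    delay = int.from_bytes(witness_script[pos:pos + n], "little"); pos += n
    assert witness_script[pos:pos + 2] == bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP]); pos += 2
    n = witness_script[pos]; pos += 1
    pubkey = witness_script[pos:pos + n]; pos += n
    assert witness_script[pos:pos + 2] == bytes([OP_ENDIF, OP_CHECKSIG])
    return delay, pubkey

def window_hours(blocks: int, minutes_per_block: float = 10.0) -> float:
    """Length of the CSV race window, assuming the nominal 10-minute block interval."""
    return blocks * minutes_per_block / 60
```

Running `parse_to_local` on a script built with a 144-block delay yields 24 hours; the 40-block HTLC case yields about 6.7 hours, matching the windows quoted above.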
The quantum hardware reality check
Here is the part that rarely makes headlines: cryptographically relevant quantum computers do not exist today, and the gap between today’s hardware and what would be needed is huge.
Breaking Bitcoin’s elliptic curve cryptography requires solving the discrete logarithm problem for a 256-bit key, a number of approximately 78 digits, using millions of stable, error-corrected logical qubits running over an extended period. The largest number ever factored using Shor’s algorithm on real quantum hardware is 21 (3 × 7), achieved in 2012 with significant help from classical post-processing. The most recent record is a hybrid quantum-classical factorization of a 90-bit RSA number, impressive progress, but still about 2⁸³ times smaller than what would actually be needed to break Bitcoin.
Google’s quantum research is real and worth watching. The timelines discussed by serious researchers range from optimistic estimates for the late 2020s to more conservative projections for the 2030s or beyond. None of that is “your Lightning balance is at risk today.”
The development community does not stand still
Wertheimer’s formulation that Lightning developers are “helpless” is also out of step with what is actually happening. Since December alone, the Bitcoin development community has produced more than five serious post-quantum proposals: SHRINCS (324-byte stateful hash-based signatures), SHRIMPS (2.5 KB signatures across multiple devices, about three times smaller than the NIST standard), BIP-360, Blockstream’s hash-based signatures document, and proposals for OP_SPHINCS, OP_XMSS, and STARK-based opcodes in tapscript.
The correct framing is not that Lightning is broken and beyond repair. It is that Lightning, like Bitcoin itself, and like most of the Internet’s cryptographic infrastructure, requires a base layer upgrade to become quantum resistant, and that work is underway.
What this means for businesses relying on Lightning today
Lightning processes real payment volume for real businesses today: iGaming platforms, crypto exchanges, neobanks and payment service providers that move money globally for fractions of a cent with instant finality. The question companies should ask themselves is not whether to abandon Lightning because of a theoretical future threat, but whether the teams building Lightning infrastructure are paying attention to what is coming and planning accordingly.
The answer, based on the volume and quality of post-quantum research being conducted in the Bitcoin development community right now, is yes.
The Lightning Network is not irretrievably broken. It faces the same long-term cryptographic challenge as the entire digital financial system, and it has a development community actively working to address it. That is a different story than the one the headline told.