
This week, Google published a study suggesting that a sufficiently powerful quantum computer could crack the underlying cryptography of bitcoin in less than nine minutes – one minute faster than the average bitcoin block confirmation time. Some analysts believe such a threat could become a reality by 2029.
The stakes are high: About 6.5 million bitcoins, worth hundreds of billions of dollars, are on addresses that a quantum computer could directly attack. Some of those coins belong to bitcoin’s pseudonymous creator, Satoshi Nakamoto. In addition, the potential compromise would damage bitcoin’s core principles of “trust the code” and “sound money.”
Here’s what that threat looks like, as well as the proposals being considered to mitigate it.
Two ways a quantum machine could attack bitcoin
Let’s break down the vulnerability first before discussing suggestions.
Bitcoin’s security rests on a one-way mathematical relationship. When a wallet is created, a private key (a secret number) is generated, and a public key is derived from it.
Spending bitcoin requires proving ownership of the private key without revealing it: the key is used to generate a cryptographic signature that the network can verify.
This system is secure because modern computers would need billions of years to break the elliptic curve cryptography – specifically the Elliptic Curve Digital Signature Algorithm (ECDSA) – in order to recover the private key from the public key. The blockchain is therefore considered computationally infeasible to compromise in this way.
However, a future quantum computer could turn that one-way street into a two-way street by computing your private key from the public key and spending your coins.
The public key is exposed in two ways: through coins sitting idle on the blockchain (long exposure attack), or through coins in motion, that is, transactions waiting in the mempool (short exposure attack).
Pay-to-public-key (P2PK) addresses (used by Satoshi and early miners) and Taproot (P2TR), the current address format activated in 2021, are vulnerable to a long exposure attack. Coins at these addresses do not need to be moved to reveal their public keys; the disclosure has already occurred and is readable by anyone on Earth, including future quantum attackers. Approximately 1.7 million BTC sit on old P2PK addresses – including Satoshi’s coins.
The short exposure attack targets the mempool – the waiting room for unconfirmed transactions. While a transaction waits there to be included in the blockchain, your public key and signature are visible to the entire network.
A quantum computer could read this data, but it would have only a short window – before the transaction is confirmed and buried under additional blocks – to compute the corresponding private key and use it.
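To make the two exposure classes concrete, here is an added example (not from the article) that classifies raw scriptPubKeys by bitcoin's standard output templates and tallies how much of a constructed sample UTXO set is already exposed. Opcode values and templates are the standard ones; the key bytes, hashes and amounts are constructed filler. It also covers one case the text does not spell out: a hash-based address (P2PKH, P2WPKH) that has already signed a spend has its public key on chain too, so once an output is known to be at a reused address it is counted as long exposure.

```python
# Added example: which output types put the public key on chain ("long" exposure)
# and which only reveal it at spend time ("short" exposure, while in the mempool).
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_script(script):
    """Return (output_type, exposure) for a raw scriptPubKey given as bytes."""
    n = len(script)
    # P2PK: <33-byte compressed or 65-byte uncompressed pubkey> OP_CHECKSIG.
    # The public key itself is the locking script, so it is on chain forever.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        if (n == 35 and script[1] in (0x02, 0x03)) or (n == 67 and script[1] == 0x04):
            return ("P2PK", "long")
    # P2TR: OP_1 <32-byte x-only output key>. The output key is a public key too.
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return ("P2TR", "long")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG.
    # Only a hash of the key is on chain until the coins are spent.
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return ("P2PKH", "short")
    # P2WPKH: OP_0 <20-byte hash>.
    if n == 22 and script[0] == OP_0 and script[1] == 20:
        return ("P2WPKH", "short")
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL, and P2WSH: OP_0 <32-byte hash>.
    # Both commit only to a hash of a script; any keys inside stay hidden until spend.
    if n == 23 and script[0] == OP_HASH160 and script[1] == 20 and script[-1] == OP_EQUAL:
        return ("P2SH", "short")
    if n == 34 and script[0] == OP_0 and script[1] == 32:
        return ("P2WSH", "short")
    return ("unknown", "unknown")


def tally_exposure(utxos, reused_scripts=frozenset()):
    """Sum amounts per exposure class. A hash-based output whose script has already
    been spent from (address reuse) has its key on chain, so it counts as long."""
    totals = {"long": 0.0, "short": 0.0, "unknown": 0.0}
    for script, amount_btc in utxos:
        _kind, exposure = classify_script(script)
        if exposure == "short" and script in reused_scripts:
            exposure = "long"
        totals[exposure] += amount_btc
    return totals


# Constructed sample outputs (key and hash bytes are filler, not real keys).
P2PK_COMPRESSED = bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])
P2PK_UNCOMPRESSED = bytes([65, 0x04]) + b"\x22" * 64 + bytes([OP_CHECKSIG])
P2TR = bytes([OP_1, 32]) + b"\x33" * 32
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x44" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x55" * 20
P2SH = bytes([OP_HASH160, 20]) + b"\x66" * 20 + bytes([OP_EQUAL])

SAMPLE_UTXOS = [
    (P2PK_UNCOMPRESSED, 50.0),  # early coinbase-style output
    (P2PK_COMPRESSED, 50.0),
    (P2TR, 1.5),
    (P2PKH, 2.0),               # at a reused address: spent from before, balance remains
    (P2WPKH, 0.25),
    (P2SH, 3.0),
]
REUSED = frozenset({P2PKH})

if __name__ == "__main__":
    for script, amount in SAMPLE_UTXOS:
        print(classify_script(script), amount)
    print(tally_exposure(SAMPLE_UTXOS, REUSED))
```

Run over a real UTXO snapshot, the same classifier is how one arrives at figures like the 1.7 million BTC on P2PK outputs quoted above; the reused-address adjustment is what pushes the total of directly attackable coins higher than the P2PK and P2TR sums alone.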
Initiatives
BIP 360: Public Key Removal
As noted earlier, every new bitcoin address created with Taproot today permanently reveals its public key on the blockchain, giving a future quantum computer a lasting target.
The BIP 360 bitcoin improvement proposal stops embedding the public key permanently and visibly in the blockchain by introducing a new output type called Pay-to-Merkle-Root (P2MR).
Recall that a quantum computer would take the public key and recover the private key from it, giving the attacker a working copy. If the public key is not on the blockchain, the attack has no source data to work with. Meanwhile, everything else, including Lightning payments, multi-signature setups, and other bitcoin features, remains unchanged.
However, if implemented, the proposal would only protect new coins entering circulation. The 1.7 million BTC already in old vulnerable addresses present a separate problem, which is addressed in the other proposals below.
SPHINCS+ / SLH-DSA: hash-based post-quantum signatures
SPHINCS+ is a hash-based post-quantum digital signature scheme that avoids the quantum risks inherent in the elliptic curve cryptography used in bitcoin. While Shor’s algorithm threatens ECDSA, hash-based constructions such as SPHINCS+ are not considered vulnerable in the same way.
The scheme was standardized by the National Institute of Standards and Technology (NIST) in August 2024 as FIPS 205 (SLH-DSA) after years of public review.
The security tradeoff is size. While current bitcoin signatures are 64 bytes, SLH-DSA signatures are 8 kilobytes or more. Thus, the introduction of SLH-DSA will dramatically increase the demand for blockchain space and increase transaction fees.
As a result, proposals such as SHRIMPS (another hash-based signature scheme that is resistant to quantum attacks) and SHRINCS have already been introduced to reduce the size of signatures without compromising post-quantum security. Both developments build on SPHINCS+ and seek to preserve its security guarantee in a more practical, compact form suitable for use on the blockchain.
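Why hash-based signatures are so much larger than ECDSA’s 64 bytes is easiest to see with the simplest member of the family, a Lamport one-time signature, shown below as an added example (not from the article or from any SPHINCS+ implementation). It is not SPHINCS+/SLH-DSA itself, which layers WOTS+ and FORS into a many-time scheme with signatures ranging from roughly 8 KB for the smallest parameter set to roughly 49 KB for the largest, but the mechanism is the same: signing means revealing hash preimages, one per message bit, and every revealed preimage costs 32 bytes. The message signed here is a constructed placeholder.

```python
# Added example: Lamport one-time signature, the simplest hash-based scheme.
# Shows why hash-based signatures weigh kilobytes rather than 64 bytes.
import hashlib
import secrets

BITS = 256  # SHA-256 digest length in bits: one secret pair per message bit


def H(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets (16 KB).
    Public key: the SHA-256 hash of every secret (another 16 KB)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest, i):
    """Bit i of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, message):
    """For each bit of H(message), reveal the secret matching that bit value.
    The signature is 256 * 32 = 8192 bytes, 128x a 64-byte ECDSA signature.
    The key is ONE-TIME: signing a second message reveals secrets for both
    values of some bits, which lets anyone forge signatures on other messages."""
    digest = H(message)
    return b"".join(sk[i][_bit(digest, i)] for i in range(BITS))


def lamport_verify(pk, message, sig):
    """Hash each revealed secret and compare with the public-key entry for that bit."""
    if len(sig) != BITS * 32:
        return False
    digest = H(message)
    return all(H(sig[i * 32:(i + 1) * 32]) == pk[i][_bit(digest, i)]
               for i in range(BITS))


ECDSA_SIG_BYTES = 64


def size_ratio(sig):
    """How many ECDSA signatures' worth of block space one signature consumes."""
    return len(sig) / ECDSA_SIG_BYTES


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"constructed transaction bytes")
    print(len(sig), "bytes;", size_ratio(sig), "x ECDSA")
    print(lamport_verify(pk, b"constructed transaction bytes", sig))
```

The one-time restriction is what SPHINCS+ removes with its hash-tree structure; the larger signatures that result are the block-space cost the text describes, and the compaction proposals that build on SPHINCS+ are attacking that size rather than the underlying hash-based security argument.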
Tadge Dryja’s Commit/Reveal scheme: an emergency brake for the mempool
This proposal, a soft fork put forward by Lightning Network co-author Tadge Dryja, aims to protect transactions in the mempool from future quantum attacks. It does so by splitting the execution of a transaction into two stages: Commit and Reveal.
Imagine informing a counterparty that you will send them an email and then actually sending that email. The former is the Commit phase and the latter is the Reveal phase.
In blockchain terms, this means you first publish a cryptographic fingerprint of your intent – just a hash that reveals nothing about the transaction. The blockchain permanently records this fingerprint and the time it was made. Later, when you broadcast the actual transaction, your public key becomes visible – and yes, a quantum computer monitoring the network could deduce your private key from it and forge a competing transaction to steal your funds.
But that forged transaction is immediately rejected. The network checks: does this spending transaction have a prior commitment registered on the blockchain? Yours does. The attacker’s does not – he created it only moments ago. Your pre-registered fingerprint is your alibi.
The problem, however, is the increased cost due to splitting the transaction into two phases. So this is described as an intermediate bridge, practical to implement while the community works to build quantum security.
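The exchange described above, as an added simulation that is not part of the article and not Dryja’s specification: a toy ledger records commitments by block height and accepts a revealed transaction only if its commitment sits in an earlier block and its input is still unspent. The transactions, the tag in the hash and the block sequence are all constructed. The simulation also covers the follow-up case the text implies but does not state: an attacker who commits after seeing the reveal is "earlier" by the next block, but by then the owner’s spend has already consumed the input.

```python
# Added example: commit/reveal validation against a mempool front-runner.
import hashlib


def serialize(tx):
    """Canonical bytes of a constructed toy transaction: (input_id, destination)."""
    return f"{tx[0]}->{tx[1]}".encode()


def commitment_hash(tx):
    """The fingerprint published in the Commit phase: a tagged SHA-256 of the whole
    transaction. It reveals neither the public key nor where the coins are going."""
    return hashlib.sha256(b"commit-reveal-demo:" + serialize(tx)).digest()


class Chain:
    """Minimal ledger: records commitments by block height, then validates reveals."""

    def __init__(self):
        self.height = 0
        self.commitments = {}   # commitment hash -> height of the block that included it
        self.spent = set()      # input ids already consumed by an accepted reveal

    def mine_block(self, commits=(), reveals=()):
        """Advance one block. A reveal is accepted only if (a) its commitment was
        included in an EARLIER block and (b) its input is still unspent. Commitments
        mined in this same block do not count, so a forger who reacts to a reveal
        seen in the mempool can never be earlier than the genuine owner."""
        self.height += 1
        results = {}
        for tx in reveals:
            committed_at = self.commitments.get(commitment_hash(tx))
            ok = (committed_at is not None and committed_at < self.height
                  and tx[0] not in self.spent)
            if ok:
                self.spent.add(tx[0])
            results[tx] = ok
        for c in commits:
            self.commitments.setdefault(c, self.height)  # first commitment wins
        return results


def demo():
    chain = Chain()
    # Constructed transactions. Both spend the same input; the second is the forgery,
    # signed with a key recovered from the public key seen in the mempool.
    owner_tx = ("utxo#7", "merchant")
    attacker_tx = ("utxo#7", "attacker")

    # Block 1: the owner publishes only the hash of the intended transaction.
    chain.mine_block(commits=[commitment_hash(owner_tx)])
    # Block 2: the owner reveals. The attacker reacts instantly, committing to and
    # revealing a competing spend in the very same block.
    b2 = chain.mine_block(commits=[commitment_hash(attacker_tx)],
                          reveals=[owner_tx, attacker_tx])
    # Block 3: the attacker's commitment now predates this block, but the input is gone.
    b3 = chain.mine_block(reveals=[attacker_tx])
    return {
        "owner_spend": b2[owner_tx],
        "attacker_same_block": b2[attacker_tx],
        "attacker_next_block": b3[attacker_tx],
    }


if __name__ == "__main__":
    print(demo())
```

The two-phase cost the text mentions is visible here as well: the owner pays for a commitment in block 1 and again for the reveal in block 2, and must wait at least one block between them.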
Hourglass V2: Slowing down the spending of old coins
Proposed by developer Hunter Beast, Hourglass V2 targets the quantum vulnerability of the approximately 1.7 million BTC stored in old addresses whose public keys are already exposed.
The proposal accepts that these coins could be stolen in a future quantum attack, and suggests slowing the leakage by limiting spends of them to one bitcoin per block, to avoid a catastrophic mass liquidation overnight that could crash the market.
The analogy is a banking panic: you can’t stop people from withdrawing funds, but you can limit the pace of withdrawals to prevent a sudden collapse of the system overnight. The proposal is controversial because even this restriction is perceived by some in the bitcoin community as a violation of the principle that no outside party can interfere with your right to spend your coins.
Conclusion
These proposals have yet to be activated, and bitcoin’s decentralized governance, spanning developers, miners, and node operators, means that implementing any update will likely take time.
However, the steady stream of proposals that emerged before Google’s report published this week suggests that the issue has been on developers’ radar for a long time, which could help alleviate market fears, coindesk.com writes.