Developers and security researchers at ETHDenver recently examined how a breakthrough in quantum computing could affect Bitcoin’s security model, outlining the core risks to today’s cryptography and the practical steps needed to prepare.
Why Quantum Computing Matters for Bitcoin
Bitcoin relies on public-key cryptography for transaction authentication. Most coins are protected by signatures using the secp256k1 curve (ECDSA, and Schnorr via Taproot). A sufficiently powerful quantum computer running Shor’s algorithm could, in theory, derive a private key from a public key, enabling signature forgeries and unauthorized spends.
Hash functions used in Bitcoin addresses (SHA-256 and RIPEMD-160) are less susceptible to quantum speedups, facing at most a quadratic advantage via Grover’s algorithm. Because of this, unspent outputs that have never revealed a public key remain better protected: the public key is disclosed only when the coins are spent. By contrast, coins in outputs that already revealed a public key—such as older pay-to-public-key (P2PK) outputs or addresses with key reuse—would face elevated risk in a post-quantum world.
Immediate vs. Long-Term Risk
- Near term: There is no evidence of a quantum computer today capable of breaking Bitcoin’s elliptic-curve signatures. Most researchers view the risk as real but not imminent.
- Harvest-now, forge-later: Adversaries could archive transactions that reveal public keys and attempt to derive private keys if and when large-scale quantum machines become viable. This dynamic increases the importance of avoiding address reuse.
- Exposure varies: Outputs that have not revealed their public keys are safer in the medium term, while any funds tied to known public keys would be the first targets if practical quantum attacks emerged.
Paths to Mitigation
- Post-quantum signatures: The broader cryptography community, led in part by NIST’s post-quantum standardization program, has selected candidate schemes designed to resist quantum attacks. Adapting such algorithms to Bitcoin would require careful engineering to balance security, signature size, verification speed, and on-chain costs.
- Protocol upgrades: Introducing quantum-resistant signature types would likely require a soft fork and extensive ecosystem coordination across nodes, wallets, and exchanges, along with clear migration guidance for users.
- Wallet hygiene: Best practices—such as avoiding address reuse and promptly consolidating legacy outputs that expose public keys—can reduce exposure while longer-term solutions are developed.
- Testing and interoperability: Researchers are exploring testnets and proofs-of-concept to evaluate post-quantum constructions and their impact on bandwidth, block space, and verification times.
What to Watch Next
- Progress in post-quantum standardization and implementation benchmarks for candidate signature schemes.
- Community proposals and discussions that could crystallize into Bitcoin Improvement Proposals introducing quantum-resistant options.
- Guidance from wallet providers and custodians on address reuse, key management, and potential migration paths.
The ETHDenver discussions underscored a growing industry consensus: while quantum-capable attacks on Bitcoin do not appear imminent, proactive planning—combining better operational practices with research into post-quantum upgrades—will be essential to minimize future risks.