Quantum Horizons: Preparing Bitcoin for the Post-Quantum Era

January 22, 2026 · 12 min read

Quantum computers could eventually break classical cryptography. This article explores the risks quantum computing poses to Bitcoin, how many coins are vulnerable, realistic timelines for attacks, and how the network can transition to post-quantum security.


Introduction

Bitcoin was designed to operate in an adversarial environment. From its inception, the system has assumed that attackers would be motivated, well-funded, and persistent. It has survived over a decade of constant scrutiny precisely because its cryptographic foundations were chosen conservatively and implemented with care. However, Bitcoin’s security assumptions rest on the limits of classical computation. A new paradigm—quantum computing—challenges those assumptions at a fundamental level.

Quantum computing promises to solve certain problems far more efficiently than classical computers. While today’s quantum machines remain experimental and error-prone, continued investment by governments and corporations has accelerated progress. If cryptographically relevant quantum computers eventually become practical, they could undermine widely used public-key cryptographic systems, including those that secure Bitcoin.

Bitcoin relies on elliptic-curve cryptography to protect ownership. Private keys authorize spending, while public keys are revealed during transactions. Under classical computing assumptions, deriving a private key from a public key is computationally infeasible. Quantum algorithms change this equation. In a future where sufficiently powerful quantum machines exist, attackers could derive private keys from exposed public keys and steal funds without permission.

This possibility has sparked debate within the Bitcoin community. Some dismiss the threat as distant speculation. Others argue that preparation must begin long before quantum attacks become feasible. Organizations such as the Human Rights Foundation emphasize that Bitcoin’s role extends beyond finance; it is a tool for activists, dissidents, and people living under authoritarian regimes. For them, a failure to prepare for quantum threats is not merely a technical oversight but a moral failure.

This article examines the quantum threat in depth. It explains how quantum computing differs from classical computing, how Bitcoin’s cryptography could be affected, how many coins are vulnerable, and what timelines experts consider plausible. It also explores the ethical dilemmas posed by vulnerable coins, the technical challenges of post-quantum cryptography, and the governance hurdles involved in upgrading Bitcoin. Finally, it argues that proactive preparation is essential to preserving Bitcoin’s neutrality, security, and humanitarian value.


Foundations of Bitcoin’s Cryptographic Security

Bitcoin’s security model is built on several cryptographic primitives. Hash functions ensure immutability and proof-of-work. Digital signatures ensure ownership and authorization. While quantum computing affects both areas, public-key cryptography is the most immediate concern.

Public and Private Keys

Every bitcoin is controlled by a private key. The private key is a randomly generated number known only to its owner. From this private key, a public key is derived using elliptic-curve mathematics. Bitcoin uses the secp256k1 elliptic curve, chosen for efficiency and strong security properties.

The public key can be shared freely. Bitcoin addresses are derived from public keys through hashing and encoding. Importantly, in most modern transactions, the public key is not revealed until the moment a coin is spent. This design choice already provides a measure of protection against future cryptographic threats.
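To make that design choice concrete, here is an added example (not code from the article or from Bitcoin Core) that derives a compressed secp256k1 public key with textbook double-and-add, then builds an early pay-to-public-key output script, which carries the key itself, beside a P2PKH script and address, which carry only the key's hash160. The private key 1 is used purely because its public key is a well-known test vector.

```python
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _add(p1, p2):
    """Affine point addition on secp256k1 (y^2 = x^3 + 7); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def pubkey_from_privkey(d: int) -> bytes:
    """Compressed SEC1 encoding of d*G, computed by double-and-add."""
    assert 0 < d < N, "private key out of range"
    result, addend = None, G
    while d:
        if d & 1: result = _add(result, addend)
        addend = _add(addend, addend)
        d >>= 1
    x, y = result
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def hash160(data: bytes) -> bytes:
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def base58check(payload: bytes) -> str:
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def p2pk_script(pub: bytes) -> bytes:
    """Early output type: the public key sits in the script, readable by anyone at any time."""
    return bytes([len(pub)]) + pub + b"\xac"                   # <pub> OP_CHECKSIG

def p2pkh_script(pub: bytes) -> bytes:
    """Legacy hashed output: only hash160(pub) is on-chain until the coin is spent."""
    return b"\x76\xa9\x14" + hash160(pub) + b"\x88\xac"        # DUP HASH160 <h> EQUALVERIFY CHECKSIG

def p2pkh_address(pub: bytes) -> str:
    return base58check(b"\x00" + hash160(pub))                 # version byte 0x00 = mainnet P2PKH
```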

Digital Signatures

When a user spends bitcoin, they create a digital signature using their private key. The network verifies this signature using the corresponding public key. As long as deriving the private key from the public key is computationally infeasible, ownership remains secure.

Under classical assumptions, breaking elliptic-curve cryptography would require astronomical amounts of computing power. Even with specialized hardware, the task would take longer than the age of the universe. This is why elliptic-curve signatures are widely used across the internet, not just in Bitcoin.

Why Bitcoin Chose Elliptic Curves

Elliptic-curve cryptography offers strong security with relatively small key sizes. Smaller keys mean smaller signatures, lower bandwidth usage, and faster verification. These properties were especially important in Bitcoin’s early years, when bandwidth and storage were more constrained.

However, elliptic-curve cryptography’s security relies on the difficulty of the discrete logarithm problem. Quantum algorithms directly target this problem, making elliptic-curve systems vulnerable in a future with sufficiently powerful quantum computers.


What Makes Quantum Computing Different

Quantum computing is not simply a faster version of classical computing. It is based on fundamentally different principles that allow it to solve specific problems more efficiently.

Qubits and Superposition

Classical computers process information using bits that are either zero or one. Quantum computers use qubits, which can exist in a superposition of states. This allows quantum machines to evaluate many possibilities simultaneously under certain conditions.

Entanglement and Parallelism

Qubits can be entangled, meaning the state of one qubit is linked to the state of another. Entanglement enables forms of parallelism that have no classical analogue. While quantum computers cannot solve all problems faster, they excel at specific mathematical tasks.

Shor’s Algorithm

The most relevant quantum algorithm for Bitcoin is Shor’s algorithm. It allows a quantum computer to factor large numbers and solve discrete logarithms efficiently. This directly threatens RSA and elliptic-curve cryptography.

In practical terms, a sufficiently powerful quantum computer running Shor’s algorithm could derive a private key from a public key in a time frame short enough to steal funds.

Grover’s Algorithm

Another quantum algorithm, Grover’s algorithm, affects hash functions by providing a quadratic speedup for brute-force searches. While this impacts Bitcoin’s proof-of-work and hashing mechanisms, it does not break them outright. Hash sizes can be increased or difficulty adjusted to compensate.

The more immediate existential threat lies in public-key cryptography, not hashing.


Cryptographically Relevant Quantum Computers

Not all quantum computers pose a threat to Bitcoin. Researchers distinguish between experimental machines and cryptographically relevant quantum computers.

What Makes a Quantum Computer Relevant

A cryptographically relevant quantum computer must have enough logical qubits, low error rates, and sufficient coherence time to run Shor’s algorithm at scale. This requires error correction, which dramatically increases resource requirements.

Current State of Quantum Hardware

Today’s quantum machines have dozens to hundreds of noisy qubits. They are valuable for research but far from capable of breaking real-world cryptography. Error rates remain high, and maintaining coherence is extremely challenging.

Investment and Progress

Despite these limitations, investment in quantum computing has accelerated. Governments view quantum technology as strategically important. Major corporations are competing to achieve breakthroughs. While timelines are uncertain, progress has been steady.

Plausible Timelines

Some researchers estimate that cryptographically relevant quantum computers could emerge within a decade. Others argue it may take several decades. The uncertainty itself is a risk. Bitcoin’s conservative culture favors preparation long before a threat materializes.


How Quantum Attacks Could Target Bitcoin

Quantum attacks against Bitcoin would not be uniform. Different coins and transaction patterns present different levels of vulnerability.

Long-Range Attacks on Exposed Public Keys

Early Bitcoin address formats exposed public keys directly. Coins locked in these addresses have public keys permanently visible on the blockchain. If a quantum attacker can derive private keys from public keys, these coins could be stolen without warning.

A significant number of early coins fall into this category. Many are believed to be lost, but some may still be controlled by early adopters.

Short-Range Attacks During Transactions

Modern Bitcoin addresses typically hide public keys until a coin is spent. However, when a transaction is broadcast, the public key becomes visible. A quantum attacker with sufficient speed could, in theory, derive the private key and create a competing transaction before confirmation.

This type of attack requires extremely fast quantum computation and favorable network conditions, making it more challenging than long-range attacks. Nonetheless, it represents a potential vulnerability.

Mempool Exploitation

Unconfirmed transactions sit in the mempool before being included in a block. This window of time could be exploited by a quantum attacker targeting high-value transactions. Mitigations such as faster confirmation times or quantum-safe address types could reduce this risk.


How Many Bitcoin Are at Risk

Estimating the number of vulnerable coins is critical for understanding the scale of the problem.

Early Address Formats

A substantial number of bitcoins are locked in early address formats that expose public keys. Estimates suggest that approximately 1.72 million bitcoin fall into this category. These coins are highly vulnerable to long-range quantum attacks.

Reusable Addresses and Poor Practices

Beyond early addresses, many users reused addresses or revealed public keys through repeated transactions. These coins are also vulnerable if public keys are already exposed on-chain.

Coins That Can Still Be Secured

An additional several million bitcoin are potentially vulnerable but can still be protected by moving them to quantum-safe addresses once available. Estimates place this number at approximately 4.49 million bitcoin.

Economic Implications

At current valuations, the total value of vulnerable coins represents hundreds of billions of dollars. A successful quantum attack could destabilize markets, undermine trust, and trigger widespread panic.
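The two attack surfaces described above (keys already visible at rest versus keys revealed only at spend time) and the risk estimates in this section both come down to inspecting output scripts. The following is an added example, not code from the article, of a triage that buckets a UTXO set by exposure; the sample UTXOs, txids, keys and hashes are constructed placeholders. It also treats Taproot outputs as exposed, since a P2TR script carries the (tweaked) x-only key, a fact the article does not spell out.

```python
from dataclasses import dataclass

@dataclass
class Utxo:
    txid: str
    vout: int
    value_btc: float
    script_pubkey: bytes

def classify_script(spk: bytes):
    """Return (type, key_in_script, key_hash). key_in_script is True when the output
    script itself carries the public key (P2PK, and Taproot's x-only key in P2TR), so
    it is readable by anyone at any time; hash-based outputs show only a digest."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:   # <pubkey> OP_CHECKSIG
        return "p2pk", True, None
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "p2pkh", False, spk[3:23]
    if n == 22 and spk[:2] == b"\x00\x14":                       # OP_0 <20-byte hash>
        return "p2wpkh", False, spk[2:]
    if n == 34 and spk[:2] == b"\x51\x20":                       # OP_1 <32-byte x-only key>
        return "p2tr", True, None
    return "other", False, None

def triage(utxos, revealed_key_hashes):
    """Bucket coins by quantum exposure: 'exposed' (key already on-chain, so at risk
    at rest from a long-range attack) versus 'hidden' (key appears only when spent,
    so only the short-range window matters). revealed_key_hashes holds hash160s whose
    key was already shown in an earlier spending input, i.e. reused addresses."""
    totals = {"exposed": 0.0, "hidden": 0.0, "other": 0.0}
    findings = []
    for u in utxos:
        kind, key_in_script, key_hash = classify_script(u.script_pubkey)
        if kind == "other":
            bucket, why = "other", "unrecognised script, review manually"
        elif key_in_script:
            bucket, why = "exposed", f"{kind} output carries the public key"
        elif key_hash in revealed_key_hashes:
            bucket, why = "exposed", f"{kind} address reused after an earlier spend"
        else:
            bucket, why = "hidden", f"{kind} shows only a hash until spent; migrate it"
        totals[bucket] += u.value_btc
        findings.append((u.txid, u.vout, bucket, why))
    return totals, findings

# Constructed sample UTXO set (placeholder txids, keys and hashes; not real chain data)
FAKE_PUB = b"\x02" + b"\x11" * 32
HASH_A, HASH_B = b"\xaa" * 20, b"\xbb" * 20
SAMPLE_UTXOS = [
    Utxo("tx1", 0, 50.0, b"\x21" + FAKE_PUB + b"\xac"),            # early P2PK coin
    Utxo("tx2", 1, 1.5, b"\x76\xa9\x14" + HASH_A + b"\x88\xac"),    # P2PKH, address reused
    Utxo("tx3", 0, 0.25, b"\x00\x14" + HASH_B),                     # fresh P2WPKH
    Utxo("tx4", 0, 2.0, b"\x51\x20" + b"\x33" * 32),                # P2TR
]
REVEALED = {HASH_A}   # constructed: HASH_A's key was shown in a prior spending input
```

Calling `triage(SAMPLE_UTXOS, REVEALED)` returns the per-bucket totals and one finding per coin; on real data the script bytes would come from a node's UTXO dump and the reuse set from scanning spent inputs.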


Burn or Steal: A Moral and Technical Dilemma

If quantum attacks become feasible before Bitcoin upgrades, the community faces a difficult choice regarding vulnerable coins.

Allowing Theft

One option is to allow quantum attackers to steal vulnerable coins. This approach preserves Bitcoin’s neutrality and avoids subjective intervention. However, it rewards attackers and punishes early adopters, many of whom contributed to Bitcoin’s early success.

Allowing theft could also damage trust in the system and undermine Bitcoin’s reputation as a secure store of value.

Burning Vulnerable Coins

Another proposal is to render vulnerable coins unspendable through a protocol change. This would prevent theft but effectively confiscates coins, even if their owners are still alive and active.

Burning coins reduces total supply, benefiting remaining holders. However, it introduces subjective decisions into the protocol and undermines Bitcoin’s principle of neutrality.

Fungibility Concerns

Either approach risks harming fungibility. If some coins are treated differently based on address type or age, Bitcoin’s uniformity as money is compromised.

The Case for Proactive Migration

The best solution is to avoid the dilemma entirely by upgrading Bitcoin before quantum attacks become feasible. Proactive migration allows users to move funds voluntarily, preserving property rights and minimizing disruption.


Post-Quantum Cryptography

Transitioning Bitcoin to post-quantum security requires adopting new cryptographic primitives resistant to quantum attacks.

Hash-Based Signatures

Hash-based signatures rely on the security of hash functions rather than number-theoretic problems. They are well-studied and highly conservative. However, they often produce large signatures and may be inefficient for frequent use.
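As an added illustration (not from the article), here is a minimal Lamport one-time signature over SHA-256, the simplest hash-based scheme. It shows concretely the two costs the paragraph mentions: signatures and keys are large, and a key pair must not sign more than one message. Sizes are computed by the code; the 72-byte ECDSA figure is the usual DER maximum and is assumed only for comparison.

```python
import hashlib
import secrets

MSG_BITS = 256   # we sign the SHA-256 digest of the message, one secret pair per digest bit
CHUNK = 32       # each secret value is 32 random bytes

def keygen():
    """Private key: 256 pairs of random values. Public key: the SHA-256 of each value."""
    sk = [(secrets.token_bytes(CHUNK), secrets.token_bytes(CHUNK)) for _ in range(MSG_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> (MSG_BITS - 1 - i)) & 1 for i in range(MSG_BITS)]

def sign(sk, msg: bytes) -> bytes:
    """For each digest bit reveal one of the pair's two secrets; the other stays hidden,
    which is why a Lamport key must sign exactly one message."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash every revealed secret and compare it with the published half of the key."""
    if len(sig) != MSG_BITS * CHUNK:
        return False
    for i, bit in enumerate(_bits(msg)):
        chunk = sig[i * CHUNK:(i + 1) * CHUNK]
        if hashlib.sha256(chunk).digest() != pk[i][bit]:
            return False
    return True

def sizes(sig: bytes) -> dict:
    """Bytes carried per spend, next to a DER-encoded ECDSA signature of at most 72 bytes (assumed)."""
    return {"lamport_pubkey": MSG_BITS * 2 * CHUNK, "lamport_sig": len(sig), "ecdsa_sig_max": 72}

def reuse_exposure(msg1: bytes, msg2: bytes) -> int:
    """Count digest positions where signing both messages with one key would publish both
    secrets of a pair: the one-time limitation that makes plain Lamport unfit for frequent use."""
    return sum(a != b for a, b in zip(_bits(msg1), _bits(msg2)))
```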

Lattice-Based Cryptography

Lattice-based schemes are among the most promising post-quantum options. They offer relatively compact signatures and efficient verification. However, they are newer and less battle-tested than traditional schemes.

Multivariate and Code-Based Schemes

Other post-quantum approaches include multivariate polynomial and code-based cryptography. Each has trade-offs in terms of security assumptions, efficiency, and implementation complexity.

Standardization Efforts

Global standardization bodies are evaluating post-quantum algorithms. Bitcoin developers are closely monitoring these efforts to avoid premature adoption of schemes that may later prove insecure.


Upgrading Bitcoin

Even if suitable post-quantum schemes exist, upgrading Bitcoin is not trivial.

Soft Fork vs Hard Fork

Ideally, post-quantum upgrades would be implemented as soft forks to maintain backward compatibility. This requires careful design to ensure old nodes remain compatible.

Hard forks introduce greater risk and social friction, making them undesirable for such a critical change.

Address Migration

New address types would need to be introduced. Users would need education and incentives to move funds. Exchanges, wallets, and infrastructure providers would need to update their systems.

Signature Size and Blockchain Growth

Post-quantum signatures are often larger than elliptic-curve signatures. This could increase blockchain size and bandwidth requirements. Engineers must balance security with scalability.

Coordination Challenges

Bitcoin has no central authority. Consensus emerges through rough agreement among developers, miners, businesses, and users. Achieving alignment on a major cryptographic change will require years of discussion and testing.


Human Rights Implications

Bitcoin is more than a speculative asset. For millions of people, it is a financial lifeline.

Activists and Dissidents

In authoritarian regimes, Bitcoin allows activists to receive funds without censorship. A quantum failure could expose these individuals to severe consequences.

Nonprofits and Aid Organizations

Humanitarian organizations increasingly rely on Bitcoin to operate in hostile environments. Quantum insecurity could disrupt aid flows and endanger lives.

Financial Inclusion

In regions with unstable currencies or limited banking access, Bitcoin provides an alternative. Preserving its security is essential to maintaining trust among vulnerable populations.

Moral Responsibility

Preparing for quantum threats is not just about protecting wealth. It is about safeguarding freedom, speech, and human dignity in an increasingly digital world.


Education, Communication, and Timing

Preparation must extend beyond code.

Clear communication is essential to avoid unnecessary panic while ensuring users understand the importance of migration when the time comes. Ideally, quantum-safe address types would be introduced years in advance, allowing gradual adoption. Wallet software will play a critical role through sensible defaults, warnings, and automated tools.


Bitcoin’s Long-Term Resilience

Bitcoin has survived numerous existential threats. Each time, careful engineering and conservative decision-making prevailed.

Past upgrades demonstrate that Bitcoin can evolve without compromising its core principles. Post-quantum security can follow the same path. Bitcoin’s reluctance to change quickly is often criticized, but in this context, it ensures that changes are thoroughly vetted.

Bitcoin was designed with a long time horizon. Preparing for quantum threats aligns with its vision of durability across generations.


Conclusion

Quantum computers are not an immediate threat to Bitcoin, but they represent a foreseeable challenge that cannot be ignored. Millions of bitcoin are potentially vulnerable, and the economic and humanitarian stakes are enormous. While cryptographically relevant quantum computers may still be years away, upgrading a global, decentralized system takes time.

The good news is that solutions exist. Post-quantum cryptography is advancing, and Bitcoin’s flexible scripting system allows for gradual evolution. By preparing early, educating users, and coordinating globally, the Bitcoin community can navigate the transition without sacrificing its core values.

Bitcoin was built to operate without trust in any single authority. Preparing it for the post-quantum era ensures that it remains a tool of freedom and resilience for generations to come.

Shout out to BullishBTC.com for shining a light on the quantum frontier.



© 2025, BullishBTC. All rights reserved.