Bitcoin's path to quantum resistance

Understanding the quantum threat timeline and the cryptographic upgrades needed to protect Bitcoin for generations to come.

Quantum threat timeline

Current
Bitcoin is safe

Today's largest quantum computers have on the order of 1,000 to 1,500 noisy physical qubits and no fault tolerance. Breaking secp256k1 with Shor's algorithm is estimated to need a few thousand error-corrected logical qubits, which at current error-correction overheads means millions of physical qubits.

2030-2035
Monitoring period

Quantum computing advances may reach a point where proactive upgrades become necessary. Once a quantum-safe output type exists, early adopters should begin moving funds out of outputs whose public keys are already exposed.

2035+
Upgrade deadline

Cryptographically relevant quantum computers may emerge. Bitcoin must have quantum-resistant signatures deployed, and vulnerable funds moved, before this point.

Cryptographic vulnerabilities

ECDSA signatures

High risk

Bitcoin signs transactions on the secp256k1 elliptic curve (ECDSA, and Schnorr since Taproot). Shor's algorithm solves the discrete logarithm problem on this curve in polynomial time, so a large enough quantum computer could derive the private key from any public key that has appeared on-chain.

SHA-256 mining

Moderate risk

Grover's algorithm gives at most a quadratic speedup on brute-force search, reducing SHA-256's effective preimage security from 256 to 128 bits. That remains far out of reach, and Bitcoin's difficulty adjustment would absorb faster hashing automatically, as it did for ASICs; the practical concern is concentration of mining power among whoever owns such machines.

Reused addresses

Critical risk

Outputs that have been spent from expose their public keys in the spending transaction's scriptSig or witness, where they remain on-chain forever; Taproot (P2TR) outputs place the public key in the output itself. An estimated 4+ million BTC sit in outputs with exposed public keys.

Proposed solutions

Lattice-based signatures

NIST-standardized lattice schemes such as CRYSTALS-Dilithium (now ML-DSA, FIPS 204) offer strong security and fast verification, but much larger signatures: about 2.4 KB for ML-DSA-44 plus a 1.3 KB public key, versus 64 bytes for a BIP 340 Schnorr signature (roughly 71 bytes for a DER-encoded ECDSA signature).

NIST approved

Hash-based signatures

SPHINCS+ (standardized as SLH-DSA, FIPS 205) relies only on the security of the underlying hash function, which makes it the more conservative choice, at the cost of signatures of roughly 8 KB (17 KB for the faster-signing variant), slow signing, and verification that is slower than ECDSA.

NIST approved

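To see why a hash-only signature is both secure and large, here is a Lamport one-time signature over SHA-256. This is an added example written for this page, not SPHINCS+/SLH-DSA and not code from the original article: SPHINCS+ builds a many-time scheme out of components like this, but the two properties the text describes, security resting only on the hash and signatures in the kilobyte range, already show up in the simplest construction. The message and the second message used to demonstrate key reuse are constructed samples; keys come from os.urandom.

```python
"""Lamport one-time signature over SHA-256.

Added example, not from the original page and not SPHINCS+/SLH-DSA itself. It
is the simplest hash-based scheme and shows the two properties the text
describes: security rests only on the hash function, and signatures are large
(256 digest bits x 32-byte preimage = 8,192 bytes). The message is a
constructed sample; keys come from os.urandom.
"""
import hashlib
import os

N = 256  # bits in a SHA-256 digest, one preimage revealed per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bit(digest: bytes, i: int) -> int:
    """Bit i of the digest, most significant first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen(rng=os.urandom):
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 of each preimage (16,384 bytes in total)."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    """For each bit of H(msg) reveal the preimage for that bit value.
    The key must be used ONCE: each signature burns half of it."""
    d = H(msg)
    return b"".join(sk[i][bit(d, i)] for i in range(N))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare with the public-key entry
    selected by the corresponding digest bit."""
    if len(sig) != N * 32:
        return False
    d = H(msg)
    return all(H(sig[32 * i:32 * (i + 1)]) == pk[i][bit(d, i)] for i in range(N))


def leaked_positions(msg_a: bytes, msg_b: bytes) -> list:
    """Positions where signing both messages with one key reveals BOTH
    preimages, giving a forger free choice of that bit. This is why Lamport
    keys are one-time and why SPHINCS+ builds a many-time scheme on top."""
    da, db = H(msg_a), H(msg_b)
    return [i for i in range(N) if bit(da, i) != bit(db, i)]


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample: spend 0.1 BTC to output 0"
    sig = sign(sk, msg)
    print("signature bytes:", len(sig), "verify:", verify(pk, msg, sig))
    print("tampered:", verify(pk, msg + b"!", sig))
    print("bits exposed by one key reuse:", len(leaked_positions(msg, b"second message")))
```

The 8,192-byte signature here is the same order of magnitude as SPHINCS+'s, and for the same reason: every signed bit costs a revealed preimage. SPHINCS+ adds a Merkle hypertree so the public key shrinks to 32 bytes and one key can sign many messages safely, which is exactly the reuse problem leaked_positions exposes for plain Lamport.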
Hybrid signatures

Combine a classical signature (ECDSA or Schnorr) with a post-quantum signature during the transition, requiring both to verify. This keeps today's tooling and key derivation in use while adding quantum protection, but a hybrid output is at least as large as the post-quantum signature alone.

Recommended approach

Soft fork upgrade path

New signature schemes could be introduced through a soft fork that defines a new output type, as Taproot did with segwit version 1, so that old wallets keep working and users migrate at their own pace.

BIP in development


What Is The Quantum Threat To Bitcoin?

Quantum computers operate fundamentally differently from classical computers. Using qubits, which can be placed in superpositions of states, they run algorithms that solve certain mathematical problems, including integer factoring and discrete logarithms, exponentially faster than the best known classical algorithms.

Bitcoin's signatures (ECDSA and Schnorr, both on secp256k1) assume that computing a private key from its public key, the elliptic-curve discrete logarithm problem, is computationally infeasible. Shor's algorithm solves that problem efficiently, so a sufficiently powerful quantum computer could recover the private key behind any exposed public key, forge signatures and spend the funds.

When Will Quantum Computers Threaten Bitcoin?

Estimates vary widely, but many cryptographers put cryptographically relevant quantum computers (CRQCs) 10-20 years away. Current machines have around 1,000-1,500 noisy physical qubits, while breaking secp256k1 is estimated to need thousands of error-corrected logical qubits, which means millions of physical qubits at today's error-correction overheads.

The "harvest now, decrypt later" threat to encrypted communications has a Bitcoin analogue: public keys already visible on-chain cannot be un-exposed, so any funds behind them are effectively vulnerable today, to be collected whenever a CRQC arrives. The only protection is moving those funds to new, quantum-safe outputs before that happens.

Which Bitcoin Addresses Are Most At Risk?

The level of quantum vulnerability depends on output type and usage pattern:

  • Highest risk: P2PK outputs (early Bitcoin) and Taproot (P2TR) outputs, both of which put the public key directly in the output script
  • High risk: Any P2PKH or P2WPKH address that has ever spent funds; the public key is revealed in the spending transaction and stays on-chain forever
  • Lower risk: Addresses that have only received funds expose just a hash of the public key. The key is still revealed the moment a spend is broadcast, so even these rely on the attack taking longer than the transaction takes to confirm
  • Best practice: Never reuse addresses (spend each output fully to a fresh address) and migrate to quantum-safe output types once available
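The following script turns the risk classes above, and the "reused addresses" point from the vulnerabilities list, into a check a practitioner can run over raw output and spend data. It is an added example written for this page, not code from the original article or any Bitcoin project: it pattern-matches the standard scriptPubKey templates, then looks for a public key in the scriptSig or witness of a spend. All scripts, the dummy public key and the placeholder signature are constructed for illustration and are not valid curve points or signatures.

```python
"""Audit Bitcoin outputs for public-key exposure.

Added example, not taken from the original page. It pattern-matches raw
scriptPubKey bytes and, for spent outputs, the scriptSig or witness, and reports
whether a Shor-capable attacker would already have the public key. The sample
scripts and keys below are constructed for illustration (the keys are not real
curve points).
"""

OP_0, OP_1, OP_PUSHDATA1 = 0x00, 0x51, 0x4C
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC


def parse_pushes(script: bytes) -> list:
    """Split a script into pushed data (bytes) and other opcodes (ints).
    Handles direct pushes (0x01-0x4b) and OP_PUSHDATA1; enough for standard scripts."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            items.append(script[i:i + op])
            i += op
        elif op == OP_PUSHDATA1:
            n = script[i]
            i += 1
            items.append(script[i:i + n])
            i += n
        else:
            items.append(op)
    return items


def looks_like_pubkey(item) -> bool:
    """secp256k1 keys on-chain are 33 bytes (0x02/0x03 prefix) or 65 bytes (0x04)."""
    return isinstance(item, bytes) and (
        (len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4)
    )


def classify_output(spk: bytes) -> tuple:
    """Return (output type, exposure). 'exposed': the key is readable from the
    output itself; 'hashed': only HASH160(key) is on-chain until the output is
    spent; 'script': depends on a script that is hidden until spend."""
    it = parse_pushes(spk)
    if len(it) == 2 and looks_like_pubkey(it[0]) and it[1] == OP_CHECKSIG:
        return "P2PK", "exposed"
    if (len(it) == 5 and it[0] == OP_DUP and it[1] == OP_HASH160
            and isinstance(it[2], bytes) and len(it[2]) == 20
            and it[3] == OP_EQUALVERIFY and it[4] == OP_CHECKSIG):
        return "P2PKH", "hashed"
    if (len(it) == 3 and it[0] == OP_HASH160 and isinstance(it[1], bytes)
            and len(it[1]) == 20 and it[2] == OP_EQUAL):
        return "P2SH", "script"
    if len(it) == 2 and it[0] == OP_0 and isinstance(it[1], bytes):
        if len(it[1]) == 20:
            return "P2WPKH", "hashed"
        if len(it[1]) == 32:
            return "P2WSH", "script"
    if len(it) == 2 and it[0] == OP_1 and isinstance(it[1], bytes) and len(it[1]) == 32:
        # Taproot: the 32-byte x-only (tweaked) key is the output script itself
        return "P2TR", "exposed"
    return "unknown", "unknown"


def keys_revealed_by_spend(script_sig: bytes = b"", witness=()) -> list:
    """Public keys an observer learns once the output is spent: pushed in the
    legacy scriptSig or placed on the segwit v0 witness stack."""
    found = [x for x in parse_pushes(script_sig) if looks_like_pubkey(x)]
    found += [x for x in witness if looks_like_pubkey(x)]
    return found


def audit_utxo(spk: bytes, spent_script_sig: bytes = b"", spent_witness=()) -> dict:
    """Combine the output template with any spend data into a final verdict."""
    kind, exposure = classify_output(spk)
    revealed = keys_revealed_by_spend(spent_script_sig, spent_witness)
    if revealed:
        exposure = "exposed"  # the spend published the preimage of the hash
    return {"type": kind, "exposure": exposure, "keys": revealed}


# Constructed sample data (dummy key bytes, not valid curve points).
DUMMY_PUB = b"\x02" + bytes(range(1, 33))
DUMMY_H160 = bytes(20)
DUMMY_SIG = b"\x30" + bytes(70)  # 71-byte DER-looking placeholder
SAMPLES = {
    "p2pk": bytes([33]) + DUMMY_PUB + bytes([OP_CHECKSIG]),
    "p2pkh": bytes([OP_DUP, OP_HASH160, 20]) + DUMMY_H160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 20]) + DUMMY_H160,
    "p2tr": bytes([OP_1, 32]) + bytes(32),
}
# What a P2PKH spend puts in scriptSig: <sig> <pubkey>
SPEND_SCRIPTSIG = bytes([len(DUMMY_SIG)]) + DUMMY_SIG + bytes([len(DUMMY_PUB)]) + DUMMY_PUB

if __name__ == "__main__":
    for name, spk in SAMPLES.items():
        print(name, audit_utxo(spk))
    print("p2pkh after spend", audit_utxo(SAMPLES["p2pkh"], spent_script_sig=SPEND_SCRIPTSIG))
    print("p2wpkh after spend", audit_utxo(SAMPLES["p2wpkh"], spent_witness=[DUMMY_SIG, DUMMY_PUB]))
```

Running it on a real UTXO set means feeding each output's scriptPubKey, and for spent outputs the spending input's scriptSig and witness, into audit_utxo; anything reported "exposed" is what an attacker with Shor's algorithm could target, while "hashed" outputs are safe only until their owner broadcasts a spend.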

How Can Bitcoin Become Quantum Resistant?

The Bitcoin community is actively researching post-quantum cryptography. The most promising approaches replace or augment ECDSA and Schnorr with quantum-resistant signature schemes that NIST has standardized (ML-DSA in FIPS 204 and SLH-DSA in FIPS 205).

A transition would likely occur through a soft fork, similar to how Taproot was deployed. Users would move their funds to new output types supporting quantum-resistant signatures, while old output types would continue to work during a transition period. Moving funds requires a valid signature from the existing key, so the migration has to finish before a CRQC exists; coins whose keys are lost cannot be migrated at all, and what to do about them is an open question.

The main challenge is signature size: post-quantum signatures are tens to hundreds of times larger than a 64-byte Schnorr signature, so each transaction consumes far more block space. Ongoing research focuses on optimizing these algorithms and on Bitcoin-specific implementations.
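To put the block-space cost in numbers, the following model computes the weight of a minimal one-input, one-output transaction whose signature and public key sit in the witness, and how many such transactions fit in one block. This is an added example written for this page, not code from the original article or from Bitcoin Core. The signature and key sizes are the published ones (BIP 340 for Schnorr, FIPS 204 for ML-DSA, FIPS 205 for SLH-DSA); the transaction layout, and the choice to put both signature and key in the witness for every scheme, are assumptions made so the schemes can be compared on equal terms.

```python
"""Block-space cost of post-quantum signatures under Bitcoin's weight rules.

Added example, not from the original page. It models a minimal 1-input,
1-output transaction whose signature and public key sit in the witness, and
computes how many such transactions fit in a 4,000,000-weight-unit block.
Signature and key sizes are the published ones (BIP 340 for Schnorr, FIPS 204
for ML-DSA, FIPS 205 for SLH-DSA); the transaction layout is an assumption
chosen to make schemes comparable.
"""

MAX_BLOCK_WEIGHT = 4_000_000
# Non-witness bytes: version(4) + input count(1) + input(32+4+1+4)
# + output count(1) + output(8+1+34) + locktime(4)
BASE_BYTES = 4 + 1 + (32 + 4 + 1 + 4) + 1 + (8 + 1 + 34) + 4  # 94

# (signature bytes, public key bytes) per scheme
SCHEMES = {
    "Schnorr (BIP 340)": (64, 32),
    "ECDSA (DER, typical)": (71, 33),
    "ML-DSA-44": (2420, 1312),
    "ML-DSA-65": (3309, 1952),
    "SLH-DSA-SHA2-128s": (7856, 32),
    "SLH-DSA-SHA2-128f": (17088, 32),
}


def compact_size(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize varint for a length n."""
    if n < 253:
        return 1
    if n <= 0xFFFF:
        return 3
    return 5 if n <= 0xFFFFFFFF else 9


def witness_bytes(sig_len: int, pk_len: int) -> int:
    """segwit marker+flag (2) + stack item count (1) + two length-prefixed items."""
    return 2 + 1 + compact_size(sig_len) + sig_len + compact_size(pk_len) + pk_len


def tx_weight(sig_len: int, pk_len: int) -> int:
    """BIP 141 weight: non-witness bytes count 4, witness bytes count 1."""
    return 4 * BASE_BYTES + witness_bytes(sig_len, pk_len)


def txs_per_block(sig_len: int, pk_len: int) -> int:
    return MAX_BLOCK_WEIGHT // tx_weight(sig_len, pk_len)


def txs_per_block_undiscounted(sig_len: int, pk_len: int) -> int:
    """Same transaction if every byte counted 4, i.e. without the witness discount."""
    return MAX_BLOCK_WEIGHT // (4 * (BASE_BYTES + witness_bytes(sig_len, pk_len)))


def report() -> dict:
    """Per scheme: (weight units per tx, txs per block, txs per block undiscounted)."""
    return {
        name: (tx_weight(s, p), txs_per_block(s, p), txs_per_block_undiscounted(s, p))
        for name, (s, p) in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, (w, n, n_raw) in report().items():
        print(f"{name:22s} {w:6d} WU/tx  {n:5d} tx/block  ({n_raw} without witness discount)")
```

Under this model a block holds about 8,385 Schnorr-signed transactions but only 971 with ML-DSA-44 and 483 with SLH-DSA-128s, an 8x to 17x reduction in throughput. The witness discount is what keeps the damage to that level: if post-quantum signature bytes were charged at the full rate of 4 weight units, the ML-DSA-44 figure would drop to 260 per block. Real transactions have more inputs and outputs, so these are upper bounds, but the ratio between schemes carries over.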