Currently, quantum computers that can breach the Bitcoin blockchain do not exist. Nonetheless, developers are proactively considering a range of upgrades to bolster defenses against this looming threat, which is becoming increasingly real.
This week, Google released findings indicating that a sufficiently powerful quantum computer could break the signature cryptography underlying Bitcoin in less than nine minutes, one minute quicker than the average interval between Bitcoin blocks. Analysts suggest that this risk may materialize as early as 2029.
The implications are significant: approximately 6.5 million bitcoin, valued in the hundreds of billions, are at risk from a quantum attack. Some of these coins belong to Satoshi Nakamoto, Bitcoin’s enigmatic creator. Such a breach could undermine Bitcoin’s foundational principles of “trust the code” and “sound money.”
Understanding the Quantum Threat
Bitcoin’s security relies on a one-way mathematical process. When a wallet is created, it generates a private key, a secret number, from which a public key is derived; going from the private key to the public key is easy, but reversing that step is not.
To spend bitcoin, the owner must prove possession of the private key without revealing it, by producing a cryptographic signature that the network can verify against the public key. This mechanism is robust: with classical computers it would take billions of years to recover a private key from its elliptic-curve public key, the basis of the Elliptic Curve Digital Signature Algorithm (ECDSA), so forging a signature is computationally impractical.
However, a future quantum computer may reverse this dynamic, deriving private keys from public keys and allowing an attacker to spend the associated funds. Public keys become exposed in two scenarios: coins sitting in outputs whose public key is already visible on-chain (long exposure) and transactions waiting in the mempool, whose signatures reveal the key while they await confirmation (short exposure).
Proposed Solutions
BIP 360: Concealing Public Keys
Bitcoin outputs created under Taproot today expose their public keys on-chain permanently, presenting a standing target for quantum attackers. Bitcoin Improvement Proposal (BIP) 360 seeks to resolve this by removing publicly visible keys through a new output type known as Pay-to-Merkle-Root (P2MR).
Since a quantum computer could derive the private key from a visible public key, keeping public keys off-chain would close this attack vector. Nevertheless, this proposal would only protect newly created coins, leaving the approximately 1.7 million BTC in older exposed addresses vulnerable, a challenge addressed by the subsequent proposals below.
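The long-versus-short exposure distinction above, and the claim that some output types leave the key visible while others only commit to its hash, can be checked mechanically. The following classifier is an added example, not code from the article or from any BIP: it matches the standard scriptPubKey templates (P2PK and P2TR embed the public key in the output; P2PKH, P2SH and P2WPKH reveal it only when spent) and totals a constructed set of UTXOs by exposure class. The `key_already_revealed` flag is a simplification standing in for an on-chain lookup of earlier spends from the same address, and P2WSH and other script types are deliberately left as "unknown".

```python
from dataclasses import dataclass


@dataclass
class Utxo:
    script_hex: str                      # scriptPubKey of the unspent output, hex encoded
    amount_btc: float
    key_already_revealed: bool = False   # an earlier spend from this address is on-chain


def script_type(script: bytes) -> str:
    """Match the common scriptPubKey templates by exact byte layout."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (the Satoshi-era output style)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20> <key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <20> <script hash> OP_EQUAL
    if n == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        return "P2SH"
    # P2WPKH: OP_0 <20> <key hash>
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"
    # P2TR: OP_1 <32> <x-only tweaked pubkey>
    if n == 34 and script[:2] == b"\x51\x20":
        return "P2TR"
    return "unknown"


def exposure(utxo: Utxo) -> str:
    """'long' = key visible on-chain now; 'short' = hidden until a spend is broadcast."""
    t = script_type(bytes.fromhex(utxo.script_hex))
    if t in ("P2PK", "P2TR"):
        return "long"
    if t in ("P2PKH", "P2SH", "P2WPKH"):
        # Hash-committed outputs stay hidden unless the address was reused
        # after an earlier spend put the key (or redeem script) on-chain.
        return "long" if utxo.key_already_revealed else "short"
    return "unknown"


def summarize(utxos) -> dict:
    """Total the amount at risk in each exposure class."""
    totals = {"long": 0.0, "short": 0.0, "unknown": 0.0}
    for u in utxos:
        totals[exposure(u)] += u.amount_btc
    return totals


# Constructed sample set; the repeated bytes are placeholders, not real keys or hashes.
SAMPLE_UTXOS = [
    Utxo("41" + "04" + "11" * 64 + "ac", 50.0),        # P2PK, key sits in the output
    Utxo("76a914" + "22" * 20 + "88ac", 2.0),          # P2PKH, fresh address
    Utxo("76a914" + "23" * 20 + "88ac", 1.5, True),    # P2PKH, address reused
    Utxo("0014" + "33" * 20, 0.25),                    # P2WPKH, fresh address
    Utxo("5120" + "44" * 32, 3.0),                     # P2TR, key sits in the output
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(script_type(bytes.fromhex(u.script_hex)), exposure(u), u.amount_btc)
    print(summarize(SAMPLE_UTXOS))
```

Run against a real UTXO set, the "long" bucket is what BIP 360 cannot help with after the fact; the "short" bucket is what it protects going forward, and what the mempool proposal below concerns while a spend is in flight.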
SPHINCS+ / SLH-DSA: Hash-Based Signatures
SPHINCS+, standardized as SLH-DSA, provides a post-quantum signature scheme built entirely on hash functions, sidestepping the weakness of elliptic-curve cryptography. While ECDSA is broken by Shor’s algorithm, hash-based signatures are believed to resist quantum attack.
Emergency Measures for Mempool Security
Tadge Dryja’s proposal aims to protect transactions in the mempool against quantum attacks by splitting a spend into two phases, a commit that is published first and a reveal that follows.
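To show why a commit phase helps during the short-exposure window, here is an added toy simulation of a generic hash-commitment ordering rule. It is not Dryja’s design, whose details the article does not describe: the spender first publishes only a hash of the finished transaction, and later reveals the transaction itself; competing spends of the same coin are then settled by whose commitment was mined first, not by who broadcast a reveal first. The ledger, transaction format and address labels are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class SpendTx:
    outpoint: str      # label of the coin being spent (constructed, not a real txid)
    pubkey: bytes      # public key that the spend reveals
    destination: str   # where the coin is sent

    def serialize(self) -> bytes:
        return self.outpoint.encode() + self.pubkey + self.destination.encode()

    def commitment(self) -> bytes:
        # The commitment binds every field, including the destination, so a
        # competing spend to a different address has a different commitment.
        return sha256(b"commit|" + self.serialize())


class CommitRevealLedger:
    """Toy chain that settles conflicting spends by commitment height."""

    def __init__(self) -> None:
        self.height = 0
        self.commit_height: dict = {}   # commitment hash -> block height it was mined in
        self.candidates: dict = {}      # outpoint -> list of (commit height, tx)

    def commit(self, tx: SpendTx) -> bytes:
        """Phase 1: only the hash goes on-chain; the public key stays hidden."""
        c = tx.commitment()
        self.commit_height.setdefault(c, self.height)
        self.height += 1   # assume each commitment is mined in the next block
        return c

    def reveal(self, tx: SpendTx) -> bool:
        """Phase 2: the full transaction (and its key) is published."""
        h = self.commit_height.get(tx.commitment())
        if h is None:
            return False   # no prior commitment: rejected outright
        self.candidates.setdefault(tx.outpoint, []).append((h, tx))
        return True

    def winner(self, outpoint: str) -> Optional[SpendTx]:
        """Earliest-committed revealed spend of a coin wins."""
        cands = self.candidates.get(outpoint)
        if not cands:
            return None
        return min(cands, key=lambda pair: pair[0])[1]


def simulate():
    """Honest spend first; an attacker who learns the key from the reveal races it."""
    ledger = CommitRevealLedger()
    honest = SpendTx("coin-1", b"\x02" + b"\x11" * 32, "alice-new-address")
    ledger.commit(honest)            # mined at height 0, key still hidden
    ledger.reveal(honest)            # key now visible while awaiting confirmation
    # Attacker derives the private key from the revealed public key and tries
    # to redirect the coin. Without a commitment the reveal is rejected; with
    # one, it is necessarily mined later and loses on ordering.
    attacker = SpendTx("coin-1", honest.pubkey, "attacker-address")
    raced_without_commit = ledger.reveal(attacker)
    ledger.commit(attacker)          # mined at height 1
    ledger.reveal(attacker)
    return ledger.winner("coin-1").destination, raced_without_commit


if __name__ == "__main__":
    print(simulate())
```

The property the simulation demonstrates is that the attacker’s advantage (deriving the key from the reveal) arrives after the honest commitment is already ordered, so the only thing the reveal phase can lose is the race it has already won.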
Hourglass V2: Controlling Old Coin Transactions
Proposed by Hunter Beast, Hourglass V2 addresses the risk to older exposed addresses by limiting spends from them to one bitcoin per block. This would prevent an immediate mass liquidation that could destabilize the market, although some critics view it as an infringement on individual spending rights.
In Summary
None of the proposed upgrades has been implemented yet, and Bitcoin’s decentralized governance means any change will take time. Nonetheless, the steady stream of proposals that predates Google’s recent findings suggests that developers have been aware of this issue for some time, which may help ease some market anxieties.