20 Feb
Can Bitcoin Handle the Threat from Quantum Computing?
Quantum computing has recently become one of the biggest open questions in Bitcoin, particularly for institutions. Not because a breakthrough is considered imminent, but because long-horizon tail risks matter.
If quantum machines ever reached the right scale, they could theoretically target the cryptography upon which Bitcoin relies, raising uncomfortable questions not only about security but what happens to long-dormant coins if key recovery ever becomes feasible.
What’s changed isn’t the underlying risk model — it’s that the ecosystem is now starting to treat it as an engineering and governance problem, not just a thought experiment. That includes everything from emphasising basic wallet hygiene to longer-range upgrade paths like BIP 360.
Before any of that, though, it’s worth being clear on what quantum actually threatens — and how.
What Quantum Changes: Shor vs. Grover
Bitcoin ownership relies on digital signatures — ECDSA historically, with Taproot supporting Schnorr signatures (BIP340). Both rely on the same elliptic curve, secp256k1.
Private keys generate public keys through elliptic-curve mathematics. Reversing that relationship — deriving a private key from a public key — is considered infeasible for classical computers. A fault-tolerant quantum computer capable of running Shor’s algorithm at cryptographically relevant scale, however, could theoretically solve the elliptic-curve discrete logarithm problem, allowing an attacker to forge valid signatures and steal funds.
Of secondary concern is Grover’s algorithm. It doesn’t “break” SHA-256 (it offers at most a quadratic speedup over brute-force search), but it could reduce the work needed to find a valid proof-of-work output, potentially altering mining economics and introducing centralisation concerns — though only if a quantum miner can outpace today’s ASICs, an engineering feat well beyond running Grover itself.
Shor-related concerns are therefore considered more urgent because they target Bitcoin’s ownership layer in a more immediate sense in the event of any meaningful quantum breakthrough.
Exposure Profiles: Long vs. Short
Shor is only relevant, however, once a public key becomes visible to the attacker: either in the UTXO set itself, or in a spending transaction that has been broadcast but not yet mined.
Coins vulnerable to long exposure are those whose public keys are visible when a UTXO is created or remain visible for extended periods. These include early Bitcoin P2PK (pay-to-public-key) outputs, reused addresses that tie funds to keys revealed during earlier spends, and Taproot (P2TR) outputs, which commit to a (tweaked) public key in the UTXO itself.
In these cases, public keys are visible well before any spend, representing a “harvest now, attack later” threat if quantum capability matures.
Hash-locked outputs such as P2PKH (legacy) and P2WPKH (native SegWit v0), and likewise the script-hash types P2SH and P2WSH, only reveal the public key (or the script containing it) when the output is spent. The exposure window here is far shorter — and far less practical at scale — because an attacker must derive the private key from the key revealed in the broadcast transaction and get a conflicting spend mined before the legitimate one confirms, a window normally measured in minutes. Any output whose script has already been spent from (a reused address) falls back into the long-exposure class, since its key is already on-chain.
Estimates of how many coins are exposed vary. Some analyses claim that 20–50% of supply could be vulnerable under broad threat assumptions. Others argue this conflates theoretical exposure with practical exploitability, especially where risk is limited to short “mempool race” windows or where exposed coins are dispersed across many smaller UTXOs. One widely cited report places the concentrated, materially exposed subset closer to ~10,200 BTC.
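The classification the last few paragraphs describe can be made mechanical: every standard scriptPubKey template either carries the key itself (P2PK, P2TR) or a hash of it, and a hash-locked output is only safe from “harvest now, attack later” if the same script has never been spent from before. The following is an added example, not code from the article or any cited report; the scriptPubKey templates are the standard ones, while the UTXOs, their labels and the “already spent” script set are constructed test data, not chain data. It also generalises the text slightly by treating P2SH and P2WSH reuse the same way as P2PKH reuse, since an earlier spend has already revealed the redeem script.

```python
"""Classify a UTXO set by when a Shor-capable attacker could see the public key.

Added example, not from the original article. The scriptPubKey templates are
the standard ones (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); the UTXOs and the
"already spent" script set below are constructed test data, not chain data.
"""
from dataclasses import dataclass

EXPOSED_AT_CREATION = "exposed-at-creation"      # key is in the output itself (P2PK, P2TR)
EXPOSED_VIA_REUSE = "exposed-via-reuse"          # hash-locked, but this script was spent before
EXPOSED_ONLY_AT_SPEND = "exposed-only-at-spend"  # key appears only in the spending tx
UNKNOWN = "unknown"                              # nonstandard script, not classified here

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def script_type(spk: bytes) -> str:
    """Match a raw scriptPubKey against the standard output templates."""
    n = len(spk)
    # <33|65-byte pubkey push> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    # OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    # OP_0 <20>  (SegWit v0 key hash)
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    # OP_0 <32>  (SegWit v0 script hash)
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    # OP_1 <32>  (SegWit v1: the 32-byte x-only tweaked public key itself)
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "nonstandard"


def exposure(spk: bytes, spent_scripts: set[bytes]) -> str:
    """Exposure class for one output, given the set of scripts already spent from."""
    kind = script_type(spk)
    if kind in ("p2pk", "p2tr"):
        return EXPOSED_AT_CREATION
    if kind in ("p2pkh", "p2wpkh", "p2sh", "p2wsh"):
        # Address reuse: an earlier spend already put the key (or redeem script) on-chain.
        return EXPOSED_VIA_REUSE if spk in spent_scripts else EXPOSED_ONLY_AT_SPEND
    return UNKNOWN


@dataclass(frozen=True)
class Utxo:
    outpoint: str          # constructed label, not a real txid
    script_pubkey: bytes
    value_sat: int


def tally(utxos: list[Utxo], spent_scripts: set[bytes]) -> dict[str, int]:
    """Sum value (in satoshi) per exposure class."""
    totals: dict[str, int] = {}
    for u in utxos:
        cls = exposure(u.script_pubkey, spent_scripts)
        totals[cls] = totals.get(cls, 0) + u.value_sat
    return totals


# --- constructed sample data ---------------------------------------------
PUBKEY33 = b"\x02" + b"\x11" * 32                     # dummy compressed key
P2PK = bytes([33]) + PUBKEY33 + bytes([OP_CHECKSIG])
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + b"\xaa" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + b"\xbb" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\xcc" * 20
P2TR = bytes([OP_1, 32]) + b"\xdd" * 32

SAMPLE_UTXOS = [
    Utxo("early-miner:0", P2PK, 50_00000000),
    Utxo("reused-addr:0", P2PKH_A, 3_00000000),
    Utxo("fresh-addr:0", P2PKH_B, 2_00000000),
    Utxo("segwit:0", P2WPKH, 1_00000000),
    Utxo("taproot:0", P2TR, 4_00000000),
]
SPENT_SCRIPTS = {P2PKH_A}   # address A was spent from before, so its key is public

if __name__ == "__main__":
    for cls, sats in sorted(tally(SAMPLE_UTXOS, SPENT_SCRIPTS).items()):
        print(f"{cls:24s} {sats / 1e8:10.2f} BTC")
```

Run against a real UTXO snapshot, the `spent_scripts` set is what drives the difference between the broad and narrow estimates quoted above: counting every hash-locked output as exposed gives the large figures, while restricting to outputs that carry their key or sit on reused scripts gives the much smaller “materially exposed” subset.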
The key takeaway is that the threat is real but not uniform — and the attack surface, in practice, narrower than it sounds.
The Fault-Tolerance Bottleneck
All of the above presupposes fault-tolerant quantum computers operating at cryptographically relevant scale.
Breaking Bitcoin’s elliptic-curve signatures would likely require millions of physical qubits operating with sufficient error correction to yield the stable logical qubits such attacks depend on. One recent report suggests this could require machines roughly 100,000× more powerful than those publicly known today.
Views on when — or even whether — this will happen vary, with many serious discussions clustering in the mid-2030s to mid-2040s. What is less disputed is that if meaningful capability ever materialises, any response will need to have been coordinated well in advance.
Migration and Post-Quantum Standards
The main challenge to any response lies in how Bitcoin transitions to something resilient to quantum threats under throughput limits, uneven incentives and contentious governance trade-offs.
In August 2024, NIST finalised its first post-quantum standards: for signatures, lattice-based ML-DSA (FIPS 204, derived from Dilithium) and hash-based SLH-DSA (FIPS 205, derived from SPHINCS+), alongside ML-KEM (FIPS 203) for key encapsulation. These anchor the candidate set large systems are converging on.
For Bitcoin, any migration would likely be staged: introducing new, safer output types and wallet defaults, and potentially a transition period involving hybrid spends that require both a classical and a post-quantum proof. Trade-offs are unavoidable. Post-quantum signatures are much larger: a Schnorr signature is 64 bytes, whereas an ML-DSA-44 signature is 2,420 bytes with a 1,312-byte public key, and the smallest SLH-DSA parameter set produces signatures of roughly 7.9 kB. Depending on the scheme, verification is also costlier than a secp256k1 check, so bandwidth, block space and validation costs all rise.
There are multiple plausible directions beyond any single proposal, including new post-quantum-capable output types, hybrid signature policies during transition, and wallet-default shifts designed to reduce long-lived public-key exposure over time. A soft fork is the most likely mechanism for introducing new output types. A hard fork is possible, but it is a messy solution risking chain splits if stakeholders disagree.
BIP 360: P2MR as Incremental Hardening
BIP 360 — recently merged into the BIPs repository — is the most concrete attempt yet to translate “quantum readiness” into an incremental, Bitcoin-native proposal. It introduces a new output type, Pay-to-Merkle-Root (P2MR), designed to operate similarly to Taproot but with key-path spending removed.
Specifically, it aims to reduce reliance on long-lived embedded public keys most at risk from “harvest now, attack later,” without forcing Bitcoin to immediately select and deploy heavyweight post-quantum signature schemes.
Conceptually, P2MR is “Taproot-like script trees, but no key-path.” Simply pointing Taproot at an unspendable internal key does not achieve the same thing: the output key is still a curve point, and Shor recovers its discrete logarithm regardless of whether anyone classically knows it. Spends from a P2MR output must therefore reveal a script, its satisfying witness and a Merkle proof, which is less compact than a Taproot key-path spend. The trade-off is larger witnesses in exchange for removing a long-exposure pattern threatened by Shor.
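To make the “larger witnesses” trade-off concrete, the following added example (not code from the article or from BIP 360) builds a Taproot script tree with BIP 341’s TapLeaf and TapBranch tagged hashes, verifies a leaf against its Merkle path the way a node would from a control block, and compares the serialized witness size of a key-path spend with that of a script-path spend. Two assumptions are labelled in the code: leaves are paired left to right into a balanced tree (BIP 341 lets a wallet choose any shape), and the P2MR figure is modelled on BIP 341’s control block of 33 + 32·depth bytes, since BIP 360’s exact encoding is not reproduced here. Keys and scripts are dummies.

```python
"""Taproot script tree: what a key-path spend costs versus a script-path spend.

Added example, not from the article or from BIP 360. Leaf and branch hashing
follows BIP 341 (TapLeaf / TapBranch tagged hashes) and the script-path witness
layout is BIP 341's (sig, script, control block of 33 + 32*depth bytes). A P2MR
output that removes the key path pays the script-path cost on every spend; the
exact BIP 360 encoding is not reproduced here, so the P2MR figure is an
assumption modelled on the Taproot control block. Keys and scripts are dummies.
"""
import hashlib

LEAF_VERSION = 0xC0   # BIP 342 tapscript leaf version


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer encoding (CompactSize)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def tapleaf_hash(script: bytes) -> bytes:
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + compact_size(len(script)) + script)


def tapbranch_hash(a: bytes, b: bytes) -> bytes:
    lo, hi = sorted((a, b))                 # BIP 341 orders the two children lexicographically
    return tagged_hash("TapBranch", lo + hi)


def build_tree(leaf_hashes: list[bytes]) -> tuple[bytes, dict[int, list[bytes]]]:
    """Assumed shape: pair leaves left to right, odd node carried up. Returns (root, {leaf: path})."""
    paths: dict[int, list[bytes]] = {i: [] for i in range(len(leaf_hashes))}
    level = [(h, [i]) for i, h in enumerate(leaf_hashes)]   # (node hash, leaves beneath it)
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (ha, la), (hb, lb) = level[j], level[j + 1]
            for i in la:
                paths[i].append(hb)                 # sibling needed to climb from leaf i
            for i in lb:
                paths[i].append(ha)
            nxt.append((tapbranch_hash(ha, hb), la + lb))
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0][0], paths


def root_from_path(leaf_hash: bytes, path: list[bytes]) -> bytes:
    """What a verifier recomputes from the Merkle path carried in the control block."""
    h = leaf_hash
    for sibling in path:
        h = tapbranch_hash(h, sibling)
    return h


def witness_size(elements: list[bytes]) -> int:
    """Serialized witness bytes: element count + (length prefix + data) per element."""
    return len(compact_size(len(elements))) + sum(len(compact_size(len(e))) + len(e) for e in elements)


def keypath_witness_bytes() -> int:
    return witness_size([bytes(64)])                # one Schnorr signature, default sighash


def scriptpath_witness_bytes(script: bytes, path: list[bytes]) -> int:
    # Control block: leaf-version/parity byte + 32-byte internal key + 32 bytes per level.
    # Assumption: a P2MR spend is modelled with the same control block size.
    control_block = bytes(33) + b"".join(path)
    return witness_size([bytes(64), script, control_block])


# --- constructed sample tree: four single-key leaves ---------------------
LEAF_SCRIPTS = [bytes([32]) + bytes([k]) * 32 + b"\xac" for k in (1, 2, 3, 4)]  # <xonly-pk> OP_CHECKSIG
LEAF_HASHES = [tapleaf_hash(s) for s in LEAF_SCRIPTS]
ROOT, PATHS = build_tree(LEAF_HASHES)

if __name__ == "__main__":
    print("merkle root:              ", ROOT.hex())
    print("key-path witness bytes:   ", keypath_witness_bytes())
    print("script-path witness bytes:", scriptpath_witness_bytes(LEAF_SCRIPTS[0], PATHS[0]))
```

For this four-leaf tree the key-path witness is 66 bytes and the script-path witness 199 bytes; witness bytes count one weight unit each, so the difference is about 33 vbytes per input, growing by 32 bytes for every extra tree level. That is the per-spend price an output pays for never putting a curve point in the UTXO set.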
BIP 360 frames P2MR as foundational rather than final. It directly addresses long-exposure patterns, while mempool-race scenarios and the broader shift to post-quantum signatures would require separate follow-on work.
Crucially, the proposal also surfaces an issue any credible migration plan must reckon with: even with opt-in upgrades and changing wallet defaults, a meaningful portion of the UTXO set may remain on legacy outputs for a very long time. Dormant holdings, lost keys, institutional custody constraints, and simple inertia create UTXOs that may never voluntarily move.
If cryptographically relevant quantum capability ever arrives, some long-exposed coins whose owners are unreachable could, in principle, be swept by whoever can derive their keys. Even if that is “just” theft rather than protocol failure, the consequences could be severe: it would undermine confidence, trigger emergency policy responses, and — in the case of large dormant clusters — raise fears of sudden supply becoming liquid. Proposals to freeze or otherwise treat unmigrated coins differently, however, raise politically explosive questions about immutability, neutrality, and property rights.
The risk of deadlock is why planning early matters, even if timelines remain uncertain.
Risks, Reality and Readiness
Quantum is a real, long-horizon challenge for Bitcoin. It isn’t, however, an existential cliff edge. The risk is uneven, tied to specific exposure profiles and subject to hardware timelines that remain genuinely uncertain. Importantly, it’s not arriving into a vacuum: developers are already sketching credible migration paths, the kind of long-range planning that matters as much to institutions as it does to anyone holding Bitcoin for the long term.
The hardest part for now is coordination. Any transition will be slow — potentially taking years — contested and complicated by coins that never move. But Bitcoin is conservative by design, and that conservatism is a feature, making staged, opt-in change possible without forcing everyone onto a single rushed deadline. Taproot is a recent reminder that meaningful upgrades can ship when the case is clear and incentives align.
Taken together, that points to the only posture that really makes sense for now: as with everything, preparation beats panic — and Bitcoin still has time to prepare.