Bitcoin's quantum threat: the proposals aiming to protect $1.3 trillion in BTC

What quantum computers could do to Bitcoin
Quantum computers capable of breaking Bitcoin's cryptography do not exist today. Developers are already working on defences, however, as the threat is no longer purely theoretical. Google published research this week suggesting a sufficiently powerful quantum machine could crack Bitcoin's core cryptographic layer in under nine minutes, less time than it takes the network to confirm a single block. Some analysts place a realistic timeline for such a machine at 2029.
The stakes are considerable. Around 6.5 million bitcoin tokens, worth hundreds of billions of dollars at current prices, sit in wallet addresses that a quantum attacker could directly target. A portion of those coins belong to Bitcoin's pseudonymous creator, Satoshi Nakamoto. Beyond the financial exposure, a successful attack would undermine the foundational principles of the network: that the code is trustworthy and that the supply is fixed.
Two attack vectors on Bitcoin's cryptography
Bitcoin's security rests on a one-way mathematical relationship. Wallet creation produces a private key, from which a public key is derived. Spending bitcoin requires the holder to prove ownership by generating a cryptographic signature, without revealing the private key itself. That relationship relies on elliptic curve cryptography, specifically the Elliptic Curve Digital Signature Algorithm (ECDSA), and modern classical computers would take billions of years to reverse it. A sufficiently powerful quantum computer changes that calculation entirely: it could derive the private key from the public key and enable theft of the associated coins.
Two routes expose the public key to such an attack. The first applies to coins sitting idle on-chain. Pay-to-public-key (P2PK) addresses, used by Satoshi and early miners, and Taproot (P2TR), the address format activated in 2021, both expose the public key permanently on the blockchain without the coins ever needing to move. Roughly 1.7 million BTC sits in old P2PK addresses. The second attack vector targets the mempool, the pool of unconfirmed transactions awaiting inclusion in a block. During that window, the public key and signature are visible to the entire network. A quantum machine could derive the private key from that data, though it would need to act before the transaction is confirmed and buried under subsequent blocks.
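To make the long-exposure distinction concrete, here is an added example (not code from the article) that classifies a scriptPubKey by its standard template and reports whether the public key is already visible on-chain while the coins sit idle. It assumes the standard P2PK, P2PKH, P2WPKH and P2TR script layouts; the sample outputs and amounts are constructed.

```python
# Added example: which output templates leave a public key on-chain while idle.
OP_0, OP_1, OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x51, 0x76, 0x88, 0xA9, 0xAC


def classify(script: bytes) -> tuple[str, bool]:
    """Return (template, key_exposed_while_idle) for a scriptPubKey."""
    n = len(script)
    # P2PK: <push 33- or 65-byte key> OP_CHECKSIG -> the raw key is on-chain
    if n in (35, 67) and script[0] == n - 2 and script[1] in (2, 3, 4) \
            and script[-1] == OP_CHECKSIG:
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False           # only a hash, until the coins are spent
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False
    # P2TR: OP_1 <32-byte x-only output key> -> a curve point is on-chain
    if n == 34 and script[:2] == bytes([OP_1, 32]):
        return "P2TR", True
    return "other", False


def exposed_balance(utxos: list[tuple[bytes, float]]) -> dict[str, float]:
    """Sum BTC per template whose key is already exposed (long-exposure risk)."""
    totals: dict[str, float] = {}
    for script, amount in utxos:
        kind, exposed = classify(script)
        if exposed:
            totals[kind] = totals.get(kind, 0.0) + amount
    return totals


# Constructed sample outputs (fake key/hash bytes, illustrative amounts).
P2PK_UNCOMP = bytes([65, 4]) + b"\x11" * 64 + bytes([OP_CHECKSIG])
P2PK_COMP = bytes([33, 2]) + b"\x22" * 32 + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x33" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + b"\x44" * 20
P2TR = bytes([OP_1, 32]) + b"\x55" * 32
SAMPLE_UTXOS = [(P2PK_UNCOMP, 50.0), (P2PK_COMP, 1.5), (P2PKH, 2.0), (P2WPKH, 0.3), (P2TR, 0.7)]

if __name__ == "__main__":
    print(exposed_balance(SAMPLE_UTXOS))   # {'P2PK': 51.5, 'P2TR': 0.7}
```

Hash-based templates hide the key only until the coins move, which is the short-exposure (mempool) case the article describes next.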
Bitcoin quantum security proposals under consideration
BIP 360: removing the public key from the chain
Bitcoin Improvement Proposal 360 addresses the long-exposure attack by introducing a new output type called Pay-to-Merkle-Root (P2MR). Under the current Taproot format, every new address permanently embeds a public key on-chain, visible to anyone including a future quantum attacker. BIP 360 removes that exposure entirely. A quantum computer studying the chain would find no public key to work from. Lightning payments, multi-signature setups, and other Bitcoin features would remain unchanged. The proposal protects only coins created after its adoption, however. The 1.7 million BTC already sitting in exposed addresses requires separate treatment.
SPHINCS+ and SLH-DSA: post-quantum signature schemes
SPHINCS+ is a post-quantum signature scheme built on hash functions rather than elliptic curve cryptography. Hash-based designs are not considered vulnerable to Shor's algorithm, the quantum method that threatens ECDSA. The scheme was standardised by the National Institute of Standards and Technology in August 2024 as FIPS 205 (SLH-DSA) after an extended public review process. The tradeoff is size. Current Bitcoin signatures run to 64 bytes; SLH-DSA signatures run to 8 kilobytes or more. Adopting SLH-DSA at that scale would substantially increase demand for block space and push transaction fees higher.
Two follow-on proposals, SHRIMPS and SHRINCS, have been introduced to reduce signature sizes without sacrificing post-quantum security. Both build on SPHINCS+ and aim to retain its security guarantees in a more compact form suited to on-chain use.
Tadge Dryja's commit-reveal scheme: mempool protection
This soft fork proposal, put forward by Lightning Network co-creator Tadge Dryja, targets the short-exposure attack. It separates transaction execution into two phases. In the commit phase, the sender publishes a sealed hash of their intention on-chain, revealing nothing about the transaction itself. The blockchain timestamps that fingerprint permanently. In the reveal phase, the actual transaction is broadcast, making the public key visible. A quantum attacker watching the mempool could then attempt to derive the private key and forge a competing transaction.
The forged transaction would fail. The network checks whether any spend has a prior on-chain commitment registered. The legitimate transaction does; the forged one does not. The attacker's transaction, assembled after the reveal, has no matching fingerprint. The cost of this mechanism is that every transaction requires two separate on-chain steps, raising fees. Dryja describes the scheme as an interim measure while the community develops longer-term quantum defences.
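A toy model of the validation rule described above, added here as an example and not Dryja's code. It assumes the commitment is SHA-256 over the canonical JSON of the spend plus a sender-chosen nonce, and that a reveal is accepted only if that exact digest was mined in an earlier block and the input is still unspent; the scenario in simulate() is constructed.

```python
import hashlib
import json


def commitment_of(spend: dict) -> bytes:
    """Fingerprint of a spend; the nonce keeps it unguessable before reveal."""
    return hashlib.sha256(json.dumps(spend, sort_keys=True).encode()).digest()


class Chain:
    def __init__(self) -> None:
        self.height = 0                          # height of last mined block
        self.commitments: dict[bytes, int] = {}  # digest -> block it was mined in
        self.spent: set[str] = set()             # inputs already consumed

    def commit(self, digest: bytes) -> int:
        """Commit phase: only the digest is mined, into the next block."""
        self.height += 1
        self.commitments.setdefault(digest, self.height)
        return self.height

    def reveal(self, spend: dict) -> bool:
        """Reveal phase: accept the full spend only if it was committed earlier."""
        candidate = self.height + 1              # block the reveal would land in
        committed_at = self.commitments.get(commitment_of(spend))
        if committed_at is None or committed_at >= candidate:
            return False                         # no prior on-chain commitment
        if spend["input"] in self.spent:
            return False                         # input already spent
        self.spent.add(spend["input"])
        self.height = candidate
        return True


def simulate() -> tuple[bool, bool, bool]:
    """Constructed race: honest sender vs. an attacker watching the mempool."""
    chain = Chain()
    honest = {"input": "utxo:abc:0", "to": "honest-dest", "nonce": "r1"}
    chain.commit(commitment_of(honest))          # block 1: sealed fingerprint
    # The attacker sees the reveal in the mempool and assembles a competing
    # spend of the same input; it has no matching commitment on-chain.
    forged = {"input": "utxo:abc:0", "to": "attacker-dest", "nonce": "x"}
    forged_first = chain.reveal(forged)          # rejected: nothing committed
    honest_ok = chain.reveal(honest)             # block 2: committed at 1 < 2
    chain.commit(commitment_of(forged))          # block 3: committed too late
    forged_late = chain.reveal(forged)           # rejected: input already spent
    return honest_ok, forged_first, forged_late
```

The two mined steps per spend (commit in one block, reveal in a later one) are the fee cost the article mentions.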
Hourglass V2: slowing withdrawal from exposed addresses
Proposed by developer Hunter Beast, Hourglass V2 takes a different approach to the 1.7 million BTC sitting in already-exposed addresses. The proposal accepts that a sufficiently advanced quantum computer could steal these coins and focuses instead on limiting the pace of any such theft to one bitcoin per block. The intent is to prevent a sudden, catastrophic liquidation that would collapse the market overnight. Critics within the Bitcoin community consider the proposal a violation of a core principle: that no external party can restrict a holder's right to spend their own coins. That tension has made the proposal contentious.
Industry impact
None of these proposals have been activated. Bitcoin's governance model, which distributes decision-making authority across developers, miners, and node operators, means any protocol change requires broad consensus and typically takes years to materialise. The timeline for a quantum computer capable of executing these attacks remains uncertain, and some researchers put 2029 estimates at the aggressive end of a wide range.
Most of these proposals predate Google's research by some margin, which indicates developers have treated quantum risk as a long-horizon planning problem rather than an emergency. That preparation may help contain market reactions as the subject attracts broader attention. For Bitcoin holders with coins in older P2PK addresses, the clearest near-term action is migration to a newer address format, a step none of the proposals in circulation can take on their behalf.