
{"id":136956,"date":"2026-02-20T16:13:35","date_gmt":"2026-02-20T16:13:35","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=136956"},"modified":"2026-02-20T16:13:35","modified_gmt":"2026-02-20T16:13:35","slug":"can-bitcoin-handle-the-threat-from-quantum-computing","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=136956","title":{"rendered":"Can Bitcoin Handle the Threat from Quantum Computing?"},"content":{"rendered":"<p>Quantum computing has recently become one of the biggest open questions in Bitcoin, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2026-01-16\/mr-greed-and-fear-drops-bitcoin-btc-for-gold-on-quantum-threat\">particularly for institutions<\/a>. Not because a breakthrough is considered imminent, but because long-horizon tail risks matter.<\/p>\n<p>If quantum machines ever reached the right scale, they could theoretically target the cryptography upon which Bitcoin relies, raising uncomfortable questions not only about security but also about what happens to long-dormant coins if key recovery ever becomes feasible.<\/p>\n<p>What\u2019s changed isn\u2019t the underlying risk model \u2014 it\u2019s that the ecosystem is now starting to treat it as an engineering and governance problem, not just a thought experiment. That includes everything from emphasising basic wallet hygiene to longer-range upgrade paths like <a href=\"https:\/\/bitcoinmagazine.com\/news\/bitcoin-advances-toward-quantum-resistance\">BIP 360.<\/a><\/p>\n<p>Before any of that, though, it\u2019s worth being clear on what quantum actually threatens \u2014 and how.<\/p>\n<h2 class=\"wp-block-heading\">What Quantum Changes: Shor vs. 
Grover<\/h2>\n<p>Bitcoin ownership relies on digital signatures \u2014 <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.186-5.pdf\">ECDSA<\/a> historically, with Taproot supporting <a href=\"https:\/\/en.wikipedia.org\/wiki\/Schnorr_signature\">Schnorr signatures<\/a> (<a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0340.mediawiki\">BIP340<\/a>). Both rely on the same elliptic curve, <a href=\"https:\/\/en.bitcoin.it\/wiki\/Secp256k1\">secp256k1.<\/a><\/p>\n<p>A public key is derived from a private key by scalar multiplication of the curve\u2019s generator point. Reversing that relationship \u2014 deriving a private key from a public key \u2014 is considered infeasible for classical computers. A fault-tolerant quantum computer capable of running <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shor%27s_algorithm\">Shor\u2019s algorithm<\/a> at cryptographically relevant scale, however, could theoretically solve the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Discrete_logarithm\">elliptic-curve discrete logarithm problem,<\/a> allowing an attacker to forge valid signatures and steal funds.<\/p>\n<p>Of secondary concern is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Grover%27s_algorithm\">Grover\u2019s algorithm<\/a>. It doesn\u2019t \u201cbreak\u201d <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-2\">SHA-256<\/a> (its speed-up on unstructured search is only quadratic, roughly halving the effective bit security of a preimage search), but it could reduce the work needed to find a valid proof-of-work output, potentially altering mining economics and introducing centralisation concerns \u2014 though only if a quantum miner can outpace today\u2019s ASICs, an engineering feat well beyond running Grover itself.<\/p>\n<p>Shor-related concerns are therefore considered more urgent: they target Bitcoin\u2019s ownership layer directly, so any meaningful quantum breakthrough would threaten funds rather than just mining margins.<\/p>\n<h2 class=\"wp-block-heading\">Exposure Profiles: Long vs. 
Short<\/h2>\n<p>Shor is only relevant, however, once a public key becomes visible on-chain (or in the mempool).<\/p>\n<p>Coins vulnerable to long exposure are those whose public keys are visible when a UTXO is created or remain visible for extended periods. These include early <a href=\"https:\/\/bitcoinwiki.org\/wiki\/pay-to-pubkey-hash\">Bitcoin P2PK (pay-to-public-key)<\/a> outputs, reused addresses that tie funds to keys revealed during earlier spends, and <a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0341.mediawiki\">Taproot (P2TR)<\/a> outputs, which commit to a (tweaked) public key in the UTXO itself.<\/p>\n<p>In these cases, public keys are visible well before any spend, representing a \u201charvest now, attack later\u201d threat if quantum capability matures.<\/p>\n<p>Hash-based outputs such as P2PKH (legacy) and P2WPKH (SegWit) commit only to a hash of the public key, so the key itself is revealed only when the output is spent. The exposure window here is far shorter \u2014 and less practical at scale \u2014 requiring an attacker to derive the private key from the key revealed in the mempool and get a conflicting spend mined before the legitimate transaction confirms, typically a window of minutes.<\/p>\n<p>Estimates of how many coins are exposed vary. Some analyses claim that <a href=\"https:\/\/chaincode.com\/bitcoin-post-quantum.pdf\">20\u201350% of supply<\/a> could be vulnerable under broad threat assumptions. Others argue this conflates theoretical exposure with practical exploitability, especially where risk is limited to short \u201cmempool race\u201d windows or where exposed coins are dispersed across many smaller UTXOs. 
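The exposure classes just described (key visible from output creation, key visible only at spend time, and address reuse collapsing the second into the first) can be checked mechanically from a raw scriptPubKey, and the "dispersed across many small UTXOs" point is a question of aggregating by class. The following Python is an added example, not code from the article, BIP 360 or any Bitcoin project; the UTXO set, key bytes, hashes and amounts are constructed placeholders.

```python
"""Classify Bitcoin outputs by when they expose a public key.

Added example for this article; not code from the article, BIP 360 or any
Bitcoin project. The UTXO set, keys and hashes below are constructed
placeholders and the values are illustrative.
"""
from __future__ import annotations

from collections import defaultdict

# Exposure classes used in the text: key visible from output creation
# (long, "harvest now, attack later"), visible only at spend time
# (short, "mempool race"), or decided by a script that is not visible yet.
LONG, SHORT, SCRIPT = "long", "short", "script-dependent"


def classify_script(spk: bytes) -> tuple[str, str]:
    """Map a raw scriptPubKey to (output_type, exposure_class).

    Standard templates (opcode bytes in hex):
      P2PK   : <push 33|65> <pubkey> ac          -> key in the output
      P2PKH  : 76 a9 14 <hash160> 88 ac          -> hash only
      P2SH   : a9 14 <hash160> 87                -> hash of a script
      P2WPKH : 00 14 <hash160>                   -> hash only
      P2WSH  : 00 20 <sha256(script)>            -> hash of a script
      P2TR   : 51 20 <x-only tweaked pubkey>     -> key in the output
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", LONG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", SHORT
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", SCRIPT
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", SHORT
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", SCRIPT
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", LONG
    return "unknown", SCRIPT


def effective_exposure(spk: bytes, spent_from: set[bytes]) -> tuple[str, str]:
    """Downgrade a hash-based output to long exposure if its key is already
    public because an earlier output with the same scriptPubKey was spent
    (address reuse)."""
    otype, exposure = classify_script(spk)
    if exposure == SHORT and spk in spent_from:
        return f"{otype} (reused)", LONG
    return otype, exposure


def exposure_report(utxos, spent_from: set[bytes]) -> dict:
    """Aggregate UTXO count, total value and largest single output per class.

    utxos: iterable of (scriptPubKey, value_in_sats). The largest-output figure
    is what matters for the "concentrated vs dispersed" argument in the text.
    """
    report = defaultdict(lambda: {"count": 0, "sats": 0, "largest": 0})
    for spk, sats in utxos:
        _, exposure = effective_exposure(spk, spent_from)
        bucket = report[exposure]
        bucket["count"] += 1
        bucket["sats"] += sats
        bucket["largest"] = max(bucket["largest"], sats)
    return dict(report)


# Constructed sample data (placeholder key/hash bytes, not real chain data).
PK33 = b"\x02" + b"\x11" * 32                   # compressed pubkey placeholder
H20, H20_REUSED, H20_W = b"\xaa" * 20, b"\xbb" * 20, b"\xdd" * 20
X32 = b"\xcc" * 32

SAMPLE_UTXOS = [
    (b"\x21" + PK33 + b"\xac", 50_00000000),                   # P2PK, early-era style
    (b"\x76\xa9\x14" + H20 + b"\x88\xac", 1_50000000),         # P2PKH, fresh address
    (b"\x76\xa9\x14" + H20_REUSED + b"\x88\xac", 3_00000000),  # P2PKH, address reused
    (b"\x00\x14" + H20_W, 20000000),                           # P2WPKH
    (b"\x51\x20" + X32, 75000000),                             # P2TR
    (b"\xa9\x14" + H20 + b"\x87", 10000000),                   # P2SH
]
# scriptPubKeys that already appeared in a spent output (key revealed on-chain).
PREVIOUSLY_SPENT_FROM = {b"\x76\xa9\x14" + H20_REUSED + b"\x88\xac"}

if __name__ == "__main__":
    for spk, sats in SAMPLE_UTXOS:
        print(effective_exposure(spk, PREVIOUSLY_SPENT_FROM), sats)
    for cls, bucket in exposure_report(SAMPLE_UTXOS, PREVIOUSLY_SPENT_FROM).items():
        print(cls, bucket)
```

Run against a real UTXO dump, the same report separates the headline "exposed" figure into what is actually reachable by a harvest-now attacker (the long bucket, weighted by its largest outputs) and what is only reachable by winning a mempool race; P2SH and P2WSH stay script-dependent because nothing is known about the key until the redeem script is revealed.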
One <a href=\"https:\/\/coinshares.com\/us\/insights\/research-data\/quantum-vulnerability-in-bitcoin-a-manageable-risk\/\">widely cited report<\/a> places the concentrated, materially exposed subset closer to ~10,200 BTC.<\/p>\n<p>The key takeaway is that the threat is real but not uniform \u2014 and the attack surface, in practice, narrower than it sounds.<\/p>\n<h2 class=\"wp-block-heading\">The Fault-Tolerance Bottleneck<\/h2>\n<p>All of the above presupposes fault-tolerant quantum computers operating at cryptographically relevant scale.<\/p>\n<p>Breaking Bitcoin\u2019s elliptic-curve signatures would likely require millions of physical qubits operating with sufficient error correction to yield the stable logical qubits such attacks depend on. One <a href=\"https:\/\/coinshares.com\/us\/insights\/research-data\/quantum-vulnerability-in-bitcoin-a-manageable-risk\/\">recent report<\/a> suggests this could require machines roughly 100,000\u00d7 more powerful than those publicly known today.<\/p>\n<p>Views on when \u2014 or even whether \u2014 this will happen vary, with many serious discussions clustering in the mid-2030s to mid-2040s. 
What is less disputed is that if meaningful capability ever materialises, any response will need to have been coordinated well in advance.<\/p>\n<h2 class=\"wp-block-heading\">Migration and Post-Quantum Standards<\/h2>\n<p>The main challenge to any response lies in how Bitcoin transitions to something resilient to quantum threats under throughput limits, uneven incentives and contentious governance trade-offs.<\/p>\n<p>In 2024, <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2024\/08\/nist-releases-first-3-finalized-post-quantum-encryption-standards\">NIST finalised post-quantum standards<\/a> including <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lattice-based_cryptography\">lattice-based<\/a> ML-DSA (Dilithium) and hash-based SLH-DSA (SPHINCS+), anchoring the candidate set large systems are converging on.<\/p>\n<p>For Bitcoin, any migration would likely be staged: introducing new, safer output types and wallet defaults, and potentially a transition period involving hybrid spends that require classical and post-quantum proofs. Trade-offs are unavoidable \u2014 post-quantum signatures are far larger (kilobytes, against 64 bytes for a Schnorr signature) and, for some schemes, slower to verify, increasing bandwidth and validation costs.<\/p>\n<p>There are multiple plausible directions beyond any single proposal, including new post-quantum-capable output types, hybrid signature policies during transition, and wallet-default shifts designed to reduce long-lived public-key exposure over time. A soft fork is the most likely mechanism for introducing new output types. A hard fork is possible, but it is a messy solution risking chain splits if stakeholders disagree.<\/p>\n<h2 class=\"wp-block-heading\">BIP 360: P2MR as Incremental Hardening<\/h2>\n<p>BIP 360 \u2014 recently <a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0360.mediawiki\">merged<\/a> into the BIPs repository \u2014 is the most concrete attempt yet to translate \u201cquantum readiness\u201d into an incremental, Bitcoin-native proposal. 
It introduces a new output type, Pay-to-Merkle-Root (P2MR), designed to operate similarly to Taproot but with key-path spending removed.<\/p>\n<p>Specifically, it aims to reduce reliance on long-lived embedded public keys most at risk from \u201charvest now, attack later,\u201d without forcing Bitcoin to immediately select and deploy heavyweight post-quantum signature schemes.<\/p>\n<p>Conceptually, P2MR is \u201cTaproot-like script trees, but no key-path.\u201d Spends must reveal a script path and a Merkle proof, which is less compact than a Taproot key-path spend. The trade-off is larger witnesses in exchange for reducing a long-exposure pattern threatened by Shor.<\/p>\n<p>BIP 360 frames P2MR as foundational rather than final. It directly addresses long-exposure patterns, while mempool-race scenarios and the broader shift to post-quantum signatures would require separate follow-on work.<\/p>\n<p>Crucially, the proposal also surfaces an issue any credible migration plan must reckon with: even with opt-in upgrades and changing wallet defaults, a meaningful portion of the UTXO set may remain on legacy outputs for a very long time. Dormant holdings, lost keys, institutional custody constraints, and simple inertia create UTXOs that may never voluntarily move.<\/p>\n<p>If cryptographically relevant quantum capability ever arrives, some long-exposed coins whose owners are unreachable could, in principle, be swept by whoever can derive their keys.\u00a0 Even if that is \u201cjust\u201d theft rather than protocol failure, the consequences could be severe: it would undermine confidence, trigger emergency policy responses, and \u2014 in the case of large dormant clusters \u2014 raise fears of sudden supply becoming liquid. 
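The P2MR construction described in this section, a script tree whose output commits only to a Merkle root and whose spend reveals one leaf script plus a Merkle proof, is shown as working code below. This is an added example, not code from BIP 360, the article or any Bitcoin implementation; it assumes BIP 341's TapLeaf/TapBranch tagged hashes and leaf version 0xC0 for hashing the tree, and does not reproduce BIP 360's exact output or control-block encoding. The leaf scripts are constructed placeholders.

```python
"""Script-tree commitment with no key path, in the spirit of P2MR.

Added example; not code from BIP 360, BIP 341 or the article. It reuses
BIP 341's TapLeaf/TapBranch tagged hashes and leaf version 0xC0 as an
assumption about how a Merkle-root-only output would hash its leaves;
BIP 360's exact output and control-block encoding is not reproduced here.
"""
from __future__ import annotations

import hashlib

LEAF_VERSION = 0xC0  # assumed: BIP 341 tapscript leaf version


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340/341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize encoding of a length prefix."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def leaf_hash(script: bytes) -> bytes:
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + compact_size(len(script)) + script)


def branch_hash(a: bytes, b: bytes) -> bytes:
    # Children are hashed in sorted order, so a proof needs no left/right flags.
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)


def build_tree(scripts: list[bytes]) -> tuple[bytes, list[list[bytes]]]:
    """Build a balanced tree over the leaves.

    Returns (merkle_root, proofs) where proofs[i] lists the sibling hashes on
    the path from leaf i to the root. The root is all an output commits to:
    there is no internal key, hence no curve point for Shor before a spend.
    """
    level = [leaf_hash(s) for s in scripts]
    owners = [[i] for i in range(len(scripts))]   # leaf indices under each node
    proofs: list[list[bytes]] = [[] for _ in scripts]
    while len(level) > 1:
        next_level, next_owners = [], []
        for j in range(0, len(level), 2):
            if j + 1 == len(level):               # odd node is carried up as-is
                next_level.append(level[j])
                next_owners.append(owners[j])
                continue
            left, right = level[j], level[j + 1]
            for i in owners[j]:
                proofs[i].append(right)
            for i in owners[j + 1]:
                proofs[i].append(left)
            next_level.append(branch_hash(left, right))
            next_owners.append(owners[j] + owners[j + 1])
        level, owners = next_level, next_owners
    return level[0], proofs


def verify_script_path(root: bytes, script: bytes, proof: list[bytes]) -> bool:
    """Spend-time check: recompute the root from the revealed leaf script and
    its Merkle proof and compare it with the committed root."""
    h = leaf_hash(script)
    for sibling in proof:
        h = branch_hash(h, sibling)
    return h == root


def revealed_bytes(script: bytes, proof: list[bytes]) -> int:
    """Witness data a script-path spend reveals beyond the script's own inputs
    (signatures etc.): the leaf script plus 32 bytes per proof step. A Taproot
    key-path spend reveals only a 64-byte signature."""
    return len(script) + 32 * len(proof)


# Constructed leaves: two single-key checksig scripts and one hashlock.
SCRIPTS = [
    b"\x20" + b"\x01" * 32 + b"\xac",        # <x-only key A> OP_CHECKSIG
    b"\x20" + b"\x02" * 32 + b"\xac",        # <x-only key B> OP_CHECKSIG
    b"\xa8\x20" + b"\x03" * 32 + b"\x87",    # OP_SHA256 <digest> OP_EQUAL
]

if __name__ == "__main__":
    root, proofs = build_tree(SCRIPTS)
    print("merkle root:", root.hex())
    for s, p in zip(SCRIPTS, proofs):
        print(verify_script_path(root, s, p), revealed_bytes(s, p), "bytes revealed")
```

revealed_bytes makes the witness trade-off concrete: the deepest leaf of an n-script tree costs about 32 bytes per level of depth (roughly 32·log2(n)) on top of the script itself, against a 64-byte key-path signature under Taproot, while the committed root discloses nothing Shor can work on until a leaf is spent, and only that leaf's key at that.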
<\/p>\n<p>Proposals to freeze or otherwise treat unmigrated coins differently, however, raise politically explosive questions about immutability, neutrality, and property rights.<\/p>\n<p>The risk of deadlock is why planning early matters, even if timelines remain uncertain.<\/p>\n<h2 class=\"wp-block-heading\">Risks, Reality and Readiness<\/h2>\n<p>Quantum is a real, long-horizon challenge for Bitcoin. It isn\u2019t, however, an existential cliff edge. The risk is uneven, tied to specific exposure profiles and subject to hardware timelines that remain genuinely uncertain. Importantly, it\u2019s not arriving into a vacuum: developers are already sketching credible migration paths, the kind of long-range planning that matters as much to institutions as it does to anyone holding Bitcoin for the long term.<\/p>\n<p>The hardest part for now is coordination. Any transition will be slow \u2014 <a href=\"https:\/\/cointelegraph.com\/magazine\/bitcoin-7-years-upgrade-post-quantum-bip-360-co-author\/\">potentially taking years<\/a> \u2014 contested and complicated by coins that never move. But Bitcoin is conservative by design, and that conservatism is a feature, making staged, opt-in change possible without forcing everyone onto a single rushed deadline. 
Taproot is a recent reminder that meaningful upgrades can ship when the case is clear and incentives align.<\/p>\n<p>Taken together, that points to the only posture that really makes sense for now: as with everything, preparation beats panic \u2014 and Bitcoin still has time to prepare.<\/p>\n<p>The post <a href=\"https:\/\/blog.bitfinex.com\/education\/can-bitcoin-handle-the-threat-from-quantum-computing\/\">Can Bitcoin Handle the Threat from Quantum Computing?<\/a> appeared first on <a href=\"https:\/\/blog.bitfinex.com\/\">Bitfinex blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Quantum computing has recently become one of the biggest open questions in Bitcoin, particularly for institutions. Not because a breakthrough is considered imminent, but because long-horizon tail risks matter.\u00a0 If quantum machines ever reached the right scale, they could theoretically target the cryptography upon which Bitcoin relies, raising uncomfortable questions not only about security but 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-136956","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/136956"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=136956"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/136956\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=136956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=136956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=136956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}