Bitcoin facing quantum risk: The paths to protect the biggest blockchains

TapChiBitcoin

A sufficiently powerful quantum computer capable of breaking the Bitcoin blockchain does not exist yet. However, developers have already started discussing a wave of upgrades aimed at building a defensive layer against this potential threat—and there is solid reason for that, because this risk is no longer just a pure hypothesis.

This week, researchers at Google published a study showing that a sufficiently powerful quantum computer could break Bitcoin’s core cryptography in less than 9 minutes—faster by 1 minute than the average confirmation time of a Bitcoin block. Some analysts believe such a threat could become reality in 2029.

Developers

The risk is enormous: About 6.5 million bitcoins, worth hundreds of billions of dollars, are sitting in addresses that a quantum computer could target directly. Some of that belongs to Satoshi Nakamoto, the anonymous founder of Bitcoin. In addition, if compromised, this would undermine Bitcoin’s core principles—“trust the code” and “sound money.”

Below is how this threat works, along with the proposals being considered to mitigate it.

Two ways a quantum machine can attack Bitcoin

First, understand the vulnerability before getting into the proposals.

Bitcoin security is built on a one-way mathematical relationship. When you create a wallet, a private key (a secret random number) is generated, and the public key is derived from it.

To spend bitcoin, you must prove ownership of the private key—not by disclosing it, but by using it to create a cryptographic signature that the network can verify.

This system is secure because modern computers would need billions of years to break the elliptic curve cryptography—specifically, the elliptic curve digital signature algorithm (ECDSA)—to derive the private key from the public key. As a result, the blockchain is considered nearly impossible to compromise in a computational sense.

But a future quantum computer could turn this one-way path into a two-way one by deriving the private key from the public key and then draining your funds.

Public keys are exposed in two ways: from coins resting on-chain (a long-term exposure attack) or from coins in motion, that is, transactions waiting in the mempool (a short-term exposure attack).

Pay-to-Public-Key (P2PK) addresses—used by Satoshi and the earliest miners—along with Taproot (P2TR), the address format enabled in 2021, are both vulnerable to long-term exposure attacks. Coins in these addresses do not need to move to expose the public key; the exposure has already happened and anyone in the world can read it, including a quantum attacker in the future. About 1.7 million BTC are in old P2PK addresses, including Satoshi’s coins.

Short-term exposure attacks involve the mempool—“the waiting room” for transactions that have not yet been confirmed. While the transaction sits there waiting to be included in a block, both your public key and your signature are visible to the entire network.

A quantum computer could access that data, but it only has a very short window—before the transaction is confirmed and buried under the next blocks—to derive the corresponding private key and act.
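The two exposure paths above come down to one question a wallet owner can ask of every output they hold: does the output script contain the public key itself, or only a hash of it? The script below is an added example, not code from the article or from any Bitcoin project. It derives a compressed secp256k1 public key from a private key with a textbook double-and-add (to show the cheap direction of the one-way relationship), then classifies standard output scripts by whether the key is already on-chain (P2PK, P2TR) or only revealed at spend time (P2PKH, P2WPKH, P2SH, P2WSH). The private keys and satoshi amounts in the demo are constructed sample values.

```python
"""Added example (not from the article): derive a secp256k1 public key and
classify Bitcoin output scripts by whether they already expose that key.
Standard library only; the curve arithmetic is for illustration, not for
production signing (it is not constant-time)."""
import hashlib

# secp256k1 domain parameters (public constants from the curve standard)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def pubkey_from_privkey(d: int) -> bytes:
    """The one-way step: computing d*G is cheap; recovering d from d*G is the
    discrete-log problem, classically infeasible but within reach of Shor's algorithm."""
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    result, addend = None, G
    while d:                      # double-and-add scalar multiplication
        if d & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        d >>= 1
    x, y = result
    return bytes([0x02 + (y & 1)]) + x.to_bytes(32, "big")   # compressed SEC encoding


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)); what P2PKH and P2WPKH outputs put on-chain instead of the key."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def p2pk_script(pubkey: bytes) -> bytes:     # <pubkey> OP_CHECKSIG: key itself is on-chain
    return bytes([len(pubkey)]) + pubkey + b"\xac"


def p2pkh_script(pubkey: bytes) -> bytes:    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    return b"\x76\xa9\x14" + hash160(pubkey) + b"\x88\xac"


def p2wpkh_script(pubkey: bytes) -> bytes:   # OP_0 <20-byte key hash>
    return b"\x00\x14" + hash160(pubkey)


def classify_script_pubkey(spk: bytes):
    """Return (script type, key_exposed). key_exposed=True means the public key is
    readable from the output right now (long-term exposure). False means only a
    hash is on-chain, so the key appears only when the coins move (short-term
    exposure) or if the address was already reused in an earlier spend."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", False
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", False
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    if n == 34 and spk[:2] == b"\x51\x20":   # OP_1 <32-byte x-only output key>: key is on-chain
        return "P2TR", True
    return "unknown", True                  # conservative default for unrecognised scripts


def exposure_report(utxos):
    """utxos: iterable of (scriptPubKey, amount_sat). Returns the satoshis held in
    outputs whose public key is already public, i.e. the coins to migrate first."""
    return sum(sats for spk, sats in utxos if classify_script_pubkey(spk)[1])


if __name__ == "__main__":
    pk = pubkey_from_privkey(1)                         # constructed sample key
    sample = [(p2pk_script(pk), 50_000_000),            # constructed sample amounts
              (p2pkh_script(pk), 30_000_000),
              (p2wpkh_script(pk), 20_000_000)]
    for spk, sats in sample:
        print(classify_script_pubkey(spk), sats)
    print("sats in exposed-key outputs:", exposure_report(sample))
```

A wallet that runs this over its own UTXO set gets the same split the article draws: P2PK and P2TR outputs are exposed today, hashed outputs are exposed only during a spend, and the total returned by `exposure_report` is the amount a future key-path change like the proposals below would have to cover.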

Initiatives

BIP 360: Remove public keys

As mentioned above, every new Bitcoin address created with Taproot today permanently exposes the public key on-chain, giving a future quantum computer a target that never goes away.

Bitcoin Improvement Proposal (BIP) 360 removes public keys that are permanently embedded on-chain and shown to everyone by introducing a new type of output called Pay-to-Merkle-Root (P2MR).

Remember that the quantum computer would take the public key, derive the matching private key from it, and thereby hold a working copy of your key. If we remove the public key, the attacker will have nothing to latch onto. Meanwhile, everything else—including Lightning payments, multisignature setups, and other Bitcoin features—stays the same.

However, if implemented, this proposal would only protect coins created in the future. The 1.7 million BTC currently sitting in exposed-key addresses are a separate issue, handled by the other proposals below.

SPHINCS+ / SLH-DSA: Hash-based post-quantum signatures

SPHINCS+ is a post-quantum signature scheme built on hash functions, designed to avoid the quantum risks that elliptic curve cryptography—used by Bitcoin—faces. While Shor’s algorithm threatens ECDSA, hash-based designs like SPHINCS+ are not considered to be similarly vulnerable.

This scheme was standardized by the U.S. National Institute of Standards and Technology (NIST) in August 2024 under the name FIPS 205 (SLH-DSA) after years of public review.

The price of that extra security is size. While today’s Bitcoin signatures are only 64 bytes, SLH-DSA signatures are 8 kilobytes (KB) or larger. Therefore, if SLH-DSA were adopted, block space demand would increase significantly and transaction fees would also be higher.

That’s why proposals such as SHRIMPS (another hash-based post-quantum signature scheme) and SHRINCS were introduced to reduce signature size without sacrificing post-quantum security. Both are built on SPHINCS+ but aim to keep its security guarantees in a more practical form, saving more space for the blockchain.

Tadge Dryja’s Commit/Reveal system: Emergency brakes for the mempool

This proposal, a soft fork put forward by Lightning Network co-founder Tadge Dryja, aims to protect transactions in the mempool from a future quantum attacker. It does so by splitting transaction execution into two phases: Commit and Reveal.

Imagine telling your counterpart that you’ll send them an email, and then actually sending the email. The first part is the commit phase, and the act of sending the email is the reveal phase.

On the blockchain, that means first you publish a sealed fingerprint of your intent—just a hash, revealing nothing about the transaction. The blockchain will timestamp that fingerprint forever. Then, when you broadcast the actual transaction, the public key will be revealed—and yes, a quantum computer monitoring the network could derive the private key from that and create a competing transaction to steal your funds.

But that fraudulent transaction will be rejected immediately. The network checks: does this spending transaction have a prior commitment recorded on-chain? Your transaction does. The attacker’s does not—they just created it minutes earlier. The fingerprint registered in advance is your alibi.

The problem is that the cost will increase because the transaction is split into two stages. So, it’s considered an interim bridge—practical enough to deploy while the community continues building quantum defenses.
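The mempool check described above can be modelled in a few dozen lines. The following toy chain is an added example, not Tadge Dryja's code or the proposal's actual consensus rules: the commitment is assumed to be a SHA-256 hash over the output being spent, the destination and the public key (so it hides the key and is bound to one destination), and a commitment is assumed to need at least one block of age before the spend it covers can be mined. The identifiers `utxo-01`, `alice-pubkey` and the address labels are constructed sample values. The `sig_ok` flag stands in for the ECDSA check, which a quantum attacker who has derived the key can also pass; the point is that the commitment check stops them anyway.

```python
"""Added example (not from the article or the proposal): a toy commit/reveal
rule for spends, showing why a forged competing transaction is rejected."""
import hashlib
from dataclasses import dataclass

MIN_COMMIT_AGE = 1   # assumption: a commitment must be at least this many blocks old


def commitment_of(utxo_id: bytes, destination: bytes, pubkey: bytes) -> bytes:
    """The sealed fingerprint published in the commit phase. It binds the destination,
    so it cannot be reused for a spend elsewhere, and it hides the public key behind
    a hash, which Shor's algorithm does not break."""
    return hashlib.sha256(b"commit:" + utxo_id + destination + pubkey).digest()


@dataclass
class SpendTx:
    utxo_id: bytes
    destination: bytes
    pubkey: bytes      # becomes visible to the whole network in the reveal phase
    sig_ok: bool       # stand-in for the ECDSA check; a quantum attacker can pass it


class ToyChain:
    def __init__(self):
        self.height = 0
        self.commitments = {}   # commitment hash -> block height it was mined at
        self.spent = set()

    def validate_spend(self, tx: SpendTx):
        """The extra consensus question: does this spend have an old enough commitment?"""
        if not tx.sig_ok:
            return False, "bad signature"
        if tx.utxo_id in self.spent:
            return False, "already spent"
        c = commitment_of(tx.utxo_id, tx.destination, tx.pubkey)
        if c not in self.commitments:
            return False, "no prior commitment"
        if self.height - self.commitments[c] < MIN_COMMIT_AGE:
            return False, "commitment too recent"
        return True, "ok"

    def mine_block(self, commitments=(), spends=()):
        """Mine one block: register new commitments, then include spends that pass."""
        self.height += 1
        for c in commitments:
            self.commitments.setdefault(c, self.height)
        included = []
        for tx in spends:
            if self.validate_spend(tx)[0]:
                self.spent.add(tx.utxo_id)
                included.append(tx)
        return included


def run_scenario():
    """Alice commits, reveals, and is raced by Mallory, who derived Alice's key."""
    chain = ToyChain()
    utxo, alice_pub = b"utxo-01", b"alice-pubkey"          # constructed sample values
    # Commit phase: only the hash goes on-chain; nothing about the spend is visible.
    chain.mine_block(commitments=[commitment_of(utxo, b"alice-new-address", alice_pub)])
    chain.mine_block()                                      # commitment is now one block old
    # Reveal phase: Alice broadcasts, and her public key is now readable in the mempool.
    honest = SpendTx(utxo, b"alice-new-address", alice_pub, sig_ok=True)
    # Mallory derives the private key from the revealed key and broadcasts a competitor.
    forged = SpendTx(utxo, b"mallory-address", alice_pub, sig_ok=True)
    results = {"honest": chain.validate_spend(honest),
               "forged": chain.validate_spend(forged)}
    # Next block: Alice's spend confirms; Mallory's belated commitment lands in the same block.
    chain.mine_block(commitments=[commitment_of(utxo, b"mallory-address", alice_pub)],
                     spends=[honest])
    results["forged_after_commit"] = chain.validate_spend(forged)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>20}: {outcome}")
```

The race that matters is between the attacker committing and the honest transaction confirming: once the honest spend is buried, the attacker's freshly committed competitor fails on "already spent", and before that it fails on "no prior commitment". The same structure also explains the cost the article mentions: every spend now pays for two on-chain steps.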

Hourglass V2: Slow down the selling pace of old coins

Proposed by developer Hunter Beast, Hourglass V2 targets a quantum vulnerability related to about 1.7 million BTC sitting in old addresses that have been publicly exposed.

This proposal acknowledges that those coins could be stolen in a future quantum attack and seeks to slow the loss process by limiting sales to one bitcoin per block, to avoid an overnight wave of mass liquidation that could cause the market to collapse.

The analogy is a bank run: you can’t stop everyone from withdrawing funds, but you can limit the withdrawal rate so the system doesn’t collapse overnight. This proposal is controversial because even such a minimal restriction is seen by some in the Bitcoin community as violating the principle that no one is allowed to interfere with your right to spend your coins.

Conclusion

These proposals have not yet been activated, and Bitcoin’s decentralized governance mechanism—covering developers, miners, and node operators—means any upgrades need time to become real.

That said, the steady wave of proposals appearing ahead of Google’s report this week shows the issue has been on developers’ radar for a long time, which could help ease market concerns.
