What really threatens Bitcoin in the quantum era: Between fear and reality
What is a Quantum Computer and Why Should Bitcoin Be Concerned?
Before we discuss Bitcoin’s future, it’s important to understand what the actual threat entails. Quantum computers operate on fundamentally different principles from classical computers. Instead of bits (0 or 1), they use qubits, which can be placed in superpositions of 0 and 1 and made to interfere, so that for certain specific problems the number of steps required drops dramatically; this is not a general speedup for all computation. For Bitcoin, the dangerous case is Shor’s algorithm, which solves the elliptic-curve discrete logarithm problem in polynomial time and so, in theory, derives a private key from its public key.
Why is this a threat? Bitcoin authorizes transactions with digital signatures: ECDSA and, since Taproot, Schnorr signatures, both on the secp256k1 curve. Today, computing a private key from a public key is not impossible in principle, but it is computationally infeasible on classical hardware, and that infeasibility is the foundation of the network’s security. A sufficiently powerful quantum computer would remove it. Published estimates put the requirement at roughly 2000 to 4000 logical qubits operating with very low error rates; because each logical qubit must be assembled from many noisy physical qubits through error correction, this corresponds to millions of physical qubits. Today’s devices offer on the order of a thousand noisy physical qubits and only a handful of logical ones, far from this threshold.
Security Window: Does Bitcoin Have Enough Time?
Here comes the first dose of reassurance. Estimates suggest that quantum computers capable of posing a real threat to Bitcoin are at least a decade away, although such forecasts carry wide error bars. This theoretically gives the network enough time to prepare. NIST has already finalized post-quantum signature standards: ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) have been published as FIPS 204 and FIPS 205, and FN-DSA (Falcon) is awaiting approval as FIPS 206. These schemes rest on problems (structured lattices, hash functions) for which no quantum attack is known, and are considered resistant under current knowledge.
In theory, Bitcoin could introduce new output types (for example a new SegWit witness version whose spending condition is a post-quantum signature) or hybrid constructions that require both a classical and a post-quantum signature. Bitcoin Optech has tracked proposals along these lines, including ones that use signature aggregation and Taproot-based constructions. Performance studies suggest that even SLH-DSA, which has the largest signatures of the three, could be run on the network at verification costs comparable to today’s load. The scenario in which Bitcoin adapts to the quantum threat is not technically impossible.
Migration Cost: The Hidden Price of Security
However, the story of technical possibilities doesn’t tell the whole truth. Transitioning to post-quantum signatures has real economic consequences. Research published in the Journal of British Blockchain Association indicates that achieving quantum security reduces block capacity, with estimates of roughly a halving. The reason is size: a secp256k1 signature is 64 to 72 bytes and a public key 33 bytes, while the post-quantum schemes need hundreds to thousands of bytes per signature and, for the lattice schemes, a public key of a kilobyte or more; some of them are also costlier to verify.
This, in turn, means higher operational costs for nodes. Transaction fees will tend to rise because each signature takes up more of the limited block space. This isn’t a catastrophe, but it isn’t a free benefit either: it’s a trade-off between quantum security and today’s efficiency.
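To make the capacity argument concrete, here is an added example, written for this page and not taken from the article or the paper it cites, that applies Bitcoin’s SegWit weight accounting to a one-input, one-output payment under each signature scheme. The public-key and signature lengths for ML-DSA-44, Falcon-512 and SLH-DSA-SHA2-128s are the byte sizes from their NIST specifications; the transaction skeleton is ordinary serialization overhead; and the `witness_wu_per_byte` parameter is a what-if knob (today every witness byte weighs exactly 1 WU), included only to show how deep a new witness discount would have to be.

```python
"""SegWit weight accounting for one-key spends under today's curves and the
NIST post-quantum signature standards.

Added example, not taken from the article or the paper it cites. Key and
signature lengths for ML-DSA-44, FN-DSA/Falcon-512 and SLH-DSA-SHA2-128s are
the byte sizes from their NIST specifications; the transaction skeleton is the
standard serialization overhead. witness_wu_per_byte is a what-if knob (today
every witness byte weighs exactly 1 WU), not an existing consensus rule."""

BLOCK_WEIGHT_LIMIT = 4_000_000          # weight units (WU) per block

# name -> (public key bytes carried in the witness, signature bytes)
SCHEMES = {
    "ECDSA/secp256k1 (P2WPKH)": (33, 72),          # compressed key; DER sig + sighash byte
    "Schnorr/secp256k1 (P2TR key path)": (0, 64),  # key sits in the output, not the witness
    "ML-DSA-44 (FIPS 204)": (1312, 2420),
    "FN-DSA/Falcon-512 (FIPS 206 draft)": (897, 666),   # 666 is the nominal signature size
    "SLH-DSA-SHA2-128s (FIPS 205)": (32, 7856),
}

def push_overhead(n: int) -> int:
    """Bytes needed to encode an n-byte witness item's length (CompactSize)."""
    return 1 if n < 0xfd else 3 if n <= 0xffff else 5

def tx_parts(pubkey_len: int, sig_len: int, n_inputs: int = 1, n_outputs: int = 1):
    """(non-witness bytes, witness bytes) of a transaction whose inputs are
    one-key witness spends and whose outputs are 34-byte scripts (P2TR/P2WSH size)."""
    base = 10                                    # version(4) + in count(1) + out count(1) + locktime(4)
    base += n_inputs * (32 + 4 + 1 + 4)          # txid, vout, empty scriptSig length, sequence
    base += n_outputs * (8 + 1 + 34)             # value, script length, script
    witness = 2                                  # marker + flag
    for _ in range(n_inputs):
        items = [sig_len] + ([pubkey_len] if pubkey_len else [])
        witness += 1 + sum(push_overhead(n) + n for n in items)   # item count + pushes
    return base, witness

def tx_weight(pubkey_len: int, sig_len: int, witness_wu_per_byte: float = 1.0) -> int:
    """Weight in WU: non-witness bytes cost 4 WU, witness bytes cost 1 WU today."""
    base, witness = tx_parts(pubkey_len, sig_len)
    return int(4 * base + witness * witness_wu_per_byte)

def capacity_table():
    """scheme -> (weight of a 1-in-1-out payment, payments per block,
    capacity relative to ECDSA/P2WPKH)."""
    baseline = BLOCK_WEIGHT_LIMIT // tx_weight(*SCHEMES["ECDSA/secp256k1 (P2WPKH)"])
    table = {}
    for name, (pk, sig) in SCHEMES.items():
        w = tx_weight(pk, sig)
        per_block = BLOCK_WEIGHT_LIMIT // w
        table[name] = (w, per_block, round(per_block / baseline, 3))
    return table

def witness_wu_for_capacity_ratio(pubkey_len: int, sig_len: int, ratio: float = 0.5) -> float:
    """Witness weight per byte a new output type would need so that payments
    signed with this scheme keep `ratio` of today's ECDSA capacity (0.5 = halving)."""
    target = tx_weight(*SCHEMES["ECDSA/secp256k1 (P2WPKH)"]) / ratio
    base, witness = tx_parts(pubkey_len, sig_len)
    return (target - 4 * base) / witness

if __name__ == "__main__":
    for name, (w, n, rel) in capacity_table().items():
        print(f"{name:40s} {w:6d} WU  {n:5d} tx/block  x{rel}")
    for name in ("ML-DSA-44 (FIPS 204)", "FN-DSA/Falcon-512 (FIPS 206 draft)", "SLH-DSA-SHA2-128s (FIPS 205)"):
        print(f"{name}: witness WU/byte needed for a halving = {witness_wu_for_capacity_ratio(*SCHEMES[name]):.3f}")
```

With today’s rules the model gives roughly 8,200 such payments per block with ECDSA, about 2,050 with Falcon-512, 970 with ML-DSA-44 and 480 with SLH-DSA-128s, so a mere halving is reachable only through a compact scheme, aggregation, or a new output type that discounts witness bytes far more heavily than SegWit does; `witness_wu_for_capacity_ratio` returns that required discount (about 0.38 WU per byte for Falcon-512 and 0.16 for ML-DSA-44, against 1.0 today).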
The Key Revelation Problem: 1.7 Million Bitcoins at Risk
Here, the issue becomes more alarming. Vulnerability to quantum attacks is not evenly distributed among all Bitcoins. It depends on the type of address and whether the public key is already visible on the blockchain.
Early pay-to-public-key (P2PK) outputs place the raw public key directly on-chain, so they are protected by nothing but the hardness of ECDSA. Standard P2PKH and SegWit P2WPKH addresses commit to a hash of the key (HASH160, i.e. RIPEMD-160 of SHA-256), so the key only appears when the coins are spent. Script-hash outputs (P2SH, P2WSH) behave the same way for the keys inside the script. The newer Taproot P2TR outputs put the (tweaked) public key on-chain from day one, meaning these UTXOs are exposed even before they are spent. One further caveat: a hashed address that has been spent from once has revealed its key, so any coins later sent to that same address are exposed as well.
Chain data analysis shows a worrying picture: about 25% of all Bitcoins sit in outputs whose public key is already visible. That figure counts everything exposed, including coins on reused hashed addresses that have been spent from before. Within it, estimates indicate around 1.7 million BTC from the “Satoshi era” remain in old P2PK outputs, plus hundreds of thousands more in newer Taproot outputs. Some of these coins are commonly considered “lost,” but in reality they are floating assets that, once sufficient quantum power appears, could become prey for the first attacker.
Coins that never revealed the public key (single-use P2PKH or P2WPKH addresses) are in a much better position. They are protected by the hash of the key, against which Grover’s algorithm provides only a quadratic speedup; for a 160-bit HASH160 that still leaves on the order of 2^80 quantum operations, and a future output type can widen the margin simply by using a longer hash. The protection lasts only until the owner spends, however: at that moment the key is revealed, which is the window the mempool attack discussed below exploits.
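The following is an added example (not code from the article) that classifies raw scriptPubKeys into the output types discussed above, reports the exposure class of each, and totals exposed versus protected value over a small UTXO set. The templates are the standard output scripts; the keys, hashes, UTXOs and the list of addresses already spent from are constructed placeholders, not chain data. It goes one step beyond the text by treating coins sent to a hashed address that has already been spent from as exposed, since that earlier spend put the key on-chain.

```python
"""Classify Bitcoin output scripts by whether the spending key is visible on-chain,
and total the exposed coins in a UTXO set.

Added example, not from the article. The script templates are the standard
output types; the UTXO set and the "already spent from" list at the bottom are
constructed sample data, not chain data."""

from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xa9, 0xac)

AT_REST = "key visible at rest"
ON_SPEND = "key hidden until spent"
SCRIPT_HASH = "keys inside a hashed script, revealed when spent"
UNKNOWN = "unknown"

def classify(spk: bytes):
    """Return (output type, exposure) for a raw scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG and spk[1] in (2, 3, 4):
        return "P2PK", AT_REST                        # <key> OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", ON_SPEND                      # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "P2SH", SCRIPT_HASH                    # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "P2WPKH", ON_SPEND                     # witness v0, 20-byte program = HASH160(key)
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "P2WSH", SCRIPT_HASH                   # witness v0, 32-byte program = SHA256(script)
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "P2TR", AT_REST                        # witness v1, 32-byte x-only output key
    return "nonstandard", UNKNOWN

@dataclass
class Utxo:
    txid: str
    vout: int
    value_btc: float
    spk: bytes

def exposed_now(u: Utxo, spent_from: set) -> bool:
    """Could an attacker with a key-recovering machine target this output today,
    without waiting for the owner to spend? Yes if the key is on-chain by
    construction, or if this exact script was already spent from (address reuse)."""
    _, exposure = classify(u.spk)
    return exposure == AT_REST or u.spk in spent_from

def tally(utxos, spent_from):
    """Exposed vs protected value per output type, in BTC."""
    totals = {}
    for u in utxos:
        kind, _ = classify(u.spk)
        bucket = "exposed" if exposed_now(u, spent_from) else "protected"
        totals.setdefault(kind, {"exposed": 0.0, "protected": 0.0})[bucket] += u.value_btc
    return totals

def exposed_fraction(utxos, spent_from) -> float:
    total = sum(u.value_btc for u in utxos)
    exposed = sum(u.value_btc for u in utxos if exposed_now(u, spent_from))
    return exposed / total if total else 0.0

# --- constructed sample data (placeholder keys and hashes, not real chain data) ---
KEY = bytes([0x02]) + b"\x11" * 32            # compressed-key shaped placeholder
H_REUSED = b"\xaa" * 20                       # HASH160 of an address spent from before
H_FRESH = b"\xbb" * 20                        # HASH160 of a never-spent address
PROG32 = b"\xcc" * 32                         # placeholder 32-byte witness program

P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 20]) + H_REUSED + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_UTXOS = [
    Utxo("tx1", 0, 50.0, bytes([33]) + KEY + bytes([OP_CHECKSIG])),   # Satoshi-era style P2PK
    Utxo("tx2", 0, 1.5, P2PKH_REUSED),                                # coins sent to a reused address
    Utxo("tx3", 1, 0.7, bytes([OP_0, 20]) + H_FRESH),                 # single-use P2WPKH
    Utxo("tx4", 0, 2.0, bytes([OP_1, 32]) + PROG32),                  # Taproot
    Utxo("tx5", 0, 3.0, bytes([OP_0, 32]) + PROG32),                  # P2WSH, never spent from
]
SPENT_FROM = {P2PKH_REUSED}

if __name__ == "__main__":
    for kind, t in tally(SAMPLE_UTXOS, SPENT_FROM).items():
        print(f"{kind:7s} exposed={t['exposed']:6.2f} protected={t['protected']:6.2f}")
    print(f"exposed fraction: {exposed_fraction(SAMPLE_UTXOS, SPENT_FROM):.1%}")
```

Run over a real UTXO snapshot, `spent_from` would be the set of scripts seen in any spent input, which is exactly the join that turns the P2PK figure into the larger “25% of supply” figure quoted above.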
Supply Scenarios: Almost All Lead to Chaos
Michael Saylor claims that “security increases, supply decreases.” This oversimplification ignores the complexity of real scenarios.
The first scenario is “shrinking supply through abandonment.” Coins in vulnerable outputs whose owners never migrate could be taken out of circulation deliberately: by a consensus rule that sunsets legacy signature types after a deadline, or by a convention among nodes and exchanges to treat such coins as tainted. This could indeed reduce the effective circulating supply.
The second scenario is “distortion of supply through theft.” A quantum attacker with the right machine could methodically drain exposed wallets. This wouldn’t be “burning” coins but transferring them to a wallet controlled by the attacker — with no bullish implications for valuation.
The third scenario is “panic before physics.” Speculation about upcoming quantum threats could trigger preemptive sell-offs, chain splits, or mass capital migration. This scenario might be more dangerous than the technology itself.
None of these paths guarantees a clean reduction in circulating supply that would be bullish. They could as easily lead to chaotic valuation changes, contentious forks, and waves of attacks on older wallets.
Coordination Challenge: Physics Is a Lesser Problem
The good news is that Bitcoin’s SHA-256 proof-of-work is comparatively resistant to quantum attacks. Grover’s algorithm offers only a quadratic speedup on the search for a valid block hash, it parallelizes poorly, and error-corrected quantum gates are far slower than ASIC hashing, so the practical advantage of a quantum miner is expected to be modest and, like any other increase in hashrate, would be absorbed by the regular difficulty retargeting. The critical threat remains the digital signature scheme.
But here arises a problem beyond mathematics. Bitcoin has no central authority to enforce updates. Any post-quantum migration would require overwhelming consensus among developers, miners, exchanges, and large holders. This coordination must happen before quantum computers capable of real attacks appear, and for coins in exposed outputs it must also include the owners actually moving them, since no protocol change can re-hide a key that is already on-chain.
Recent analyses from venture capital circles emphasize that governance and timing pose greater risks than the mathematics itself. The Bitcoin community has historically struggled even with simple upgrades. A post-quantum transition would be the most ambitious change in the network’s history.
Subtle Mempool Attacks
One often overlooked detail concerns the mempool, the waiting room where transactions sit before being mined. When someone spends from a hashed-key address, the public key is revealed in the transaction’s witness (or scriptSig) the moment it is broadcast, before it is confirmed. Against a quantum attacker this opens a “sign-and-steal” race: an observer watches the mempool, derives the private key from the freshly revealed public key, and broadcasts a conflicting transaction that spends the same output to itself with a higher fee. Two caveats matter. The attacker must derive the key within the roughly ten minutes until the next block, which demands a far faster machine than the “long-range” attack on keys that have sat on-chain for years. And replacement is a policy matter: a node that does not relay replace-by-fee replacements will not forward the competing transaction, although an attacker who is also a miner, or who pays one, needs no mempool cooperation at all.
This isn’t an easy attack, but it’s a possibility that traditional risk analysis often ignores.
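As an added example, not code from the article, the following parses a SegWit transaction exactly as a mempool observer would and lists the public keys its witnesses disclose; it is also what a wallet could run on its own transaction before broadcasting to see what it is about to reveal. The serialization follows BIP 141. The sample transaction in `build_sample_tx()` is constructed with placeholder keys and signature-shaped filler bytes; no valid signature is produced, and none is needed to read the keys.

```python
"""Parse a SegWit transaction as a mempool observer would and list the public
keys its witnesses reveal. Added example, not from the article: serialization
follows BIP 141; build_sample_tx() uses placeholder keys and signature-shaped
filler (no valid signatures are produced; none are needed to read the keys)."""

import hashlib
import struct

def varint(n: int) -> bytes:
    """CompactSize encoding (lengths in this example never exceed 0xffff)."""
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def read_varint(b: bytes, i: int):
    """Decode a CompactSize at offset i; return (value, next offset)."""
    first = b[i]
    if first < 0xfd:
        return first, i + 1
    fmt, size = {0xfd: ("<H", 2), 0xfe: ("<I", 4), 0xff: ("<Q", 8)}[first]
    return struct.unpack_from(fmt, b, i + 1)[0], i + 1 + size

def serialize_segwit_tx(inputs, outputs, witnesses, version=2, locktime=0) -> bytes:
    """inputs: [(txid32, vout)], outputs: [(sats, scriptPubKey)], witnesses: [[item, ...]]."""
    raw = struct.pack("<i", version) + b"\x00\x01" + varint(len(inputs))  # marker + flag
    for txid, vout in inputs:   # empty scriptSig; sequence 0xfffffffd signals replaceability
        raw += txid + struct.pack("<I", vout) + varint(0) + struct.pack("<I", 0xfffffffd)
    raw += varint(len(outputs))
    for sats, spk in outputs:
        raw += struct.pack("<q", sats) + varint(len(spk)) + spk
    for items in witnesses:
        raw += varint(len(items)) + b"".join(varint(len(x)) + x for x in items)
    return raw + struct.pack("<I", locktime)

def parse_witnesses(raw: bytes):
    """Witness stack of every input of a serialized SegWit transaction."""
    if raw[4:6] != b"\x00\x01":
        raise ValueError("not a SegWit serialization")
    n_in, i = read_varint(raw, 6)
    for _ in range(n_in):                   # skip txid, vout, scriptSig, sequence
        l, i = read_varint(raw, i + 36)
        i += l + 4
    n_out, i = read_varint(raw, i)
    for _ in range(n_out):                  # skip value and scriptPubKey
        l, i = read_varint(raw, i + 8)
        i += l
    stacks = []
    for _ in range(n_in):
        n_items, i = read_varint(raw, i)
        items = []
        for _ in range(n_items):
            l, i = read_varint(raw, i)
            items.append(raw[i:i + l])
            i += l
        stacks.append(items)
    return stacks

def keys_in_script(script: bytes):
    """Public keys pushed in a script (33-byte compressed or 65-byte uncompressed)."""
    keys, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4b:                 # direct push of `op` bytes
            n = op
        elif op == 0x4c:                    # OP_PUSHDATA1
            n, i = script[i], i + 1
        else:                               # OP_n, OP_CHECKMULTISIG, ... carry no data
            continue
        data = script[i:i + n]
        i += n
        if (len(data) == 33 and data[0] in (2, 3)) or (len(data) == 65 and data[0] == 4):
            keys.append(data)
    return keys

def revealed_keys(stack):
    """What one input's witness tells an observer. Heuristic on stack shape; a
    P2TR script-path spend (last item is a control block) would need the spent
    output to be classified correctly."""
    if len(stack) == 2 and len(stack[1]) == 33 and stack[1][0] in (2, 3):
        return {"type": "P2WPKH", "keys": [stack[1]]}   # HASH160(key) was the address; key now public
    if len(stack) == 1 and len(stack[0]) in (64, 65):
        return {"type": "P2TR key path", "keys": []}      # key was already in the output
    if not stack:
        return {"type": "non-witness input", "keys": []}
    script = stack[-1]                                    # P2WSH: witnessScript is the last item
    return {"type": "P2WSH", "keys": keys_in_script(script),
            "script_hash": hashlib.sha256(script).digest()}   # == the spent output's 32-byte program

def revealed_in_tx(raw: bytes):
    return [revealed_keys(stack) for stack in parse_witnesses(raw)]

def build_sample_tx() -> bytes:
    """Constructed spend with one P2WPKH input and one 2-of-2 P2WSH input."""
    k1, k2, k3 = (bytes([p]) + bytes([f]) * 32 for p, f in ((2, 0x11), (3, 0x22), (2, 0x33)))
    fake_sig = b"\x30" + b"\x44" * 70 + b"\x01"      # 72 bytes shaped like DER + SIGHASH_ALL
    witness_script = bytes([0x52, 33]) + k2 + bytes([33]) + k3 + bytes([0x52, 0xae])  # 2 <k2> <k3> 2 CHECKMULTISIG
    inputs = [(b"\xaa" * 32, 0), (b"\xbb" * 32, 1)]
    outputs = [(100_000, bytes([0x00, 20]) + b"\xcc" * 20)]      # one P2WPKH output
    witnesses = [[fake_sig, k1], [b"", fake_sig, fake_sig, witness_script]]
    return serialize_segwit_tx(inputs, outputs, witnesses)
```

For the P2WPKH input the key appears as the second witness item; for the P2WSH input every key in the witnessScript is disclosed at once, and the script’s SHA-256 is the 32-byte program of the output being spent, which is how an observer links the keys to that output. A Taproot key-path spend reveals nothing new, because its key was already in the output. Linking a P2WPKH key back to its address needs HASH160, which is left out here because RIPEMD-160 is not available in every Python build’s `hashlib`.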
Summary: Conditional Optimism
Bitcoin could strengthen itself in the quantum era. The network can implement new signatures, protect vulnerable outputs, and emerge with enhanced cryptographic guarantees. But Saylor’s assumption — that everything will go smoothly, that “lost coins will remain frozen,” and that “supply will decrease” — is more a bet on perfect coordination than on physics.
Reality is more complex. About 1.7 million Bitcoins are already in vulnerable outputs. Migration will be costly, politically challenging, and require unprecedented coordination. Bitcoin could emerge stronger from this, but only if developers and large holders react early, and the network avoids panic or mass theft.
Confidence is moderate. Engineering is feasible. But social coordination remains uncertain.