Threat to Bitcoin from quantum computers: Technical myth or real problem?

The widely circulated claim that quantum computers threaten "Bitcoin encryption" rests on a misunderstanding of the network's architecture. In reality, Bitcoin's security does not rely on encrypted secrets stored in the blockchain – a point made in many technical papers that rarely reaches the broader public. The real challenge concerns digital signatures and exposed public keys, which are the actual attack surface for the theoretical quantum threat.

Where does the real threat lie?

Confusing encryption with digital signature systems is the source of most misinformation about quantum-ready Bitcoin. The blockchain is a publicly accessible ledger – every transaction, amount, and address is visible to everyone. Nothing in this system is encrypted in the traditional sense.

Bitcoin's security rests on two pillars: signature schemes (ECDSA and Schnorr) and hash functions. These mechanisms prove control over key pairs; they do not protect information through encryption. If a sufficiently advanced quantum computer could run Shor's algorithm, it could derive a private key from a public key revealed on the blockchain. That would be forging authorization, not decrypting anything.

Mapping the actual exposure: what do we know today?

Vulnerability is not uniform across the network. Many address formats commit only to a hash of the public key – the raw public key stays hidden until a transaction spending from that address is issued. This narrows the window of opportunity for a potential attacker.

Project Eleven runs weekly scans and publishes the "Bitcoin Risq List" to track addresses with exposed public keys. Current estimates put about 6.7 million BTC on addresses meeting its criteria for quantum exposure. This figure serves as the reference point for the entire risk analysis.

Other script types, especially Taproot (P2TR), place a 32-byte tweaked public key directly in the output script. This changes the exposure profile but creates no new vulnerability today – it becomes critical only once cryptographically relevant quantum machines exist.

Computational dimension of the problem: how many qubits are needed?

Research gives clear, measurable targets. Computing the private key for a 256-bit elliptic curve requires approximately 2330 logical qubits (reference: Roetteler et al.). Turning this into a practical machine requires millions of physical qubits because of error-correction overhead.

Estimates from 2023 suggest:

  • ~6.9 million physical qubits to recover a key in about 10 minutes (Litinski's model)
  • ~13 million physical qubits to break a key within a day
  • ~317 million physical qubits for a one-hour target

Architectural choices (target runtime, physical error rates, and how error correction is implemented) make the actual cost vary drastically.

Grover’s algorithm: less threatening than Shor’s

For hash functions, the relevant quantum algorithm is Grover's. It gives only a quadratic speedup for brute-force search, not the discrete-logarithm break that Shor's algorithm achieves. A SHA-256 preimage still costs on the order of 2^128 work even with quantum optimization, which is not comparable to the threat to elliptic curves.

How can Bitcoin adapt?

Quantum risk is primarily a migration challenge, not a technical catastrophe. NIST has already standardized post-quantum primitives such as ML-KEM (FIPS 203). The Bitcoin community is discussing proposals such as BIP 360, which proposes "Pay to Quantum Resistant Hash."

The key migration constraints are bandwidth, storage, and transaction fees. Post-quantum signatures run to several kilobytes instead of tens of bytes, which changes the economics of transaction weight and the wallet user experience.
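To make the weight economics concrete, here is an added example (not from the article) that computes the BIP 141 virtual size and fee of a constructed 1-input, 2-output segwit spend under different signature sizes. The transaction layout is assumed for illustration, and the ML-DSA-44 sizes are the FIPS 204 values; Bitcoin does not currently use that scheme, so its row is hypothetical.

```python
import math

def compact_size(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for a value n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFF_FFFF else 9

def spend_vbytes(sig_bytes: int, pubkey_bytes: int = 0) -> int:
    """Virtual size of a constructed 1-input, 2-output segwit transaction whose
    witness holds one signature and, if pubkey_bytes > 0, one public key.
    BIP 141 weighting: non-witness bytes count 4, witness bytes count 1."""
    # Non-witness layout (assumed for illustration): version 4, input count 1,
    # one input (outpoint 36 + empty scriptSig 1 + sequence 4), output count 1,
    # two outputs with 22-byte scripts (8 amount + 1 length + 22 each), locktime 4.
    base = 4 + 1 + (36 + 1 + 4) + 1 + 2 * (8 + 1 + 22) + 4
    items = [sig_bytes] + ([pubkey_bytes] if pubkey_bytes else [])
    # marker + flag (2), witness item count (1), then each item with its length prefix
    witness = 2 + 1 + sum(compact_size(i) + i for i in items)
    return math.ceil((4 * base + witness) / 4)

# (signature bytes, public key bytes carried in the witness)
SCHEMES = {
    "ECDSA P2WPKH": (72, 33),               # DER sig with sighash byte + compressed key
    "Schnorr P2TR key path": (64, 0),       # BIP 340 sig only; the output already holds the key
    "ML-DSA-44 (FIPS 204)": (2420, 1312),   # NIST sizes; hypothetical Bitcoin use, not on the page
}

def fees_at(sat_per_vb: float) -> dict[str, int]:
    """Fee in satoshis for each scheme's spend at a given feerate."""
    return {name: math.ceil(spend_vbytes(*sizes) * sat_per_vb)
            for name, sizes in SCHEMES.items()}
```

At 10 sat/vB the ECDSA spend costs 1410 sat and the ML-DSA-44 spend 10490 sat, about 7.4 times more for the same payment.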

Recent reports indicate that corporations such as IBM put the path to a fault-tolerant system at around 2029. This suggests an adaptation window measured in years, not months.

The true direction of preparedness

What truly matters: what portion of the UTXO set has exposed public keys, how wallet behavior responds to that exposure, and how quickly the network can adopt quantum-resistant spending paths while keeping validation and the fee market stable.

Address reuse widens the window of exposure – once an address has spent, its public key is on-chain, and any future inflows to the same address remain exposed. Conversely, wallet designs can reduce risk through proper address management and early migration to post-quantum formats.
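The two exposure routes described above (a key placed directly in the output script, as with P2PK and Taproot, versus a hashed key revealed only by a spend and then exposed for any reused address) can be measured over a set of outputs. The following is an added example, not code from the article or from Project Eleven; it classifies raw scriptPubKeys by standard pattern and sums unspent value by exposure route over a constructed sample ledger with placeholder keys.

```python
from dataclasses import dataclass

def output_type(spk: bytes) -> str:
    """Return the standard script type of a raw scriptPubKey."""
    n = len(spk)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"    # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"   # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"     # OP_1 <32-byte x-only tweaked key>: key sits in the output
    if n in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:
        return "P2PK"     # <pubkey> OP_CHECKSIG: key sits in the output
    return "OTHER"        # P2SH, P2WSH, ...: treated like a hashed script here

KEY_IN_OUTPUT = {"P2PK", "P2TR"}   # key visible as soon as the output is created

@dataclass
class Output:
    spk: bytes    # scriptPubKey
    value: int    # satoshis
    spent: bool   # a spend reveals the key in scriptSig/witness

def exposed_unspent(outputs: list[Output]) -> dict[str, int]:
    """Sum unspent satoshis by exposure route: key in the script itself,
    key revealed by an earlier spend of the same script (address reuse),
    or still hidden behind a hash."""
    reused = {o.spk for o in outputs if o.spent}
    totals = {"key_in_script": 0, "address_reuse": 0, "hidden": 0}
    for o in outputs:
        if o.spent:
            continue
        if output_type(o.spk) in KEY_IN_OUTPUT:
            totals["key_in_script"] += o.value
        elif o.spk in reused:
            totals["address_reuse"] += o.value
        else:
            totals["hidden"] += o.value
    return totals

# Constructed sample ledger with placeholder hashes/keys (not real chain data).
P2PKH_SPK = b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"
SAMPLE = [
    Output(P2PKH_SPK, 100_000_000, spent=True),                 # spent once: key now public
    Output(P2PKH_SPK, 50_000_000, spent=False),                 # address reused: exposed
    Output(b"\x00\x14" + bytes(range(20)), 25_000_000, False),  # fresh P2WPKH: still hidden
    Output(b"\x51\x20" + bytes(32), 10_000_000, False),         # Taproot: key in output script
    Output(b"\x21" + bytes(33) + b"\xac", 5_000_000, False),    # legacy P2PK: key in script
]
```

Running `exposed_unspent(SAMPLE)` attributes 0.15 BTC to keys in the script, 0.5 BTC to address reuse, and 0.25 BTC to still-hidden keys; a real scan applies the same rule to the full UTXO set.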

The threat quantum computers pose to Bitcoin is not fiction, but its nature differs decidedly from what popular narratives suggest. It is not a matter of breaking encryption; it requires a coordinated evolution of the ecosystem in which each decision is grounded in measurable data about the network's current exposure.
