Quantum Vulnerability in Bitcoin: A Manageable Risk

Author | Christopher Bendiksen, CoinShares

Compiled by | GaryMa Wu Says Blockchain

Original link:

The future availability of practical quantum computers is not a zero-probability possibility, continuously sparking widespread discussions about their potential impact on the cryptographic security of Bitcoin. This is certainly healthy and a necessary precaution for a value storage system worth trillions of dollars. However, despite the theoretical challenges posed by this technology, the actual risks remain distant and can be addressed through direct means.

For institutional investors, understanding this issue requires distinguishing speculation (and unfortunately, a lot of self-interested hype and profit-seeking behavior) from evidence-based analysis. Bitcoin’s quantum vulnerability is not an imminent crisis but a foreseeable engineering consideration, and there is ample time to adapt.

Key Points Summary

Overview of Quantum Vulnerability: Shor’s algorithm could theoretically recover private keys protected by ECDSA/Schnorr, while Grover’s algorithm weakens SHA-256; the threat remains distant and is limited to about 1.7 million BTC in P2PK addresses (about 8% of total supply), with minimal potential to impact the market (see the last point below).

Security Framework: Relies on elliptic curves for authorization and hash functions for protection; quantum computing cannot change the supply cap of 21 million nor bypass proof-of-work. Modern P2PKH/P2SH outputs hide the public key until the coins are spent; the claim of 25% vulnerability exaggerates what are temporary, mitigable risks.

Timeline and Feasibility: Breaking secp256k1 within a feasible timeframe (<1 year) would require 10 to 100,000 times the current number of logical qubits; the relevant quantum technology is at least 10 years away. Long-term attacks could become feasible within several years — potentially within a decade; short-term attacks (mempool attacks) require <10 minutes of computation time and are infeasible on any timescale short of the extreme long term (decades).

Benefits of Radical Interventions (e.g., soft/hard forks for quantum-resistant formats or destroying coins): Strengthening the network in advance, guarding against unexpected technological breakthroughs, providing migration pathways, signaling adaptability, enhancing investor confidence.

Drawbacks of Radical Interventions: Unproven cryptographic techniques may introduce vulnerabilities; scarce development resources may be wasted on unproven or inefficient solutions, forcing further changes later; assuming dormant coins are lost could amount to forced confiscation or theft; threat to neutrality; erosion of property rights, decentralization, immutability, and trust.

Market Impact: In practice, exposure may be limited to about 10,000 BTC that could suddenly and unexpectedly enter the market if private keys were compromised, and even that would look more like ordinary large transactions; holders can voluntarily migrate; the remaining coins are distributed across 34,000 addresses of about 50 BTC each, and even in the most optimistic technological breakthrough scenarios, stealing them would take decades.

Correctly analyzing this issue requires a deep and detailed understanding.

Bitcoin’s security framework relies on two core cryptographic elements: the Elliptic Curve Digital Signature Algorithm (ECDSA or Schnorr based on secp256k1) for transaction authorization, and hash functions like SHA-256 for mining and address protection. ECDSA generates an asymmetric key pair, and deriving a private key from a public key is computationally infeasible on classical computing systems. SHA-256 provides a one-way hash, which is also computationally infeasible to reverse. Quantum algorithms bring specific concerns. A common misunderstanding is that quantum computing would uniformly break cryptographic systems, but this is not the case. Below, we summarize the impact of practical quantum computers on common cryptographic functions.

Existing Cryptographic Types — Pre-Quantum and Post-Quantum:

The main issue currently faced is the 256-bit ECDSA (now Schnorr, but facing the same problem) signature algorithm used for authorizing Bitcoin transactions. Shor’s algorithm could theoretically solve the discrete logarithm problem underpinning elliptic curves, making it possible to derive the private key once the public key is exposed.

Grover’s algorithm reduces the effective security of hash functions like SHA-256 from 256 bits to 128 bits, but because of the enormous computational demands, brute-force attacks remain impractical, so addresses protected by hashes remain secure. As for mining, quantum computers could theoretically become quite fast mining devices, but whether they would be economically viable compared to ASICs is entirely unclear (and the point is moot given Bitcoin’s built-in automatic difficulty adjustment). Importantly, quantum computing cannot change Bitcoin’s fixed supply cap of 21 million nor bypass the proof-of-work required for block validation.

Risk exposure is limited to outputs where the public key is visible, primarily legacy Pay-to-Public-Key (P2PK) outputs, which collectively hold about 1.6 million BTC, approximately 8% of the total supply. However, only about 10,200 BTC sit in UTXOs whose theft by a quantum attacker could cause any significant market disturbance. The remaining approximately 1.6 million BTC are distributed across 32,607 separate UTXOs of about 50 BTC each, and even under extremely optimistic assumptions about advances in quantum computing, unlocking them would take thousands of years.

Distribution and Quantity of Quantum Vulnerable Coins

More modern address formats, like Pay-to-Public-Key-Hash (P2PKH) or Pay-to-Script-Hash (P2SH), conceal the public key behind a hash, keeping it hidden until the funds are spent. The claim of 25% vulnerability usually counts temporary, mitigable exposure such as exchanges reusing addresses, which is easily remedied through best practices; moreover, there will be several years of warning before the technology becomes truly dangerous, leaving ample time for simple behavioral adjustments.
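As an added illustration of why exposure depends on the output type (example code written for this compilation, not taken from the CoinShares article or from Bitcoin Core), the following classifies scriptPubKeys: only P2PK carries the public key in the unspent output, while P2PKH/P2SH/P2WPKH reveal nothing until the spending scriptSig pushes the key into the mempool. All scripts, keys and amounts are constructed sample values.

```python
from __future__ import annotations
# Added example: classify Bitcoin output scripts by whether the public key is
# readable at rest. Keys, hashes and amounts below are constructed samples.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_EQUAL = 0x76, 0xA9, 0x88, 0xAC, 0x87

def classify(script: bytes) -> str:
    """Name the output template, or 'unknown' for anything else."""
    n = len(script)
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG -> the key sits in the UTXO itself
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    if n == 23 and script[0] == OP_HASH160 and script[1] == 0x14 and script[-1] == OP_EQUAL:
        return "P2SH"  # OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"  # OP_0 <20-byte hash160(pubkey)>
    return "unknown"

def pubkey_at_rest(script: bytes) -> bytes | None:
    """Key exposed while the output is unspent: only P2PK reveals one."""
    return script[1:-1] if classify(script) == "P2PK" else None

def pubkeys_in_scriptsig(script_sig: bytes) -> list[bytes]:
    """SEC-encoded keys pushed by a spend: the moment a hashed output's key becomes visible in the mempool."""
    keys, i = [], 0
    while i < len(script_sig) and 1 <= script_sig[i] <= 75:  # direct pushes only
        ln, data = script_sig[i], script_sig[i + 1:i + 1 + script_sig[i]]
        if len(data) == ln and ((ln == 33 and data[0] in (2, 3)) or (ln == 65 and data[0] == 4)):
            keys.append(data)
        i += 1 + ln
    return keys

def exposure_report(utxos: list[tuple[bytes, int]]) -> dict[str, int]:
    """Split a UTXO set of (script, satoshis) into key-exposed vs hash-protected value."""
    totals = {"exposed": 0, "hidden": 0}
    for script, sats in utxos:
        totals["exposed" if pubkey_at_rest(script) else "hidden"] += sats
    return totals

SAMPLE_PUBKEY = b"\x02" + b"\x11" * 32                            # constructed compressed key
SAMPLE_UTXOS = [
    (b"\x21" + SAMPLE_PUBKEY + b"\xac", 50_0000_0000),             # early-style 50 BTC P2PK output
    (b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1_5000_0000),   # P2PKH, key hidden at rest
    (b"\x00\x14" + b"\x33" * 20, 3000_0000),                       # P2WPKH, key hidden at rest
]
# Constructed scriptSig spending a P2PKH output: <71-byte DER-shaped sig> <pubkey>
SAMPLE_SCRIPTSIG = b"\x47" + b"\x30" + b"\x44" * 70 + b"\x21" + SAMPLE_PUBKEY
```

Run `exposure_report(SAMPLE_UTXOS)` to see the at-rest split, and `pubkeys_in_scriptsig(SAMPLE_SCRIPTSIG)` to see the same key become visible only when the hashed output is spent.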

We are still quite far from the danger zone.

As of early 2026, the quantum threat is not imminent. To break secp256k1, a quantum system would need to possess millions of logical qubits — far beyond current capabilities. According to researchers, to reverse-engineer a public key in a day, an attacker would need a quantum computer with fault tolerance and error control capabilities, which has not yet been achieved and would require 13 million physical qubits — about 100,000 times the scale of the largest current quantum computers. To accomplish the same within an hour would require performance 3 million times greater than current quantum computers. Charles Guillemet, CTO of the cybersecurity company Ledger, told CoinShares: “To break current asymmetric encryption requires millions of qubits. Google’s current Willow computer has only 105 qubits. Moreover, maintaining a coherent system becomes exponentially more difficult with each additional qubit.” We have conducted a deeper analysis of the above content here.

Recent demonstrations, including those by Google, show progress but are still far from the scale needed to launch real-world attacks on Bitcoin.

Some estimates suggest that quantum computers related to cryptography (but not necessarily posing practical danger) may not emerge until the 2030s or later, with some analyses predicting 10–20 years.

Long-term exposure (such as P2PK addresses) could then face attacks requiring years of computation time, while short-term exposure (such as a public key revealed in the mempool while a transaction awaits confirmation) would require the computation to finish in under 10 minutes.

Radical Interventions Have Pros and Cons

Proposals for addressing this issue through radical interventions, such as soft forks for quantum-resistant address formats without sufficient validation or technical maturity, or worse, destroying vulnerable coins through hard forks, require extreme caution. Such actions could not only inadvertently introduce critical vulnerabilities leading to technological disasters but may also undermine Bitcoin’s core principles of property rights and decentralization, eroding trust without necessity.

Introducing new address formats before the cryptography underpinning their security has been fully understood and validated is extremely perilous and not advisable. We must recognize that we cannot determine whether post-quantum cryptography is provably effective until practical quantum computers become available. Furthermore, if we prematurely select a post-quantum address solution, we might allocate scarce development resources to a solution that ultimately proves inefficient, quickly outdated, or even completely flawed.

We fundamentally cannot determine whether these vulnerable coins are dormant or have been lost, as evidenced by occasional transfers from long-inactive addresses. Holders have ample opportunity to voluntarily migrate funds themselves, and as quantum capabilities continue to improve, unclaimed assets can transition naturally.

In the foreseeable future, the market-level impact seems limited. Only a small portion of vulnerable BTC, about 10,200 coins in certain P2PK categories, could affect liquidity if compromised suddenly and rapidly. Such events are more likely to resemble regular large transactions than to trigger systemic turmoil. Of greater concern is the preservation of Bitcoin’s immutability and neutrality, which premature protocol changes could threaten.

Mitigating quantum risks for Bitcoin is technically feasible and would not be destructive. “Bitcoin can adopt post-quantum signatures. Schnorr signatures (a technical implementation from a prior upgrade) pave the way for more upgrades, allowing Bitcoin to continue defensive evolution,” said Dr. Adam Back, a cryptographer, to CoinShares. Quantum-resistant signatures can be introduced through soft forks, allowing for the seamless integration of new cryptographic standards. Some existing proposals, such as Bitcoin Improvement Proposals (BIPs), have already outlined this evolutionary path. Users can migrate funds to secure addresses based on their judgment while keeping an eye on developments in quantum technology — they could even use exposed legacy addresses as indicators of technological progress.

For institutional investors, the key insight is that quantum risks are manageable and there is ample time window for solutions. The architecture of Bitcoin itself possesses inherent resilience, capable of supporting forward-looking adaptations. As a sound currency in the digital age, Bitcoin deserves evaluation based on its fundamentals rather than exaggerated technological threats.
