Roughly a quarter of all Bitcoin is exposed to the risk of a quantum attack, tied to public keys that have been revealed on the blockchain. But if that much of the supply is vulnerable, it raises a deeper concern: is trust in Bitcoin’s entire security model at risk?
Imagine waking up, checking your phone, and your bitcoin balance is zero. Not just your cold storage, your exchange balances too. Gone. Overnight, millions of UTXOs drained in a silent, coordinated attack.
It sounds extreme, but this kind of event would be more than just theft. It would be a direct attack on Bitcoin’s value, a public signal that its core cryptography is no longer secure. A state-level actor might attempt something like this, not just to steal coins, but to destroy trust and deliberately cause chaos.
Not every attacker would act so loudly. A more self-incentivized one might take the opposite approach. With access to a quantum computer, they could quietly target older UTXOs, draining coins from forgotten or inactive wallets. Their goal would be to siphon off as much as possible before the rest of the world catches on.
But whether the attack is loud or quiet, fast or slow, the end result is more or less the same. The assumptions that secure Bitcoin are no longer true in a post-quantum world. The math that secured Bitcoin from its beginning could be broken at any point, by a machine none of us have seen yet, but we know is theoretically possible.
What Quantum Computers Actually Break
A quantum computer isn’t just a faster version of computers we have today. It’s a fundamentally different type of machine. For most tasks, it wouldn’t be much faster than a regular computer. But for very specific problems, it would be powerful enough to break a lot.
Bitcoin’s digital signatures today, including Schnorr and ECDSA, rely on something called the discrete logarithm problem. Think of it as a kind of mathematical one-way street. It’s easy to go one direction, but extremely hard to go back. You can take a private key and generate a public key or signature, but doing the reverse, deriving the private key from the public key, is practically impossible. And this is why you can share your public key on the blockchain safely, because it’s infeasible for anyone to reverse it and derive your corresponding private key.
But with a large enough quantum computer, that assumption breaks. Using Shor’s algorithm, a quantum attacker could solve the discrete logarithm problem. And that “one-wayness” no longer holds. Given any public key on the blockchain, an attacker can derive its corresponding private key.
Hard Choices, Big Trade-offs
There are no perfect solutions here. Any plan to defend Bitcoin against these quantum attacks involves some big trade-offs. Some are technical. Some are social. All of them are hard.
One possibility is to introduce a new kind of output type that uses only post-quantum signatures. Instead of relying on discrete logarithms, which quantum computers can break, you would lock coins using quantum-safe signature schemes from the beginning. Anyone sending funds to that address knows they are choosing stronger, future-proof security.
A big trade-off here is size. Most post-quantum signatures are huge, often measured in kilobytes instead of bytes. This means post-quantum signatures can be 40-600 times bigger than current Bitcoin signatures. If an ECDSA/Schnorr signature fits inside a text message, a post-quantum signature could be as large as a small digital photo. They cost more to broadcast, and more to store on the blockchain. HD wallets, multisig setups, and even basic key management, become more complex or may not even work at all. Doing threshold signatures with post-quantum signatures is still an open research problem.
A related proposal for going fully post-quantum comes from Jameson Lopp, who proposed a fixed 4-year migration window. After the introduction of post-quantum signatures, give the Bitcoin ecosystem a few years to rotate into quantum-safe outputs. After that, coins that have not been moved are treated as lost. An aggressive approach, but it sets a clear deadline and gives the network time to adapt before any crisis hits.
Until the threat becomes more real, we’d prefer to rely on the cryptography we already trust. But if we all agree that Bitcoin needs a plan, what is it going to be?
No one wants to rush into chance Bitcoin with unproven assumptions. Rather than pushing in something entirely new, Bitcoin might already have a built-in starting point. Taproot!
Taproot’s Hidden Post-Quantum Safety
Taproot, introduced in 2021, is mostly known for improving privacy and efficiency. What many users don’t realize is that it could also be the basis for a smoother transition into a post-quantum world.
Every Taproot output contains an initially hidden set of alternative spending conditions. These alternative script paths are never revealed unless used. Right now, most Taproot coins are spent using Schnorr signatures, but those hidden paths can be used for almost anything. That includes post-quantum (PQ) signature checks.
The idea that Taproot’s internal structure could withstand quantum attacks goes back to Matt Corallo, who first propagated it. And recently, Tim Ruffing of Blockstream Research published a paper showing that this approach is in fact secure: fallback paths inside Taproot can remain trusted, even if Schnorr and ECDSA are broken.
This opens the door to a simple but powerful upgrade path.
Step 1: Add Post-Quantum Opcodes
The first step is to introduce support for post-quantum signatures in Bitcoin Script. This could be done by adding new opcodes that allow Taproot scripts to verify PQ signatures, using algorithms currently being standardized and evaluated.
That way, users could start creating Taproot outputs with two spending paths:
- The key-path would still use fast, efficient Schnorr signatures for day-to-day use.
- The script-path would contain a post-quantum fallback, only revealed if needed.
Nothing changes in the short term. Coins behave the same. But if a quantum threat appears, the fallback is already in place.
Step 2: Flip the Kill Switch
Later, if a large quantum computer is developed and the risk becomes real, Bitcoin could disable Schnorr and ECDSA spending.
This kill switch would protect the network by preventing coins in vulnerable outputs from being stolen. As long as users have moved their coins to upgraded Taproot outputs that include post-quantum fallbacks, those coins would remain safe and spendable.
The transition will unavoidably cause some friction, but hopefully it would be less disruptive than a last-minute scramble. And thanks to Taproot’s hidden script paths, most of this work could happen quietly in advance.
Prepping Without Panic
There is no countdown clock to the quantum threat. We have no idea when this breakthrough in quantum computing will happen. It could be a decade away, or it could be much closer. No one knows.
None of this is simple. There are still open questions about which post-quantum algorithms we should use, how to make them efficient enough for Bitcoin, and how to preserve core features like threshold multisig and key derivation. But the most important thing is to start. Ideally not after the first cryptographically relevant quantum computer has been built, but now, while the system is still secure and upgrade paths are still available.
By enabling post-quantum signature support within Bitcoin Script today, we give users time to prepare. Education can happen gradually, without panic. And users can start to migrate coins at their own pace. If we wait too long, we lose that luxury. Upgrades done under stress rarely go smoothly.
Tim Ruffing’s work lays out a possible path forward. A plan that makes use of tools Bitcoin already has. Read his full paper to understand how this works in detail.
This is a guest post by Kiara Bickers from Blockstream. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.