April 05, 2026
ChainGPT
Bitcoin's $1.3T Quantum Risk: Developers Race to Post-Quantum Fixes
Headline: Bitcoin’s $1.3 trillion quantum problem — the upgrades aiming to future-proof the network
Quantum computers that can crack Bitcoin’s cryptography don’t exist yet. But developers are already racing to harden the network because the threat is moving from theoretical to plausible — and the stakes are enormous.
Why the alarm bells are ringing
- This week, Google published research showing a sufficiently powerful quantum computer could recover Bitcoin private keys from public keys in under nine minutes — roughly one minute faster than the average Bitcoin block time (~10 minutes). That margin matters: if an attacker can derive a private key faster than a transaction becomes permanently confirmed, they could hijack funds.
- Some analysts estimate such a quantum-capable machine could appear by 2029.
- Roughly 6.5 million BTC — worth hundreds of billions of dollars — sit in addresses that a quantum attacker could directly target. About 1.7 million BTC are in legacy Pay-to-Public-Key (P2PK) addresses, including coins tied to Satoshi Nakamoto.
How Bitcoin’s current cryptography becomes vulnerable
- Bitcoin uses elliptic curve cryptography (ECDSA/Schnorr) where a private key generates a public key; signatures prove ownership without revealing the private key. Classical computers would take billions of years to reverse this relationship.
- Quantum algorithms (notably Shor’s) could change that, allowing a future quantum computer to derive private keys from public keys and drain funds.
- Public keys can be exposed in two ways:
  - Long-exposure: some addresses (like early P2PK outputs) already revealed public keys on-chain, creating permanent targets.
  - Short-exposure: when a transaction sits in the mempool awaiting confirmation, its public key and signature are visible to the network for a short window. A fast quantum attacker could exploit that brief exposure.
Key proposals to limit the threat
Developers are advancing several approaches — some are immediate, others long-term — to reduce quantum risk without breaking Bitcoin’s functionality.
1) BIP-360: Pay-to-Merkle-Root (P2MR)
- What it does: Removes permanently exposed public keys from outputs by replacing them with Merkle-root-based commitments. An on-chain output no longer reveals a public key until it must be revealed to spend.
- Why it helps: If there’s no public key on-chain for an attacker to analyze, the long-exposure attack vanishes for new outputs.
- Limitations: Only protects coins created after activation. Existing exposed coins remain vulnerable.
2) Post-quantum signatures: SPHINCS+ / SLH-DSA and variants
- What it does: Replaces elliptic-curve signatures with hash-based schemes that are believed to resist quantum attacks (SPHINCS+ was standardized by NIST in August 2024 as FIPS 205 / SLH-DSA).
- Tradeoffs: SLH-DSA signatures are roughly 8 kilobytes (vs. ~64 bytes for current signatures), which would dramatically increase block space usage and fees.
- Ongoing work: SHRIMPS and SHRINCS are proposals aiming to shrink post-quantum signature sizes while retaining security, making adoption more practical for blockchain use.
3) Commit-Reveal (mempool protection)
- Proposed by Lightning co-creator Tadge Dryja as a soft-fork, this separates transactions into a commit phase (publish a hash/fingerprint) and a later reveal phase (publish the full transaction).
- How it defends: When a transaction’s public key is revealed, the network checks for a prior commitment. An attacker who forges a competing spend won’t have a matching pre-commitment, so the forged spend is rejected.
- Tradeoffs: Increased complexity and cost because each spend requires two on-chain steps. Seen as an interim bridge while stronger defenses are built.
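As an added example (not Dryja’s specification or any existing implementation), the following Python models the two-phase rule as the article describes it: a node accepts a revealed transaction only if its hash was committed in an earlier block, so a competing spend that can only be built once the public key is visible has no prior commitment. The transaction format, the one-block depth requirement and all names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def sha256d(b: bytes) -> bytes:
    # Bitcoin-style double SHA-256, used here as the commitment hash
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

@dataclass(frozen=True)
class Tx:
    utxo: str       # id of the output being spent
    payload: bytes  # constructed stand-in for destination, public key and signature
    def serialize(self) -> bytes:
        return self.utxo.encode() + b"|" + self.payload

class CommitRevealNode:
    """Toy consensus rule: a revealed spend is valid only if a commitment to its hash
    was confirmed at least MIN_DEPTH blocks earlier and its input is still unspent."""
    MIN_DEPTH = 1
    def __init__(self) -> None:
        self.height = 0
        self.commitments: dict[bytes, int] = {}  # commitment hash -> height confirmed
        self.spent: set[str] = set()
    def reveal_ok(self, tx: Tx) -> bool:
        confirmed_at = self.commitments.get(sha256d(tx.serialize()))
        return (confirmed_at is not None
                and self.height - confirmed_at >= self.MIN_DEPTH
                and tx.utxo not in self.spent)
    def mine_block(self, commits=(), reveals=()) -> list[Tx]:
        self.height += 1
        for c in commits:          # commit phase: only hashes land on-chain, no keys exposed
            self.commitments.setdefault(c, self.height)
        accepted = []
        for tx in reveals:         # reveal phase: full transaction, public key now visible
            if self.reveal_ok(tx):
                self.spent.add(tx.utxo)
                accepted.append(tx)
        return accepted

def scenario() -> tuple[bool, bool]:
    """Honest two-phase spend versus a competing spend that appears only at reveal time."""
    node = CommitRevealNode()
    honest = Tx("utxo:abc", b"to:alice pk:02aa sig:3045")       # constructed values
    node.mine_block(commits=[sha256d(honest.serialize())])       # block 1: commitment only
    # Block 2: the honest reveal is in the mempool. Someone who could derive the key from
    # the now-visible public key builds a competing spend and commits to it at the same time.
    forged = Tx("utxo:abc", b"to:mallory pk:02aa sig:3046")
    block2 = node.mine_block(commits=[sha256d(forged.serialize())], reveals=[honest, forged])
    block3 = node.mine_block(reveals=[forged])                    # block 3: forged reveal
    return honest in block2, (forged in block2 or forged in block3)
```

The forged spend fails twice: its commitment is not deep enough when it is first revealed, and by the next block the honest reveal has already spent the input.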
4) Hourglass V2 (drain-mitigation for exposed coins)
- Proposed by developer Hunter Beast to limit damage from already-exposed addresses (the roughly 1.7M BTC in P2PK outputs).
- Mechanism: Restrict withdrawals from those vulnerable outputs to one bitcoin per block, slowing mass liquidation and preventing an overnight market collapse.
- Controversy: Critics argue any restriction on spending violates Bitcoin’s ethos that private keys equal unrestricted control.
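As an added example (not code from the article, Bitcoin Core, or the Hourglass proposal), this Python ties together the two passages above: classifying UTXO scripts by whether the spending public key is already on-chain (the long-exposure case) and a simplified version of the Hourglass per-block cap on spends from P2PK outputs. The script patterns are standard Bitcoin output templates; the example goes beyond the article by also covering P2SH, segwit and taproot outputs (taproot puts a tweaked x-only public key on-chain, so it lands in the exposed bucket), and it models the rate limit as a plain sum over P2PK inputs per block. All sample scripts and amounts are constructed.

```python
def classify_script(spk: bytes) -> tuple[str, bool]:
    """Return (script type, is the spending public key already visible on-chain?)."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", True        # <pubkey> OP_CHECKSIG: the key itself is in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH", False      # only HASH160(pubkey) until the coin is spent
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH", False       # HASH160(redeem script)
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False     # segwit v0, 20-byte key hash
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False      # segwit v0, 32-byte script hash
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True        # segwit v1: the tweaked x-only public key is on-chain
    return "nonstandard", True     # unknown script: count as exposed and review by hand

def exposure_report(utxos: list[tuple[bytes, int]]) -> dict[str, int]:
    """Sum satoshis per script type and into 'exposed' / 'hashed' buckets."""
    totals = {"exposed": 0, "hashed": 0}
    for spk, sats in utxos:
        kind, exposed = classify_script(spk)
        totals[kind] = totals.get(kind, 0) + sats
        totals["exposed" if exposed else "hashed"] += sats
    return totals

HOURGLASS_CAP_SATS = 100_000_000  # the "one bitcoin per block" limit from the article

def hourglass_block_ok(block_inputs: list[tuple[bytes, int]]) -> bool:
    """Simplified Hourglass rule: value spent from P2PK outputs in one block <= cap."""
    from_p2pk = sum(sats for spk, sats in block_inputs if classify_script(spk)[0] == "P2PK")
    return from_p2pk <= HOURGLASS_CAP_SATS

# Constructed sample scripts and values (not real chain data).
P2PK_SPK = b"\x21\x02" + b"\x11" * 32 + b"\xac"          # 33-byte compressed key
P2PKH_SPK = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
P2WPKH_SPK = b"\x00\x14" + b"\x33" * 20
P2TR_SPK = b"\x51\x20" + b"\x44" * 32
SAMPLE_UTXOS = [(P2PK_SPK, 50 * 100_000_000), (P2PKH_SPK, 100_000_000),
                (P2WPKH_SPK, 25_000_000), (P2TR_SPK, 10_000_000)]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS))
    # two P2PK spends totalling 1.1 BTC in one block exceed the cap
    print(hourglass_block_ok([(P2PK_SPK, 60_000_000), (P2PK_SPK, 50_000_000)]))
```

Note that a hash-only output (P2PKH, P2WPKH) still becomes short-exposure the moment it is spent, so this report only measures the standing long-exposure set.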
What’s next — and how fast could fixes arrive?
- None of these proposals has been activated yet. Bitcoin’s decentralized upgrade process — involving developers, miners, and node operators — means changes are likely to be cautious and gradual.
- Still, the community has been discussing quantum risks for years, and the Google paper has added urgency. A mix of short-term mitigations (like commit-reveal) and long-term transitions (post-quantum signatures and P2MR-style outputs) is the likeliest path.
- Bottom line: Quantum computers that can break Bitcoin aren’t here today, but the combination of exposed historical outputs, mempool vulnerability, and improving quantum research makes upgrades prudent. The race to quantum-proof Bitcoin is already underway — and it’s protecting more than technology; it’s defending hundreds of billions in value and Bitcoin’s core principles.