April 05, 2026 ChainGPT

Bitcoin vs. Quantum: Keys Breakable in <9 Minutes, Devs Race to Protect 6.5M BTC

Quantum alarm bells are ringing across Bitcoin — and not because a working quantum machine has already arrived, but because new research suggests it may be closer than many hoped. Recent Google findings indicate that a sufficiently powerful quantum computer could crack Bitcoin’s core cryptography in under nine minutes, faster than the network’s average block time. Some analysts put a credible timeline on the risk as early as 2029. Given that millions of BTC sit in addresses that are already exposed, developers are racing to design practical defenses.

Why Bitcoin is vulnerable (briefly)

- Bitcoin security depends on a private key (the secret) and a public key (derived from the private key). To spend coins you produce a signature with the private key; the network verifies it against the public key without the secret ever being revealed.
- Classical computers would take billions of years to recover a private key from its public key under the elliptic-curve schemes Bitcoin uses (ECDSA / Schnorr). Quantum algorithms such as Shor’s could change that calculus.
- There are two exposure windows:
  - Long-exposure: addresses whose public keys are already visible on-chain (e.g., early Pay-to-Public-Key (P2PK) addresses and some Taproot/P2TR outputs). Roughly 1.7 million BTC sit in old P2PK addresses, including coins attributed to Satoshi.
  - Short-exposure: the mempool. Unconfirmed transactions broadcast to the network reveal public keys and signatures briefly before they are included in a block. A quantum attacker with enough speed could try to derive private keys during that small window.

What’s at stake

- Analysts estimate that about 6.5 million BTC are in addresses a quantum computer could directly target, placing potentially hundreds of billions of dollars at risk and threatening Bitcoin’s core principles of “trust the code” and sound, censorship-resistant money.
Key proposals and technical defenses under discussion

Developers have several lines of defense: some meant for future-issued addresses, others to protect transactions in flight, and some to limit damage to already-exposed coins.

- BIP-360 / Pay-to-Merkle-Root (P2MR)
  - What: A new output type that avoids embedding a permanent public key on-chain by committing to a Merkle root instead. The public key is revealed only when spending.
  - Why it helps: With no on-chain public key to study, long-exposure attacks have no fixed target.
  - Caveat: It protects newly created addresses going forward; it does not automatically safeguard coins already sitting in exposed addresses. Lightning, multisig and other features can still work with this design.
- Hash-based post-quantum signatures: SPHINCS+ (SLH-DSA) and variants
  - What: SPHINCS+ (standardized by NIST in August 2024 as FIPS 205 / SLH-DSA) is a signature scheme built on hash functions, believed resilient to the quantum attacks that threaten elliptic-curve schemes.
  - Trade-offs: SPHINCS+ signatures are roughly 8 kilobytes or more, versus Bitcoin’s current ~64-byte signatures, dramatically increasing block-space usage and fees.
  - Ongoing work: SHRIMPS and SHRINCS are follow-up proposals that aim to retain SPHINCS+’s post-quantum security while shrinking signature sizes enough to make adoption feasible for a blockchain.
- Commit-and-Reveal (mempool protection) — Tadge Dryja’s soft fork
  - What: Split spending into a two-phase process: first commit a hash (a sealed “intent”) on-chain; later reveal the actual spend, including the public key.
  - Why it helps: If a quantum attacker tries to forge a competing transaction during the mempool window, the network rejects it because it lacks a prior commitment. This defends against short-exposure attacks.
  - Trade-offs: It effectively doubles the transaction interaction and increases fees; it is treated as an interim, practical bridge rather than a final solution.
- Hourglass V2 (mitigating the existing-exposure risk)
  - What: A proposal to throttle how quickly coins in known-vulnerable addresses can be sold, for example by limiting spends from those addresses to one BTC per block.
  - Rationale: Prevents a “bank run” style mass liquidation that could crash markets if many exposed coins were suddenly drained.
  - Controversy: Critics argue it violates the principle that no one should be able to restrict your ability to spend your coins; limits on movement are politically and technically fraught.

Where things stand and what to expect

- None of these changes are activated. Bitcoin’s decentralized governance — involving developers, miners, exchanges, and node operators — makes upgrades deliberate and slow by design.
- The issue has been on developers’ radar for some time; the recent Google paper has accelerated public attention but has not introduced fundamentally new ideas. Work on proposals like P2MR, hash-based signatures, mempool defenses and mitigation schemes predates the report.
- Adoption pathways will weigh security, complexity, cost (block space and fees), and philosophical trade-offs about permissionless spending and market stability.

Bottom line

Quantum computers capable of instantly breaking Bitcoin’s cryptography are not yet a present-day reality, but credible research and timelines mean the community must act proactively. The debate is now about which combination of immediate, medium- and long-term changes will preserve Bitcoin’s security without sacrificing its core properties — and how to deploy them in a network designed to resist rushed or centralized changes.
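The commit-and-reveal mempool defense described in the proposals above, modelled as an added example that is not part of the original article or of Dryja's actual proposal. It uses a hypothetical, simplified commitment rule (SHA-256 over the public key and the intended outputs) and constructed placeholder values, and shows why a competing spend forged from the mempool window fails validation: its hash matches no confirmed commitment.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample values (not real keys or scripts); the scheme itself is a
# simplified, hypothetical model of the two-phase spend, not Dryja's actual proposal.
HONEST_PUBKEY = b"\x02" + b"\x11" * 32          # stands in for a 33-byte compressed key
HONEST_SPEND = b"pay 1.0 BTC to merchant"       # stands in for the transaction outputs
ATTACKER_SPEND = b"pay 1.0 BTC to attacker"


def commitment_hash(pubkey: bytes, spend: bytes) -> bytes:
    """Phase 1 payload: only this digest goes on-chain, so it reveals nothing about pubkey."""
    return hashlib.sha256(b"commit|" + pubkey + b"|" + spend).digest()


@dataclass
class Chain:
    """Minimal chain state: current height and confirmed commitments (hash -> height)."""
    height: int = 0
    commitments: dict = field(default_factory=dict)

    def mine_commitment(self, commit: bytes) -> int:
        """Include a commitment in the next block and return that block's height."""
        self.height += 1
        self.commitments[commit] = self.height
        return self.height

    def validate_reveal(self, pubkey: bytes, spend: bytes) -> tuple:
        """Phase 2 rule nodes apply when a full spend (pubkey included) reaches the mempool."""
        committed_at = self.commitments.get(commitment_hash(pubkey, spend))
        if committed_at is None:
            return False, "rejected: no prior on-chain commitment"
        return True, "accepted: committed at height %d" % committed_at


def demo() -> dict:
    """Honest two-phase spend versus a competing spend built from the exposed pubkey."""
    chain = Chain()
    chain.mine_commitment(commitment_hash(HONEST_PUBKEY, HONEST_SPEND))
    honest_ok, _ = chain.validate_reveal(HONEST_PUBKEY, HONEST_SPEND)
    # The honest reveal exposes HONEST_PUBKEY in the mempool. Even if the private key
    # were recovered inside that window, a competing spend names different outputs,
    # so its commitment hash was never confirmed and nodes reject it.
    attacker_ok, reason = chain.validate_reveal(HONEST_PUBKEY, ATTACKER_SPEND)
    return {"honest_accepted": honest_ok, "attacker_accepted": attacker_ok, "reason": reason}
```

The model omits fees, the extra round trip and the delay between the two phases, which are exactly the trade-offs the article lists against the scheme.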