Bitcoin’s quantum risk is real

Kiara Bickers

About a quarter of all Bitcoin is exposed to the risk of a quantum attack because its public keys have already been revealed on the blockchain. But if that much of the supply is vulnerable, it raises a deeper concern: is confidence in Bitcoin’s entire security model at risk?

Imagine waking up, checking your phone, and seeing your Bitcoin balance at zero. Not just your cold storage; your exchange balances too. Gone. Overnight, millions of UTXOs drained in a silent, coordinated attack.

It sounds extreme, but an event like this would be more than theft. It would be a direct attack on Bitcoin’s value, a public signal that its core cryptography is no longer safe. A state-level actor might attempt something like this not only to steal coins, but to destroy confidence and deliberately cause chaos.

Not every attacker would act so loudly. A more self-interested one could take the opposite approach. With access to a quantum computer, they could quietly target older UTXOs and drain coins from forgotten or inactive wallets. Their goal would be to siphon off as much as possible before the rest of the world notices and intervenes.

But whether the attack is loud or quiet, fast or slow, the end result is roughly the same. The assumptions that secure Bitcoin no longer hold in a post-quantum world. The math that has secured Bitcoin from the beginning could be broken at any time by a machine none of us has seen yet, but which we know is theoretically possible.

What quantum computers actually break

A quantum computer is not just a faster version of the computers we have today. It is a fundamentally different kind of machine. For most tasks it would not be much faster than a regular computer. But for a few very specific problems, it would be powerful enough to break a lot.

Bitcoin’s digital signatures today, both Schnorr and ECDSA, depend on something called the discrete logarithm problem. Think of it as a mathematical one-way street: easy to travel in one direction, extremely hard to go back. You can take a private key and generate a public key or a signature, but doing the reverse, recovering the private key from the public key, is practically impossible. That is why you can safely reveal your public key on the blockchain: no one can turn it around and derive the corresponding private key.

With a large enough quantum computer, that assumption breaks. Using Shor’s algorithm, a quantum attacker could solve the discrete logarithm problem, and the “one-way” property no longer holds. Given any public key on the blockchain, an attacker could derive the corresponding private key.

Hard choices, big trade-offs

There are no perfect solutions here. Any plan to defend Bitcoin against quantum attacks involves major compromises. Some are technical. Some are social. All of them are hard.

One option is to introduce a new output type that uses only post-quantum signatures. Instead of relying on discrete logarithms that quantum computers can break, you would lock coins with quantum-resistant signature schemes from the start. Anyone who sends funds to such an address knows they are choosing stronger, future-proof security.

A big trade-off here is size. Most post-quantum signatures are huge, often measured in kilobytes instead of bytes. Post-quantum signatures can be 40-600 times larger than current Bitcoin signatures. If an ECDSA/Schnorr signature fits inside a text message, a post-quantum signature may be as large as a small digital photo. They cost more to transmit and more to store on the blockchain. HD wallets, multisig setups and even basic key management become more complex or may not work at all. Threshold signatures with post-quantum schemes are still an open research problem.

A related proposal to go fully post-quantum comes from Jameson Lopp, who suggests a fixed 4-year migration window. After post-quantum signatures are introduced, the Bitcoin ecosystem gets a few years to rotate into quantum-resistant outputs. After that, coins that have not moved are treated as lost. It is an aggressive approach, but it sets a clear deadline and gives the network time to adapt before any crisis hits.

Until the threat becomes more concrete, we would rather rely on the cryptography we already trust. But if we all agree that Bitcoin needs a plan, what should it be?

Nobody wants to rush into changing Bitcoin on untested assumptions. Instead of pushing in something completely new, Bitcoin may already have a built-in starting point: Taproot.

Taproot’s hidden post-quantum security

Taproot, introduced in 2021, is mostly known for improving privacy and efficiency. What many users do not realize is that it can also be the basis for a smoother transition to a post-quantum world.

Each Taproot output commits to a hidden set of alternative spending conditions. These alternative script paths are never revealed unless they are used. Right now most Taproot coins are spent with Schnorr signatures via the key path, but the hidden script paths can enforce almost anything, including a post-quantum (PQ) signature check.

The idea that Taproot’s internal structure could withstand quantum attacks goes back to Matt Corallo, who first proposed it. More recently, Tim Ruffing of Blockstream Research published a paper showing that this approach is actually secure: fallback paths inside Taproot can remain trustworthy even if Schnorr and ECDSA are broken.

This opens the door to a simple but powerful upgrade path.

Step 1: Add Post-Quantum Opcodes

The first step is to add support for post-quantum signatures to Bitcoin Script. This could be done with new opcodes that let Taproot scripts verify PQ signatures using algorithms that are currently being standardized and evaluated.

Users could then start creating Taproot outputs with two spending paths:

  • The key path would still use fast, efficient Schnorr signatures for everyday use.
  • The script path would contain a post-quantum fallback that is only revealed if it is needed.

Nothing changes in the short term. Coins behave the same. But if a quantum threat appears, the fallback is already in place.

Step 2: Flip the Kill Switch

Later, if a large quantum computer is built and the risk becomes real, Bitcoin can disable Schnorr and ECDSA spending.

This kill switch would protect the network by preventing coins in vulnerable outputs from being stolen. As long as users have moved their coins to upgraded Taproot outputs that include a post-quantum fallback, those coins would remain safe and spendable.
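The structure described in the Taproot section and in Steps 1 and 2, as an added illustration in Python (not code from the article, from Tim Ruffing’s paper, or from any Bitcoin implementation): a Taproot output whose key path is a Schnorr-style signature over the tweaked key, and whose hidden script path commits to a hypothetical OP_CHECKSIG_PQ check. Assumptions: the Schnorr here is simplified rather than byte-exact BIP340, the script tree has a single leaf, the opcode marker is invented for the example, and a Lamport hash-based one-time signature stands in for whichever post-quantum scheme a real opcode would verify. The secp256k1 scalar multiplication is also the one-way function from the discrete logarithm section: easy to compute forward, hard to invert classically.

```python
"""Taproot output with a Schnorr key path and a hidden post-quantum script path,
plus the Step 2 kill switch that disables the key path. Added illustration, not
code from the article, Blockstream or Bitcoin Core. Assumptions: simplified Schnorr
(not byte-exact BIP340), single-leaf script tree, hypothetical OP_CHECKSIG_PQ marker,
and a Lamport one-time signature standing in for a real PQ scheme."""
import hashlib
import secrets

# secp256k1 parameters (real values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Scalar multiplication: the one-way street (easy forward, hard to invert)."""
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()
def xb(pt): return pt[0].to_bytes(32, "big")
def challenge(R, pub, msg):
    return int.from_bytes(tagged_hash("Challenge", xb(R) + xb(pub) + msg), "big") % N

def schnorr_sign(d, msg):            # key path: simplified Schnorr, not BIP340-exact
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return (R, (k + challenge(R, ec_mul(d, G), msg) * d) % N)
def schnorr_verify(pub, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, pub, msg), pub))

def lamport_keygen():                # script path: hash-based stand-in PQ scheme
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in sk)
    return sk, pk
def lamport_sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(sk[i][(h >> (255 - i)) & 1] for i in range(256))
def lamport_verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32: return False
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(256):
        off = i * 64 + ((h >> (255 - i)) & 1) * 32
        if hashlib.sha256(sig[i * 32:(i + 1) * 32]).digest() != pk[off:off + 32]:
            return False
    return True

PQ_TAG = b"OP_CHECKSIG_PQ:"   # hypothetical opcode marker, not a real Bitcoin opcode

def taproot_tweak(internal_pub, script):
    leaf = tagged_hash("TapLeaf", script)   # single leaf, so the Merkle root is the leaf
    return int.from_bytes(tagged_hash("TapTweak", xb(internal_pub) + leaf), "big") % N

def taproot_output(internal_pub, script):
    return ec_add(internal_pub, ec_mul(taproot_tweak(internal_pub, script), G))

def validate_spend(output_key, msg, witness, key_path_enabled=True):
    """witness: ('key', schnorr_sig) or ('script', internal_pub, script, pq_sig).
    key_path_enabled=False models the kill switch from Step 2."""
    if witness[0] == "key":
        return key_path_enabled and schnorr_verify(output_key, msg, witness[1])
    _, internal_pub, script, pq_sig = witness
    if taproot_output(internal_pub, script) != output_key:   # script must match commitment
        return False
    return script.startswith(PQ_TAG) and lamport_verify(script[len(PQ_TAG):], msg, pq_sig)

def demo():
    # constructed scenario: one output, spent before and after the kill switch
    d = secrets.randbelow(N - 1) + 1
    internal_pub = ec_mul(d, G)
    pq_sk, pq_pk = lamport_keygen()
    script = PQ_TAG + pq_pk
    q = taproot_output(internal_pub, script)
    msg = hashlib.sha256(b"constructed spend").digest()
    key_wit = ("key", schnorr_sign((d + taproot_tweak(internal_pub, script)) % N, msg))
    script_wit = ("script", internal_pub, script, lamport_sign(pq_sk, msg))
    # someone who recovered d with Shor but does not hold the committed PQ key
    evil_wit = ("script", internal_pub, PQ_TAG + lamport_keygen()[1], b"\x00" * 8192)
    return {
        "key_before": validate_spend(q, msg, key_wit),
        "script_before": validate_spend(q, msg, script_wit),
        "key_after": validate_spend(q, msg, key_wit, key_path_enabled=False),
        "script_after": validate_spend(q, msg, script_wit, key_path_enabled=False),
        "forged_after": validate_spend(q, msg, evil_wit, key_path_enabled=False),
    }
```

`demo()` returns which spends validate before and after the key path is disabled: both paths before, only the script path after, and a script-path attempt with a substituted PQ key fails because the revealed script no longer matches the hash commitment in the output key. That is the property the article leans on: once the key path is switched off, spending depends on hash preimage resistance and the PQ signature rather than on the discrete logarithm, so recovering the internal private key no longer helps.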

The transition would inevitably cause some friction, but it should be far less disruptive than a last-minute scramble. And thanks to Taproot’s hidden script paths, most of the work could happen quietly in advance.

Preparing without panic

There is no countdown clock for the quantum threat. We have no idea when the breakthrough in quantum computing will happen. It could be a decade away or much closer. No one knows.

None of this is simple. There are still open questions about which post-quantum algorithms we need, how to make them efficient enough for Bitcoin, and how to preserve core functionality such as threshold multisig and key derivation. But the most important thing is to start. Ideally not after the first cryptographically relevant quantum computer has been built, but now, while the system is still secure and upgrade paths are still open.

By enabling post-quantum signature support in Bitcoin Script today, we give users time to prepare. Education can happen gradually, without panic, and users can migrate coins at their own pace. If we wait too long, we lose that luxury. Upgrades performed under stress rarely go smoothly.

Tim Ruffing’s work establishes a viable path forward, a plan that uses tools Bitcoin already has. Read his full paper to understand how it works in detail.

This is a guest post by Kiara Bickers of Blockstream. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.