Quantum computers cannot decrypt Bitcoin, but they could forge signatures for exposed public keys, putting approximately 6.7 million BTC at risk unless wallets migrate to post-quantum paths before large fault-tolerant machines arrive.
Summary
- Bitcoin does not store encrypted secrets on-chain; the critical quantum threat is key recovery from exposed public keys using Shor's algorithm, which would allow forged authorization over vulnerable UTXOs.
- Project Eleven’s Bitcoin Risq List estimates approximately 6.7 million BTC in addresses that meet public-key exposure criteria, with Taproot changing but not eliminating risk as quantum machines scale.
- Current estimates indicate that approximately 2,330 logical qubits and millions of physical qubits are required to break 256-bit ECC, leaving time for BIP-level post-quantum outputs (e.g. P2QRH) and NIST-standardized schemes to be integrated despite their larger, more expensive signatures.
Quantum computers pose a threat to Bitcoin (BTC) through potential exploitation of digital signatures rather than decrypting encrypted data, according to cryptocurrency security researchers and developers.
Quantum and Bitcoin, technology-proof?
Bitcoin does not store encrypted secrets on its blockchain, making the widely held narrative of “quantum computers cracking Bitcoin encryption” technically inaccurate, according to Adam Back, a longtime Bitcoin developer and inventor of Hashcash. The security of the cryptocurrency relies on digital signatures and hash-based commitments rather than ciphertext.
“Bitcoin does not use encryption,” Back stated on social media platform X, adding that the terminology error serves as an indicator of misunderstanding the basics of the technology.
The actual quantum risk involves forging authorizations: a sufficiently powerful quantum computer running Shor's algorithm could derive a private key from a public key on the chain and produce a valid signature for a competing spend, according to the technical documentation.
Bitcoin's signature systems, ECDSA and Schnorr, prove control over a key pair. Exposure of public keys is the main security concern, and vulnerability depends on what information appears on the chain. Many address formats use a hash of a public key, which keeps the raw public key hidden until a spending transaction is issued.
Project Eleven, a cryptocurrency security research organization, maintains an open-source 'Bitcoin Risq List' that tracks public key exposure at the script level and at the address-reuse level. The organization's public tracker shows that approximately 6.7 million BTC meet the exposure criteria, according to the published methodology.
Taproot outputs, known as P2TR, include a 32-byte tweaked public key in the output program instead of a pubkey hash, as outlined in Bitcoin Improvement Proposal 341. This changes the exposure pattern in ways that will only matter if large fault-tolerant quantum machines become operational, according to Project Eleven documentation.
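The script-level and address-reuse exposure described above can be sketched as a classifier over output scripts. This is an added example, not Project Eleven's code or methodology; the byte templates are the standard Bitcoin output forms, while the function names, sample scripts and amounts are constructed for illustration.

```python
from typing import Iterable, NamedTuple

class Utxo(NamedTuple):
    script_hex: str  # scriptPubKey, hex-encoded
    sats: int        # value in satoshis

def classify(script_hex: str) -> str:
    """Match a scriptPubKey against standard output templates."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: witness version 0 with a 20-byte key hash
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    # P2TR: witness version 1 with the 32-byte output key itself (BIP 341)
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"
    return "other"  # P2SH, P2WSH, bare multisig etc. are not modelled here

KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # raw public key sits in the output
KEY_HASHED = {"p2pkh", "p2wpkh"}  # key revealed only when spent

def is_exposed(script_hex: str, spent_scripts: set[str]) -> bool:
    """True if the key guarding this output is already public."""
    kind = classify(script_hex)
    if kind in KEY_IN_OUTPUT:
        return True
    # Address reuse: an earlier spend from the same script revealed the key.
    return kind in KEY_HASHED and script_hex.lower() in spent_scripts

def exposed_sats(utxos: Iterable[Utxo], spent_scripts: set[str]) -> int:
    return sum(u.sats for u in utxos if is_exposed(u.script_hex, spent_scripts))

# Constructed sample data (not real outputs).
P2PK = "21" + "02" * 33 + "ac"
P2PKH_REUSED = "76a914" + "11" * 20 + "88ac"
P2PKH_FRESH = "76a914" + "22" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
P2TR = "5120" + "44" * 32
UTXOS = [Utxo(P2PK, 5_000_000_000), Utxo(P2PKH_REUSED, 100_000_000),
         Utxo(P2PKH_FRESH, 200_000_000), Utxo(P2WPKH, 300_000_000),
         Utxo(P2TR, 400_000_000)]
SPENT = {P2PKH_REUSED}  # lowercase hex of scripts seen in an earlier spend
```

With the sample set, `exposed_sats(UTXOS, SPENT)` counts the P2PK, reused P2PKH and P2TR outputs and leaves the fresh hashed outputs out.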
Research published in "Quantum resource estimates for computing elliptic curve discrete logarithms" by Roetteler and co-authors establishes an upper bound of 9n + 2⌈log2(n)⌉ + 10 logical qubits needed to compute an elliptic curve discrete logarithm over an n-bit prime field. For n = 256 this amounts to approximately 2,330 logical qubits.
A 2023 estimate from Litinski places a 256-bit elliptic curve private key calculation at approximately 50 million Toffoli gates. Under these assumptions, a modular approach could compute one key in about 10 minutes using about 6.9 million physical qubits. A summary from Schneier on Security cites estimates that approximately 13 million physical qubits would be needed to break the encryption within one day, while approximately 317 million physical qubits would be needed to do so within a one-hour time frame.
Grover's algorithm, which provides a square-root speedup for brute-force search, represents the quantum threat to hash functions. NIST research indicates that the cost of finding SHA-256 preimages remains on the order of 2^128 work after applying Grover's algorithm, which is not comparable to a discrete-log break in elliptic curve cryptography.
Post-quantum signatures typically measure kilobytes instead of tens of bytes, which, according to the technical specifications, affects wallet transaction weight and user experience.
NIST has standardized post-quantum primitives, including ML-KEM (FIPS 203), as part of broader migration planning. Within the Bitcoin ecosystem, BIP 360 proposes a ‘Pay to Quantum Resistant Hash’ output type, while qbip.org advocates sunsetting old signatures to enforce migration incentives.
IBM discussed progress on error correction components in a recent statement to Reuters, reiterating a development path to a fault-tolerant quantum system around 2029. The company also reported that a key quantum error correction algorithm can run on conventional AMD chips, according to a separate Reuters report.
The measurable factors include the share of the UTXO set with exposed keys, changes in wallet behavior in response to that exposure, and the network's speed of adoption of quantum-resilient spending paths while maintaining validation and fee-market constraints, according to Project Eleven's analysis.
