Quantum computers can’t decrypt Bitcoin but could forge signatures from exposed public keys, putting ~6.7m BTC at risk unless wallets migrate to post‑quantum paths before large fault‑tolerant machines arrive.
Summary
- Bitcoin stores no encrypted secrets on‑chain; the critical quantum threat is Shor‑enabled key recovery from exposed public keys, allowing authorization forgery on vulnerable UTXOs.
- Project Eleven’s Bitcoin Risq List estimates about 6.7m BTC in addresses meeting its public‑key exposure criteria, with Taproot changing but not eliminating the risk if quantum machines scale.
- Current estimates suggest ~2,330 logical qubits and millions of physical qubits are needed to break 256‑bit ECC, giving time for BIP‑level post‑quantum outputs (e.g., P2QRH) and NIST‑standard schemes to be integrated despite larger, fee‑heavier signatures.
Quantum computers pose a threat to Bitcoin (BTC) through potential exploitation of digital signatures rather than decryption of encrypted data, according to cryptocurrency security researchers and developers.
Quantum and Bitcoin, technology proof?
Bitcoin stores no encrypted secrets on its blockchain, making the widespread narrative of “quantum computers cracking Bitcoin encryption” technically inaccurate, according to Adam Back, a longtime Bitcoin developer and inventor of Hashcash. The cryptocurrency’s security relies on digital signatures and hash-based commitments rather than ciphertext.
“Bitcoin does not use encryption,” Back stated on social media platform X, adding that the terminology error serves as an indicator of misunderstanding the technology’s fundamentals.
The actual quantum risk involves authorization forgery, where a sufficiently powerful quantum computer running Shor’s algorithm could derive a private key from an on-chain public key and produce a valid signature for a competing transaction spend, according to technical documentation.
Bitcoin’s signature systems, ECDSA and Schnorr, prove control over a keypair. Public-key exposure represents the primary security concern, with vulnerability depending on what information appears on-chain. Many address formats commit to a hash of a public key, keeping the raw public key hidden until a transaction is spent.
Project Eleven, a cryptocurrency security research organization, maintains an open-source “Bitcoin Risq List” that tracks public key exposure at the script and address reuse level. The organization’s public tracker shows approximately 6.7 million BTC meeting its exposure criteria, according to its published methodology.
Taproot outputs, known as P2TR, include a 32-byte tweaked public key in the output program rather than a pubkey hash, as outlined in Bitcoin Improvement Proposal 341. This changes the exposure pattern in ways that would only matter if large fault-tolerant quantum machines become operational, according to Project Eleven’s documentation.
Research published in “Quantum resource estimates for computing elliptic curve discrete logarithms” by Roetteler and co-authors establishes an upper bound of at most 9n + 2⌈log2(n)⌉ + 10 logical qubits needed to compute an elliptic-curve discrete logarithm over an n-bit prime field. For n = 256, this equates to approximately 2,330 logical qubits.
A 2023 estimate by Litinski places a 256-bit elliptic-curve private-key computation at approximately 50 million Toffoli gates. Under those assumptions, a modular approach could compute one key in roughly 10 minutes using about 6.9 million physical qubits. A summary on Schneier on Security cited estimates clustering around 13 million physical qubits to break encryption within one day, with approximately 317 million physical qubits needed to target a one-hour window.
Grover’s algorithm, which provides a square-root speedup for brute-force search, represents the quantum threat to hashing functions. NIST research indicates that for SHA-256 preimages, the target remains on the order of 2^128 work after applying Grover’s algorithm, which does not compare to an elliptic-curve cryptography discrete-log break.
Post-quantum signatures typically measure in kilobytes rather than tens of bytes, affecting transaction weight economics and wallet user experience, according to technical specifications.
NIST has standardized post-quantum primitives including ML-KEM (FIPS 203) as part of broader migration planning. Within the Bitcoin ecosystem, BIP 360 proposes a “Pay to Quantum Resistant Hash” output type, while qbip.org advocates for a legacy-signature sunset to force migration incentives.
IBM discussed progress on error-correction components in a recent statement to Reuters, reiterating a development path toward a fault-tolerant quantum system around 2029. The company also reported that a key quantum error-correction algorithm can run on conventional AMD chips, according to a separate Reuters report.
The measurable factors include the proportion of the UTXO set with exposed public keys, changes in wallet behavior responding to that exposure, and the network’s adoption speed for quantum-resistant spending paths while maintaining validation and fee-market constraints, according to Project Eleven’s analysis.
