Quantum computers represent a fundamentally different model of computation. While today's quantum machines are far from threatening Bitcoin, the cryptographic assumptions underlying Bitcoin's security will eventually need to be updated. This chapter examines the two quantum algorithms relevant to Bitcoin, surveys the current state of quantum hardware, presents the post-quantum signature schemes standardized by NIST, and analyzes the migration strategies available to the network. Understanding this threat—and preparing for it—is a prerequisite for any multi-generational plan.
39.1 The Two Quantum Threats
Remark 39.1 (The Two Quantum Threats)
Quantum computers threaten Bitcoin in two distinct ways:
- Shor's Algorithm: Breaks ECDSA signatures (stealing coins)
- Grover's Algorithm: Weakens SHA-256 mining (theoretical)
The first threat is severe and requires eventual migration. The second is less concerning: difficulty adjustment compensates, and a larger hash output would restore the original margin (Remark 39.4).
39.2 Quantum Computing Fundamentals
Definition 39.1 (Qubit)
Classical computers use bits (0 or 1). Quantum computers use qubits. A qubit's state is a superposition
α|0⟩ + β|1⟩, with |α|² + |β|² = 1
that yields 0 or 1 on measurement with probabilities |α|² and |β|²; the constraint expresses that these probabilities sum to one.
Classical Bit:
├── State: 0 OR 1
├── Operations: AND, OR, NOT, XOR
└── Parallelism: Multiple physical bits
Quantum Qubit:
├── State: α|0⟩ + β|1⟩ (superposition)
├── |α|² + |β|² = 1 (probability constraint)
├── Operations: Quantum gates (Hadamard, CNOT, etc.)
├── Entanglement: Correlated qubits
└── State space: dimension 2ⁿ for n qubits
(amplitudes, not independently readable values)
Definition 39.2 (Quantum Gates)
Quantum algorithms are built from specialized operations on qubits:
Common Quantum Gates:
├── Hadamard (H): Creates superposition
│ H|0⟩ = (|0⟩ + |1⟩)/√2
│
├── Pauli-X: Quantum NOT gate
│ X|0⟩ = |1⟩, X|1⟩ = |0⟩
│
├── CNOT: Controlled NOT (entanglement)
│ |00⟩ → |00⟩, |01⟩ → |01⟩
│ |10⟩ → |11⟩, |11⟩ → |10⟩
│
└── Phase Gates: Rotate quantum state
Rz(θ): |0⟩ → e^(−iθ/2)|0⟩, |1⟩ → e^(+iθ/2)|1⟩
Remark 39.2 (Quantum Speedups for Cryptographic Problems)
Certain problems that are hard for classical computers become tractable for quantum computers:
| Problem | Classical Complexity | Quantum Complexity | Impact |
|---|---|---|---|
| Integer factorization | Sub-exponential | Polynomial (Shor) | Breaks RSA |
| Discrete logarithm | Sub-exponential | Polynomial (Shor) | Breaks ECDSA |
| Unstructured search | O(N) | O(√N) (Grover) | Halves hash security |
39.3 Shor's Algorithm: The ECDSA Threat
Definition 39.3 (Shor's Algorithm)
Shor's algorithm (Peter Shor, 1994) efficiently solves the discrete logarithm problem—the foundation of ECDSA security:
Given public key P = d × G, find private key d
Classically this requires about 2¹²⁸ operations for a 256-bit curve. Shor's algorithm reduces it to roughly 10¹² quantum gate operations, given a sufficiently large quantum computer. The algorithm proceeds in three stages:
Shor's Algorithm for Discrete Log: 1. Quantum Phase Estimation ├── Create superposition over pairs (a, b) ├── Apply controlled group operations └── Measure to learn the period 2. Period Finding ├── Find the period of f(a, b) = aG + bP ├── Uses Quantum Fourier Transform └── Polynomial time vs exponential classical 3. Extract Private Key ├── The period of f encodes d (since P = dG) ├── Compute d from the measured phase └── Verify: d × G = P ✓
Example 39.1 (Resource Requirements for 256-bit ECDSA)
Running Shor's algorithm against a 256-bit elliptic curve key requires:
Resource Requirements (256-bit ECDSA): ├── Qubits needed: ~2,330 logical qubits ├── With error correction: ~13,000,000+ physical qubits ├── Gate operations: ~10¹² └── Current state: ~1,000 noisy physical qubits
Definition 39.4 (Public-Key Exposure by Address Type)
Not all Bitcoin addresses are equally vulnerable to Shor's algorithm. An output is exposed exactly when its public key (rather than a hash of it) is visible on-chain:
| Address Type | Public Key Exposed? | Quantum Vulnerable? |
|---|---|---|
| P2PK (early) | Always (in scriptPubKey) | Yes - immediately |
| P2PKH (legacy) | After first spend | Yes - after spending |
| P2WPKH (SegWit) | After first spend | Yes - after spending |
| P2TR (Taproot) | Always (tweaked key in output) | Yes - immediately |
| Fresh addresses | Never (hash only) | Protected until spent |
Remark 39.3 (Satoshi's Coins)
Approximately 1 million BTC in early P2PK outputs (including Satoshi's presumed coins) have permanently exposed public keys. These are vulnerable to quantum attack regardless of address reuse practices.
Definition 39.5 (Transaction Race Attack)
Even "protected" addresses face risk during spending. In a transaction race attack, a quantum adversary extracts the public key from a broadcast transaction and races to compute the private key before the transaction confirms:
Transaction Race Attack: 1. Victim broadcasts transaction └── Public key now visible in mempool 2. Quantum attacker observes transaction └── Extracts public key from signature 3. Attacker computes private key └── Using Shor's algorithm (if fast enough) 4. Attacker signs competing transaction └── Sends coins to attacker's address 5. Race condition └── If quantum computation < block time, attacker wins Critical timing: ├── Average block time: 10 minutes ├── Required quantum speed: < 10 minutes └── Current Shor implementations: many hours on simulators
This attack requires not merely a cryptographically relevant quantum computer but one fast enough to compute discrete logs in under 10 minutes.
39.4 Grover's Algorithm: The Mining Threat
Definition 39.6 (Grover's Algorithm)
Grover's algorithm (Lov Grover, 1996) provides quadratic speedup for unstructured search via amplitude amplification:
Classical search: O(N) → Quantum search: O(√N)
For SHA-256 preimage search:
Classical: 2²⁵⁶ operations → Quantum: 2¹²⁸ operations
Mining with Grover's Algorithm: Classical Mining: ├── Goal: Find nonce where SHA256(block) < target ├── Expected operations: 2^difficulty └── Parallelizable: More ASICs = more hashes Quantum Mining: ├── Apply Grover to search for valid nonce ├── Expected operations: √(2^difficulty) = 2^(difficulty/2) ├── NOT parallelizable: √N × √N = N (no advantage) └── Coherence requirements: Extreme Practical Reality: ├── Grover requires coherent computation ├── Cannot simply add more qubits for speedup ├── One quantum computer = √N speedup ├── M quantum computers: only √M collective speedup (vs M× classically) └── ASICs likely remain competitive for mining
Proposition 39.1 (Grover Does Not Parallelize)
A Grover search over a space of size N requires about √N sequential coherent iterations. Distributing the search across M quantum machines reduces the running time only by a factor of √M, whereas M classical machines achieve a full M× speedup.
Proof.
Splitting the search space among M quantum machines gives each machine a space of size N/M, costing √(N/M) = √N/√M sequential coherent iterations—a collective speedup of only √M over a single machine. M classical ASICs, by contrast, partition the same work for a full M× speedup.
Remark 39.4 (Effective Security Levels)
Proposition 39.1 is the central reason Grover's algorithm does not give a quantum miner the kind of decisive advantage that Shor's algorithm gives a quantum signature forger:
- Quadratic, not exponential: 2¹²⁸ operations remain infeasible (cf. Chapter 2)
- Not parallelizable: a fleet of quantum machines cannot gain a classical-style advantage (Proposition 39.1); since mining is a throughput race rather than a one-shot break, quantum miners merely join the existing hardware arms race
- Difficulty adjustment: the network retargets to whatever total search rate is achieved, maintaining 10-minute blocks
Post-quantum, SHA-256 thus provides 128-bit security. Doubling the hash output (e.g., SHA-512) would restore the original margin; note that changing Bitcoin's proof-of-work or txid hash is a hard fork (Chapter 26).
39.5 The Current State of Quantum Computing
Example 39.2 (Quantum Hardware Landscape, mid-2026)
| Company/Lab | Qubits (Physical) | Technology | Error Rate |
|---|---|---|---|
| IBM Condor (2023) | 1,121 | Superconducting | ~0.1% |
| Google Willow (2024) | 105 | Superconducting | ~0.1% |
| IonQ Forte (2023) | 36 | Trapped ion | ~0.03% |
| Quantinuum H2 (2024) | 56 | Trapped ion | ~0.1% |
| Required for ECDSA | ~2,330 logical | Error-corrected | ~0.0001% |
Raw qubit counts overstate progress; error rates and error correction matter more. The most significant recent milestone is qualitative: in December 2024, Google's Willow chip (105 physical qubits) demonstrated a logical qubit whose error rate fell as the error-correcting code grew—the first below-threshold error-correction result. As of mid-2026, no announced machine approaches the roughly 2,330 error-corrected logical qubits that Example 39.3 shows an attack on 256-bit ECDSA would require.
Definition 39.7 (Logical Qubit)
Current quantum computers are "noisy"—qubits decohere and operations have errors. A logical qubit is an error-corrected qubit built from many physical qubits, allowing arbitrarily long computations. Useful cryptographic attacks require fault-tolerant quantum computers built from logical qubits.
Example 39.3 (Error-Correction Overhead)
Logical Qubit Construction: Physical qubits available: ~1,000 ├── Error rate: ~0.1-1% per operation ├── Coherence time: ~100 microseconds └── Operations possible: ~1,000 before decoherence Error Correction Overhead: ├── Requires 1,000-10,000 physical qubits per logical qubit ├── Surface code: Most promising approach ├── Need ~0.1% physical error rate minimum └── Better error rates = lower overhead For Breaking 256-bit ECDSA (Roetteler et al., 2017): ├── Logical qubits needed: ~2,330 ├── Physical qubits (optimistic): ~2,330,000 ├── Physical qubits (pessimistic): ~23,000,000 └── Current maximum: ~1,000 (noisy)
Remark 39.5 (Timeline Estimates)
Expert predictions for cryptographically relevant quantum computers vary widely:
| Source | Year | Prediction |
|---|---|---|
| NIST (2016) | 2030 | Assessed a cryptographically relevant machine as unlikely before 2030 |
| Google (2019) | 2029 | Projected that a million-qubit machine could be built by 2029 |
| IBM roadmap (2023) | 2033 | Targets 100,000 physical qubits by 2033 |
| Mosca (Definition 39.8) | Variable | Argues migration must begin well before the threat arrives |
| Skeptics such as Dyakonov (2018) | 2050+ | Argue that fundamental engineering barriers remain |
Definition 39.8 (Mosca's Inequality)
Let X = time to migrate cryptography, Y = time data must remain secure, and Z = time until the quantum threat arrives. Migration must begin now whenever
X + Y > Z
Remark 39.6 (Mosca's Inequality Applied to Bitcoin)
For Bitcoin: migration may take 5-10 years, and coins must be secure forever (so Y is effectively unbounded for stored value). If the quantum threat is 15-20 years away, migration should start soon.
39.6 Post-Quantum Cryptography
Definition 39.9 (NIST Post-Quantum Standards)
In 2024, NIST finalized the first post-quantum cryptographic standards:
| Algorithm | Type | Use Case | Key Size | Signature Size |
|---|---|---|---|---|
| ML-KEM (Kyber) | Lattice | Key encapsulation | ~1.5 KB | N/A |
| ML-DSA (Dilithium) | Lattice | Signatures | ~2.5 KB | ~4.6 KB |
| SLH-DSA (SPHINCS+) | Hash-based | Signatures | ~64 bytes | ~8-50 KB |
| ECDSA (current) | Elliptic curve | Signatures | 33 bytes | ~72 bytes |
Definition 39.10 (Lattice-Based Signatures)
Lattice-based cryptography rests on the hardness of lattice problems, for which no efficient quantum algorithm is known. It is the family most often proposed for Bitcoin, on signature-size and verification-speed grounds:
Lattice Problem (simplified): Given: Basis vectors of a high-dimensional lattice Find: Shortest vector in the lattice Classical: Exponential in dimension Quantum: Still exponential (no known efficient algorithm) ML-DSA (Dilithium) for Bitcoin: ├── Security: 128-256 bit post-quantum ├── Public key: 2,592 bytes (vs 33 bytes ECDSA) ├── Signature: 4,627 bytes (vs 72 bytes ECDSA) [ML-DSA-87] └── Verification: Fast, similar to ECDSA
Definition 39.11 (Hash-Based Signatures)
Hash-based signatures are the most conservative option—their security relies only on the security of the underlying hash function:
SPHINCS+ (SLH-DSA): ├── Based on: Merkle trees + hash chains ├── Security assumption: Hash function (SHA-256, SHAKE) ├── Advantages: │ ├── Minimal assumptions │ ├── Well-understood security │ └── No new mathematical assumptions ├── Disadvantages: │ ├── Large signatures (8-50 KB) │ └── Slower signing └── Bitcoin impact: ~100x larger transactions Lamport Signatures (simpler): ├── One-time use only ├── Signature: 8 KB for 256-bit security ├── Verification: Fast └── Can be committed in P2SH today
Example 39.4 (Comparing Post-Quantum Options for Bitcoin)
| Scheme | Transaction Size Impact | Security Confidence | Compatibility |
|---|---|---|---|
| ML-DSA | ~65x larger signatures (~25x at transaction level) | High (NIST standard) | Soft fork possible |
| SPHINCS+ | ~100-700x larger | Very high (hash only) | Soft fork possible |
| Lamport (committed) | ~100x larger | Very high | Usable today |
| STARK signatures | ~50-100x larger | High (hash + ZK) | Needs research |
39.7 Bitcoin Migration Strategies
Definition 39.12 (Post-Quantum SegWit, P2QRH)
The first migration strategy adds post-quantum signature schemes as new SegWit versions via a soft fork:
Post-Quantum SegWit: Version 0: P2WPKH, P2WSH (current) Version 1: P2TR (Taproot) Version 2-16: Available for future use Proposed P2QRH (Quantum Resistant Hash): ├── SegWit version 2 or higher ├── Commit to post-quantum public key hash ├── Reveal PQ signature in witness └── Backwards compatible soft fork Implementation: witness_v2 = OP_2 <32-byte PQ key hash> spending = <PQ signature> <PQ public key>
Definition 39.13 (Commit-Delay-Reveal)
The second strategy protects against transaction race attacks by separating the commitment to spend from the reveal of the (quantum-vulnerable) public key:
Commit-Delay-Reveal Protocol: 1. Commit Phase ├── User commits to spending intention ├── Hash of (destination, amount, nonce) └── No signature required (quantum-safe) 2. Delay Phase ├── Wait N blocks (e.g., 100) ├── Prevents race condition └── Attacker cannot predict destination 3. Reveal Phase ├── Provide pre-image of commitment ├── Include signature (may be broken) └── Commitment proves ownership Benefits: ├── Works with existing ECDSA ├── Quantum attacker cannot steal ├── Time lock provides protection └── Soft fork implementation possible
Definition 39.14 (Hybrid Signatures)
The third strategy combines classical and post-quantum signatures, so the construction is secure as long as either scheme remains secure:
Hybrid Signature Scheme:
signature = {
classical: ECDSA_sign(sk_ecdsa, message),
quantum: ML_DSA_sign(sk_mldsa, message)
}
verify(pk_ecdsa, pk_mldsa, message, signature):
return ECDSA_verify(pk_ecdsa, message, sig.classical)
AND ML_DSA_verify(pk_mldsa, message, sig.quantum)
Security:
├── Secure if EITHER scheme is secure
├── Protects against PQ scheme weaknesses
├── Larger signatures (acceptable trade-off)
└── Migration path to pure PQ later
Remark 39.7 (Emergency Migration)
The last resort, if the quantum threat materializes suddenly:
- Quantum attack demonstrated or imminent
- Freeze all ECDSA-based transactions
- Require PQ proof of key ownership
- Restrict the network to PQ-only signatures
- Coins without valid PQ proof may be frozen/burned
Note the classification: disabling ECDSA spends restricts the valid set and is therefore a soft fork (Definition 26.5), though a drastic one; schemes that reassign or recover frozen value would require more. Either way, the path is extremely disruptive and is what proactive migration is designed to avoid.
39.8 Scalability Implications
Example 39.5 (Transaction Size Explosion)
Post-quantum signatures are much larger than ECDSA:
- Current ECDSA transaction: ~250 bytes typical
- ML-DSA transaction: ~5,000-7,000 bytes
- SPHINCS+ transaction: ~10,000-50,000 bytes
- Capacity impact: 5-100x fewer transactions per block
Remark 39.8 (Mitigation Approaches)
Several approaches can offset the cost of larger signatures:
Dealing with Larger Signatures: 1. Signature Aggregation ├── Combine multiple signatures into one ├── Lattice schemes: Possible but complex └── Hash-based: Not naturally aggregatable 2. Block Size Increase (Witness Discount) ├── Already have SegWit witness discount ├── Could increase PQ witness discount └── Trade-off: Node requirements increase 3. Layer 2 Dominance ├── Most transactions on Lightning ├── PQ only for channel opens/closes └── Amortize PQ overhead across many payments 4. Batching and Covenants ├── Aggregate many users into one signature ├── Ark-style virtual UTXOs └── Covenant proposals (CTV) enable efficient batching 5. New Compact PQ Schemes ├── Research ongoing ├── STARKs may offer smaller proofs └── Trade-offs between size and security
39.9 The Lost Coins Problem
Remark 39.9 (Coins That Cannot Migrate)
Some Bitcoin cannot be moved to quantum-resistant addresses:
- Lost keys: ~3-4 million BTC estimated lost forever
- Satoshi's coins: ~1 million BTC unmoved since 2009-2010
- Dead holders: No heir has keys
- Forgotten wallets: Keys exist but owners unaware/unable
Quantum Threat to Unmoved Coins: P2PK outputs (exposed public keys): ├── Satoshi's ~1M BTC: Public key known ├── Other early miners: Public keys known ├── First to break ECDSA claims these └── No user-side defense; see the protocol options below P2PKH outputs (hash-protected): ├── Safe until spent ├── Migration window available ├── Proactive users can protect coins └── Inactive users at risk Controversial Question: ├── Should protocol protect unmigrated coins? ├── Options: │ ├── Do nothing (let quantum claim them) │ ├── Freeze exposed public keys │ ├── Burn unmigrated coins after deadline │ └── Quantum "tax" on retrieved coins └── No consensus on approach
Remark 39.10 (The Ethical Dimension)
If quantum computers can claim Satoshi's coins, ~1 million BTC returns to circulation. Whether such a claim constitutes theft of dormant property or the operation of the system as designed is contested; no community position exists.
39.10 Preparing Today
Remark 39.11 (Best Practices for Users)
- Never reuse addresses: Fresh addresses hide public keys
- Output-type choice is debated: Some analysts recommend hash-based output types over P2TR for long-term cold storage, since P2TR exposes the tweaked public key in the output; others respond that the protection is limited to the pre-spend period, since any key is exposed at spend time. The trade-off is unresolved
- Monitor quantum progress: Be ready to migrate when solutions deploy
Definition 39.15 (Committed Lamport Fallback)
A holder can be protected today by committing to a hash-based signature inside a P2SH script—a "commit now, reveal later" defense:
Committed Lamport Fallback: 1. A Lamport keypair is generated offline └── One-time use hash-based signature 2. A P2SH address commits to the script ├── Script: IF <lamport verify> ELSE <ECDSA> ENDIF └── Hidden until spending 3. If a quantum threat materializes ├── The holder spends via the Lamport path └── Quantum computers cannot break the hash commitment
Remark 39.12 (Practicality of the Lamport Fallback)
The construction of Definition 39.15 is intricate and is not exposed by current wallet software; in practice, most holders depend on wallet-level support, which does not yet exist.
For developers, preparation means researching post-quantum signature integration, implementing hybrid signature schemes, preparing wallet upgrade paths, and testing on signet/testnet.
Remark 39.13 (An Illustrative Timeline)
One plausible sequencing, for concreteness (the phase boundaries are illustrative, not predictions):
One Plausible Sequencing (illustrative): 2026-2028: Research Phase ├── Finalize PQ signature choice ├── Design soft fork proposal ├── Implement in Bitcoin Core (experimental) └── Community discussion and review 2028-2030: Testing Phase ├── Signet deployment ├── Wallet integration ├── Security audits └── BIP finalization 2030-2032: Activation ├── Soft fork activation ├── New PQ address types available ├── Migration begins └── Wallet support widespread 2032-2042: Migration Window ├── Users migrate to PQ addresses ├── Layer 2 upgrades ├── Exchange support └── Legacy addresses deprecated (social) 2042+: Post-Quantum Era ├── All active coins quantum-resistant ├── Legacy coins (Satoshi's etc.) at risk ├── Protocol decisions on unmoved coins └── Full PQ security achieved
Remark 39.14 (The 20-Year Window)
Most estimates give Bitcoin 15-25 years before quantum computers threaten ECDSA. This seems like ample time, but cryptographic migrations are slow: the MD5 and SHA-1 deprecations each took over a decade from demonstrated weakness to ecosystem removal.
39.11 Summary
- Shor's algorithm: if fault-tolerant quantum computers are built, it breaks ECDSA; on prevailing expert timelines, preparation is prudent
- Grover's algorithm halves effective hash security—doubling the hash output size would restore the margin (Remark 39.4)
- Timeline: Likely 15-25 years, but uncertain
- NIST standards (ML-DSA, SPHINCS+) provide ready alternatives
- Signatures will be larger—5-100x current size
- Soft fork migration is possible and least disruptive
- Users should avoid address reuse as basic protection
- Research and planning should begin now—migration takes years
The quantum threat to Bitcoin is real but not imminent. With proper preparation, Bitcoin can transition to quantum-resistant cryptography smoothly. The challenge is significant but has known technical paths.
Exercises
Exercise 39.1
A Lamport signature scheme for 256-bit messages uses two random 256-bit preimages per message bit. Compute the sizes of the private key, the public key (one 256-bit hash per preimage), and a signature (one revealed preimage per message bit). Verify that the signature size matches the 8 KB figure quoted in Definition 39.11.
Exercise 39.2
Consider a 1-input, 2-output transaction whose non-signature "skeleton" is 150 bytes. Using the ML-DSA-87 parameters from Definition 39.10 (public key 2,592 bytes, signature 4,627 bytes) and ECDSA (33-byte key, 72-byte signature), compute both total transaction sizes and their ratio. Compare your result with the "~25x at transaction level" and "~5,000-7,000 bytes" figures in Examples 39.4 and 39.5.
Exercise 39.3
Apply Mosca's inequality (Definition 39.8) with migration time X = 7 years and required security lifetime Y = 10 years. Is migration already overdue if the quantum threat arrives in Z = 18 years? What if Z = 15 years? By how many years?
Exercise 39.4
Suppose finding a valid block requires 2⁸⁰ expected hash evaluations. How many Grover iterations does a single quantum computer need? If the search space is split across 2¹⁰ quantum machines, how many iterations does each machine need, and how does this compare with the per-machine workload of 2¹⁰ classical ASICs? Explain how this supports Proposition 39.1.
Exercise 39.5
Grover's algorithm reduces SHA-256 preimage search to 2¹²⁸ sequential iterations (Definition 39.6). If a fault-tolerant quantum computer performs 10⁹ Grover iterations per second, how many years would the full search take? What does this say about Remark 39.4's claim that 2¹²⁸ operations remain infeasible?
Exercise 39.6
Using Example 39.3, compute the total physical qubit count needed to break 256-bit ECDSA at error-correction overheads of 1,000 and 10,000 physical qubits per logical qubit (2,330 logical qubits required). By what factor does each figure exceed IBM Condor's 1,121 physical qubits (Example 39.2)?