Bitcoin Security in the Quantum Era: Distinguishing Between Fiction and Actual Threat

The widespread media narrative about "breaking Bitcoin encryption with quantum computers" contains a fundamental conceptual error. Bitcoin does not encrypt the data stored in the blockchain at all. The blockchain is a public ledger in which every transaction, amount and address is visible to everyone. The threat to focus on is not decryption but key recovery: a sufficiently large quantum computer could derive a private key from a public key that is already visible on chain, and then produce valid signatures for that key.

Where the vulnerability truly lies: from encryption to signatures

Bitcoin's signature schemes, ECDSA and Schnorr (BIP 340), are what control funds. Coins are spent by producing a signature that the network accepts as valid for the output's public key. Both schemes rest on the hardness of the elliptic curve discrete logarithm problem over secp256k1, and that is exactly the problem Shor's algorithm solves efficiently. In this architecture, an exposed public key becomes a critical weakness once a machine capable of running Shor's algorithm at that scale exists.

If an attacker had a cryptographically significant quantum machine, they could:

  • Recover the private key from a public key visible on chain (Shor's algorithm solves the discrete logarithm in polynomial time)
  • Sign a competing transaction that spends the same outputs
  • Take control of the funds, since the network cannot distinguish the attacker's signature from a legitimate one

How long the public key is exposed determines the scale of this risk. The most common output types (P2PKH, P2WPKH, and script hashes such as P2SH and P2WSH) commit only to a hash of the key or script; the raw key appears on chain only when the output is spent, in the scriptSig or witness, and is then public while the transaction waits in the mempool. Other formats, such as pay-to-pubkey (P2PK) or bare multisig, place the key directly in the output script, so it is exposed from the moment the coins are received. Reusing an address extends the window: once a single spend from an address has revealed its key, every later payment to that address is exposed from the outset, turning a one-time exposure into a permanent target.

Quantum threat in numbers: what is measurable today

Project Eleven publishes weekly scans of the chain that identify UTXOs whose public key is already exposed. Their public tracker puts about 6.7 million BTC in that category.
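The exposure rules above (key in the output script versus key revealed only at spend time, plus address reuse) are mechanical enough to code. The following is an added example written for this article, not Project Eleven's scanner nor any Bitcoin Core code: it classifies raw scriptPubKeys, including Taproot, and totals the value of a small constructed UTXO set by exposure reason. Txids, hashes and keys in the sample data are placeholders.

```python
"""Classify Bitcoin output scripts by when they expose the spending public key,
then total the value of a constructed UTXO set that a quantum attacker could target.
Added illustration; not Project Eleven's tracker or Bitcoin Core code."""
from __future__ import annotations
from dataclasses import dataclass

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE

EXPOSED_AT_OUTPUT = "output"  # raw key sits in the scriptPubKey itself
EXPOSED_AT_SPEND = "spend"    # only a hash until a spend reveals the key


def classify_output(spk: bytes) -> tuple[str, str]:
    """Return (output type, when the public key becomes visible on chain)."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", EXPOSED_AT_SPEND
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[22] == OP_EQUAL:
        return "p2sh", EXPOSED_AT_SPEND
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh", EXPOSED_AT_SPEND
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh", EXPOSED_AT_SPEND
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        # Taproot: OP_1 <32-byte x-only tweaked key>; the key is public at creation.
        return "p2tr", EXPOSED_AT_OUTPUT
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        # Pay-to-pubkey: <33- or 65-byte key> OP_CHECKSIG.
        return "p2pk", EXPOSED_AT_OUTPUT
    if n > 3 and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16 \
            and spk[-1] == OP_CHECKMULTISIG:
        # Bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG; every key is in the output.
        return "bare_multisig", EXPOSED_AT_OUTPUT
    # Anything else (OP_RETURN, non-standard) is treated like a hashed output here.
    return "unknown", EXPOSED_AT_SPEND


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes


def quantum_exposed_value(utxos: list[Utxo], spent_scripts: set[bytes]) -> dict[str, int]:
    """Bucket UTXO value by exposure reason.

    A UTXO is exposed if its key is in the output script, or if the same
    scriptPubKey has already been spent from (address reuse revealed the key).
    """
    totals = {"key_in_output": 0, "address_reuse": 0, "not_exposed": 0}
    for u in utxos:
        _, when = classify_output(u.script_pubkey)
        if when == EXPOSED_AT_OUTPUT:
            totals["key_in_output"] += u.value_sat
        elif u.script_pubkey in spent_scripts:
            totals["address_reuse"] += u.value_sat
        else:
            totals["not_exposed"] += u.value_sat
    return totals


# Constructed sample data: placeholder txids, hashes and keys, not real chain data.
KEY33 = bytes.fromhex("02" + "11" * 32)
REUSED_P2WPKH = bytes([OP_0, 0x14]) + bytes([0x22] * 20)
SAMPLE_UTXOS = [
    Utxo("a" * 64, 0, 50_00000000, bytes([0x21]) + KEY33 + bytes([OP_CHECKSIG])),   # early-era P2PK
    Utxo("b" * 64, 0, 1_00000000,
         bytes([OP_DUP, OP_HASH160, 0x14]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),  # fresh P2PKH
    Utxo("c" * 64, 1, 2_00000000, REUSED_P2WPKH),                                  # P2WPKH, address reused
    Utxo("d" * 64, 0, 3_00000000, bytes([OP_1, 0x20]) + bytes(32)),                # P2TR
]
SPENT_SCRIPTS = {REUSED_P2WPKH}  # scriptPubKeys that have already been spent from

if __name__ == "__main__":
    for name, sats in quantum_exposed_value(SAMPLE_UTXOS, SPENT_SCRIPTS).items():
        print(f"{name:14s} {sats / 1e8:8.2f} BTC")
```

Run against the sample set, the P2PK and P2TR coins (53 BTC) count as exposed by construction, the reused P2WPKH address (2 BTC) as exposed by reuse, and only the never-spent P2PKH output (1 BTC) as not yet exposed. A real scan would feed this the full UTXO set plus the set of scriptPubKeys with at least one historical spend.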

From a computational perspective, the logical-qubit bound comes from Roetteler, Naehrig, Svore and Lauter (2017); the physical-qubit figures come from later surface-code resource estimates and depend heavily on the assumed physical error rate, code-cycle time and the time window allowed for the attack. Breaking the 256-bit elliptic curve discrete logarithm is estimated to require:

Category                              Estimate
Logical qubits (upper bound)          ~2,330
Physical qubits (10-minute window)    ~6.9M
Physical qubits (1-day window)        ~13M
Physical qubits (1-hour window)       ~317M

The difference between logical and physical qubits is fundamental. A logical qubit is built from many physical qubits running an error-correcting code, so the roughly 2,330 logical qubits of the circuit become millions of physical qubits once the error rates needed for a practical attack are factored in. The conversion ratio scales with the physical error rate, the code-cycle time and how long the attacker is allowed to run, which is why the physical-qubit figures above vary by orders of magnitude with those assumptions.

Taproot changes the landscape of exposure

Taproot (P2TR) changes the default key-exposure pattern. A Taproot output places a 32-byte x-only tweaked public key directly in the output script (OP_1 followed by the key) rather than a hash of it. Recovering the discrete logarithm of that tweaked key is enough to produce a valid key-path spend, so every P2TR output is exposed from the moment it is created, not from its first spend. As Taproot adoption grows, the share of the UTXO set with exposed keys grows with it, which is what matters when quantum technology becomes a practical threat.

Under today's classical assumptions, nothing about Taproot's security changes. What changes is that exposure becomes a measurable, trackable variable that defines the extent of future risk.

From Grover to migration: the full spectrum of the quantum context

Hash functions such as SHA-256 face a different kind of quantum attack. Grover's algorithm gives a quadratic speedup for unstructured search; it does not solve the discrete logarithm the way Shor's algorithm does. A SHA-256 preimage search drops from roughly 2^256 to roughly 2^128 quantum operations, which is still far out of reach, so this is much less of a practical threat than breaking ECDSA or Schnorr. Bitcoin's hashing (SHA-256, RIPEMD-160) and its proof of work are therefore not the weak point.

Narratives about quantum threats often blur the two algorithms. NIST has already standardized post-quantum primitives: ML-KEM (FIPS 203) for key encapsulation and, more relevant for Bitcoin, the signature schemes ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). On the Bitcoin side, BIP 360 proposes a "Pay to Quantum Resistant Hash" (P2QRH) output type. The challenge lies in migration, not in an immediate collapse.

Why this is an infrastructural problem, not an apocalyptic scenario

According to recent Reuters reports, IBM is designing a path toward a fault-tolerant system around 2029. Advances in error-correction components point the same way: a quantum breakthrough would be the result of years of visible development, not a surprise attack.

The real issue boils down to three dimensions:

  1. What portion of UTXOs has exposed public keys (detectable today)
  2. How quickly wallets and protocols can adopt quantum-resistant expenditures
  3. Whether the network can maintain throughput, security, and fee economics during the transition

Post-quantum signatures are kilobytes rather than tens of bytes. A Schnorr signature is 64 bytes, whereas an ML-DSA-44 signature is 2,420 bytes with a 1,312-byte public key, and SLH-DSA signatures start at about 7.8 KB. That changes the transaction weight calculus, the fee economics and the user experience. Migration requires coordination, not desperate reprogramming.
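To put numbers on the weight calculus, here is an added example (written for this article, not code from any BIP, wallet or library) that computes the virtual size and fee of a one-input, one-output spend under Bitcoin's weight rules. The signature and key sizes for ML-DSA-44 and SLH-DSA-SHA2-128s are the FIPS 204 and FIPS 205 parameter sizes; the post-quantum witness layout (key plus signature revealed at spend time against a 34-byte hash-committed output, in the spirit of P2QRH) is an assumption, since no such output type is deployed.

```python
"""Virtual size and fee of a 1-input, 1-output spend for classical vs post-quantum
signatures. Added illustration; not code from any BIP or wallet. The post-quantum
witness layouts are assumptions (see comments); signature and key sizes are the
FIPS 204/205 parameter sizes."""
from __future__ import annotations
import math


def compact_size(n: int) -> int:
    """Bytes taken by Bitcoin's CompactSize length prefix for a value n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFFFFFF:
        return 5
    return 9


def witness_bytes(items: list[int]) -> int:
    """Serialized witness stack: item count, then each item as length prefix + data."""
    return compact_size(len(items)) + sum(compact_size(n) + n for n in items)


def tx_vsize(witness_items: list[int], output_script_len: int = 34) -> int:
    """vsize of a transaction with one native-segwit input and one output.

    Base (non-witness) bytes count 4 weight units each: version(4) + input count(1)
    + outpoint(36) + empty scriptSig length(1) + sequence(4) + output count(1)
    + value(8) + script length(1) + script + locktime(4).
    Witness bytes count 1 weight unit each, including the segwit marker and flag (2).
    """
    base = 4 + 1 + (36 + 1 + 4) + 1 + (8 + 1 + output_script_len) + 4
    witness = 2 + witness_bytes(witness_items)
    weight = 4 * base + witness
    return math.ceil(weight / 4)


# Witness item sizes in bytes.
# Schnorr key-path spend: one 64-byte BIP 340 signature; the key is already in the output.
# ML-DSA-44 (FIPS 204): 2,420-byte signature, 1,312-byte public key.
# SLH-DSA-SHA2-128s (FIPS 205): 7,856-byte signature, 32-byte public key.
# Assumption: a hash-committed post-quantum output (the P2QRH idea) reveals the
# public key and signature in the witness, and its output script is 34 bytes like P2TR.
SCHEMES = {
    "p2tr_schnorr": [64],
    "pq_ml_dsa_44": [2420, 1312],
    "pq_slh_dsa_128s": [7856, 32],
}


def fee_table(feerate_sat_per_vb: float) -> dict[str, tuple[int, int]]:
    """Map scheme name -> (vsize in vB, fee in sat) at the given fee rate."""
    return {name: (tx_vsize(items), math.ceil(tx_vsize(items) * feerate_sat_per_vb))
            for name, items in SCHEMES.items()}


if __name__ == "__main__":
    base_vb = tx_vsize(SCHEMES["p2tr_schnorr"])
    for name, (vb, fee) in fee_table(10).items():
        print(f"{name:16s} {vb:5d} vB  {fee:6d} sat  ({vb / base_vb:.1f}x Taproot key-path)")
```

The Taproot key-path case reproduces the familiar 111 vB figure. Under the stated assumptions the ML-DSA-44 spend comes to 1,030 vB and the SLH-DSA-128s spend to 2,068 vB, roughly 9x and 19x the Taproot size, and the fee scales with it at any given sat/vB rate. That ratio, not raw signature length, is what block space, fee markets and wallet UX would have to absorb during a migration.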

The actual quantum risk is measurable, but it is primarily a matter of time and design, not a reason for panic about a changed security narrative in cryptocurrencies.
