Bitcoin’s $1.3 trillion effort for security: Important steps to make the largest blockchain safe from quantum threats

Quantum Threats to Bitcoin and Proposed Solutions

Currently, there are no quantum computers capable of breaching the Bitcoin blockchain. That has not stopped developers from preparing: they are already brainstorming a series of upgrades to bolster defenses against potential threats, which are rapidly becoming a reality.

This week, Google released research indicating that a sufficiently powerful quantum computer could break Bitcoin’s core cryptography in under nine minutes, faster than the average time it takes for a Bitcoin block to settle. Some experts speculate that these threats could materialize by 2029.

The stakes are considerable. About 6.5 million Bitcoin tokens, amounting to hundreds of billions of dollars, are stored at addresses that could be directly attacked by quantum computers. Some of these coins even belong to Satoshi Nakamoto, Bitcoin’s enigmatic creator. If breaches occur, they could undermine Bitcoin’s foundational principles: “trust the code” and “sound money.”

Let’s delve into what this threat entails and the strategies under consideration to mitigate it.

Understanding Quantum Attacks on Bitcoin

Before we discuss any proposals, it’s essential to grasp the underlying vulnerabilities.

Bitcoin’s security hinges on a one-way mathematical relationship. When a wallet is created, a private key (a large secret number) is generated, and from it a public key is derived.

To spend bitcoin, one must demonstrate ownership of the private key by generating a cryptographic signature that the network can validate, without ever exposing the key itself.

This system is generally seen as foolproof because even modern computers would take billions of years to break the elliptic curve cryptography Bitcoin uses, notably the Elliptic Curve Digital Signature Algorithm (ECDSA), and recover the private key from the public key. Hence, the blockchain is often viewed as computationally secure.

Yet, future quantum computers may break this one-way relationship, deriving the private key from the public key and stealing coins.

Public keys can be exposed in two ways: through idle coins on the blockchain (long exposure attack) or through transactions that are currently pending in the memory pool (short exposure attack).

Pay-to-public key (P2PK) addresses, used by Satoshi and early miners, along with the Taproot (P2TR) address format introduced in 2021, are especially vulnerable to long exposure attacks. Coins in these addresses do not need to be moved to reveal the public key; it is already disclosed and accessible to anyone, including future quantum attackers. Approximately 1.7 million BTC, including Satoshi’s coins, are stored in old P2PK addresses.

Short exposure attacks target the mempool, where unconfirmed transactions are visible to everyone while awaiting block inclusion. A quantum computer could access this information but would only have a limited window to derive the corresponding private key before the transaction is confirmed and buried under additional blocks.
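The distinction between long and short exposure comes down to what an output script puts on-chain: the public key itself, or only a hash of it. The following added example (not code from the article or from any Bitcoin project) classifies raw scriptPubKeys by the standard templates and sums the value held under each exposure class. The opcode values and templates are real Bitcoin Script; the keys, hashes and amounts are constructed placeholders, and the labels "long", "short" and "script" are this example's own.

```python
import hashlib

# Opcode values from Bitcoin Script, used by the standard output templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xa9, 0xac

# Exposure classes used by this example (our labels, not Bitcoin terms):
#   long   - the public key itself is in the output, visible since creation
#   short  - only a hash is in the output; the key appears in the spending
#            transaction, so it is exposed only while that spend is pending
#   script - a script hash; what the spend reveals depends on the script
LONG, SHORT, SCRIPT, UNKNOWN = "long", "short", "script", "unknown"


def classify_exposure(script_pubkey: bytes) -> tuple:
    """Return (template name, exposure class) for a raw scriptPubKey."""
    s = script_pubkey
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        return "P2PK", LONG
    # P2TR: OP_1 <32-byte x-only pubkey>
    if len(s) == 34 and s[0] == OP_1 and s[1] == 32:
        return "P2TR", LONG
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", SHORT
    # P2WPKH: OP_0 <20-byte hash>
    if len(s) == 22 and s[0] == OP_0 and s[1] == 20:
        return "P2WPKH", SHORT
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if len(s) == 23 and s[0] == OP_HASH160 and s[1] == 20 and s[-1] == OP_EQUAL:
        return "P2SH", SCRIPT
    # P2WSH: OP_0 <32-byte hash>
    if len(s) == 34 and s[0] == OP_0 and s[1] == 32:
        return "P2WSH", SCRIPT
    return "nonstandard", UNKNOWN


def summarize_exposure(utxos: list) -> dict:
    """Sum the value (in satoshis) locked under each exposure class."""
    totals = {LONG: 0, SHORT: 0, SCRIPT: 0, UNKNOWN: 0}
    for script, sats in utxos:
        _, exposure = classify_exposure(script)
        totals[exposure] += sats
    return totals


# --- Constructed sample data: not real keys, hashes or UTXOs. ---
SAMPLE_PUBKEY = bytes([0x02]) + bytes(range(1, 33))   # 33-byte stand-in
SAMPLE_XONLY = bytes(range(100, 132))                  # 32-byte stand-in
# Stand-in for HASH160; real P2PKH uses RIPEMD160(SHA256(pubkey)).
SAMPLE_HASH20 = hashlib.sha256(SAMPLE_PUBKEY).digest()[:20]
SAMPLE_HASH32 = hashlib.sha256(b"constructed witness script").digest()


def p2pk(pubkey):
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh(h20):
    return bytes([OP_DUP, OP_HASH160, 20]) + h20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh(h20):
    return bytes([OP_0, 20]) + h20


def p2tr(xonly):
    return bytes([OP_1, 32]) + xonly


def p2wsh(h32):
    return bytes([OP_0, 32]) + h32


SAMPLE_UTXOS = [
    (p2pk(SAMPLE_PUBKEY), 5_000_000_000),    # 50 BTC, early-miner style P2PK
    (p2tr(SAMPLE_XONLY), 100_000_000),       # 1 BTC in a Taproot output
    (p2pkh(SAMPLE_HASH20), 200_000_000),     # 2 BTC behind a pubkey hash
    (p2wpkh(SAMPLE_HASH20), 50_000_000),     # 0.5 BTC, segwit pubkey hash
    (p2wsh(SAMPLE_HASH32), 25_000_000),      # 0.25 BTC behind a script hash
]

if __name__ == "__main__":
    for script, sats in SAMPLE_UTXOS:
        print(classify_exposure(script), sats)
    print(summarize_exposure(SAMPLE_UTXOS))
```

Run against a real UTXO dump, the "long" total is the figure the article's 1.7 million BTC estimate corresponds to; the "short" class is exposed only between broadcast and confirmation, which is the window the mempool attack described above depends on.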

Proposed Solutions

BIP 360: Remove Public Keys

As noted, every new Bitcoin address created using Taproot now leaves its public key permanently exposed on the blockchain, making it easy prey for future quantum computers.

The proposed Bitcoin Improvement Proposal (BIP) 360 suggests introducing a new output type called Pay-to-Merkle-Root (P2MR) to eliminate public keys that are permanently visible on-chain.

Essentially, a quantum computer could analyze the public key and reconstruct the private key. Removing the public key means there’s nothing for attackers to target. All other features, like Lightning payments and multi-signature settings, would remain unchanged.

However, this would only safeguard new coins. The 1.7 million BTC in older, public-key-exposing addresses would still be at risk and require the different mitigation approaches outlined below.

SPHINCS+ / SLH-DSA: Hash-Based Post-Quantum Signature

SPHINCS+ is a post-quantum signature scheme based on hash functions, sidestepping the quantum vulnerabilities faced by the elliptic curve cryptography currently used in Bitcoin. While ECDSA is at risk from Shor’s algorithm, hash-based designs like SPHINCS+ are not deemed similarly threatened.

The scheme was standardized as FIPS 205 (SLH-DSA) by the National Institute of Standards and Technology (NIST) in August 2024, following extensive public review.

The trade-off for enhanced security is size. Bitcoin signatures are currently 64 bytes, while SLH-DSA signatures are over 8 kilobytes. This would significantly increase demand for block space and raise transaction fees.

Consequently, proposals like SHRIMPS, another hash-based post-quantum signature scheme, aim to cut down signature sizes without compromising security. SHRINCS has already been introduced to achieve a more efficient format suitable for blockchain applications.
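To see why a hash-based signature is immune to Shor's algorithm yet so much larger than a 64-byte ECDSA or Schnorr signature, it helps to build the simplest member of the family. The following added example (not code from the article, and not SPHINCS+ or SLH-DSA itself) implements a Lamport one-time signature over SHA-256: security rests only on the one-wayness of the hash, and the signature is 256 revealed 32-byte secrets, 8192 bytes. It also shows the one-time limitation that SPHINCS+ exists to remove: signing two different messages with one key exposes both secrets at every differing bit position. Function names are this example's own.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N_BITS = 256          # we sign the 256-bit SHA-256 digest of the message
SECRET_LEN = 32       # bytes per secret value


def lamport_keygen(rng=secrets.token_bytes):
    """One-time key pair: 256 pairs of random secrets, and the hash of each."""
    sk = [(rng(SECRET_LEN), rng(SECRET_LEN)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes) -> list:
    """Bits of SHA-256(message), most significant first."""
    d = int.from_bytes(HASH(message).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, message: bytes) -> list:
    """For each digest bit, reveal the secret matching that bit's value."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Hashing each revealed secret must reproduce the published hash for
    that position and bit value. No algebraic structure is involved."""
    if len(sig) != N_BITS:
        return False
    return all(HASH(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _digest_bits(message))))


def signature_size(sig) -> int:
    """Total bytes in the signature: 256 secrets of 32 bytes = 8192."""
    return sum(len(s) for s in sig)


def secrets_exposed_by_reuse(msg1: bytes, msg2: bytes) -> int:
    """Key positions where signing both messages reveals BOTH secrets.
    This is why the scheme is one-time; many-time hash-based schemes such as
    SPHINCS+ layer one-time keys under a hash tree to avoid this."""
    return sum(1 for x, y in zip(_digest_bits(msg1), _digest_bits(msg2)) if x != y)


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    msg = b"constructed transaction digest input"
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig))
    print("signature bytes:", signature_size(sig))
    print("positions leaked by a second signature:",
          secrets_exposed_by_reuse(msg, b"a second message"))
```

The public key here is itself 16 KB, which is the other half of the size problem the SHRIMPS-style proposals attack; production schemes compress it by publishing only the root of a Merkle tree over many such keys.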

Tadge Dryja’s Commit/Publish Scheme: Mempool Emergency Brake

This concept, proposed by Lightning Network co-creator Tadge Dryja, seeks to safeguard transactions in memory pools from quantum threats. It does this by splitting transaction execution into two phases: commit and publish.

Think of it as letting someone know you plan to send an email before actually sending it. The first part is the commit phase, and the later part is revealing your action.

On the blockchain, this means first publishing a sealed hash of your intended transaction, which reveals no details about it. The blockchain records this hash, which serves as a timestamp. Then, when you broadcast the actual transaction, your public key becomes visible. A quantum computer monitoring the network could potentially extract the private key and fabricate competing transactions to steal funds.

Yet, such a fraudulent transaction would likely be rejected. The network checks whether a prior commitment corresponding to that spend exists on-chain. Your earlier commitment substantiates your claim, while the attacker would have none, having only just fabricated the transaction.

However, this two-stage process comes with increased costs, making it a temporary measure as the community works on long-term quantum defenses.
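The commit/publish rule can be simulated end to end. The following added example (not code from the article or from Tadge Dryja's proposal) models a toy chain that accepts hash-only commitments in phase one and, in phase two, resolves conflicting spends of the same coin by rejecting any spend without a prior on-chain commitment and preferring the earliest commitment among the rest. The attacker is modelled simply as a competing spend that reuses the owner's public key; how the key was obtained is outside the simulation. The `Spend` and `ToyChain` names, the nonce field and the placeholder key are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Spend:
    """A simplified transaction: which coin is spent, by which key, to whom."""
    utxo_id: str
    spender_pubkey: bytes
    destination: str
    nonce: bytes        # constructed randomness so the commitment is unguessable

    def serialize(self) -> bytes:
        return b"|".join([self.utxo_id.encode(), self.spender_pubkey,
                          self.destination.encode(), self.nonce])

    def commitment(self) -> bytes:
        """Phase 1 payload: a hash only, revealing nothing about the spend."""
        return sha256(b"commit:" + self.serialize())


@dataclass
class ToyChain:
    height: int = 0
    commitments: dict = field(default_factory=dict)   # commitment -> block height
    spent: set = field(default_factory=set)

    def mine_commitment(self, commitment: bytes) -> int:
        """Record a commitment in the next block; the first height is kept."""
        h = self.height
        self.commitments.setdefault(commitment, h)
        self.height += 1
        return h

    def mine_empty_block(self) -> None:
        self.height += 1

    def resolve(self, candidates: List[Spend]) -> Optional[Spend]:
        """Phase 2 rule for one coin: drop spends lacking a prior on-chain
        commitment; among the rest, the earliest commitment wins."""
        committed = [s for s in candidates
                     if s.commitment() in self.commitments
                     and s.utxo_id not in self.spent]
        if not committed:
            return None
        winner = min(committed, key=lambda s: self.commitments[s.commitment()])
        self.spent.add(winner.utxo_id)
        return winner


# Constructed placeholder, not a real public key.
OWNER_PUBKEY = bytes.fromhex("02" + "11" * 32)


def scenario_with_commitment() -> Optional[str]:
    """Owner commits first, publishes later; a competing spend loses."""
    chain = ToyChain()
    owner = Spend("coin-1", OWNER_PUBKEY, "owner-new-address", b"constructed-nonce-1")
    chain.mine_commitment(owner.commitment())          # block 0: hash only
    for _ in range(3):
        chain.mine_empty_block()
    # Owner broadcasts the full spend; the pubkey is now visible in the mempool.
    # A competing spend reusing that key can only commit now, which is later.
    thief = Spend("coin-1", OWNER_PUBKEY, "attacker-address", b"constructed-nonce-2")
    chain.mine_commitment(thief.commitment())
    winner = chain.resolve([thief, owner])
    return winner.destination if winner else None


def scenario_without_commitment() -> Optional[str]:
    """Neither spend was committed beforehand, so both are rejected."""
    chain = ToyChain()
    owner = Spend("coin-1", OWNER_PUBKEY, "owner-new-address", b"constructed-nonce-1")
    thief = Spend("coin-1", OWNER_PUBKEY, "attacker-address", b"constructed-nonce-2")
    winner = chain.resolve([thief, owner])
    return winner.destination if winner else None


if __name__ == "__main__":
    print("with commitment:", scenario_with_commitment())
    print("without commitment:", scenario_without_commitment())
```

The cost the article mentions is visible in the model: every spend needs two on-chain steps, and the coin is unspendable until its commitment has been mined, which is the latency honest users would pay for the protection.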

Hourglass V2: Slowing the Sale of Old Coins

Developer Hunter Beast proposed Hourglass V2 to address a quantum vulnerability concerning roughly 1.7 million BTC stored in old, publicly accessible addresses.

This proposal recognizes that future quantum attacks might target these coins and aims to slow potential losses by capping sales to one Bitcoin per block. This could prevent sudden mass liquidations that might crash the market.

It’s akin to a bank run; while you can’t stop withdrawals entirely, you can limit how rapidly they occur to avoid overnight collapse. However, this suggestion has sparked controversy among some in the Bitcoin community who view even a limited restriction as a violation of the principle that external forces should not interfere with the use of coins.

Conclusion

These proposals have not yet been activated, and Bitcoin’s decentralized nature means that any upgrades will likely take some time to implement. Yet, the flurry of ideas surfacing in light of Google’s recent report indicates that developers have been contemplating this issue for a while, which may help alleviate market unease.