6 Key Takeaways
1. 1.72 million bitcoin (~$188 billion) in very early address types thought to be potentially dormant or lost will be highly vulnerable to long-range quantum attacks.
2. An additional 4.49 million bitcoin (~$495 billion) are vulnerable to long-range quantum attacks, but owners would be able to secure them by moving them to quantum-secure address types.
3.
4.
5.
6.
Background
Bitcoin is a powerful tool for safeguarding human rights, promoting financial freedom, and resisting authoritarian control. Tyrannical governments frequently manipulate and surveil their currencies, and they seek to silence their critics by confiscating property and freezing bank accounts. Dissidents, human rights defenders, journalists, and non-profit organizations operating under dictatorship face enormous obstacles just to receive donations and pay their bills. HRF’s Financial Freedom program supports the expansion of Bitcoin as a tool for activists facing financial repression: money that dictators can’t stop.
Quantum threats to Bitcoin’s classical cryptography are still years away. However, if CRQCs emerge before Bitcoin’s cryptographic foundations are upgraded, activists who rely on Bitcoin for secure donations, private savings, and uncensored transactions would find their privacy and safety compromised and dictators might find ways to steal or stop their money.
Making Bitcoin use quantum-proof poses political and social challenges. Bitcoin is not like a standard software system: its decentralization means that any upgrade requires coordination and consensus among a diverse and divided user base. After undergoing scientific peer review and extensive testing, any change to Bitcoin’s cryptographic signature schemes will also require widespread education for users, developers, node operators, and miners. The Bitcoin community must also consider the 1.72 million bitcoin held in early addresses that will be most vulnerable to attacks from CRQCs. Proposed changes to the base protocol have already sparked huge debates in Bitcoin’s history over trade-offs between performance, privacy, and backward compatibility.
The Current State of Quantum Computing
Quantum computers exist today, but they remain years away from achieving the scale, stability, and precision required to threaten Bitcoin’s cryptography. Even with recent breakthroughs in quantum computing, experts remain divided over whether CRQCs with the capabilities to break Bitcoin’s security will ever emerge. While some Bitcoin experts emphasize that incremental quantum breakthroughs on the road to CRQCs will provide time to implement solutions, some quantum computing pioneers have cautioned that sudden advances could accelerate the timeline to make necessary upgrades to Bitcoin.
At this year’s Presidio Bitcoin Quantum Summit, a convening of quantum physicists, Bitcoin Core developers, cryptographers, wallet engineers, miners, and open-source educators provided insight into the evolving views on CRQCs among experts throughout the community.
At the outset of the summit, 25% of attendees were unsure whether CRQCs would ever pose a meaningful threat, according to an event poll. But after two days of intensive discussion, the share of attendees who remained uncertain dropped to just 8%. The share of respondents who believed CRQCs would arrive in the next 5 to 20 years jumped by 20%, from 49% to 69%. These shifting perspectives reflect a growing consensus that while the timing and feasibility of quantum attacks remains uncertain, the threat deserves proactive and serious consideration today.
Source: Presidio Bitcoin
Bitcoin’s Quantum Threat Vectors
Not all bitcoin will be equally vulnerable to quantum attacks from a CRQC. Quantum threats to Bitcoin fall into two main categories: long-range and short-range attacks, which each exploit different weaknesses in the exposure of public keys.
Long-Range Attacks
In a long-range attack, a quantum adversary targets bitcoin whose public keys are stored in older address types or in re-used addresses. This would include any user who has continued to use an address from which they have previously sent bitcoin, or anyone who has received coins at a taproot address (also known as pay-to-taproot, or P2TR), an address type that increases privacy for complex Bitcoin transactions. Approximately 6.51 million bitcoin (worth more than $718 billion, representing almost a third of the total current bitcoin supply) are vulnerable to long-range attacks.
Because long-range quantum attacks exploit already-revealed public keys, the only way to secure vulnerable coins is to proactively move them to quantum-safe addresses.
Active users with funds in older or reused addresses can move their bitcoin to a new, quantum-safe address and protect their funds by never sharing or re-using that public key. While this migration will necessitate extensive technical development and user education, the solution is technically feasible, and will secure the majority (4.49 million) of the estimated bitcoin at risk.
But for the remaining 1.72 million bitcoin ($188 billion), for which owners’ private keys are thought to be no longer accessible, no such migration would occur. These dormant coins, many dating back to Bitcoin’s earliest days, would be left exposed in a post-quantum world. Satoshi’s estimated 1.1 million BTC (worth over $130 billion), for example, reside in pay-to-public-key (P2PK) addresses with exposed public keys.
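The distinction drawn above (public key already visible on-chain versus only a hash of it, and keys still held versus dormant) can be made mechanically from an output's scriptPubKey. The following is an added illustration written for this page, not HRF's or any Bitcoin project's code. The script templates follow the standard Bitcoin output types; the UTXO records, txids and balances are constructed sample data, and the `address_spent_from_before` and `keys_available` flags stand in for information that would in practice come from chain history and the wallet owner.

```python
"""Classify Bitcoin outputs by their exposure to long-range quantum attacks.

Added illustration, not HRF's or any project's code. Output templates follow the
standard Bitcoin scriptPubKey patterns; all sample data below is constructed.
"""
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def classify_script(spk: bytes) -> str:
    """Return the output template name for a raw scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG  (key is in the output itself)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH"
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH"
    # P2TR: OP_1 <32-byte x-only tweaked pubkey>  (key is in the output itself)
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR"
    return "unknown"


# Templates that publish the key directly, versus ones that publish only a hash
# (the key, or the redeem script containing keys, is revealed on first spend).
KEY_IN_OUTPUT = {"P2PK", "P2TR"}
KEY_HASHED = {"P2PKH", "P2WPKH", "P2SH", "P2WSH"}


@dataclass
class Utxo:
    txid: str                       # constructed placeholder, not a real txid
    value_btc: float
    script_pubkey: bytes
    address_spent_from_before: bool  # a prior spend already revealed the key/script
    keys_available: bool             # owner still holds the keys and could migrate


def quantum_exposure(u: Utxo) -> str:
    """Map one output to the categories used in the report."""
    kind = classify_script(u.script_pubkey)
    exposed = kind in KEY_IN_OUTPUT or (kind in KEY_HASHED and u.address_spent_from_before)
    if exposed:
        return "long-range: migrate" if u.keys_available else "long-range: dormant"
    if kind in KEY_HASHED:
        return "short-range only"   # key appears only when the coin is spent
    return "unknown"


def summarize_exposure(utxos) -> dict:
    """Total BTC per exposure category."""
    totals: dict = {}
    for u in utxos:
        cat = quantum_exposure(u)
        totals[cat] = totals.get(cat, 0.0) + u.value_btc
    return totals


# Constructed sample UTXO set (dummy key bytes; not real chain data).
P2PK_SPK = bytes([0x21, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2TR_SPK = bytes([OP_1, 0x20]) + b"\x33" * 32
P2WPKH_SPK = bytes([OP_0, 0x14]) + b"\x44" * 20

SAMPLE_UTXOS = [
    Utxo("a" * 64, 50.0, P2PK_SPK, False, False),   # early P2PK coin, keys lost
    Utxo("b" * 64, 1.5, P2PKH_SPK, True, True),     # reused legacy address
    Utxo("c" * 64, 0.25, P2TR_SPK, False, True),    # taproot output
    Utxo("d" * 64, 2.0, P2WPKH_SPK, False, True),   # fresh, never-spent-from address
]

if __name__ == "__main__":
    for cat, total in summarize_exposure(SAMPLE_UTXOS).items():
        print(f"{cat:22s} {total:.2f} BTC")
```

Note that the script type alone is not enough: a hashed output is safe from long-range attack only while its address has never been spent from, which is why the classifier carries the reuse flag alongside the template.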
This has raised profound political questions: should Bitcoin users take steps to “burn” these coins, which would prevent anyone, including thieves, from using them, or leave the funds untouched and unprotected from quantum attackers? This burn or steal debate cuts to the heart of Bitcoin’s values, raising concerns around decentralization, individual sovereignty, immutability, and property rights.
Short-Range Attacks
Short-range quantum attacks would exploit Bitcoin transactions rather than addresses containing old or dormant coins. Attackers would exploit the brief window between the broadcast and confirmation of a Bitcoin transaction. When a user spends bitcoin, the transaction reveals the public key associated with the address. Under classical cryptographic assumptions, this is safe, but in a quantum world, a CRQC could intercept an unconfirmed transaction, derive the corresponding private key from the exposed public key in real time, and broadcast a conflicting transaction that redirects the funds to an address controlled by the attacker.
All Bitcoin will be vulnerable to short-range attacks during transactions until Bitcoin introduces a post-quantum cryptographic signature scheme. Attackers will likely prioritize long-range attacks due to the quantity of vulnerable bitcoin, the higher likelihood of long-range attack success, and the lower chances of public discovery of long-range attacks.
Infrastructural Risks
Modern Bitcoin infrastructure introduces another underappreciated quantum vulnerability. Most popular self-custodial and multi-signature Bitcoin wallets, wallet companion software, and accounting and portfolio trackers store a user’s public keys to be able to calculate balances and to generate and recover a user’s wallets. Many users rely on third-party apps to view their balances. But if these companies are hacked, attackers could potentially steal users’ funds in a CRQC world. As such, developers have proposed a number of upgrades to protect users against quantum attacks.
Preparing Bitcoin for the Quantum Era
Quantum-Resistant Signature Schemes
Integrating quantum-resistant signature schemes represents the only durable solution to CRQC attacks on Bitcoin.
There are two distinct proven quantum-resistant signature schemes: lattice-based signature schemes (including CRYSTALS-Dilithium 44 and FALCON 512) and hash-based signature schemes (including SPHINCS+, XMSS, and Lamport).
Lattice-based signatures are more compact than hash-based signatures, more easily supporting features useful to human rights defenders like multisig, key aggregation and deterministic key derivation. However, they introduce new cryptographic assumptions that must be carefully vetted.
Hash-based signatures, on the other hand, are the most mature post-quantum option. However, their larger signature sizes introduce technical challenges and make features like key aggregation and standard multisig more complex to implement.
The smallest lattice-based signatures are roughly 10 times larger than current standard signatures, while the most compact hash-based signatures are 38 times larger. Dramatic size increases in quantum-resistant signatures would significantly reduce the number of transactions per block, decreasing Bitcoin’s throughput and increasing the storage and bandwidth demands on full nodes. In addition to imposing a substantial technical burden on node runners, any effort to increase the block size or adjust the witness discount to accommodate larger signatures is likely to divide the Bitcoin community. Introducing larger quantum-resistant signatures will not just be an engineering task; it will require navigating intense debates over decentralization, security, and the limits of protocol change.
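To make the throughput claim concrete, here is an added worked model (written for this page; not HRF's or Chaincode's code) of how signature size translates into transactions per block. It serializes a 1-input, 1-output taproot key-path spend using Bitcoin's standard byte layout and the 4,000,000 weight-unit block limit, and it compares the current SegWit witness discount against a hypothetical removal of that discount. The non-Schnorr signature sizes are constructed from the ratios quoted above (10x and 38x a 64-byte Schnorr signature), not measured figures for any specific scheme.

```python
"""Estimate transactions per block as signature size grows.

Added illustration, not HRF's or Chaincode's code. Byte layout follows Bitcoin's
serialization rules; the post-quantum signature sizes are constructed from the
report's ratios rather than measured from any particular scheme.
"""
MAX_BLOCK_WEIGHT = 4_000_000   # consensus block limit in weight units (WU)
SCHNORR_SIG_BYTES = 64         # size of today's taproot key-path signature


def varint_len(n: int) -> int:
    """Size in bytes of Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def tx_weight(sig_bytes: int, witness_discount: bool = True) -> int:
    """Weight of a 1-in-1-out key-path spend carrying one signature of sig_bytes.

    Non-witness bytes: version(4) + input count(1) + input(32+4+1+4)
      + output count(1) + P2TR output(8+1+34) + locktime(4) = 94, counted 4x.
    Witness bytes: marker+flag(2) + stack item count(1) + item length varint + sig,
      counted 1x under SegWit's discount, or 4x if the discount were removed.
    """
    base = 4 + 1 + (32 + 4 + 1 + 4) + 1 + (8 + 1 + 34) + 4
    witness = 2 + 1 + varint_len(sig_bytes) + sig_bytes
    return base * 4 + witness * (1 if witness_discount else 4)


def txs_per_block(sig_bytes: int, witness_discount: bool = True) -> int:
    """How many such transactions fit in one block."""
    return MAX_BLOCK_WEIGHT // tx_weight(sig_bytes, witness_discount)


# Constructed from the report's ratios; not measured sizes of named schemes.
SIGNATURE_SIZES = {
    "Schnorr (today)": SCHNORR_SIG_BYTES,
    "smallest lattice-based (~10x)": 10 * SCHNORR_SIG_BYTES,
    "most compact hash-based (~38x)": 38 * SCHNORR_SIG_BYTES,
}


def throughput_table() -> dict:
    """Map scheme label -> (tx/block with witness discount, tx/block without)."""
    return {name: (txs_per_block(sz), txs_per_block(sz, False))
            for name, sz in SIGNATURE_SIZES.items()}


if __name__ == "__main__":
    for name, (with_disc, without) in throughput_table().items():
        print(f"{name:32s} {with_disc:5d} tx/block with discount, {without:5d} without")
```

Under these assumptions a block holds about 9,009 such transactions today, roughly 3,900 with a 10x signature and about 1,400 with a 38x one, and every figure drops further if the witness discount is removed. That is the trade-off behind the block-size and witness-discount debate the paragraph describes.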
Bitcoin Improvement Proposal (BIP) 360, a current quantum-resistant proposal, is signature scheme-agnostic. It makes taproot addresses more quantum-resistant and provides a flexible framework to accommodate a variety of post-quantum algorithms. Other quantum-resistant BIPs are sure to come.
Source: Bitcoin and Quantum Computing: Current Status and Future Directions by Chaincode
Upgrades to Bitcoin Education and Design
Upgrading Bitcoin to withstand quantum threats is as much a human challenge as a cryptographic one. Any successful soft fork integrating quantum-resistant signature schemes will necessitate user education, thoughtful user interface design, and coordination across a global ecosystem that includes users, developers, hardware manufacturers, node operators, and civil society. For Bitcoin to remain a reliable tool for human rights and financial freedom in the quantum era, its upgrades must be inclusive, accessible, and resilient.
Wallets and user interfaces are tightly bound to the current elliptic curve cryptographic model and may not be compatible with post-quantum schemes. Quantum-resistant algorithms would likely introduce much larger signature sizes, slower signing speeds, and more complex verification paths. These are not minor tweaks; they fundamentally change how Bitcoin wallets must operate, significantly increasing the technical burden for existing wallets and nodes. Hardware wallets must adapt to slower computations and bulkier keys while preserving the seamless and secure experience users expect. This necessitates an entirely new approach to hierarchical key derivation, backups, and recovery. Accounting platforms, custody providers, and financial institutions will need to retool their systems. Multisig coordination, watch-only setups, and automated transaction workflows will also need to be reevaluated in light of new signature semantics. Developers will also face the difficult task of balancing system complexity and security with usability.
The need for education about quantum threats to Bitcoin is even more pressing. Many Bitcoin users remain unaware that their coins may eventually be vulnerable to long-range quantum attacks due to public key exposure. This includes coins protected by legacy Pay to Public Key (P2PK) scripts and coins at reused addresses. Encouraging users to migrate to quantum-safe outputs, especially when the threat remains abstract, will be difficult. Because Bitcoin has no central authority to enforce upgrades, every soft fork depends on voluntary adoption, consensus, and grassroots coordination. Introducing signature schemes that increase transaction sizes by 10 times or more will trigger debates about block space, throughput, and scalability. Proposals to increase block size or adjust the witness discount to accommodate quantum-resistant signatures will likely be met with resistance on both technical and ideological grounds.
Previous improvements to the Bitcoin network have taken years to reach widespread adoption, even for upgrades like SegWit that decreased transaction fees. Convincing a diverse, global user base to take coordinated action to prepare for a still-hypothetical quantum future will be even harder.
To succeed, a quantum-resilient soft fork must be socially durable as well as technically correct. Upgrades must provide clear benefits, usable defaults, and migration tools that reduce the cognitive and operational burden on everyday users. Changes must be designed with the understanding that consensus is slow, fragile, and precious. Above all, a soft fork must remain faithful to Bitcoin’s underlying principles: privacy, decentralization, and freedom from coercion. Anything less risks the financial freedom of the dissidents and human rights defenders who need Bitcoin the most.
Burn, Steal, Hourglass
To protect the “quantum-vulnerable” 1.72 million dormant bitcoin from long-range attack, some in the Bitcoin community advocate for a “burn” – a proactive intervention to preserve Bitcoin’s legitimacy. These proposals would render quantum-vulnerable bitcoin unspendable after a migration window. Advocates for this approach argue that such action would protect Bitcoin’s monetary integrity, prevent destabilizing wealth redistribution, and reinforce the principle that possession through cryptographic theft is not valid ownership. Some express concerns that the theft of millions of bitcoin could undermine the value of the currency, affecting all holders of the currency, not only those whose bitcoin is stolen.
On the other side, critics of the “burn” position warn that freezing funds would undermine one of Bitcoin’s foundational guarantees: that no one can arbitrarily prevent others from spending their funds. For opponents of the “burn” proposal, censorship resistance is paramount. Hunter Beast, author of the quantum-resistant proposal BIP 360, argued that “a lot of these coins, these lost coins, are unclaimed property.” Lightning developer Olaoluwa Osuntokun said such a proposal “breaks a fundamental tenet of Bitcoin. We must resist groups trying to coordinate to effectively redistribute wealth.”
A middle ground has emerged between these polarized positions. Rather than immediately burning vulnerable bitcoin or allowing them to be swept by the first actor to develop a CRQC, a “Hourglass” proposal suggests introducing a protocol rule that limits how fast bitcoin can be spent. This mechanism could slow the bleeding, offer miners incentives in the form of high fees from competing CRQCs bidding to steal the same coins, and buy the network time in the event of a real long-range attack. Yet even this compromise is controversial: its critics argue that the hourglass approach normalizes theft and redistribution of stolen coins to miners via fees, runs counter to Bitcoin’s stateless model, and opens the door to future governance intrusions.
At the Presidio Bitcoin Quantum Summit, attendees’ views on what to do with quantum-vulnerable coins remained split even after days of rigorous expert discussions. As shown in the post-summit poll results, support for the “burn” approach declined from 45% to 38%, while the percentage of participants preferring to “do nothing” rose from 22% to 29%. Support for the “hourglass” mechanism remained static at 33%. Speakers’ closing remarks also acknowledged the difficult choices ahead. As Lightning Network pioneer Tadge Dryja put it, “Who wants to be the person to push the button to merge the code to steal Satoshi’s coins?”
Source: Presidio Bitcoin
Maintaining Financial Freedom in a Quantum World
If Bitcoin is to remain a tool for freedom, it must remain secure in the face of emerging challenges. Addressing any quantum threat to Bitcoin will require years of sustained research, development, coordination, and public education. HRF, through its Bitcoin Development Fund and Financial Freedom program, is uniquely positioned to support efforts to ensure that Bitcoin remains a tool for dissidents, human rights defenders, and individuals facing financial repression.
HRF will explore funding research into quantum-resistant cryptographic signature schemes suitable for Bitcoin. This includes research evaluating trade-offs between scalability, UX, and network impact, experimental implementations of lattice- and hash-based schemes, development of migration tooling and testnets, and new BIPs.
There are no easy answers to the “burn or steal” debate, Hourglass-style proposals, or quantum-proof signature schemes. What HRF can do is explore funding research into making Bitcoin quantum-safe for human rights activists and others. Moving forward, we will be accepting proposals in this area at the Bitcoin Development Fund and seeking to cover the topic in our newsletters, events, and future research pieces.