The real quantum threat facing Bitcoin is not "decryption," but signature forgery: why we can measure this risk right now
Many people talk about the threat of quantum computers to Bitcoin, repeatedly saying the same thing — “Quantum computers will break Bitcoin’s encryption.” But this statement is fundamentally incorrect. In reality, Bitcoin doesn’t rely on encrypted data that could be “broken.”
Why Bitcoin’s encryption isn’t the real issue
Ownership protection in Bitcoin isn’t achieved through encrypted text. Instead, it relies on digital signatures (ECDSA and Schnorr) and hash commitments to ensure security. The blockchain is a completely public ledger — every transaction, every amount, every address can be viewed by anyone. Nothing is hidden.
In other words, a quantum computer cannot break Bitcoin because there are no secrets on the blockchain that are encrypted. Adam Back, an early developer of Bitcoin and the inventor of Hashcash, straightforwardly pointed out on X: “Bitcoin does not use encryption. Learn the basics, or you’ll expose your ignorance.”
What is the real risk? If a cryptographically relevant quantum computer can run Shor’s algorithm, it could derive private keys from public keys that are visible on the blockchain, and then create valid conflicting transactions that spend the same outputs. This isn’t “breaking encryption”; it is stealing the right to authorize spending.
Public key exposure: the true bottleneck of Bitcoin security
Bitcoin’s signature system requires users to prove control over a key pair by creating a signature — this is what makes a transaction valid. Therefore, when and how public keys are exposed becomes the core of the quantum threat.
Many address formats use the hash of the public key, meaning the public key itself is only revealed when a transaction occurs. This narrow window limits an attacker’s opportunity to compute the private key and publish conflicting transactions.
But not all output formats are like this. Some script types expose the public key earlier, and address reuse turns a one-time exposure into a continuous target.
Project Eleven’s open-source tool “Bitcoin Risq List” maps these scenarios, showing which bitcoins may already be exposed to attackers with Shor’s algorithm. According to their tracking, approximately 67 million BTC in addresses meet their risk criteria.
How Taproot changes exposure expectations
Taproot (P2TR addresses) changes the default exposure model. According to BIP 341, a Taproot output script carries the 32-byte (x-only) tweaked public key directly, rather than a hash of the public key.
This doesn’t introduce a new vulnerability today. But it does change what would be exposed if key recovery ever becomes possible. That matters because exposure is measurable — we can track the pool of potentially vulnerable bitcoin without guessing the timeline of the quantum threat.
Project Eleven automatically scans weekly and publishes its “Bitcoin Risq List,” covering all addresses vulnerable to quantum attacks and their balances.
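To make the exposure distinction concrete, here is an added example (not code from the article or from Project Eleven’s tool) that classifies standard output scripts by when they reveal key material, and totals the unspent value whose key is already readable on-chain, either because the script type publishes the key at the output (P2PK, P2TR) or because the address was reused after an earlier spend. The script templates are the standard ones; the UTXO set and values are constructed.

```python
from collections import Counter

def classify(spk: bytes) -> tuple[str, str]:
    """Map a scriptPubKey to (type, exposure).
    'at_output': the public key is readable from the unspent output itself.
    'on_spend':  only a hash is on-chain until the output is spent."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG (0xac): key is in the output
    if n in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:
        return "P2PK", "at_output"
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", "on_spend"
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL (script, and its keys, shown at spend)
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", "on_spend"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", "on_spend"
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", "on_spend"
    # P2TR (BIP 341): OP_1 <32-byte x-only tweaked key>: key is in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", "at_output"
    return "unknown", "unknown"

def exposed_utxos(utxos, spent_scripts):
    """utxos: iterable of (scriptPubKey, value in sats).
    spent_scripts: scriptPubKeys that already appeared on a spent output,
    so the spending key material is now on-chain (address reuse).
    Returns sats exposed, keyed by reason."""
    totals = Counter()
    for spk, value in utxos:
        _, exposure = classify(spk)
        if exposure == "at_output":
            totals["at_output"] += value
        elif exposure == "on_spend" and spk in spent_scripts:
            totals["reuse"] += value
    return dict(totals)

# Constructed sample data (not real chain data).
PUBKEY33 = b"\x02" + b"\x11" * 32
REUSED_P2PKH = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
SAMPLE_UTXOS = [
    (bytes([33]) + PUBKEY33 + b"\xac", 5_000_000_000),  # P2PK, key in output
    (REUSED_P2PKH, 100_000_000),                        # P2PKH, spent before
    (b"\x00\x14" + b"\x33" * 20, 200_000_000),          # P2WPKH, fresh address
    (b"\x51\x20" + b"\x44" * 32, 300_000_000),          # P2TR, tweaked key in output
]
SPENT_SCRIPTS = {REUSED_P2PKH}
```

Running `exposed_utxos(SAMPLE_UTXOS, SPENT_SCRIPTS)` on the constructed set attributes the P2PK and P2TR value to "at_output" and the reused P2PKH value to "reuse", while the fresh P2WPKH output counts as unexposed.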
How much computational power is needed for the quantum threat?
From a computational perspective, the key difference lies in the gap between logical qubits and physical qubits.
Roetteler and colleagues determined in their research that calculating the discrete logarithm on a 256-bit elliptic curve requires no more than approximately 2,330 logical qubits (using the formula 9n + 2⌈log₂(n)⌉ + 10, where n=256).
However, once this is turned into a fault-tolerant machine able to run such a deep circuit, the overhead in physical qubits becomes the main bottleneck. According to 2023 estimates by Litinski, computing a 256-bit elliptic curve private key requires about 50 million Toffoli gates. Using a modular approach, this could be completed in about 10 minutes with roughly 6.9 million physical qubits.
Schneier on Security’s analysis estimates that 13 million physical qubits are needed to crack within a day, and about 317 million physical qubits for cracking within an hour (depending on assumptions about time and error rates).
Why timing is so important
Execution time determines the feasibility of an attack. If a quantum computer takes 10 minutes to recover a private key from a public key, and the average Bitcoin block time is 10 minutes, an attacker might compete for control over the exposed output. They don’t need to rewrite the consensus history.
There’s also the issue of hashing, often mentioned in this context. But the quantum lever here is Grover’s algorithm, which gives only a quadratic speedup for brute-force search, not Shor’s attack on discrete logarithms. NIST’s studies of Grover-based attacks show that, once overhead and error correction are included, the system-level cost still reaches around 2^128 operations, so the threat to hashing is negligible compared with the threat to ECC discrete logarithms.
Why adaptation means migration challenges, not imminent danger
Beyond Bitcoin, NIST has standardized post-quantum cryptography, such as ML-KEM (FIPS 203), as part of a broader migration plan. Within Bitcoin, BIP 360 proposes a new output type called “Pay to Quantum Resistant Hash.” Meanwhile, qbip.org advocates phasing out old signatures to facilitate migration and eliminate long-term public key exposure.
Recent enterprise roadmaps provide context, explaining why this is seen as an infrastructure challenge rather than an emergency. Reuters reports that IBM discussed progress in error correction components and confirmed that fault-tolerant systems are roughly on track for 2029.
In this light, the idea that “quantum computers will break Bitcoin encryption” is both a terminological misunderstanding and a mechanistic misjudgment.
The truly measurable indicators are: how much of the UTXO set has exposed public keys, how wallets respond to this exposure, and how quickly the network can deploy quantum-resistant spending methods while maintaining verification and fee market constraints.
When it comes to the future of quantum computers and Bitcoin, the conversation should focus on adaptation, not crisis.