The real quantum threat facing Bitcoin: not cracking encryption, but forging signatures

The claim that “quantum computers will crack Bitcoin encryption” is widely circulated in the industry, but this statement itself is problematic. Bitcoin does not rely on traditional encryption mechanisms to protect assets. The real quantum risk is not in decrypting ciphertext, but in using Shor’s algorithm to derive private keys from public keys, thereby forging digital signatures.

Clarifying Conceptual Misunderstandings: Bitcoin Uses Digital Signatures, Not Encryption

There are no encrypted secrets stored on the blockchain. Ownership of Bitcoin is guaranteed through digital signatures and hash commitments, not ciphertext. This is a key distinction that has been overlooked in the industry for a long time.

Adam Back, a senior Bitcoin developer and inventor of Hashcash, bluntly pointed out on social media: “People spreading quantum panic need to pay attention: Bitcoin does not use encryption. Learn the basics, or you’ll expose your ignorance.” He further added: “Encryption is about hiding information, only accessible to those holding the key. Bitcoin does not do this. The blockchain is a public ledger; everyone can see every transaction, amount, and address. Nothing is encrypted.”

The genuine quantum threat is whether an attacker can use Shor’s algorithm to recover a private key from a public key, and then create valid conflicting transactions. This is entirely different from “cracking encryption.”

Public Key Exposure Is the Real Attack Surface for Bitcoin

Bitcoin uses ECDSA and Schnorr signatures to prove control over a key pair. In this model, funds are moved by producing a signature that the network accepts as valid, so exposure of the public key becomes the critical risk point.

Many address formats commit only to a hash of the public key, so the public key itself is not revealed until the output is spent. This narrows the window in which an attacker could run Shor’s algorithm to compute the private key. However, some script types place the public key directly in the output, and address reuse can turn a one-time exposure at spend time into a persistent target.

Project Eleven’s open-source “Bitcoin Risk List” tracks these exposures. The project regularly scans the chain and identifies approximately 6.7 million BTC at addresses where the public key has already been exposed: assets that would be at risk from an attacker capable of running Shor’s algorithm.
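The exposure classes described above can be made concrete with a small scanner. The following is an added example written for this page; it is not the article’s code and not Project Eleven’s tooling, and every txid, key and hash in it is a constructed placeholder. It matches output scripts against the standard single-key templates, treats P2PK and P2TR outputs as exposed (the key is in the script), treats hash-based outputs as hidden until spent unless the same hash already appears in a modelled set of keys revealed by earlier spends (address reuse), and totals value per class.

```python
# Added example (not the article's or Project Eleven's code): a toy classifier
# that sorts UTXOs by whether their public key is already visible on-chain.
# All txids, keys and hashes below are constructed placeholders.
from __future__ import annotations
from dataclasses import dataclass

# Opcode bytes from the Bitcoin script specification
OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x87, 0x88, 0xAC


@dataclass(frozen=True)
class Utxo:
    txid: str            # constructed identifier, not a real transaction
    value_sat: int
    script_pubkey: bytes


def script_type(spk: bytes) -> str:
    """Match an output script against the standard single-key templates."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; the key itself sits in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG \
            and spk[1] in (0x02, 0x03, 0x04):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    # P2WPKH / P2WSH: version-0 witness program of 20 or 32 bytes
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"
    # P2TR: version-1 witness program carrying the 32-byte tweaked x-only key
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"
    return "unknown"


def committed_hash160(spk: bytes, kind: str) -> bytes | None:
    """For hash-based single-key outputs, the 20-byte hash the script commits to."""
    if kind == "p2pkh":
        return spk[3:23]
    if kind == "p2wpkh":
        return spk[2:22]
    return None


def exposure(utxo: Utxo, revealed_hash160: set[bytes]) -> tuple[str, str]:
    """Return (status, reason); status is 'exposed', 'hidden' or 'unknown'.

    revealed_hash160 models keys already published by earlier spends from the
    same address, which is what turns address reuse into a standing exposure.
    """
    kind = script_type(utxo.script_pubkey)
    if kind in ("p2pk", "p2tr"):
        return "exposed", f"{kind}: public key is in the output script"
    h = committed_hash160(utxo.script_pubkey, kind)
    if h is not None and h in revealed_hash160:
        return "exposed", f"{kind}: address reused after an earlier spend revealed the key"
    if kind == "unknown":
        return "unknown", "non-standard script"
    return "hidden", f"{kind}: key (or script) only revealed when spent"


def summarize(utxos: list[Utxo], revealed_hash160: set[bytes]) -> dict[str, int]:
    """Total value in satoshis per exposure status."""
    totals: dict[str, int] = {"exposed": 0, "hidden": 0, "unknown": 0}
    for u in utxos:
        status, _ = exposure(u, revealed_hash160)
        totals[status] += u.value_sat
    return totals


# Constructed sample UTXO set (keys/hashes are placeholders, not real curve points)
KEY33 = bytes([0x02]) + bytes(32)          # a 33-byte compressed-key-shaped blob
HASH_A, HASH_B, HASH_C = bytes([0xAA]) * 20, bytes([0xBB]) * 20, bytes([0xCC]) * 20
XONLY = bytes([0xEE]) * 32
SAMPLE_UTXOS = [
    Utxo("tx-p2pk", 5_000_000_000, bytes([0x21]) + KEY33 + bytes([OP_CHECKSIG])),
    Utxo("tx-p2pkh-fresh", 100_000_000,
         bytes([OP_DUP, OP_HASH160, 0x14]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    Utxo("tx-p2pkh-reused", 200_000_000,
         bytes([OP_DUP, OP_HASH160, 0x14]) + HASH_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    Utxo("tx-p2wpkh", 300_000_000, bytes([OP_0, 0x14]) + HASH_C),
    Utxo("tx-p2tr", 400_000_000, bytes([OP_1, 0x20]) + XONLY),
    Utxo("tx-opreturn", 1_000, bytes([0x6A, 0x04]) + b"data"),
]
# HASH_B's key was already revealed by a previous spend from that address
REVEALED = {HASH_B}

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.txid, *exposure(u, REVEALED))
    print(summarize(SAMPLE_UTXOS, REVEALED))
```

Two design points are worth noting. Taproot outputs are classed as exposed because the output script carries the tweaked x-only key, and the discrete logarithm of that key is enough for a key-path spend, which is why the article expects the figures to shift as Taproot adoption grows. P2SH and P2WSH are classed as hidden only in the sense that the redeem script (and any keys in it) is not on-chain until spent; a real scanner would also have to walk spent inputs to build the reused-key set that this example takes as a given.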

Physical Qubits: From Theoretical Threats to Practical Destruction

On a technical level, there is a huge gap between theory and reality. Solving the 256-bit elliptic curve discrete logarithm that underlies Bitcoin signatures requires roughly 2,330 logical qubits (an upper estimate). But this is only half the story.

The physical qubit count, which is what matters in practice, is far larger. According to Litinski’s 2023 estimates, recovering a 256-bit elliptic curve private key would require about 6.9 million physical qubits with a running time of around 10 minutes. To finish such a computation within a day, the estimate is about 13 million physical qubits. An even more aggressive target, finishing within an hour, would require approximately 317 million physical qubits.

The enormous number of physical qubits reflects current technological reality: translating abstract algorithm requirements into practical hardware involves orders-of-magnitude resource growth. The overhead introduced by quantum error correction and fault-tolerance mechanisms is the real bottleneck.

Timing Factors Determine the Severity of the Threat

The practicality of a quantum attack depends on execution time. If private key recovery can be completed within roughly one block interval (about 10 minutes), an attacker could race a transaction whose public key has just been revealed and spend the same output first, rather than having to rewrite historical consensus. This fundamentally changes the risk assessment.

Discussions about breaking hash functions are often confused with this. The relevant quantum tool against hashes is Grover’s algorithm, which gives only a quadratic speedup for brute-force search, not the exponential speedup that Shor’s algorithm gives against discrete logarithms. NIST’s analyses of the real cost of Grover-style attacks show that error correction overhead and system-level constraints keep the cost of attacking SHA-256 at around 2^128 operations, far less feasible than solving the ECC discrete logarithm.

Countermeasures: Protocol Upgrades and Long-term Migration Planning

Outside of Bitcoin, NIST has standardized post-quantum primitives such as ML-KEM (FIPS 203) as part of broader migration plans. Within the Bitcoin ecosystem, proposals like BIP 360 (which suggests “Pay to Quantum-Resistant Hash” output types) have been introduced, and qbip.org advocates gradually deprecating old signatures to stimulate migration.

Recent enterprise roadmaps indicate why this is viewed as an infrastructure challenge rather than an immediate emergency. IBM’s recent reports discuss advances in quantum error correction components and confirm that fault-tolerant systems could be feasible around 2029. Other reports mention that IBM’s key quantum error correction algorithms can run on standard AMD chips, indicating progress in hardware ecosystems.

Measurable Metrics Rather Than Time Predictions

It is crucial to recognise that “quantum computers will crack Bitcoin” is both a conceptual error and a mechanistic misunderstanding. The indicators that actually matter are measurable: what proportion of the UTXO set sits behind exposed public keys; how wallet behaviour (such as address reuse) responds to those exposures; and how quickly quantum-resistant spending paths can be deployed on the network while preserving verification constraints and fee market balance.

Project Eleven’s tracking shows that approximately 6.7 million BTC are in “quantum vulnerable” addresses. With Taproot adoption, these figures will evolve with new transaction types. The key point is that these numbers can be measured now, without predicting the timeline of quantum technology. Bitcoin’s challenge is in migration management, not an immediate catastrophe.
