About a quarter of all bitcoin is at risk of quantum attacks tied to public keys already revealed on the blockchain. If that much of the supply is vulnerable, it raises a deeper concern: is trust in Bitcoin's overall security model at risk?
Imagine waking up and checking your phone. Your Bitcoin balance is zero. Not only your cold storage balance, but your backups as well. It’s gone. Overnight, millions of UTXOs were drained in quiet, targeted attacks.
It sounds extreme, but this kind of event is more than just theft. It is a direct attack on Bitcoin’s value, and a public signal that its core cryptography is no longer secure. State-level actors might attempt something like this not only to steal coins, but to destroy trust and deliberately cause confusion.
Not all attackers would be that loud. More self-interested ones may take the opposite approach: with access to a quantum computer, they could quietly target old UTXOs and drain coins from forgotten and inactive wallets. Their goal would be to take as much as possible before the rest of the world catches on.
But whether the attack is loud or quiet, fast or slow, the end result is more or less the same. The assumption that protects Bitcoin no longer holds in a post-quantum world. The mathematics that has secured Bitcoin from the start could be broken by machines none of us has seen yet, but which are possible in theory.
What quantum computers actually break
Quantum computers aren’t just faster versions of the computers we have today. They are a fundamentally different type of machine. For most tasks they are no faster than a regular computer. But for a few very specific problems, they are powerful enough to break a lot.
Today’s digital signatures for Bitcoin, including Schnorr and ECDSA, are based on the discrete logarithm problem. Think of it as a mathematical one-way street. It’s easy to go in one direction, but very difficult to go back. You can take a private key and generate a public key or signature, but it is practically impossible to derive the private key from the public key. This is why you can safely share your public key on the blockchain: it is not feasible for anyone to reverse it and derive the corresponding private key.
But with a sufficiently large quantum computer, that assumption breaks. Using Shor’s algorithm, a quantum attacker can solve the discrete logarithm problem, and the “one-way” property no longer holds. Given a public key on the blockchain, the attacker can derive the corresponding private key.
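The practical question behind the "quarter of all bitcoin" figure is which outputs already expose a public key on-chain, so that a discrete-log break would yield the private key without waiting for a spend. The following is an added example, not code from the article or from Blockstream. It classifies standard scriptPubKey templates by exposure and flags hash-based outputs whose key has already been revealed through address reuse (the HASH160 set passed in is assumed to come from an earlier scan of spent inputs). All sample keys and hashes are constructed placeholders.

```python
# Added example, not from the article: classify a Bitcoin scriptPubKey by
# whether the elliptic-curve public key is already visible on-chain.  Standard
# script templates only; sample bytes below are constructed, not real outputs.
from __future__ import annotations
from enum import Enum

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


class Exposure(Enum):
    PUBKEY_ON_CHAIN = "public key is in the output itself"
    HASH_ONLY = "only a hash is visible until a spend reveals the key"
    UNKNOWN = "unrecognised script template"


def classify_script_pubkey(spk: bytes) -> tuple[str, Exposure]:
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG  -> the key is literally in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", Exposure.PUBKEY_ON_CHAIN
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", Exposure.HASH_ONLY
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "P2SH", Exposure.HASH_ONLY
    # P2WPKH: OP_0 <20 bytes>;  P2WSH: OP_0 <32 bytes>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", Exposure.HASH_ONLY
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", Exposure.HASH_ONLY
    # P2TR: OP_1 <32-byte x-only output key>  -> the (tweaked) key is on-chain,
    # so a discrete-log break recovers the key-path secret directly
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", Exposure.PUBKEY_ON_CHAIN
    return "unknown", Exposure.UNKNOWN


def utxo_at_risk(spk: bytes, revealed_hashes: set[bytes]) -> bool:
    """True if a discrete-log-breaking attacker could derive this UTXO's key now.

    revealed_hashes: HASH160 values whose public key already appeared in an
    earlier spend (address reuse).  For those, the hash no longer hides anything.
    """
    kind, exposure = classify_script_pubkey(spk)
    if exposure is Exposure.PUBKEY_ON_CHAIN:
        return True
    if kind == "P2PKH":
        return spk[3:23] in revealed_hashes
    if kind == "P2WPKH":
        return spk[2:22] in revealed_hashes
    return False


# Constructed sample inputs (not real keys or hashes).
SAMPLE_PUBKEY = b"\x02" + b"\x11" * 32
SAMPLE_HASH = b"\x22" * 20
SAMPLES = {
    "p2pk":   bytes([33]) + SAMPLE_PUBKEY + bytes([OP_CHECKSIG]),
    "p2pkh":  bytes([OP_DUP, OP_HASH160, 20]) + SAMPLE_HASH + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 20]) + SAMPLE_HASH,
    "p2tr":   bytes([OP_1, 32]) + b"\x33" * 32,
}


def risk_report(revealed_hashes: set[bytes]) -> dict[str, bool]:
    """Map each sample output to whether its key is derivable today."""
    return {name: utxo_at_risk(spk, revealed_hashes) for name, spk in SAMPLES.items()}


if __name__ == "__main__":
    for name, at_risk in risk_report({SAMPLE_HASH}).items():
        print(f"{name:7s} at risk now: {at_risk}")
```

Note that P2TR is classified as exposed even though it is the newest output type: the tweaked output key sits directly in the scriptPubKey, which is exactly why the article's later proposal needs a script-path fallback rather than relying on the key path.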
Hard choices, big trade-offs
There’s no perfect solution here. Plans to protect Bitcoin against these quantum attacks include some major trade-offs. Some are technical. Some are social. They are all difficult.
One possibility is to introduce a new output type that uses only post-quantum signatures. Instead of relying on discrete logarithms that a quantum computer can break, it locks the coins from the start with a quantum-safe signature scheme. Anyone who sends funds to such an address knows they are choosing stronger, future-proof security.
The big trade-off here is size. Most post-quantum signatures are huge, often measured in kilobytes instead of bytes. A post-quantum signature could be 40-600 times larger than a current Bitcoin signature. If an ECDSA/Schnorr signature fits in a text message, a post-quantum signature can be as large as a small digital photo. They are costly to broadcast and expensive to store on the blockchain. HD wallets, multisig setups, and even basic key management become more complicated or stop working altogether. Threshold signing with post-quantum signatures remains an open research question.
A related proposal to go fully post-quantum comes from Jameson Lopp, who proposed a fixed four-year transition window. After post-quantum signatures are introduced, the Bitcoin ecosystem would have several years to rotate to quantum-safe outputs. Coins that have not been moved by then would be treated as lost. It’s a proactive approach that sets a clear deadline and gives the network time to adapt before a crisis occurs.
Until the threat becomes more concrete, most of us would rather keep relying on cryptography we already trust. But what if we all agreed that Bitcoin needs a plan?
No one wants to gamble Bitcoin on an unproven assumption. Rather than pushing something entirely new, Bitcoin may already have a built-in starting point: Taproot!
Taproot’s hidden post-quantum safety
Introduced in 2021, Taproot is primarily known for improving privacy and efficiency. What many users don’t realize is that it could be the basis for a smoother transition into the post-quantum world.
Every Taproot output can commit to a set of hidden alternative spending conditions. These alternative script paths are not revealed unless they are used. Today, most Taproot coins are spent using Schnorr signatures, but those hidden paths can encode almost anything, including post-quantum (PQ) signature checks.
The idea that Taproot’s internal structure can withstand quantum attacks goes back to Matt Corallo, who first proposed it. More recently, Tim Ruffing from Blockstream Research published a paper showing that this approach is indeed safe: even if Schnorr and ECDSA are broken, the fallback path within Taproot can remain trusted.
This opens the door to a simple but powerful upgrade path.
Step 1: Add post-quantum opcodes
The first step is to introduce support for post-quantum signatures in Bitcoin Script. This can be done by adding new opcodes that allow Taproot scripts to verify PQ signatures using algorithms that are currently being standardized and evaluated.
This would let users start creating Taproot outputs with two spending paths:
- The key path uses fast and efficient Schnorr signatures for everyday use.
- The script path includes a post-quantum fallback that is revealed only when needed.
In the short term, nothing changes. Coins behave the same way. But if a quantum threat materializes, the fallback is already in place.
Step 2: Flip the kill switch
Later, once large quantum computers exist and the risk becomes real, Bitcoin could invalidate Schnorr and ECDSA spending.
This kill switch protects the network by preventing coins in vulnerable outputs from being stolen. As long as users have moved their coins to upgraded Taproot outputs that include a post-quantum fallback, those coins remain safe and spendable.
The transition will inevitably cause friction, but hopefully less than a last-minute scramble would. And thanks to Taproot’s hidden script path, most of this work can happen quietly beforehand.
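To make the hidden-script-path mechanism and the two-step upgrade concrete, here is an added example (not code from the article, from Tim Ruffing's paper, or from Blockstream) written in pure Python. It constructs a Taproot output key following BIP341 (tagged hashes, TapLeaf/TapBranch Merkle commitment, TapTweak), with one ordinary Schnorr leaf and one placeholder "PQ fallback" leaf, then verifies a script-path reveal the way a node does by recomputing the root from the revealed leaf and its Merkle path. The private key and the PQ leaf script are constructed placeholders (Bitcoin has no PQ opcode today), and `spend_allowed` is a toy model of the step-2 kill switch, not a consensus rule.

```python
# Added example, not from the article: BIP341-style Taproot output with a hidden
# post-quantum fallback leaf, plus a toy model of the "kill switch" step.
import hashlib

P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def point_add(a, b):
    """Affine secp256k1 addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD


def point_mul(k: int, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x: int):
    """BIP340: the curve point with this x coordinate and even y."""
    rhs = (x**3 + 7) % P_FIELD
    y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)
    if y * y % P_FIELD != rhs:
        raise ValueError("x is not on the curve")
    return x, (y if y % 2 == 0 else P_FIELD - y)


def leaf_hash(script: bytes, version: int = 0xC0) -> bytes:
    """BIP341 TapLeaf hash (scripts under 253 bytes, so a one-byte length prefix)."""
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)


def branch_hash(a: bytes, b: bytes) -> bytes:
    """BIP341 TapBranch hash over the lexicographically sorted pair."""
    return tagged_hash("TapBranch", min(a, b) + max(a, b))


def output_key(internal_x: bytes, merkle_root: bytes):
    """Q = P + H_TapTweak(P || root) * G; returns (x-only Q, parity of Q.y)."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x + merkle_root), "big")
    if t >= N_ORDER:
        raise ValueError("invalid tweak")
    qx, qy = point_add(lift_x(int.from_bytes(internal_x, "big")), point_mul(t, G))
    return qx.to_bytes(32, "big"), qy & 1


def verify_script_path(internal_x: bytes, script: bytes, merkle_path: list,
                       out_x: bytes, out_parity: int) -> bool:
    """Node-side check: recompute the root from the revealed leaf and path,
    re-derive Q, and compare with the output key committed on-chain."""
    node = leaf_hash(script)
    for sibling in merkle_path:
        node = branch_hash(node, sibling)
    return output_key(internal_x, node) == (out_x, out_parity)


def spend_allowed(path: str, script: bytes, schnorr_disabled: bool) -> bool:
    """Toy model of the step-2 kill switch: once flipped, the key path and any
    leaf ending in OP_CHECKSIG (a Schnorr check) are refused, so only the PQ
    fallback leaf keeps the coins spendable."""
    if path == "key":
        return not schnorr_disabled
    return not (schnorr_disabled and script.endswith(b"\xac"))


def build_example():
    d = 0x1234_5678_9ABC_DEF0            # constructed private key, not a real one
    px, _ = point_mul(d, G)
    internal_x = px.to_bytes(32, "big")   # x-only internal key P
    leaf_a = internal_x + b"\xac"         # Schnorr check: <x-only key> OP_CHECKSIG
    leaf_b = b"<hypothetical PQ signature check>"  # placeholder, not a real opcode
    root = branch_hash(leaf_hash(leaf_a), leaf_hash(leaf_b))
    out_x, parity = output_key(internal_x, root)
    return {"internal_x": internal_x, "leaf_a": leaf_a, "leaf_b": leaf_b,
            "root": root, "out_x": out_x, "parity": parity}


if __name__ == "__main__":
    ex = build_example()
    print("scriptPubKey: 5120" + ex["out_x"].hex())   # OP_1 <32-byte Q>
    print("PQ leaf verifies:", verify_script_path(
        ex["internal_x"], ex["leaf_b"], [leaf_hash(ex["leaf_a"])], ex["out_x"], ex["parity"]))
```

Before the switch is flipped, nothing about the PQ leaf is visible on-chain: only the 32-byte output key appears in the scriptPubKey, and the leaf is revealed (together with its sibling hash) only in the spending transaction. That is the property that lets the migration be prepared quietly ahead of time.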
Prepare without panic
Quantum threats do not have a countdown clock. We don’t know when this breakthrough in quantum computing will occur. It could be ten years away, or it could be much closer. No one knows.
This is not easy. Which post-quantum algorithms to use, how to make them efficient enough for Bitcoin, and how to preserve core features such as threshold multisig and key derivation are still open questions. But the most important thing is to get started: ideally not after the first cryptographically relevant quantum computers have been built, but now, while the system is still secure and can be upgraded calmly.
Enabling post-quantum signature support within today’s Bitcoin Script gives users time to prepare. Education can happen gradually, without panic, and users can start moving their coins at their own pace. Wait too long and that luxury is gone; upgrades done under stress rarely go smoothly.
Tim Ruffing’s work lays out a path forward: a plan that uses tools Bitcoin already has. Read his full paper to understand how it works.
This is a guest post by Kiara Bickers of Blockstream. The opinions expressed are entirely her own and do not necessarily reflect the opinions of BTC Inc or Bitcoin Magazine.
This post, “Bitcoin quantum risk is real. One solution could start with Taproot”, first appeared in Bitcoin Magazine and was written by Kiara Bickers.