d5000
Legendary
Offline
Activity: 4606
Merit: 10509
Decentralization Maximalist
June 28, 2025, 11:44:21 PM
Could Bitcoin be vulnerable then to 51% attacks and stuff if people have quantum rigs?
Depends who "people" are. If only malicious miners have quantum rigs, then yes. But incentives work in the direction that eventually every miner will have quantum rigs in this case; it simply becomes a new hardware generation. In addition, there may be a noticeable difficulty jump in this case, but the first Grover-capable quantum miners will have relatively slow machines, just like with conventional hardware. And thus they wouldn't be able to dominate mining forever. A recent paper by a quantum computing firm has "found out" (take that with a grain of salt ;)) that hardware costs would be even more relevant in the case of quantum mining, and electricity consumption in contrast could become less important. That would hint that mining could become even more centralized on the big mining companies, and home/small-scale mining would more or less die -- until quantum computers become cheaper, then the battleground becomes leveled again. If there's no technology even faster than quantum computing ... There's also a "last resort" option: one could request a Proof of Stake during some time (via hard fork, like in the case of Ethereum's "Merge") if the situation really becomes very unstable, e.g. if North Korea was the only actor with Grover-capable quantum computers and the rest of the world (including private companies) wouldn't have access to this tech. That's however a quite unlikely scenario, and in the case it happens, probably only for a relatively short time.
Mia Chloe
Legendary
Offline
Activity: 1036
Merit: 2167
Contact me for your designs...
July 03, 2025, 08:59:22 PM
Does it mean back to cash carried in bags and placed in vaults with no online security? we would have more to worry about than btc.
On an honest note, if you come to think of it, hackers or the bad guys, per se, out there aren't really looking for the fall of Bitcoin; rather, what they are looking for is ways to steal and accumulate Bitcoins as much as they can. I bet you 9 out of 10 hackers will pick stealing bitcoins over crumbling the network; it's basically the same reason that even when the 51% rule exists, literally almost no one is aiming to use it against the network; rather they want to use that hashrate as an opportunity to make far more profit instead.
philipma1957
Legendary
Offline
Activity: 4816
Merit: 11706
'The right to privacy matters'
July 03, 2025, 10:32:14 PM
Does it mean back to cash carried in bags and placed in vaults with no online security? We would have more to worry about than btc.
On an honest note, if you come to think of it, hackers or the bad guys, per se, out there aren't really looking for the fall of Bitcoin; rather, what they are looking for is ways to steal and accumulate Bitcoins as much as they can. I bet you 9 out of 10 hackers will pick stealing bitcoins over crumbling the network; it's basically the same reason that even when the 51% rule exists, literally almost no one is aiming to use it against the network; rather they want to use that hashrate as an opportunity to make far more profit instead.
Yeah well, if SHA-256 fails due to a badass computer, one could simply square it, so SHA-65536; the square would be impossible to solve quickly. My fear would not be a fast computer; my fear is a new math yet to be invented, which would be more dangerous as it could overcome SHA-65536.
Mia Chloe
Legendary
Offline
Activity: 1036
Merit: 2167
Contact me for your designs...
July 08, 2025, 06:50:50 PM
the square would be impossible to solve quickly. My fear would not be a fast computer; my fear is a new math yet to be invented, which would be more dangerous as it could overcome SHA-65536.
So far, I'd like to put it best this way: quantum computing is more like a myth, partially based on the current technological advancement in the world generally. I've read articles on quantum computing and what it could achieve come its full implementation, and the theories are straight up "badass", but implementing it is the problem. And just like you mentioned, solutions will definitely come up to fix vulnerabilities that quantum computing could pose threats to.
DiscoJoker
Newbie
Offline
Activity: 8
Merit: 1
July 09, 2025, 06:05:09 PM
Honestly, I can't feel comfortable with this excessive confidence in predictions about when quantum computing will become a real threat to Bitcoin.
It's always the same narrative: "it's still far away," "we don't know when," "it's not a concern yet"... but the key point is that real technological progress, especially in private, corporate, or state environments, is not necessarily made public. Relying solely on what's published in academic papers or announced by public companies is naive, especially when we're talking about global financial security.
I'm not saying the quantum apocalypse will happen tomorrow, but I also don't think it's wise to live as if it's impossible in the coming years. If your wealth depends on the assumption that no one is making significant progress behind closed doors, that's already a serious vulnerability.
That's why, besides maintaining a critical stance, I'm already investing in projects that were built from the ground up with quantum resistance. Not only do they have solid potential, but they also offer strategic protection: if this problem ever becomes real, I won't be relying on luck or emergency updates. I’ll already be protected.
I prefer to work with safety margins, not bets on the unknown.
d5000
Legendary
Offline
Activity: 4606
Merit: 10509
Decentralization Maximalist
I'm not saying the quantum apocalypse will happen tomorrow, but I also don't think it's wise to live as if it's impossible in the coming years. If your wealth depends on the assumption that no one is making significant progress behind closed doors, that's already a serious vulnerability.
You are probably trying to promote some shitcoin judging from the second part of the post, but I concede you the benefit of the doubt for now and answer, also to prevent newbies getting scared by your post. What you forget is that there is a way to protect your coins already: Do not reuse your addresses. Above all if they're meant for cold storage. As I wrote above, there's discussion on the mailing list, there has been a draft BIP already, and at least some of the Bitcoin developers are open to changes. But if the current research on post-quantum cryptography is simply not mature enough, then it doesn't make sense to hurry up just because there's a 0.001% probability of someone stealing some old P2PK coins in the next 10 years. A hack of a single Satoshi-era address, or two or three, in the next 10 years would not be the apocalypse; it would be a hack like any other. If that happens, then it's really time to upgrade, but that's some time away still. The technology evolution needed between the scenario "crack a P2PK key from Satoshi's era in 1 year" and "crack a key in 10 minutes while the transaction is in the mempool" is huge. And only if this happens is the strategy of not reusing addresses no longer enough, and Bitcoin needs to upgrade.
philipma1957
Legendary
Offline
Activity: 4816
Merit: 11706
'The right to privacy matters'
July 10, 2025, 07:36:28 PM
I'm not saying the quantum apocalypse will happen tomorrow, but I also don't think it's wise to live as if it's impossible in the coming years. If your wealth depends on the assumption that no one is making significant progress behind closed doors, that's already a serious vulnerability.
You are probably trying to promote some shitcoin judging from the second part of the post, but I concede you the benefit of the doubt for now and answer, also to prevent newbies getting scared by your post. What you forget is that there is a way to protect your coins already: Do not reuse your addresses. Above all if they're meant for cold storage. As I wrote above, there's discussion on the mailing list, there has been a draft BIP already, and at least some of the Bitcoin developers are open to changes. But if the current research on post-quantum cryptography is simply not mature enough, then it doesn't make sense to hurry up just because there's a 0.001% probability of someone stealing some old P2PK coins in the next 10 years. A hack of a single Satoshi-era address, or two or three, in the next 10 years would not be the apocalypse; it would be a hack like any other. If that happens, then it's really time to upgrade, but that's some time away still. The technology evolution needed between the scenario "crack a P2PK key from Satoshi's era in 1 year" and "crack a key in 10 minutes while the transaction is in the mempool" is huge. And only if this happens is the strategy of not reusing addresses no longer enough, and Bitcoin needs to upgrade.
If I could crack btc sha-256, I likely could crack crypto used for banks. So all crypto would be at issue. As I understand it, quantum is not the right math to do this. But I am only fair at math.
DiscoJoker
Newbie
Offline
Activity: 8
Merit: 1
July 10, 2025, 07:45:17 PM
I'm not saying the quantum apocalypse will happen tomorrow, but I also don't think it's wise to live as if it's impossible in the coming years. If your wealth depends on the assumption that no one is making significant progress behind closed doors, that's already a serious vulnerability.
You are probably trying to promote some shitcoin judging from the second part of the post, but I concede you the benefit of the doubt for now and answer, also to prevent newbies getting scared by your post. What you forget is that there is a way to protect your coins already: Do not reuse your addresses. Above all if they're meant for cold storage. As I wrote above, there's discussion on the mailing list, there has been a draft BIP already, and at least some of the Bitcoin developers are open to changes. But if the current research on post-quantum cryptography is simply not mature enough, then it doesn't make sense to hurry up just because there's a 0.001% probability of someone stealing some old P2PK coins in the next 10 years. A hack of a single Satoshi-era address, or two or three, in the next 10 years would not be the apocalypse; it would be a hack like any other. If that happens, then it's really time to upgrade, but that's some time away still. The technology evolution needed between the scenario "crack a P2PK key from Satoshi's era in 1 year" and "crack a key in 10 minutes while the transaction is in the mempool" is huge. And only if this happens is the strategy of not reusing addresses no longer enough, and Bitcoin needs to upgrade.
You’re right in saying that not reusing addresses mitigates much of the current risk, especially for those still holding untouched cold wallets. But that only holds true while the public key hasn’t been revealed. Once a transaction is made and the pubkey is on-chain (as happens with any spent P2PKH, P2SH, multisig, Lightning, etc.), the address becomes a permanent target. At that point, “not reusing” is no longer sufficient. People also tend to underestimate the time window during which a transaction sits in the mempool. Even new and seemingly “secure” addresses may have their public key exposed during that short gap between signing and confirmation.
In a scenario where a quantum-capable actor can act within that timeframe, good key hygiene beforehand won’t matter; the risk becomes immediate. As for the tech evolution: the jump from “breaking an old P2PK key in a year” to “doing it in 10 minutes” seems big, but progress in quantum computing is exponential, not linear. When that threshold is crossed, the security breach becomes retroactive: every already-exposed address will be compromised. That includes legacy multisig outputs, contracts, sidechains, and bridges. It’s literally a ticking time bomb already written into the blockchain. And about the idea that “if it happens, we’ll just update”: it’s important to remember that Bitcoin is conservative by design. No change is trivial. Updating the user base, finalizing BIPs, ensuring backward compatibility - all while under the pressure of a live attack - would be chaotic. Having a transition plan ready is essential. Waiting to react is the real risk. So this isn’t alarmism; it’s simply acknowledging that Bitcoin’s current cryptographic foundations (elliptic curves, ECDSA, etc.) have an expiration date in the face of quantum computing.
PrivacyG
Legendary
Offline
Activity: 1484
Merit: 2518
Fight for Privacy.
It's always the same narrative: "it's still far away," "we don't know when," "it's not a concern yet"... but the key point is that real technological progress, especially in private, corporate, or state environments, is not necessarily made public. Relying solely on what's published in academic papers or announced by public companies is naive, especially when we're talking about global financial security.
Then we should start worrying and stressing out REALLY bad, because what if the actual technological progress out there in the private environment is technology that is over 1000 times better than the Quantum Computing we know of?
I'm not saying the quantum apocalypse will happen tomorrow, but I also don't think it's wise to live as if it's impossible in the coming years. If your wealth depends on the assumption that no one is making significant progress behind closed doors, that's already a serious vulnerability.
I prefer to work with safety margins, not bets on the unknown.
But nobody says this should not be considered or should not be worked on. It is worked on already, but right now Quantum Computing still does not pose a big risk to Bitcoin due to it still being SO far away even from becoming available to the end user. I prefer safety margins too, but to me right now the priority safety margin that should be considered is whether a big change to Bitcoin that involves protection against Quantum Computing is capable of halting the progress Bitcoin has had so far. In my view, this is closer to Google finding a better name to rebrand itself to. Competitors may pop up with a better brand name and a better logo, but this does not mean Google HAS to rebrand itself. It is more dangerous to its business than quickly finding a more modern name with little research and experimentation. If you were here when Bitcoin split into Bitcoin and Bitcoin Cash, you would know how divided the community was. It still is, even today. This was also not the only time we had the community divided. I definitely do not want this scenario to repeat itself. Other projects may be Quantum resistant, but if they fail they are yet another drop in the ocean of shitcoins and failed projects. Bitcoin is the biggest of all; of course it needs more time to adapt, and it needs a lot more time before a big change is deployed. And in my opinion, it is for the better of it and its future.
d5000
Legendary
Offline
Activity: 4606
Merit: 10509
Decentralization Maximalist
if I could crack btc sha-256 I likely could crack crypto used for banks.
SHA256 isn't the biggest problem. Grover's algorithm can speed up brute force attacks, but even with quantum computers it would still take a very long time to find a collision for keys with correct entropy. You probably mean ECDSA though, which can be "cracked" using Shor's algorithm if the public key is exposed. Just in another discussion I mentioned that Bitcoin indeed should be prepared a bit earlier than banks. Banks can update the software relatively fast; they often use cloud banking platforms today, so a centralized update providing post-quantum cryptography would take at most a couple of days up to weeks. In the bank use case, it would also not be problematic to provide several algorithms (e.g. FALCON and SPHINCS+) at once, as storage size is not so much an issue, and if vulnerabilities are found they can be kept secret and the algo can be changed to another one. Bitcoin's problem is its slowness: it takes a lot of time to move all coins to post-quantum cryptography. Thus, to ensure a gradual update, the necessary algorithms should be provided when it could be estimated that in the next 3-5 years a quantum threat could emerge, even if the probability isn't that high (let's say 5%). There are however also emergency measures which could be taken if the threat comes earlier than expected. For example, it could be an idea to temporarily increase the block size to allow people to transfer the coins to post-quantum addresses. Only in the most extreme worst-case scenario (out of nowhere a quantum attacker is able to attack addresses "on the fly" in <10 minutes while they spend coins and reveal the public key) would Bitcoin run into real difficulties. Of course it shouldn't be relied upon.
Once a transaction is made and the pubkey is on-chain (as happens with any spent P2PKH, P2SH, multisig, Lightning, etc.), the address becomes a permanent target. At that point, “not reusing” is no longer sufficient.
"Not reusing" means that if you make a transaction, you transact all coins to other addresses, including the "change", which will be transferred to a change address, just like most Bitcoin clients do it by default. So the scenario you're trying to install here doesn't make sense. Not reusing means not reusing.
As for the tech evolution: the jump from “breaking an old P2PK key in a year” to “doing it in 10 minutes” seems big, but progress in quantum computing is exponential, not linear.
"Exponential" doesn't mean "fast". If quantum computers now have 1000 qubits (most have less), and the progress is 5% per year, you still have way more than 100 years until you get to a million qubits. With 10%, you have 70 years, and even with 20% increase per year (which would be incredibly fast!) you still have almost 40 years.
That includes legacy multisig outputs, contracts, sidechains, and bridges.
Only if they use such outdated protocols that they have to re-use addresses.
Having a transition plan ready is essential.
I agree here, see above. But the post-quantum cryptosystems should also be mature. If you're not ChatGPT, then please read @achow101's post about that issue and provide solid arguments why it's better to deploy untested cryptography NOW instead of waiting, let's say, 3-5 times more, to be able to make a better decision.
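The compounding arithmetic in the post above, as an added worked example that is not part of the thread: the 1000-qubit start, the million-qubit target and the 5/10/20% growth rates are the post's own illustrative numbers, not claims about any real machine, and the example also inverts the formula to show what yearly growth a short horizon would require.

```python
import math

# Illustrative figures taken from the post above (assumptions, not data):
# "if quantum computers now have 1000 qubits" and "a million qubits" as the
# threshold being argued about.
CURRENT_QUBITS = 1_000
TARGET_QUBITS = 1_000_000


def years_to_reach(current: int, target: int, annual_growth: float) -> int:
    """Whole years for `current` to grow to `target` at a constant
    compounding rate, i.e. the smallest n with current*(1+r)^n >= target."""
    if current >= target:
        return 0
    if annual_growth <= 0:
        raise ValueError("growth rate must be positive")
    return math.ceil(math.log(target / current) / math.log(1 + annual_growth))


def required_growth_rate(current: int, target: int, years: int) -> float:
    """Constant yearly growth needed to reach `target` within `years`,
    i.e. solve current*(1+r)^years = target for r."""
    if years <= 0:
        raise ValueError("years must be positive")
    return (target / current) ** (1 / years) - 1


def projection_table(rates=(0.05, 0.10, 0.20)) -> dict:
    """Years-to-threshold for each growth rate quoted in the post."""
    return {r: years_to_reach(CURRENT_QUBITS, TARGET_QUBITS, r) for r in rates}


if __name__ == "__main__":
    for rate, years in projection_table().items():
        print(f"{rate:>4.0%} per year -> {years:>4d} years to {TARGET_QUBITS:,} qubits")
    # The other direction: how fast would counts have to grow for the
    # "5 to 10 years" horizons discussed in this thread?
    for horizon in (5, 10, 20):
        r = required_growth_rate(CURRENT_QUBITS, TARGET_QUBITS, horizon)
        print(f"reaching it in {horizon:>2d} years needs {r:.0%} growth per year")
```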
NotATether
Legendary
Offline
Activity: 2296
Merit: 9606
┻┻ ︵㇏(°□°㇏)
Correct me if I am wrong, but if Bitcoin is broken through by quantum computing in 5 years, then there are much, MUCH more important things to worry about. Such as the internet itself becoming entirely vulnerable. This means servers, websites, databases, everything that is not airgapped but linked to the outside world in one way or another may become vulnerable and compromised.
TLS certificates will be fucked, and so will all the websites using TLS 1.3 and lower with conventional algorithms. MITM attacks will be rampant. Considering that a significant percentage of websites still run on outdated software and are basically abandoned by their webmasters, it does not give me much confidence. This is far more important than Bitcoin. By the time quantum computing arrives in the hands of normal people like us, the internet will be ready to be protected against it. Including Bitcoin.
Well most people will have already moved their coins out of vulnerable addresses, but address crackers will clean out the rest, just like what happened with brainwallets.
tdk2
Newbie
Offline
Activity: 17
Merit: 4
Please be aware of this report summary from Bitcoin Optech, with a link to the original source: https://bitcoinops.org/en/newsletters/2025/06/06/#quantum-computing-report for a discussion of the state of quantum technology, potential risks for Bitcoin, and, most important, some practical recommendations. I think the most important piece is to immediately begin a discussion about how a general consensus should be reached on how to implement a quantum-fix when it becomes necessary. It wouldn't help if there are technical proposals available, but a prolonged civil war about how to implement them would delay them, possibly beyond a real quantum attack. Remember the blocksize and segwit discussions? QT could make a lot of progress in the amount of time it took to resolve these issues... The recommendation of the authors is: within 2 years, develop a technically sound short-term fix, and reach agreement within the whole ecosystem on how to implement it quickly in case QT progress makes it necessary; within 7 years, have a quantum-resistant Bitcoin fully developed and deployed (they expect a possible quantum threat between 2030 and 2035). While one can debate the authors' timeline assessments, I think it makes a lot of sense to at least begin to prepare the way to implementation right now.
DiscoJoker
Newbie
Offline
Activity: 8
Merit: 1
Please be aware of this report summary from Bitcoin Optech, with a link to the original source: https://bitcoinops.org/en/newsletters/2025/06/06/#quantum-computing-report for a discussion of the state of quantum technology, potential risks for Bitcoin, and, most important, some practical recommendations. I think the most important piece is to immediately begin a discussion about how a general consensus should be reached on how to implement a quantum-fix when it becomes necessary. It wouldn't help if there are technical proposals available, but a prolonged civil war about how to implement them would delay them, possibly beyond a real quantum attack. Remember the blocksize and segwit discussions? QT could make a lot of progress in the amount of time it took to resolve these issues... The recommendation of the authors is: within 2 years, develop a technically sound short-term fix, and reach agreement within the whole ecosystem on how to implement it quickly in case QT progress makes it necessary; within 7 years, have a quantum-resistant Bitcoin fully developed and deployed (they expect a possible quantum threat between 2030 and 2035). While one can debate the authors' timeline assessments, I think it makes a lot of sense to at least begin to prepare the way to implementation right now.
Thanks for the link, it’s definitely a good read and brings up some important points. But it actually reinforces what I pointed out: we’re still in the realm of recommendations, calls for discussion, and hope for a future consensus. In other words, no concrete official plan has been adopted so far. Many still act as if the future will never arrive, relying on public estimates of 5 to 10 years before quantum becomes a real threat. But that’s just what we’re allowed to see. The truth is, companies and government agencies have been developing quantum computing behind closed doors for decades. What gets published is just the tip of the iceberg.
Assuming we still have all that time might be a dangerous illusion.
Cricktor
Legendary
Offline
Activity: 1456
Merit: 3814
July 13, 2025, 09:57:34 PM
The truth is, companies and government agencies have been developing quantum computing behind closed doors for decades. What gets published is just the tip of the iceberg.
You make this claim based on what exactly? Your gut feeling? Tin-foil hat conspiracy theories? Something more serious? My intent is not to make fun of you, but to really understand how you come to such a statement. What do you know that we, or rather I, don't? Please, elaborate!
d5000
Legendary
Offline
Activity: 4606
Merit: 10509
Decentralization Maximalist
I've looked a bit into the July Bitcoin Optech newsletter and there are a lot of things going on lately. For example, there's a proposal (with code) to implement Winternitz signatures (which are quantum resistant) with OP_CAT. OP_CAT has still not been added to the Bitcoin code, but it's a relatively popular feature request and thus it could be added in one of the next versions. That could mean that quantum resistance would be achieved faster than expected. Tadge Dryja (one of the LN inventors) has also proposed a scheme to prevent quantum hackers from stealing coins by double spending transactions where public keys were revealed. It would be a soft fork, and it seems that while it needs a quantum resistant algorithm, it could be posted in an OP_RETURN output. That would be huge: If this works and gets implemented, it looks almost like the missing part in the puzzle for strategies you can use already today to secure your coins from future QC attacks. Basically, if you don't reuse addresses and use this strategy, you would not be vulnerable to any quantum computer attacks at all, even in a distant future, with the exception of Grover's algorithm (which is much further away than a Shor algorithm ECDSA exploit, and if it really becomes an issue, it could basically be repelled using SHA512 instead of SHA256). That there are so many options discussed is very healthy and confirms my impression that the devs are correct in not implementing something like BIP360 "in a hurry".
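A minimal Winternitz one-time signature (WOTS) over SHA-256, added here to illustrate the hash-based scheme named in the post above; it is not the OP_CAT proposal's code, and the chain construction, parameters (w=16, 67 chains) and the sample message are assumptions for the example. It shows why such a key is "one-time": every signature publishes intermediate hash-chain values.

```python
import hashlib
import os

N = 32            # SHA-256 output size in bytes
W = 16            # Winternitz parameter: one hash chain per base-16 digit
MSG_CHUNKS = 64   # a 256-bit digest is 64 base-16 digits
CSUM_CHUNKS = 3   # checksum max is 64 * 15 = 960, which fits in 3 digits
L = MSG_CHUNKS + CSUM_CHUNKS   # 67 chains in total


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    """Iterate H `steps` times. A plain hash chain for clarity; real WOTS+
    also mixes per-step randomisation into the chain (omitted here)."""
    for _ in range(steps):
        x = H(x)
    return x


def encode(msg: bytes) -> list:
    """Digest the message into 64 base-16 digits and append a checksum.
    The checksum is what makes the scheme sound: raising any message digit
    forces some checksum digit down, and going *down* a chain means
    inverting SHA-256, which an attacker cannot do."""
    m = [int(c, 16) for c in hashlib.sha256(msg).hexdigest()]
    csum = sum(W - 1 - d for d in m)
    return m + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]


def keygen(seed: bytes = b"") -> tuple:
    """Secret key: L chain start values derived from a seed.
    Public key: hash of all chain *ends* (each chain run W-1 steps)."""
    seed = seed or os.urandom(N)                   # constructed for the example
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(L)]
    pk = H(b"".join(chain(s, W - 1) for s in sk))
    return sk, pk


def sign(sk: list, msg: bytes) -> list:
    """Signature: each chain advanced by its message digit. These are
    intermediate chain values, so a second signature with the same key on
    a different message reveals enough to forge further messages; hence
    one key, one signature."""
    return [chain(sk[i], b) for i, b in enumerate(encode(msg))]


def verify(pk: bytes, msg: bytes, sig: list) -> bool:
    """Finish each chain from the signature value and compare to the pk."""
    if len(sig) != L:
        return False
    ends = b"".join(chain(s, W - 1 - b) for s, b in zip(sig, encode(msg)))
    return H(ends) == pk


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"            # constructed for the example
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))           # True
    print("tampered:", verify(pk, msg + b"!", sig)) # False
```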
alidereje
Newbie
Offline
Activity: 1
Merit: 0
July 18, 2025, 04:01:00 PM
Quantum computing is definitely a threat worth preparing for, but I believe the 5-year timeline might be exaggerated. Even if powerful quantum computers emerge sooner, Bitcoin’s network can still adapt by upgrading its cryptography. The community has already discussed post-quantum algorithms, so it’s just a matter of implementing them when the time is right. Being proactive is key, but I don’t think panic is necessary yet. What post-quantum solutions do you think would be most feasible for Bitcoin to adopt?
QuantumPenisJamesonLopp
Newbie
Offline
Activity: 4
Merit: 0
August 07, 2025, 03:58:48 PM Last edit: August 07, 2025, 04:24:31 PM by QuantumPenisJamesonLopp
In order for a quantum-computer to pose danger to Bitcoin it would require to have between 100,000 - 1 million logical qubits! This kind of quantum-computer is not going to exist for the next 20 years for sure. Anyone else who claims otherwise is an idiot like this guy called Jameson Lopp: https://bitcointalk.org/index.php?topic=5550298.60 The idiot proposed to BAN all Bitcoin transactions permanently that are not "quantum-resistant" 5 years after activation of his and other "corporate fuckers'" BIP.
tromp
Legendary
Offline
Activity: 1029
Merit: 1171
In order for a quantum-computer to pose danger to Bitcoin it would require to have between 100000 - 1million logical qubits!
https://eprint.iacr.org/2021/967.pdf shows that 2330 logical qubits suffice.
QuantumPenisJamesonLopp
Newbie
Offline
Activity: 4
Merit: 0
August 07, 2025, 08:56:00 PM
In order for a quantum-computer to pose danger to Bitcoin it would require to have between 100,000 - 1 million logical qubits!
https://eprint.iacr.org/2021/967.pdf shows that 2330 logical qubits suffice.
My bad, you're right. They are physical qubits. Breaking Bitcoin's ECDSA requires ~2,300+ logical qubits (or millions of physical qubits), placing practical attacks decades away. Requirement to break ECDSA:
Logical Qubits: ~2,330–2,619
Physical Qubits (1-hour): 317 million
Physical Qubits (1-day): 13 million
Cointelegraph's recent article wrongly states the following: "Did you know? Hardware studies suggest that breaking a Bitcoin wallet’s ECDSA key within one hour would (optimistically) require around 13 million logical qubits (or more than 300 million physical qubits, depending on error correction regimes)." Regardless, today and in the next few decades (min 10, max 20 years) there will be no danger to Bitcoin. Anyone pushing for "quantum-resistant" Bitcoin today only cares about selling you "super secure Bitcoin wallets" so they can grab your Bitcoins. Not kidding. See for example this: https://bitcointalk.org/index.php?topic=5550298.msg65666459#msg65666459 Corporations selling Bitcoin wallets are pushing to ban all non-quantum transactions in Bitcoin in the "next 5 years". Be aware!
goldkingcoiner
Legendary
Online
Activity: 2744
Merit: 2901
HoDL
August 07, 2025, 09:41:25 PM Last edit: August 07, 2025, 09:51:42 PM by goldkingcoiner
This thread again? The "5 more years" meme has been around for 25 years. Quantum computing is still immature, overhyped, and needs physics-defying hardware before even rivaling classical systems. No algorithm is going to fix the noise issue, which is ultimately a boundary of physics. So unless we are hoping to discover new physics in the next 5 years, I do not see any danger to Bitcoin. Noise isn't just an engineering challenge, it's a physics limit. No, that is not quite correct. One danger I do see: Quantum FUD as a soft attack vector, used in social engineering to leverage consensus. Quantum computing was and is nothing but a hype. I don't care about new algorithms which beat out the old ones.