Bitcoin Forum
Topic: How feasible is migration to Quantum-Resistant Signatures in Bitcoin?
MarryWithBTC (OP), Member
February 26, 2026, 12:58:18 PM
Merited by stwenhao (1)
#1

The discussion around Bitcoin and quantum computing often swings between two extremes:
  • It is dismissed as pure FUD (as some have argued).
  • It is treated as an inevitable cryptographic apocalypse.
I’m not interested in either framing; I’m just looking for a technical answer.

My question: Is it accurate to call the quantum threat a “myth”? If sufficiently advanced quantum systems are developed in the future, could exposed public keys practically or theoretically become vulnerable?

We know Bitcoin is not static (it’s still labeled beta, after all). So, signature schemes can be upgraded.

Now a second question follows:
If a large-scale quantum computer capable of breaking secp256k1 were eventually built, is migration to quantum-resistant cryptography technically feasible within Bitcoin’s consensus model?
In other words, my real concern isn’t whether quantum computers exist today. It is rather whether Bitcoin can adapt before such machines become practically usable.
Bitcoin’s history shows strong adaptability, but cryptographic transitions are not trivial. I would be interested in hearing technical perspectives on how realistic such a migration would be.

NotFuzzyWarm, Legendary
February 26, 2026, 03:45:45 PM
Last edit: February 26, 2026, 06:29:02 PM by NotFuzzyWarm
Merited by stwenhao (1)
#2

Read some of the numerous existing threads about QC & BTC. You will find your questions have already been answered many, many times...

stwenhao, Hero Member
February 26, 2026, 04:55:28 PM
Merited by BlackHatCoiner (4), BattleDog (4), ABCbits (2), vapourminer (1), NotFuzzyWarm (1)
#3

Quote
Is it accurate to call the quantum threat a “myth”?
Currently? Yes. In the future? Nobody knows.

Quote
If sufficiently advanced quantum systems are developed in the future, could exposed public keys practically or theoretically become vulnerable?
Theoretically? They can be broken without any quantum computers at all. For each and every valid public key, there is one, and only one, valid private key. In smaller curves, you can see exactly how public keys are turned into private keys. In bigger ones, it is exponentially harder, but during curve construction the total number of keys is calculated, and it is mathematically proven to be correct.

Quote
is migration to quantum-resistant cryptography technically feasible within Bitcoin’s consensus model?
Yes. You will have just a new address type, with different cryptography. We already migrated from ECDSA to Schnorr signatures. Migration to "foobar signatures" can be done in exactly the same way. I said "foobar" because it is not yet certain what exactly will be picked. There are some proposals, but nothing is set in stone yet.

Quote
Can Bitcoin adapt before such machines become practically usable?
Technically? Yes. Socially and politically? Nobody knows. Even if new signatures were deployed tomorrow, it is unknown how long it would take for people to upgrade, and how many people would refuse to do so, for various reasons.

Quote
I would be interested in hearing technical perspectives on how realistic such a migration would be.
Instead of "OP_1 <taproot_key>", you would have something like "OP_2 <quantum_key>", or something similar. And maybe that key will be hashed, when people scream that hashing, with its many collisions, is more difficult to break than provably collision-free secp256k1. Or, if these things take too much space when used, they will be moved to inputs.

By the way, the main reason Satoshi hashed public keys was space. Public keys took 65 bytes in uncompressed form, then 32 bytes after SHA-256, and then 20 bytes after RIPEMD-160. Maybe quantum keys will also be hashed, just to make outputs smaller.

BattleDog, Full Member
February 28, 2026, 03:00:37 PM
#4

Also worth separating "quantum breaks Bitcoin" from "quantum breaks keys that are already exposed." A lot of UTXOs are still sitting behind a hash of a pubkey, so there's no pubkey on-chain until you spend. Those are in better shape in a Shor-doomsday timeline than anything that has already published a raw pubkey in the output script (old P2PK, and yes, Taproot outputs are literally a pubkey on-chain).

If you're trying to be rational-paranoid today, the lowest-effort move is boring: stop address reuse, keep long-term coins in hashed-pubkey outputs, and don't be the guy broadcasting the same pubkey to the world for a decade like it's a bumper sticker.
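The distinction made in #3 (hashed 20-byte key commitments versus a bare key in the output) and #4 (outputs whose pubkey is already on-chain versus outputs that only reveal it when spent) can be checked mechanically against a scriptPubKey. The following is an added example written for this page, not code from any poster or from Bitcoin Core; it matches the standard output templates by their byte layout and reports whether a public key is already visible, whether spending will reveal one, and how many bytes the output commits to. All sample scripts and satoshi amounts are constructed inline with dummy key and hash bytes, not real chain data.

```python
"""Classify Bitcoin output scripts by public-key exposure (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Script opcodes used by the standard templates below
OP_0, OP_1, OP_RETURN = 0x00, 0x51, 0x6A
OP_DUP, OP_HASH160, OP_EQUAL = 0x76, 0xA9, 0x87
OP_EQUALVERIFY, OP_CHECKSIG = 0x88, 0xAC


@dataclass(frozen=True)
class Exposure:
    kind: str                        # output template name
    key_on_chain: bool               # a usable public key already sits in the output
    revealed_on_spend: Optional[bool]  # spending publishes the key (None: depends on
                                       # a script we cannot see from the output alone)
    commitment_bytes: int            # size of the key or hash the output carries


def _direct_push(script: bytes, i: int) -> Optional[bytes]:
    """Data of a direct push opcode (0x01..0x4b) at offset i, or None."""
    n = script[i]
    if 1 <= n <= 0x4B and i + 1 + n <= len(script):
        return script[i + 1:i + 1 + n]
    return None


def classify_output(script: bytes) -> Exposure:
    n = len(script)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG -- the raw key is in the output
    if n in (35, 67) and script[-1] == OP_CHECKSIG:
        key = _direct_push(script, 0)
        if key is not None and len(key) == n - 2 and len(key) in (33, 65):
            return Exposure("p2pk", True, True, len(key))
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -- only HASH160(key)
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Exposure("p2pkh", False, True, 20)
    # P2SH: OP_HASH160 <20> OP_EQUAL -- hash of a redeem script, contents unknown here
    if n == 23 and script[:2] == bytes([OP_HASH160, 20]) and script[22] == OP_EQUAL:
        return Exposure("p2sh", False, None, 20)
    # P2WPKH: OP_0 <20> -- HASH160(key); the key appears in the witness when spent
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        return Exposure("p2wpkh", False, True, 20)
    # P2WSH: OP_0 <32> -- SHA256(witness script), contents unknown here
    if n == 34 and script[:2] == bytes([OP_0, 32]):
        return Exposure("p2wsh", False, None, 32)
    # P2TR: OP_1 <32-byte x-only key> -- the (tweaked) key itself is in the output
    if n == 34 and script[:2] == bytes([OP_1, 32]):
        return Exposure("p2tr", True, True, 32)
    if n >= 1 and script[0] == OP_RETURN:
        return Exposure("op_return", False, False, 0)
    return Exposure("nonstandard", False, None, 0)


def split_by_exposure(utxos: List[Tuple[bytes, int]]) -> Tuple[int, int]:
    """Return (sats whose key is already on-chain, sats still behind a hash/script)."""
    exposed = hidden = 0
    for script, sats in utxos:
        if classify_output(script).key_on_chain:
            exposed += sats
        else:
            hidden += sats
    return exposed, hidden


# Constructed sample UTXO set with dummy key/hash bytes (not real chain data)
DUMMY_KEY65 = b"\x04" + b"\x22" * 64
DUMMY_KEY33 = b"\x02" + b"\x11" * 32
DUMMY_HASH20 = b"\x33" * 20
DUMMY_XONLY32 = b"\x44" * 32

P2PK_SCRIPT = bytes([65]) + DUMMY_KEY65 + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = bytes([OP_DUP, OP_HASH160, 20]) + DUMMY_HASH20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SCRIPT = bytes([OP_0, 20]) + DUMMY_HASH20
P2TR_SCRIPT = bytes([OP_1, 32]) + DUMMY_XONLY32
P2SH_SCRIPT = bytes([OP_HASH160, 20]) + DUMMY_HASH20 + bytes([OP_EQUAL])

SAMPLE_UTXOS = [
    (P2PK_SCRIPT, 50_000),    # old-style P2PK: key already public
    (P2PKH_SCRIPT, 30_000),   # hashed key: safe until spent
    (P2WPKH_SCRIPT, 20_000),  # hashed key: safe until spent
    (P2TR_SCRIPT, 10_000),    # taproot: x-only key already public
]

if __name__ == "__main__":
    for script, sats in SAMPLE_UTXOS:
        print(f"{sats:>7} sat  {classify_output(script)}")
    print("exposed/hidden sats:", split_by_exposure(SAMPLE_UTXOS))
```

Run on the constructed set, the P2PK and P2TR outputs are reported with `key_on_chain=True` and the P2PKH/P2WPKH outputs with `revealed_on_spend=True`, which is the mechanical form of the advice in #4: a hashed output is only as safe as its first spend, so reusing the same hash after spending puts it in the exposed bucket. Script-hash outputs (P2SH, P2WSH) are left as `None` because the redeem script, and thus any keys inside it, is not visible from the output.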
