Sure! Here’s a rewritten version of the content while keeping the HTML tags intact:
While quantum computers are not capable of decrypting Bitcoin, they could potentially forge signatures using exposed public keys, placing approximately 6.7 million BTC at risk unless wallets transition to post-quantum solutions before fault-tolerant machines become a reality.
Summary
- Bitcoin does not hold encrypted secrets on-chain; the primary quantum threat lies in Shor-enabled key recovery from exposed public keys, which allows for forgery of authorizations on susceptible UTXOs.
- According to Project Eleven’s Bitcoin Risq List, around 6.7 million BTC is stored in addresses that meet its public-key exposure criteria; even with Taproot, the risk persists rather than being fully mitigated as quantum computing advances.
- Current projections indicate that approximately 2,330 logical qubits along with millions of physical qubits are essential to compromise 256-bit ECC, allowing sufficient time for BIP-level post-quantum solutions (e.g., P2QRH) and NIST-standard systems to be integrated, despite increased signature sizes and fees.
Researchers and developers in cryptocurrency warn that quantum computers threaten Bitcoin (BTC) through the potential misuse of digital signatures rather than the decryption of any encrypted content.
Examining Quantum’s Impact on Bitcoin’s Technology
Since Bitcoin does not store encrypted secrets on its blockchain, the common claim that “quantum computers can crack Bitcoin encryption” is fundamentally flawed, as noted by Adam Back, a veteran Bitcoin developer and the creator of Hashcash. The cryptocurrency’s security hinges on digital signatures and hash commitments instead of ciphertext.
“Bitcoin does not utilize encryption,” Back communicated on the social media platform X, pointing out that such terminological errors reflect a misunderstanding of the technology’s core principles.
The genuine quantum threat is authorization forgery, wherein a sufficiently advanced quantum computer executing Shor’s algorithm could deduce a private key from an on-chain public key and generate a valid signature for a conflicting transaction, as per technical documents.
The signature systems employed by Bitcoin, namely ECDSA and Schnorr, verify control over a keypair. The primary concern for security lies in public-key exposure and its correlation with the information that becomes visible on-chain. Many address formats securely commit to a hash of a public key, concealing the raw public key until spent in a transaction.
Project Eleven, a research organization focused on cryptocurrency security, offers an open-source “Bitcoin Risq List” that monitors public key exposure at the script and address reuse level. Their public tracker indicates that approximately 6.7 million BTC meet their exposure criteria based on their published methodology.
Outputs from Taproot, known as P2TR, incorporate a 32-byte tweaked public key within the output program, moving away from a simple pubkey hash, as specified in Bitcoin Improvement Proposal 341. This alteration modifies the exposure pattern in ways that become significant only if large fault-tolerant quantum machines are developed, according to Project Eleven’s documentation.
Research from “Quantum resource estimates for computing elliptic curve discrete logarithms” by Roetteler and colleagues specifies that a maximum of 9n + 2⌈log2(n)⌉ + 10 logical qubits is necessary to compute an elliptic-curve discrete logarithm over an n-bit prime field. For n = 256, this translates to about 2,330 logical qubits.
A 2023 estimate from Litinski suggests that computing a 256-bit elliptic-curve private key could require around 50 million Toffoli gates. Given these assumptions, a modular approach could accomplish the computation in about 10 minutes using approximately 6.9 million physical qubits. A summary from Schneier on Security indicated that estimates cluster around 13 million physical qubits to break encryption within one day, with roughly 317 million physical qubits required for a one-hour window attack.
Grover’s algorithm introduces a square-root speedup for brute-force searches, illustrating the quantum threat to hashing functions. Research by NIST indicates that for SHA-256 preimages, the required work remains on the order of 2^128 even after applying Grover’s algorithm, which is significantly less daunting than breaking elliptic-curve cryptography’s discrete-log.
Post-quantum signatures tend to be measured in kilobytes as opposed to the tens of bytes typical of current signatures, impacting the economics of transaction size and the overall user experience for wallets, as outlined in technical specifications.
NIST has begun standardizing post-quantum primitives, such as ML-KEM (FIPS 203), as part of a comprehensive migration strategy. Within the Bitcoin community, BIP 360 introduces a “Pay to Quantum Resistant Hash” output type, while qbip.org promotes a sunset for legacy signatures to encourage migration.
IBM has discussed advancements in error-correction components in a recent statement to Reuters, reaffirming a forecast for the emergence of a fault-tolerant quantum system around 2029. The company added that a significant quantum error-correction algorithm is capable of functioning on standard AMD chips, according to a separate Reuters report.
Key measurable factors include the proportion of the UTXO set with visible public keys, changes in wallet behaviors in response to such exposure, and the speed at which the network adopts quantum-resistant payment paths while ensuring validation and fee economics, according to Project Eleven’s analysis.
Feel free to ask if you need any more modifications!
