Bitcoin Quantum Threat Takes Center Stage at Ethereum Conference

In brief

• BIP 360 co-authors say Bitcoin signatures are the main quantum risk for the blockchain.
• About 30% of Bitcoin sits under exposed public keys.
• As quantum hardware thresholds fall, Bitcoin and Ethereum devs alike are ramping up quantum planning.

While this year’s Ethereum developer conference, ETH Denver, focused on building in a down market and empowering AI agents via blockchain, one panel examined whether Bitcoin’s cryptography can survive in a post-quantum world. Onstage this week, the focus on Bitcoin’s ability to survive the quantum computing threat was narrow, focusing on what could actually break first. According to Hunter Beast, co-author of BIP 360—a proposal that aims to solve the blockchain’s quantum conundrum—confusion often starts with Bitcoin’s hashing algorithm. “Hash algorithms like SHA-256 are actually believed to be very difficult for even the most ideal, biggest quantum computer we can imagine,” Beast said. “We theorize that we would need a quantum computer bigger than the moon to break 256-bit hash-based cryptography using Grover’s algorithm.” 

First developed by computer scientist Lov Grover in 1996, Grover’s algorithm, also known as the quantum search algorithm, speeds up brute-force search, reducing the effective security of hash functions such as Bitcoin’s SHA-256 hashing algorithm. “That’s not really what we’re worried about in the next five years,” Beast said. “What we’re worried about in the next five years are signatures, and that goes over with Shor’s.” Developed in 1994 by mathematician Peter Shor, Shor’s algorithm targets the mathematics behind public-key cryptography. Bitcoin relies on elliptic curve cryptography for digital signatures, and Shor’s algorithm can reverse-engineer private keys from public keys if a quantum computer is powerful enough. Alex Pruden, chief executive of blockchain cybersecurity firm Project Eleven, described what that would mean.

“Ownership in Bitcoin is entirely conferred by your ability to sign a digital signature,” Pruden said during the panel. “With Shor’s algorithm, just knowing your public key—the thing that’s supposed to be safe to share—is enough to reverse engineer your private key. That means I own your Bitcoin simply by knowing your public key.” Today’s machines cannot do that. However, Pruden pointed to recent technical milestones by Google, IBM, and others in quantum computing, which could portend further rapid developments ahead. “In December 2024, Google announced Willow, a quantum computer that demonstrated below‑threshold error correction,” Pruden said. “Until that point, people doubted whether quantum computing could ever scale, and Google demonstrated definitively that, yes, this can scale.” The discussion comes as the broader crypto industry increases preparations for the day when a practical quantum computer comes online. The Ethereum Foundation recently formed a post-quantum security team, and Coinbase convened an advisory board to study quantum risks to Bitcoin and other digital assets. Coinbase CEO Brian Armstrong has described the issue as “solvable,” even as researchers debate how urgent the threat is. Estimates of the hardware required to break Bitcoin’s signature scheme have shifted. As recently as 2021, researchers projected it would take roughly 20 million qubits to break Bitcoin’s cryptography. Last week, researchers at Iceberg Quantum suggested that the number could fall to around 100,000 qubits. Exposure already exists, according to Project Eleven, which tracks what it calls the “Bitcoin Risq List.” According to the list, over 6.9 million total coins are in addresses with exposed public keys, including 1.7 million coins mined during Bitcoin’s early years. “Basically, a third of the supply would be vulnerable to what we call a long exposure attack,” Beast said.

Isabel Foxen Duke, Beast’s co-author on BIP 360, said the problem is not purely technical. “There are a lot of challenges with Bitcoin and quantum-hardening Bitcoin that have nothing to do with post-quantum cryptography,” she said. Some older coins, Foxen-Duke, may never migrate to quantum-safe addresses, including those believed to belong to Bitcoin’s creator, Satoshi Nakamoto. “There are proposals out there to freeze Satoshi’s coins and all pay-to-public-key addresses completely,” she said. “I think those are the more controversial, more complicated, and in some ways more interesting questions, because getting consensus around something like that is going to be an incredibly difficult and politically challenging problem to solve.” However, she warned that if quantum capability arrives before consensus on migration, it would be catastrophic for the Bitcoin network. “If 4 million Bitcoin hit the market in a matter of hours once a quantum computer arises and somebody actually takes advantage of it, that’s a potentially Bitcoin‑project‑destroying event, regardless of whether or not we have post‑quantum cryptography,” Foxen Duke said.