Blockstream CEO Adam Back has outlined a strategic, phased approach to upgrading Bitcoin's security against the potential threat of quantum computers. He advocates for a gradual rollout of post-quantum (PQ) cryptography, allowing users, exchanges, and custodians ample time to adapt safely as the quantum risk landscape evolves.
Back emphasized that Bitcoin's existing Taproot design, activated in 2021, already embeds quantum-ready features, countering what he describes as misconceptions from some quantum researchers. This inherent design reduces the immediate urgency for a rushed upgrade, enabling careful testing and implementation. The proposed phased path aims to protect the network without introducing unnecessary risk from untested cryptographic changes.
The urgency for such planning is underscored by recent research, including a report from Google suggesting a sufficiently powerful quantum computer could crack Bitcoin's core Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography in under nine minutes. Some analysts project this threat could materialize by 2029. The stakes are immense, with approximately 6.5 million BTC—worth hundreds of billions of dollars—sitting in addresses directly vulnerable to a long-exposure quantum attack. This includes coins in old Pay-to-Public-Key (P2PK) addresses, potentially belonging to Satoshi Nakamoto, and newer Taproot (P2TR) addresses.
Several concrete proposals are under consideration by the Bitcoin developer community to mitigate these risks. BIP 360 proposes a new output type called Pay-to-Merkle-Root (P2MR) to permanently remove the public key from the blockchain, eliminating the target for quantum attacks on new coins. For post-quantum signatures, the standardized SPHINCS+ / SLH-DSA scheme is an option, though its large signature size (over 8KB) presents scalability challenges, leading to proposals like SHRIMPS and SHRINCS for more efficient alternatives.
Lightning Network co-creator Tadge Dryja has proposed a commit/reveal scheme as a soft fork to protect transactions in the mempool from short-exposure attacks by creating a two-phase process. For the already-exposed 1.7 million BTC in older addresses, developer Hunter Beast's Hourglass V2 proposal suggests limiting spending to one BTC per block to prevent a catastrophic market crash from a potential mass quantum theft event, though this idea is controversial within the community.
Back's commentary and the active development of these proposals indicate that quantum resistance has been a long-term consideration for Bitcoin developers. Any upgrade will require consensus across the decentralized network of developers, miners, and node operators, ensuring a measured transition as quantum computing capabilities advance.
