Quantum-proofing your Bitcoin
Human-level AI was said to be 40 years away in 2015. A decade later GPT 5.2 achieved 93% accuracy at GPQA against 75% for PhD experts.
Quantum computers are now said to be 10 to 15 years away. It doesn’t hurt to prepare for it.
Intro
People agree to give Bitcoin value based on the principle that others will do the same. This is the case because they have good reason to believe that the 21 million supply will not change, and their coins won’t be taken from them. This belief is backed by a source code implementing these simple principles. We trust that this code won’t need a lot of changes, but if it’s necessary, game theory will cause players to change the rules in order to preserve their private property.1
The current implementation of Bitcoin relies on guarantees from two crypto primitives:
- Hashes (used to commit to information)
- Elliptic curves (used to prove who you are)
What breaks
With a quantum computer, using the best known algorithms, we can expect the security of hashes to be halved: down to 128 and 80 bits for SHA256 and HASH160 respectively. This is still pretty safe. The computing power needed to break 80 bits costs around half a million dollars of today’s hashrate, and breaking 80 bits is around 300 trillion times easier than breaking 128-bit security.
As for elliptic curves, unfortunately, they would be effectively broken: knowing your public key, an attacker could recover your private key in polynomial time (without significant computation). Fortunately, depending on the type of address you use (I will provide recommendations at the end), you only reveal your public key when you spend your coins. If you don’t reuse the same address, you are not vulnerable.
Predictions
3 scenarios are possible:
- Quantum computer doesn’t happen. You are safe.
- Bitcoin updates before it happens.
- It happens before Bitcoin has time to update.
The latter is the most interesting, as it is the one we can do something about, and given the slowness of Bitcoin updates, it seems plausible. In this case:
- Some addresses, though not all, will be vulnerable to attack.
- Spending your bitcoins will immediately make them vulnerable.
Because some addresses will be more vulnerable than others, and the blockchain is public, we should have some clues as to what is happening. Bitcoin will lose value, because of panic, lost Bitcoins (such as Satoshi’s) returning to the market, and a justified loss of confidence (you can no longer spend your Bitcoins safely).
If we apply the game theory principle, the remaining players will then agree to preserve what remains; this will involve 3 potential measures:
- Implementing a quantum-proof alternative to elliptic curves
- An escape hatch for existing addresses2
- Freezing vulnerable addresses
The last measure is controversial. Some Bitcoiners will argue against freezing funds. Others will say that the alternative of letting them be stolen is no more appealing. As @RenaudDUBOIS10 pointed out, even if your private key can be found by a quantum computer, it cannot find your seed. A hypothetical advanced escape hatch requiring your 12 words may allow you to claim your vulnerable bitcoins after the freeze.
Nevertheless, I’m pretty confident about the first two, as they are simple and align the interests of all the people who give Bitcoin its value.
Your move
The good news is that quantum computing is not an existential threat to Bitcoin, but rather a somewhat annoying security update that will require manual intervention from holders.
A few things you can do today, in rough order of priority:
- First, make sure your coins are safe from current threats: hardware wallet, multisig, proper seed backup. Quantum risk is irrelevant if you get phished tomorrow.
- Second, stop reusing addresses. Your public key is only exposed when you spend, so a fresh address for every transaction keeps you behind the holy hash wall.
- Third, use hash-based address types (no Taproot for long-term storage). P2WSH (Pay-to-Witness-Script-Hash) is ideal, as it uses full SHA-256, giving you 128 bits of post-quantum security rather than the 80 bits of HASH160-based formats.
- Fourth, use the standards (like BIP32 seeds). The solution that gets adopted has to be the simplest one that saves the most people.
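An added example, not from the original post, that makes the list above concrete: it classifies raw scriptPubKeys by output type, reports whether the public key sits on-chain (Shor applies) or only a hash does, and computes the Grover halving and the 2^48 effort gap mentioned under "What breaks". All keys, hashes and outputs are constructed placeholders, not real on-chain data.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Exposure:
    script_type: str
    pubkey_on_chain: bool   # True: the curve, not the hash, is the only protection (Shor applies)
    pq_bits: int            # post-quantum preimage security of the hash guarding the key

def grover_bits(classical_bits: int) -> int:
    """Grover's search halves hash preimage security: SHA-256 256 -> 128, HASH160 160 -> 80."""
    return classical_bits // 2

def relative_effort(weaker_bits: int, stronger_bits: int) -> int:
    """How many times easier brute force is at weaker_bits than at stronger_bits."""
    return 2 ** (stronger_bits - weaker_bits)

def classify_spk(spk: bytes) -> Exposure:
    """Classify a raw scriptPubKey into a standard output type and its exposure."""
    n = len(spk)
    if n == 35 and spk[0] == 0x21 and spk[-1] == 0xAC:       # <33-byte pubkey> OP_CHECKSIG
        return Exposure("P2PK", True, 0)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", False, grover_bits(160))    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", False, grover_bits(160))   # OP_0 <20-byte HASH160(pubkey)>
    if n == 34 and spk[:2] == b"\x00\x20":
        return Exposure("P2WSH", False, grover_bits(256))    # OP_0 <32-byte SHA256(witness script)>
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, 0)                     # OP_1 <32-byte x-only tweaked pubkey>
    return Exposure("unknown", True, 0)                      # conservative default for anything else

# Constructed sample values: placeholders, not real keys, hashes or on-chain outputs.
SAMPLE_PUBKEY = bytes.fromhex("02" + "11" * 32)              # 33-byte compressed pubkey placeholder
SAMPLE_H160 = bytes.fromhex("22" * 20)                       # 20-byte HASH160 placeholder
WITNESS_SCRIPT = b"\x51\x21" + SAMPLE_PUBKEY + b"\x51\xae"   # OP_1 <pubkey> OP_1 OP_CHECKMULTISIG
SAMPLE_UTXOS = {
    "p2pk":   b"\x21" + SAMPLE_PUBKEY + b"\xac",
    "p2pkh":  b"\x76\xa9\x14" + SAMPLE_H160 + b"\x88\xac",
    "p2wpkh": b"\x00\x14" + SAMPLE_H160,
    "p2wsh":  b"\x00\x20" + hashlib.sha256(WITNESS_SCRIPT).digest(),
    "p2tr":   b"\x51\x20" + SAMPLE_PUBKEY[1:],
}

def audit(utxos: dict) -> dict:                              # label -> Exposure for every UTXO
    return {label: classify_spk(spk) for label, spk in utxos.items()}

def below_recommendation(utxos: dict) -> list:               # exposes a pubkey or relies on an 80-bit hash
    return sorted(l for l, e in audit(utxos).items() if e.pubkey_on_chain or e.pq_bits < 128)
```

Run `below_recommendation` over your own wallet's scriptPubKeys (exported from a coin-control view) to see which outputs fall short of the P2WSH recommendation.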

If you want a single setup that checks all these boxes: Sparrow Wallet with hardware wallets in a multisig policy using the P2WSH script type. Deposit only; if you need to spend, send the change to a fresh multisig with new keys.
Finally, if rumors of a quantum break start circulating, don’t panic. Wait for an escape hatch. Moving your coins is what would make them vulnerable.
Footnotes
1. This happened in 2010, when a value overflow bug allowing the creation of billions of Bitcoins was exploited; everyone agreed to roll back to a previous version of the chain with a new rule fixing the bug.
2. A quantum-resistant zero-knowledge proof, like zk-STARKs, would allow you to prove ownership of the private key associated with an address without revealing the public key. This would be highly inefficient compared to a dedicated quantum-resistant algorithm, hence cost far more in fees, but would allow a safe migration to a modern alternative.