Bitcoin developers are sleepwalking towards collapse
Why Bitcoiners should care about quantum computing, in simple terms
There’s a huge amount of noise about the quantum risk to Bitcoin lately. I’ve made my case in a long article, but most people haven’t read it, and are only getting brief snippets of the debate from X. So I’ve condensed my views into one short article. I’m not going to be packing this article full of references and detail. If you want that, see my full series on quantum risk.
The security of Bitcoin – as in the difficulty of reverse engineering a private key from a public key – relies on elliptic curve cryptography. Quantum computing (QC) is known to theoretically break this, thanks to an algorithm invented in the 90s by Peter Shor. Satoshi was aware of this when they invented Bitcoin, and proposed upgrading if QC ever became sufficiently powerful. For a quantum computer to actually deploy the algorithm it would need 1-2 thousand so-called “logical qubits”, or a few hundred thousand to a million or so “physical qubits”. For context, the best quantum computers today max out at around 1k physical qubits and a few dozen logical qubits. So we are still approximately three orders of magnitude away from this capability. While this may seem remote, noted quantum theorist and academic Scott Aaronson calls it merely a “staggeringly hard” engineering problem, rather than something requiring new fundamental physics discoveries. To put it another way, with quantum we are in the equivalent of nuclear fission in 1939 – known to be possible with no theoretical roadblocks remaining, but still requiring an enormous engineering lift. To extend the analogy, because of the enormous strategic utility of a QC, the early owners of this technology may obscure their capabilities, or wait to reveal that they have it. Due to the incentives at play, quantum computing could emerge abruptly, with no warning. This is bad news for Bitcoiners who think that they will have plenty of notice and time to prepare. And as we have seen with AI – and the level of surprise in the AI community when the scaling law was developed and LLMs became powerful – nonlinearities can and do happen in technology. I am not willing to wager the future of Bitcoin on the mere hope that quantum development doesn’t surprise to the upside.
The odds of a quantum break in the next decade are unknowable. However, 2025 was the most active year in quantum computing history. Technologically, this year saw breakthroughs in “fidelity” – how often the qubit does what it’s meant to do – at IONQ and MIT. Quantum error correction, which catches and resolves errors introduced by physical qubits to create pristine logical qubits, started to meaningfully work in 2025. Because these errors tend to grow with the size of quantum computers, getting error correction to work at scale was the big development in QC. Google and Quantinuum had strong results in error correction this year.
At least $6b was raised by quantum startups this year, the most in history by a large margin. One of these startups, PsiQuantum, raised $1b to build a million-qubit machine – possible, they think, with current technology. A number of firms building quantum computers explicitly project being able to build a functional, scaled quantum computer by the late 2020s or the mid 2030s. The average expert on Metaculus anticipates the arrival of a QC around 2033.
The US government’s official standards-setting body, NIST, has asked government agencies to deprecate the use of quantum-vulnerable cryptographic schemes like ECC256 by 2030, and end all reliance on them by 2035. Other major powers like the EU and UK are operating on similar timelines. These are dates that should motivate Bitcoiners to action today, as I’ll explain.
If a sufficiently powerful “cryptographically-relevant QC” were to be built, it could threaten Bitcoin by enabling an attacker to steal private keys from exposed public keys. Not all coins are currently exposed (some public keys are in hashed addresses, and SHA-256 is not considered quantum-vulnerable), but 6.7m BTC are vulnerable at the time of writing – $604 billion worth. Additionally, in the short window between when coins are spent, and included in a block, a sufficiently powerful QC could in theory reverse-engineer the private key and redirect the expenditure. This applies to coins in any sort of address, hashed or not.
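The paragraph above distinguishes coins whose public key is already visible on-chain (pay-to-public-key outputs, and Taproot outputs, which place the key directly in the output) from coins behind a hashed address, whose key is only revealed when they are spent or when the address was reused. The following script is an added example, not code from the article or from any Bitcoin project, that triages a set of output scripts by this distinction. It assumes the standard scriptPubKey byte patterns for P2PK, P2PKH, P2SH, P2WPKH, P2WSH and P2TR; the sample UTXOs, keys and hashes are constructed placeholders, and the `address_spent_before` flag stands in for a lookup the reader would do against chain history.

```python
"""Triage Bitcoin outputs by whether their public key is exposed on-chain.

Added example (not from the article): classifies a scriptPubKey by type and
reports whether an elliptic-curve public key is readable from the UTXO itself
or from an earlier spend of the same address.  Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_on_chain: bool   # public key sits directly in the output script
    exposed: bool        # key_on_chain, or revealed by an earlier spend/reuse


def classify_script(spk: bytes) -> str:
    """Return the standard output type for a scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <33-byte compressed key> OP_CHECKSIG, or <65-byte uncompressed key> OP_CHECKSIG
    if n == 35 and spk[0] == 0x21 and spk[1] in (0x02, 0x03) and spk[-1] == 0xAC:
        return "p2pk"
    if n == 67 and spk[0] == 0x41 and spk[1] == 0x04 and spk[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    # P2WPKH: OP_0 <20>   /   P2WSH: OP_0 <32>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # P2TR: OP_1 <32-byte x-only key>; the key itself is in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"


# Types whose output script contains the public key (or a tweaked key) itself.
KEY_ON_CHAIN = {"p2pk", "p2tr"}
# Types that only commit to a hash; the key (or redeem script with its keys)
# appears in the spending input, so reuse after a spend exposes it.
HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def assess(spk_hex: str, address_spent_before: bool = False) -> Exposure:
    """Assess one UTXO.  'unknown' scripts are conservatively treated as exposed."""
    script_type = classify_script(bytes.fromhex(spk_hex))
    key_on_chain = script_type in KEY_ON_CHAIN
    if script_type in HASHED:
        exposed = address_spent_before
    else:
        exposed = True  # key on chain, or a script we cannot vouch for
    return Exposure(script_type, key_on_chain, exposed)


def exposed_balance(utxos) -> tuple[int, int]:
    """Sum (exposed_sats, total_sats) over (spk_hex, value_sats, spent_before) tuples."""
    exposed_sats = total_sats = 0
    for spk_hex, value_sats, spent_before in utxos:
        total_sats += value_sats
        if assess(spk_hex, spent_before).exposed:
            exposed_sats += value_sats
    return exposed_sats, total_sats


# Constructed sample UTXO set (placeholder keys/hashes, not real chain data).
P2PK_HEX = "21" + "02" + "11" * 32 + "ac"          # early-style output, key visible
P2PKH_HEX = "76a914" + "22" * 20 + "88ac"            # hashed; this address was reused
P2WPKH_HEX = "0014" + "33" * 20                      # hashed; never spent from
P2TR_HEX = "5120" + "44" * 32                        # Taproot; key visible in output
SAMPLE_UTXOS = [
    (P2PK_HEX, 50_00000000, False),
    (P2PKH_HEX, 1_00000000, True),
    (P2WPKH_HEX, 2_00000000, False),
    (P2TR_HEX, 3_00000000, False),
]

if __name__ == "__main__":
    for spk_hex, value_sats, spent in SAMPLE_UTXOS:
        print(assess(spk_hex, spent), value_sats)
    exposed, total = exposed_balance(SAMPLE_UTXOS)
    print(f"exposed: {exposed / 1e8:.8f} of {total / 1e8:.8f} BTC")
```

Note that the hashed types are only safe at rest: the moment such a coin is spent, the public key is broadcast in the input, which is the mempool window the paragraph describes, so this triage tells you which coins are exposed now, not which coins can be spent safely.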
In theory, Bitcoin could soft fork and adopt a “post-quantum” (PQ) signature scheme. Some proposed quantum-resistant cryptographic signatures do exist. Leaving aside the technical problems, like massively higher data requirements (requiring larger blocks, or reduced throughput), the main issue will be settling on a specific post-quantum scheme, organizing a soft fork, and laboriously moving each of the tens of millions of addresses with a balance. It’s risky to adopt new cryptography, which is another problem. We don’t want to panic and move to PQ crypto which we later find out is breakable even by classical computers. Stripping out the cryptography at the core of the Bitcoin system is a huge task, and must be done delicately. And if you recall how difficult it was for Bitcoiners to collectively agree and implement the (relatively uncontroversial) SegWit and Taproot soft forks, you will understand that Bitcoin does not move nimbly.
A post-quantum fork (or rather, forks, because it would likely require a few) to Bitcoin would be substantially more invasive and complex than any prior update to the protocol. The cryptography is the core of the protocol and ripping it out forces changes to virtually everything about the system, and the way users interact with it too. It stands to reason that such a fork would need even longer to be debated, developed and tested than SegWit (two years from proposal to activation) or Taproot (three years).
Actually getting Bitcoin into a non-vulnerable state, post-fork, would be even harder. Coins in quantum-vulnerable addresses would have to be rotated and sent to new quantum-resistant address types. Eventually, all address types would have to be deprecated and rotated. Even if every Bitcoiner were aware of this and had ready access to their wallets and keys, this transition would take months in the best case. More realistically, you’d want to give Bitcoiners several years’ notice to rotate their coins.
And it gets worse. Some coins are lost or abandoned. A huge number of these – 1.7m BTC – belong to Satoshi and other early miners in old address types called “pay to public key”. If these coins truly are lost, they cannot be moved to safety in a post-quantum address type. These are like ancient gold coins lying on the sea floor in a shipwreck, thought unretrievable – until someone built a better submarine. So the Bitcoin community must decide what is to be done with them. Freeze them, and engage in a kind of institutionalized theft, or let them go, and allow an unknown and possibly hostile quantum agent to become the largest Bitcoin holder. Neither option is good, and there’s no consensus in the community at present. The Bitcoin community has never voted to freeze or immobilize anyone’s coins, no matter how odious. In fact, this kind of collective theft (even if done for a good reason) was precisely why many Bitcoiners disparaged Ethereum in the early days. By doing this, Bitcoiners would show that they are no better than their hated rivals. It would also signal to future holders that collective confiscation in times of emergency is an option on the table. Burning the coins would set a dangerous precedent. So the fate of the abandoned p2pk coins has to be litigated, and a solution (like a fork to freeze or requisition them) must also be implemented and deployed. This is not trivial and would be completely unprecedented in Bitcoin history.
If you’re keeping count, you’ll realize that the required mitigation timeline likely extends to the better part of a decade. We need time to discuss strategies, settle our differences, agree on a roadmap for both the protocol and the vulnerable coins, write the code, test the cryptography, and actually perform the migration. This means that even if the day of quantum reckoning (or “Q-day” as it’s called) arrives a decade from now, we have to start preparing today. An early or unexpected Q-day would be catastrophic. We would have to make a snap decision about whether to freeze vulnerable coins or not, panic-implement a post-quantum signature scheme, hope that scheme is secure, and hope that confidence in the system recovers. Chaincode, a major Bitcoin development firm, estimates that even “short term” contingency measures would take two years. Changing Bitcoin is like steering an aircraft carrier.
A panicked reaction to an abrupt break, rather than the break itself, could destroy Bitcoin. Competing views of whether the vulnerable coins should be destroyed or claimed might cause forks, like we saw in the blocksize wars. Competing forks vying for the Bitcoin name may have just about worked in 2017 when Bitcoin was much less mature and the stakes were lower, but that kind of scenario today would cause the big institutional sources of capital Bitcoin relies on to lose faith in the protocol. Quantum pierces Bitcoin’s promise of inviolability. No wonder that most Bitcoiners are so fearful to even acknowledge it. They know that admitting that there’s a risk is to cast doubt on Bitcoin’s central narrative of incorruptibility. From the capital allocator’s perspective, you don’t want to have a tail risk on your ultimate rainy-day store of value asset. So Bitcoiners have chosen to play a massive prisoner’s dilemma game where they all keep quiet and don’t snitch. But they didn’t bank on the emergence of a few intellectually honest Bitcoiners who were willing to tell the world an unpopular truth – even if it’s to our own detriment.
Some Bitcoiners think US law will prevent anyone in possession of a CRQC from using it against Bitcoin. But reducing Bitcoin’s guarantees to a mere hope that adversaries follow legal rules is small comfort. We can’t trust that the early stewards of quantum technology will be benevolent. Though they won’t publicly acknowledge it, there’s a reason major quantum companies are coyly sniffing around Bitcoin conferences: there’s a multi-hundred billion dollar bounty waiting for them if they can build the hardware to claim it. China is devoting massive state resources to quantum computing, and they have no allegiance to Bitcoin or US law. And it’s not out of the question that the US government might preemptively requisition vulnerable Bitcoins if they believe China is imminently about to.
If you’re following my reasoning, it becomes evident that we should be preparing today. Expert and government consensus suggests that quantum could be a problem sometime between 2030 and 2035, which, given readiness timelines, means we have to start preparing today. The possible damage from a quantum break which we are not prepared for would be catastrophic – a total loss of confidence in the system. So the expected value of quantum risk to Bitcoin today is significantly negative. To investors or developers that ignore the threat, I would ask, what is the probability of a complete wipeout you are willing to take? 10%? 5%? 1%? People buy insurance against unlikely events if the potential losses are catastrophic. Even if the risk of a dangerous flood is only 1% in any given year, you’re probably buying flood insurance, and you are glad that you did. And the truth is, insuring against quantum risk would be “cheap”, because developers are mostly engaged in pointless navel gazing. The main developer priority over the last decade has been the lightning-based scaling model, which has simply been a failure. Internecine debates over filters and whether Bitcoin should carry arbitrary data have captured developer attention. Only two updates to the Bitcoin protocol have occurred in the last decade. Though they will surely try, the developers cannot plausibly claim they are too busy with important business to focus on this growing existential threat.
What is the Bitcoin community doing about it? Very little, unfortunately. There has been a smattering of efforts to explore post-quantum signature schemes and some early mitigation ideas, but very little in the way of actual concrete proposals. The only listed Bitcoin Improvement Proposal (BIP), BIP360, is led by a relative outsider rather than one of Bitcoin’s high priests whose assent is typically required for a major update. And all BIP360 actually does at this stage is undo a major error committed by Bitcoin developers, which was to introduce the quantum-vulnerable Taproot address type in 2021. They did this despite the lead developer Pieter Wuille openly admitting at the time that Taproot addresses were exposed to quantum risk. Even as of 2025, Wuille maintains that there is “no urgency” to quantum-proof Bitcoin.
What annoys me most about this is how uncharacteristically indifferent Bitcoin developers are to the creeping risk of quantum computing. Ordinarily, Bitcoin development culture is maximally paranoid, almost to the point of farce. Developers minimize dependencies on third party libraries – at great cost to themselves – out of a fear that they might introduce a bug. Bitcoin famously rejected industry-standard elliptic curve stacks and avoided OpenSSL’s ECC implementation, instead standardizing on secp256k1 and maintaining its own bespoke code. And this is just one example. Many of you will remember how even modest increases to the block size were debated for years as potential existential threats, with developers warning that a few extra megabytes could fracture the network or compromise decentralization. The system’s scripting language was deliberately crippled – not for lack of imagination, but out of fear of denial of service attacks and emergent behavior. Each of these choices is borderline ideological, grounded in a culture of extreme self-reliance, resistance to present and future threats, and general paranoia. Yet incredibly, now that Bitcoin is facing the total obsolescence of modern public key cryptography, the developer reaction is complacency.
When confronted with the risks posed by quantum computing, Bitcoiners often respond that the threat applies equally to all financial technology (and any other system that relies on encryption). The implication is that the world would be ending anyway, so it’s not worth worrying about. But aside from this being nonsensical (obviously, we would still want Bitcoin to work, particularly in a chaotic situation), it’s not true. Q-day, assuming it happens at a time when governments and major financial institutions are generally prepared, will look a lot like Y2K, in that it will be a non-event due to adequate preparation. Post-quantum signatures exist and can be trivially implemented by any centralized authority. It’s mainly blockchains, with their governance inertia and difficulty upgrading, where there is a problem. Cloudflare already protects a majority of its traffic with post-quantum encryption. AWS has already deployed post-quantum cryptography across key services. NordVPN already offers post-quantum browsing. While infrastructural upgrades can be painful, all financial institutions, software companies and governments are highly centralized and can simply mandate an upgrade. (There is a small category of systems that cannot upgrade, like devices with burned-in hardware and no ability to update. But this refers to super long-lived hardware that should probably be phased out anyway. Satellites are one exception to this, and they are poorly positioned for Q-day as well.)
Decentralized blockchains like Bitcoin cannot update themselves with the agility of a centralized database operator. Bitcoin has only pushed through two updates since 2017 and even those came after enormous rancor and infighting. Additionally, because a huge fraction of the vulnerable coins are held in abandoned addresses, and the owners of those addresses simply cannot be compelled to move their coins, even if Bitcoin does upgrade to post-quantum signatures, it still faces the risk that 1.7m coins are abruptly seized by a quantum attacker. Not only would Bitcoin have to upgrade in an orderly and timely manner, but Bitcoiners would have to collectively agree to burn these 1.7m coins in order to defuse this risk – something completely unprecedented in Bitcoin history.
Bitcoin is also more vulnerable than other blockchains. It has more presumed lost or abandoned coins as a share of supply. Ethereum does face some of the same risks, but its account abstraction and smart contract capabilities mean that with a bit of trickery, Ethereum can implement PQ signatures without even a fork. A post-quantum fork would ultimately be required, but it’s much likelier to happen with Ethereum’s governance process, which is vastly more active. Ethereum also benefits from the existence of a leader who acknowledges the quantum threat and has already made proposals to deal with it. Solana, another competitor, has already begun testing post-quantum signatures. Layer twos like Starkware tout quantum resistance as a core value proposition. Bitcoiners will chafe at these comparisons, but it’s a very real possibility that Bitcoin is the only blockchain left exposed on Q-day.
So here’s the ugly truth. Few are the Bitcoiners who will admit it. Blockchains are uniquely vulnerable to quantum computing compared to other systems that rely on public key cryptography, and Bitcoin is uniquely vulnerable among blockchains. Quantum computing has moved from a remote theoretical possibility to merely an engineering challenge, and it could be here in a decade or less. If so, Bitcoiners need to start preparing today.
Thanks for the write-up Nic. One suggestion I have is that I strongly encourage us to deliberately separate the conversation around PQ sigs/addresses from the one about the lost coins.
There is no world where I see consensus forming to freeze p2pk, and including it as part of the discussion just creates roadblocks. It riles up many, which halts conversation about giving PQ choices to the rest.
These are two separate and discrete issues. First we must give people the option to move to post QC schemes. Status quo here is tremendous damage if we do nothing AND QC emerges.
The tertiary issue is what we do with the coins. Status quo is law of the jungle, which the market would eventually sort through, and the impacts are considerably less important long term.
The winning company of the quantum break is legally allowed to confiscate Satoshi's. They will want to help protect all others far in advance to protect their winnings.