Introduction to Quantum Computing and Bitcoin
For years, the potential threat of quantum computing to cryptocurrencies, particularly Bitcoin, has been a topic of discussion. The narrative often follows a predictable pattern: researchers make a breakthrough, social media erupts with “Bitcoin is dead” predictions, and the news cycle continues. However, Adam Back, CEO of Blockstream, recently offered a more nuanced perspective on the issue. Back, whose Hashcash proof-of-work system predates Bitcoin, believes that Bitcoin is “probably not” vulnerable to a cryptographically relevant quantum computer in the next 20 to 40 years.
More importantly, Back emphasized that Bitcoin does not have to wait passively for that day. The National Institute of Standards and Technology (NIST) has already standardized quantum-safe signature schemes like SLH-DSA, which Bitcoin can adopt through soft fork upgrades long before a quantum machine poses a real threat. This transforms the quantum risk from an unsolvable catastrophe into a solvable engineering problem with a multi-decade runway.
The Technical Gap Between Theory and Reality
The actual vulnerability of Bitcoin lies not in its hash function, SHA-256, but in the ECDSA and Schnorr signatures on the secp256k1 elliptic curve, which prove ownership. A quantum computer running Shor’s algorithm could solve the discrete logarithm problem on secp256k1, deriving a private key from a public key and invalidating the entire ownership model. However, breaking a 256-bit elliptic curve requires between 1,600 and 2,500 logical, error-corrected qubits, each of which requires thousands of physical qubits to maintain coherence and correct errors.
An analysis based on the work of Martin Roetteler and other researchers calculates that breaking a 256-bit EC key within the narrow time window relevant to a Bitcoin transaction would require about 317 million physical qubits, given realistic error rates. Current quantum hardware stands far from this goal, with Caltech’s neutral atom system operating around 6,100 physical qubits, but these are noisy and have no error correction.
The Migration Roadmap Already Exists
Back’s comment that “Bitcoin can add something over time” points to concrete proposals already circulating among developers. BIP-360, titled “Pay to Quantum Resistance Hash,” defines new output types whose spending conditions include both classical signatures and post-quantum signatures. A single UTXO becomes spendable under either scheme, allowing for gradual migration rather than an abrupt cutoff.
Jameson Lopp and other developers have been building on BIP-360 with a multi-year migration plan. First, add PQ-enabled address types via soft fork. Then gradually encourage or subsidize the movement of coins from vulnerable outputs to PQ-protected outputs, reserving some block space in each block specifically for these “rescue” moves. Similar transitions were already recommended in scientific papers from 2017.
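The first step of any migration plan of this kind is deciding which coins are “vulnerable”: an output whose public key is already on-chain (P2PK, or a Taproot output key) gives Shor’s algorithm something to work on, whereas a hash-only output (P2PKH, P2WPKH, P2SH, P2WSH) exposes the key only when it is spent or when its address has been reused. The classifier below is an added example, not code from the article, from BIP-360 or from any wallet; the scriptPubKey byte patterns are the standard ones, and the UTXO values and the set of previously revealed hashes are constructed sample data.

```python
from __future__ import annotations
from enum import Enum

class Exposure(Enum):
    KEY_ON_CHAIN = "public key sits in the output itself"
    KEY_REVEALED_BY_REUSE = "hash-only output whose key an earlier spend already revealed"
    HASH_ONLY = "only a hash is on-chain until the coin is spent"
    UNKNOWN = "unrecognised scriptPubKey"

def classify(script: bytes, revealed: frozenset[bytes]) -> Exposure:
    """Classify a scriptPubKey by whether a public key is available for Shor's algorithm."""
    n = len(script)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        return Exposure.KEY_ON_CHAIN                      # P2PK: <pubkey> OP_CHECKSIG
    if n == 34 and script[:2] == b"\x51\x20":
        return Exposure.KEY_ON_CHAIN                      # P2TR: OP_1 <32-byte output key>
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        h = script[3:23]                                  # P2PKH: hash160(pubkey)
    elif n == 23 and script[:2] == b"\xa9\x14" and script[-1] == 0x87:
        h = script[2:22]                                  # P2SH: hash160(redeem script)
    elif n == 22 and script[:2] == b"\x00\x14":
        h = script[2:]                                    # P2WPKH: hash160(pubkey)
    elif n == 34 and script[:2] == b"\x00\x20":
        h = script[2:]                                    # P2WSH: sha256(witness script)
    else:
        return Exposure.UNKNOWN
    # Address reuse: if this hash already appeared in a spending input, the key is public.
    return Exposure.KEY_REVEALED_BY_REUSE if h in revealed else Exposure.HASH_ONLY

def triage(utxos, revealed):
    """Sum the value (in satoshis) held under each exposure class."""
    totals = {e: 0 for e in Exposure}
    for script, value in utxos:
        totals[classify(script, revealed)] += value
    return totals

def at_risk_value(utxos, revealed):
    """Value that a migration plan would want to move to PQ-protected outputs first."""
    t = triage(utxos, revealed)
    return t[Exposure.KEY_ON_CHAIN] + t[Exposure.KEY_REVEALED_BY_REUSE]

# Constructed sample data (not real chain data): five outputs with values in satoshis.
P2PK   = b"\x21\x02" + b"\x11" * 32 + b"\xac"
P2TR   = b"\x51\x20" + b"\x22" * 32
P2PKH  = b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac"
P2WPKH = b"\x00\x14" + b"\xbb" * 20
P2WSH  = b"\x00\x20" + b"\xcc" * 32
REVEALED = frozenset({b"\xaa" * 20})   # hash160 already seen in a spending input (constructed)
SAMPLE_UTXOS = [(P2PK, 50_000), (P2TR, 10_000), (P2PKH, 7_000), (P2WPKH, 3_000), (P2WSH, 1_000)]

if __name__ == "__main__":
    for e, v in triage(SAMPLE_UTXOS, REVEALED).items():
        print(f"{e.name:<22} {v:>8} sat  ({e.value})")
    print("needs migration first:", at_risk_value(SAMPLE_UTXOS, REVEALED), "sat")
```

Note that a hash-only output is only safe until it is spent: the spending transaction reveals the key, which is why the roadmap above pairs new output types with a scheduled move of coins rather than relying on P2PKH-style outputs alone.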
The Post-Quantum Toolbox is Ready
NIST finalized the first wave of post-quantum standards in August 2024, including FIPS 203 ML-KEM for key encapsulation, FIPS 204 ML-DSA for lattice-based digital signatures, and FIPS 205 SLH-DSA for stateless hash-based digital signatures. Bitcoin developers now have a menu of NIST-approved algorithms as well as reference implementations and libraries. Bitcoin-focused implementations already support BIP-360, suggesting that the post-quantum toolbox exists and continues to mature.
However, implementation is not without challenges. A 2025 study examining SLH-DSA noted its vulnerability to Rowhammer-style fault attacks and emphasized that although its security rests on ordinary hash functions, implementations still need to be hardened. Post-quantum signatures also consume more resources than their classical counterparts, raising questions about transaction sizes and the economics of fees.
Why 2025 Won’t Be About Quantum
BlackRock’s iShares Bitcoin Trust (IBIT) amended its prospectus in May 2025 to include detailed disclosures on quantum computing risk, warning that a sufficiently advanced quantum computer could threaten Bitcoin’s cryptography. However, analysts recognized that this was a standard risk factor disclosure, boilerplate language alongside generic technology and regulatory risks, rather than a signal that BlackRock expected quantum attacks to be imminent.
A 2025 SSRN study found that news related to quantum computing triggers some rotation into explicitly quantum-resistant coins, but conventional cryptocurrencies see only modest negative returns and volume spikes around such news, with no structural revaluation. The near-term threat lies more in investor sentiment than in the technology of quantum computing itself.
Conclusion
Bitcoin’s quantum story isn’t really about whether a cryptographically relevant quantum computer comes to market in 2035 or 2045. Rather, it’s about whether the protocol’s governance can coordinate upgrades before that date becomes relevant. Any serious analysis reaches the same conclusion: now is the time to prepare, precisely because migration is a decade away, not because the threat is imminent.
Read more about Adam Back’s thoughts on Bitcoin’s 20-year quantum runway and why it matters more than today’s headlines: https://cryptoslate.com/why-adam-backs-thinks-bitcoins-20-year-quantum-runway-matters-more-than-todays-headlines/
