The Quantum Threat to Bitcoin
SHOR'S ALGORITHM
A sufficiently powerful quantum computer running Shor's algorithm can solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) in polynomial time. This means it could derive any private key from its public key -- breaking ECDSA and Schnorr signatures entirely.
VULNERABLE
ECDSA signatures (secp256k1)
Schnorr signatures (BIP-340)
Exposed public keys (P2PK, reused P2PKH/P2WPKH)
Any UTXO where the public key is known
SAFE
SHA-256 (Grover only halves security: 256 → 128-bit)
RIPEMD-160 (hash-locked addresses)
HASH160-protected UTXOs (pubkey not yet revealed)
Mining proof-of-work
~4M
BTC IN EXPOSED UTXOS
~20%
OF SUPPLY VULNERABLE
~1.1M
SATOSHI'S COINS (P2PK)
TWO ATTACK TYPES
Long-exposure attack: Derive keys from already-exposed public keys (P2PK outputs, address reuse). The attacker has unlimited time.
Short-exposure attack: Extract the key from a broadcast transaction's witness before it confirms. Requires extreme speed -- minutes, not days.
BIP-360: Pay to Merkle Root
THE EVOLUTION
BIP-360 went through three name changes reflecting its expanding scope:
P2QRH (Pay-to-Quantum-Resistant-Hash) -- original, narrowly focused on post-quantum
P2TSH (Pay-to-Tapscript-Hash) -- broadened to general script commitments
P2MR (Pay-to-Merkle-Root) -- final form, emphasizing the core mechanism
MERKLE ROOT
├── BRANCH
│   ├── LEAF: SCRIPT A
│   └── LEAF: SCRIPT B
└── BRANCH
    ├── LEAF: SCRIPT C
    └── LEAF: SCRIPT D
Each leaf is a tapscript spending condition (currently Schnorr; PQ algorithms via future BIPs)
HOW IT WORKS
Outputs commit to a Merkle root of a script tree (SegWit v2, bc1z addresses). Structurally identical to Taproot's script tree, but with no key-path spend. Only the spent leaf script, its Merkle proof, and a compact control block are revealed on-chain.
VS TAPROOT
Taproot uses a key-path + script-path model. P2MR has no key-path spending -- all spending goes through script leaves. This removes the exposed public key from the output, making it quantum-safe by default.
SCOPE & FUTURE PQ INTEGRATION
BIP-360 defines only the output type -- it does not introduce any new opcodes or PQ signature algorithms. Leaf scripts currently use existing tapscript opcodes (OP_CHECKSIG with Schnorr). Future companion BIPs can add PQ signature opcodes via the OP_SUCCESSx upgrade path already built into tapscript, without changing the P2MR output structure.
Algorithmic Agility Framework
ETHAN HEILMAN'S PROPOSAL (FEB 2026)
Quoting RFC 7696: "Protocol designers need to assume that advances in computing power will eventually make any algorithm obsolete."
Heilman's goal: Bitcoin should enable self-custody for a human lifetime (~75 years). Someone should be able to bury an HD seed in a coffee can and dig it up in 75 years -- even if Schnorr has been broken.
THE DSA1 / DSA2 DESIGN
Leaf 1 (DSA1): <SCHNORR_PUBKEY> CHECKSIG_DSA1 — everyday signatures
Leaf 2 (DSA2): <SLH_DSA_PUBKEY> CHECKSIG_DSA2 — emergency backup only
User normally spends via Leaf 1 (Schnorr — fast, cheap, ~64 bytes).
If Schnorr breaks, user switches to Leaf 2 (SLH-DSA) to migrate funds.
Attacker cannot learn the SLH-DSA pubkey — it's hidden in the Merkle tree.
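The script tree described under HOW IT WORKS and the two-leaf DSA1/DSA2 layout above, as an added example (not code from BIP-360 or Heilman's proposal): it assumes P2MR reuses BIP-341's TapLeaf/TapBranch tagged hashes, since the page calls the tree structurally identical to Taproot's; the key bytes and the CHECKSIG_DSA2 opcode byte are constructed placeholders. Spending through DSA1 reveals only the hash of the DSA2 leaf, which is the property the design relies on.

```python
import hashlib

def tagged_hash(tag: str, msg: bytes) -> bytes:
    # BIP-341 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def leaf_hash(script: bytes, version: int = 0xC0) -> bytes:
    # TapLeaf commitment: leaf version, compact-size script length, script (scripts here are < 253 bytes)
    assert len(script) < 0xFD
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)

def branch_hash(a: bytes, b: bytes) -> bytes:
    # Children are sorted lexicographically, so a Merkle proof needs no left/right flags
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)

def build_tree(scripts):
    """Balanced tree over the leaf scripts; returns (root, proofs), proofs[i] = sibling path of scripts[i]."""
    nodes = [(leaf_hash(s), [i]) for i, s in enumerate(scripts)]
    proofs = [[] for _ in scripts]
    while len(nodes) > 1:
        nxt = []
        for j in range(0, len(nodes) - 1, 2):
            (l, li), (r, ri) = nodes[j], nodes[j + 1]
            for i in li: proofs[i].append(r)
            for i in ri: proofs[i].append(l)
            nxt.append((branch_hash(l, r), li + ri))
        if len(nodes) % 2:          # odd node is carried up unchanged
            nxt.append(nodes[-1])
        nodes = nxt
    return nodes[0][0], proofs

def verify_leaf(root: bytes, script: bytes, proof) -> bool:
    # What a node checks when a P2MR output is spent: leaf + proof must hash up to the committed root
    h = leaf_hash(script)
    for sibling in proof:
        h = branch_hash(h, sibling)
    return h == root

# Constructed leaf scripts modelled on the DSA1/DSA2 design (placeholder key bytes):
# DSA1 = <32-byte Schnorr pubkey> OP_CHECKSIG (0xac)
# DSA2 = <32-byte SLH-DSA pubkey> CHECKSIG_DSA2, with 0xbb (an OP_SUCCESSx byte) standing in for the hypothetical opcode
DSA1 = b"\x20" + b"\x11" * 32 + b"\xac"
DSA2 = b"\x20" + b"\x22" * 32 + b"\xbb"

def dsa_example():
    # An everyday DSA1 spend reveals DSA1's script plus proofs[0], and proofs[0] is just leaf_hash(DSA2):
    # the SLH-DSA public key itself stays hidden until the backup path is actually used.
    root, proofs = build_tree([DSA1, DSA2])
    return root, proofs
```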
WHY SLH-DSA AS BACKUP?
Hash-based security -- relies only on hash functions, "most likely secure long term"
Different assumptions -- ECDLP (Schnorr) and hash preimage (SLH-DSA) unlikely to break simultaneously
NIST standard (FIPS 205) -- ecosystem of HSMs, hardware acceleration, library support
TRADE-OFFS
~10 vbytes extra -- P2MR is ~37 witness bytes larger than P2TR (modest cost)
SLH-DSA sigs are ~8 KB -- expensive, but only used for emergency migrations
No key-path spending -- all P2MR spends go through script leaves
THE COFFEE-CAN SCENARIO
Even if DSA3 (a hasty replacement for Schnorr) is also broken, the buried seed is still safe — because DSA2 (SLH-DSA) is unbroken. When the seed is dug up, DSA2 can migrate funds to DSA3+DSA2. This buys time for non-hash-based PQ algorithms (ML-DSA, FALCON) to mature before being deployed as a new everyday algorithm.
Mitigating the Quantum Freeze
BITMEX RESEARCH: AN OPTIMISTIC OUTLOOK
BitMex Research (Feb 2026) analyzed recovery methods for coins frozen by a quantum threat. Their key finding: "almost every quasi frozen coin" can be recovered via four proposed methods. The article focuses not on the damage of a freeze, but on how to get coins back.
~20M
BTC NEEDING RECOVERY
1.7M
BTC IN P2PK (8.6%)
~18M
BTC WITH 3+ RECOVERY PATHS
1. COMMITMENT RECOVERY
Two-tx process: publish a hash commitment in OP_RETURN, wait 100 blocks, then reveal the private key. Quantum safe because knowledge of the private key is proven before any signature hits the chain. Single use — the private key is exposed on-chain.
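The commit-and-reveal checks a verifier would apply to method 1, as an added example (not BitMex's or any proposal's reference code): the commitment is assumed to be the plain SHA-256 of the private key, the 100-block delay is taken from the description above, and secp256k1 scalar multiplication is written out in pure Python so the revealed key can be matched against the P2PK output's public key. Heights and the demo key are constructed.

```python
import hashlib

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
COMMIT_DELAY = 100  # blocks the reveal must wait after the OP_RETURN commitment confirms

def ec_add(a, b):
    # Affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def pubkey(priv: int) -> bytes:
    # Double-and-add scalar multiplication, compressed SEC encoding (02/03 || x)
    r, q = None, G
    while priv:
        if priv & 1: r = ec_add(r, q)
        q = ec_add(q, q); priv >>= 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def commitment(privkey: bytes) -> bytes:
    # Payload of the first transaction's OP_RETURN (assumed here: plain SHA-256 of the key)
    return hashlib.sha256(privkey).digest()

def verify_reveal(commit_height, commit_hash, reveal_height, privkey, output_pubkey) -> bool:
    """Checks on the second (reveal) tx: commitment buried 100 blocks, key matches it, key controls the output."""
    if reveal_height < commit_height + COMMIT_DELAY:
        return False                       # commitment not yet buried deep enough before the key becomes public
    if commitment(privkey) != commit_hash:
        return False                       # revealed key is not the one that was committed to
    k = int.from_bytes(privkey, "big")
    if not 0 < k < N:
        return False                       # not a valid secp256k1 scalar
    return pubkey(k) == output_pubkey      # key really controls this P2PK output; it is now public (single use)

# Constructed walk-through: key 1 is used only so the expected pubkey is the generator itself
DEMO_KEY = (1).to_bytes(32, "big")
def demo() -> bool:
    c = commitment(DEMO_KEY)                      # tx 1 at height 800000
    return verify_reveal(800_000, c, 800_100, DEMO_KEY, pubkey(1))  # tx 2, exactly 100 blocks later
```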
2. SEED PHRASE COMMITMENT
Same two-tx structure, but commits the BIP-39 seed phrase instead. SHA-512 derivation is quantum safe. Works even with address reuse and Taproot outputs. Trade-off: the seed phrase is exposed on-chain after reveal.
3. PRE-QDAY COMMITMENT
For P2PK outputs (1.7M BTC). Must happen before QDay. BitMex notes it's "pretty pointless" since funds could just be swept to safe addresses instead — but it enables a "plausible deniability" scenario (e.g. Satoshi). Can use a Merkle root to cover thousands of outputs in one tx.
4. ZKP SEED PHRASE (STARK)
The most innovative method: a zero-knowledge proof that proves seed knowledge without revealing it. Single tx, no pre-QDay action needed, reusable, and fully preserves privacy. Limitation: not everyone uses BIP-39 seed phrases.
WHAT REMAINS UNRECOVERABLE?
"Only in scenarios when both a seed phrase wasn't used and the public key was exposed when the coins were received, would the coins be potentially totally unrecoverable." — P2PK outputs without seed phrases and without pre-QDay commitments are the only truly lost case.
Where We Stand
2024
NIST finalizes ML-DSA, ML-KEM, SLH-DSA -- first round of post-quantum standards published (FIPS 203, 204, 205). BIP-360 development begins as P2QRH.
2025
BIP-360 evolves through P2QRH → P2TSH → P2MR. Heilman proposes algorithmic agility framework on bitcoin-dev. Active discussion of quantum preparedness strategies.
2026 (Now)
BIP-360 PR #1670 finalized. Community debate on timeline urgency, migration strategies, and whether to pursue a soft fork activation path. No consensus on activation yet.
2030s?
Cryptographically Relevant Quantum Computer (CRQC) -- most estimates place a Shor-capable machine at 2030-2040, though pessimistic estimates say as early as late 2020s. Uncertainty is the core problem.
KEY TAKEAWAY
Bitcoin's quantum defense strategy is defense in depth: BIP-360 provides the output format, algorithmic agility provides the cryptographic flexibility, and freeze planning provides the emergency backstop. The biggest risk isn't that quantum computers arrive -- it's that we aren't ready when they do.