Together with the team at the bitcoin mixer Mixer.Money<\/a>, we examine how developers are preparing for \u201cQ Day\u201d\u2014a possible moment in the future when the first cryptocurrency could become vulnerable to quantum attacks.<\/p>\n Bitcoin\u2019s protocol uses public-key cryptography to make transactions. When a new wallet is created, it generates a mathematically linked pair of keys\u2014public and private. The private key must be kept secret; the public key is visible to all. This enables digital signatures created with the private key, which anyone can verify using the corresponding public key.<\/p>\n The security of this pairing rests on a one-way function<\/a>: a public key is easily derived from a private key, but not the other way round. In 1994, however, the mathematician Peter Shor published a quantum algorithm<\/a> capable of breaking this assumption. Any organisation with a cryptoanalytically relevant quantum computer (CRQC) could use it to derive a private key from its public counterpart.<\/p>\n Accordingly, the author of BIP-360<\/a>, writing under the pseudonym Hunter Beast, stresses that preventing public keys from appearing on-chain is a crucial step toward quantum safety.<\/p>\n Back in 2019 the bitcoin developer Pieter Wuille estimated that around 37%<\/a> of supply could be at risk because public keys are revealed on-chain\u2014either coins were received directly to public keys or addresses were reused.<\/p>\n In early versions of the software, coins could be received in two ways:<\/p>\n As long as no spend has been made from a P2PKH address, its public key does not appear on-chain. It becomes known only when the owner spends from it.<\/p>\n After a spend, it is best practice not to reuse the address. Modern wallets are configured to generate a new address for every transaction\u2014primarily for privacy rather than quantum resistance.<\/p>\n Even so, in 2024 ordinary users, exchanges and custodians still hold hundreds of thousands of bitcoins on reused addresses.<\/p>\n Hunter Beast distinguishes two types of quantum attack:<\/p>\n The latter becomes possible because the public key is revealed when coins are spent. Pulling this off would require powerful CRQCs because it must be done within a brief window. In the early stages of CRQC development, long-range attacks\u2014where the public key is known in advance\u2014are more plausible.<\/p>\n Short-range attacks target any transaction in the mempool, whereas long-range attacks focus on:<\/p>\n The table below informs bitcoin users whether their coins are vulnerable to a long-range attack:<\/p>\n Notably, the last major bitcoin upgrade\u2014Taproot (P2TR)\u2014sparked a debate<\/a> in 2021 precisely because of quantum vulnerability concerns for this address type. At the time, Blockstream co-founder and bitcoin developer Mark Friedenbach published \u201cWhy I\u2019m against Taproot\u201d<\/a>, expressing reservations about activating the upgrade amid progress in quantum computing.<\/p>\n In an interview<\/a> with Unchained, Hunter Beast explained the Taproot vulnerability:<\/p>\n \n\u201cUnfortunately, Taproot contains an onchain short version of the public key\u2014the x-coordinate of the elliptic-curve point. That information is sufficient to recover the full public key.\u201d<\/em><\/cite><\/p><\/blockquote>\n Coinbase<\/span> transactions paying to public keys (P2PK) continue up to block #200,000. Most of them hold 50 BTC<\/span>.<\/p>\n Hunter Beast calls these coins \u201cSatoshi\u2019s shield.\u201d In his view, any address with a balance below 50 BTC is uneconomic to attack.<\/p>\n \n\u201cFor this reason, those who want to be prepared for a quantum emergency are advised to store no more than 50 BTC on a single unused Native SegWit address (P2WPKH, bc1q). This assumes the attacker is financially motivated and not, say, a state actor intent on undermining confidence in bitcoin,\u201d he argues.<\/em><\/cite><\/p><\/blockquote>\n BIP-360 could become the first proposal under QuBit\u2014a soft fork to make bitcoin resilient to quantum attacks.<\/p>\n \n\u201cA qubit is the fundamental unit of quantum computation, and the capital letter B stands for bitcoin. The name QuBit also somewhat rhymes with <\/em>SegWit<\/em>,\u201d the BIP-360 text notes.<\/em><\/cite><\/p><\/blockquote>\n The proposal introduces a new address type beginning with bc1r<\/span>. P2QRH would be implemented atop P2TR, combining classical Schnorr signatures with post-quantum cryptography.<\/p>\n \n\u201cSuch hybrid cryptography avoids lowering security should one of the signature algorithms prove vulnerable. The key difference between P2QRH and P2TR is that P2QRH encodes a hash of the public key. This is a significant departure from how Taproot works, but it is necessary to prevent public keys from being exposed on-chain,\u201d the author of BIP-360 argues.<\/em><\/cite><\/p><\/blockquote>\n P2QRH uses the HASH256<\/span> algorithm to hash the public key. This reduces the size of new outputs and boosts security by keeping public keys off-chain.<\/p>\n BIP-360 proposes introducing FALCON<\/a> signatures first. After that, SQIsign and other post-quantum algorithms\u2014SPHINCS+<\/a>, CRYSTALS-Dilithium<\/a>\u2014would be added. The specification<\/a> for SQIsign says it has the smallest total size among known post-quantum schemes.<\/p>\n FALCON is roughly four times larger than SQIsign\u2014and about 20 times the size of Schnorr signatures.<\/p>\n \n\u201cFALCON is a more conservative approach than SQIsign. Its use was recently approved by NIST<\/span>, which simplifies deployment thanks to the scientific community\u2019s consensus. Even so, SQIsign signatures are about five times larger than Schnorr signatures. This implies that, to maintain today\u2019s transaction throughput, the witness discount<\/span> likely needs to be increased in the QuBit soft fork. This will be specified in a future QuBit BIP,\u201d the proposal states.<\/cite><\/p><\/blockquote>\n Hash-based cryptosystems are more conservative and time-tested. Lattice-based cryptography<\/a> is comparatively new and introduces fresh security assumptions to bitcoin, but its signatures are smaller and may be seen by some as a reasonable alternative to hash-based schemes. SQIsign is far more compact, but it relies on a new form of cryptography<\/span> and, at the time of writing, had not been approved by NIST or the wider community.<\/p>\n According to BIP-360, including four cryptosystems is motivated by the need to support hybrid cryptography, especially for large outputs such as exchange cold-storage wallets. A new library akin to libsecp256k1<\/a> will be developed for adoption.<\/p>\n Hunter Beast allows that, after P2QRH is deployed, there may be demand for Pay to Quantum Secure (P2QS) addresses:<\/p>\n \n\u201cThere is a distinction between cryptography that is merely resistant to quantum attacks and cryptography that is secured using dedicated quantum hardware. P2QRH is quantum-resistant, whereas P2QS is quantum-secure. Signing would require specialised quantum hardware, but the public keys would remain verifiable by classical means. P2QS would require additional BIPs.\u201d<\/em><\/cite><\/p><\/blockquote>\n For now, quantum-cryptography hardware is not widely available, so quantum-resistant addresses may serve as an acceptable interim solution.<\/p>\n In October 2024, researchers at the University of Kent published an analysis<\/a> estimating the time required to move bitcoins to quantum-resistant addresses.<\/p>\n \n\u201cWe calculated a lower bound on the cumulative time needed for the above transition. It is 1,827.96 hours (or 76.16 days). We also show that the transition must be completed before quantum devices that break <\/em>ECDSA<\/em> appear, to ensure bitcoin\u2019s security,\u201d the paper states.<\/em><\/cite><\/p><\/blockquote>\n In his presentation<\/a> at Future of Bitcoin 2024, Casa\u2019s CTO Jameson Lopp calculated that migrating all UTXO<\/span>s would take at least 20,500 blocks (about 142 days).<\/p>\n \n\u201cBut it\u2019s far more likely to take longer, because that\u2019s the most optimistic scenario in which the bitcoin network is used exclusively for migration. Such expectations are, of course, unrealistic. The process could take years. We should be conservative and assume it may take many years,\u201d Lopp argues.<\/em><\/cite><\/p><\/blockquote>\n He concludes that even if the quantum threat seems distant, it is better to discuss it \u201csooner rather than later.\u201d<\/p>\n Over the years bitcoin has faced varied bouts of FUD: the spectre of a 51% attack, government bans, altcoin competition and, now, quantum computing. These concerns surface regularly, yet the first cryptocurrency has so far proved resilient.<\/p>\n \n\u201cAfter spot ETF approvals and BlackRock\u2019s educational videos on bitcoin, nobody is talking about bans anymore. Fears of a 51% attack were always overstated, and its impact on the network is extremely limited,\u201d note representatives of Mixer.Money<\/a>.<\/cite><\/p><\/blockquote>\n The quantum threat is deeper, but the proposed QuBit soft fork shows developers are well aware of it. Quantum resistance also features in Ethereum\u2019s roadmap<\/a>, from which the bitcoin community can glean useful lessons.<\/p>\n \n\u201cIt\u2019s worth noting, however, that Ethereum can execute a quantum transition with another hard fork. Bitcoin is more complex: there are no hard forks, and Satoshi\u2019s coins cannot simply be frozen\u2014doing so would undermine the first cryptocurrency\u2019s foundational principles,\u201d say the team at Mixer.Money<\/a>.<\/cite><\/p><\/blockquote>\n The fate of \u201cSatoshi\u2019s shield\u201d and other coins that do not move to quantum-resistant addresses remains unclear. The bitcoin developer Luke Dashjr suggests that, in future, they might be treated as akin to mining.<\/p>\nWhat the quantum threat entails<\/h2>\n
\n
![\"image2-374\"](\"https:\/\/forklog.com\/wp-content\/uploads\/image2-374-1024x212.png\")
\n
\n
![\"image1-608\"](\"https:\/\/forklog.com\/wp-content\/uploads\/image1-608-1024x396.png\")
Satoshi\u2019s shield<\/h2>\n
QuBit<\/h2>\n
The quantum transition<\/h2>\n
Conclusions<\/h2>\n