{"id":24640,"date":"2025-06-11T17:14:06","date_gmt":"2025-06-11T14:14:06","guid":{"rendered":"https:\/\/forklog.com\/en\/chaincode-labs-sizes-up-the-quantum-threat-to-bitcoin\/"},"modified":"2025-06-11T17:14:06","modified_gmt":"2025-06-11T14:14:06","slug":"chaincode-labs-sizes-up-the-quantum-threat-to-bitcoin","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/chaincode-labs-sizes-up-the-quantum-threat-to-bitcoin\/","title":{"rendered":"Chaincode Labs sizes up the quantum threat to Bitcoin"},"content":{"rendered":"<p>Researchers at Chaincode Labs have published <a href=\"https:\/\/chaincode.com\/bitcoin-post-quantum.pdf\">a detailed report<\/a> on potential quantum-computing threats to Bitcoin. The 55-page document was prepared by Dr Anthony Milton and Clara Shikhelman in May 2025.<\/p>\n<h2 class=\"wp-block-heading\">How many bitcoins are at risk<\/h2>\n<p>The authors estimate that 20% to 50% of all bitcoins in circulation (4\u201310m BTC) are potentially vulnerable to attacks using cryptographically relevant quantum computers (CRQCs).<\/p>\n<p>The most precise estimate, from Project Eleven on 17 January 2025, <a href=\"https:\/\/www.projecteleven.com\/btc-at-risk\">points<\/a> to 6,262,905 BTC. The funds break down as follows:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Satoshi-era bitcoins<\/strong> \u2014 600,000 to 1.1m BTC remain on P2PK addresses with fully exposed public keys;<\/li>\n<li><strong>lost coins<\/strong> \u2014 2m to 3m BTC belong to users who have lost access to private keys. Not all are quantum\u2011vulnerable, but a significant share is at risk;<\/li>\n<li><strong>addresses with exposed keys<\/strong> \u2014 millions of bitcoins sit at addresses where public keys were revealed through reuse.<\/li>\n<\/ul>\n<p>The researchers draw particular attention to the concentration of funds at exchange addresses. 
Some hold hundreds of thousands of bitcoins, making them priority targets for potential quantum attacks.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAs for assets with exposed public keys, many large holders, including exchanges and institutional custodians, have historically managed their cold storage by reusing addresses for operational simplicity. [\u2026]<\/em><\/p>\n<p><em>As a result, an economically prioritized list of targets for quantum attacks emerges: breaking into such addresses could deliver the maximum return for the effort invested,\u201d the report says.<\/em><\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">When to expect \u201cQ-Day\u201d<\/h2>\n<p>In 2024 the Global Risk Institute ran a <a href=\"https:\/\/globalriskinstitute.org\/publication\/2024-quantum-threat-timeline-report\/\">survey<\/a> of 32 leading academics. Almost a third (10 of 32) reckon the probability of a CRQC within the next ten years is 50% or higher.<\/p>\n<p>The authors point to government initiatives that underscore the seriousness of the threat:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>United States.<\/strong> President Joe Biden\u2019s National Security Memorandum from May 2022 sets a goal to \u201cmitigate potential quantum risks by 2035.\u201d <span data-descr=\"US National Institute of Standards and Technology\" class=\"old_tooltip\">NIST<\/span> has set 2030 as the deadline to retire RSA\u20112048 and ECC\u2011256, with a full ban by 2035;<\/li>\n<li><strong>United Kingdom. <\/strong>The National Cyber Security Centre has issued a three\u2011phase migration plan: identify vulnerable systems by 2028; priority upgrades from 2028 to 2031; full migration from 2031 to 2035;<\/li>\n<li><strong>European Union. 
<\/strong><span data-descr=\"European Telecommunications Standards Institute\" class=\"old_tooltip\">ETSI<\/span> is coordinating an approach through its Quantum\u2011Safe Cryptography working group, though specific timelines are not yet set;<\/li>\n<li><strong>China. <\/strong>Instead of adopting NIST standards, in February 2025 China launched its own \u201cNext\u2011Generation Cryptographic Algorithms for Commercial Use\u201d programme through the Institute of Commercial Cryptography Standards. No public implementation timeline has been announced.<\/li>\n<\/ul>\n<p>The researchers also note accelerating progress in quantum computing. In December 2024 Google <a href=\"https:\/\/forklog.com\/en\/news\/googles-quantum-chip-sparks-bitcoin-security-concerns\">unveiled<\/a> the Willow processor with 105 physical qubits, marking a key milestone in quantum error correction. Microsoft in February 2025 <a href=\"https:\/\/forklog.com\/en\/news\/microsoft-unveils-majorana-1-quantum-computing-chip\">introduced<\/a> Majorana 1 \u2014 the first quantum processor based on topological qubits.<\/p>\n<h2 class=\"wp-block-heading\">Two types of quantum attack<\/h2>\n<p>Quantum computers threaten Bitcoin by breaking elliptic\u2011curve cryptography via <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%90%D0%BB%D0%B3%D0%BE%D1%80%D0%B8%D1%82%D0%BC_%D0%A8%D0%BE%D1%80%D0%B0\">Shor\u2019s algorithm<\/a>. This algorithm can derive a private key from a public key in hours or days rather than the quadrillions of years required by classical computers.<\/p>\n<p>Long\u2011horizon attacks target three script types with known public keys:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Pay to Public Key (P2PK)<\/strong> \u2014 the oldest type, used for early mining rewards. 
It accounts for 0.025% of <span data-descr=\"Unspent transaction output\" class=\"old_tooltip\">UTXO<\/span>s but holds 8.68% of the bitcoin supply;<\/li>\n<li><strong>Pay to MultiSig (P2MS)<\/strong> \u2014 \u201craw multisig,\u201d introduced in 2011. It covers 1.037% of UTXOs with roughly 57 BTC;<\/li>\n<li><strong>Pay to Taproot (P2TR)<\/strong> \u2014 introduced in 2021, it makes up 32.5% of UTXOs with 0.74% of supply (146,715 BTC).<\/li>\n<\/ul>\n<p>Short\u2011term attacks affect all transactions, but only within a narrow time window when a user\u2019s public key is exposed in the mempool prior to confirmation.<\/p>\n<h2 class=\"wp-block-heading\">Burn or leave<\/h2>\n<p>The fate of quantum\u2011vulnerable funds has already split the community into two camps.<\/p>\n<p>Advocates of \u201cburning,\u201d led by <a href=\"https:\/\/forklog.com\/en\/news\/jameson-lopp-proposes-burning-quantum-vulnerable-bitcoins\">Jameson Lopp<\/a>, argue that removing vulnerable coins would preserve Bitcoin\u2019s integrity. In their view, allowing quantum computers to seize funds is akin to redistributing wealth from those who lost access to their bitcoins to those who win the technological race for quantum computers.<\/p>\n<p>Lopp likens the quantum vulnerability to a protocol\u2011level bug that should be fixed. Burning, he says, would provide certainty and limit market volatility.<\/p>\n<p>Opponents see burning as confiscation and a violation of coin\u2011holders\u2019 property rights. Bitcoin, they argue, was designed so users retain full sovereignty over their funds, with the ability to access them at any time.<\/p>\n<p>A change that renders certain UTXOs permanently unspendable would amount to third\u2011party interference \u2014 precisely what Bitcoin was created to resist. 
It would be de facto confiscation for owners who, for whatever reason, are unaware of the quantum threat or cannot move coins to quantum\u2011resistant addresses in time.<\/p>\n<p>Either path would affect the overall bitcoin supply (if coins are burned) or lead to a large redistribution of wealth (if \u201cquantum theft\u201d occurs). Legal questions also arise over developers\u2019 potential liability for any decision.<\/p>\n<h2 class=\"wp-block-heading\">Proposed solutions<\/h2>\n<p>Developers are weighing several approaches to quantum safety, each with its own advantages and trade\u2011offs.<\/p>\n<p><strong>OP_CAT in Tapscript (BIP\u2011347). <\/strong>Ethan Heilman and Armin Sabouri propose restoring the OP_CAT opcode, disabled by Satoshi in 2010. It would enable Lamport signatures that are resistant to quantum attacks.<\/p>\n<p><strong>QuBit (BIP\u2011360). <\/strong>A developer using the pseudonym Hunter Beast has presented the most worked\u2011through proposal after months of discussion. P2QRH introduces a new output type using the NIST\u2011approved FALCON algorithm, as well as CRYSTALS\u2011Dilithium and SPHINCS+.<\/p>\n<p><strong>Quantum\u2011safe Taproot scripts.<\/strong> Matt Corallo has proposed adding an OP_SPHINCS opcode to verify post\u2011quantum signatures. This would let wallets create Taproot outputs with a quantum\u2011safe spend path. Luke Dashjr noted that wallets could begin implementation as soon as the specification is finalised, without waiting for a soft\u2011fork activation.<\/p>\n<p><strong>Signature compression via STARKs<\/strong>. Ethan Heilman has proposed aggregating post\u2011quantum signatures into a single compact STARK proof. 
This could increase Bitcoin\u2019s throughput while improving privacy.<\/p>\n<h2 class=\"wp-block-heading\">Transition strategy<\/h2>\n<p>The authors suggest a two\u2011track approach, acknowledging uncertainty about the quantum timeline.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>short\u2011term measures (two years)<\/strong> \u2014 build a minimally viable solution for emergency deployment;<\/li>\n<li><strong>long\u2011term plan (seven years)<\/strong> \u2014 design an optimal quantum\u2011resistant protocol. The timeline references the precedents of SegWit (8.5 years from concept to adoption) and Taproot (7.5 years).<\/li>\n<\/ul>\n<p>They estimate that migrating all UTXOs to quantum\u2011resistant addresses would take 76 to 568 days, depending on available block space.<\/p>\n<h2 class=\"wp-block-heading\">Mining appears safe<\/h2>\n<p>Quantum computers are unlikely to disrupt bitcoin mining in the foreseeable future owing to fundamental constraints.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cUnlike quantum attacks on digital signatures, quantum mining has to compete with classical mining. In the case of Bitcoin\u2019s elliptic\u2011curve\u2011based signatures, once quantum computers reach sufficient maturity, a single machine (a CRQC) will be able to compromise funds by breaking the cryptography used. Quantum mining, by contrast, would require a large number of fast quantum machines to match the performance of modern ASICs. 
Unlike classical mining, quantum mining parallelises poorly, which makes it far harder to scale and much less efficient in practice,\u201d the report says.<\/em><\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">What holders should do<\/h2>\n<p>The researchers recommend:<\/p>\n<ul class=\"wp-block-list\">\n<li>stop reusing addresses;<\/li>\n<li>move funds from vulnerable script types (P2PK, P2MS, P2TR) to more protected ones (P2PKH, P2SH, P2WPKH, P2WSH);<\/li>\n<li>exchanges should change their cold\u2011wallet management practices to minimise quantum risks.<\/li>\n<\/ul>\n<p>The report stresses that, while the quantum threat is not immediate, the window for preparation will narrow as technology advances. Proactive steps today are necessary for Bitcoin\u2019s long\u2011term survival.<\/p>\n<p>Earlier, Project Eleven <a href=\"https:\/\/forklog.com\/en\/news\/project-eleven-offers-1-btc-for-quantum-breach-of-bitcoin-cryptography\">offered<\/a> 1 BTC for a quantum break of Bitcoin\u2019s cryptography.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Chaincode Labs have published a detailed report on potential quantum-computing threats to Bitcoin. The 55-page document was prepared by Dr Anthony Milton and Clara Shikhelman in May 2025. 
How many bitcoins are at risk The authors estimate that 20% to 50% of all bitcoins in circulation (4\u201310m BTC) are potentially vulnerable to attacks [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24639,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[18,575,1360,1252],"class_list":["post-24640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-bitcoin","tag-quantum-computers","tag-quantum-computing","tag-reports"],"aioseo_notices":[],"amp_enabled":true,"views":"337","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=24640"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/24639"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=24640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=24640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=24640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}