Abstract
Key Points at a Glance
- ECDSA is the weak link: Bitcoin and Ethereum use elliptic curve signatures; Shor's algorithm breaks them.
- Exposed public keys = harvest targets: Addresses that have sent transactions already expose their public keys permanently on-chain.
- Satoshi's ~1 million BTC: Early coins on exposed addresses cannot migrate—a potential quantum windfall waiting to be claimed.
- The blockchain is a permanent record: Unlike TLS traffic, blockchain data is freely available forever—making harvest-now, decrypt-later trivially easy.
- Post-quantum hard forks are being explored: Both Ethereum and Bitcoin communities are researching PQC upgrades, but coordination is challenging.
How Crypto Signatures Work (and Why They're at Risk)
Every Bitcoin or Ethereum transaction requires a digital signature to prove ownership. When you send cryptocurrency, your wallet uses your private key to create a signature that anyone can verify using your public key. This is the same fundamental mechanism that secures TLS connections, emails, and software updates worldwide.
Bitcoin and Ethereum specifically use ECDSA (Elliptic Curve Digital Signature Algorithm) based on the secp256k1 curve. The security rests on the discrete logarithm problem: given a public key, it's computationally infeasible for classical computers to derive the private key.
⚠️ The Quantum Vulnerability
Shor's algorithm, running on a sufficiently powerful quantum computer, can solve the discrete logarithm problem efficiently. This means a quantum attacker could derive your private key from your public key—and then steal your funds.
For a deeper dive into how Shor's algorithm threatens elliptic curve cryptography and what this means for Bitcoin's future, watch this excellent technical explanation:
Video: How does Shor's algorithm break Bitcoin's elliptic curve cryptography
This vulnerability isn't unique to cryptocurrency—it affects all systems using RSA or elliptic curve cryptography. However, blockchain has a unique problem: the public, permanent nature of its transaction history creates a perfect harvest target.
The "Exposed Keys" Problem
Here's a critical nuance many people miss: your Bitcoin address is not your public key. A Bitcoin address is actually a hash of your public key (using SHA-256 and RIPEMD-160). This provides an extra layer of protection—until you spend from that address.
The moment you send a transaction, your public key becomes part of the blockchain's permanent, immutable record. Unlike a TLS session that disappears after the connection closes, blockchain transactions are stored forever—on thousands of nodes worldwide, in countless backups, and in public block explorers.
💡 Address Types and Quantum Risk
P2PKH (Legacy addresses starting with "1"): Public key exposed upon first spend.
P2WPKH (SegWit addresses starting with "bc1q"): Similar exposure pattern—protected until
spending.
P2PK (Pay-to-Public-Key): Used in early Bitcoin—public key exposed immediately. This is
the format Satoshi used.
The Lost Coins Dilemma—Satoshi's Quantum Windfall
Imagine this scenario: It's 2035. A nation-state or well-funded entity achieves a cryptographically relevant quantum computer (CRQC). They don't attack active users first—they go after the biggest, most defenseless target: Satoshi Nakamoto's estimated 1.1 million BTC.
🚨 The Unmovable Fortune
Satoshi's early mining rewards used P2PK format, meaning the public keys are directly exposed on the blockchain. These coins haven't moved since 2009-2010. Without access to the private keys, the legitimate owners cannot migrate these coins to quantum-safe addresses—ever. They remain "sitting ducks" on the blockchain.
Here's the cruel irony: while the original owner cannot move these coins, a quantum attacker can. By deriving the private key from the exposed public key, the attacker effectively "finds" what the owner lost—and claims the fortune.
At current prices, this represents over $80 billion in Bitcoin that could be claimed by the first quantum computer capable of breaking secp256k1. But Satoshi's coins are just the most famous example.
This creates a troubling economic incentive: the first entity to achieve quantum supremacy over ECDSA could claim billions in "abandoned" cryptocurrency. This isn't theft in the traditional sense—it's more like finding a vault whose combination has become trivially easy to guess.
Harvest-Now, Decrypt-Later—Blockchain Edition
We've discussed the harvest-now, decrypt-later (HNDL) threat in previous articles. The basic idea: adversaries capture encrypted data today and store it until quantum computers can break the encryption.
For most encryption (like TLS traffic), HNDL requires actively intercepting data streams—through BGP hijacks, compromised ISPs, or malicious proxies. But blockchain makes HNDL trivially easy:
- 💾 Publicly available: Every transaction is broadcast to the entire network and stored permanently.
- 🌍 Global replication: Thousands of nodes maintain complete copies of the blockchain.
- 📜 Historical completeness: Every transaction since January 2009 is preserved.
- 🔓 No harvesting required: Adversaries don't need to intercept—they just download the blockchain.
Any exposed public key from any transaction—ever—becomes a potential target. The attacker simply downloads the blockchain today, waits for quantum capabilities, then derives private keys from public keys at their leisure.
Timeline—When Does the Clock Stop?
How much time does the crypto community have? Expert opinions vary, but the trend is clear: timelines are compressing.
Resource estimates continue to improve. The landmark 2019 Gidney & Ekerå paper estimated breaking RSA-2048 would require approximately 20 million noisy qubits running for 8 hours. More recent research suggests algorithmic improvements could reduce this to several million qubits—still enormous by today's standards, but the trend is clear. Breaking secp256k1 (Bitcoin's curve) requires similar resources, as both rely on quantum algorithms solving related mathematical problems.
⏱️ The Real Deadline: Migration Time
Even if CRQC arrives in 2035, the blockchain community needs to migrate before that date. Coordinating a hard fork across millions of users, thousands of exchanges, and countless wallets takes years—not months. The practical deadline is much sooner than "Q-Day" itself.
The Path Forward—Post-Quantum Hard Forks
The good news: post-quantum cryptographic algorithms exist today. NIST finalized ML-KEM and ML-DSA standards in August 2024, and the blockchain community is actively researching migration paths.
Ethereum's Approach
Ethereum co-founder Vitalik Buterin has discussed quantum resistance as a priority. Research areas include:
- Account abstraction allowing users to choose their signature schemes
- zkSNARK-based signature aggregation for efficient post-quantum signatures
- Gradual migration through smart contract upgrades
Bitcoin's Challenge
Bitcoin's conservative upgrade philosophy makes post-quantum migration more complex:
- Soft fork vs. hard fork debates: Community consensus is historically difficult
- Signature size concerns: Post-quantum signatures (e.g., SPHINCS+) are much larger than ECDSA
- No forced migration: Users must actively move funds to new address types
📊 The Signature Size Problem
Current ECDSA signatures: ~71 bytes
ML-DSA-65 (Dilithium): ~3,300 bytes (46× larger)
SPHINCS+-128s: ~7,800 bytes (110× larger)
Larger signatures mean fewer transactions per block, higher fees, and slower confirmation times. This is a real engineering challenge for blockchain scalability.
What Can Holders Do Today?
While waiting for protocol-level upgrades, cryptocurrency holders can take steps to reduce their quantum risk:
- Never reuse addresses: Generate a fresh address for each transaction. Once you spend from an address, don't deposit more funds there.
- Use modern address formats: Both Legacy P2PKH (addresses starting with "1") and SegWit (bc1q...) hash your public key, keeping it hidden until you spend. Avoid P2PK format entirely. SegWit is recommended for other benefits like lower fees.
- Minimize time with exposed keys: If you must consolidate funds, do it in one transaction and move to a fresh address.
- Follow community proposals: Stay informed about BIPs (Bitcoin Improvement Proposals) related to post-quantum security.
- Understand the migration window: When PQC addresses become available, migrate funds promptly.
Conclusion: The Quantum Clock Is Ticking
The quantum threat to blockchain isn't hypothetical—it's a matter of when, not if. Billions of dollars in cryptocurrency sit on addresses with exposed public keys, permanently recorded on a globally replicated ledger that anyone can download.
Unlike traditional harvest-now-decrypt-later scenarios, blockchain HNDL requires no active attack—the data is already public. The first entity to achieve quantum supremacy over elliptic curves could claim not just Satoshi's legendary stash, but millions of Bitcoin from addresses that can never be migrated.
The path forward exists: post-quantum cryptographic standards are finalized, and both Bitcoin and Ethereum communities are researching migration strategies. But coordination takes time, and the quantum timeline keeps compressing.
The question isn't whether Bitcoin will survive quantum computing—it's whether the community will act fast enough to ensure it does.
Next Step
Want to understand the broader post-quantum cryptography landscape? Explore how organizations are preparing for the quantum transition:
Read: What is Harvest-Now, Decrypt-Later? →