Bitcoin & Quantum Computing — Research Series by NVK


Research Series

No hype. No FUD. Just engineering.
A deep dive into what's real, what's not, and what's being built.


Frequently Asked Questions

The Threat

Can quantum computers break Bitcoin today?

No. Breaking secp256k1 (Bitcoin's elliptic curve) requires approximately 1,200-2,300 logical qubits running Shor's algorithm with fault tolerance for minutes. As of 2026, the most advanced quantum computers have 48-94 logical qubits and can only sustain computation for milliseconds. The largest number ever factored by a quantum computer is 15. No quantum computer has ever solved a meaningful elliptic curve discrete log instance. Zero cryptographic systems have been broken by quantum computers to date. There is no operational quantum threat to Bitcoin today.

When will quantum computers actually become a threat?

Expert predictions range from 2029 to “never,” with wide disagreement. Adam Back (Hashcash inventor) estimates 20-40 years. Craig Gidney (Google Quantum AI) gives a 10% chance of a cryptographically relevant quantum computer by 2030. A 26-expert survey suggests 28-49% probability within 10 years. Multiple serious physicists — Leonid Levin, Michel Dyakonov, Gil Kalai, Tim Palmer — argue fault-tolerant quantum computing at cryptographic scale may face fundamental physical barriers and could be impossible.

Every vendor roadmap has been revised backward. IBM dropped its million-qubit target. PsiQuantum missed its 2025 deadline. Google quietly walked back. The 3-5 year timelines driving public panic are not supported by current hardware trajectories.

Does “harvest now, decrypt later” apply to Bitcoin?

Largely no. Bitcoin does not use encryption. It uses digital signatures. The blockchain is public by design — all transaction data is visible to everyone, always. There is nothing encrypted to harvest and decrypt later. The “harvest now, decrypt later” framing applies to encrypted communications (TLS, Signal, etc.), not to Bitcoin fund security.

As Adam Back puts it: “Encryption implies data is hidden and can be decrypted. Bitcoin's security model is based on signatures that prove ownership without exposing the private key.” There is a minor privacy nuance — a quantum computer could link identities to transactions by deriving public keys from old addresses — but that's a privacy concern, not a theft risk.

Can quantum computers break Bitcoin mining?

No, and it's thermodynamically impossible. Grover's algorithm provides only a quadratic speedup against hash functions like SHA-256 — not the exponential speedup Shor's provides against ECDSA. A 2025 paper titled Kardashev Scale Quantum Computing for Bitcoin Mining calculated that quantum mining at Bitcoin's real-world difficulty would require approximately 10²³ physical qubits and 10²⁵ watts of power — roughly 3% of the Sun's total energy output.

Humanity's total energy consumption is about 1.8 × 10¹³ watts. You would need to multiply that by a trillion to quantum-mine a single block. A $2,000 ASIC plugged into a wall outlet is 14,500x faster than the best theoretical quantum miner. Quantum mining is not a thing. Not now, not in 50 years, possibly not ever.

What percent of Bitcoin is actually vulnerable to a quantum attack?

About 30-35% of the supply (roughly 6.26 million BTC per Chaincode Labs) has exposed public keys on-chain. The breakdown:

  • Tier A (~1.7M BTC) — immediately vulnerable, old P2PK format with keys visible right now, including Satoshi's ~1.1M BTC
  • Tier B (~5.2M BTC) — coins in reused addresses and Taproot key-path outputs; vulnerable but migratable
  • Tier C — every transaction is briefly vulnerable during the ~10 minutes it sits in the mempool

The remaining 65-70% of coins sit in addresses that have never been spent from, where the public key is still hidden behind a hash. These are safe until the moment you spend from them. Modern Bitcoin address types (P2PKH, P2SH, SegWit) do not expose your public key until you spend.

The FUD Industry

Why is there so much quantum FUD around Bitcoin?

Follow the money. The quantum computing industry has received over $40 billion in government funding globally plus billions in private capital, while generating under $1 billion in 2024 revenue. Rigetti trades at a price-to-sales ratio of 360:1. IonQ at 188:1. At the peak of the dot-com bubble, Amazon was 31:1.

Over five years, executives at IonQ, Rigetti, and D-Wave collectively sold $930 million in stock while buying only $4.3 million — a 216:1 sell-to-buy ratio. The industry has every incentive to keep the fear alive, because the fear is what justifies the funding. Per Greg Maxwell, at least two distinct fraud schemes are actively raising funds by promising to build quantum computers that will steal Bitcoin. For every investor they convince, 99 others are panicked into believing the threat is imminent. The FUD is a byproduct of the fundraising.

Why do quantum predictions keep getting walked back?

Because they were always aspirational marketing, not engineering forecasts. PsiQuantum promised 1M qubits by 2025 — nothing materialized. IBM promised 1M qubits by 2030 — now targets 100K by 2033, with monolithic scaling abandoned. Google quietly dropped its million-qubit target. D-Wave missed its 1,024-qubit promise by seven years. Google's “quantum supremacy” claim was disputed by IBM within days and simulated on a classical supercomputer within years. IBM's “quantum utility” was refuted by studies running the same experiment on a laptop. Nvidia's Jensen Huang said in January 2025 that useful QC was 15-30 years away, then walked it back two months later.

The industry rebrands every time reality catches up: quantum supremacy → quantum advantage → quantum utility → quantum readiness. Each rebrand is a retreat disguised as progress. DARPA's quantum program manager openly calls himself the “Chief Quantum Skeptic.”

The Defenses

Is anyone actually working on post-quantum Bitcoin?

Yes. At least 17 named researchers are actively building post-quantum defenses for Bitcoin, including Ethan Heilman (BIP-360), Jonas Nick (SHRINCS, SHRIMPS), Pieter Wuille, Tim Ruffing (formal proof that Taproot's script-path is post-quantum secure), Matt Corallo, conduition, jesseposner (PQ HD wallets), Olaoluwa Osuntokun (zk-STARK BIP-32 escape), Tadge Dryja, Greg Maxwell, Robin Linus (Binohash), and Avihu Levy (Quantum Safe Bitcoin).

There are 13 different proposals, 15+ active Delving Bitcoin threads, 20+ Bitcoin Optech newsletter issues covering the topic, a published BIP, a running testnet with Dilithium opcodes active, and real post-quantum transactions already on the Liquid sidechain. The “nobody is working on this” narrative is factually wrong.

What is BIP-360? Does it include post-quantum signatures?

BIP-360 (also called P2MR, previously P2QRH/P2TRH/P2TSH) is a soft-fork proposal by Ethan Heilman that introduces a new Bitcoin address type (bc1z) that removes the quantum-vulnerable key-path from Taproot. It's published in Draft status with a running testnet: BTQ Technologies v0.3.0, 50+ miners, 100,000+ blocks, five Dilithium post-quantum opcodes active.

The catch: BIP-360 is an address format, not a signature scheme. The actual post-quantum signature algorithms are deferred to follow-up BIPs. It's a shell that defines where post-quantum signatures will go, but doesn't yet say which ones. Critics, including Pieter Wuille, argue this means BIP-360 provides “false security” until the signature layer ships.

What is SHRINCS?

SHRINCS is a hash-based post-quantum signature scheme developed by Jonas Nick at Blockstream Research, optimized specifically for Bitcoin's constraints. It produces 324-byte signatures at NIST Level 1 security — only 5x larger than current Schnorr signatures (64 bytes) and 24x smaller than NIST's standard SLH-DSA (7,856 bytes). Stateful signing takes 3.7 seconds; verification is sub-millisecond. Real SHRINCS transactions already exist on the Liquid sidechain. Greg Maxwell calls the progress “pretty reasonable.”

The extension SHRIMPS supports multiple backup devices with ~2,500-byte signatures. The unsolved problem is state management: stateful signatures require the hardware wallet to reliably track which one-time keys it has used; fault injection, wallet duplication, and parallel signing race conditions remain open engineering challenges. Jonas Nick labels SHRINCS “work in progress,” not production-ready.

Is Taproot already post-quantum secure?

Partially, and it's more interesting than most people realize. Tim Ruffing — co-author of the Taproot BIP itself — published a formal proof in July 2025 (IACR ePrint 2025/1307) that Taproot's script-path spending is post-quantum secure in the Quantum Random Oracle Model, with a 2⁸¹ SHA-256 evaluation security bound.

However, 70-90% of existing P2TR outputs use BIP 86 construction with a provably unspendable script path — they have no fire escape to use. A new April 2026 proof-of-concept by Olaoluwa Osuntokun changes this picture: it's a zk-STARK proof that BIP-32 wallet owners can prove seed knowledge without revealing the seed, because BIP-32 hashes the seed through SHA-512 which is quantum-resistant. This shrinks the confiscation surface from “most Taproot users” to “non-HD wallets and genuinely lost seeds.” Proof generation: ~50 seconds on an M4 Max. Proof size: ~200KB with recursive composition.

What is Quantum Safe Bitcoin (QSB)?

QSB is a scheme published in April 2026 by Avihu Levy (StarkWare, co-author of ColliderScript) that achieves quantum-resistant Bitcoin transactions using only existing consensus rules — no soft fork, no new opcodes, no activation, no politics.

It uses a hash-to-signature puzzle: the script hashes a transaction-bound public key through RIPEMD-160 and interprets the 20-byte output as a DER-encoded ECDSA signature, which succeeds with probability ~2⁻⁴⁶. The spender grinds transaction parameters until the hash output happens to be valid DER. Security rests entirely on hash pre-image resistance, not elliptic curve hardness — Shor's algorithm provides zero advantage.

Cost: $75-$150 per transaction in GPU compute. Lineage: ColliderScript (2024, $50M/tx) → Binohash (Feb 2026, $50/tx) → QSB ($75-$150 for quantum safety). The catches: limited to legacy script (not SegWit or Taproot), non-standard transactions requiring miner-direct submission via services like Marathon's Slipstream, and the end-to-end pipeline has not yet been demonstrated on mainnet. Not practical for everyday use, but it proves Bitcoin's existing scripting language already contains the building blocks for quantum defense — no permission required.

Why is Lightning Network a quantum problem?

Because no post-quantum adaptor signature construction exists, even in theory. Lightning Network — Bitcoin's primary scaling solution — depends on adaptor signatures to implement its payment channel model. Every other piece of the post-quantum toolkit is either solved or actively being worked on: basic signatures via SHRINCS, HD wallets (just solved in March 2026 via Raccoon-G), threshold signatures (partially, via FROST).

Adaptor signatures aren't “almost done” or “in progress.” The math for the critical subsystem hasn't started. This is the most significant unsolved problem in post-quantum Bitcoin, and if you work on Lightning, it is your problem.

What To Do

Should I worry about my Bitcoin right now?

No. Not today, probably not this decade. The quantum hardware required to break secp256k1 does not exist and is not on any credible roadmap within a 5-year window. The media headlines are not tracking engineering reality — they're tracking press releases from companies whose insiders are dumping stock.

That said, Bitcoin's cryptographic assumptions are load-bearing and should be diversified regardless of whether large-scale quantum computers ever exist. Defense-in-depth is the right framing, not panic. The actual, today-relevant worries are: stop reusing addresses, don't expose xpubs, keep long-term holdings in addresses you've never spent from, and use a good hardware wallet. The protocol-level upgrades will come, on Bitcoin time, the way they always do.

What should I actually do today?

For holders:

  • Stop reusing addresses. Every address should be used exactly once.
  • Keep long-term cold storage in addresses you have never spent from. Your public key is still hidden behind a hash, so your quantum surface is zero until the moment you spend.
  • Protect your xpub with the same care as a private key, because it leaks your address set.
  • When bc1z addresses become available via BIP-360, use them.
  • Use a quality hardware wallet. Ignore the headlines — the underlying papers are more interesting and far less scary.
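The exposure tiers above and the address-reuse advice in this checklist both come down to one question per coin: is the public key already on-chain? The following is an added example, not code from the article or from Coinkite. It classifies a scriptPubKey by its standard template, then audits a constructed UTXO set, treating any coin on an address that has already been spent from as exposed regardless of script type. Address labels and amounts are constructed; script-path nuances of Taproot are ignored and all P2TR outputs are counted as key-path exposed.

```python
from __future__ import annotations
from dataclasses import dataclass

def classify_spk(spk_hex: str) -> tuple[str, str]:
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    b = bytes.fromhex(spk_hex)
    n = len(b)
    # P2PK: <push33|push65> <pubkey> OP_CHECKSIG -> raw key on-chain (Tier A)
    if n in (35, 67) and b[0] == n - 2 and b[-1] == 0xAC:
        return "p2pk", "exposed"
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and b[:3] == b"\x76\xa9\x14" and b[-2:] == b"\x88\xac":
        return "p2pkh", "hidden"
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and b[:2] == b"\xa9\x14" and b[-1] == 0x87:
        return "p2sh", "hidden"
    # Native SegWit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and b[:2] == b"\x00\x14":
        return "p2wpkh", "hidden"
    if n == 34 and b[:2] == b"\x00\x20":
        return "p2wsh", "hidden"
    # P2TR: OP_1 <32-byte tweaked pubkey> -> key-path key is visible (Tier B)
    if n == 34 and b[:2] == b"\x51\x20":
        return "p2tr", "exposed"
    return "unknown", "unknown"

@dataclass
class Utxo:
    address: str   # constructed label, not a real encoded address
    spk_hex: str
    sats: int

def audit(utxos: list[Utxo], spent_from: set[str]) -> dict[str, int]:
    """Sum satoshis by exposure. A prior spend from the same address put the
    public key in an old input, so reused hashed outputs count as exposed."""
    totals = {"exposed": 0, "hidden": 0, "unknown": 0}
    for u in utxos:
        _, exposure = classify_spk(u.spk_hex)
        if exposure == "hidden" and u.address in spent_from:
            exposure = "exposed"
        totals[exposure] += u.sats
    return totals

# Constructed sample wallet: one of each common type plus a reused P2PKH address
SAMPLE = [
    Utxo("addr-p2pk", "21" + "02" + "11" * 32 + "ac", 5_000),
    Utxo("addr-fresh-wpkh", "0014" + "22" * 20, 7_000),
    Utxo("addr-reused-pkh", "76a914" + "33" * 20 + "88ac", 3_000),
    Utxo("addr-tr", "5120" + "44" * 32, 2_000),
]
SPENT_FROM = {"addr-reused-pkh"}  # addresses that already appear in an input
```

Run `audit(SAMPLE, SPENT_FROM)` to see that only the never-spent P2WPKH coin remains hidden; a real wallet audit would feed it decoded output scripts and the address set from its transaction history.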

For developers: Review jesseposner's PQ HD-wallet work. Fix the OP_STARK_VERIFY transaction-binding bug. Solve the state-management problem for stateful signatures — it's a career-making problem. Complete Avihu Levy's QSB pipeline and get the first quantum-safe Bitcoin transaction on-chain. If you work on Lightning, the adaptor signature gap is your problem and nobody else is solving it.

For institutions: Plan a 2-3 year key rotation window. Track the ECDLP challenge suite for empirical threat progression. Talk to your custodian about their quantum roadmap — if they don't have one, that's your answer.

About the Research

Who is NVK and how was this research done?

NVK is the CEO of Coinkite, the company behind the Coldcard Bitcoin hardware wallet. This series is independent research grounded in primary sources: every Delving Bitcoin quantum thread (15+ threads), every Bitcoin Optech newsletter that mentioned quantum (issues #307-#399), the BIPs, academic papers from IACR ePrint and arXiv, mailing list debates, testnet reports from the BTQ Technologies deployment, and real SHRINCS transactions on the Liquid sidechain. Part 3 alone references 95+ individual research documents.

The research is compiled via llm-wiki, a personal LLM-compiled knowledge base, using parallel agentic research where multiple Claude agents hunt primary sources concurrently across different angles (academic, technical, applied, contrarian, historical). Every article is still hand-edited and every claim is verified against its primary source. The research is not affiliated with any quantum computing vendor — in fact, it's explicitly critical of the financial incentives driving the industry's fear narrative. See the About page for more.

"Put bitcoin on Coldcard. Unplug computer. Go outside. You win."
