Post-Quantum Cryptography and Bitcoin: How the Quantum Threat Is Reshaping Protocol Security
How quantum computing threatens Bitcoin's ECDSA signatures and what NIST post-quantum standards mean for the protocol's future.
Bitcoin's security rests on the hardness of the elliptic curve discrete logarithm problem. Every ECDSA or Schnorr signature on the secp256k1 curve assumes that no computer can efficiently recover a private key from its public key. A quantum computer running Shor's algorithm would break that assumption. No machine today can do this at cryptographic scale, but research published in March 2026 puts the required hardware closer than previously estimated: potentially under 500,000 physical qubits, a roughly 40-fold reduction from the 20 million projected in 2019.
The question is no longer whether post-quantum cryptography (PQC) will come to Bitcoin, but how it gets there: through soft forks, hard forks, Layer 2 protocols, or some combination. This article examines the specific vulnerabilities, the NIST standards now available, the proposals already on the table, and the engineering tradeoffs that make this migration uniquely difficult for Bitcoin.
How Shor's Algorithm Breaks Bitcoin Signatures
Bitcoin uses the secp256k1 elliptic curve for both ECDSA (legacy and SegWit outputs) and Schnorr signatures (Taproot outputs). Both schemes derive the public key from the private key by elliptic curve scalar multiplication, P = k * G: cheap to compute in one direction, with no known classical algorithm that inverts it in fewer than roughly 2^128 curve operations.
Shor's algorithm solves the elliptic curve discrete logarithm problem (ECDLP) in polynomial time on a sufficiently large fault-tolerant quantum computer. Given a public key P = k * G, it recovers the private key k. This applies equally to ECDSA and Schnorr, because both rely on the same curve and the same hardness assumption; the signature scheme built on top makes no difference.
The practical question is how many qubits this requires. The estimates have been dropping rapidly:
- Roetteler et al. (2017): approximately 2,330 logical qubits for secp256k1
- Gidney and Ekerå (2019): roughly 20 million noisy physical qubits on a superconducting architecture, estimated for RSA-2048 rather than secp256k1, but widely used as the reference point for elliptic curve attack estimates of that era
- Google Quantum AI (March 2026): under 500,000 physical qubits, using improved error correction and circuit optimization
- Cain et al. (March 2026): as few as 10,000 reconfigurable atomic qubits using high-rate quantum error-correcting codes, with approximately 26,000 physical qubits completing the computation in days
Why the numbers keep shrinking: advances in quantum error correction, not just raw qubit counts, drive these reductions. More efficient error-correcting codes need fewer physical qubits per logical qubit. Google's Willow chip (December 2024) showed logical error rates falling exponentially as the code distance increased on a 105-qubit device, validating the theoretical models that underpin these lower estimates.
How Much Bitcoin Is Already Exposed?
Not all Bitcoin addresses are equally vulnerable. The critical distinction is whether the public key is visible on-chain. When a public key has been exposed, an attacker with a sufficiently powerful quantum computer can derive the private key directly.
Sources of Public Key Exposure
Early Bitcoin transactions used Pay-to-Public-Key (P2PK) outputs, where the full public key sits in the scriptPubKey. This includes Satoshi Nakamoto's estimated 1.1 million BTC. Later output types such as P2PKH and P2WPKH commit only to a hash of the public key, but the key is revealed in the scriptSig or witness the first time funds are spent from the address, so any funds left in (or later sent to) a reused address are vulnerable. P2TR (Taproot) outputs place the 32-byte x-only output key directly in the scriptPubKey, as BIP 341 specifies, so the key is exposed from the moment the output is created, whether or not it is ever spent via the key path.
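The following added example (not code from the article) shows how these exposure classes can be determined mechanically from raw scriptPubKeys: it classifies each standard output type by whether the script itself carries a public key, then buckets a constructed UTXO set into structural exposure (key in the script), operational exposure (hash-committed script that has already been spent from at least once) and still-protected value. All keys, hashes, txids and amounts are dummies.

```python
# Added example, not code from the article: classify raw scriptPubKeys by
# whether they already carry an EC public key, then total a constructed UTXO
# set into the exposure classes used above (structural vs. operational).
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_EQUAL, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0x87, 0xAC


def classify_script(spk: bytes):
    """Return (output type, key_in_script).

    key_in_script is True when the scriptPubKey itself contains a public key,
    so the output is quantum-exposed from the moment it is created (P2PK,
    P2TR). Hash-committed types only reveal key material in the scriptSig or
    witness of the transaction that spends them.
    """
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", True                       # <push> <33|65-byte key> OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False                     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH", False                      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False                    # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False                     # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True                       # OP_1 <32-byte x-only output key>
    return "unknown", False


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes


def exposure_totals(utxos, spent_from):
    """Bucket UTXO value by exposure class.

    spent_from: set of scriptPubKeys that have had at least one prior spend
    (address reuse). For a hash-committed script that earlier spend placed the
    key, or the redeem/witness script with its keys, permanently on-chain.
    """
    totals = {"structural": 0, "operational": 0, "protected": 0}
    for u in utxos:
        _, key_in_script = classify_script(u.script_pubkey)
        if key_in_script:
            totals["structural"] += u.value_sat
        elif u.script_pubkey in spent_from:
            totals["operational"] += u.value_sat
        else:
            totals["protected"] += u.value_sat
    return totals


# Constructed sample data, not real chain data; key and hash bytes are dummies.
SAT = 100_000_000
DUMMY_PUBKEY = b"\x02" + bytes(range(1, 33))
HASH_A, HASH_B = bytes([0xAA] * 20), bytes([0xBB] * 20)
P2PKH_A = bytes([OP_DUP, OP_HASH160, 0x14]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

SAMPLE_UTXOS = [
    Utxo("a" * 64, 0, 50 * SAT, b"\x21" + DUMMY_PUBKEY + b"\xac"),  # 2009-style P2PK output
    Utxo("b" * 64, 0, 1 * SAT, P2PKH_A),                             # P2PKH, address reused
    Utxo("c" * 64, 1, 2 * SAT, b"\x00\x14" + HASH_B),                # P2WPKH, never spent from
    Utxo("d" * 64, 0, 3 * SAT, b"\x51\x20" + bytes([0xCC] * 32)),    # P2TR, key in script
]
SAMPLE_SPENT_FROM = {P2PKH_A}   # an earlier spend revealed the key behind HASH_A


if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.txid[:8], u.vout, classify_script(u.script_pubkey))
    print(exposure_totals(SAMPLE_UTXOS, SAMPLE_SPENT_FROM))
```

Against a real node the same logic runs over the UTXO set dump (`bitcoin-cli dumptxoutset`) plus a set of scriptPubKeys seen as spent inputs; the P2SH and P2WSH buckets are only an upper bound, since a revealed redeem script may contain keys that are themselves hash-committed elsewhere.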
Scale of Exposure
Multiple independent analyses converge on similar figures. Deloitte estimated approximately 4 million BTC (roughly 25% of circulating supply) in P2PK or reused P2PKH addresses. A Chaincode Labs paper from 2025 provided a broader range of 4 to 10 million BTC when including all vulnerability categories. Glassnode's 2026 analysis found 6.04 million BTC (30.2% of issued supply, worth approximately $469 billion) with exposed public keys on-chain, broken into 1.92 million BTC from structural exposure (P2PK outputs) and 4.12 million BTC from operational exposure (address reuse).
| Exposure Category | BTC Exposed | Nature of Risk |
|---|---|---|
| P2PK outputs (including Satoshi's coins) | ~1.92M BTC | Public key visible in scriptPubKey; cannot be migrated without private key |
| Reused addresses (P2PKH, P2SH, P2WPKH) | ~4.12M BTC | Public key revealed by prior spending transaction; migratable if keys are still held |
| Exchange-held (subset of above) | ~1.65M BTC | Varies by exchange: Coinbase ~5% exposed, Binance ~85% exposed |
These figures illustrate why post-quantum migration cannot be optional. Even if every active user migrates to quantum-resistant addresses, the coins in dormant P2PK outputs (including lost coins) remain vulnerable indefinitely.
The Harvest-Now-Decrypt-Later Threat
The most immediate concern is not a future quantum computer breaking keys in real time: it is the "harvest now, decrypt later" (HNDL) strategy. State-level adversaries and well-resourced attackers can collect exposed public keys from Bitcoin's public blockchain today, then derive private keys once a cryptographically relevant quantum computer (CRQC) becomes available.
The Federal Reserve published a paper in 2025 specifically addressing this threat for distributed ledger networks. Its key finding: even if blockchain networks successfully deploy PQC mitigations for future security, data privacy of previously recorded transactions remains vulnerable because the blockchain is immutable. UK NCSC and Five Eyes partner agencies have warned that state actors are already conducting data collection campaigns for future quantum exploitation.
For Bitcoin, this is especially dangerous because the "harvest" phase requires zero effort. The blockchain is public. Every exposed public key is already accessible to anyone running a full node. Unlike encrypted communications, where HNDL requires intercepting ciphertext in transit, Bitcoin's HNDL threat involves public keys already broadcast in plaintext on an immutable ledger, and the payoff is not decryption but recovery of a spending key: the attacker can sign a transaction that moves the coins.
When Will Quantum Computers Break ECDSA?
No quantum computer today can run Shor's algorithm at cryptographically relevant scale. The largest publicly known quantum processors have roughly 1,500 qubits, far short of the hundreds of thousands or millions needed. But the timeline estimates are compressing.
Expert Consensus
The NSA's 2022 CNSA 2.0 guidance sets 2030 to 2035 deadlines for national security systems to complete their transition to quantum-resistant algorithms. NIST has set 2035 as the deadline for federal agencies to complete PQC migration, per National Security Memorandum-10 (NSM-10). The Global Risk Institute's 2024 Quantum Threat Timeline found most specialists expect CRQCs in the 2030s, with the probability of one existing by 2035 exceeding 50%.
Hardware Progress
Google's Willow chip (December 2024) achieved 105 qubits with exponential error reduction. IBM's Condor reached 1,121 qubits in December 2023 and targets a large-scale fault-tolerant quantum computer by 2029. Microsoft unveiled Majorana 1 (February 2025): the first chip powered by topological qubits, designed to scale to 1 million qubits on a single chip, though its claims remain debated in the physics community.
In April 2026, Project Eleven awarded its Q-Day Prize (1 BTC) to Giancarlo Lelli for breaking a 15-bit elliptic curve key on publicly accessible quantum hardware: a key space 512 times (2^9) larger than the prior 6-bit break in September 2025. This is still nowhere near Bitcoin's 256-bit keys, where the ECDLP must be solved in a group of roughly 2^256 elements, but the pace of improvement is significant.
The key takeaway: While a CRQC likely remains 5 to 10 years away, the migration itself will take years to coordinate across Bitcoin's decentralized ecosystem. Starting after the threat materializes means starting too late.
NIST Post-Quantum Standards
On August 13, 2024, NIST finalized its first three post-quantum cryptographic standards after an eight-year evaluation process. A fourth is in draft. These standards define the signature schemes that Bitcoin would need to adopt.
The Finalized Standards
FIPS 204: ML-DSA (formerly CRYSTALS-Dilithium) is the primary digital signature standard. It is lattice-based, relying on the hardness of the Module Learning With Errors problem. ML-DSA offers three parameter sets at increasing security levels. Its signatures are compact relative to hash-based alternatives but still dramatically larger than ECDSA or Schnorr.
FIPS 205: SLH-DSA (formerly SPHINCS+) is a hash-based digital signature standard. Its security relies only on the properties of hash functions, making it the most conservative choice: no exotic mathematical assumptions that might be broken by future cryptanalysis. The tradeoff is size. Even the smallest SLH-DSA variant produces signatures of 7,856 bytes.
FIPS 203: ML-KEM (formerly CRYSTALS-Kyber) is a key encapsulation mechanism for encryption, less directly relevant to Bitcoin signatures but important for protocols that use key exchange.
The Draft Standard
FIPS 206: FN-DSA (formerly Falcon) entered its initial public draft in September 2025, with finalization expected in late 2026 or early 2027. FN-DSA uses NTRU lattices and produces the most compact post-quantum signatures available: 666 bytes at its lowest security level. This makes it particularly interesting for blockchain applications where transaction size directly affects throughput and fees.
Signature Size: The Core Engineering Problem
Bitcoin transactions are priced by weight: each byte of non-witness data counts 4 weight units and each byte of witness data counts 1, and fee rates are quoted per virtual byte (4 weight units). Larger signatures mean higher fees, fewer transactions per block, and reduced throughput, even with the witness discount. This is the central tension in Bitcoin's PQC migration: every post-quantum scheme produces signatures 10x to 460x larger than the 64-byte Schnorr signatures Bitcoin uses today.
| Scheme | Public Key | Signature Size | Size vs. Schnorr |
|---|---|---|---|
| ECDSA (secp256k1) | 33 bytes | 71-72 bytes | ~1.1x |
| Schnorr (BIP 340) | 32 bytes | 64 bytes | 1x (baseline) |
| FN-DSA-512 | 897 bytes | 666 bytes | ~10x |
| FN-DSA-1024 | 1,793 bytes | 1,280 bytes | ~20x |
| ML-DSA-44 | 1,312 bytes | 2,420 bytes | ~38x |
| ML-DSA-65 | 1,952 bytes | 3,309 bytes | ~52x |
| ML-DSA-87 | 2,592 bytes | 4,627 bytes | ~72x |
| SLH-DSA-128s | 32 bytes | 7,856 bytes | ~123x |
| SLH-DSA-128f | 32 bytes | 17,088 bytes | ~267x |
A standard Bitcoin block is limited to 4 million weight units. A typical key-path Schnorr transaction (1 P2TR input, 2 P2TR outputs) weighs about 616 weight units (154 vbytes), allowing roughly 6,500 such transactions per block. Replace the 64-byte Schnorr signature with a 2,420-byte ML-DSA-44 signature and the transaction weight grows nearly fivefold to about 2,970 weight units, cutting per-block capacity to under 1,400 transactions; if the output is hash-committed, so that the 1,312-byte public key must also appear in the witness, capacity falls below 1,000. With SLH-DSA-128s (7,856-byte signatures) fewer than 500 such transactions fit in a block.
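The arithmetic behind these capacity figures, as an added example (not code from the article): it applies the BIP 141 weight rule to a 1-input, 2-output spend for each scheme in the table, in two shapes, one where the public key is committed in the scriptPubKey (as in P2TR, so only the signature enters the witness) and one where the output is hash-committed (as in P2WPKH, so the public key must also be revealed in the witness). Transaction layout sizes are the standard serialization sizes; the signature and key sizes are taken from the table above.

```python
# Added example, not code from the article: estimate transaction weight and
# per-block capacity for a 1-input, 2-output spend under each signature scheme
# in the table above, using the BIP 141 weight rule (4 weight units per
# non-witness byte, 1 per witness byte; fees are quoted per vbyte = 4 WU).
import math

MAX_BLOCK_WEIGHT = 4_000_000

# (signature bytes, public key bytes) from the table above
SIGNATURE_SCHEMES = {
    "ECDSA (secp256k1)": (72, 33),
    "Schnorr (BIP 340)": (64, 32),
    "FN-DSA-512": (666, 897),
    "FN-DSA-1024": (1280, 1793),
    "ML-DSA-44": (2420, 1312),
    "ML-DSA-65": (3309, 1952),
    "ML-DSA-87": (4627, 2592),
    "SLH-DSA-128s": (7856, 32),
    "SLH-DSA-128f": (17088, 32),
}


def compact_size_len(n):
    """Bytes used by Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def base_size(n_inputs, n_outputs, output_script_len=34):
    """Non-witness bytes of a native-SegWit/Taproot spend: version, counts,
    inputs with empty scriptSig (outpoint + length byte + sequence), outputs,
    locktime. output_script_len=34 is a P2TR output; a P2WPKH output is 22."""
    inputs = n_inputs * (32 + 4 + 1 + 4)
    outputs = n_outputs * (8 + compact_size_len(output_script_len) + output_script_len)
    return 4 + compact_size_len(n_inputs) + inputs + compact_size_len(n_outputs) + outputs + 4


def witness_size(items):
    """Witness bytes for one input: item count, then each item's length prefix and data."""
    return compact_size_len(len(items)) + sum(compact_size_len(size) + size for size in items)


def tx_weight(n_inputs, n_outputs, witness_items, output_script_len=34):
    """Weight = 4 * base_size + witness bytes (including the 2-byte marker+flag)."""
    witness = 2 + n_inputs * witness_size(witness_items)
    return 4 * base_size(n_inputs, n_outputs, output_script_len) + witness


def vbytes(weight):
    return math.ceil(weight / 4)


def tx_per_block(weight):
    return MAX_BLOCK_WEIGHT // weight


def capacity_report(scheme, n_inputs=1, n_outputs=2):
    """Two spend shapes: key committed in the scriptPubKey (P2TR-style, only the
    signature goes in the witness) and hash-committed output (P2WPKH-style, the
    public key must be revealed in the witness alongside the signature)."""
    sig, pk = SIGNATURE_SCHEMES[scheme]
    w_out = tx_weight(n_inputs, n_outputs, [sig])
    w_wit = tx_weight(n_inputs, n_outputs, [sig, pk])
    return {
        "scheme": scheme,
        "weight_key_in_output": w_out,
        "vbytes_key_in_output": vbytes(w_out),
        "tx_per_block_key_in_output": tx_per_block(w_out),
        "weight_key_in_witness": w_wit,
        "tx_per_block_key_in_witness": tx_per_block(w_wit),
    }


if __name__ == "__main__":
    for name in SIGNATURE_SCHEMES:
        r = capacity_report(name)
        print(f"{name:<20} {r['weight_key_in_output']:>6} WU  "
              f"{r['tx_per_block_key_in_output']:>5} tx/block  "
              f"(pubkey also in witness: {r['tx_per_block_key_in_witness']:>5})")
```

The model deliberately leaves the witness discount in place; a proposal that moved PQC signatures out of the witness, or charged them at a different rate, would change every figure, which is exactly why the fee and block-size questions in the governance section are entangled with the choice of scheme.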
FN-DSA-512 (666 bytes) is the most viable candidate for on-chain use, but it remains in draft status and carries implementation complexity: Falcon's signing uses floating-point Gaussian sampling that must run in constant time to avoid side-channel leakage of the secret key, which is notoriously difficult to get right and to keep portable across hardware. Verification, which is what every node would run, is comparatively simple and fast.
BIP-360 and BIP-361: Bitcoin's Migration Proposals
Two Bitcoin Improvement Proposals address post-quantum migration directly. Neither has reached activation, but both define the design space for how Bitcoin might adapt.
BIP-360: Pay-to-Merkle-Root (P2MR)
BIP-360, authored by Hunter Beast, Ethan Heilman, and Isabel Foxen Duke, was merged into the Bitcoin BIP repository on February 10, 2026. It proposes a new output type via a soft fork that preserves BIP 341 Taproot-style script trees while removing the quantum-vulnerable key-path spend. A P2TR output commits to a tweaked key Q = P + t*G, placing an elliptic curve point on-chain from which a CRQC could recover the key-path spending key; P2MR instead commits only to the 32-byte Merkle root of the script tree, a hash that contains no key material.
BIP-360 addresses "long exposure" attacks: cases where public keys are visible on-chain long before the coins are spent. It does not solve "short exposure" attacks, because the leaf scripts still verify ECDSA or Schnorr signatures, so the public key is revealed in the witness when the transaction is broadcast, and a quantum computer fast enough to derive the private key within the window between broadcast and confirmation (roughly 10 minutes on average) could still race the legitimate spend. A separate soft fork would be needed to introduce PQC signature verification opcodes.
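To make the difference concrete, here is an added example (not code from the article or from the BIP 340/341/360 reference implementations) that also illustrates the key derivation P = k * G discussed in the Shor section above. It implements secp256k1 scalar multiplication in pure Python, builds a BIP 341 script-tree root and tweaked output key, and contrasts the P2TR scriptPubKey (which carries an EC point whose discrete log is exactly the key-path spending key) with a root-only commitment of the kind BIP-360 proposes. The demo private key and leaf scripts are constructed placeholders; BIP-360's actual witness version and output encoding are not reproduced, only the fact that the commitment contains a hash rather than a point.

```python
# Added example, not code from the article or from the BIP 340/341/360
# reference implementations: a minimal pure-Python secp256k1 used to show
# (a) the key derivation P = k*G that Shor's algorithm inverts and
# (b) what a Taproot output publishes versus a Merkle-root-only commitment.
import hashlib

P_FIELD = 2**256 - 2**32 - 977                      # secp256k1 field prime
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def is_on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P_FIELD == 0

def point_add(a, b):
    """Affine group law on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                                   # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def scalar_mult(k, pt=G):
    """Double-and-add k*pt: about 256 doublings forward. The reverse direction,
    recovering k from k*pt, is the ECDLP that Shor's algorithm solves."""
    result, addend = None, pt
    k %= N_ORDER
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def xonly(pt):
    return pt[0].to_bytes(32, "big")                  # BIP 340 x-only encoding

def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def tapleaf_hash(script, leaf_version=0xC0):
    assert len(script) < 0xFD                         # one-byte CompactSize suffices here
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)

def merkle_root(leaf_hashes):
    """Root of one valid BIP 341 tree shape (pairwise, lexicographically sorted branches)."""
    nodes = list(leaf_hashes)
    while len(nodes) > 1:
        pairs = [sorted(nodes[i:i + 2]) for i in range(0, len(nodes) - 1, 2)]
        nxt = [tagged_hash("TapBranch", a + b) for a, b in pairs]
        if len(nodes) % 2:
            nxt.append(nodes[-1])
        nodes = nxt
    return nodes[0]

def taproot_output_key(internal_priv, root=b""):
    """BIP 341: Q = P + t*G with t = H_TapTweak(x(P) || root). Returns the x-only Q
    that a P2TR scriptPubKey publishes and the private key that spends via key path."""
    d = internal_priv % N_ORDER
    P = scalar_mult(d)
    if P[1] & 1:                                      # BIP 340: P must have even y
        d = N_ORDER - d
        P = scalar_mult(d)
    t = int.from_bytes(tagged_hash("TapTweak", xonly(P) + root), "big")
    assert t < N_ORDER
    Q = point_add(P, scalar_mult(t))
    key_path_priv = (d + t) % N_ORDER
    if Q[1] & 1:
        key_path_priv = N_ORDER - key_path_priv
    return xonly(Q), key_path_priv

def p2tr_script_pubkey(xonly_q):
    return b"\x51\x20" + xonly_q                      # OP_1 <32 bytes>: an EC point sits on-chain

def root_only_commitment(leaf_scripts):
    """Illustrative P2MR-style commitment: only the script-tree root, no EC point.
    BIP-360's actual witness version and encoding are not reproduced here."""
    return merkle_root([tapleaf_hash(s) for s in leaf_scripts])

if __name__ == "__main__":
    # Constructed demo key, not a real wallet key.
    d = int.from_bytes(hashlib.sha256(b"constructed example internal key").digest(), "big")
    scripts = [b"\x51", b"\x00"]                       # placeholder leaf scripts
    xq, kp = taproot_output_key(d, root_only_commitment(scripts))
    print("P2TR scriptPubKey:", p2tr_script_pubkey(xq).hex())
    print("key-path key is the discrete log of Q:", xonly(scalar_mult(kp)) == xq)
    print("root-only commitment:", root_only_commitment(scripts).hex())
```

The check in the last lines is the whole point: whoever can solve the ECDLP for the 32-byte x-only key in a P2TR scriptPubKey obtains key_path_priv and can spend without touching the script tree at all, whereas the root-only commitment is a SHA-256 output with no discrete logarithm to recover.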
BIP-361: Legacy Signature Sunset
BIP-361, drafted by Jameson Lopp in April 2026, defines a three-phase migration and deprecation schedule:
- Phase A (~3 years after activation): prohibit new BTC sent to legacy address types; users must migrate to quantum-resistant addresses
- Phase B (~5 years after activation): fully deprecate ECDSA and Schnorr signatures; remaining BTC in vulnerable addresses is effectively frozen
- Phase C: a relief mechanism allowing legitimate owners to recover frozen funds using zero-knowledge proofs of key ownership
BIP-361 is highly contentious. Freezing coins, even temporarily, conflicts with Bitcoin's core principle of permissionless ownership. Critics argue this sets a precedent for protocol-level asset seizure. Proponents counter that without deprecation timelines, the ecosystem will never coordinate migration, and quantum-vulnerable coins become a systemic risk.
BTQ Technologies: Quantum-Safe Testnet
BTQ Technologies launched the "Bitcoin Quantum" testnet in January 2026, replacing ECDSA with ML-DSA (FIPS 204) signatures. By March 2026, the V3 testnet had deployed BIP-360 support and surpassed 50 miners, 200,000+ blocks, and over 100 open-source contributors. BTQ targets a mainnet launch with migration tools in Q2 2026, followed by exchange and custody integrations.
Bitcoin's Governance Challenge
Upgrading Bitcoin's cryptography is unlike upgrading any other software. There is no CEO to mandate migration, no central authority to set deadlines, and the last major protocol upgrade (Taproot, activated November 2021) took years of community debate. A post-quantum upgrade, especially one that deprecates existing signature types or freezes outputs, would be the most contentious change in Bitcoin's history, whether deployed as a soft fork or a hard fork.
The challenge is compounded by the size problem. Adding PQC signatures likely requires either increasing the block size (a historically polarizing topic), accepting dramatically reduced throughput, or developing novel compression techniques. Each option has vocal opponents.
Ethereum has taken a different approach. In February 2026, Vitalik Buterin published a four-year roadmap targeting quantum resistance at Layer 1, including replacing BLS signatures with leanXMSS for validators and proposing EIP-8141 for flexible wallet signature algorithms. Bitcoin lacks this kind of centralized roadmap coordination, which is both its strength (no single point of capture) and its weakness (slow adaptation).
In April 2026, Coinbase's Quantum Advisory Council published a 51-page position paper with Scott Aaronson, Dan Boneh, and others, concluding that a CRQC will eventually be built and that the industry must begin migrating now. Coinbase plans "quantum-proof" custody services for institutional clients by late 2026.
How Layer 2 Protocols Can Move First
Layer 2 protocols have a structural advantage in the PQC transition: they can upgrade their off-chain signature schemes without requiring a Bitcoin consensus change. This makes them natural proving grounds for post-quantum cryptography before the base layer is ready.
FROST and the Threshold Signature Challenge
FROST threshold signatures present a unique migration challenge. FROST relies on the Schnorr signature scheme and the discrete logarithm assumption: the exact mathematical hardness that quantum computers break. There is no straightforward way to swap in a lattice-based scheme because the algebraic structures are fundamentally different. The "one-more discrete logarithm" assumption underlying FROST has no known lattice analog.
In March 2026, researchers published Hermine: the first lattice-based threshold signature scheme providing the full FROST feature set, including partially non-interactive signing, identifiable abort, and proactive security. Built on the Raccoon signature scheme, Hermine uses Vandermonde secret sharing and supports committees of up to 64 signers. Its signatures are approximately 11 to 15 KB: larger than single-signer PQC schemes, but functional for off-chain use where size constraints are less binding.
Spark's Position
Spark uses FROST threshold signatures between users and its operator set (the Spark Entity). Because Spark transfers happen off-chain, with only UTXOs anchored on Bitcoin L1, the protocol could adopt a post-quantum threshold scheme like Hermine for its off-chain signing without waiting for Bitcoin to add PQC opcodes.
The migration path differs meaningfully from single-key wallets. A standard wallet needs only to replace its ECDSA or Schnorr key pair with a PQC key pair. A threshold system like Spark must replace the distributed key generation, the signing protocol, and the key refresh mechanism: all while maintaining the 1-of-n security guarantee. The existence of Hermine and similar research (such as TALUS, a threshold ML-DSA scheme with one-round online signing) suggests this is feasible, but the tooling is still pre-production.
Quip Network demonstrated a complementary approach in April 2026: a post-quantum Bitcoin wallet using WOTS+ (Winternitz One-Time Signatures) on a smart contract layer, narrowing the quantum attack window to approximately 2 blocks (~20 minutes) without any base-layer fork.
What a Post-Quantum Bitcoin Looks Like
The most likely path forward involves multiple concurrent strategies rather than a single migration event.
Near-Term (2026-2028)
- BIP-360 (P2MR) activation to eliminate public key exposure in new outputs
- Layer 2 protocols experimenting with PQC signatures off-chain
- Wallet providers implementing address hygiene: avoiding address reuse, preferring hash-committed output types
- Exchange migration of exposed custody addresses (currently highly variable: 5% exposed at Coinbase vs. 85% at Binance per Glassnode)
Medium-Term (2028-2032)
- Soft fork adding PQC signature verification opcodes to Bitcoin Script
- FN-DSA finalization (likely by 2027) providing a compact PQC option for on-chain use
- Hybrid signature schemes: transactions carrying both classical and PQC signatures during the transition period
- Debate on block size adjustments to accommodate larger signatures
Long-Term (2032+)
- Potential deprecation of classical signature types (per BIP-361 or similar)
- Resolution of dormant P2PK outputs: community consensus on whether and how to handle quantum-vulnerable coins whose keys are lost
- Second-generation PQC schemes optimized for blockchain use cases
The uncomfortable question: Roughly 1.7 to 1.9 million BTC, depending on the analysis, sits in old P2PK outputs (including Satoshi's estimated holdings) and cannot be migrated because the private keys are likely lost. The community will eventually face a decision: allow these coins to become quantum bounties, or freeze them preemptively. Neither option has clear consensus.
Practical Steps for Bitcoin Holders Today
While CRQCs are not yet operational, the following practices reduce exposure to future quantum attacks:
- Never reuse addresses: each spend reveals the public key in the scriptSig or witness; fresh hash-committed addresses keep keys behind hash protection until spent
- Move funds from P2PK outputs and reused addresses to fresh hash-committed addresses such as P2WPKH; note that P2TR outputs place the x-only output key in the scriptPubKey, so they do not provide this hash protection
- Monitor BIP-360 and PQC soft fork proposals for activation timelines
- Consider cold storage with multisig configurations, bearing in mind that multisig raises a quantum attacker's cost only linearly in the number of keys, and that once the redeem or witness script has been revealed on-chain every key in it is exposed
For developers building on Bitcoin, the Spark SDK documentation provides resources on integrating with a Layer 2 that can evolve its cryptographic primitives independently of base-layer consensus changes. Exploring how FROST signatures work and how MuSig2 multisignatures relate to the broader PQC migration is a practical starting point for understanding what changes are coming.
Conclusion
Post-quantum cryptography is not a theoretical concern for a distant future. NIST has finalized standards. Research shows qubit requirements dropping faster than expected. Over 6 million BTC already has exposed public keys. The Federal Reserve is publishing papers on blockchain quantum risk. BIPs are being drafted and debated.
Bitcoin's decentralized governance makes it slower to adapt than centrally coordinated systems, but it also makes the adaptation more durable once achieved. The migration will likely happen in layers: applications and Layer 2 protocols first, then the base layer. The signature size problem is real and has no easy solution, but candidates like FN-DSA and threshold schemes like Hermine suggest the tooling is catching up to the threat.
The window for proactive preparation is open now. Once a CRQC exists, the 6+ million BTC with exposed public keys becomes a target with a concrete timeline. The question is whether Bitcoin's community can coordinate the most complex protocol upgrade in its history before that window closes.
This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.

