Adam Back: Why Bitcoin is Safe from Quantum Threats for the Next 20-40 Years


Introduction: Quantum FUD vs. Bitcoin’s Real-World Security

Quantum computing is often used to spark fear about Bitcoin’s cryptography. Adam Back, cypherpunk, Hashcash inventor, and Blockstream CEO, has long argued that Bitcoin is secure against quantum attacks for decades, not months. His reasoning lines up with the current state of quantum hardware, the math behind Shor’s and Grover’s algorithms, and Bitcoin’s upgrade path. Here’s a concise, technical walkthrough for crypto-native readers.

2025 Reality Check: Quantum Computers Can’t Break Bitcoin Signatures

– No one has demonstrated a quantum computer capable of running Shor’s algorithm at the scale needed to break 256-bit elliptic curve cryptography (ECC) used by Bitcoin (secp256k1, ECDSA/Schnorr).
– Breaking ECC-256 would require millions of high-fidelity, error-corrected logical qubits and long, reliable runtimes. Current devices have noisy physical qubits; error-corrected logical qubits at meaningful scale do not yet exist.
– Even aggressive roadmaps don’t project practical cryptanalysis of ECC within the next couple of decades, barring unexpected breakthroughs.

Short summary of quantum impact by primitive:

Primitive in Bitcoin     | Main Algorithm            | Quantum Impact                                       | 2025 Risk
Digital signatures       | secp256k1 ECDSA / Schnorr | Shor’s breaks ECC with enough error-corrected qubits | Impractical (decades away)
Hashing (addresses, PoW) | SHA-256, RIPEMD-160       | Grover’s gives only sqrt speedup                     | Safe; difficulty adjusts

Why Adam Back Says Bitcoin Is Safe for 20-40 Years

1) Bitcoin hides most public keys until spending

– P2PKH and P2WPKH lock coins to a hash of the public key; the actual pubkey is only revealed when you spend.
– A quantum attacker would have to:
1) See your pubkey when you broadcast a spend, and
2) Run Shor’s algorithm fast enough to derive the private key before your transaction confirms.
– Because Shor-scale machines don’t exist and block inclusion is fast, this attack path is currently infeasible.

Note: Taproot (P2TR) outputs include an x-only pubkey in the output itself (not a hash). That increases theoretical exposure of long-lived UTXOs if Shor-scale quantum appears suddenly. Today it’s still safe because the machine needed does not exist.
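To make the exposure rule above concrete, here is an added example (not code from the article or from Adam Back) that classifies a UTXO’s scriptPubKey by template and reports whether the public key is already visible on-chain. It goes beyond the section by also covering P2PK, P2SH and P2WSH, and it applies the “revealed when you spend” rule via a `spent_from_before` flag, which is the address-reuse case from the holder advice later in the article. All txids and hash/key bytes are constructed placeholders.

```python
"""Classify Bitcoin scriptPubKeys by whether the public key is exposed on-chain."""
from dataclasses import dataclass


@dataclass
class Utxo:
    txid: str                 # constructed sample id, not a real transaction
    script_pubkey: bytes
    spent_from_before: bool   # True if this address already signed a spend (pubkey revealed)


def classify_script(spk):
    """Return (output type, pubkey_exposed_in_output) from the scriptPubKey template."""
    n = len(spk)
    # P2PKH: OP_DUP OP_HASH160 <20-byte pubkey hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH", False
    # P2WPKH: OP_0 <20-byte pubkey hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", False
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>; the key itself sits in the output
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", True
    # Legacy P2PK: <33- or 65-byte pubkey> OP_CHECKSIG (Satoshi-era coinbase outputs)
    if n in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return "P2PK", True
    return "unknown", True    # conservative default: treat unrecognised scripts as exposed


def audit(utxos):
    """Map txid -> (type, 'exposed'|'hidden'); a prior spend from the address counts as exposed."""
    report = {}
    for u in utxos:
        kind, exposed = classify_script(u.script_pubkey)
        report[u.txid] = (kind, "exposed" if exposed or u.spent_from_before else "hidden")
    return report


SAMPLE = [  # constructed sample set; hash and key bytes are placeholders
    Utxo("tx1", b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac", False),
    Utxo("tx2", b"\x00\x14" + b"\x22" * 20, True),    # P2WPKH, but the address was reused
    Utxo("tx3", b"\x51\x20" + b"\x33" * 32, False),   # Taproot: key visible in the output
]

if __name__ == "__main__":
    for txid, (kind, status) in audit(SAMPLE).items():
        print(txid, kind, status)
```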

2) Hash functions remain robust under Grover’s algorithm

– Grover’s provides a quadratic speedup, effectively halving bit security. SHA-256 still offers ~128-bit security against preimage attacks under Grover, which remains far beyond feasible search.
– For mining, a quadratic speedup would only tilt efficiency; the network’s difficulty retargeting neutralizes persistent advantage.

3) Migration paths are well-understood

– Bitcoin can soft fork to quantum-resistant signatures (hash-based like SPHINCS+ or lattice-based like Dilithium) when warranted.
– NIST has standardized post-quantum cryptography (e.g., ML-DSA/Dilithium, SLH-DSA/SPHINCS+, ML-KEM/Kyber), providing vetted candidates.
– A graceful migration path gives users ample time to move funds to new outputs before practical threats arise.

What Would a Real Quantum Threat Look Like?

Watch for these concrete signals (none exist today at meaningful scale):
– Publication and replication of a full-stack, error-corrected Shor implementation solving 256-bit ECC in practice.
– Credible demonstrations of thousands of high-fidelity logical qubits and sustained low error rates with fast gate times.
– End-to-end cryptanalytic runs on smaller curves that extrapolate convincingly to secp256k1.

Until then, “quantum doom soon” is speculation, not engineering reality.

Best Practices for Holders and Builders

For holders:
– Avoid address reuse; spend UTXOs once, then move to fresh addresses.
– Favor P2WPKH if you’re ultra-conservative about pubkey exposure duration. Taproot is still safe today, but it displays the pubkey in the output.
– Keep wallet software updated to adopt any future soft-fork PQC outputs when they become available.

For businesses and devs:
– Abstract key types in wallet infrastructure to support future PQC migrations.
– Monitor BIPs exploring PQC schemes (hash-based signatures are simple, auditable, and conservative for first deployments).
– Consider hybrid constructions (e.g., dual-signature paths: current ECC + PQC) during transition periods to minimize operational risk.
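The claim above that hash-based signatures are simple and auditable, shown with an added example (not code from the article, from any BIP, or from the SPHINCS+ project): a Lamport one-time signature over SHA-256, the simplest member of the family that SLH-DSA/SPHINCS+ builds on. Its security rests only on preimage resistance, which Grover halves rather than breaks; the `revealed_pairs` helper shows why a key must be used exactly once.

```python
"""Lamport one-time signature over SHA-256 (educational hash-based signature)."""
import hashlib
import secrets

N = 256  # bits in the message digest; one secret pair per bit


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte values. Public key: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bit(msg, i):
    """Bit i (MSB first) of SHA-256(msg)."""
    return (int.from_bytes(H(msg), "big") >> (N - 1 - i)) & 1


def sign(sk, msg):
    """For each digest bit, reveal the secret of that side. Signing twice leaks secrets."""
    return [sk[i][digest_bit(msg, i)] for i in range(N)]


def verify(pk, msg, sig):
    """Hash each revealed secret and compare with the matching public-key half."""
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][digest_bit(msg, i)] for i in range(N))


def revealed_pairs(sig1, sig2):
    """Count positions where two signatures under one key exposed both secrets (the reuse caveat)."""
    return sum(1 for a, b in zip(sig1, sig2) if a != b)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed test message"      # constructed sample input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("sig bytes:", sum(len(s) for s in sig), "pk bytes:", 2 * 32 * N)
```

Signatures and public keys are 8 KiB and 16 KiB here; production schemes such as SPHINCS+ trade that size and the one-time restriction away with WOTS+ chains and Merkle trees.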

Common Misconceptions, Debunked

– “Quantum will break Bitcoin mining.” Incorrect. Grover yields only a sqrt speedup; difficulty adjusts. No catastrophic edge.
– “All coins are exposed.” Incorrect. Most outputs today still hide the pubkey until spend (P2PKH/P2WPKH). Taproot shows the pubkey up front, but Shor-scale machines aren’t real.
– “We can’t upgrade in time.” Unlikely. A staged, opt-in soft fork with long grace periods is consistent with how Bitcoin has rolled out upgrades historically.

The Adam Back Takeaway

Adam Back’s 20-40 year horizon reflects three pillars:
1) Shor-capable, error-corrected quantum computers remain far from reality.
2) Bitcoin’s design already limits exposure and shrugs off Grover-level effects.
3) The ecosystem can migrate to standardized post-quantum signatures when it’s actually needed.

Conclusion: Stay Technical, Stay Calm

Quantum computing is real science, but the leap from lab demos to breaking Bitcoin’s signatures is enormous. In 2025, no team is close to the error-corrected scale required to threaten secp256k1. Bitcoin’s use of hashed addresses, its fast settlement, difficulty adjustment, and its ability to soft fork to PQC give it a long runway. As Adam Back has emphasized, the prudent posture is readiness without hype: monitor credible breakthroughs, keep software upgradeable, and plan for a measured migration when the signals, not the headlines, say it’s time.

By Coinlaa
