Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and future large-scale quantum computers (often called Cryptographically Relevant Quantum Computers or CRQCs). Bitcoin currently relies on ECDSA (Elliptic Curve Digital Signature Algorithm) using the secp256k1 curve for transaction signatures and ownership control. This is vulnerable to Shor's algorithm, which could efficiently solve the discrete logarithm problem underlying elliptic curve cryptography on a sufficiently powerful quantum computer.

The Quantum Threat to Bitcoin

Public keys are the main target. In many Bitcoin transactions (especially pre-Taproot outputs and certain spends), a public key exposed on-chain would allow a quantum adversary to derive the corresponding private key.

Once a public key is revealed (e.g., when spending from an address), there is a window in which a quantum computer could forge signatures and steal the funds.

The blockchain history itself and SHA-256-based Proof-of-Work are generally considered more resistant (Grover's algorithm provides only quadratic speedup for hashing, not a practical break).

Estimates for "Q-Day" (when this becomes feasible) vary, but recent analyses (including from Google researchers) suggest it could happen sooner than previously thought, potentially with fewer resources, though still likely years away (e.g., late 2020s to 2030s).

Bitcoin does not natively use PQC today. Protection comes from ongoing research, proposals, and community-driven upgrades.

How PQC Would Protect Bitcoin

PQC replaces or augments vulnerable primitives with algorithms based on hard problems that quantum computers (using Shor's or similar) are not known to solve efficiently. Common categories include:

Lattice-based (e.g., ML-DSA/Dilithium, Falcon) — Rely on learning with errors (LWE) or similar problems.

Hash-based (e.g., SPHINCS+/SLH-DSA, XMSS) — Security reduces to the collision resistance or preimage resistance of hash functions (like SHA-256, which Bitcoin already trusts). These are conservative and well-understood.

Other families exist, such as code-based and multivariate schemes, but hash- and lattice-based schemes are the most discussed for Bitcoin.

Key mechanisms in proposals:

New Output Types — BIP 360 (Pay-to-Merkle-Root or P2MR/P2QRH variants) introduces quantum-resistant address schemes. It removes the "key path" that exposes public keys on-chain (similar to Taproot but without the vulnerable internal key). Users can spend via script paths that support PQC signatures. This protects new transactions and addresses immediately upon adoption.

Post-Quantum Signatures — Integrate schemes like SPHINCS+ (hash-based, NIST-standardized) or ML-DSA into the script system. Signatures would be larger (hundreds to thousands of bytes vs. ~70 bytes for ECDSA), impacting fees and block space, so optimizations and hybrid approaches are explored.

Hybrid and Migration Strategies — Combine old (ECDSA) and new signatures for backward compatibility during transition. Proposals like BIP 361 outline phased sunsetting of legacy outputs, potentially freezing un-migrated coins after a deadline to force migration.
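To make the hash-based idea and its size cost concrete, here is an added example (not code from the page or from any BIP) of a one-time Lamport signature over SHA-256: security rests only on preimage resistance of the hash, and the signature and public key sizes it computes show why hash-based schemes strain block space. The pk_commitment function is an illustrative stand-in for hiding a key behind a hash until spend time, not BIP 360's actual construction.

```python
import hashlib
import os

H = hashlib.sha256  # the scheme inherits the preimage resistance of SHA-256, which Bitcoin already trusts
N = 32              # digest length in bytes (256 bits)

def keygen():
    """One-time Lamport key pair: 256 pairs of random 32-byte secrets and their hashes."""
    sk = [(os.urandom(N), os.urandom(N)) for _ in range(8 * N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk

def _bit(digest, i):
    """Return bit i (0 = most significant of byte 0) of a digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1

def sign(sk, msg):
    """Reveal, for each bit of SHA-256(msg), the secret matching that bit.
    A key pair must sign one message only: a second message with different bits
    would reveal further secrets, which is why practical schemes (XMSS, SPHINCS+)
    build many one-time keys into a Merkle tree."""
    digest = H(msg).digest()
    return b"".join(sk[i][_bit(digest, i)] for i in range(8 * N))

def verify(pk, msg, sig):
    """Re-hash each revealed secret and compare with the committed hash for that bit."""
    if len(sig) != 8 * N * N:
        return False
    digest = H(msg).digest()
    for i in range(8 * N):
        chunk = sig[i * N:(i + 1) * N]
        if H(chunk).digest() != pk[i][_bit(digest, i)]:
            return False
    return True

def pk_commitment(pk):
    """Illustrative only: a 32-byte hash of the full public key is all an output
    would need to carry; the 16 KiB key is revealed together with the signature at spend time."""
    return H(b"".join(a + b for a, b in pk)).digest()

def sizes():
    """Byte sizes that drive the fee and block-space cost: 16 KiB key, 8 KiB signature,
    against roughly 70 bytes for an ECDSA signature."""
    return {"public_key": 2 * 8 * N * N, "signature": 8 * N * N}

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample transaction digest input"  # constructed test message
    sig = sign(sk, msg)
    print(sizes(), verify(pk, msg, sig), verify(pk, b"tampered", sig))
```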

Other Defenses:

Commit/reveal schemes that keep public keys hidden while a transaction waits in the mempool.

Encouraging users to move funds from exposed (e.g., legacy P2PKH) addresses to new quantum-safe ones.

Wallets and services adding PQC support proactively.

Current Status (as of 2026)

BIP 360 is a formal proposal and has been implemented in experimental/testnet forks (e.g., by BTQ Technologies). It's a foundational step but not yet activated on mainnet.

Discussions around SPHINCS+ and other schemes continue in Bitcoin dev communities. Full migration would likely require soft forks and could take years due to Bitcoin's conservative governance.

Forks and alternative projects (e.g., Quantum Resistant Ledger, custom Bitcoin forks) have already implemented PQC.

No immediate threat exists today, but "harvest now, decrypt later" attacks mean long-term data (like unspent outputs) should migrate proactively.

In summary, PQC protects Bitcoin by swapping out quantum-vulnerable math (elliptic curves) for quantum-resistant alternatives, primarily through new address types, signature schemes, and careful migration plans. This ensures that even if a quantum computer breaks ECDSA, new and migrated funds remain secure. The process emphasizes crypto-agility—Bitcoin's decentralized nature allows upgrades, but it requires broad consensus. Users can help by moving to modern, Taproot/P2MR-style addresses now and staying informed on proposals.
