It is widely claimed that quantum computers pose a direct threat to "Bitcoin encryption". That framing is wrong, and the error is one of terminology and of how the network's security actually works: Bitcoin does not store encrypted secrets on the blockchain. That is the key difference.
Where the real danger lies
Ownership of bitcoin is enforced by digital signatures (ECDSA and Schnorr over the secp256k1 curve) and by hash-based commitments, not by encryption. A quantum computer able to run Shor's algorithm against secp256k1 could do exactly one thing: compute the private key from a public key that has been revealed on the blockchain.
That capability amounts to authorization forgery, and it is the real threat. The attacker would not "decrypt" anything. They would run Shor's algorithm to recover the private key from an exposed public key and then produce a valid signature on a conflicting transaction that spends the victim's coins.
Adam Back, a longtime Bitcoin developer and creator of Hashcash, summarized this eloquently: “Bitcoin does not use encryption. Anyone can see every transaction on the public ledger—nothing is encrypted.”
Public key exposure: a security bottleneck
Bitcoin's quantum exposure boils down to one question: is the public key visible on the blockchain? Several output types (P2PKH, P2WPKH, and the script-hash types P2SH and P2WSH) commit only to a hash of the public key or script; the raw public key appears on chain only when the output is spent, in the scriptSig or witness. Until then an attacker with Shor's algorithm has nothing to work on, which narrows the window of opportunity to the interval between a spending transaction being broadcast and being confirmed.
Other output types reveal the public key earlier: pay-to-pubkey (P2PK) outputs, used for early coinbase rewards, carry the key in the output script itself, and Taproot (P2TR) outputs carry a 32-byte tweaked key. Address reuse also turns a one-time exposure into a permanent one: once an address has been spent from, its public key is on chain, and any funds later sent back to it sit behind an exposed key. Project Eleven, through its "Bitcoin Risq List", maps exactly where public keys are already accessible to anyone able to run Shor's algorithm.
By that data, approximately 6.7 million BTC currently sit in outputs whose public key is exposed. This is a measurable figure that can be tracked today, and it moves as coins are spent, consolidated or migrated.
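The exposure criteria above can be applied mechanically to a UTXO set. The following is an added example, not code from the original article or from Project Eleven: it classifies raw scriptPubKeys into the standard output types, applies the rule that P2PK and P2TR carry the key in the output while hash-committed types expose it only after the same script has been spent from (address reuse), and totals the balance behind exposed keys. The UTXO set and the key and hash bytes are constructed for illustration, not real chain data.

```python
"""Classify a Bitcoin scriptPubKey and decide whether its public key is
already exposed on chain.  Added example, not from the original article;
the UTXO set below is constructed for illustration."""

SAT_PER_BTC = 100_000_000


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a raw scriptPubKey (or 'unknown')."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG (0xac)
    if n == 35 and spk[0] == 0x21 and spk[-1] == 0xAC and spk[1] in (0x02, 0x03):
        return "p2pk"
    if n == 67 and spk[0] == 0x41 and spk[-1] == 0xAC and spk[1] == 0x04:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    # Segwit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    # Segwit v1 (Taproot): OP_1 <32-byte x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"


# Output types whose script itself contains a public key.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Output types that commit only to a hash; the key (or script) is revealed on spend.
HASH_COMMITTED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def pubkey_exposed(script_type: str, spent_from_before: bool) -> bool:
    """Is the key controlling this output already visible on chain?

    P2PK and P2TR expose it in the output.  Hash-committed types expose it
    only when a spend from the same script has already been published,
    i.e. the address was reused.  Unknown scripts are treated as exposed
    (the conservative choice for a risk inventory)."""
    if script_type in KEY_IN_OUTPUT:
        return True
    if script_type in HASH_COMMITTED:
        return spent_from_before
    return True


def exposed_balance(utxos, spent_from):
    """Return (exposed_sats, total_sats) over (scriptPubKey, value_sats) pairs.

    `spent_from` is the set of scriptPubKeys with at least one historical
    spend, which is what turns address reuse into exposure."""
    exposed = total = 0
    for spk, value in utxos:
        total += value
        if pubkey_exposed(classify_script(spk), spk in spent_from):
            exposed += value
    return exposed, total


# Constructed sample data (not real chain data): dummy key/hash bytes.
DUMMY_PUBKEY = b"\x02" + bytes(range(1, 33))   # 33-byte compressed key
DUMMY_H160_A = bytes(range(20))
DUMMY_H160_B = bytes(range(20, 40))
DUMMY_H160_C = bytes(range(40, 60))
DUMMY_X_ONLY = bytes(range(32))

P2PK = b"\x21" + DUMMY_PUBKEY + b"\xac"
P2PKH_A = b"\x76\xa9\x14" + DUMMY_H160_A + b"\x88\xac"
P2PKH_B = b"\x76\xa9\x14" + DUMMY_H160_B + b"\x88\xac"
P2WPKH = b"\x00\x14" + DUMMY_H160_C
P2SH = b"\xa9\x14" + DUMMY_H160_A + b"\x87"
P2TR = b"\x51\x20" + DUMMY_X_ONLY

SAMPLE_UTXOS = [
    (P2PK, 50 * SAT_PER_BTC),     # early-style pay-to-pubkey coinbase
    (P2PKH_A, 1 * SAT_PER_BTC),   # fresh legacy address, never spent from
    (P2PKH_B, 2 * SAT_PER_BTC),   # legacy address that was spent from and reused
    (P2WPKH, 3 * SAT_PER_BTC),    # fresh native segwit address
    (P2TR, 4 * SAT_PER_BTC),      # taproot output, key in the script
    (P2SH, 5 * SAT_PER_BTC),      # fresh script-hash output
]
SAMPLE_SPENT_FROM = {P2PKH_B}

if __name__ == "__main__":
    exposed, total = exposed_balance(SAMPLE_UTXOS, SAMPLE_SPENT_FROM)
    print(f"exposed {exposed / SAT_PER_BTC:.8f} of {total / SAT_PER_BTC:.8f} BTC")
```

On the constructed set, 56 of 65 BTC count as exposed: the P2PK and P2TR outputs by construction, plus the reused P2PKH address. Running the same logic over a real UTXO snapshot with a spent-script index is how a figure like the 6.7 million BTC above is produced; the one judgement call is how to treat P2SH and P2WSH, whose exposure on reuse depends on what the redeem script contained (a multisig reveals every key in it).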
Numbers that matter
On the computational side, the key distinction is between logical and physical qubits. Resource estimates put the discrete logarithm for a 256-bit elliptic-curve key at roughly 2,330 logical qubits.
Turning that into a fault-tolerant machine is where costs explode, because each logical qubit must be built from many error-corrected physical qubits. An estimate from 2023 suggests:
~6.9 million physical qubits for 10-minute key recovery
~13 million physical qubits for 1-day recovery
~317 million physical qubits for targeting a one-hour window
Counts like these depend heavily on the assumed physical error rate, error-correction overhead and target runtime, so figures from different models are not directly comparable. The consistent message is that breaking one key needs millions of physical qubits, while the largest processors announced as of 2023 had on the order of a thousand uncorrected ones. This is infrastructure that is still materializing, not yesterday's technology.
Taproot changes the game for the future
Taproot (P2TR) outputs place a 32-byte tweaked public key (the x-only output key) directly in the output script, rather than a hash of it. That is not a vulnerability today, but it changes what is exposed by default: if key recovery ever becomes practical, every unspent P2TR output is a target from the moment it is created, not only once it is spent.
Taproot therefore shifts the exposure pattern, but the shift can be managed through wallet and protocol design choices, starting with which output type long-held funds sit in.
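What "tweaked" means, and why it does not help against key recovery, is easiest to see in code. The following is an added example, not code from the original article or from Bitcoin Core: it implements the BIP 341 key-path tweak with textbook affine secp256k1 arithmetic (far too slow and not constant-time, so illustration only) and shows that the 32-byte key in a P2TR output is an ordinary curve point whose discrete logarithm is simply (internal secret + tweak) mod n. Anyone who could take discrete logarithms on secp256k1 would therefore obtain a key-path spending secret directly from the output script, without needing the internal key or the tweak. The demo secret is constructed, not a real key.

```python
"""Taproot output keys are ordinary secp256k1 points.

Added example, not from the original article or Bitcoin Core.  Affine
arithmetic is used for clarity only; it is slow and not constant-time."""

import hashlib
from typing import Optional

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """BIP 340 lift_x: the curve point with this x-coordinate and even y."""
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    if (y * y - x ** 3 - 7) % P:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P - y)


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def taproot_tweak(internal_x: int, merkle_root: Optional[bytes]) -> int:
    """t = H_TapTweak(x(P) || merkle_root) per BIP 341; no root for key-only outputs."""
    data = internal_x.to_bytes(32, "big") + (merkle_root or b"")
    t = int.from_bytes(tagged_hash("TapTweak", data), "big")
    if t >= N:
        raise ValueError("tweak out of range")  # negligible probability
    return t


def p2tr_script(internal_secret: int, merkle_root: Optional[bytes] = None):
    """Return (scriptPubKey, key_path_secret) for a Taproot output.

    The output key Q = P + t*G is what goes on chain as OP_1 <x(Q)>.  The
    matching secret is d + t, where d is the internal secret negated first
    if its point has odd y, exactly as a key-path signer computes it."""
    point = point_mul(internal_secret, G)
    d = internal_secret if point[1] % 2 == 0 else N - internal_secret
    x_p = point[0]
    t = taproot_tweak(x_p, merkle_root)
    q = point_add(lift_x(x_p), point_mul(t, G))
    script = b"\x51\x20" + q[0].to_bytes(32, "big")
    return script, (d + t) % N


def secret_matches_output(secret: int, script: bytes) -> bool:
    """Does secret*G have the x-coordinate committed in this P2TR script?"""
    assert len(script) == 34 and script[:2] == b"\x51\x20"
    return point_mul(secret, G)[0] == int.from_bytes(script[2:], "big")


# Constructed demo secret, not a real key.
DEMO_SECRET = int.from_bytes(hashlib.sha256(b"taproot demo").digest(), "big") % N

if __name__ == "__main__":
    spk, key_path_secret = p2tr_script(DEMO_SECRET)
    print("scriptPubKey:", spk.hex())
    print("key-path secret controls output key:", secret_matches_output(key_path_secret, spk))
```

The consequence for exposure is the line `return script, (d + t) % N`: the scalar a discrete-log attack on x(Q) would return is exactly that key-path secret, so committing a script tree (a non-empty `merkle_root`) changes the tweak but not the fact that the output key alone suffices to spend. A wallet that wants a hash-committed output instead has to choose a different output type, not a different tweak.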
The challenge is migration, not catastrophe
NIST has already standardized post-quantum primitives: ML-KEM (FIPS 203) for key establishment and, more relevant to a signature-based system like Bitcoin, the signature schemes ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). In Bitcoin, BIP 360 proposes "Pay to Quantum Resistant Hash", and qbip.org argues for retiring the older signature schemes to incentivize migration.
IBM has reported progress on error-correction components and a roadmap toward a fault-tolerant system around 2029. Quantum hardware roadmaps and the post-quantum defenses are therefore maturing in parallel.
The real challenge lies in throughput, storage, fees and coordinating migration. Post-quantum signatures are kilobytes in size (an ML-DSA-44 signature is about 2.4 KB) rather than the 64 to 72 bytes of a Schnorr or ECDSA signature, which changes transaction economics. This is an infrastructural undertaking, not an emergency.
Therefore: Bitcoin is not threatened by "encryption breaking" because it never relied on encryption. The measurable factors are the proportion of UTXOs, and of coins, sitting behind exposed keys, the adoption rate of post-quantum spending paths, and how quickly the network adapts to the changed landscape.
The chaos around Bitcoin and quantum computers: what we really should be worried about