The "broken encryption" myth: Why Bitcoin faces a quantum logarithm challenge, not an immediate encryption threat
For years, the narrative has been alarmist: “Quantum computers will break Bitcoin’s encryption.” But this popular claim contains a fundamental conceptual error. Bitcoin has never relied on encryption to protect its funds. What is truly under scrutiny are the digital signatures, and specifically, the possibility that quantum machines could solve the elliptic curve discrete logarithm problem much faster than classical computers.
The terminological confusion: Encryption vs. Digital Signatures
Bitcoin’s blockchain is a completely public ledger. There are no encrypted secrets stored on the chain, no hidden information protected by encryption. Every transaction, every address, every amount is visible to everyone.
Bitcoin uses digital signatures—specifically ECDSA and Schnorr—to demonstrate control over funds. When you make a transaction, you’re not decrypting anything; you’re producing a mathematical signature that proves you possess the private key associated with that address. This is a critical distinction that many commentators overlook.
Adam Back, Bitcoin developer and inventor of Hashcash, has been clear on this. On social media, he warned: “Bitcoin does not use encryption. Make sure you understand the basics or it will be obvious you don’t know what you’re talking about.” The confusion arises because people equate “cryptographic security” with “encryption,” when in fact they refer to entirely different mathematical problems.
The real attack vector: Exposure of public keys
If a sufficiently powerful quantum computer were to exist, its weapon would not be decrypting messages. It would be solving the elliptic curve discrete logarithm problem, allowing an attacker to derive a private key from an exposed public key on the chain.
Here’s the crucial detail: not all Bitcoin addresses expose their public keys in the same way.
Many Bitcoin outputs (P2PKH, P2WPKH and the script-hash forms) commit only to a hash of the public key. The raw key is not revealed until the output is spent, when it appears in the scriptSig or witness of the spending transaction. That bounds the attacker's window: the private key would have to be derived and a conflicting transaction confirmed before the legitimate spend is mined, a race against block confirmation (about ten minutes on average) rather than an open-ended target.
Other script formats expose the public key in the output itself: pay-to-public-key (P2PK) outputs, common among early coinbase rewards, bare multisig, and Taproot (P2TR). Address reuse creates the same permanent exposure for hash-committed outputs, because once an address has been spent from, its key is on the chain forever and any funds later sent to it can be targeted for as long as they sit there. Project Eleven, an open-source analysis, precisely identifies and maps which outputs keep public keys visible and which are protected under hashes.
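To make the distinction concrete, here is a small classifier, added as an example and not Project Eleven's scanner or the page's own code, that sorts output scripts into three classes: key visible in the scriptPubKey itself, key only hash-committed, and key hash-committed but already revealed by an earlier spend from the same address (reuse). The scripts, hashes and values are constructed for illustration; the "keys" are placeholder bytes rather than real curve points, and P2SH/P2WSH are treated as hashed because the redeem script, and any keys inside it, is revealed only on spend.

```python
"""Classify Bitcoin output scripts by whether the spending public key is already
visible on-chain. Added example, not Project Eleven's scanner; all scripts,
hashes and values below are constructed placeholders, not real chain data."""
from dataclasses import dataclass
from typing import Optional

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0xA9, 0x87, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE

EXPOSED = "exposed in output"   # key sits in the scriptPubKey itself (Shor target today)
REUSED = "exposed by reuse"     # hash-committed, but the key already appeared in an earlier spend
HASHED = "hashed until spend"   # only a hash is on-chain; key is revealed when the UTXO is spent
UNKNOWN = "unknown"


def classify(spk: bytes) -> tuple[str, str]:
    """Return (script type, exposure class) for a scriptPubKey."""
    n = len(spk)
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", HASHED
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh", HASHED            # redeem script (and its keys) revealed only on spend
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", HASHED
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh", HASHED
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", EXPOSED           # 32-byte x-only output key, no hash in front of it
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", EXPOSED           # <33- or 65-byte key> OP_CHECKSIG, Satoshi-era coinbases
    if n >= 3 and spk[-1] == OP_CHECKMULTISIG \
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16:
        return "bare-multisig", EXPOSED  # every key is pushed in the script itself
    return "nonstandard", UNKNOWN


def committed_hash(spk: bytes, kind: str) -> Optional[bytes]:
    """The 20-byte pubkey hash a P2PKH/P2WPKH output commits to, else None."""
    if kind == "p2pkh":
        return spk[3:23]
    if kind == "p2wpkh":
        return spk[2:22]
    return None


@dataclass
class Utxo:
    txid: str
    vout: int
    value_sat: int
    spk: bytes


def exposure_totals(utxos: list[Utxo], revealed: set[bytes]) -> dict[str, int]:
    """Sum UTXO value per exposure class. `revealed` holds pubkey hashes whose key
    has already been published by a spend; reuse turns those into permanent targets."""
    totals = {EXPOSED: 0, REUSED: 0, HASHED: 0, UNKNOWN: 0}
    for u in utxos:
        kind, exposure = classify(u.spk)
        if exposure == HASHED and committed_hash(u.spk, kind) in revealed:
            exposure = REUSED
        totals[exposure] += u.value_sat
    return totals


# Script builders used only to construct the sample set below.
def p2pkh(h): return bytes([OP_DUP, OP_HASH160, 20]) + h + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h): return bytes([OP_0, 20]) + h
def p2wsh(h): return bytes([OP_0, 32]) + h
def p2tr(xonly): return bytes([OP_1, 32]) + xonly
def p2pk(key): return bytes([len(key)]) + key + bytes([OP_CHECKSIG])
def bare_multisig(m, keys):
    return bytes([OP_1 + m - 1]) + b"".join(bytes([len(k)]) + k for k in keys) \
        + bytes([OP_1 + len(keys) - 1, OP_CHECKMULTISIG])


def sample_scan() -> dict[str, int]:
    """Constructed UTXO set covering each exposure class (values in satoshis)."""
    h_fresh, h_reused = bytes([0x11]) * 20, bytes([0x22]) * 20
    key_a, key_b = b"\x02" + bytes([0x33]) * 32, b"\x03" + bytes([0x44]) * 32
    utxos = [
        Utxo("a1" * 32, 0, 100_000_000, p2pkh(h_fresh)),            # never spent from
        Utxo("b2" * 32, 1, 50_000_000, p2wpkh(h_reused)),           # address reused after a spend
        Utxo("c3" * 32, 0, 25_000_000, p2tr(bytes([0x55]) * 32)),   # Taproot: key in output
        Utxo("d4" * 32, 0, 5_000_000_000, p2pk(key_a)),             # early 50 BTC coinbase style
        Utxo("e5" * 32, 0, 10_000_000, p2wsh(bytes([0x66]) * 32)),  # script hash only
        Utxo("f6" * 32, 2, 1_000_000, bare_multisig(1, [key_a, key_b])),
    ]
    return exposure_totals(utxos, revealed={h_reused})
```

Running `sample_scan()` puts the P2PK, P2TR and bare-multisig coins in the "exposed in output" bucket, the reused P2WPKH coin in "exposed by reuse", and only the fresh P2PKH and P2WSH coins in "hashed until spend". A real scan needs the `revealed` set built from every historical scriptSig and witness, which is the expensive part of the job.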
Measuring the risk: 6.7 million BTC potentially vulnerable
Although cryptographically relevant quantum computers do not yet exist, the risk is fully measurable today. Project Eleven runs automated weekly scans identifying all Bitcoin addresses with public keys exposed on the chain.
The result: approximately 6.7 million BTC meet the criteria for quantum exposure. This does not mean these funds are in danger today, but they are susceptible if quantum technology advances sufficiently.
To put the computational requirements into perspective: solving the 256-bit elliptic curve discrete logarithm used in Bitcoin requires, according to academic estimates, around 2,330 logical qubits. The problem is that turning logical qubits into a machine that performs error correction and executes deep circuits introduces a massive overhead of physical qubits.
Estimates vary depending on architecture:
10 minutes: approximately 6.9 million physical qubits
1 day: approximately 13 million physical qubits
1 hour: approximately 317 million physical qubits
These figures come from different published hardware models and do not form a single curve, which is why the shortest run time is not paired with the largest qubit count. The practical point is that every one of them is several orders of magnitude beyond today's processors, which have on the order of a thousand physical qubits. The run time matters as much as the qubit count: an attack on a hash-committed output must finish within the confirmation window of the victim's own spend, whereas an output that already carries its key can be attacked at leisure.
IBM recently announced a roadmap toward a fault-tolerant system around 2029, though error correction components remain the main bottleneck.
Taproot changed the equation, but only for the future
The Taproot (P2TR) upgrade changed how public keys are exposed by default. Taproot outputs place a 32-byte x-only public key (the tweaked output key) directly in the output script, instead of a hash.
This does not create a quantum vulnerability today, but it alters the exposure landscape if quantum key recovery becomes feasible. The tweak that can commit to a script tree does not help here: a key-path spend needs only the discrete logarithm of the output key itself, so every unspent Taproot output is attackable at leisure rather than only during the confirmation window of a spend. It means that the population of “quantum-vulnerable” outputs will keep growing automatically with each new Taproot output unless quantum-resistant measures are implemented.
Grover’s algorithm: A secondary threat
While Shor’s algorithm targets the discrete logarithm (the primary threat), Grover’s algorithm offers only a quadratic speedup for brute-force searches. In theory this affects SHA-256: a 256-bit preimage search drops from about 2^256 to about 2^128 quantum steps.
However, 2^128 sequential quantum steps remain far out of reach, Grover's iterations parallelize poorly, and the error-correction overhead makes a Grover-style attack against SHA-256 orders of magnitude more costly than solving the elliptic curve logarithm. It is not an equivalent threat priority.
The levers are in the hands of users and protocols
Given the realistic timeline, the quantum risk is primarily a migration challenge, not an immediate emergency. The available levers are distributed across several levels:
At the user level:
Avoid reusing addresses to reduce the permanent exposure window
Use wallets that minimize public key exposure
Migrate to quantum-resistant scripts when available
At the protocol level:
BIP 360 proposes a new output type “Pay to Quantum Resistant Hash”
Proposals like qbip.org advocate for retiring legacy signatures to incentivize migration
NIST's post-quantum standards provide the building blocks. Note that ML-KEM (FIPS 203) is a key-encapsulation mechanism, which Bitcoin has no use for since it encrypts nothing; the standards relevant to replacing ECDSA and Schnorr are the signature schemes ML-DSA (FIPS 204) and SLH-DSA (FIPS 205)
At the infrastructure level:
Post-quantum signatures run to kilobytes (an ML-DSA-44 signature is 2,420 bytes and an SLH-DSA-SHA2-128s signature 7,856 bytes), compared with 64-byte Schnorr and roughly 71-byte ECDSA signatures today. Even with the segwit witness discount, that changes transaction weight economics, fees and the number of spends that fit in a block, but it is an engineering problem, not a security fundamental.
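As an added worked example, not taken from the page or from any BIP, the following computes the virtual size and fee of a one-input, one-output spend under Schnorr and under two NIST post-quantum signature schemes. It assumes a hypothetical output type whose spend reveals both the signature and the public key as witness items, as a hash-committed design such as BIP 360's would require; the exact witness layout of any future output type is an assumption. Signature and key sizes are the FIPS 204/205 parameter sets (ML-DSA-44: 1,312-byte key, 2,420-byte signature; SLH-DSA-SHA2-128s: 32-byte key, 7,856-byte signature), and the Schnorr baseline is a P2TR key-path spend.

```python
"""Virtual size and fee for a one-input, one-output spend under Schnorr versus
NIST post-quantum signatures. Added example; the witness layout assumed for a
post-quantum output type (signature + public key pushed as witness items) is an
assumption, not a finalized BIP 360 design."""
import math

# Signature/key sizes in bytes. Schnorr per BIP 340; PQ per FIPS 204 / FIPS 205.
SCHEMES = {
    "schnorr (P2TR key path)":      {"sig": 64,   "pubkey": 0},     # key is in the output, not the witness
    "ML-DSA-44 (FIPS 204)":         {"sig": 2420, "pubkey": 1312},
    "SLH-DSA-SHA2-128s (FIPS 205)": {"sig": 7856, "pubkey": 32},
}


def compact_size(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for a value n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFF_FFFF:
        return 5
    return 9


def witness_stack_bytes(items: list[int]) -> int:
    """Serialized size of one input's witness stack given its item lengths."""
    return compact_size(len(items)) + sum(compact_size(n) + n for n in items)


def spend_vbytes(witness_items: list[int], n_outputs: int = 1, output_spk_len: int = 34) -> int:
    """vbytes of a segwit tx with one input and P2TR-sized outputs (BIP 141 weight / 4).
    Non-witness bytes count 4 weight units each, witness bytes count 1."""
    prevout_in = 32 + 4 + 1 + 4                       # txid, vout, empty scriptSig len, sequence
    base = 4 + 1 + prevout_in + 1 + n_outputs * (8 + 1 + output_spk_len) + 4
    witness = 2 + witness_stack_bytes(witness_items)  # segwit marker+flag, then the stack
    weight = base * 4 + witness
    return math.ceil(weight / 4)


def fee_comparison(sat_per_vb: int) -> dict[str, tuple[int, int]]:
    """Map scheme name -> (vbytes, fee in sat) for a single key-spend at the given feerate."""
    out = {}
    for name, sz in SCHEMES.items():
        items = [sz["sig"]] + ([sz["pubkey"]] if sz["pubkey"] else [])
        vb = spend_vbytes(items)
        out[name] = (vb, vb * sat_per_vb)
    return out


if __name__ == "__main__":
    table = fee_comparison(10)
    base_vb = table["schnorr (P2TR key path)"][0]
    for name, (vb, fee) in table.items():
        print(f"{name:32} {vb:5d} vB  {fee:6d} sat  ({vb / base_vb:.1f}x)")
```

With these assumptions the Schnorr spend is 111 vB, the ML-DSA-44 spend about 1,030 vB and the SLH-DSA-128s spend about 2,068 vB, so the fee per spend grows roughly nine- to nineteen-fold at the same feerate. The witness discount is what keeps the multiple below the raw byte ratio; without it a 3.7 KB witness would cost closer to forty times the Schnorr spend.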
The realistic timeline: Infrastructure, not emergency
The key distinction is that Bitcoin is not under immediate quantum threat, but it cannot ignore the risk indefinitely. The elements that matter today are:
How much of the UTXO set has exposed public keys (measurable: 6.7M BTC)
How wallet behaviors evolve in response to that exposure
How quickly the network can adopt post-quantum standards without compromising validation and fee markets
Reframing “quantum computing breaks Bitcoin’s encryption” as “quantum computing could enable signature forgery if it occurs, which requires a managed protocol migration” is more accurate and useful.
Bitcoin has faced protocol changes before. This will be a planned technical migration, not a sudden security crisis. And unlike other systems, the exposure is fully traceable, quantifiable, and mitigable even today.