The thing that supposedly sets Bitcoin apart from other cryptocurrencies is that it's deflationary and 'immutable', in that Satoshi is gone forever and any deviation of Bitcoin from his golden idea will result in undermining its essence. If Bitcoin can get quantum-attacked then, from a technical point of view, nothing will be lost. The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography. But at that point, is it still Bitcoin? Because you've undermined the immutability. If the core devs can just say "this core property of Bitcoin is now something completely different", who's to say that they won't change their minds about the deflationary nature in the future? All credibility will be lost. Now, if you accept that, is perhaps all credibility lost already? ...
> The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography.
That doesn't work, because once the signature scheme has been broken, nobody can prove that their coins are theirs. No roll back or word-of-god would help.
The only way to make bitcoin quantum-safe is to introduce a quantum safe signature scheme, to encourage everyone to move their coins and to somehow accept that those who don't are no longer in control of their coins.
Bitcoin has had significant protocol upgrades before, including the highly divisive segwit. IMO immutability is a non-issue, there's plenty of evidence that Satoshi generally agreed that consensus via the longest chain (most PoW) wins.
Thus, upgrading the protocol/code to change the encryption to something quantum-resistant should be no more controversial a change than segwit. The community has already answered the "is it still Bitcoin". Yes it is, protocol and code is free to change given longest-chain consensus.
The problem will be what to do with legacy addresses. Never before have issued coins been forcibly deleted by a BIP. It could turn out that legacy addresses (including Satoshi's) that fail to have their coins moved after a deadline must be considered compromised and burned/destroyed. That has no precedent with bitcoin, although it does with ETH.
Anyone know if there's a way out that doesn't require this? Obviously there's no way to ensure all legacy address coins are moved by the deadline.
Bitcoin core devs do not make decisions for the distributed network. Yes they have outsized power but with the whole BIP110 thing going on now and Bitcoin Knots gaining adoption, I'm more confident now that sudden changes from the core devs will not be blindly accepted by all. That aside, it will be necessary to hard fork the chain from a point before a quantum attack, but there will be several proposals and the community will vote with their nodes.
No because you are not changing the ledger. You are changing the authentication mechanism for transactions. It's like adding a new supported password hash.
This was already pretty well hashed out (heh) during the 'core'/'cash' issue when there was an attempt to fork in an expanded block size. Both chains still exist. Bitcoin operation is entirely up to the miners to determine the heaviest chain, and that's like two entities (the number of entities required is called the Nakamoto coefficient). It's not magic, but there is a huge cult built up around it by scammers, rubes, opportunists and speculators.
The most likely quantum attack on Bitcoin will be a catastrophic transfer of large wallets to burn addresses along with a massive short position. No need to worry about washing stolen coins when you can just enjoy your "well timed" legal short position's windfall.
Interesting, considering the extra liability / (stability) volatility that bitcoin options provide when making ROI and hashrate calculations, this can be a triple threat.
Like publicly destroying ivory/poppy stockpiles while simultaneously holding puts/futures on correlating pharmaceutical financial instruments.
1) Short markets in Bitcoin don't have unlimited depth, and the centralized ones are KYC'd so there's some risk there
2) What if it doesn't tank the price? One thing people have suggested is just burning all the vulnerable coins[1]; it reduces supply so maybe the price will... go up? The point is there's uncertainty.
One thing that is not addressed: say this quantum attack happens tomorrow and everyone agrees it was an attack, what would prevent the community (miners, node operators, and users) to hard fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin? There would be loss of value of course, but it is not unrecoverable.
It’s worth remembering that Ethereum forked for much less (not even a bug in the protocol, but a bug in a private application running on the protocol) and nobody seems too upset about it a decade later.
> fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin?
It won't work. The only way to authenticate who owns what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.
You need to move to a safer signature algorithm before the break; after the break it is game over.
> It’s worth remembering that Ethereum forked for much less
Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again.
Even if Q-day means there is a way to deterministically retrieve any private key from a public key (is that what it means? or is the blast radius of q-day contained? This is a bit above my level of cryptography), I’m sure we could come up with something to minimize the damage. In the worst case, it might involve a claim process with an authority or consensus mechanism to prove who the rightful owner of the funds is and revert the unauthorized transactions on the new chain.
Yes, this is not ideal! But if the wallet conversion requires active participation, preemptive measures are also not ideal.
> How do you prove anything, after the key material is compromised?
It’s a blockchain, so the simplest would be chain of custody until the chain points undeniably at you. This is not a pure cryptographic device, some social intervention might be needed here.
In theory nothing prevents that but it would be so contentious that the backlash (e.g. 90% drawdown) may be even worse than just letting the hacks stand.
The Bitcoin “value overflow incident” on August 15, 2010 is probably the closest thing and that didn't affect the price much (though one BTC was around 8c at the time)
Letting the hack stand means the chain comes to a halt and all value is destroyed? Even if you’re a staunch bitcoin purist, I don’t think that’s the path you want to go on.
The chain wouldn't halt because mining won't be affected by quantum. If you see hacks happening you could race to move your coins into a PQ wallet before the hackers do. I'm assuming that PQ software will be available before the hacks. I agree that this is a very bad scenario.
"A CRQC is an existential threat to Bitcoin (you might believe this is very low-likelihood). Your measurement of this threat should literally be:
(A) How likely you think it is a CRQC appears by a given time, multiplied by
(B) How likely it is you think Bitcoin will not successfully upgrade by that time."
It would be interesting to survey people about their answers.
My off the cuff answer is:
2030: A=0.05, B=0.01
2035: A=0.50, B=0.001
2045: A=~1.0, B=~0.0
I reserve the right to change my mind on these answers at any point. This is not a serious prediction.
2045 A=~1.0 seems way off. CRQC is still a theoretical construct with hurdles to overcome. Yes, there is a significant risk that it will exist somewhere in the next decades, but there is also still a significant chance that it will be shown to be practically impossible.
That is not what I am hearing from people working on CRQC. A prediction of a CRQC with 10% by 2030 was made by one of the top experts in this field. 2045 used to be the pessimistic outlook by experts, with a bunch of experts predicting earlier. Recent work has shown that a CRQC is actually 20 times easier to build than previously thought, accelerating all timelines.
We are seeing significant progress in two different types of quantum computers, neutral atom and superconducting qubit.
No one really knows when it will happen, but the view that it is practically impossible is held only by a small number of experts. What we have seen in 2026 has significantly shifted expectations.
I'm skeptical that B is fully possible. You can create a PQ fork of bitcoin but you cannot automatically bring vulnerable wallets along - and there are a lot of vulnerable wallets, especially from the early days. There's a catastrophe ahead for bitcoin with an apparent probability of 1.0. That's hard to account for in this scheme.
Karl Popper calls this a psychological probability(% chance I go to the gym today). This is different from objective probability (% chance a dice lands on 5).
In this case, it seems like we are rolling dice but no one is quite sure if the dice are fair, how many sides they have and what numbers are written on them.
The only thing I am confident in is that the bigger the fire, the faster the work. I want the Bitcoin community to start the work as early as possible so that it doesn't have to rush, because rushing increases the chance of mistakes.
Somewhat ironic question, but as ETFs holdings of BTC continue to grow, is there a possibility that the custodians of those ETFs start to have a backup plan for ETF holders or create an alliance to push a fork forward? The management fee those companies generate is non-trivial, so they're incentivized to stay ahead of this.
Now, of course, the irony here would be traditional finance infrastructure winning out over decentralized, which could definitely deal a psychological blow to BTC's perceived value... but it's something I've been thinking about lately as this existential threat rises on the horizon.
Yes, if you read the fine print on the ETFs they tell you what they will do in case of a fork. Usually their custodian picks the "winning" chain at their discretion. There's a similar (although reversed) situation with stablecoins.
As was alluded to in the comments, my colleagues at Blockstream Research are doing some work on this with mechanisms called SHRINCS and SHRIMPS.
Of course, inventing and demonstrating a quantum-resistant signature mechanism isn't the same thing as deploying it in consensus or upgrading everyone's UTXOs to it, and it's fair to say that there are many steps in between!
This work is important, and I'm looking forward to forming an opinion on it. Maybe a future post! For those who are interested, this is what I'm aware of:
I think we still have a 3-4 year escape window before the qubit range necessary for breaking the encryption is reached. But China is unstoppable and advancing rapidly, so the crypto community needs to upgrade to Post-Quantum Cryptography before the threshold breaks.
> Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?
> A: If you truly believe this, you really should value Bitcoin at 0 – it has many unnecessary components with a lot of overhead, like proof-of-work and digital signatures.
Proof of work is still necessary for two reasons:
1) to fairly distribute all coins (it's not sufficient though, e.g. Bitcoin's halvings still concentrate wealth on early miners/adopters)
2) to provide objective proof for the true transaction history, anchored in energy expenditure.
Apparently bitcoin foundation is already working on SHRINCS and SHRIMPS. But whether they will forcibly revoke keys of satoshi and all early bitcoin whales or not is another question!
>Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?
I've had this thought for a while actually: how would reproducing some random number be legally "stealing" under any legal system in the world? Putting aside that cryptocurrencies have always been about "code decides" etc., that they're outside of the legal system entirely, I'm struggling to see where there's any actual property interest here. Randomly generated numbers are not protected by IP in any way. There's no computer fraud act angle or the like here; nobody would be having so much as the slightest interaction with anyone else's private system. They'd merely be taking publicly available unprotected numbers and doing some math on them with their own quantum computer. Somebody else who has something related to those numbers is never deprived of them or interacted with in the slightest. There is nothing resembling "hacking", no flaws in the software exploited, all just math there from the start.
I can understand how suddenly a lot of proponents might wish to cling to and push the idea that it's "illegal" or "stealing", but there doesn't appear to be any meat on dem bones. Maybe they hope to generate support to get laws passed banning it, though it's hard to see that working out either. As a practical matter it seems like they're just going to have to agree on a transition to a new version using PQE algorithms and try to convert over before it's too late?
Isn't your bank balance in a bank database also "just a number"? That number still exists if it goes up or down.
I understand that the bank's ownership of its computer means that hacking into it could be seen as (for example) a trespass. However, what if you somehow persuaded a bank employee to change someone's balance? The bank employee has some kind of authority to do this and the result is once again "just a number".
OK, what if you display some fraudulent information somewhere that leads a bank employee to decide to update a balance?
I don't want to entirely dismiss your intuition because after all there is lots of interest in not relying on legal systems to adjudicate issues related to cryptocurrency transactions. However, changing numbers and causing people or devices to change numbers is not inherently categorically exempt from being considered fraudulent. For that matter, computer fraud laws are often explicitly written to apply to unauthorized alteration of data, not just to unauthorized access to a specific device.
You might try to defend this by saying
* the ownership of cryptocurrency assets is defined as the ability to transfer them, and should not be further or separately interpreted apart from that ability, or
* deceiving a protocol is less obviously wrongful (or at least harder to define) than deceiving a person, or
* computer crime should require undermining someone's intent about the use of devices or data and that intent should be clearly manifested and meaningful, which it arguably isn't in a cryptocurrency system, or
* offline institutions create some kind of intelligible notion of ownership that's related to the non-digital world and this kind of ownership is what laws about theft or fraud aim to protect rather than any other kind of ownership without that non-digital nexus. (although this doesn't seem to be empirically true as ownership of, for example, domain names has been recognized as a form of property by courts since at least Kremen v. Cohen in 2003, even though it is just a matter of a database entry and has no offline existence)
These are interesting conceptual possibilities, but not necessarily persuasive for courts, law enforcement, or cryptocurrency end users.
Cryptocurrency gains are taxable in many (most?) countries. Clearly the governments see cryptocurrency as something more than just random numbers without meaning.
Likewise, when government agencies shut down dark net markets (DNMs), they will seize the cryptocurrency funds that the DNM had (from market fees etc., or even funds that belonged to customers and were in escrow etc. by the DNM) if they can (i.e. if they get access to the private keys of DNM owned wallets either by technical means or by convincing the operators of the DNM to hand over the keys). Again because the governments view cryptocurrencies as something more than just random numbers without meaning.
Speaking of seized funds. Let’s say that a government agency had seized a significant amount of bitcoin from a DNM and was transferring those funds to wallets under government agency control. Along comes some guy with a quantum computer and takes those funds for himself. Is the government agency just going to throw its hands in the air and say “oh well, he guessed the random number, nothing more we can do!” No, I think not.
The best bet would be to factor satoshi's keys, and then publish them on something like OEIS for some novel-math reason, and let someone else steal them for you.
I can't imagine that getting laws passed is going to help. The government can't just order a bank to restore funds, the way they can with regular currency. They could try forcing the culprit to return them, but it seems unlikely for the culprit to be in your jurisdiction.
I suppose we could pass laws to prevent them from ever spending the money in a country that they can control. Even then, they'd have to find ways around the funds being "laundered" through mixers.
[1] https://x.com/lostbutlucky/status/2040878873731080681
Existing wallets need to actively commit to some PQ signature mechanism, prior to Q-day.
That's exactly what it means. (Note also that under ECDSA you can retrieve a public key from a valid signature).
How do you prove anything, after the key material is compromised?
Start early, don't rush.
- Tim Ruffing proved that Taproot's commitment scheme was quantum-resilient: https://eprint.iacr.org/2025/1307
- Jonas Nick and Mikhail Kudinov have proposed SHRINCS: https://delvingbitcoin.org/t/shrincs-324-byte-stateful-post-... and SHRIMPS: https://x.com/n1ckler/status/2038695067754328095.
I suspect that the author is in a pretty drastic minority here.
A related article on Bitcoin Core resistance to upgrading: https://murmurationstwo.substack.com/p/bitcoin-developers-ar...
Why do you need this if you are willing to trust other people not to steal coins or lie?
> 1) to fairly distribute all coins
Same question as above. If you don't care about perfidy, simply use the honor system for coin distribution.
If you do care about perfidy, then you should probably care about people breaking the law to steal your coins.