
Contrary to popular belief, quantum computers do not “break” Bitcoin encryption. Instead, the realistic threat is the forging of digital signatures for public keys that have already been published.
Quantum computers cannot decrypt Bitcoin because it stores no encrypted secrets on-chain.
Ownership is enforced through digital signatures and hash-based commitments, not ciphertexts.
The key quantum risk is authorization forgery.
If a cryptographically relevant quantum computer could run Shor's algorithm against Bitcoin's elliptic curve cryptography, it could derive private keys from on-chain public keys and produce valid signatures for competing spends.
Much of the “quantum will break Bitcoin encryption” framing is a terminological error. Adam Back, long-time Bitcoin developer and inventor of Hashcash, summed it up on X this way:
“Pro Tip for Quantum FUD Advocates. Bitcoin doesn't use encryption. It's all about getting the basics right.”
Another post drew the same distinction more explicitly, pointing out that a quantum attacker does not “decrypt” anything but instead uses Shor's algorithm to derive the private key from an exposed public key.
“Encryption refers to the act of hiding information so that only those who have the key can read it. Bitcoin does not do this. Blockchain is a public ledger, so anyone can see every transaction, every dollar amount, and every address. Nothing is encrypted.”
Why public key disclosure, not encryption, is Bitcoin's real security bottleneck
Bitcoin's signature schemes, ECDSA and Schnorr, are used to prove control of key pairs.
In this model, coins are spent by producing signatures that the network accepts.
That is why publishing the public key matters so much.
Whether a public key is exposed depends on what appears on-chain.
Many address formats commit to a hash of the public key, so the raw public key is not exposed until the output is spent.
This narrows the window in which an attacker could compute the private key and broadcast a conflicting transaction.
Other script types publish public keys early, and address reuse can turn a one-time exposure into a permanent target.
Project Eleven's open source “Bitcoin Risk List” query defines risk at the script-type and reuse level.
This maps where public keys are already available to a potential Shor attacker.
Why quantum risks are measurable today, even if not imminent
Taproot changes the exposure pattern in a way that only becomes significant once large fault-tolerant machines exist.
As described in BIP 341, a Taproot output (P2TR) contains a 32-byte public key tweaked by the output's script commitment, rather than a public key hash.
The Project Eleven query document lists P2TR among the categories in which public keys appear in the output, alongside pay-to-pubkey and some multisig forms.
Today this creates no new vulnerability.
However, if keys can be recovered, what is exposed by default changes.
Because exposure is measurable, the vulnerable pool can be tracked now without committing to a quantum timeline.
Project Eleven says its “Bitcoin Risk List” concept aims to run weekly automated scans covering all quantum-vulnerable addresses and their balances; details are in its methodology post.
Its public tracker shows a headline figure of approximately 6.7 million BTC meeting its exposure criteria:
| Quantity | Order of magnitude | Source |
|---|---|---|
| BTC in “quantum vulnerable” addresses (public key exposed) | ~6.7 million BTC | Project Eleven |
| Logical qubits for a 256-bit prime-field ECC discrete log (upper bound) | ~2,330 logical qubits | Roetteler et al. |
| Physical qubit scale for a ~10-minute key recovery setup | ~6.9 million physical qubits | Litinski |
| Physical qubit scale for a one-day key recovery setup | ~13M physical qubits | Schneier on Security |
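The script-level exposure described above (raw keys in pay-to-pubkey, bare multisig and Taproot outputs; hashed keys in P2PKH/P2WPKH that become exposed only on spend or reuse) can be checked mechanically. The following is an added example, not Project Eleven's query or code: it classifies a scriptPubKey by template, flags whether a Shor-capable attacker could already read a public key from the output itself or from an earlier spend of the same script, and totals balances per category. The UTXOs, keys and hashes are constructed sample data.

```python
"""Scan UTXO scripts for on-chain public key exposure (added example)."""
from collections import defaultdict

OP_0, OP_1, OP_DUP, OP_HASH160 = 0x00, 0x51, 0x76, 0xA9
OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG, OP_CHECKMULTISIG = 0x87, 0x88, 0xAC, 0xAE


def classify_script(spk: bytes):
    """Return (script_type, key_in_output).

    key_in_output is True when raw public key(s) sit in the output script,
    so exposure does not wait for a spend.
    """
    n = len(spk)
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False                      # 20-byte hash of the key
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[22] == OP_EQUAL:
        return "p2sh", False                       # hash of a redeem script
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh", False                     # segwit v0 key hash
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh", False                      # segwit v0 script hash
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr", True                        # BIP 341: 32-byte x-only key in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True                        # key pushed in clear, then OP_CHECKSIG
    if n >= 3 and spk[-1] == OP_CHECKMULTISIG and OP_1 <= spk[0] <= 0x60 and OP_1 <= spk[-2] <= 0x60:
        # bare multisig: OP_m <key> ... <key> OP_n OP_CHECKMULTISIG, keys pushed in clear
        pos, keys = 1, 0
        while pos < n - 2 and spk[pos] in (33, 65):
            pos += 1 + spk[pos]
            keys += 1
        if pos == n - 2 and keys == spk[-2] - 0x50:
            return "bare_multisig", True
    return "unknown", False


def risk_category(spk: bytes, spent_before: bool) -> str:
    """Exposure bucket for one output, given whether this script was spent from before."""
    _, in_output = classify_script(spk)
    if in_output:
        return "EXPOSED_IN_OUTPUT"
    if spent_before:
        return "EXPOSED_BY_REUSE"    # key was revealed in an earlier spend of this script
    return "HASH_ONLY"


def risk_scan(utxos, spent_scripts):
    """utxos: iterable of (scriptPubKey, value_sats); spent_scripts: set of scripts
    that have been spent from at least once. Returns {category: total_sats}."""
    totals = defaultdict(int)
    for spk, value in utxos:
        totals[risk_category(spk, spk in spent_scripts)] += value
    return dict(totals)


# Constructed sample data (not real keys or balances).
KEY33 = bytes([0x02]) + bytes(range(1, 33))      # constructed compressed key
KEY32 = bytes(range(32))                          # constructed x-only key
H20 = bytes(range(20))                            # constructed key hash
P2PK = bytes([33]) + KEY33 + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 0x14]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 0x14]) + H20
P2TR = bytes([OP_1, 0x20]) + KEY32
MULTISIG = bytes([OP_1, 33]) + KEY33 + bytes([33]) + KEY33 + bytes([0x52, OP_CHECKMULTISIG])

SAMPLE_UTXOS = [
    (P2PK, 50_00000000),      # early coinbase style: key in the output
    (P2TR, 1_00000000),       # Taproot: key in the output
    (P2PKH, 2_00000000),      # hashed, but this address was spent from before (reuse)
    (P2WPKH, 3_00000000),     # hashed, never spent from
    (MULTISIG, 10_000000),    # bare 1-of-2: keys in the output
]
SAMPLE_SPENT = {P2PKH}

if __name__ == "__main__":
    for category, sats in risk_scan(SAMPLE_UTXOS, SAMPLE_SPENT).items():
        print(f"{category:20s} {sats / 1e8:12.8f} BTC")
```

The reuse flag is the part a real scan must get from the full transaction history rather than the UTXO set alone: a hashed output is only "safe" if no prior spend ever placed its key in a scriptSig or witness.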
Computationally, the key distinction is between logical and physical qubits.
In the paper “Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms,” Roetteler and coauthors give an upper bound of 9n + 2⌈log2(n)⌉ + 10 logical qubits for computing elliptic curve discrete logarithms over n-bit prime fields.
For n = 256, that works out to 2,330 logical qubits.
Translating this into an error-corrected machine that can run deep circuits at low failure rates is where physical qubit overhead and runtime become decisive.
Architecture choices set a wide range of runtimes
Litinski estimated in 2023 that computing a 256-bit elliptic curve private key requires approximately 50 million Toffoli gates.
Under that assumption, his modular architecture could compute one key in about 10 minutes using about 6.9 million physical qubits.
A related research summary from Schneier on Security cites an estimate of approximately 13 million physical qubits to break a key within a day.
The same line of estimation also quotes about 317 million physical qubits for a one-hour window, depending on timing and error rate assumptions.
For Bitcoin operations, the nearer-term levers are at the behavioral and protocol level.
Address reuse increases the risk, and wallet design can reduce it.
Project Eleven's wallet analysis points out that once a public key is on-chain, any future funds sent to the same address remain exposed.
If key recovery fits within the block interval, an attacker would race to spend from the exposed output rather than rewrite consensus history.
Hashing is often folded into these narratives, and the quantum lever there is Grover's algorithm.
Grover provides a square-root speedup of brute-force search, not the discrete log break provided by Shor.
A NIST study on the actual cost of Grover-style attacks highlights that error correction and overhead form system-level costs.
Even in the idealized model, a SHA-256 preimage remains on the order of 2^128 operations after Grover.
This is not comparable to the ECC discrete log break.
That leaves signature migration as the problem, constrained by bandwidth, storage, fees, and throughput.
Post-quantum signatures are often kilobytes rather than the tens of bytes users are accustomed to.
This changes the transaction weight economics and wallet UX.
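The weight economics can be put in numbers. The block below is an added example, not code from the article or from any BIP: it computes the virtual size of a single transaction input under the BIP 141 weight rules (4 weight units per base byte, 1 per witness byte, vsize = weight / 4) for today's Schnorr key-path spend and ECDSA P2WPKH spend, and for hypothetical inputs carrying post-quantum signatures. The signature and key sizes are the FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) parameter sets; the assumption that a future output type would put both the signature and the revealed public key in the witness is mine, as is the 10 sat/vB fee rate.

```python
"""Virtual size and fee of one input as a function of signature size (added example)."""
from math import ceil

# Fixed non-witness bytes of one input: 32-byte prevout txid, 4-byte output
# index, 1-byte length of an empty scriptSig, 4-byte sequence.
INPUT_BASE_BYTES = 32 + 4 + 1 + 4


def compact_size_len(n: int) -> int:
    """Bytes used by Bitcoin's CompactSize length prefix for a value n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def witness_bytes(items) -> int:
    """Serialized witness for one input: item count, then (length prefix + data) per item."""
    return compact_size_len(len(items)) + sum(compact_size_len(size) + size for size in items)


def input_vbytes(witness_items) -> float:
    """BIP 141: weight = 4 * base bytes + witness bytes; vsize = weight / 4."""
    weight = 4 * INPUT_BASE_BYTES + witness_bytes(witness_items)
    return weight / 4


def fee_sats(vbytes: float, sat_per_vb: float) -> int:
    """Fee for a given virtual size, rounded up to whole satoshis."""
    return ceil(vbytes * sat_per_vb)


# Witness layouts as lists of item sizes in bytes: [signature, public key revealed at spend].
# The Taproot key-path spend reveals no key (it is already in the output per BIP 341).
# Assumed layout for the post-quantum rows: signature followed by the public key.
SCHEMES = {
    "schnorr_p2tr_keypath": [64],
    "ecdsa_p2wpkh": [72, 33],                  # DER sig (typically 71-72 B) + compressed key
    "ml_dsa_44 (FIPS 204)": [2420, 1312],
    "ml_dsa_65 (FIPS 204)": [3309, 1952],
    "slh_dsa_sha2_128s (FIPS 205)": [7856, 32],
}


def size_table(sat_per_vb: float = 10.0):
    """{scheme: (vbytes per input, fee in sats at the given rate)}."""
    return {name: (input_vbytes(items), fee_sats(input_vbytes(items), sat_per_vb))
            for name, items in SCHEMES.items()}


if __name__ == "__main__":
    for name, (vb, fee) in size_table().items():
        print(f"{name:30s} {vb:9.2f} vB  {fee:7d} sat @ 10 sat/vB")
```

The Schnorr key-path input comes out at 57.5 vB and the ECDSA P2WPKH input at 68 vB, the figures wallet fee estimators use today; an ML-DSA-44 input under the assumed layout is roughly 17 times larger, which is the "transaction weight economics" the article refers to. A hash-based output type that keeps the key out of the output until spend time still pays for the key in the witness, so the fee cost is the price of the exposure reduction.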
Why quantum risk is a transition challenge, not an immediate threat
Outside of Bitcoin, NIST has standardized post-quantum primitives such as ML-KEM (FIPS 203) as part of a broader transition plan.
Inside Bitcoin, BIP 360 proposes a “Pay to Quantum-Resistant Hash” output type.
Separately, qbip.org advocates deprecating legacy signatures to create migration incentives and shrink the long tail of exposed keys.
Recent corporate roadmaps add context to why this topic is framed as infrastructure rather than emergency.
In a recent Reuters report, IBM discussed advances in error correction components and reiterated its path toward fault-tolerant systems around 2029.
In a separate report, Reuters also highlighted IBM's claim that a key quantum error correction algorithm of its can run on conventional AMD chips.
Within that framing, “quantum breaks Bitcoin encryption” fails on both terminology and mechanics.
The measurables are how exposed the UTXO set's public keys are, how wallet behavior changes in response to that exposure, and how quickly the network can adopt quantum-resistant spending paths while staying within verification and fee market constraints.

