About 6.26 Million BTC at Risk of Quantum Computer Hacking

Cryptographically relevant quantum computers (CRQC) may appear as early as 2030, posing a threat to the theft of up to 10 million BTC, with approximately 6.26 million BTC being critically vulnerable. In response, the Bitcoin community is exploring options to counter this potential threat.

According to a Chaincode report, CRQCs in the near future could break the cryptographic foundations of Bitcoin. The most vulnerable funds are those with reused addresses and those with exposed public keys, such as P2PK, P2MS, and Taproot (P2TR). Potentially between 4 and 10 million BTC are at risk, including institutional holdings, old addresses, and presumably lost coins.

Meanwhile, the quantum threat to mining is less acute due to limitations of Grover’s algorithm and the lack of efficient parallelism. However, there’s a risk of mining centralization and network instability if dominant quantum miners emerge.

As a response, the Bitcoin community is discussing the implementation of post-quantum cryptography (PQC) using algorithms like SPHINCS+, FALCON, and CRYSTALS-Dilithium. The leading proposals include:

1. BIP-360 (P2QRH), a hybrid model using hashes of PQC keys instead of public keys to reduce vulnerability.
2. BIP-347 (OP_CAT), supporting Lamport signatures by reintroducing the previously disabled OP_CAT opcode.
3. OP_SPHINCS, adding a dedicated opcode for SPHINCS signatures.

All these solutions remain in early stages and would require at least one or two soft forks .

The report outlines two implementation strategies:

1. Short-term (~2 years): research, minimal protection implementation, and migration of vulnerable UTXOs.
2. Long-term (~7 years): a complete architectural overhaul with large-scale migration and optimized PQC schemes.

In the best case, migrating 190 million UTXOs could take around 76 days at full block capacity, but realistic estimates at 25% capacity range from 305 to 568 days.

One major unresolved question is what to do with vulnerable funds whose owners are unreachable. Two possible scenarios:

1. Burn — make the funds permanently inaccessible, protecting the network from theft.
2. Steal — take no action, adhering to the principle of non-intervention but risking mass thefts.

Supporters of burning emphasize protecting property rights and preventing arbitrary wealth redistribution, while opponents see it as a confiscation act.

In 2024, Massimiliano Sala, Full Professor at the Department of Mathematics at the University of Trento, published a report noting that all blockchain networks using public key cryptography will be potentially vulnerable to quantum computers capable of breaking them by brute-force mathematical methods.