
Satoshi's $140B in qubits: Quantum computers just got a 9-minute window to rob Bitcoin

Quantum computers capable of breaking Bitcoin don't exist yet, but developers are already building defenses, and for good reason. This week, Google published research suggesting that a sufficiently powerful quantum machine could crack Bitcoin's core cryptography in under nine minutes, about a minute faster than Bitcoin's 10-minute target block interval, the window in which an unconfirmed transaction is typically waiting to settle. Some analysts believe this threat could become reality by 2029.

The stakes are enormous: roughly 6.5 million bitcoin, worth hundreds of billions of dollars, sit in addresses a quantum computer could target directly. Some of those coins belong to Bitcoin's pseudonymous creator, Satoshi Nakamoto. Beyond the money, a compromise would gut Bitcoin's core tenets of "trust the code" and "sound money."

Here's how the attack works and what's being proposed to stop it.

Two ways a quantum machine could attack Bitcoin

Bitcoin's security relies on a one-way mathematical relationship. When you create a wallet, a private key (a random 256-bit number) generates a public key by scalar multiplication on the secp256k1 elliptic curve. Spending bitcoin requires proving ownership of the private key without revealing it: you use it to produce a digital signature (ECDSA, or Schnorr for Taproot) that the network verifies against the public key. Recovering the private key from the public key means solving the elliptic-curve discrete logarithm problem, which would take classical computers billions of years.

But a quantum computer running Shor's algorithm solves that problem efficiently: given your public key, it could derive your private key and drain your funds.

Your public key gets exposed in two ways: from idle coins whose key is already visible onchain (a long-exposure attack) or from a transaction waiting in the mempool (a short-exposure attack).

P2PK outputs used by Satoshi and early miners, plus Taproot (P2TR) outputs, activated in 2021, are vulnerable to long-exposure attacks. Both output types put the public key itself in the locking script, so these coins don't need to move to expose their keys: the exposure has already happened and anyone can read it. Address reuse creates the same exposure for hash-based addresses (P2PKH, P2WPKH): once such an address has spent, its public key is visible in that spending transaction, and any coins later sent back to it are equally exposed. Roughly 1.7 million BTC sits in old P2PK outputs, including Satoshi's coins.

Short-exposure attacks target the mempool. For a hash-based address, the public key first appears in the spending transaction; while that unconfirmed transaction waits in the mempool, the key and signature are visible to the entire network. A quantum computer could watch, derive the private key during that brief window, and broadcast a competing spend of the same coins before the original confirms.
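To make the long/short distinction concrete, here is an added example (written for this page, not code from the article) that classifies raw scriptPubKeys by when their public key becomes visible and totals a constructed UTXO set per exposure class. It also flags address reuse: a hash-based output whose key has already signed an earlier transaction is long-exposed regardless of script type. The script templates are Bitcoin's standard ones; the coins, values and key bytes are made up.

```python
"""Classify Bitcoin outputs by when their public key becomes visible to an
attacker: at rest (long exposure) or only at spend time (short exposure).

Added example written for this page, not code from the article. scriptPubKey
templates are the standard ones; the UTXO set below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LONG = "long-exposure"    # key already onchain; idle coins can be targeted
SHORT = "short-exposure"  # key first appears in the spending transaction


def classify_script(spk: bytes) -> Tuple[str, str]:
    """Return (output_type, exposure) for a raw scriptPubKey.

    Exact template matching: push lengths must match, otherwise the script is
    reported as nonstandard and treated as short-exposure (no key is visible)."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG. The key is the script.
    if (n in (35, 67) and spk[0] == n - 2
            and spk[1] in (0x02, 0x03, 0x04) and spk[-1] == 0xAC):
        return "P2PK", LONG
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", SHORT
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", SHORT
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", SHORT
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", SHORT
    # P2TR: OP_1 <32-byte x-only output key>. The key is the script.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", LONG
    return "nonstandard", SHORT


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes
    value_sats: int
    key_seen_in_spend: bool = False  # owning key already signed an earlier tx


def exposure_of(utxo: Utxo) -> Tuple[str, str]:
    """Per-coin exposure. A hash-based output whose key has already appeared
    in a previous spend (address reuse) is long-exposed despite its script."""
    kind, exposure = classify_script(utxo.script_pubkey)
    if exposure == SHORT and utxo.key_seen_in_spend:
        return kind + " (reused)", LONG
    return kind, exposure


def exposure_summary(utxos: List[Utxo]) -> Dict[str, int]:
    """Total satoshis per exposure class."""
    totals = {LONG: 0, SHORT: 0}
    for u in utxos:
        totals[exposure_of(u)[1]] += u.value_sats
    return totals


# Constructed UTXO set (not real chain data); key material is filler bytes.
SAMPLE_UTXOS = [
    Utxo(bytes([0x41, 0x04]) + b"\x11" * 64 + b"\xac", 50 * 100_000_000),   # early P2PK coinbase
    Utxo(b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 150_000_000),       # fresh P2PKH
    Utxo(b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", 200_000_000, True), # P2PKH, key already spent once
    Utxo(b"\x00\x14" + b"\x44" * 20, 25_000_000),                           # P2WPKH
    Utxo(b"\x51\x20" + b"\x55" * 32, 300_000_000),                         # Taproot
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(exposure_of(u), u.value_sats)
    print(exposure_summary(SAMPLE_UTXOS))
```

Run it and the P2PK and Taproot coins, plus the reused P2PKH coin, land in the long-exposure bucket; only the fresh hash-based coins are protected until they move. A real audit would pull scriptPubKeys from a node's UTXO set and derive `key_seen_in_spend` from transaction history rather than from a flag.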

Initiatives under consideration

BIP 360: Removing public key exposure

Every Taproot output permanently exposes a public key onchain, a permanent target for a future quantum attacker. BIP 360 introduces a new output type, Pay-to-Merkle-Root (P2MR), which drops Taproot's key-path spend: the output commits only to a Merkle root of scripts, so an idle P2MR coin shows no public key at all. With no key onchain, a long-exposure attacker has nothing to work from; any key used inside a spending script appears only at spend time, which is the short-exposure case. Lightning payments, multi-signature setups and other script features remain intact.

The catch: this protects only coins moved into the new output type going forward. The 1.7 million BTC already exposed needs separate solutions.

SPHINCS+ / SLH-DSA: Hash-based post-quantum signatures

SPHINCS+ is a post-quantum signature scheme built only on hash functions, so Shor's algorithm, which threatens ECDSA and Schnorr, gives no advantage against it. NIST standardized it in August 2024 as FIPS 205 (SLH-DSA).

The tradeoff is size. Current Bitcoin signatures are 64 bytes (Schnorr) to about 72 bytes (ECDSA). SLH-DSA signatures run from 7,856 bytes for the smallest parameter set (SLH-DSA-SHA2-128s) to nearly 50 KB for the largest, roughly a hundredfold increase at minimum. This would dramatically increase block space demand and transaction fees. Proposals like SHRIMPS and SHRINCS aim to reduce signature sizes while keeping post-quantum security.

Tadge Dryja's Commit/Reveal Scheme: An emergency brake for the mempool

This soft fork, suggested by Lightning Network co-creator Tadge Dryja, protects mempool transactions from quantum attackers by splitting a spend into two phases: Commit and Reveal.

First, you publish a sealed fingerprint, just a hash that reveals nothing about the transaction, and the blockchain timestamps it permanently. Later, when you broadcast the actual transaction, your public key becomes visible. A quantum computer could derive your private key and try to forge a competing transaction, but the forgery is rejected immediately: the network checks whether a spend has a prior onchain commitment, and yours does while the attacker's doesn't.

The downside is higher cost, since every spend now takes two transactions. It's described as an interim bridge while longer-term solutions develop.
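The check described above, as an added example that is not Dryja's code or specification: a toy chain records commitments (SHA-256 of a simplified, JSON-encoded spend) and accepts a reveal only if a matching commitment sits in a strictly earlier block. The scenario replays the attack: the owner commits and reveals, the attacker forges a competing spend of the same coin with no commitment and is rejected, then commits its own and loses because the owner's commitment is older. The earliest-commitment-wins rule for competing spends of one coin, the encoding, and all identifiers are assumptions of this example.

```python
"""Toy commit/reveal validation for mempool spends.

Added example illustrating the two-phase scheme. It is a simplification written
for this page, not Tadge Dryja's specification: the commitment is SHA-256 of a
JSON-encoded spend (not Bitcoin's wire format), it must be confirmed in a block
strictly before the reveal, and competing spends of the same coin are resolved
by oldest commitment (an assumption of this example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Spend:
    """A spend of one coin. The public key is visible only once this is broadcast."""
    input_ref: str                         # "txid:vout" of the coin being spent
    pubkey_hex: str                        # key that signs this spend
    outputs: Tuple[Tuple[str, int], ...]   # (destination, satoshis)

    def serialize(self) -> bytes:
        # Constructed canonical encoding, not Bitcoin's wire format.
        return json.dumps([self.input_ref, self.pubkey_hex, list(self.outputs)],
                          separators=(",", ":")).encode()

    def fingerprint(self) -> bytes:
        """Phase-1 commitment: a hash that reveals neither key nor outputs."""
        return hashlib.sha256(self.serialize()).digest()


@dataclass
class Chain:
    """Minimal chain state: current height and confirmed commitments."""
    height: int = 0
    commitments: Dict[bytes, int] = field(default_factory=dict)  # fp -> height

    def mine_block(self, fingerprints: Optional[List[bytes]] = None) -> int:
        self.height += 1
        for fp in fingerprints or []:
            # A fingerprint keeps the height of its first (earliest) commitment.
            self.commitments.setdefault(fp, self.height)
        return self.height

    def validate_reveal(self, spend: Spend) -> Optional[int]:
        """Phase-2 check: accept only if a matching commitment is confirmed in a
        block strictly before the current tip. Returns that height, or None."""
        h = self.commitments.get(spend.fingerprint())
        if h is None or h >= self.height:
            return None
        return h


def resolve_conflict(chain: Chain, candidates: List[Spend]) -> Optional[Spend]:
    """Among competing spends of the same coin, keep the one whose commitment is
    oldest. Earliest-commit-wins is an assumption of this example."""
    valid = [(chain.validate_reveal(s), s) for s in candidates]
    valid = [(h, s) for h, s in valid if h is not None]
    if not valid:
        return None
    return min(valid, key=lambda hs: hs[0])[1]


def demo() -> dict:
    chain = Chain()
    coin = "ab" * 32 + ":0"                                     # constructed outpoint
    honest = Spend(coin, "02" + "11" * 32, (("owner_new_address", 100_000),))

    # Phase 1: owner commits. The fingerprint alone tells the network nothing.
    chain.mine_block([honest.fingerprint()])                    # height 1
    chain.mine_block()                                          # height 2: commitment is prior

    # Phase 2: owner broadcasts. Only now is the public key visible.
    honest_commit_height = chain.validate_reveal(honest)

    # Attacker derives the key from the revealed pubkey and forges a competing
    # spend of the same coin. No prior commitment exists, so it is rejected.
    forged = Spend(coin, honest.pubkey_hex, (("attacker_address", 100_000),))
    forged_without_commit = chain.validate_reveal(forged)

    # Even if the attacker commits now and waits a block, the owner's is older.
    chain.mine_block([forged.fingerprint()])                    # height 3
    chain.mine_block()                                          # height 4
    winner = resolve_conflict(chain, [forged, honest])
    return {
        "honest_commit_height": honest_commit_height,
        "forged_without_commit": forged_without_commit,
        "winner_is_honest": winner == honest,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a commitment and its reveal in the same block are rejected by `validate_reveal`, which is what forces the attacker to wait at least one block after learning the key, and that a real design also has to decide how long a commitment stays valid and how competing reveals are ordered; this toy only illustrates the basic check.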

Hourglass V2: Slowing the bleeding of old coins

Proposed by developer Hunter Beast, Hourglass V2 targets the roughly 1.7 million BTC in older, already-exposed outputs. The proposal accepts that these coins could eventually be stolen and instead seeks to slow the damage by rate-limiting how fast they can be moved, to about one bitcoin per block, preventing a catastrophic overnight mass liquidation that could crater the market.

It's controversial: even this limited restriction violates the principle that no external party can ever interfere with your right to spend your coins.

Conclusion

None of these proposals is activated yet. Bitcoin's decentralized governance, spanning developers, miners and node operators, means any upgrade will take time. But the steady flow of proposals predating this week's Google report suggests the issue has long been on developers' radar, which may help temper market concerns.

Publisher: gascope.com
Updated: Apr 5, 2026, 11:50 UTC

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.
