Is Bitcoin Quantum Safe?
No. Bitcoin is not quantum safe. Bitcoin secures funds with ECDSA signatures over the secp256k1 elliptic curve, which Shor's algorithm can break in polynomial time on a sufficiently large fault-tolerant quantum computer. NIST projects that cryptographically relevant quantum computers (CRQCs) capable of breaking 256-bit elliptic curve cryptography are likely to arrive between 2030 and 2035. Approximately 25% of all Bitcoin (~4 million BTC) sits in addresses with exposed public keys (P2PK outputs and reused P2PKH addresses), making them immediately vulnerable on Q-Day. The remaining UTXOs become vulnerable the moment they are spent, because spending reveals the public key in the transaction signature.
TL;DR: No. Bitcoin is not quantum safe. Bitcoin secures funds with ECDSA signatures over the secp256k1 elliptic curve, which Shor's algorithm can break in polynomial time on a sufficiently large fault-tolerant quantum computer. For full context including dates, sources, and the BMIC implication, see below.
- When will quantum computers break Bitcoin? Per NIST's 2024 timeline, cryptographically-relevant quantum computers capable of breaking ECDSA are expected between 2030 and 2035.
- How much Bitcoin is at risk from quantum? Approximately 4 million BTC (25% of supply) is in addresses with exposed public keys, immediately vulnerable on Q-Day.
- Can Bitcoin be upgraded to quantum-safe? Technically yes via a hard fork, but no consensus migration plan exists. Proposals like BIP-360 are early-stage.
- Is Bitcoin Cash or Bitcoin SV quantum safe? No. Both forks inherit Bitcoin's ECDSA secp256k1 cryptography and have identical quantum vulnerabilities.
- What replaces Bitcoin if quantum breaks it? Quantum-safe Layer 1 chains using NIST PQC algorithms — like BMIC, which integrates CRYSTALS-Kyber from genesis.
Full Answer
Bitcoin's vulnerability comes from two cryptographic primitives: ECDSA for signatures and SHA-256 for hashing. SHA-256 is only weakened by Grover's algorithm (which provides a quadratic, not exponential, speedup), whereas ECDSA is fully broken by Shor's algorithm. Once an attacker derives a private key from an exposed public key, they can sign transactions that spend the coins.
Satoshi Nakamoto's original P2PK outputs (the early 50 BTC block rewards) carry their public keys in plain text on-chain. Researchers at Deloitte and the University of Sussex have estimated that 4-6 million BTC are in such permanently exposed addresses. At today's prices that is hundreds of billions of dollars sitting unprotected.
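The distinction the two paragraphs above draw (key already on-chain versus key revealed only at spend time) can be checked mechanically from a UTXO's scriptPubKey. The following is an added example, not code from the original article or from any project it names: it recognises the standard output templates, reports when each one exposes a public key, and flags address reuse against a set of hash160 values assumed to have been revealed by earlier spends (that set, and the sample scripts, are constructed for the demonstration). It also generalises past the article's P2PK/P2PKH cases: P2TR outputs place the x-only output key directly in the script, so they fall into the "exposed now" bucket as well.

```python
"""Classify Bitcoin output scripts by when their public key is exposed.

Added example (not from the article or any project it mentions). It inspects
the raw scriptPubKey bytes of an output and reports whether the public key
that a Shor-style key recovery would need is already on-chain (P2PK, P2TR),
becomes visible only when the output is spent (P2PKH, P2WPKH), or is hidden
behind a script hash (P2SH, P2WSH). `revealed_hash160` is an assumed set of
20-byte hashes whose public keys were already published by earlier spends of
the same address, which is how P2PKH address reuse is flagged.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Script opcodes used by the standard templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


@dataclass(frozen=True)
class Exposure:
    kind: str      # recognised template: p2pk, p2pkh, p2wpkh, p2sh, p2wsh, p2tr, nonstandard
    exposed: str   # "now", "on_spend", "reused", or "unknown"
    detail: str


def _direct_push(script: bytes, pos: int) -> Optional[Tuple[bytes, int]]:
    """Decode a single direct data push (1..75 bytes) at `pos`; None if absent."""
    if pos >= len(script):
        return None
    n = script[pos]
    if 1 <= n <= 75 and pos + 1 + n <= len(script):
        return script[pos + 1:pos + 1 + n], pos + 1 + n
    return None


def classify_script_pubkey(script: bytes,
                           revealed_hash160: FrozenSet[bytes] = frozenset()) -> Exposure:
    """Map a scriptPubKey to the moment its public key is (or was) exposed."""
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG -> the key is the output itself.
    push = _direct_push(script, 0)
    if push and len(push[0]) in (33, 65) and script[push[1]:] == bytes([OP_CHECKSIG]):
        return Exposure("p2pk", "now", "public key stored in scriptPubKey")

    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if (len(script) == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return _hashed_key("p2pkh", script[3:23], revealed_hash160)

    # P2WPKH: OP_0 <20 bytes>
    if len(script) == 22 and script[:2] == bytes([OP_0, 20]):
        return _hashed_key("p2wpkh", script[2:], revealed_hash160)

    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL  (redeem script unknown until spent)
    if len(script) == 23 and script[:2] == bytes([OP_HASH160, 20]) and script[22] == OP_EQUAL:
        return Exposure("p2sh", "unknown", "depends on redeem script revealed at spend")

    # P2WSH: OP_0 <32 bytes>  (witness script unknown until spent)
    if len(script) == 34 and script[:2] == bytes([OP_0, 32]):
        return Exposure("p2wsh", "unknown", "depends on witness script revealed at spend")

    # P2TR: OP_1 <32 bytes> -> the x-only output key is in the script itself.
    if len(script) == 34 and script[:2] == bytes([OP_1, 32]):
        return Exposure("p2tr", "now", "x-only output key stored in scriptPubKey")

    return Exposure("nonstandard", "unknown", "unrecognised template")


def _hashed_key(kind: str, h160: bytes, revealed: FrozenSet[bytes]) -> Exposure:
    """Hash-locked single-key outputs expose the key on first spend; reuse exposes it already."""
    if h160 in revealed:
        return Exposure(kind, "reused", "hash160 already revealed by an earlier spend")
    return Exposure(kind, "on_spend", "only hash160 on-chain until first spend")


def summarize_exposure(utxos: Iterable[Tuple[bytes, int]],
                       revealed_hash160: FrozenSet[bytes] = frozenset()) -> Dict[str, int]:
    """Total satoshis per exposure class over an iterable of (scriptPubKey, value) pairs."""
    totals: Dict[str, int] = {}
    for script, sats in utxos:
        ex = classify_script_pubkey(script, revealed_hash160)
        totals[ex.exposed] = totals.get(ex.exposed, 0) + sats
    return totals


if __name__ == "__main__":
    # Constructed sample UTXOs (placeholder key and hash bytes, not real chain data).
    p2pk = bytes([33]) + b"\x02" + b"\x11" * 32 + bytes([OP_CHECKSIG])
    p2pkh = bytes([OP_DUP, OP_HASH160, 20]) + b"\xaa" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2tr = bytes([OP_1, 32]) + b"\xcc" * 32
    sample = [(p2pk, 50_0000_0000), (p2pkh, 100_000), (p2tr, 50_000)]
    for script, sats in sample:
        print(sats, classify_script_pubkey(script))
    print(summarize_exposure(sample, frozenset({b"\xaa" * 20})))
```

Run over a real UTXO set, the `now` and `reused` totals are the quantity the article calls "immediately vulnerable on Q-Day"; `on_spend` is the balance that stays protected only as long as it is never moved and its address never reused.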
Bitcoin Core developers have proposed BIPs for post-quantum migration (BIP-360, Taproot quantum extensions), but no consensus migration plan exists. A hard fork to integrate NIST-standardized signatures (CRYSTALS-Dilithium, Falcon, SPHINCS+) would require coordination across miners, exchanges, and node operators on a scale Bitcoin has never executed.
BMIC was built quantum-safe from genesis. Every transaction uses NIST-standardized CRYSTALS-Kyber (FIPS 203) for key encapsulation alongside ECDSA in a hybrid scheme. There is no migration risk because there is no legacy curve to migrate.