Michael Saylor delivered a characteristically bold take on Dec. 16 about Bitcoin and the quantum leap:
“The Bitcoin Quantum Leap: Quantum computing will not break Bitcoin—it’ll harden it. The network upgrades, active coins migrate, lost coins stay frozen. Security goes up. Supply comes down. Bitcoin grows stronger.”
The statement captures the optimistic case for Bitcoin’s post-quantum future. However, the technical record reveals a messier picture, in which physics, governance, and timing decide whether the transition strengthens the network or triggers a crisis.
Quantum won’t break Bitcoin (if migration happens in time)
Saylor’s core claim rests on a directional truth. Bitcoin’s primary quantum vulnerability sits in its digital signatures, not in proof-of-work.
The network uses ECDSA and Schnorr signatures over secp256k1. Shor’s algorithm can derive private keys from public keys once a fault-tolerant quantum computer reaches roughly 2,000 to 4,000 logical qubits.
Current devices operate orders of magnitude below that threshold, placing cryptographically relevant quantum computers at least a decade out.
NIST has already finalized the defensive tools Bitcoin would need. The agency published two post-quantum digital signature standards, ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), as FIPS 204 and 205, with FN-DSA (Falcon) progressing as FIPS 206.
These schemes resist quantum attacks and can be integrated into Bitcoin via new output types or hybrid signatures. Bitcoin Optech tracks live proposals for post-quantum signature aggregation and Taproot-based constructions, with performance experiments showing that SLH-DSA can operate on Bitcoin-like workloads.
What Saylor’s framing omits is the cost. Research from the Journal of the British Blockchain Association argues that a realistic migration is a defensive downgrade: security improves against quantum threats, but block capacity could fall by roughly half.
Node costs rise because current post-quantum signatures are larger and more expensive to verify. Transaction fees climb as each signature consumes more block space.
The hard part is governance. Bitcoin has no central authority to mandate upgrades. A post-quantum soft fork would require overwhelming consensus among developers, miners, exchanges, and large holders, all moving before a cryptographically relevant quantum computer appears.
A16z’s recent analysis emphasizes that coordination and timing pose greater risks than the cryptography itself.
Exposed coins become targets, not frozen assets
Saylor’s claim that “active coins migrate, lost coins stay frozen” oversimplifies the on-chain reality. Vulnerability depends entirely on the address type and on whether the public key is already visible.
Early pay-to-public-key (P2PK) outputs place the raw public key directly on-chain and expose it permanently.
Standard P2PKH and SegWit P2WPKH addresses hide the public key behind a hash until the coins are spent, at which point the key becomes visible and quantum-stealable.
Taproot P2TR outputs encode a public key in the output from day one, making those UTXOs exposed even before they move.
Analyses estimate that roughly 25% of all Bitcoin already sits in outputs with publicly revealed keys. Deloitte’s breakdown and recent Bitcoin-focused work converge on this figure, which encompasses large early P2PK balances, custodian activity, and modern Taproot usage.
On-chain research suggests roughly 1.7 million BTC in “Satoshi-era” P2PK outputs and hundreds of thousands more in Taproot outputs with exposed keys.
Some “lost” coins aren’t frozen but ownerless, and could become a bounty for the first attacker with a capable machine.
Coins that have never revealed a public key (single-use P2PKH or P2WPKH) are protected by hashed addresses, against which Grover’s algorithm provides only a square-root speedup, which parameter adjustments can compensate for.
The most at-risk slice of supply is precisely the dormant coins locked to already-exposed public keys.
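The exposure rules above (key visible from creation for P2PK and P2TR, visible only on spend for P2PKH and P2WPKH, undecidable from the output alone for script-hash outputs) can be expressed as a scriptPubKey classifier. The following Python is an added illustration, not code from the article or from any project it cites: it matches the standard output templates by byte shape and tallies how much of a constructed UTXO set already has its key on-chain. The UTXOs, key bytes and the `key_already_revealed` flag (modelling address reuse, where an earlier spend exposed the key) are all constructed for the example.

```python
"""Classify Bitcoin output scripts by public-key exposure and tally exposed value.

Added example for this article; not code from the article or any cited project.
The sample UTXOs below are constructed (placeholder key bytes), not real chain data.
"""
from dataclasses import dataclass
from enum import Enum


class KeyExposure(Enum):
    # Public key is on-chain from the moment the output is created (P2PK, P2TR).
    AT_CREATION = "exposed at creation"
    # Public key is hidden behind HASH160 until the output is spent (P2PKH, P2WPKH).
    ON_SPEND = "exposed only on spend"
    # Script commits to a script hash, not a single key; exposure depends on the redeem script.
    SCRIPT_HASH = "script hash"
    UNKNOWN = "unknown"


@dataclass
class Classification:
    script_type: str
    exposure: KeyExposure


def classify_script_pubkey(spk_hex: str) -> Classification:
    """Match the standard scriptPubKey templates by their byte shape."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    # P2PK: <push 33|65 bytes> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Classification("P2PK", KeyExposure.AT_CREATION)
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Classification("P2PKH", KeyExposure.ON_SPEND)
    # P2WPKH: OP_0 <push 20> <hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Classification("P2WPKH", KeyExposure.ON_SPEND)
    # P2TR: OP_1 <push 32> <x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return Classification("P2TR", KeyExposure.AT_CREATION)
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Classification("P2SH", KeyExposure.SCRIPT_HASH)
    # P2WSH: OP_0 <push 32> <hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return Classification("P2WSH", KeyExposure.SCRIPT_HASH)
    return Classification("non-standard", KeyExposure.UNKNOWN)


@dataclass
class Utxo:
    value_sat: int
    script_pubkey_hex: str
    # True if an earlier spend from the same address already put the key on-chain
    # (address reuse); the article's "single-use" P2PKH/P2WPKH case is False.
    key_already_revealed: bool = False


def is_quantum_exposed(utxo: Utxo) -> bool:
    c = classify_script_pubkey(utxo.script_pubkey_hex)
    if c.exposure is KeyExposure.AT_CREATION:
        return True
    if c.exposure is KeyExposure.ON_SPEND:
        return utxo.key_already_revealed
    return False  # script-hash and unknown outputs need the redeem script to decide


def exposed_value_sat(utxos) -> int:
    """Sum the value of UTXOs whose public key is already visible on-chain."""
    return sum(u.value_sat for u in utxos if is_quantum_exposed(u))


# Constructed sample set (placeholder key/hash bytes, not real outputs).
SAMPLE_UTXOS = [
    Utxo(50 * 10**8, "41" + "04" + "11" * 64 + "ac"),      # early P2PK, 50 BTC
    Utxo(1 * 10**8, "76a914" + "22" * 20 + "88ac", True),  # reused P2PKH, key revealed
    Utxo(2 * 10**8, "0014" + "33" * 20),                   # single-use P2WPKH
    Utxo(3 * 10**8, "5120" + "44" * 32),                   # P2TR
    Utxo(4 * 10**8, "a914" + "55" * 20 + "87"),            # P2SH, undecidable here
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        c = classify_script_pubkey(u.script_pubkey_hex)
        print(f"{c.script_type:<12} {c.exposure.value:<22} exposed={is_quantum_exposed(u)}")
    print("exposed value (sat):", exposed_value_sat(SAMPLE_UTXOS))
```

On the constructed set, the P2PK, reused P2PKH and P2TR outputs count as exposed (54 BTC of the 60 BTC total), the single-use P2WPKH does not, and the P2SH output is left undecided because the redeem script is not visible until it is spent. Run against a real UTXO dump, the same logic is how a custodian would inventory which of its own outputs need to move first.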
Supply effects are uncertain, not automatic
Saylor’s assertion that “security goes up, supply comes down” separates cleanly into mechanics and speculation.
Post-quantum signatures such as ML-DSA and SLH-DSA are designed to remain secure against large, fault-tolerant quantum computers and are now part of official standards.
Bitcoin-specific migration ideas include hybrid outputs that require both a classical and a post-quantum signature, as well as signature-aggregation proposals to reduce chain bloat.
But supply dynamics aren’t automatic, and three competing scenarios exist.
The first is “supply shrink via abandonment,” where coins in vulnerable outputs whose owners never upgrade are treated as lost or explicitly blocklisted. The second is “supply distortion via theft,” where quantum attackers drain exposed wallets.
The remaining scenario is “panic before physics,” where the perception of looming quantum capability triggers sell-offs or chain splits before any actual machine exists.
None of these guarantees a net reduction in circulating supply that is cleanly bullish. They could just as easily produce a messy repricing, contentious forks, and a one-time wave of attacks on legacy wallets.
Whether supply “comes down” hinges on policy choices, uptake rates, and the attacker’s capabilities.
SHA-256-based proof-of-work is comparatively robust because Grover’s algorithm offers only a quadratic speedup.
The subtler risk lies in the mempool, where a transaction spending from a hashed-key address reveals its public key while it waits to be mined.
Recent analyses describe a hypothetical “sign-and-steal” attack in which a quantum attacker watches the mempool, quickly recovers the private key, and races a conflicting transaction with a higher fee.
What the math actually says
The physics and the standards roadmap agree that quantum computing does not automatically break Bitcoin overnight.
There is a window, likely a decade or more, for a deliberate post-quantum migration. However, that migration is costly and politically hard, and a non-trivial share of today’s supply already sits in quantum-exposed outputs.
Saylor is directionally right that Bitcoin can harden. The network can adopt post-quantum signatures, upgrade vulnerable outputs, and emerge with stronger cryptographic guarantees.
However, the claim that “lost coins stay frozen” and “supply comes down” assumes a clean transition in which governance cooperates, owners migrate over time, and attackers never exploit the lag.
Bitcoin can come out stronger, with upgraded signatures and possibly some effectively burned supply, but only if developers and large holders move early, coordinate governance, and manage the transition without triggering panic or large-scale theft.
Whether Bitcoin grows stronger depends less on quantum capability timelines than on whether the network can execute a messy, expensive, politically fraught upgrade before the physics catches up. Saylor’s confidence is a bet on coordination, not cryptography.