Understanding the Quantum Threat to Elliptic Curve Cryptography
Bitcoin’s security relies on the Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve. Quantum computers running Shor’s Algorithm can theoretically derive private keys from public keys in polynomial time — a computation that would take millions of years on classical computers. Google’s Willow quantum processor, announced in December 2024, demonstrated error correction capabilities identified as a significant step toward cryptographically relevant quantum computation, though still many orders of magnitude below the threshold required to attack Bitcoin.
Why P2PK Addresses Are Specifically Vulnerable
Project Eleven’s analysis identifies 6.5 million BTC — approximately 31% of total supply — stored in legacy P2PK addresses that directly expose the public key. Unlike modern P2PKH or SegWit addresses that only reveal the public key at spending time, P2PK addresses allow an attacker to target them at leisure. This includes the estimated 1.1 million BTC in genesis-era mining rewards attributed to Satoshi Nakamoto.
Timeline Estimates from Project Eleven
The report presents three scenarios: pessimistic (CRQC by 2030-2032), base case (2035-2040), and optimistic (2045+). Crucially, the report notes that nation-state quantum programs in the US, China, and EU operate under strict secrecy. “The public timeline for quantum computing progress is almost certainly behind the classified timeline,” the report states, echoing former GCHQ Director Robert Hannigan at a March 2026 London conference.
Bitcoin Developer Response: Post-Quantum BIPs
NIST finalized four post-quantum cryptographic standards in August 2024: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+. BIP-360 by developer Hunter Beast proposes a new address type using FALCON lattice-based signatures, with cautious support from Bitcoin Core developers. Key debate: FALCON signatures are approximately 1,200-1,300 bytes vs. 72 bytes for ECDSA — a significant block space increase requiring network-wide coordination.
What Holders Should Do Now
For most Bitcoin holders, the quantum threat is not imminent. Modern wallets generating P2PKH or native SegWit addresses do not expose public keys until spending. Holders with legacy P2PK addresses, or who have reused addresses, should migrate to fresh P2WPKH addresses. This simple step eliminates the primary quantum vulnerability under all current threat scenarios. The Satoshi coins governance question — whether to burn unmoved early-era coins after a migration deadline — remains deeply controversial in the Bitcoin community.
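To make the P2PK exposure and the address-reuse advice above concrete, the Python below is an added example (not from Project Eleven's report or any wallet's code) that classifies output scripts and lists those whose public key is already visible. The function names, the `spent_from_before` flag and the sample scripts are assumptions made for illustration; script types other than the three named on this page are reported as not assessed.

```python
# Added example: flag outputs whose public key is already visible on-chain.
# All sample scripts are constructed placeholders, not real keys or hashes.

def classify_script(spk_hex: str) -> str:
    """Return 'p2pk', 'p2pkh', 'p2wpkh' or 'other' for a scriptPubKey in hex."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        compressed = n == 35 and s[1] in (0x02, 0x03)
        uncompressed = n == 67 and s[1] == 0x04
        if compressed or uncompressed:
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"


def pubkey_exposed(spk_hex: str, spent_from_before: bool = False):
    """True/False for the types above; None when the type is not assessed."""
    kind = classify_script(spk_hex)
    if kind == "p2pk":
        return True               # the key is in the output itself
    if kind in ("p2pkh", "p2wpkh"):
        return spent_from_before  # key revealed only by an earlier spend (reuse)
    return None


def needs_migration(utxos):
    """utxos: iterable of (label, spk_hex, spent_from_before). Returns labels."""
    return [label for label, spk, reused in utxos if pubkey_exposed(spk, reused)]


# Constructed sample wallet (placeholder bytes).
SAMPLE = [
    ("legacy-p2pk", "41" + "04" + "11" * 64 + "ac", False),
    ("fresh-p2pkh", "76a914" + "22" * 20 + "88ac", False),
    ("reused-p2pkh", "76a914" + "44" * 20 + "88ac", True),
    ("fresh-p2wpkh", "0014" + "33" * 20, False),
]

if __name__ == "__main__":
    print(needs_migration(SAMPLE))
```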




