
Tech • AI • Crypto
Experts agree that Bitcoin's cryptographic security could be threatened in the future by quantum computing, while stressing the absence of immediate urgency and the need for proactive, careful planning of post-quantum solutions.
Quantum threat to Bitcoin's cryptography
Bitcoin's security rests on the elliptic curve discrete logarithm problem, which is hard for classical computers but potentially solvable efficiently by an advanced quantum computer. That could make it possible to forge signatures and threaten funds. By contrast, hash-function-based mining remains largely resistant to quantum attacks.
Current state of quantum computing and how imminent the threat is
Quantum computing is still in its infancy, with few working logical qubits that last only microseconds. The experts doubt that a computer capable of breaking Bitcoin's cryptography will emerge imminently. Going from one logical qubit to the thousands required remains a major challenge, leaving a mitigation window of several years.
Preparing without panicking
Although the threat is judged distant, proactive planning is recommended. This includes clear emergency ("break-the-glass") protocols and the ability to deploy post-quantum cryptography quickly if needed, avoiding both inaction and premature changes.
Challenges of deploying post-quantum cryptography
Current algorithms are markedly less efficient than elliptic curves. They can increase transaction size by up to 100 times and multiply verification costs by ten, which complicates their integration and calls for more research.
Quantum attacks would initially be costly and targeted
Such attacks would require substantial resources, potentially millions of dollars. The largest holders (exchanges, large cold wallets) would be the first targets, while small users would remain little exposed for a long time.
Approaches for protecting quantum-vulnerable bitcoins
Reused or old addresses (such as Satoshi's) could be vulnerable. Proposed solutions include freezing, gradual release (rate limiting), or market mechanisms (forks, airdrops). No consensus exists yet, and the topic touches on governance and philosophy.
Philosophical and governance considerations
It is crucial to preserve principles such as "not your keys, not your coins" and the immutability of the rules. Changes that are too radical could weaken Bitcoin's fundamental value and the trust placed in it.
Impact of institutional players on governance
The growing involvement of institutions brings more professional risk management but also introduces new dynamics and potential pressures. They influence developers without directly controlling them.
Effects of FUD (fear, uncertainty, doubt) and long-term benefits
Quantum-related worries may temporarily affect adoption or price, but they stimulate research and strengthen security over the long term, creating a balance between short-term uncertainty and future resilience.
Possible new vulnerabilities during the post-quantum transition
Integrating new solutions can introduce risks, such as stateful signatures that can leak keys. Careful implementation is essential to avoid creating new flaws.
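The stateful-signature risk mentioned above (and the "sign the message and its opposite" point raised later in the panel), as an added example that is not code from the panel or from any Bitcoin project: a minimal Lamport one-time signature scheme over SHA-256, the state flag that stops a key from signing twice, and a measurement of how much secret key material an observer learns when that state is bypassed. The messages are constructed samples.

```python
import hashlib
import secrets

N = 256  # SHA-256 digest length in bits; one secret pair per bit


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of random 32-byte preimages (secret) and
    the SHA-256 of each preimage (public)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes) -> list:
    """Message digest as a list of 256 bits, most significant bit first."""
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign_bits(sk, bits):
    """Reveal, for each bit, the secret preimage selected by that bit.
    No state check here: this is the raw one-time operation."""
    return [sk[i][b] for i, b in enumerate(bits)]


def verify(pk, msg: bytes, sig) -> bool:
    """Valid if every revealed preimage hashes to the public half selected
    by the corresponding digest bit."""
    if len(sig) != N:
        return False
    return all(sha256(pre) == pk[i][b]
               for i, (pre, b) in enumerate(zip(sig, digest_bits(msg))))


class LamportSigner:
    """Stateful one-time signer. The `used` flag is the state that must be
    persisted across restarts and backups; if it is lost or rolled back, the
    same key can sign twice and the leak measured below becomes possible."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign")
        self.used = True
        return sign_bits(self.sk, digest_bits(msg))


def revealed_fraction(pk, sigs) -> float:
    """Fraction of the 2*N secret preimages an observer learns from a set of
    signatures made with the same key (computed from public data only)."""
    revealed = set()
    for sig in sigs:
        for i, pre in enumerate(sig):
            h = sha256(pre)
            for side in (0, 1):
                if h == pk[i][side]:
                    revealed.add((i, side))
    return len(revealed) / (2 * N)


if __name__ == "__main__":
    signer = LamportSigner()
    msg_a = b"spend 1 BTC to A"  # constructed sample message
    sig1 = signer.sign(msg_a)
    print("valid:", verify(signer.pk, msg_a, sig1))
    print("one signature reveals", revealed_fraction(signer.pk, [sig1]))
    # State bypassed (e.g. a restored backup): second message, same key.
    sig2 = sign_bits(signer.sk, digest_bits(b"spend 1 BTC to B"))
    print("two signatures reveal", revealed_fraction(signer.pk, [sig1, sig2]))
    # Worst case named in the panel: the message and its bitwise opposite.
    opp = sign_bits(signer.sk, [1 - b for b in digest_bits(msg_a)])
    print("message plus opposite reveal", revealed_fraction(signer.pk, [sig1, opp]))
```

One signature exposes exactly half the secret preimages by design; a second signature with the same key exposes roughly three quarters, and a message whose digest is the bitwise complement exposes all of them, which is why the state flag, not the hash function, is the security boundary.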
Need for a thoughtful roadmap
The experts favour preparation over an immediate overhaul. Fallback mechanisms and gradual steps (such as hybrid signatures for large holders) offer a compromise between security and efficiency.
The challenge of upgrading Bitcoin
Updating Bitcoin's cryptography requires a complex decentralized consensus, possibly through forks and prolonged debate. It remains feasible with coordination and foresight.
The quantum threat is not immediate, but it is inevitable in the long run. Methodical preparation that respects Bitcoin's founding principles will be essential to guarantee its future resilience.
All right, guys. Uh, I'm super excited to be here for us to explore the super fun topic of uh the quantum vulnerability space. Uh, my name is Isabel Foxen Duke. I'm the co-author of BIP 360 for Bitcoin quantum mitigation. Um, and also the host of the Bitcoin Rails podcast. So, yeah, excited to have a little fun right now. Would you guys really quickly just get us started by introducing yourselves and kind of what your position is in the quantum space, however you define that. Uh, is there So, I'm Brandon Black. I am a I'm skeptical of the quantum vector for attacks, which does not mean I'm skeptical of post-quantum cryptography or anything. Um, and I I do Bitcoin consulting. Uh, so I kind of pay attention to what's happening in Bitcoin to make sure I'm ready for it. I'm uh Pierre Loup La Damez. I'm a quantum scientist. So, like I'm I think quantum is getting extremely close, and uh it's time to upgrade to post-quantum cryptography. Otherwise, I do like these days I mostly do post-quantum privacy uh research. I'm Clara Shikhelman, and I authored with Anthony Milton a report that overviewed the state of preparedness of quantum computing and path forward. And we also have a break-the-glass emergency plan waiting in GitHub. And I think my view is that don't panic, but have a plan. Um, yeah. All right. So, uh before we get into kind of like the proper panel, we're going to be exploring sort of all the different ways that this um kind of issue could potentially uh challenge Bitcoin. I think that this is super complex topic, so there's a lot to explore just in understanding the vulnerabilities here. But before we do, I've tapped Brandon to just sort of explain the basics, like the core problem that people are concerned about just so we can kind of get that out of the way. Then we're going to kind of like dive deeper into the details of like the implications of this problem. So, would you go ahead and kind of take it from here? 
So, the the potential issue here is that Bitcoin and many cryptosystems in the world rely on the hardness of reversing what's called the discrete log problem. So, the Bitcoin in particular is the elliptic curve discrete log problem. But the point is this is a mathematically difficult problem for classical computers to solve. If there were to be a sufficiently large quantum computer, it can solve that problem in much less time, potentially down to just a a minute or or less over the long term. And so that problem is what makes it hard to make fake Bitcoin signatures. Um, so if a quantum computer could solve the encrypt elliptic curve discrete log, it could make fake signatures on Bitcoin. That's what we're worried about. Uh, that doesn't affect Bitcoin's mining. Quantum computers are much less effective at breaking hash functions like are used in Bitcoin mining. So, that's the the space that we're sitting in. All right. So, on that note, now that we've kind of defined the core problem, um how worried, this is sort of the big question I think on everyone's minds, so I'll just dive right into it. In your opinion, and why, how worried should we be that a cryptographically relevant quantum computer will arrive anytime soon? How worried about this problem should we be? Um, again, feel free to answer that question creatively. Uh, Brandon, we can start with you and go down the line. All right. Uh, I would say we shouldn't be worried at all, really. Quantum computers to date are still working on a handful of logical qubits. It's difficult to keep logical qubits working for more than a couple of microseconds at a time. Um, there's really nothing to worry about at this point. Now, that could have changed, and there was that kind of scare, you might say, over the weekend. Oh, maybe it changed. Um, but it didn't actually change. And so, as of now, there's absolutely nothing to worry about. Um, like if from the milestones of quantum computers, they are getting very close. 
So, like the small demonstration of logical qubits are kind of like the basic uh ingredients that you need to reach cryptanalysis. And the main problem is that the the there isn't much other warning um than uh there will be long a long-lived logical qubits, then small keys, then big keys. The and um the the there's no other application that we will see before cryptanalysis. And the so the the reaction time will be extremely will likely be months or years, like or like a few years. But the migration of Bitcoin, say building the consensus around like the new type of cryptography that must be deployed, deploying the new cryptography, getting people to migrate, then deciding what to do with the the the like the stale like the stale assets, uh is what takes time. So, it's it's not like the case of um harvest now, decrypt later, where you're worried about people decrypting your email in some time. Like it's it's signatures. Uh, the issue is building the consensus of the upgrade before attacks happen. So, and um and what we're seeing like the the there's quantum, but there's also like AI is accelerating. So, like we're not guaranteed that like you you've seen often quantum like uh like classical computer catching up to quantum. If it keeps happening, at some point it will cross elliptic curve cryptography. So, like we're not guaranteed either that like there's not a super AI in 2029 or 2031 that will come along and like just break elliptic curve cryptography classically, which would be like much worse uh much worse situation actually than just quantum. So, I do agree with Pierre. Um, in general, it's like how worried should you be about your plane crashing? You shouldn't be very worried, but you need an emergency exit. So, in that sense, with Bitcoin, how worried should you be about quantum? Not too worried, but we should have a plan, and should we should be working on this plan because it could happen, maybe sooner, maybe later.
And it's just completely irresponsible to just completely relax and not to do anything. But don't panic. I want to drill down on Brandon a little bit further. Um, why exactly are you not worried, right? I mean, like what is your sort of argument here? Because it sounds like, again, if I'm understanding Pierre correctly, that there's like some possibility that this could happen in, you know, months to years, even if we just call it five years or less, right? It would take probably, you know, that amount of time for us to activate around a really, you know, sophisticated mitigation strategy. Um, so I'm just curious sort of why you are not concerned. So, there's I'll try to be very brief because I know we have a little bit of time. There's there's really two things. One, we've been researching quantum computing for close to 50 years now, and we have not yet made any progress against solving real mathematical problems with quantum computers. So, so the fact that in 50 years of research we haven't solved a single actual difficult problem with it, um suggests that it's a very hard thing to do. Uh, so that's thing one. It's just it seems very hard. And then, thing two is I think a lot of folks in in Pierre's seat and elsewhere in the quantum industry look at the problem of going from the first long-lived qubit to many long-lived qubits as as like kind of a almost a done deal once you get that first qubit. But the reality is that when you're building physical things, adding that next one is going to be hard. Adding the next two is going to be hard. Each one we have to add is going to be a hard-fought battle. And and there's good evidence for that in how quantum has gone to date. So, I don't think I don't think there's any reason to believe that we'll go from one logical qubit to 2,000 uh overnight. It'll be 10 years, it'll be 20 years. And so, even once we get those long-lived qubits, we're going to have a decade or two decades to to work on solving it in Bitcoin. 
We'll have plenty of time. Do either of you have a response to that? I don't completely agree. First of all, assuming that it's going to take another decade, another two decades, it's very difficult to predict the future. And even if it's an event of a small probability, if you calculate the expectation of the disaster that can happen, it's just irresponsible not to do something. And I don't say panic, change to whatever cryptography is now, cuz there's a lot of things to worry about more than quantum cryptography just because it's very new. But it just doesn't make sense to assume that oh, we have another decade or two. What Why should we take this risk if we can avoid it? Um, response? It's it's a very compounding technology. So, like I I get like the point of view like Brandon that like we don't see like uh progress on the yardsticks of say breaking small small keys or like factoring small numbers. But the like the the resource the physical resources of quantum computers are a bit counterintuitive in the sense that once you have the substrate of like having the ability to essentially amplify the the the the quality of the qubits up to an arbitrary degree when you have like the the fault-tolerant machines. Um, that uh physical technology like to break keys, you need only a polynomial amount of work from that point on that substrate. So, as you increase like so so increasing the size doesn't uh but like if it like if errors increase exponentially with the size of the qubits, like it would be over. But like that effect has not been like people have been looking for that effect, but it's not there. If you add qubits, noise stay local, and uh which means that like you can error correct it. So, we achieve that regime like the the the small regime has been achieved. And it's the if you want the the the substrate for which the like cryptanalysis becomes like a polynomial problem. And uh we're already there, and that will create like a very sharp transition. 
So of the arguments I think I heard you make, Clara, but correct me if I'm wrong, um but I do hear this frequently is just this idea that, you know, uh even if it's a very very very small chance that quantum is coming anytime soon, we should be prepared, you know, just in case, in the event, because of just the potentially catastrophic implications of this. Um but I do think it's also important for us to kind of think about like, well, what are the tradeoffs of, you know, premature mitigation or, um you know, there there will be potentially negative downstream effects in terms of how Bitcoin will functionally work after we implement these PQ signatures and other PQ mitigation strategies. Do you each kind of want to give a point of view about the risks associated with uh maybe jumping the gun or acting too early or etc.? Uh I can start there, sure. Um one of the things that we need to be really conscious of as Bitcoiners is that while I kind of agree with Clara, we should have a plan, um we don't have any suitable post-quantum crypto that actually works well in Bitcoin yet. The the state of the art in post-quantum crypto would make transactions uh 100 times larger than they are today. It would make uh verification 10 times more costly for those transactions. Uh it would make key generation, I think, 100 times more costly. So, there's really major problems with any of the post-quantum crypto options that are out there. Um so, we need to continue investing heavily in being ready for that. Uh as of now, there is simply isn't a good plan. There are things we could do that would be kind of a uh barely tenable stopgap. And so, we should keep trying to build towards that great plan. I I I strongly support that work. It's a it's it's a difficult problem mostly because like people want battle-tested cryptography to be deployed on Bitcoin, but like that battle-tested like it it takes time. 
So, like if you want something that's been there for 20 years now, it's cryptography that has been done in 2005. Like there's lattices, there's hash-based, and like that they come with tradeoffs. So, like on the US it's difficult. But like there's a bright side in that um like quantum attacks won't be cheap. Like if it's going to cost like probably millions of dollars like for the first quantum attacks per key. So, most people are not directly affected, uh but large uh holders uh must get ways to secure the assets like in nearish term. So, like in my opinion, it's better to deploy, say, a more conservative hash-based cryptography in the near term, allow, say, large uh like exchanges to to to migrate, and allow more time to like optimize the the the the the cryptographic method to uh keep like the user experience that the Bitcoiners are used to. So, I also agree we should not change the signatures we're using right now. This is a very dangerous game, and the technology is getting better and better, or uh as it happens with lattices, broken from time to time. So, uh we don't want to be on the receiving side of that. But we can write code. We can prepare something that if we understand that this is happening, this is happening in 6 months, this is happening in 2 years, we can mostly push the button. We have like something prepared, so we can take an action. We don't need to start from scratch if we realize this is coming soon. Um yeah. So, I think that's what we should do, and I don't think there's anybody advocating right now, and correct me if I'm wrong, just to change the whole cryptography. Um All of it, no, but deploying hash-based, I would urge it rather fast. And hash-based is old much older actually than elliptic curve cryptography. Elliptic curve cryptography is from the '80s, like the first ones. Uh Lamport signatures are from 1979, and like it's information theoretically secure up to breaking hashes. 
So, it's as secure it it's more secure than mining actually. But it's so inefficient. >> [laughter] >> It it it's like Lamport signatures are Yeah, it's it's inefficient, but like for like if you if you have 10 billion dollar of a pot of 10 billion dollar, it's probably worth it. But like you don't need to deploy it for everyone. Like I don't think it's reasonable to deploy it for everyone right I actually want to tap on that cuz I think it's really important a lot of people miss it. You know, the size of your UTXO actually affects how affected by quantum you might be, cuz even if quantum computers come along, they'll start out expensive. And so, if you have $500 in UTXO, who's going to use a quantum computer to break that? Not for a very very long time. But if you have Strategy's holdings, it's a very different story. So, so there's a huge range of how affected you are, how soon in this quantum attack. I agree. Brandon, is that an argument for UTXO splitting? Don't we usually try to get people to use as limited number of UTXOs as possible? Well well, there's always a balance, right? So, we tell people to use like a million sats per UTXO, and I think that kind of holds, right? It's going to be a pretty long time before your million sat UTXO is going to be threatened by quantum. But if you put like 10 Bitcoin in a UTXO, you might be threatened sooner. Well, that's a good segue into the Satoshi's coins conversation where you have several 50 Bitcoin UTXOs just hanging out in quantum vulnerable addresses. Um this is sort of, I think, arguably potentially, you know, the biggest vulnerability according to some um is not necessarily the PQ signatures, but the fact that not all of these coins will migrate to PQ signatures. For instance, probably not Satoshi's coins will migrate. Um what do you do about that? What do each of you think? What are your thoughts? How should we handle that situation? What do we do with that quantum vulnerable abandoned coins?
Is it the It may not be the biggest vulnerability. Like Coinbase, they have like a million Bitcoin, and BlackRock's Bitcoin. So, like they're probably the biggest target at first. Like it's a And they reuse addresses. >> And they reuse addresses. So, this is the same thing. >> So, for using addresses, please. Satoshi's coins, like it's 50,000 keys. So, like if you have a quantum computer, it takes a while to burn through it, but psychologically, it's extremely damaging if like Satoshi's coin move without expecting it. So, like there's not that many solutions. Either we accept the move, or if like we expect it would create too much uh like volatility, then like they can be frozen. Then there's or put back into circulation. Like there's pretty much only those uh solutions. Um likely there's going to be forks. Uh like people will view them as airdrops. Uh like big like markets would choose. Like I have a prefer I prefer markets to be able to choose really. I I beg to differ because there are middle solutions, I think, the hourglass where you say, "Okay, we are now aware that there is a CRQC out there. Any movement that could be initiated by a quantum attacker is allowed to spend at most one Bitcoin per block." And then, okay, so maybe you found your grandfather's private key buried somewhere, the money is not lost, but you don't get to cash it in immediately. You need to drip it slowly slowly. So, there's there's a plethora of solutions that need to be discussed, I think, both the freezing the funds or or just, you know, rule of the jungle, let the market decide. Or Basically free What I'm hearing is freeze, liquidate, or rate limit. Yeah, I think rate limit is the way to go. Um Surprisingly on this one, I completely agree with everything that Pierre Rochard I completely agree. I don't I think the market will decide. I think we should we should expect there to be forks. And I did a whole talk at Bitcoin Plus Plus about fork maximalism basically. 
We should accept chain splits and forks. Uh we're going to have to as these things progress. I I view it as a balance. So, say say if you freeze or if you do um like hourglass, it's going to it will absorb some of the volatility. Like effectively, the number of like say the forks increase, but once the volatility is like as fast, it will like it's going to be like the the the the Bitcoin cash story. Like it will converge back to like one canonical Bitcoin. So, like there will be a period of volatility if a post-quantum signatures are deployed, uh the dynamics of the system will like stabilize at some point. Also, like saying the market will decide is almost an empty saying because the market can always fork Bitcoin, right? So, the market always decides. Uh but if we have an idea that we discussed, maybe we can experience a bit less volatility. Does it stand to reason though that, you know, when you say the market will decide, right? Uh it seems pretty clear what the market will decide in this case. It will potentially decide, I think, the the Wouldn't it stand to reason that it would decide whatever has the lowest supply cap for Bitcoin, whatever isn't, you know, flushing 2 million coins into the market all at once and like bumping up supply? You don't think so? I don't think so. Bitcoin has the long-standing value of kind of the the rules being hard to change. And if we if we do a confiscatory soft fork against Satoshi's coins or some other quantum vulnerable coins, we're fundamentally changing the contract of Bitcoin in a way that at least to me would make it close to worthless. So, I know myself I'm probably not alone on that. And so, I could very easily see the opposite being the case that the despite the dumping of Satoshi's coins on one side, that the the market would choose the other side um because that preserves the original qualities of Bitcoin. >> The market of pleb Bitcoin maximalists versus the market of like ETFs and institutional asset holders? 
>> But but I think ETFs have the same thing. They To them, the value of Bitcoin is its hardness to change. Um and you you can talk to some of them about that stuff. Hot take, okay. I think like when it comes to values, you know, not your keys, not your money means yes your key yes your money yes your keys, right? It's it's also a value. So, I I don't see it as I don't rate limiting or changing something. This is like philosophically against what Bitcoin is. You don't Oh, sorry, say that again. You don't >> Yeah, >> I because I think part of the values of Bitcoin is like if you have your private key and you kept it safe, nobody's supposed to take your money. Because I'm curious if you think um just sort of you know, this is sort of the first time that we have institutional players really even kind of getting into the Bitcoin governance conversation, even really starting to like have an opinion about technical decisions in Bitcoin. Historically, that's not been the case. We're also new to having major institutional asset holders in the first place. Um do you guys see this as a good thing, a bad thing, an inevitable thing? Like what's your take on the fact that, you know, corporate players are are, you know, kind of more invested in this conversation than they have been in previous technical conversations in Bitcoin? Part of the adoption. Like the current burst of adoption is the risk managers at those institutions who like at some point like the the Bitcoin will make its way into a retirement funds and like the the the the like bigger like a bigger pools of money. Um Part of the adoption story like those people who are part of the ecosystem. I think it's inevitable and and also in some ways potentially beneficial because uh Bitcoin need better attackers and having them out there almost pushes Bitcoin to be to be better. To be honest, like it it's eventually would have happened anyway and I don't think that these big players have a lot of say. 
They don't sup- they don't finance developers. They don't tell developers what to do. They're just there enjoying the fruits of the developers' labor. So I'm curious if you have opinions about sort of like indirect, you know, vulnerabilities to Bitcoin that are just from the fud associated with quantum. Like if if quantum never arises, but we're just like having these conversations for the next 20 years, um is that again fundamentally again better than us not having the conversations because at least we're prepared for something that could potentially happen or are there downstream effects related to the fud on adoption? Is that potentially a reason in and of itself to fix the problem? You know, like just the fact that all this fud is happening and it could be affecting adoption. Is that a legitimate reason to move forward with mitigation strategies? What are your kind of thoughts about that? I I actually echo I think Pierre said earlier um the there are other things that could break Bitcoin's cryptography. It's not only a possible quantum computer. Um and so we should absolutely be continuing to do this this research on on better crypto systems for Bitcoin, new crypto systems for Bitcoin. Um and and so in the long run the fud is is helpful in pushing that forward. Um short-term probably it might suppress the price a little bit, but that's a short-term, not a long-term concern. So I'm glad we're doing the research and I think, you know, BIP 360 that you worked on is a great example of it's a it's thing we can start doing right now that's an obviously good change for Bitcoin and I want us to pursue all of the obviously good changes, whether it's for post-quantum or post-classical or whatever. The it the upgrade is an interesting exercise because like it's consensus building on a decentralized system to upgrade the public key cryptography. It has never been done. 
We don't know if it's possible, but like if it's possible, I think it's through some process of consensus building that like it's going to be achieved. So Yeah, like if the but I don't like but I don't think the fud is counterproductive here. Like it's hardening Bitcoin like in the the the in the forge. I mostly would like people to stop asking, but what about quantum? And I could point them to here and then continue with the conversation. Okay, final fire round. Any quantum vulnerabilities? Like anything that you think could come up around this topic that people aren't thinking about or a vulnerability that people are underestimating that you want to draw attention to or something we should be considering in this conversation that you're not hearing enough about? We didn't we didn't talk about it I should have said that earlier the the risk of post-quantum crypto introducing a new vulnerability into Bitcoin's code. Some of these things are a lot of code to add. So think about that as well. Yeah, on the side of stateful signatures that hash-based signatures, it will introduce some social attacks because like if you leak if you sign the message and the opposite of the message you're leaking all your key and social attacks could happen to that and the the it must be thought about very carefully. I think for wallets and other supportive things in the ecosystem, people might panic and mistakes can arise there because they'll feel, "Oh my god, we have like to to do this to do this real quickly." And this is where problem arise. So suddenly the problem is before you even get to the blockchain. It's one step before and it's all gone anyway. All right, that's all we got. Thank you guys so much. This was awesome.