ETHDenver zeroes in on Bitcoin’s quantum weak spot: signatures and the migration fight

The most useful conversation at ETHDenver wasn’t about AI agents or building through a downturn. It was a sober look at where quantum computing can actually break Bitcoin first—and what it would take to move the network before attackers do.

Developers narrowed the technical scope. SHA-256 is not the near-term failure point. Even with Grover’s algorithm, you’d need an implausibly large quantum machine to brute-force Bitcoin’s hashing. The live wire is signatures. Shor’s algorithm directly targets elliptic curve cryptography. If you can compute it at sufficient scale, a public key becomes a roadmap to the private key, which is how ownership is expressed on Bitcoin.

That framing matters because the exposure isn’t hypothetical. Project Eleven’s “Bitcoin Risq List” tracks more than 6.9 million BTC at addresses with revealed public keys—roughly a third of supply if you include early outputs—of which 1.7 million were mined in Bitcoin’s first years. BIP 360 co-authors Hunter Beast and Isabel Foxen Duke put a name to the likely first move: a long-exposure attack that sweeps coins tied to known public keys.

Timelines are murky, but the hardware trajectory no longer looks flat. In December 2024, Google unveiled Willow, demonstrating below-threshold error correction—a milestone many believed might never arrive. Alongside IBM’s steady progress, that update didn’t prove the endgame, but it did validate a path to scale. Unsurprisingly, estimates have tightened. Work that once pegged the break at ~20 million qubits (circa 2021) now has research, including from Iceberg Quantum, modeling feasibility in the ~100,000-qubit range. Today’s devices can’t run Shor to crack Bitcoin, but the gradient is steepening.

The response is finally organizing. The Ethereum Foundation spun up a post-quantum security team, and Coinbase convened an advisory board to assess cross-asset risk. Coinbase’s CEO has called the challenge solvable, which is fine as a direction of travel; the friction is in the migration mechanics. You can engineer a quantum-safe signature scheme. You still have to get coins to use it.

This is where Bitcoin’s culture collides with its threat model. Many long-dormant UTXOs—potentially including Satoshi-era pay-to-public-key outputs—may never move. Any proposal to freeze those coins, or to quarantine entire script types, would trigger a legitimacy fight. The idea surfaces periodically because the math is uncompromising: if a quantum adversary arrives before social consensus on a migration plan, you could see a flood of seized coins hitting markets within hours. Panelists floated a 4 million BTC shock as a plausible stress case—more than enough to overwhelm depth, shatter price discovery, and contaminate trust even if robust post-quantum cryptography exists by then.

This isn’t just a protocol upgrade problem. It’s a coordination and incentives problem:

- Technically, Bitcoin needs a well-reviewed, optional post-quantum path (think staged support for PQ signatures and address formats) that doesn’t fragment UX. - Operationally, exchanges, custodians, and miners need playbooks for fee markets, replay risks, and cutover windows once PQ rails are live. - Economically, large holders need a credible reason to migrate early—perhaps fee rebates, priority block space, or standardized tooling—because inertia is powerful. - Ethically, any move to freeze or selectively invalidate old outputs risks redefining property rights. The bar for consensus is therefore extremely high.

BIP 360 is a sensible center of gravity because it focuses on signatures—the actual fault line—rather than sprinkling quantum branding on unrelated features. The proposal’s strength, in my view, will hinge on two details: how it minimizes on-chain footprint and verification costs for PQ schemes, and how it sequences incentives so that exposed UTXOs migrate without coercion. If either piece is sloppy, you trade one systemic risk for another.

One more misconception to retire: this isn’t “Bitcoin vs. Ethereum.” The Ethereum Foundation’s new team is a useful signal that serious projects are treating quantum as a lifecycle risk, not a marketing trope. Shared R&D on lattice-based or hash-based signatures, cross-client audits, and coordinated testnets will likely compress timelines for everyone.

The market psychology angle is straightforward. As soon as credible quantum milestones stack—like Willow did for error correction—perception can front-run capability. That means headlines can move coins before qubits do. Proactive, boring migration beats reactive crisis management every time.

If you’re allocating capital, watch three dials: credible hardware progress (error rates and logical qubit counts, not hype), measurable reduction in exposed UTXOs, and the emergence of a widely-accepted PQ signature standard wired into major clients, custodians, and wallets. When those line up, the quantum risk discount narrows. Until then, plan for volatility around each lab milestone—and remember where the real weak link sits.