Bitcoin developers are sleepwalking towards collapse.

Author: Nic Carter Translated by: LlamaC

“Recommended Message: Key Points: Nic Carter (Partner at Castle Island Ventures, a well-known opinion leader in the crypto space, directly criticizes the governance inertia and strategic misjudgments of Bitcoin Core developers). This article mainly discusses the potential threat of quantum computing to Bitcoin's security. Bitcoin developers seem to adopt a conservative attitude towards the potential impacts of quantum computers, but in reality, preparations need to start now to address the quantum cracking risks that may arrive within the next decade.”

Main Text

Recently, there has been a lot of discussion about the quantum risks of Bitcoin. I have previously elaborated on my views in a lengthy article, but most people have not read it and only obtained some scattered snippets of debate from X. Therefore, I have condensed my views into this short article. I do not intend to pile up a large number of references and details in this article.

The security of Bitcoin—specifically the difficulty of deriving a private key from a public key—relies on elliptic curve cryptography. It is well known that quantum computing (QC) could theoretically break this, thanks to an algorithm invented by David Shor in the 1990s. Satoshi Nakamoto recognized this when he invented Bitcoin and proposed an upgrade if quantum computing became powerful enough. For a quantum computer to actually deploy this algorithm, it requires 1,000 to 2,000 so-called “logical qubits,” or about several hundred thousand to a million “physical qubits.” For reference, the most advanced quantum computers currently have at most around 1,000 physical qubits and a few dozen logical qubits. Therefore, we are about three orders of magnitude away from achieving this capability. While this may seem far off, the renowned quantum theorist and scholar Scott Aaronson describes it as merely an “extremely difficult” engineering problem, rather than a need for new fundamental physical discoveries. In other words, the current stage of quantum computing is comparable to nuclear fission in 1939—it is known to be feasible and there are no theoretical obstacles, but it still requires enormous engineering investment. Further analogy suggests that due to the significant strategic utility of quantum computing, early adopters of the technology may conceal their capabilities or delay disclosure. Driven by interests, quantum computing could suddenly emerge without any warning. This is bad news for Bitcoin holders who believe they will have ample warning and preparation time. Just as we have seen in the field of artificial intelligence—and the level of surprise exhibited by the AI community when scaling laws were developed and LLMs became powerful—non-linear growth does occur in technology. I am unwilling to stake the future of Bitcoin on the mere hope that “the development of quantum technology will not bring unexpected surprises.”

The probability of quantum cracking occurring within the next ten years is unknown. However, 2025 is set to be the most active year in the history of quantum computing. On a technical level, this year IONQ and MIT made breakthroughs in 'fidelity' (the frequency at which quantum bits perform expected operations). Quantum error correction aims to capture and address errors introduced by physical quantum bits, thus creating pure logical quantum bits, and this technology is expected to make substantial progress starting in 2025. As these errors tend to increase with the scaling of quantum computers, achieving large-scale error correction has become the most significant advancement in the field of quantum computing. Google and Quantinuum have made notable achievements in error correction this year.

This year, quantum startups have raised at least $6 billion, setting a historic high with a huge lead. One of these startups, PsiQuantum, raised $1 billion with the aim of building a million-qubit machine—believing that it is feasible to utilize existing technology. Many companies developing quantum computers explicitly predict that by the late 2020s or mid-2030s, they will be able to manufacture functional and scalable quantum computers. Experts on Metaculus predict on average that quantum computers will emerge around 2033.

The U.S. government's official standards organization NIST has required government agencies to discontinue the use of quantum-vulnerable encryption schemes like ECC256 before 2030, and to end all reliance on them by 2035. Other major powers such as the EU and the UK are also operating on a similar timeline. As I will explain, these dates should motivate Bitcoin holders to take action today.

If sufficiently powerful “cryptographic quantum computers” (QCs) are manufactured, they could pose a threat to Bitcoin by allowing attackers to steal private keys from exposed public keys. Not all tokens are currently exposed (some public keys are within hash addresses, and SHA-256 is not considered vulnerable to quantum attacks), but at the time of writing, 6.7 million BTC are at risk — worth $604 billion. Additionally, during the brief window between when tokens are spent and when they are included in a block, a sufficiently powerful quantum computer could theoretically reverse engineer the private keys and redirect the spending. This applies to tokens in any type of address, regardless of whether they have been hashed.

Theoretically, Bitcoin can adopt a “post-quantum” (PQ) signature scheme through a soft fork. Indeed, there are some proposed quantum-resistant signature schemes. Setting aside technical issues, such as significantly increased data demands (requiring larger blocks or reducing throughput), the main challenge will be to determine the specific post-quantum scheme, organize the soft fork, and painstakingly migrate tens of millions of addresses with balances. Adopting new cryptographic technologies carries risks, which is another issue. We don't want to turn to PQ encryption out of panic, only to later find out that it can even be cracked by classical computers. Stripping the cryptography that is core to the Bitcoin system is a monumental task that must be approached with caution. If you reflect on how difficult it was for the Bitcoin community to reach consensus and implement the (relatively uncontroversial) SegWit and Taproot soft forks, you will understand that Bitcoin's actions are not agile.

The post-quantum fork of Bitcoin (or more precisely, multiple forks, as it may require several) will be more invasive and complex than any previous updates to the protocol. Cryptography is at the core of this protocol, and replacing it will force changes in nearly all aspects of the system and the way users interact with it. It is clear that the debate, development, and testing time required for such a fork will be longer than that of SegWit (which took two years from proposal to activation) or Taproot (three years).

In fact, it will be more difficult to get Bitcoin into a secure state after the fork. Tokens in quantum-vulnerable addresses must be rotated and sent to new quantum-resistant address types. Ultimately, all address types must be deprecated and rotated. Even if every Bitcoin holder is aware of this and can access their wallets and private keys at any time, this transition would take months at best. A more realistic scenario is that you need to give Bitcoin holders a few years' notice to rotate their tokens.

The situation has worsened. Some Bitcoins have been lost or abandoned. A significant portion of this—1.7 million BTC—belongs to Satoshi Nakamoto and other early miners, stored in an old address type known as “pay to public key.” If these Bitcoins are indeed lost, they cannot be transferred to quantum-resistant address types for security. They are like ancient coins scattered on the seabed among shipwrecks, once thought to be unrecoverable—until someone invented better submarines. Therefore, the Bitcoin community must decide how to handle them. Should they freeze them, thus engaging in a form of institutionalized theft; or should they let it be, allowing an unknown, potentially hostile quantum agent to become the largest holder of Bitcoin? Neither option is ideal, and there is currently no consensus within the community. The Bitcoin community has never voted to freeze or fix anyone's Bitcoin, no matter how loathsome they may be. In fact, this kind of collective theft (even for legitimate reasons) is exactly why many early Bitcoin believers disdain Ethereum. By doing so, Bitcoin believers would indicate that they are no better than the opponents they hate. It would also send a signal to future holders: in emergencies, collective confiscation is an option. Confiscation would set a dangerous precedent. Therefore, the fate of the abandoned P2PK Bitcoins must be debated, and a set of solutions (such as freezing or expropriating them through a fork) must be implemented and deployed. This is no easy task and will be completely unprecedented in Bitcoin's history.

If you do the math, you will find that the required relief timeline could take nearly a decade. We need time to discuss strategies, resolve differences, reach consensus on protocols and the roadmap for threatened tokens, write code, test cryptography, and actually execute the migration. This means that even if the quantum doomsday (the so-called “Q-day”) arrives a decade from now, we must start preparing from today. An early or unexpected Q-day would be catastrophic. We would have to rush to decide whether to freeze the threatened tokens, panic-implement post-quantum signature schemes, and hope that the scheme is secure, as well as that the system's confidence can be restored. Chaincode, a major Bitcoin development company, estimates that even “short-term” emergency measures will take two years. Changing Bitcoin is like steering an aircraft carrier.

The panic response to sudden destructive events, rather than the destruction itself, could destroy Bitcoin. The opposing viewpoints on whether to destroy or claim these vulnerable tokens could lead to forks, as we saw in the block size wars. The competitive forks vying for the name of Bitcoin may have barely held up in 2017 when Bitcoin was far from mature and the stakes were lower, but today, this situation would cause the large institutional capital sources that Bitcoin relies on to lose confidence in the protocol. Quantum computing pierces the inviolable promise of Bitcoin. It's no wonder that most Bitcoin holders are even afraid to acknowledge this. They know that admitting the existence of risk casts doubt on the core narrative that Bitcoin is “indelible.” From the perspective of capital allocators, you wouldn't want your ultimate safe-haven store of value asset to have tail risks. Therefore, Bitcoin holders choose to play a massive prisoner's dilemma game, where everyone remains silent and doesn't inform on one another. But they did not anticipate that there would be a few intellectually honest Bitcoin holders willing to reveal an unwelcome truth to the world—even if it harms our own interests.

Some Bitcoin supporters believe that U.S. laws will prevent anyone with CRQC from using it to attack Bitcoin. However, relying on the hope that adversaries will adhere to legal rules for Bitcoin's protection offers minimal comfort. We cannot expect the early custodians of quantum technology to act benevolently. Although they won't publicly admit it, there is a reason why various quantum computing companies are cautiously probing around Bitcoin meetings: if they can develop hardware capable of acquiring this wealth, there are hundreds of billions of dollars in bounty waiting for them. China is investing enormous national resources into quantum computing, and they have no loyalty to Bitcoin or U.S. laws. Furthermore, if the U.S. government believes China is about to take action, it is not out of the question for them to preemptively seize Bitcoin that poses a risk.

If you understand my logic, you will realize that we should start preparing today. The consensus among experts and governments indicates that quantum issues could arise between 2030 and 2035, and considering the timeline for response, this means we must begin preparations today. If we are not prepared, the damage caused by a quantum collapse could be catastrophic—confidence in the entire system would be completely lost. Therefore, the expected value of quantum risk to Bitcoin is significantly negative. For those investors or developers who ignore this threat, I would like to ask you, what probability of a complete collapse are you willing to accept? 10%? 5%? 1%? People buy insurance for low-probability events that could cause catastrophic losses. Even if the risk of a dangerous flood occurring is only 1% per year, you might purchase flood insurance, and you would be glad you did. In fact, the cost of insuring against quantum risk is very low because most developers are engaged in meaningless self-reflection. For the past decade, the primary focus for developers has been on scaling models based on the Lightning Network, but it has been proven that this model has failed. Internal debates about filters and whether Bitcoin should carry arbitrary data have captured the attention of developers. Over the past decade, the Bitcoin protocol has only been updated twice. Although they will eventually update it, developers cannot justifiably claim to be too busy with other important matters to pay attention to this increasingly serious existential threat.

What action has the Bitcoin community taken regarding this? Unfortunately, very little. Although there have been some sporadic efforts exploring post-quantum signature schemes and some early mitigation ideas, there have been very few actual concrete proposals. The only listed Bitcoin Improvement Proposal (BIP) — BIP360 — is led by a relatively outsider rather than one of the “high priests” who typically have decisive voices on major Bitcoin updates. What BIP360 actually does at this stage is correct a significant mistake made by Bitcoin developers, namely the introduction of the quantum-vulnerable Taproot address type in 2021. Despite Chief Developer Pieter Wuille publicly acknowledging the quantum risks associated with Taproot addresses at the time, they went ahead with it. Even by 2025, Wuille still insists that there is “no urgency” for quantum protection for Bitcoin.

What annoys me the most is the Bitcoin developers' unusual indifference to the increasingly imminent risks posed by quantum computing. Typically, Bitcoin's development culture is extremely cautious, almost to the point of absurdity. Developers go to great lengths to avoid introducing vulnerabilities, minimizing reliance on third-party libraries as much as possible. It is well-known that Bitcoin rejected the industry-standard elliptic curve stack and avoided the ECC implementation of OpenSSL, instead opting for secp256k1 as the standard and maintaining its own custom code. This is just one example. Many should remember that even a slight increase in block size was discussed for years and viewed as a potential existential threat. Developers warned that adding a few megabytes could lead to a network collapse or undermine decentralization. The system's scripting language is also deliberately limited—not due to a lack of imagination, but out of fear of denial-of-service attacks and erratic behavior. These choices are ideologically charged, rooted in an extreme self-reliance, resistance to current and future threats, and a pervasive culture of paranoia. However, it is unbelievable that today Bitcoin faces the complete obsolescence of modern public-key cryptography, and the developers' reaction is one of complacency.

When faced with the risks posed by quantum computing, Bitcoin holders (Bitcoiners) often respond that this threat applies equally to all financial technologies (and any other systems that rely on encryption). The implication is that since the apocalypse is coming anyway, it’s not worth worrying about. However, this is not only absurd (clearly, even in chaotic situations, we still hope Bitcoin will function normally), but it is also not true. “Quantum Day” (Q-day), if it occurs, will likely see governments and major financial institutions well-prepared, making it similar to the “Y2K” problem, where everything remained calm due to adequate preparation. Post-quantum signatures already exist and can be easily implemented by any centralized institution. The main issue lies with blockchains, as they suffer from governance inertia and upgrade difficulties. Cloudflare has provided post-quantum encryption protection for most of its traffic. AWS has deployed post-quantum cryptography in critical services. NordVPN now offers post-quantum browsing features. While upgrading infrastructure can be painful, all financial institutions, software companies, and governments are highly centralized and can simply issue direct orders to upgrade. (There is a small number of systems that cannot be upgraded, such as hardware that has been hardened and cannot be updated. But this refers to those long-lasting hardware systems that should be phased out anyway. Satellites are an exception, as they are also at a disadvantage when it comes to addressing “Quantum Day.”)

Decentralized blockchains like Bitcoin cannot self-update as nimbly as centralized database operators. Since 2017, Bitcoin has only undergone two updates, and even these updates were achieved after significant resentment and infighting. Furthermore, a large portion of vulnerable tokens are stored in abandoned addresses, and the owners of these addresses cannot be forced to transfer their tokens. Therefore, even if Bitcoin does upgrade to post-quantum signatures, it still faces the risk of 1.7 million tokens being suddenly seized by quantum attackers. Bitcoin not only needs to upgrade in an orderly and timely manner, but Bitcoin holders must also collectively agree to confiscate these 1.7 million tokens to mitigate this risk—something that is completely unprecedented in Bitcoin's history.

Bitcoin is also more vulnerable than other blockchains. In terms of supply proportion, it is estimated that a higher percentage of tokens are lost or abandoned. Ethereum does face some of the same risks, but its account abstraction and smart contract capabilities mean that, with some tricks, Ethereum could even achieve post-quantum (PQ) signatures without forking. A post-quantum fork will still be necessary, but under Ethereum's more active governance processes, this is more likely to be realized. Ethereum also benefits from having a leader who recognizes the quantum threat and has already proposed solutions to address it. Another competitor, Solana, has begun testing post-quantum signatures. Layer two networks like Starkware position quantum resistance as a core value proposition. Bitcoin enthusiasts may find these comparisons frustrating, but when “Quantum Day” (Q-day) arrives, Bitcoin is highly likely to be the only blockchain exposed to risk.

So, this is the cruel truth. Few Bitcoin believers are willing to admit this. Compared to other systems that rely on public key cryptography, blockchain is particularly vulnerable in the face of quantum computing, and Bitcoin is the most vulnerable within the blockchain. Quantum computing has shifted from a distant theoretical possibility to a pure engineering challenge, which may arrive in ten years or even less. If this is the case, Bitcoin supporters need to start preparing now.