Quantum Risks: Chaincode Labs Evaluates Bitcoin's Vulnerability to Quantum Threats

Experts from the research organization Chaincode Labs have released a comprehensive report detailing the potential risks posed by quantum computers to Bitcoin. The 55-page document was authored by Dr. Anthony Milton and Clara Shiklerman in May 2025.

According to the authors’ estimates, between 20% and 50% of all Bitcoin in circulation (approximately 4 to 10 million BTC) could be vulnerable to attacks conducted by cryptographically relevant quantum computers (CRQC).

The most precise estimate from Project Eleven, dated January 17, 2025, points to 6,262,905 BTC at risk. The distribution of these funds is as follows:

The researchers emphasized the concentration of funds on exchange addresses. Some of these addresses hold hundreds of thousands of bitcoins, making them prime targets for possible quantum attacks.

*“Regarding assets with exposed public keys, many large holders, including exchanges and institutional custodians, have historically managed their cold storage by reusing addresses for operational convenience. […]”*

*“As a result, an economically prioritized list of targets for quantum attacks emerges: breaching such addresses could yield significant returns for the efforts expended,”* the report states.

In 2024, the Canadian organization Global Risk Institute conducted a survey of 32 leading experts in academia. Nearly one-third of the respondents (10 out of 32) believe there is a 50% or greater chance that CRQCs will appear within the next decade.

The authors noted governmental initiatives affirming the seriousness of the threat:

They also highlighted the accelerating advancements in quantum computing. In December 2024, Google introduced the Willow processor, featuring 105 physical qubits, achieving an important milestone in quantum error correction. In February 2025, Microsoft unveiled Majorana 1, the first quantum processor utilizing topological qubits.

Quantum computers threaten Bitcoin through the exploitation of elliptic curve cryptography via *Shor’s algorithm*. This algorithm can compute a private key from a public key in hours or days, compared to the quadrillions of years required by classical computers.

Long-term attacks target three types of scripts with known public keys:

Short-term attacks affect all transactions but occur within a narrow time frame when a user reveals the public key in the mempool (prior to confirmation).
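The long-term versus short-term distinction can be checked per output. The following is an added example, not code from the report: it classifies a scriptPubKey by standard Bitcoin script templates and reports whether its public key is readable while the coins sit unspent. The template set, function names and sample scripts are assumptions made for illustration, and the samples use constructed dummy keys and hashes.

```python
# Added example; every sample script below is constructed (dummy keys, hashes).
KEY_IN_OUTPUT = {"p2pk", "p2ms", "p2tr"}   # public key sits in the output itself

def _is_bare_multisig(s: bytes) -> bool:
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG with 33- or 65-byte keys."""
    if len(s) < 4 or s[-1] != 0xAE:
        return False
    m, n = s[0] - 0x50, s[-2] - 0x50        # OP_1..OP_16 are 0x51..0x60
    if not (1 <= m <= n <= 16):
        return False
    i, keys = 1, 0
    while i < len(s) - 2:
        if s[i] not in (33, 65):            # each push must be a full public key
            return False
        i += 1 + s[i]
        keys += 1
    return i == len(s) - 2 and keys == n

def classify(script_hex: str) -> str:
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"                       # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"                       # 32-byte output key, not a hash
    return "p2ms" if _is_bare_multisig(s) else "unknown"

def long_range_exposed(script_hex: str, spent_from_before: bool = False) -> bool:
    """True if the key is readable at rest: the template carries it, or an
    earlier spend from the same script already revealed it (address reuse)."""
    return classify(script_hex) in KEY_IN_OUTPUT or spent_from_before

K1 = "02" + "11" * 32                       # constructed compressed public keys
K2 = "03" + "44" * 32
SAMPLES = {
    "p2pk":   "21" + K1 + "ac",
    "p2pkh":  "76a914" + "22" * 20 + "88ac",
    "p2wpkh": "0014" + "22" * 20,
    "p2tr":   "5120" + "33" * 32,
    "p2ms":   "51" + "21" + K1 + "21" + K2 + "52ae",
}
```

Hashed templates return `False` until `spent_from_before` is set, which is the address-reuse case the report quote describes for cold storage.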

The issue of the fate of quantum-vulnerable funds has already polarized the community into two factions.

Proponents of “burning”, led by *Jameson Lopp*, argue that eliminating vulnerable coins will preserve the integrity of Bitcoin. They contend that allowing quantum computers to seize funds is akin to redistributing wealth from those who have lost access to Bitcoin to those who will win the technological race for quantum computers.

Lopp likened the quantum vulnerability to a protocol-level bug that needs fixing. Burning coins would ensure certainty and limit market volatility.

Opponents view burning as confiscation and a violation of the property rights of coin owners. They believe Bitcoin was created as a system where users maintain full sovereignty over their funds and can access them at any time.

A change that makes certain UTXOs permanently inaccessible represents the kind of third-party intervention that Bitcoin was created to resist. It would effectively constitute confiscation for holders who, for various reasons, are unaware of the quantum threat or cannot transfer their coins to quantum-resistant addresses in time.

Such measures would affect Bitcoin’s total supply (in the event of burning) or lead to large-scale wealth redistribution (in cases of “quantum theft”). Legal questions also arise concerning the potential liability of developers for any decisions made.

Developers are considering various approaches to quantum protection, each with its own advantages and compromises.

**OP_CAT in Tapscript (BIP-347).** Ethan Heilman and Armin Sabouri proposed reintroducing the OP_CAT opcode, disabled by Satoshi in 2010, which would enable the creation of quantum-resistant Lamport signatures.

**QuBit (BIP-360).** A developer known as Hunter Beast unveiled the most thoroughly developed proposal after months of discussion. P2QRH introduces a new output type leveraging the NIST-approved FALCON algorithm, as well as CRYSTALS-Dilithium and SPHINCS+.

**Quantum-protected Taproot scripts.** Matt Corallo proposed adding the OP_SPHINCS opcode to verify post-quantum signatures. This would allow wallets to create Taproot outputs with a quantum-protected spending path. Luke Dashjr noted that wallets could begin implementation immediately after the specification is finalized, without waiting for a soft fork activation.

**Signature compression using STARK.** Ethan Heilman suggested aggregating post-quantum signatures into a single compact STARK proof. This could increase Bitcoin’s throughput while simultaneously enhancing privacy.
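To make the Lamport signatures mentioned under OP_CAT concrete, and to show why the size of hash-based signatures motivates compression, here is a textbook Lamport one-time signature over SHA-256. It is an added example, not code from the report or from BIP-347, and it is plain Python rather than the Tapscript construction; all function names are assumptions.

```python
import hashlib
import secrets

N = 256  # one pair of secrets per bit of the SHA-256 message digest

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes) -> list:
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def keygen():
    """Secret key: two random preimages per bit. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    """Security rests only on hash preimage resistance, not on elliptic curves."""
    return len(sig) == N and all(
        _h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def fully_revealed_positions(msg_a: bytes, msg_b: bytes) -> int:
    """Positions where signing both messages with ONE key reveals both preimages."""
    return sum(x != y for x, y in zip(_bits(msg_a), _bits(msg_b)))

def signature_size(sig: list) -> int:
    return sum(len(s) for s in sig)
```

A single signature is 8,192 bytes, and `fully_revealed_positions` shows why each key pair must sign only once: every position it counts has lost both of its secrets.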

The authors of the report proposed a two-phase approach, acknowledging the uncertainty surrounding the timeline of the quantum threat.

They estimate that migrating all UTXOs to quantum-resistant addresses may take between 76 and 568 days, depending on available block space.

Quantum computers are unlikely to disrupt Bitcoin mining in the foreseeable future due to inherent limitations.

*“Unlike quantum attacks on digital signatures, quantum mining must compete with classical mining. Regarding Bitcoin signatures based on elliptic curves, once quantum computers reach sufficient development, a single machine (CRQC) could compromise funds by exploiting the used cryptography. In contrast, quantum mining will require numerous fast quantum machines to match the performance of current ASICs. Unlike classical mining, quantum mining does not scale well and is much less efficient in practice,”* the report states.

Researchers recommend:

The report emphasizes that although the quantum threat is not immediate, the window for preparation will narrow as technology advances. Proactive measures today are essential for Bitcoin’s long-term survival.

Previously, Project Eleven proposed offering 1 BTC for a successful quantum breach of Bitcoin’s cryptography.