A sharp debate over bitcoin quantum risk has broken out, with leading industry voices clashing over timelines, threats, and how fast developers must react.
Why Gabor Gurbacs says Bitcoin doesn’t risk quantum
Over the weekend, Gabor Gurbacs, founder of Pointsville and strategic advisor to Tether, argued on X that fears of a looming “quantum doomsday” for Bitcoin are “pure FUD.”
According to him, Bitcoin’s cryptography is already resilient and flexible enough to withstand advances in quantum technology and adapt when needed.
“There’s a lot of FUD around Bitcoin’s quantum risk,” Gurbacs wrote. “The fact is that Bitcoin’s security is anchored in hash-based proof-of-work, which remains quantum-resistant.
Quantum doesn’t break Bitcoin.” Moreover, he stressed that market narratives are outrunning the actual state of hardware and algorithms.
How does Bitcoin’s design address quantum computing?
Gurbacs emphasized the difference between Bitcoin’s hash-based consensus mechanism and its signature scheme. The consensus layer, secured by SHA-256, is already resistant to quantum attacks because Grover’s algorithm offers only a quadratic speed-up. That improvement, he said, does not fundamentally undermine proof-of-work or the economic cost of attacking the network.
The primary weakness, Gurbacs acknowledged, lies in Bitcoin’s ECDSA signatures, which could become vulnerable if large-scale quantum computers capable of effectively running Shor’s algorithm are built. However, he argued that Bitcoin’s architecture and user practices already mitigate much of that theoretical exposure and leave room for future upgrades.
What role do addresses and post-quantum signatures play?
According to Gurbacs, the main quantum target in Bitcoin is the set of exposed ECDSA public keys. That risk is reduced today through the non-reuse of addresses, which keeps most keys hidden on-chain until they are spent. Moreover, he noted that Bitcoin’s modular structure allows the signature layer to be upgraded over time.
He pointed to NIST’s newly standardized FIPS-205, which formalizes the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). “The consensus layer is hash-based and quantum-resilient, and the signature layer is modular, meaning post-quantum schemes like SLH-DSA/SPHINCS+ can be integrated without disrupting monetary integrity or supply rules,” he said.
Why are security veterans challenging Gurbacs?
Gurbacs’s confidence quickly drew pushback from crypto security veterans including Dan McArdle, co-founder of Messari, and Graeme Moore of Project Eleven. Both argued that he was underestimating the complexity and timeline of any full-network migration to stronger cryptography. That said, they agreed that miners and proof-of-work are not at immediate risk.
McArdle highlighted three structural concerns Bitcoin still must confront: legacy P2PK outputs with already-exposed public keys, the possibility of mempool sniping, and the large size of post-quantum signatures. The last point could force a controversial blocksize increase, reviving old governance and scaling battles within the community.
What is a mempool quantum attack and why does it matter?
McArdle described mempool sniping as the risk that a sufficiently powerful quantum adversary could steal funds while a transaction is propagating through the network. During that short window, public keys may be visible but not yet confirmed on-chain. However, he admitted the necessary hardware would need to be exceptionally fast and stable compared to today’s prototypes.
“Given all that,” McArdle said, “it’s best to get serious about quantum robustness now. It’s not an issue to kick down the road until the threat is imminent.” In his view, building and testing migration paths long before a break becomes possible is essential risk management.
Are quantum risks “real but remote” for Bitcoin?
Gurbacs pushed back by labeling these concerns “real but remote.” He argued that remaining P2PK outputs are “small and scattered,” reducing systemic exposure. Furthermore, he said the kind of quantum computers needed for mempool attacks would have to be “unbelievably fast and stable—which we’re nowhere near.” That gap in capabilities, he believes, buys developers valuable time.
He added that Bitcoin could absorb larger signature schemes or even a blocksize upgrade “before any realistic threat shows up.” “I agree we should take quantum hardening seriously,” Gurbacs wrote. “I just don’t buy the idea that we’re close to a break—and scammers tend to abuse the quantum narrative. The bigger risk now is people panicking instead of looking at actual timelines.”
What open governance questions face Bitcoin developers?
Moore countered that complacency, not panic, is the greater threat. Citing Project Eleven’s research, he said a coordinated migration to post-quantum signatures could take six months or more even under ideal conditions. Moreover, he warned that “we could have a CRQC in a couple years,” raising pressure to prepare governance and technical frameworks in advance.
He questioned whether the Bitcoin community could realistically converge on NIST-approved standards such as SLH-DSA or ML-DSA. Satoshi Nakamoto intentionally avoided NIST curves when selecting secp256k1, partly due to distrust of centralized standard-setting. That history could complicate any decision to adopt future NIST-backed algorithms.
What happens to lost or unmigrated coins in a quantum upgrade?
Moore also raised the contentious issue of what happens to unmigrated or “lost” coins during a transition, including early holdings attributed to Satoshi Nakamoto. “Are you in favor of freezing Satoshi’s coins?” he asked Gurbacs. “Why or why not?” The question underscored how technical changes to signatures could intersect with sensitive economic and ethical debates.
Gurbacs responded that governance choices should apply equally to all unmigrated keys and rejected any “special rules.” “We’ll see weaker cryptosystems fall first,” he said. “That buys years of warning for picking schemes, implementing and testing, and allowing gradual opt-in rotation before the ‘oh shit’ moment.”
Would other cryptosystems fail before Bitcoin?
While Moore insisted that “we’re already at the ‘oh shit’ moment,” Gurbacs disagreed. He argued that if a real cryptographically relevant quantum computer (CRQC) existed at the level needed to break secp256k1, the earliest signs would not appear in Bitcoin. Instead, failures would first show up in TLS, PGP, government PKI, and weaker elliptic-curve systems.
“That simply hasn’t happened,” he noted. In his view, the absence of such failures in adjacent systems as of 2024 indicates quantum computing is still far from undermining Bitcoin’s core cryptographic assumptions, even if preparation work should continue in parallel.
How does Adam Back view Bitcoin’s quantum readiness?
Gurbacs’s stance received support from OG cypherpunk Adam Back. On X, Back wrote that “Bitcoin can just add a new signature type, and make a ‘quantum ready’ taproot leaf alternative spend method, under taproot/schnorr.” In this design, users could opt into new methods without everyone immediately bearing the cost.
That way, Back argued, the network can be prepared “without paying the cost of large signatures until it becomes relevant.” He pointed out that NIST standardized SLH-DSA in Aug 2024 only, implying that robust standards are still emerging. Moreover, this timeline suggests developers have time to study trade-offs before any wholesale migration.
Back added that if cryptographically relevant quantum computers are developed, “my guess is schnorr & ECDSA signature methods would be deprecated (become unspendable). IMO it’s a lot further away than 2030 so people should have time to migrate and be quantum ready long before.” His comments align with Gurbacs’s view that planning is needed, but panic is not.
Is quantum computing an imminent threat to Bitcoin?
For now, Gurbacs maintains that quantum computing represents a long-term coordination and engineering challenge rather than an imminent collapse scenario. “Quantum panic is misplaced,” he said. “Bitcoin’s architecture is adaptable, conservative, and mathematically robust. Quantum doesn’t break Bitcoin.” Meanwhile, the market seems unfazed: at press time, BTC traded at $85,984.
In summary, leading developers and analysts agree that a transition to stronger signatures will eventually be required, but they sharply disagree on how urgent the work is. The coming years of research, standardization, and community debate will determine how, and how quickly, Bitcoin hardens itself against future quantum machines.
Source: https://en.cryptonomist.ch/2025/11/24/bitcoin-quantum-risk/
