Preparing For Post-Quantum

Bitcoin's Quantum Defense

Quantum computers may one day threaten the cryptography that secures Bitcoin. Blockstream is building the upgrade path on a production network today.

LAYING THE FOUNDATION

What Is a Quantum Computer and Why Should You Care?

Your bitcoin is protected by a math problem. When you create a Bitcoin wallet, you get two things: a private key (your secret password) and a public key (derived from the private key using math that is easy to compute forward but practically impossible to reverse). Spending bitcoin means proving you know the private key without revealing it. Today's computers cannot work backward from the public key to find the private key. A quantum computer could.

Regular Computer

Tries keys one at a time. A brute-force attacker would need roughly 2^128 operations to find a private key from a public key. That would take longer than the age of the universe.

One key at a time

Quantum Computer

Exploits quantum mechanics to try enormous numbers of possibilities simultaneously. Given enough scale, it could derive a private key from a public key directly.

Many keys simultaneously

The critical detail: quantum computers do not threaten all of Bitcoin equally. They threaten one specific operation: the elliptic curve math (ECDSA and Schnorr) used in signatures. SHA-256 mining is not meaningfully affected: quantum computers do not become competitive with classical miners. Replacement signature schemes already exist: NIST (the U.S. standards body) standardized two post-quantum signature schemes in August 2024. The remaining challenge is making them compact enough to work within Bitcoin's block space constraints.

THE RISK

How Much Bitcoin Is Actually Vulnerable?

The quantum threat against Bitcoin is targeted, not total. Signatures are exposed; hashing is not. The upgrade path is focused: replace the signature scheme; preserve the hash-based foundation.

Vulnerable
Elliptic Curve Signatures
ECDSA and Schnorr
A sufficiently advanced quantum computer could derive a private key from its corresponding public key, exposing any coin whose public key is visible on-chain.
At risk
  • Pay-to-pubkey outputs
  • Pay-to-taproot outputs
  • Reused addresses
  • Addresses spent from
Fast-clock quantum architectures make even briefly-exposed keys vulnerable, not just long-exposed ones.
Safe
SHA-256 Hashing
Proof-of-work and hash-based addresses
Known quantum algorithms offer only a quadratic speedup against preimage resistance, leaving hashed outputs and mining economics far less impacted in the near term.
Protected
  • Proof-of-work consensus
  • Unspent P2PKH outputs
  • Unspent P2WPKH outputs
  • Mining economics
The hash shields the public key until the coin is spent.
21M TOTAL SUPPLY
Directly exposed public keys (p2pk, spent addresses): 4-10M BTC
Behind hashed addresses (additional protection layer, but all EC keys are ultimately vulnerable): ~11-17M BTC
Includes an estimated ~1M BTC attributed to Satoshi-era addresses, early miner rewards, and addresses that have spent at least once. Sources: Deloitte
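
The at-risk and protected lists above can be applied to a wallet's own outputs. This is an added example, not code from the page or from Blockstream: it matches four standard scriptPubKey templates and totals the value whose public key is already visible. The function names and the sample UTXO rows are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Exposure(NamedTuple):
    script_type: str
    pubkey_exposed: Optional[bool]  # None = template not covered here
    reason: str

def classify_output(script_hex: str, spent_before: bool = False) -> Exposure:
    """Classify a scriptPubKey by whether its EC public key is visible on-chain."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push of 33- or 65-byte pubkey> OP_CHECKSIG
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return Exposure("p2pk", True, "raw public key sits in the output script")
    # P2TR: OP_1 <push of 32-byte x-only output key>
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return Exposure("p2tr", True, "output key is a curve point in the script")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        kind = "p2pkh"
    # P2WPKH: OP_0 <20-byte hash>
    elif len(s) == 22 and s[:2] == b"\x00\x14":
        kind = "p2wpkh"
    else:
        return Exposure("other", None, "template not covered by this sketch")
    if spent_before:  # reused address: an earlier spend already revealed the key
        return Exposure(kind, True, "public key revealed by an earlier spend")
    return Exposure(kind, False, "only a hash of the public key is on-chain")

def exposed_sats(utxos) -> dict:
    """Sum satoshis per exposure class for (script_hex, sats, spent_before) rows."""
    totals = {"exposed": 0, "hashed": 0, "unknown": 0}
    for script_hex, sats, spent_before in utxos:
        e = classify_output(script_hex, spent_before).pubkey_exposed
        totals["unknown" if e is None else "exposed" if e else "hashed"] += sats
    return totals

# Constructed sample wallet: filler bytes, not real keys or hashes.
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000, False),   # P2PK
    ("5120" + "22" * 32, 1_200_000, False),               # P2TR
    ("76a914" + "33" * 20 + "88ac", 800_000, False),      # P2PKH, never spent
    ("0014" + "44" * 20, 300_000, True),                  # P2WPKH, address reused
    ("0014" + "55" * 20, 700_000, False),                 # P2WPKH, never spent
]

if __name__ == "__main__":
    print(exposed_sats(SAMPLE_UTXOS))
```

Script-hash outputs fall into "unknown" here because the page does not place them in either list.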
THE MIGRATION

The Rest of the World Isn't Waiting

Nobody knows exactly when quantum computers will break elliptic curve cryptography. But major organizations have already decided they can't afford to wait and find out.

2022: NSA. Mandated post-quantum transition for all national security systems (CNSA 2.0).
2023: Signal. Deployed post-quantum key exchange (PQXDH) for all messages.
Aug 2024: NIST. Published final post-quantum standards: ML-DSA, SLH-DSA, ML-KEM.
2024: Apple. Shipped PQ3 encryption for iMessage. Live for all users.
2024: Google. Migrated Chrome TLS and Cloud KMS to post-quantum cryptography.
Next: Bitcoin. Decentralized consensus means preparation must start earlier.

9 years
Blockstream Research
Simplicity smart contracts (2017). Taproot post-quantum security proofs. SHRINCS signatures at 324 bytes, 7x smaller than the NIST standard. First post-quantum transaction on the Liquid Network, March 2026.

Every organization on this list decided that waiting for certainty was the greater risk. Bitcoin's decentralized upgrade process makes preparation harder and slower. That is exactly why it needs to start earlier.

THE TRANSACTION DILEMMA

Bigger Signatures, Fewer Transactions

Every Bitcoin transaction includes a signature that proves you authorized it. Quantum-safe signatures are much larger than current ones. Larger signatures take up more space in each block, meaning fewer transactions fit and fees rise. The size of the replacement signature determines whether this upgrade is practical.

Today (Schnorr): 64 B per signature, ~4,200 transactions per block. Not quantum-safe.
NIST Standard: 2,420 B per signature, ~84 transactions per block. 97% capacity loss.
Blockstream's SHRINCS: 324 B per signature, ~1,750 transactions per block. Quantum-safe.

Each filled square represents transactions that fit in one Bitcoin block. The NIST standard is quantum-safe but reduces capacity by 97%. Blockstream's SHRINCS was designed specifically for this constraint.

TAKING SMALL STEPS

What Blockstream Built

Blockstream Research, with deep roots in Bitcoin cryptography and protocol development, built three components of post-quantum infrastructure. All of it is live on a production network today.

1. Simplicity

A smart contract language designed for Bitcoin's trustless model. Formally verifiable and expressive enough to implement new cryptographic primitives as spending conditions.

On Bitcoin mainnet, deploying a new signature scheme requires a consensus-level soft fork. On Liquid with Simplicity, the same capability deploys as a contract.

Created by Russell O'Connor, Blockstream Research. Published 2017, activated on Liquid mainnet July 31, 2025.

2. Taproot PQ Security

Before building new signature schemes, Blockstream Research proved that Taproot's existing commitment structure is already post-quantum secure. The curve point in a Taproot output can be reinterpreted as a commitment to alternative spending conditions, including hash-based signatures.

This means Bitcoin does not need to abandon Taproot to survive quantum computers. The upgrade path preserves the existing address format while allowing individual UTXOs to opt into post-quantum protection.

By Tim Ruffing, Blockstream Research. Published July 2025.

3. SHRINCS

A post-quantum signature scheme built specifically for blockchain constraints, where every byte costs block space and fees. Produces 324-byte signatures in stateful mode, more than 7x smaller than the NIST post-quantum standard.

Security rests entirely on hash function preimage resistance, the same mathematical foundation as Bitcoin's proof-of-work. No new cryptographic assumptions. A stateless fallback (3-8 KB) ensures funds remain accessible even if signing state is lost.

By Mikhail Kudinov and Jonas Nick, Blockstream Research. Published December 2025.
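
Why a hash-based signature needs no assumption beyond the hash function, and why signing state matters, shown with a textbook Lamport one-time signature over SHA-256. This is an added example, not SHRINCS and not Blockstream's code; the page does not describe SHRINCS's construction, and every name below is illustrative.

```python
import hashlib
import secrets

N_BITS = 256  # one secret pair per bit of the SHA-256 message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def msg_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

class OneTimeSigner:
    """Stateful signer: remembers that the key was used and refuses a second use."""
    def __init__(self, sk):
        self._sk = sk
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("one-time key already used")
        self.used = True  # a real signer must persist this before releasing the signature
        return [self._sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    """Valid iff each revealed value hashes to the public-key entry for that bit."""
    bits = msg_bits(msg)
    return len(sig) == N_BITS and all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def revealed_secrets(messages) -> int:
    """How many of the 512 secret values signatures on these messages disclose."""
    seen = set()
    for m in messages:
        seen.update(enumerate(msg_bits(m)))
    return len(seen)

if __name__ == "__main__":
    sk, pk = keygen()
    sig = OneTimeSigner(sk).sign(b"tx-1")
    print(verify(pk, b"tx-1", sig), sum(len(s) for s in sig), "bytes")
    print(revealed_secrets([b"tx-1"]), revealed_secrets([b"tx-1", b"tx-2"]))
```

One signature discloses exactly half of the secret values and a second one discloses more, which is why a signer that loses track of its state is unsafe; the plain Lamport signature is also 8,192 bytes, which shows the size pressure that compact hash-based designs have to address.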

Post-Quantum Cryptography Requires a Tradeoff

Larger signatures, heavier transactions, possible consensus changes, more complex recovery. Blockstream's research minimizes each cost across three axes.

Security
Built on SHA-256 preimage resistance, the same foundation as Bitcoin's proof-of-work. No new cryptographic assumptions.
Scalability
324-byte signatures, 7x smaller than the NIST standard. Post-quantum transactions still fit in Bitcoin blocks.
Usability
Opt-in per UTXO. No forced network migration. A stateless fallback protects funds if signing state is lost.
What This Means for Blockstream Products
Blockstream Jade
Post-quantum protection will deploy as a firmware update.
  • Per-UTXO opt-in
  • Existing wallets keep working
  • No hardware replacement
Blockstream Enterprise
Post-quantum signing will land as a first-class spend policy.
  • PQ signature requirements
  • Preserved approval workflows
  • Segregated account isolation intact
Blockstream App
Post-quantum protection will roll out as an app update.
  • Per-account opt-in
  • Hardware wallet integration intact
  • No re-onboarding required
Core Lightning
Post-quantum signing will extend to Lightning channels.
  • Channel commitment upgrade path
  • Backward-compatible deployment
  • BOLT-spec coordination required
ONE GIANT LEAP

First Post-Quantum Transaction

On March 3, 2026, Blockstream Research confirmed the first post-quantum-signed transaction on the Liquid Network. The signature itself is 324 bytes, though the full transaction including the Simplicity verification program was roughly 38 KB. Liquid is a production Bitcoin sidechain with real transactions, an 85+ member federation, and over $5B in total value locked.

Opt-in, per-UTXO. No network-wide migration required. The path from research paper to production deployment took three months.

A LOOK BACK AND BEYOND

Built on Liquid. Proven for Bitcoin.

Liquid has served as a proving ground for Bitcoin cryptographic innovation: Confidential Transactions, Schnorr signatures, and now post-quantum signatures. Each follows the same path from research to production deployment.

2018: Confidential Transactions. Deployed on Liquid.
2019: Schnorr Signatures. 2 yrs before Bitcoin Taproot.
2020: Schnorr Multisig. MuSig on Liquid.
Jul 2025: Simplicity Activated. Live on Liquid mainnet.
Dec 2025: SHRINCS Published. 324-byte PQ signatures.
Mar 2026: First PQ Transaction. Confirmed on Liquid.
Mar 2026: SHRIMPS. 1,024-device PQ sigs.
Apr 2026: OPNEXT Talk. PQ rationale, NYC.
Next: BIP Proposal.
WHAT COMES NEXT

Blockstream Is Building for Bitcoin's Quantum Upgrade.

The next step is a Bitcoin Improvement Proposal for hash-based post-quantum signature verification. Blockstream Research is collaborating with others in the community to develop a concrete specification. Once finalized, a contract implementing the BIP would follow.

Quantum readiness will define the next decade of Bitcoin infrastructure.
Blockstream is building for that future today.
