The possibility that quantum computers could neutralise Bitcoin's core cryptographic system is being raised, spurring full-scale discussion of network-level defence upgrades.

CoinDesk reported on April 5 that Google said in recent research that if a sufficiently powerful quantum computer emerges, it could crack Bitcoin's Elliptic Curve Digital Signature Algorithm (ECDSA) in under 9 minutes. That is shorter than Bitcoin's average block generation time of about 10 minutes.

No quantum computer at that level exists for now. But industry wariness is rising quickly as the threat is seen as moving beyond theory toward a realistic scenario. Some analysts see such a technological inflection point arriving as early as around 2029.

If the risk materialises, the scale of damage is also expected to be significant. An estimated 6.5 million BTC is held in addresses with exposed public keys that quantum computers could attack directly. That includes some early holdings attributed to Satoshi Nakamoto, known as Bitcoin's creator. If an attack succeeds, it could reverse-engineer private keys from public keys and steal assets, raising concern that Bitcoin's core values of "code trust" and "immutability" could be shaken.

The root of the problem is that the current cryptographic structure relies on one-wayness. In conventional computing, deriving a private key from a public key would take effectively impossible amounts of time, but quantum computers have the potential to overturn that assumption. Addresses with already revealed public keys could become vulnerable to attack over the long term.

There are two main paths for public key exposure. One is "long-term exposure", where public keys remain on-chain as they are due to past transaction methods, and the other is "short-term exposure", where signature information is revealed while a transaction sits in the mempool before it is included in a block. Early P2PK addresses or some newer Taproot (P2TR) addresses could face long-term exposure, and about 1.7 million BTC is said to be locked in old P2PK addresses alone.

Developers are therefore discussing multiple countermeasures in parallel. One is a shift to a structure that does not leave public keys themselves on-chain. "Bitcoin Improvement Proposal (BIP) 360" proposes introducing a new output type, Pay-to-Merkle-Root (P2MR), to prevent fixed public key exposure. But it focuses on protecting newly created assets, meaning the existing address problem would need a separate solution.

A second measure is a shift to quantum-resistant cryptography. SPHINCS+, a hash-based signature scheme, is cited as a next-generation standard candidate because it is relatively more resistant to quantum algorithms. The U.S. National Institute of Standards and Technology (NIST) standardised it as FIPS 205. But a drawback is that signature size increases sharply versus existing methods, raising block space and fee burdens.

A third approach is reducing short-term exposure during transactions. The idea is to defend against mempool attacks by using a "commit-reveal" structure that first records only transaction intent as a hash, then later reveals the actual transaction. In that case, even if an attacker submits a forged transaction, it can be blocked by verifying whether a prior commit exists.

Finally, a mechanism has also been proposed to soften a sudden outflow of already exposed assets. The "Hourglass V2" method, which limits the amount moved per block, aims to slow a situation where large assets pour into the market over a short period. But it is sparking debate within the community because it restricts the freedom to move assets.

These measures remain at an early discussion stage. Because Bitcoin upgrades require broad agreement among developers, miners and node operators, practical adoption is expected to take considerable time. Even so, the debate suggests that the potential threat of quantum computers is no longer a distant-future story and foreshadows Bitcoin's next technological shift.