2024 arXiv:2410.16965

How Much of Bitcoin's Bandwidth Must Be Sacrificed for Quantum Safety?

Bitcoin has 186.7 million UTXOs secured by ECDSA-256, a signature scheme that will be broken by quantum computers. Migrating them all to post-quantum cryptography requires at minimum 76 days of dedicated block space — and the clock is ticking.

Based on: Pont, J.J., Kearney, J.J., Moyler, J., Perez-Delgado, C.A. (2024). Downtime Required for Bitcoin Quantum-Safety. arXiv:2410.16965

Migration Calculator

Adjust the deadline to see what percentage of Bitcoin's block space would need to be reserved for UTXO migration transactions. The default is set to IonQ's projected timeline for a cryptographically relevant quantum computer (~1,600 logical qubits by 2028).

Default deadline: 31 December 2028. The deadline slider runs from today to 2040 and sets the date by which quantum computers could break Bitcoin's cryptography. Moving the deadline closer requires more block space for migration.

The calculator reports the days remaining, the block space required for migration (as a percentage, with the rest left for normal transactions), the effective TPS reduction (Bitcoin avg: ~7 TPS), the migration duration at the calculated bandwidth, and a status.

How the Calculation Works

Bitcoin's UTXO (Unspent Transaction Output) model means every coin is locked behind a cryptographic signature. To make Bitcoin quantum-safe, every single UTXO must be moved from an ECDSA-secured address to one protected by a post-quantum signature scheme.

UTXOs to migrate: 186.7M

Max UTXOs per block: 17,020

Blocks required: 10,967

Within Bitcoin's 4MB block weight limit, a maximum of 17,020 SegWit UTXOs can be upgraded per block. With 186,676,874 UTXOs (as of June 2024), the entire migration requires at least 10,967 blocks — or 76.16 days at Bitcoin's ~10-minute block interval, assuming every block is used exclusively for migration.

In reality, Bitcoin must continue processing normal transactions during the migration. The calculator above shows what fraction of each block must be reserved for upgrade transactions to meet a given deadline, and the corresponding reduction in Bitcoin's capacity for regular use.
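The calculation described above can be reproduced offline. The following is an added example, not the page's calculator code or the paper's: the function names, the 144 blocks/day rounding of the ~10-minute interval, the linear TPS model and the sample start date are assumptions, while the 10,967-block requirement, the ~7 TPS average and the 2028 deadline come from the page. It also goes one step further than the calculator by working out the latest start date for a capped share of block space.

```python
from datetime import date, timedelta
from math import ceil

# Figures from the page (UTXO snapshot of June 2024).
BLOCKS_REQUIRED = 10_967   # blocks needed if every block is migration-only
BLOCKS_PER_DAY = 144       # assumption: exactly one block every 10 minutes
AVG_TPS = 7.0              # "Bitcoin avg: ~7 TPS"


def migration_plan(today: date, deadline: date) -> dict:
    """Block-space share that must be reserved to finish by `deadline`."""
    days_left = max((deadline - today).days, 0)
    blocks_available = days_left * BLOCKS_PER_DAY
    if blocks_available < BLOCKS_REQUIRED:
        # Even fully dedicated blocks cannot finish in time.
        days_short = ceil(BLOCKS_REQUIRED / BLOCKS_PER_DAY) - days_left
        return {"feasible": False, "fraction": None,
                "tps_lost": None, "days_short": days_short}
    fraction = BLOCKS_REQUIRED / blocks_available
    # Assumption: throughput lost scales linearly with reserved block space.
    return {"feasible": True, "fraction": fraction,
            "tps_lost": AVG_TPS * fraction, "days_short": 0}


def latest_start(deadline: date, max_fraction: float) -> date:
    """Last day migration can begin if at most `max_fraction` of each
    block is reserved for upgrade transactions."""
    if not 0 < max_fraction <= 1:
        raise ValueError("max_fraction must be in (0, 1]")
    days_needed = ceil(BLOCKS_REQUIRED / max_fraction / BLOCKS_PER_DAY)
    return deadline - timedelta(days=days_needed)


if __name__ == "__main__":
    deadline = date(2028, 12, 31)      # the calculator's default deadline
    sample_today = date(2025, 1, 1)    # constructed sample date
    print(migration_plan(sample_today, deadline))
    print("start by (25% cap):", latest_start(deadline, 0.25))
    print("start by (100%):   ", latest_start(deadline, 1.0))
```
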

Why the Deadline Matters: The Just-In-Time Attack

It might seem that partial migration is still worthwhile — protecting some UTXOs is better than none. However, this paper introduces the Just-In-Time (JIT) quantum attack, which shows that even unmigrated UTXOs that have never exposed their public key are vulnerable.

Attack sequence

  1. A user broadcasts a transaction, exposing their ECDSA public key in the mempool.
  2. An attacker derives the private key using Shor's algorithm before the next block is mined.
  3. The attacker forges a competing transaction with a higher fee, redirecting funds.
  4. The fraudulent transaction is confirmed before the legitimate one.

This means the entire migration must be complete before a cryptographically relevant quantum computer (CRQC) exists. There is no safe "halfway" state.

The Long-Term Cost: Larger Signatures

Even after migration, Bitcoin faces a permanent throughput reduction. Post-quantum signatures are significantly larger than ECDSA, meaning fewer transactions fit in each block.

| Scheme | Signature Size | vs ECDSA |
|---|---|---|
| ECDSA-256 (current) | 64 bytes | |
| FALCON | 666 bytes | 10.4x |
| CRYSTALS-Dilithium | 2,420 bytes | 37.8x |
| SPHINCS+ | 7,856 bytes | 122.8x |

Signature sizes at equivalent security to ECDSA-256. Source: NIST PQC standardisation.

Read the Full Paper

This page summarises the key findings. For the complete methodology, proofs, and analysis, read the full paper.

Citation: Pont, J.J., Kearney, J.J., Moyler, J., Perez-Delgado, C.A. (2024). Downtime Required for Bitcoin Quantum-Safety. arXiv:2410.16965v1.