Citi warned that Bitcoin faces an outsized quantum-computing threat as recent breakthroughs shorten the timeline to a machine capable of breaking the network's elliptic-curve cryptography. The bank's research note frames Bitcoin — along with a handful of older chains that reuse vulnerable address formats — as disproportionately exposed relative to protocols built on post-quantum signature schemes.
Why it matters
The risk is not speculative, just front-loaded: a cryptographically relevant quantum computer would let an attacker derive a private key from a public key exposed on-chain, draining any address that has ever spent funds. Roughly a quarter of all Bitcoin sits in address types that would be directly vulnerable, Citi notes, because the public key is visible after the first spend. The threat is asymmetric — most newer chains and L2s have a cleaner migration path to post-quantum signatures than Bitcoin's ossified upgrade process.
Market impact
The report lands as several recent demonstrations — including error-corrected logical qubits and small-scale Shor's algorithm runs — have pulled the consensus horizon forward to the late-2020s to early-2030s window. Developers and standards bodies are already drafting quantum-resistant signature schemes, but a Bitcoin-wide migration would require years of coordination across miners, node operators, and holders. Until that path is concrete, Citi frames the risk as priced in only partially — a tail that the market is starting to discount, but not yet fully.
Frequently asked questions
-
Why does Citi say Bitcoin is more exposed to quantum risk than other chains?
Bitcoin's elliptic-curve signature scheme is reused on a large base of legacy addresses whose public keys are exposed on-chain, and the network's governance and upgrade process makes a coordinated migration to post-quantum signatures slower than on newer chains.
-
How much Bitcoin is in vulnerable address types?
Citi's note flags that roughly a quarter of all Bitcoin sits in address types where the public key becomes visible after the first spend, putting those funds directly in the line of a future quantum attack.
-
What kind of quantum computer would actually break Bitcoin?
A cryptographically relevant quantum computer — one capable of running Shor's algorithm at scale against a 256-bit elliptic-curve key — would let an attacker derive a private key from a public key visible on-chain and drain the associated address.
-
When could a quantum attack realistically happen?
Citi frames the horizon as the late-2020s to early-2030s window, citing recent breakthroughs in error-corrected logical qubits and small-scale Shor's algorithm demonstrations as the inputs that have pulled the timeline forward.
-
Could Bitcoin migrate to post-quantum signatures?
In principle yes, but a network-wide switch would require years of coordination across miners, node operators, and holders and is materially harder on Bitcoin than on chains built with post-quantum schemes from the start.
CoinDesk