TLDR:
Google research shows quantum computers could break Bitcoin’s cryptography in as little as nine minutes.
6.9 million Bitcoin in Taproot and P2PK wallets already have publicly exposed keys vulnerable to quantum attacks.
Osuntokun’s zk-STARK proof generates wallet authorization in 50 seconds on a standard MacBook using GPU acceleration.
The prototype lets Bitcoin owners reclaim funds if an emergency soft fork disables the key path spend mechanism.
A Bitcoin developer has created a working prototype that could protect wallet holders if quantum computers ever threaten the network’s core cryptography.
The solution addresses a gap that has existed in theoretical discussions for years. Olaoluwa Osuntokun, CTO of Lightning Labs, posted the prototype to the Bitcoin developer mailing list.
His work solves a problem that no one had previously resolved with a concrete technical implementation.
The Quantum Threat to Bitcoin Wallets
Bitcoin wallets rely on elliptic curve cryptography to secure private keys from public view. Classical computers cannot realistically derive a private key from a public key within any practical timeframe. However, quantum computers running Shor’s algorithm change that equation entirely.
Google researchers recently published findings showing a quantum computer could compromise Bitcoin’s cryptography in as little as nine minutes.
That estimate also requires far fewer physical qubits than prior research had projected. The threat remains distant, but the timeline is now considerably shorter than the field previously assumed.
Around 6.9 million Bitcoin across Taproot and older P2PK address formats are already in an exposed state. Their public keys are permanently recorded on the blockchain, making them visible targets for a sufficiently powerful quantum computer.
As @BullTheoryio noted on X, “Even if Bitcoin is forced to shut down part of its own security system to protect itself,” a solution is now available.
Bitcoin’s developer community had already outlined an emergency soft fork to disable Taproot’s key path spend mechanism if a quantum attack became imminent. That plan, however, created a secondary problem that Osuntokun’s prototype now directly addresses.
How the zk-STARK Prototype Solves the Problem
Disabling the key path spend mechanism would strand funds in most modern single-signature Taproot wallets. Those wallets rely entirely on that mechanism and have no alternative spending path.
Owners would lose access to their funds permanently, not through theft, but through an inability to authorize transactions.
Osuntokun’s solution uses a zk-STARK proof to bypass the disabled mechanism entirely. The proof demonstrates that a specific public key was derived from a master seed via the standard BIP-32 derivation path. Critically, it does this without revealing the seed or any private key material.
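To make concrete what such a proof has to attest to, here is an added example (not Osuntokun's prototype and not code from the original article): the BIP-32 relation from seed to public key, where the seed and every private key are the prover's private witness and only the final public key is a public input. The zk-STARK itself is not reproduced; the example only implements the relation that a verifier would otherwise have to check by recomputing it from the seed, which is exactly the recomputation the proof lets it skip. It assumes Python 3.8+ for modular inverses and uses the public BIP-32 test vector 1 seed as sample input.

```python
import hashlib
import hmac

# secp256k1 parameters (public curve constants, not page data)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
# Seed of BIP-32 test vector 1 (public spec data), used here as sample input
TEST_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def pubkey(k):
    """Compressed 33-byte public key k*G, computed by double-and-add."""
    r, q = None, G
    while k:
        if k & 1: r = _add(r, q)
        q, k = _add(q, q), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def derive(seed, path):
    """BIP-32: seed -> master key -> children along path; returns (priv, pub)."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(I[:32], "big"), I[32:]
    if not 0 < k < N: raise ValueError("invalid master key for this seed")
    for i in path:
        # hardened steps commit to the private key, normal steps to the public key
        data = b"\x00" + k.to_bytes(32, "big") if i >= HARDENED else pubkey(k)
        I = hmac.new(c, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
        il = int.from_bytes(I[:32], "big")
        if il >= N or (il + k) % N == 0:
            raise ValueError("invalid child; BIP-32 says skip this index")
        k, c = (il + k) % N, I[32:]
    return k, pubkey(k)

def derivation_claim_holds(seed, path, claimed_pub):
    """The statement a zero-knowledge proof would attest to: claimed_pub (public
    input) is the BIP-32 child of seed (private witness) along path. Checking it
    this way needs the seed; the proof lets a verifier accept the same claim
    without ever seeing the seed or any private key."""
    return derive(seed, path)[1] == claimed_pub
```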
The prototype generates a valid proof in 50 seconds on a standard MacBook using Metal GPU acceleration. It consumes approximately 12 gigabytes of RAM and produces a proof of 1.7 megabytes.
Osuntokun noted the codebase is largely unoptimized, meaning a production build would run faster and generate smaller proofs.
Multiple proofs could also be aggregated into a single compact proof to reduce on-chain verification overhead. The Bitcoin network can then verify the proof and authorize legitimate wallet owners to move their funds. The emergency defense mechanism can therefore work without permanently locking holders out of their own wallets.